The internet exploded this week with a cache of private photos taken from the devices or online accounts of several high-profile celebrities.
Beyond the ethical and social questions raised by this incident are the technology questions and risks that have been exposed through this leak. There are lessons here on what businesses can do to better secure their information and that of their customers.
From what we know so far, the photos were claimed to have been taken from the iCloud accounts of the celebrities involved. It’s recently been revealed that Apple’s Find My iPhone service was vulnerable to password brute-forcing.
Brute-forcing is a password-guessing technique that works by trying a large number of candidate passwords until one is accepted as correct. Because Apple didn’t block repeated incorrect login attempts, the service was vulnerable to this technique.
This recent iCloud vulnerability, whether or not it’s how the photos were gained, is terrifyingly easy to exploit. It’s not a stretch to believe this vulnerability could have also been behind the iPhone ransom incident from a few months ago.
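The missing control described above is a limit on repeated failed logins for one account. The following is an added example, not Apple’s code or anything from the original article: a hypothetical login check that locks an account after a run of failures, hashes passwords with PBKDF2, and compares in constant time. The account store, attempt counters and clock are in-memory stand-ins for whatever shared storage a real service would use.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_FAILURES = 5        # consecutive failures allowed before lockout (assumed policy)
LOCKOUT_SECONDS = 900   # 15-minute lockout (assumed policy)


class LoginGuard:
    """Credential check that refuses further attempts after repeated failures.

    This is the throttling the article says the Find My iPhone endpoint lacked:
    without it, an attacker can keep submitting guesses indefinitely.
    """

    def __init__(self, clock=time.time):
        self._clock = clock                  # injectable for testing
        self._users = {}                     # account -> (salt, pbkdf2 hash)
        self._failures = defaultdict(int)    # account -> consecutive failures
        self._locked_until = {}              # account -> unix time lock expires

    @staticmethod
    def _hash(password, salt):
        # Slow, salted hash so a leaked store cannot be brute-forced cheaply either.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, account, password):
        salt = os.urandom(16)
        self._users[account] = (salt, self._hash(password, salt))

    def login(self, account, password):
        """Return 'ok', 'bad_credentials' or 'locked'."""
        now = self._clock()
        if self._locked_until.get(account, 0) > now:
            return "locked"                  # refuse without evaluating the password
        stored = self._users.get(account)
        if stored is None:
            # Unknown account: spend the same hashing cost so response time
            # does not reveal whether the account name exists.
            self._hash(password, b"\x00" * 16)
            ok = False
        else:
            salt, expected = stored
            ok = hmac.compare_digest(self._hash(password, salt), expected)
        if ok:
            self._failures.pop(account, None)  # success resets the counter
            return "ok"
        self._failures[account] += 1
        if self._failures[account] >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self._failures.pop(account, None)
        return "bad_credentials"
```

Per-account lockout on its own can be abused to lock legitimate users out, so in practice it is paired with per-source rate limiting and alerting on bursts of failures, which is exactly the kind of pattern a security audit should look for.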
As data continues to move to the cloud, it’s important to implement good security practices to reduce the risk of exposure. If you operate a business that involves handling sensitive or personal information, you are responsible for the security measures that keep that information out of the wrong hands.
Here are five things businesses can do to prevent unauthorised access to their online information:
1. Perform regular security audits on any online applications that store personal data.
Even a fairly rudimentary security audit would have revealed the brute-force vulnerability that Apple was exposed to. You can perform your own security audits using software such as WebSecurify, or hire a “penetration testing” consultant.
2. Ensure all software developers that work on your online applications have adequate knowledge and training in computer security.
This one can be tricky to measure, but most software developers are quick to learn when made aware of hacking techniques and how to protect against them. Resources such as the “Security Now” podcast help increase awareness. Depending on the technologies your company relies on, following related technical blogs is a great way for your developers to stay abreast of any security developments they need to react to.
3. Do not reuse passwords across multiple applications and do not use easily guessable passwords.
The Find My iPhone vulnerability still relied on the account having a fairly rudimentary password before access could be gained. Remembering passwords (and creating strong ones!) is a tough process, so look to software tools that make it easier and also remember the passwords for you. My personal recommendation would be AgileBits’ 1Password, but many software applications exist that do this well.
4. Keep software up-to-date by installing updates as promptly as possible.
This applies to everything from your operating system, to your browser, to the plugins it may rely on (Java and Flash updates in particular are crucial). Modern operating systems (Windows, OS X, iOS, Android) all display prompts for security updates. Mobile operating systems in particular prompt for updates often; don’t ignore them! If you use a software package that doesn’t have auto-update or update prompts, be sure to periodically check online for updated versions of that software. Never run unsupported software, or software with known security issues.
5. Finally, if you ever have a security breach, make diagnosing and patching it your number one priority.
Depending on the breach, this is a task that can be performed by your developers, although in some cases you may wish to consult an expert with background in computer forensics or computer security to help diagnose and rectify the problem. Notify your customers if you have a vulnerability that concerns the integrity of their data, and give them the information they need to secure it again.
Remember, your customers might not be happy about the breach, but they’ll be furious if they find out you covered it up or failed to try your best to prevent it.
Farid Wardan is a lead software engineer at Terem Technologies, an Australian company that specialises in developing custom software and technology solutions for corporate innovations and high-tech ventures.