Apple is adding new security controls to its iCloud storage service, according to its chief executive, in a move to better protect user accounts from hackers who recently flooded the Internet with nude photographs of celebrities.
Apple CEO Tim Cook told The Wall Street Journal that a new alert process will validate significant changes made to user accounts. Attackers correctly answered security questions to obtain the celebrities' iCloud account passwords, or could have used a phishing scam to obtain user IDs or passwords, he said. It's the first time the Cupertino, Calif.-based technology giant has indicated that its iCloud service needed additional safeguards to protect users.
Apple currently sends an alert via email for password changes or logins from unknown Apple devices. Engineers will add push notifications for significant account changes and will begin alerting when users attempt to restore iCloud data, Cook said. The alert system will give users immediate access to retake control of their accounts or contact Apple's security team. The changes will begin to appear in two weeks, he said.
Apple partners said the company is in the unusual position of having to defend its reputation after the incident came to light last weekend. The timing is also bad, they said, since Apple is less than a week away from its annual event where it showcases its new products and services. The cache of private images appeared on the image-based bulletin board 4chan.
"Hopefully the event will put all this behind them, but as we've seen they can't rely on a walled garden to keep bad guys out," said one Apple partner who asked not to be named.
Apple issued a statement earlier this week categorically denying that its systems were the cause of the security incident, pointing out that the celebrities, among them the actresses Kirsten Dunst and Jennifer Lawrence, were the victims of targeted attacks. Security experts told CRN that attackers may have brute-forced their way into some accounts, using an automated tool to guess passwords and answers to security questions. Apple said iCloud does have protection against brute-forcing, but declined to say how many failed attempts will lock users out of their accounts.
Phishing attacks that trick users into giving up account credentials and other sensitive data to cloud services and banking firms are common and a significant threat, say solution providers. Apple is doing what all cloud providers and social networks should do to provide additional protection for users, said Rob Kraus, director of research at Omaha, Neb.-based managed security services provider Solutionary, a subsidiary of NTT Group.
"Apple iOS is very user-friendly so it may seem counterintuitive for some users to go through additional verification, but this is a practical step that could thwart some attacks," Kraus said. "Other providers, if not implementing this type of capability, should at least make it available as an option as part of their notifications."
Some security experts are criticizing Apple for being late with support for two-factor authentication, typically a temporary passcode sent via text message that verifies the authenticity of a user attempting to log into an account. Cook said the next version of iOS will support two-factor authentication for mobile access to iCloud accounts. It's a security measure that likely would have thwarted the attack, said Kraus.
"Implementing some form of multifactor authentication is a sure way to reduce the risk of being a victim," Kraus said. "The second validation measure is where many attacks will fail."
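The two controls the article touches on, a failed-attempt limit against brute-forcing (discussed with Apple's undisclosed lockout threshold above) and a temporary second-factor passcode (the measure Kraus describes), fit together in one small server-side component. The following is an added example written by the editor to illustrate the general mechanism; it is not Apple's code and nothing here describes how iCloud implements either control. The class name, the five-attempt limit, the five-minute lifetime and the `server-secret` key are all assumptions chosen for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Editor's example of a second-factor one-time-code verifier with a
# brute-force attempt limit. Hypothetical design, not Apple's implementation.


class OneTimeCodeVerifier:
    """Issue and check short-lived, single-use numeric codes of the kind a
    service sends by SMS or push as a second authentication factor.

    Hardening choices:
      * codes come from secrets.randbelow, not the non-cryptographic random module;
      * only an HMAC of the code (bound to the account) is stored, so a dump of
        the pending-code table does not reveal live codes;
      * the comparison is constant-time (hmac.compare_digest);
      * each code expires, is consumed on first success, and is invalidated
        after max_attempts wrong guesses, which bounds a guessing attacker to
        max_attempts / 10**digits per issued code (5 in a million by default).
    Invalidating the code rather than the whole account avoids turning the
    lockout itself into a denial-of-service lever against the victim.
    """

    def __init__(self, server_key: bytes, ttl_seconds: int = 300,
                 max_attempts: int = 5, digits: int = 6):
        self._key = server_key          # assumed server-side secret
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.digits = digits
        self._pending: Dict[str, dict] = {}   # user_id -> {mac, expires, attempts}

    def _mac(self, user_id: str, code: str) -> bytes:
        # Bind the code to the account so a code issued to one user cannot be
        # replayed against another account.
        msg = f"{user_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Create a fresh code for user_id; the caller delivers it out of band."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self._pending[user_id] = {
            "mac": self._mac(user_id, code),
            "expires": now + self.ttl,
            "attempts": 0,
        }
        return code

    def verify(self, user_id: str, submitted: str,
               now: Optional[float] = None) -> str:
        """Return one of 'ok', 'none', 'expired', 'wrong', 'locked'."""
        now = time.time() if now is None else now
        entry = self._pending.get(user_id)
        if entry is None:
            return "none"                       # nothing outstanding (or already used)
        if now > entry["expires"]:
            del self._pending[user_id]
            return "expired"
        if hmac.compare_digest(entry["mac"], self._mac(user_id, submitted)):
            del self._pending[user_id]          # single use: consumed on success
            return "ok"
        entry["attempts"] += 1
        if entry["attempts"] >= self.max_attempts:
            del self._pending[user_id]          # force a fresh code to be issued
            return "locked"
        return "wrong"


if __name__ == "__main__":
    # Constructed walk-through: a legitimate login and a guessing attacker.
    v = OneTimeCodeVerifier(b"server-secret", max_attempts=3)
    code = v.issue("alice")
    print("delivered code:", code)
    print("attacker guess 000000:", v.verify("alice", "000000"))
    print("user enters real code:", v.verify("alice", code))
    print("replay of same code:", v.verify("alice", code))
```

A real deployment would keep the pending table in shared storage with the same expiry, and would count failures per account across code re-issues as well, so an attacker cannot reset the counter simply by triggering a new code.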
PUBLISHED SEPT. 5, 2014