Now that the dust has somewhat settled on the situation, let’s review some things we’ve learned about the recent nude photos of celebrities that have been leaked online – seemingly via Apple’s iCloud service. Details continue emerging, but based on initial reports it appears that targeted accounts were breached, and compromising photos and videos were recovered from accounts’ PhotoStreams or, more likely, stored online backups. Hopefully most enterprise security teams don’t spend too much of their time dealing with racy photos, but there are a couple of ideas that folks may want to consider based on this breach:
• Watch What You Store – Let’s be clear – if anyone who is of-age, celebrity or otherwise, wants to use their iPhone or other device to take racy photos or videos of themselves that’s within their rights and these poor women have been victimized in a horrible way. Hopefully those responsible for this breach will be tracked down and held accountable. As an enterprise, especially one that is taking possession of sensitive customer data, you have to realize you’ll be held to a different standard. Every piece of sensitive data you collect increases your risk of exposing something sensitive. And you have to expect that your organization will be held accountable for misuse of your customers’ data – by the market and its perception of your brand as well as by regulators and compliance bodies. So security teams need to act as advisors to groups building applications and deploying systems: Do you really need to collect that social security number? Did you check to see if you were accidentally storing that credit card strip data? How were you planning on protecting the medical history information you have to collect? If Jennifer Lawrence wants to take some sexy selfies, that’s her business. If your organization wants to collect my blood test results and my credit card info, I’m going to expect you to properly protect them.
• Know Where Your Data Goes – Keeping track of what data goes where can be a challenge for consumers. This is both because of opaque EULAs that no one reads as well as insecure default settings that have a tendency to spread data all over the place. For an individual user it is understandable that they wouldn’t lock down settings and pore over arcane legal text in a user agreement that can’t be negotiated. For an enterprise it is unacceptable. Failing to negotiate acceptable data handling policies with vendors is a big issue. At the very least, you need to have an understanding of the rules that govern how your data will be managed when it leaves your systems. This is harder in a world of distributed cloud services, but something that must be addressed.
• Authentication Is Still a Hard Problem – Details are still emerging about how attackers accessed the iCloud accounts, but Apple has stated that the breach wasn’t a result of their systems being directly compromised but was rather based on targeted attacks on specific accounts. This should be a reminder to enterprises that authentication is still a hard problem, but there are things that can be done to help prevent authentication-based breaches. Having password complexity and length requirements are a start and Apple gets this half-right. However with an 8 character minimum length they could be doing better. Also, Apple provides the ability to enable two-factor authentication but did not require it at the time of the breach. Two-factor authentication can help to ameliorate the situation where users reuse passwords between accounts – especially business and home systems. It also appears that they were a bit late to the game adding detection of and protection against brute force attacks. So for enterprise security teams taking stock after this latest breach, it may be worth taking a step back to look at the authentication systems you provide for your internal users and external customers to see if you may fall victim to similar attacks.
• Keep a Closer Eye Out for Malware – Certainly none of the upstanding folks who read this blog would ever go searching online for stolen salacious photos of celebrities, but some of your users might. Sites purporting to host this type of content also often host malware. Depending on how you control or monitor traffic on your corporate network you might want to increase your level of vigilance and tune those systems for the inevitable malware that comes along with any high profile release of content like this. Also be aware that many users might try and access this type of content from their mobile devices so be extra-aware of corporate and BYOD devices on your networks.
For the women targeted by this horrible mess hopefully the perpetrators will be caught and held responsible and that provides them a sliver of solace. For enterprise security teams hopefully this incident provides some opportunities for reflection about the way their organizations design and deploy systems. I’ve always been a fan of learning by example – especially when other organizations are willing to step up and provide that example.