Apple iPhone. (Duncan Alfreds, Fin24)
Cape Town - As Apple prepares to launch its latest iPhone, some are asking how they can trust the iCloud platform that resulted in several celebrities' nude pictures being released to the public.
But the problem may not only rest with Apple's security.
"E-mail addresses and passwords got harvested from a breach or leak on another website. They just happen to share the same credentials on iCloud, which led to the compromise. This is the most plausible hypothesis," Guillaume Lovet, senior manager, FortiGuard Labs Threat Response Team at Fortinet, told Fin24.
Celebrities, including Jennifer Lawrence and Mary Elizabeth Winstead, have had images from their iCloud accounts leaked and Apple rejected accusations that its platform was flawed.
However, the company moved to restore trust in its cloud platform ahead of the launch of its latest iPhone, expected on Tuesday.
Apple will alert users through e-mail and push notifications when someone tries to change an account password, restore iCloud data to a new device, or when a device logs into an account for the first time, CEO Tim Cook told the Wall Street Journal in an interview.
Lovet said that Fortinet was unable to detect any specific flaw in Apple's iCloud service.
Most users do not make enough of an effort to create strong passwords and this may have contributed to the hack. According to the 2014 Trustwave Global Security Report, the most common password was "123456", followed by "123456789", "1234" and "password".
"Celebrities, like any other end-user, probably do not always use strong passwords to protect their accounts, however, they will usually keep their email addresses private, so as not to be spammed by fans," said Lovet.
Cyber criminals also use social engineering techniques to trick users into giving away sensitive information.
"Often the first kind of vulnerability exploited by attackers is the human one. They use social engineering techniques to trick individuals who work for an organisation into doing something that jeopardises corporate security," Ghareeb Saad, senior security researcher with the Global Research & Analysis Team, Middle East, Turkey and Africa at Kaspersky Lab, told Fin24.
According to multiple reports, the US FBI is investigating the data breach, though charging an individual may prove difficult as the images were posted anonymously.
Lovet said that the two-factor authentication system should go some way to preventing this kind of breach.
"Again, had two-step authentication been available for iCloud as well, this might have prevented at least part of the leak: ID/password combinations harvested from previous database breaches would not have been enough to log in to iCloud and download the targets' photostream."
He advised that people use multiple strong passwords for different platforms. Strong passwords have a mix of numbers, symbols and letters in both upper and lower case.
Regarding iCloud specifically, you can prevent photos from being uploaded from your Apple device to the cloud by disabling Settings → iCloud → Photos → My Photo Stream.