The news this week about apparently hundreds of (very) private pictures of celebrities apparently being siphoned from Apple’s iCloud service reminds us again how careful we need to be with what exactly winds up in the cloud.
One might wonder what the pictures were doing there in the first place: sophisticated email users, certainly in the corporate environment, have long understood that you shouldn’t really say anything in an email that you wouldn’t be comfortable if it were read by others than the intended recipients (like: anyone). Likewise this applies to photographs on the internet – especially for “high value” targets.
While the Apple security team will no doubt be double and triple reviewing their practices and procedures, it appears that this breach was some form of targeted attack using perhaps a combination of brute force techniques, social engineering, and possibly, exploitation of “soft spots” in the iCloud infrastructure.
As for email and certain photographs, how much more so for passwords, a “high value” target we call have — encrypted though they may be. We all love the convenience that syncing (and sharing) things through the cloud can give us. However, as detailed in a recent security review of password applications cited by Ars Technica last month,
“Severe” password manager attacks steal digital keys and data en masse, solutions which store passwords in the cloud are vulnerable to the same kind of breach as in the Jennifer Lawrence situation. Like services such as iCloud, vendors who host passwords in the cloud present a fixed-location target for the determined attack, and once breached, provide access to everything, all in one place.
While security technology will always by an arms race, there are some obvious design approaches that can greatly mitigate the exposure. passQi’s solution, of only storing passwords in the user’s phone while providing the convenience of login automation, moves the “big password treasure trove in the sky” to a much safer remove from hacker exploits. Password information is never persisted in the cloud, and it only transits the internet and passQi infrastructure having first been encrypted by a one time (AES, 256 bit) encryption code which itself has never been presented on any network, using passQi’s secure tethering technology. The user is in complete control of when sessions are created and terminated, and whenever a session-encrypted passsword is relayed out of the phone in response to a login request, this is real-time visible to the user as a smartphone notification.
Jennifer Lawrence and others may have done well to have turned off photostream. Likewise, users who want convenient storage of passwords to turn off products which store them in the cloud.