Articles and Insights ,

Apple iCloud breach proves Wozniak’s point about cloud risks

By Michelle Drolet
7 Aug 2012

In a great article by Ted Samson at InfoWorld, that not even a complex, 16-character password guarantees that your cloud-based data and devices are secure.

Here is what Ted had to say:

This past weekend, Apple co-founder Steve Wozniak predicted that cloud computing would yield “horrible problems” in coming years. By extraordinary coincidence, Wired reporter Mat Honan experienced firsthand a series of horrible, cloud-related problems, all of which reportedly started when an unnamed Apple employee reset his iCloud password at the request of a hacker posing as Honan.

This marks the second high-profile cloud-related snafu in the past week, the first being the the Dropbox fiasco where hackers pulled a list of Dropbox customer email addresses from a Dropbox employee’s Dropbox account. The incidents almost render moot the raging debate over on Sophos’ Naked Security blog as to whether Microsoft’s newly rebooted Outlook.com should support more than a 16-character limit on passwords. Evidently even the strongest, most complex password is no match for the formidable combination of hacker perseverance and resourcefulness and end user naivet√© (or ignorance) about best security practices.

Let’s start with what happened to Wired’s Honan. By his account, a malicious hacker gained entry to his iCloud account and used it to remote wipe all of his devices, including his iPhone, iPad, and MacBook Air. The initial mystery: How did the hacker get his or her hands on Honan’s password? “My password was a 7-digit alphanumeric that I didn’t use elsewhere. When I set it up, years and years ago, that seemed pretty secure at the time,” Honan wrote.

Honan’s first guess was that hacker employed brute force techniques to crack the password. While that might have been feasible, it wasn’t the case. “They got in via Apple tech support and some clever social engineering that let them bypass security questions,” Honan wrote in an update.

Once the hacker got into Honan’s iCloud account, it was matter of time before he or she was able to wipe Honan’s iDevices, as well as wreaking other havoc, such as changing his Gmail account password and purging that account.