What enterprises can learn from the iCloud celebrity photo hack

Following the recent discovery that the very personal photos of numerous female celebrities had been stolen and posted online, Apple is rushing to strengthen security for its popular iCloud service. But, the question remains whether or not these measures will be enough to protect users’ private information — and whether enterprise users should be using these services at all.

However, a key positive takeaway is that the same techniques that have been used for years to target enterprises and high profile targets like CEOs, from social engineering to phishing, feature prominently in this incident. That means that key vendors like Apple are likely to improve defenses against those attacks, which will benefit enterprises and consumers alike.

How safe are consumer cloud services?

By and large, consumer cloud services are quite secure for those of us who are not high profile celebrities. When using these services, users employing strong passwords and/or two-factor authentication should feel confident that their documents and photos are safe from public view and access.

Realistically, a data leak is more likely to occur as a result of a phishing attack or social engineering rather than the activity of a hacker. However, popular cloud services are still natural targets for hackers seeking valuable data to steal or sell. This is why many businesses prefer to store their data on premises or in a private cloud.

Is iCloud more susceptible than others?

Hackers target cloud backup services using a technique known as “ripping,” which uses a username and password combination, answers to security questions, or authentication keys to rip cloud backup services using special software. This allows them to access an entire backup, even deleted images and messages.

While all cloud services are targets, iCloud is the hackers’ choice due in part to the popularity of the iPhone platform and because the Camera Roll backup is enabled by default, so the phone automatically stores any photos and videos you take in iCloud.

Apple has other security issues to consider as well. For example, its account recovery process, password requirements, and ability to detect if an email address has an associated iCloud account makes it almost too easy to verify a valid account using brute force attempts.

Apple’s two-factor authentication is a great security measure for protecting account details, but it’s useless for preventing the use of passwords or authentication tokens to extract online backups, although Apple has announced that it will change that.

Device defense

Once a hacker gains access to an iCloud account, all bets are off. They can locate the associated phone, retrieve SMS and MMS messages, recover deleted files and photos, remote wipe the device, and more.

This is a BYOD nightmare waiting to happen and a very good reason why data-centric protection is so important. For instance, if an employee’s iPhone is hacked, every confidential file he ever accessed, emailed, downloaded, uploaded, or annotated in iCloud is at risk.

When files are protected at the data level, they can be managed no matter where they are, providing some control over sensitive content. In addition, a proper enterprise file sync and share mobile app will store all the files encrypted at rest, meaning that even a decrypted backup will not expose any data to the attacker.

Knowledge is power

Considering how digitally advanced today’s generation has become, we are still remarkably naïve about basic Internet security. The most common techniques used by hackers have been the same for years: social engineering, phishing attacks, remote access tools (RATs), and password recovery and reset prompts. These aren’t overly sophisticated methods, but users fall victim to them time and again.

Consumers and enterprises alike need to make secure mobile and online practices a priority. Phishing attacks may be more sophisticated — poorly written emails from foreign princes giving away their fortunes are increasingly rare — but these attempts are still fairly obvious if you know what to watch for. Frequent security training should be a requirement to ensure employees know how to identify and avoid these ploys.

While most enterprises aren’t concerned that their unmentionables will become fodder for public consumption, there are important lessons here about consumer-based cloud services that every enterprise user should consider.

Ryan is the chief product officer for WatchDox, where he is responsible for WatchDox’s products and marketing. He focuses on making sure as many organizations as possible know how WatchDox can protect their most sensitive information. With 14 years of experience in a variety of roles in the US and EMEA, Ryan has an extensive background in information security. Prior to WatchDox, Ryan ran solutions across HP’s portfolio of security products. Before its acquisition by HP, Ryan was director of products at ArcSight. Ryan received his bachelor’s degree from Stanford University, where he studied fault tolerance, cryptography, and authentication algorithms.