Lessons from The Fappening
- 09 September, 2014 12:39
In case you missed it, last week's "Hashtag of the Week" was #fappening. It was a response to the hacking or leaking of hundreds of nude photos of a number of celebrities. Early in the piece it was alleged that Apple's iCloud service had been hacked, but the reality is far more complex.
Based on the evidence, there are several factors in play. Firstly, some of the celebrities had their iCloud accounts hacked through a combination of weak passwords and secret questions and an introduced weakness in iCloud's Find my iPhone service that let an attacker try as many incorrect username and password combinations as they wished, with no limit on attempts.
There also seems to be a degree of misunderstanding on how some of iCloud's services, in particular Photo Stream, work. It seems that many might have been unaware that opting in to Photo Stream put their photos onto a cloud service.
Some of the photos might have been stolen many months, or potentially years, earlier. In the case of actress Mary E Winstead, the photos of her and her husband were taken some years before and had been deleted. But the thieves waited until they could release them for maximum impact and value.
When you put all this together, this theft and distribution of photos is not as straightforward as a simple grab of data from one service.
What can business learn from this?
Cloud services have become incredibly popular over the last few years. If we think back, the early webmail services such as Yahoo! and Hotmail were the first cloud services, soon followed by Gmail. But a few years ago, the market exploded with enterprise software, storage and almost any service you could conceive of being delivered via the Internet to your business.
But what is the cloud?
Whenever you're considering a cloud service for your business, replace the word "cloud" with "a stranger's computer". For example, when you're thinking about using a cloud storage provider for your critical business documents, in order to make sharing and collaborating easier, think of it as "storage and collaboration on a stranger's computer".
That will help you put the risks and benefits into some perspective. It also helps to ask some important questions that might be harder to articulate when you see the cloud as an amorphous, impersonal service.
With services on smartphones such as photo syncing and backup, think hard about the risks and benefits. Clearly, being able to restore all the data from a lost device to a new one is a huge benefit. But if that service is protected by a weak password, one that sits outside the controls placed on internally delivered services, then there's a weakness in your security protocols.
All of this means that effective security does mean paying attention to the details. When users in your business want to access an externally provided service, you need to look at the details and understand what that means.
If you're going to use externally hosted services then consider identity and access management solutions that let you apply appropriate rules so that robust passwords are in place and to ensure you know where data is being stored.
As a CISO or CSO it's relatively easy to create policies, rules and procedures for users to follow. The trouble is that it's difficult for many users to contextualise these and apply them in their professional lives. When offering security training, present it from the users' context.
For example, rather than say "Having weak passwords and security questions makes the business vulnerable" show them what can happen when their Facebook account is compromised or if their iCloud account is hacked.
Presenting stories such as "How I Hacked My Own iCloud Account, for Just $200" and discussing the merits of putting sensitive personal data on cloud services can make information security a more personal concern rather than a corporate obligation.
Manage the Risks
As we've said before, being attacked or hacked is inevitable. That means you need to have systems in place to reduce the impact and respond quickly. If we look at the recent leak of female celebrity photos, there were two immediate reactions.
1. Anger that images had been stolen and circulated
While both are understandable human responses, neither was particularly helpful.
Apple's reaction was to close the flaw that allowed the brute force attack to be executed through Find my iPhone and to say that they will aggressively promote the use of two-factor authentication.
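The control that closing the flaw restores is a per-account limit on failed attempts. The following is an added illustration written for this article, not Apple's code or the Find my iPhone implementation; the thresholds, the log-free in-memory design and the `verify` callback are assumptions.

```python
import time
from collections import defaultdict

# Thresholds are assumed values for illustration, not any vendor's real policy.
MAX_FAILURES = 5        # failed attempts tolerated inside the window
WINDOW_SECONDS = 300    # sliding window over which failures are counted
LOCKOUT_SECONDS = 900   # how long an account stays locked after the threshold


class LoginThrottle:
    """Per-account throttle for an authentication endpoint.

    Every attempt goes through attempt(), which refuses a locked account
    before the credential is evaluated at all. An endpoint that skips this
    step, as Find my iPhone did, lets a caller guess without limit.
    """

    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable for deterministic tests
        self.failures = defaultdict(list)  # account -> recent failure times
        self.locked_until = {}             # account -> time the lock expires

    def _recent_failures(self, account, now):
        """Drop failures older than the window and return the rest."""
        cutoff = now - WINDOW_SECONDS
        self.failures[account] = [t for t in self.failures[account] if t > cutoff]
        return self.failures[account]

    def is_locked(self, account):
        return self.clock() < self.locked_until.get(account, 0)

    def attempt(self, account, verify):
        """verify is a zero-argument callable that checks the credential.

        Returns 'locked', 'ok' or 'fail'. verify() is never called while the
        account is locked, so a guessed password cannot be confirmed.
        """
        now = self.clock()
        if now < self.locked_until.get(account, 0):
            return "locked"
        if verify():
            self.failures.pop(account, None)     # success resets the counter
            self.locked_until.pop(account, None)
            return "ok"
        recent = self._recent_failures(account, now)
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            return "locked"
        return "fail"
```

A real deployment would keep this state in shared storage rather than process memory and would also throttle by source address, so that a lockout cannot be used to deny a legitimate user access indefinitely.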
The celebrities mitigated the damage by actively seeking out copies of the images and having them taken down. In effect, they attempted to retrieve the stolen data, although this is a limited response as the images will be available on the Internet forever through some channel.
It's a fair bet that almost anyone with sensitive photos hosted on a cloud service or smartphone is reconsidering and removing the images. From a risk perspective, you need to know what data you have, where it is going and whether you're prepared for the impact of losing that data or it falling into the wrong hands.
It should go without saying, but having robust passwords and security questions is important. Where two-factor authentication is available you should consider it. But it's important for businesses to look for ways to fold the security of external services into your internal policies so that you can enforce effective password rules. That might mean considering an identity and access management solution.
This article is brought to you by Enex TestLab, content directors for CSO Australia.