A recent hack carried out on a journalist resulted in him losing his entire ‘digital life’, thanks to flaws in both Apple and Amazon public cloud services. Whilst Mat Hanon, the victim of the attack, admitted his mistake of linking many of his accounts together, he also said: “what happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s”. “Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.”
“The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.”
Mr Hanon first noticed a problem when his iPhone turned itself off and he couldn’t access any of his data, then the same happened to his iPad, MacBook Air and he also lost control of both his Gmail and Twitter accounts.
His Gmail account was later deleted and after a one and a half hour conversation with Apple support, he eventually got to the root of the problem. Hanon said that he has since heard from other users who have experienced the same problem and reasons that, for public cloud, different security measures are necessary to ensure that hackers can’t use similar tactics that they have in the past.
By this he means measures that counter attacks known as ‘brute force’ and social engineering tactics, which were employed by the hacker to persuade Apple to hand over control of his iCloud account and essentially all of his devices.
Whilst this is more of a concern on a consumer basis, it does illustrate a good lesson learned in back up and the choice of cloud service providers, some of whom may not carry out good security practices.
Whilst Amazon has been criticised in the past over the security of its public cloud service, Apple are more renowned for being the most secure OS on the market. However, not only has this been disproven lately by a botnet that targeted Mac users, but also by this incidence of customer support gone wrong.
From an enterprise point of view, this could represent a serious problem for those who run BYOD schemes. Whilst we have covered the potential issues surrounding such schemes before, this is a very good illustration of what could happen to an organisation’s data if they don’t have sound BYOD policies in place.
The hacker was not only able to take control of email and Twitter accounts, he also had full control of all of Mr Hanon’s Apple devices and were able to impose four-digit lock codes on each device before wiping all of the data. Of course, this also means that they had access to all of this data.
Apple responded to the incident saying that: “In this particular case, the consumer data were committed by a person who had access to this personal information. In addition, we discovered that our policy not was duly fulfilled. We are reviewing all our processes to reset passwords to ensure that our customer’s data is safe.”
However, the only information the hacker had was the last four digits of a credit card, hardly the full information necessary for security, surely. In fact, the hacker, calling himself 'Phobia' later told Mr Hanon that it's a simple matter to access any Apple email address and then progress from there.
Any business thinking of using cloud services such as virtual hosted desktops for example then, should be absolutely positive that they have a strong BYOD policy in place that addresses issues such as this. Not only should employees be made aware of the dangers of linked accounts, but also ensure that they have layers of protection set up to guard against this kind of problem.
This should be worked into any plan when it comes to deployment within the cloud, which once again flags up the importance of having a sound strategy in place when it comes to moving to the cloud.
It’s important therefore, to liaise with your GoCloud hosted desktop reseller if you’re a client as we provide them with full training to ensure that not only you gain the best solution for your company, but also ensure that your business benefits from great support and training, as well as having the correct privacy and security policies in place.