
Does Apple Need To Get Serious About Security?

Posted by Soulskill
from the apple-a-day-keeps-the-hackers-away dept.
An anonymous reader writes "An article at The Verge makes the case that Apple's development of its cloud services hasn't been accompanied by the necessary effort to ramp up security to match users' increasing levels of risk. As evidence, they use a recent (and very simple) security hole that allowed anyone to reset an Apple ID password with just a user's email address and birth date. Apple's initial response failed to fully stop the exploit, and then it took several days for them to fix the issue. 'A server-side attack on Apple's cloud could get customers' credit card numbers and addresses, device backups with their encryption keys — as well as contacts and Apple IDs — anonymously and in bulk. Those systems may be defended like a castle, but bandits have plenty of places to chip away at private information at the periphery: intercepting wireless location data, cracking the still-private protocols for services like FaceTime or iMessage, or imitating iTunes updates to install to take over a user's phone. There's nothing sexy about securing these systems. None of them contribute directly to Apple's bottom line. And when it came to securing a business netting it an estimated $2 billion each year, Apple locked the screen door and left the front door open, without asking anyone else to check that the house was safe.' The article also points out that many other cloud service providers have detailed privacy and security policies, and actively participate in developing best practices, whereas Apple's procedures are shrouded in the company's typical secrecy. The article comes alongside reports of a way for people to DDoS other users' iMessage box."
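The hole the summary describes is a reset gated on facts an attacker can often look up (email address and date of birth) rather than on anything the attacker should not have. The following is an added example, not code from The Verge article or from Apple: it models that knowledge-based reset beside a reset that requires proof of mailbox access through a random single-use token with an expiry and a per-account throttle. The account, the fake clock, the outbox list and the limits are all constructed for illustration.

```python
"""Knowledge-based password reset next to a one-time emailed token.

Added example, not code from The Verge article or from Apple. It models the
class of weakness the summary describes (a reset gated only on an email
address and a date of birth, both of which an attacker can often look up)
beside a reset that requires proof of mailbox access. The account data, the
fake clock, the outbox list and the limits below are all constructed for
illustration.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60      # assumption: reset link valid for 15 minutes
MAX_ATTEMPTS_PER_WINDOW = 5      # assumption: per-account throttle on completions


@dataclass
class Account:
    email: str
    birth_date: str              # "YYYY-MM-DD"; quasi-public information
    password: str


class KnowledgeBasedReset:
    """Weak: anyone who knows email + date of birth can set a new password."""

    def __init__(self, accounts):
        self.accounts = {a.email: a for a in accounts}

    def reset(self, email, birth_date, new_password):
        acct = self.accounts.get(email)
        if acct is None or acct.birth_date != birth_date:
            return False
        acct.password = new_password
        return True


class TokenReset:
    """Hardened: a random single-use token goes to the mailbox on file and must
    be presented back before it expires; completions are throttled per account."""

    def __init__(self, accounts, outbox, clock=time.time):
        self.accounts = {a.email: a for a in accounts}
        self.outbox = outbox     # list standing in for the mail relay
        self.clock = clock
        self.pending = {}        # email -> (token, issued_at)
        self.attempts = {}       # email -> (count, window_start)

    def request(self, email):
        """Issue a token. Deliberately returns nothing either way so the endpoint
        does not double as an account-enumeration oracle."""
        if email in self.accounts:
            token = secrets.token_urlsafe(32)
            self.pending[email] = (token, self.clock())
            self.outbox.append((email, token))

    def _throttled(self, email):
        now = self.clock()
        count, start = self.attempts.get(email, (0, now))
        if now - start > TOKEN_TTL_SECONDS:      # new window
            count, start = 0, now
        count += 1
        self.attempts[email] = (count, start)
        return count > MAX_ATTEMPTS_PER_WINDOW

    def complete(self, email, token, new_password):
        if self._throttled(email):
            return False
        entry = self.pending.get(email)
        if entry is None:
            return False
        issued_token, issued_at = entry
        if self.clock() - issued_at > TOKEN_TTL_SECONDS:
            del self.pending[email]
            return False
        if not hmac.compare_digest(issued_token, token):   # constant-time compare
            return False
        del self.pending[email]                            # single use
        self.accounts[email].password = new_password
        return True
```

The point of the second class is not the token itself but the properties around it: the request path behaves identically for known and unknown accounts, the token is compared in constant time, it is consumed on first use, it dies with the window, and the completion path is rate-limited so the token cannot simply be guessed.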
  • by rtfa-troll (1340807) on Sunday March 31, 2013 @08:31AM (#43323549)
    Apple needs to get serious at the moment that its customers care or at the moment someone puts legal liability on them and not a minute earlier. Given that the effect of Paris Hilton's phone getting hacked was to vastly increase the sales of the model, I don't think that's going to happen any time soon.
    • the effect of Paris Hilton's phone getting hacked was to vastly increase the sales of the model

      I think that was more down to accidental celebrity endorsement than any security vulnerability.

      • by Chris Mattern (191822) on Sunday March 31, 2013 @09:09AM (#43323721)

        Of course it was. But the fact that "Paris Hilton uses it" meant immensely more to most people than "she got owned because it was absurdly easy to hack" demonstrates security is not something that matters at all to most of Apple's customers, and thus is not something that Apple feels a need to matter to them.

        • by Anonymous Coward

          Apple can Quadruple-AES-4096 encrypt the phone and close ALL Bugs including Jailbreak, if Paris uses "1234" as PIN, it won't matter (and I firmly believe that 1234 is too complex a password for her anyways...)

            • Apple can Quadruple-AES-4096 encrypt the phone and close ALL Bugs including Jailbreak, if Paris uses "1234" as PIN, it won't matter (and I firmly believe that 1234 is too complex a password for her anyways...)

            Typical blame the victim IT security type.

            If your default locking mechanism recommends a four digit PIN code and you have no way (like a bank) of enforcing a retry limit since it is possible to do a memory clone of your device, who is to blame if the mechanism fails? The customer who used it as it seemed to be designed or the engineer who chose the mechanism? The person who just went to a shop and assumed that the system they bought was fit for being a personal mobile device or the engineer who failed t

            • by Anonymous Coward

              iPhone supports > 4 digit passcodes so I don't know what you're smoking.

              Facial recognition is crap because it is defeated by printing out a picture of the owner and waving it in front of the phone's camera.

            • by oPless (63249)

              Apple can Quadruple-AES-4096 encrypt the phone and close ALL Bugs including Jailbreak, if Paris uses "1234" as PIN, it won't matter (and I firmly believe that 1234 is too complex a password for her anyways...)

              And for most people it seems. Have you read: http://www.datagenetics.com/blog/september32012/ [datagenetics.com] ?

              If your default locking mechanism recommends a four digit PIN code and you have no way (like a bank) of enforcing a retry limit since it is possible to do a memory clone of your device, who is to blame if the mechanism fails? The customer who used it as it seemed to be designed or the engineer who chose the mechanism? The person who just went to a shop and assumed that the system they bought was fit for being a personal mobile device or the engineer who failed to make it that way.

              iPhone has a 4 digit PIN, and full pass phrase, complete with timed lockout after multiple bad passwords, and with the option of wiping the device.
              A six-digit PIN would be nice, but would probably be birth dates too, ho-hum.

              Samsung has come up with ideas such as facial recognition.

              I thought that was cool too. But once I had fooled it with a (bad) photo of me displayed from my iPhone I decided that it was a terrible idea. I'm sure it would have problems with my habit of gro

              • Apple can Quadruple-AES-4096 encrypt the phone and close ALL Bugs including Jailbreak, if Paris uses "1234" as PIN, it won't matter (and I firmly believe that 1234 is too complex a password for her anyways...)

                And for most people it seems. Have you read: http://www.datagenetics.com/blog/september32012/ [datagenetics.com] ?

                Not my quote please note. It is well known that to avoid the complexity of 1234 most people switch to 1111. This makes PIN codes terrible for exposed data.

                If your default locking mechanism recommends a four digit PIN code and you have no way (like a bank) of enforcing a retry limit since it is possible to do a memory clone of your device, who is to blame if the mechanism fails? The customer who used it as it seemed to be designed or the engineer who chose the mechanism? The person who just went to a shop and assumed that the system they bought was fit for being a personal mobile device or the engineer who failed to make it that way.

                iPhone has a 4 digit PIN, and full pass phrase, complete with timed lockout after multiple bad passwords, and with the option of wiping the device. A six-digit PIN would be nice, but would probably be birth dates too, ho-hum.

                It's typical for someone with little security experience to miss the fact that the attacker always goes for the weakest link. Having two different codes is likely to make things weaker than having one unless you are very very careful. In this particular case elcomsoft provides standard software [crackpassword.com] which can use just the PIN to bypass all the other secur

            • Apple can Quadruple-AES-4096 encrypt the phone and close ALL Bugs including Jailbreak, if Paris uses "1234" as PIN, it won't matter (and I firmly believe that 1234 is too complex a password for her anyways...)

              Typical blame the victim IT security type.

              That's funny coming from somebody who blames Apple for the fact that Paris Hilton's T-Mobile Sidekick was hacked.

        • Of course it was. But the fact that "Paris Hilton uses it" meant immensely more to most people than "she got owned because it was absurdly easy to hack" demonstrates security is not something that matters at all to most of Apple's customers, and thus is not something that Apple feels a need to matter to them.

          No! not in the slightest. People who *admire* Paris Hilton...definitely not "most"(sic) or even some, but that select group of people who are swayed by her. I suspect it actually did a lot of harm, as many of that select group, who I would not be astonished would have given iPhones by Apple as (cough) gifts, as those people love exposure, but only the type they manage. I suspect those people have ditched those phones now.

          ...but again it's simply celebrity endorsement.

        • by 93 Escort Wagon (326346) on Sunday March 31, 2013 @01:24PM (#43325311)

          Of course it was. But the fact that "Paris Hilton uses it" meant immensely more to most people than "she got owned because it was absurdly easy to hack" demonstrates security is not something that matters at all to most of Apple's customers, and thus is not something that Apple feels a need to matter to them.

          Wait. When Paris Hilton's phone got hacked a number of years ago, it was a T-Mobile Sidekick.

      • by Teun (17872)
        I think the word you're looking for is 'Infectious'.
    • Paris = sidekick (Score:4, Informative)

      by jbolden (176878) on Sunday March 31, 2013 @09:59AM (#43324003) Homepage

      Paris Hilton was a spokesperson for Danger's HipTop (Sidekick on T-Mobile). That was the phone that got hacked. And her endorsement of the phone was well known prior to the hacking. They had huge Hollywood parties and she appeared in public using the phone regularly.

      Apple wasn't involved.

      • Apple wasn't involved.

        I know that failing to read the article is de rigueur. I do follow the new fashion on Slashdot of not reading the summary. However, failing to read the comment you are replying to is a new and excellent level of trolling. Well played that man. At no point in my comment did I claim Apple was involved but you just read a random sentence and then assumed I would. Cool.

        Paris Hilton was a spokesperson for Danger's HipTop (Sidekick on T-Mobile). That was the phone that got hacked. And her endorsement of the phone was well known prior to the hacking. They had huge Hollywood parties and she appeared in public using the phone regularly.

        Actually, it was widely publicised at the time [playstation.com] that the publicity campaign had been pretty much a failure up till the hack and that the

        • by jbolden (176878)

          Actually, it was widely publicised at the time [playstation.com] that the publicity campaign had been pretty much a failure up till the hack and that the hack caused a vast increase in sales.

          Nonsense. Paris was hacked Feb 2005. Oct 2002 the Sidekick went on sale. By the time of Paris' hack there were 3 very successful models in: original, color and Sidekick 2. This is a video which shows you the promotions on TV from the year before.

          A backup failure incidentally is what killed the Sidekick. While n

    • Or they could start caring about it now and save themselves even more litigation. I'm sure Apple's lawyers would rather deal with Apple's constant patent trolling than something serious.
    • Apple needs to get serious at the moment that its customers care or at the moment someone puts legal liability on them and not a minute earlier.

      It's too late by then. Security needs to be designed into a system from the start. You can't put it in within minutes of somebody wanting it.

      See Microsoft, they've been trying for decades to retrofit security into their systems, and failing. You think Apple's engineers can do better?

  • by koan (80826)

    I worked for them until recently, and I can say people walk around (in my area) talking about the impervious OS X, and I chuckle.
    I honestly don't think Apple has taken security as seriously as say, Microsoft.

    But this is one person's experience and I was seriously disillusioned after working for them, but that's more likely a result of my initial naïveté.

    Without Jobs's fascism, Apple is another corporation that will quickly slide into suck; here's hoping you got out above 600.

    • It won't be a quick slide, but it will be a slow, steady slide down. Steve Jobs made the whole package. No other company can do that and be competitive. Just look at RIM, Palm, etc.

      Apple will end up like them.

      • It won't be a quick slide, but it will be a slow, steady slide down. Steve Jobs made the whole package. No other company can do that and be competitive. Just look at RIM, Palm, etc.

        Let me just make an observation. There are plenty of people claiming that Apple will inevitably go downhill without Steve Jobs. On the other hand, on The Register, where they discuss Nolan Bushnell (ex-Atari) mentioning his ex-employee Steve Jobs, they insist that he didn't actually do anything worthwhile at all, that he is just a marketing guy doing nothing of any worth, and his success is all due to pure luck.

        So which one is it?

        • by Nerdfest (867930)

          Why can't both be true? The new CEO doesn't seem to have the same luck or marketing ability. Even if they were an innovative company, you frequently still need marketing and luck to really succeed.

    • by deniable (76198)
      Yeah, but Microsoft used to be similar until they got repeatedly slammed by security issues. Once they got serious, things changed but it took time.
      • Actually - there are few similarities between Apple and Microsoft. The two greatest similarities are market hype, and financial success. And, we might say that each has enjoyed something of a cult following, although the cults themselves are quite different.

        I would elaborate further, but I'd be typing for half the day if I ever got started. Especially since I would probably start googling for citations on some of it.

        But, you go ahead and believe that Apple and Microsoft are similar on security. Whatever

      • by Shavano (2541114)
        It took time because of the mountain of deferred security work. Same thing for Apple but before anybody writes them off, check out the mountain of money piled up to their chins.
    • by alen (225700)

      As a whole system, with the locked-down Mac App Store, OS X is fairly secure.

  • by alen (225700) on Sunday March 31, 2013 @09:09AM (#43323725)

    Compared to everyone else?

    That journalist was one case. The article mentioned a lot of scary things, but no one has done any of it yet. And some of these services have been around for almost 2 years.

    • by silviuc (676999)
      How would you measure? How would you compare?

      MS and Apple disclose only what they fix. They also don't have the same amount of users for their operating systems. The more eyeballs on one's product, the more flaws get discovered.
      • How would you measure?

        Google might help to find how many billions of dollars have been spent by corporations and businesses to alleviate damage from Microsoft's security flaws.

        A similar search might find similar figures for Apple's security flaws. Or not.

        Microsoft started out without any security model at all. Further, Microsoft has often sacrificed security for convenience and/or backward compatibility. Apple started with a Unix-like security model. It is fair to say that Microsoft has been steadily im

        • by jbolden (176878) on Sunday March 31, 2013 @11:47AM (#43324641) Homepage

          Actually Microsoft NT started with a capability based system, not a permissions system which is vastly vastly more secure. The problem they realized very quickly was that end users couldn't handle capabilities, and their application ecosystem wasn't compatible with it. Internet Explorer being a serious example because at that point it was the default shell. So end users ended up granting almost unlimited capabilities to most applications. At that point Microsoft began introducing permissions...

          I'd say Microsoft's NT problems are a classic example of different parts of Microsoft fundamentally disagreeing about objectives, like security vs. backwards compatibility.

          ____

          Apple initially had overlapping permissions systems: the BSD-based one, the NeXT-based one and the various applications' one from the mess that was OpenStep's security. They had to introduce a fourth one for connectivity to Microsoft networks. They've unified them somewhat and added 2 more security modules based on capabilities but they had a tremendous mess.

          _____

          Arguably:
          Microsoft started further ahead but couldn't handle the conflicts between competing interests.
          Apple had a total mess but made better compromises.

          That is the opposite of what you were claiming.

          • Opposite. Ohhh-kay . . . I think that you are offering a more nuanced explanation of things, and probably more accurate for the nuances. But, the case I'm making is, Apple's finished product was demonstrably more secure in real world environments, for real world users, for a long time. Microsoft has made tremendous improvements since then, and may rival Apple today, depending on one's perspective.

            I'll return to my original statements, regarding the costs of dealing with compromised systems.

            I'm somewhat s

            • by jbolden (176878)

              Thank you for the polite response.

              Apple's finished product was demonstrably more secure in real world environments, for real world users, for a long time

              I can absolutely agree with that. Since 2001 Mac end users who do not have complex security needs have had a much more secure experience. As my daily home and often work machine I've been on a Mac since 10.1 and don't run anti-virus and don't really have to think about it. That's rather impressive.

          • by Anonymous Coward

            NT started by actually being a VMS kernel, with much of the code lifted straight from the work David Cutler brought with him from DEC when his latest project got canned and Microsoft hired him. (Look at the old lawsuits from DEC, the settlements, and the memory architecture of NT for evidence of this.) It was basically written for the 64-bit Alpha architecture from DEC. It was possible to rewrite for the Pentium because much of the Pentium architecture was stolen from the Alpha! So it's not surprising NT w

            • by jbolden (176878)

              The security model and much of its formerly clean architecture had to be discarded

              I don't know that it had to be. Microsoft chose to discard it. They could easily have made opposite choices. They could have, for example, introduced a porting system. They could have introduced individual application sandboxes (remember these were part of OS/2, so Microsoft did know how to do them), etc...

              Microsoft chose to make the migration from Win95/98 painless for application developers. That gave them a huge appli

      • How would you measure? How would you compare?

        How many exploits have existed in the wild?

        It's something you can look at for desktops and mobile platforms.

        The password reset issue was bad, but Apple did the right thing there and clamped shut the vulnerable page until the issue was fixed.

        Meanwhile in a world where Apple is supposedly leaving people exposed, we get daily trojans on Android that can exploit SMS directly.

  • by hsmith (818216) on Sunday March 31, 2013 @09:14AM (#43323755)
    The famed incident was more of a social engineering hack than anything else. Which, let's be fair, you can have the best security in the world, but humans are the biggest weakness in any real system.

    Security is a constantly evolving game - people are constantly developing exploits. Could Apple be better? Everyone can. Are they bad? I don't think they are horrible.

    Hell, how many people don't even have PIN screens setup on their phone. Most people just don't care at all.
    • Re: (Score:2, Interesting)

      by GNULinuxGuy (2483278)

      I think most people just realize PINs are more hassle than they're worth. Having to enter them all the time while in public, with people and CCTV cameras everywhere, it's not exactly a secret number anymore.

      • by Shavano (2541114)
        True, but my company sez I have to set a PIN if I want to see my corporate email on my phone.
    • by Anonymous Coward

      Hell, how many people don't even have PIN screens setup on their phone. Most people just don't care at all.

      That may be because they are practically useless except to fend off children and non-tech people. You can use one of the screen unlocking mechanisms people have figured out (lol, Apple engineers don't know how to make a state diagram and implement it properly) or simply connect the device to a computer and let it brute force the PIN, since PIN failures through the USB access don't count towards the "fai

      • Seriously, don't use iOS for anything requiring real security.

        I hate those FTFY posts, but in this case I believe it's called for:

        Don't use a phone of any kind for anything requiring real security.

      • by hsmith (818216)
        But, I'd say for a majority of people the PIN is simply enough. Yes, iOS and Android are trivial to hack, but lacking one opens them up to easy exploits. I mean, a 4-digit numeric PIN is virtually useless, but it would protect you when your phone got stolen.
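Two comment threads above make the same argument from different ends: the PIN thread (a 4-digit PIN is 10,000 values, most people pick 1234 or 1111, and a retry limit means nothing if the PIN can be checked against a cloned image) and the Anonymous Coward above (a USB path where failures do not count toward the lockout). The following is an added example, not code from Apple or from Elcomsoft: a toy device with a salted, stretched PIN verifier and a failure counter, attacked once through the counted screen path and once through a path that never touches the counter. The lockout policy, the salt, the iteration count and the "common PIN" head of the guess list are constructed for illustration; the list is not the datagenetics.com dataset linked in the thread.

```python
"""Brute-forcing a 4-digit PIN: a counted screen path next to an uncounted path.

Added example, not code from Apple or from Elcomsoft. It models the argument
made in this thread and the earlier one about 4-digit PINs and retry limits:
the keyspace is 10,000 values, popular choices (1234, 1111, ...) fall in the
first few guesses, and a lockout only protects if every path that checks the
PIN also increments the failure counter. The device, its lockout policy, the
salt, the iteration count and the common-PIN list are constructed for
illustration (the thread links datagenetics.com for real frequency data; the
list here is not that dataset).
"""
import hashlib
import itertools

COMMON_PINS = ["1234", "1111", "0000", "1212", "7777",
               "1004", "2000", "4444", "2222", "6969"]
MAX_FAILURES = 10          # assumption: lock (or wipe) after ten bad guesses
PBKDF2_ROUNDS = 100        # assumption; kept low so the example runs in seconds


def pin_guesses():
    """Yield the popular PINs first, then every remaining 4-digit string."""
    seen = set(COMMON_PINS)
    yield from COMMON_PINS
    for digits in itertools.product("0123456789", repeat=4):
        pin = "".join(digits)
        if pin not in seen:
            yield pin


class Device:
    """Stores a salted, stretched PIN verifier plus a failure counter."""

    def __init__(self, pin, salt=b"constructed-salt"):
        self.salt = salt
        self.verifier = self._derive(pin)
        self.failures = 0
        self.locked = False

    def _derive(self, pin):
        # Stretching raises the cost per guess; it does not enlarge the keyspace.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, PBKDF2_ROUNDS)

    def unlock_via_screen(self, pin):
        """Counted path: each failure increments the counter; lockout is enforced."""
        if self.locked:
            return False
        if self._derive(pin) == self.verifier:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
        return False

    def unlock_via_uncounted_path(self, pin):
        """Uncounted path: same verifier, but nothing touches the counter or the
        lock. Stands in for a cable/backup interface, or an offline check
        against a cloned image of the device."""
        return self._derive(pin) == self.verifier


def attack(try_fn, limit=10_000):
    """Walk the guess order through try_fn; return (pin, guesses) or (None, guesses)."""
    guesses = 0
    for guess in itertools.islice(pin_guesses(), limit):
        guesses += 1
        if try_fn(guess):
            return guess, guesses
    return None, guesses


if __name__ == "__main__":
    d = Device("8352")
    print(attack(d.unlock_via_screen))          # (None, 10000): lockout holds
    print(attack(d.unlock_via_uncounted_path))  # ('8352', 8353): counter never moved
```

The uncounted path finds even an unpopular PIN after a full sweep, and nothing in the key-stretching changes that, because stretching multiplies the attacker's work by a constant while the keyspace stays at 10,000. The only defences that matter here are binding the verifier to something the attacker cannot clone and making every check path share one counter.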
  • Bullshit (Score:3, Insightful)

    by Anonymous Coward on Sunday March 31, 2013 @09:39AM (#43323895)

    Every single one of these "possible attacks" exists in nothing more than the submitter's mind.

    "bandits have plenty of places to chip away at private information at the periphery: intercepting wireless location data, cracking the still-private protocols for services like FaceTime or iMessage, or imitating iTunes updates to install to take over a user's phone"

    None of these things are possible. FaceTime and iMessage are encrypted end-to-end. iTunes updates are signed. If you want to know how they work, buy a fucking disassembler. Until then, don't spout off bullshit, it just makes you sound like an ignoramus.

  • Not quite true (Score:5, Informative)

    by gnasher719 (869701) on Sunday March 31, 2013 @09:50AM (#43323945)
    "Anybody could access ... with just AppleID and date of birth" is not true. You needed someone's AppleID, date of birth, _and_ the knowledge of a clever hack. As a reaction, Apple first shut down the site, then fixed the problem.

    The "social engineering hack" won't work anymore once you switch your AppleID to two factor authentication. The disadvantage is that if you lose two of (password, backup code, trusted device), Apple _cannot_ restore your account. It becomes unusable. The reason social engineering won't work is that even a proven genuine account owner cannot get help.
    • by AdamWill (604569)

      "As a reaction, Apple first shut down the site"

      They 'shut down the site' in a way which did not prevent access to the hack. They just hung an 'Under Construction' sign over the front page of the site, but the 'hack' - really, just entering a deeper-level URL - continued to work just fine. They screwed up what ought to have been the simplest step of the fix process: "block access to the exploit".
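The failure AdamWill describes has a general shape: a maintenance page honoured by the front-page handler alone, while the deeper URL that performs the sensitive action keeps answering. The following is an added example, not Apple's code: a minimal WSGI application with a hypothetical /account/reset route, first with the maintenance check placed only in the "/" branch, then with the same check as middleware in front of the dispatcher so no route can be reached around it. Routes, handlers, the request builder and the flag are constructed for illustration.

```python
"""An "under construction" page on the front door next to a gate on every route.

Added example, not Apple's code. It shows the failure described above: a
maintenance page that only the front-page branch honours leaves the deeper URL
performing the sensitive action reachable, whereas a gate in front of the
dispatcher covers every path. The routes (including the hypothetical
/account/reset), the handlers, the request builder and the maintenance flag
are all constructed for illustration.
"""

MAINTENANCE = {"on": False}        # mutable so both apps below share one switch
TEXT = [("Content-Type", "text/plain")]


def home(environ, start_response):
    start_response("200 OK", TEXT)
    return [b"home"]


def reset_form(environ, start_response):
    # Stands in for the sensitive action that lives at a deep URL.
    start_response("200 OK", TEXT)
    return [b"password reset form"]


def under_construction(environ, start_response):
    start_response("503 Service Unavailable", TEXT + [("Retry-After", "3600")])
    return [b"under construction"]


ROUTES = {"/": home, "/account/reset": reset_form}


def dispatch(environ, start_response):
    """Plain router with no maintenance logic of its own."""
    handler = ROUTES.get(environ.get("PATH_INFO", "/"))
    if handler is None:
        start_response("404 Not Found", TEXT)
        return [b"not found"]
    return handler(environ, start_response)


def naive_app(environ, start_response):
    """Weak: the maintenance check lives only where someone remembered to put it."""
    if MAINTENANCE["on"] and environ.get("PATH_INFO", "/") == "/":
        return under_construction(environ, start_response)
    return dispatch(environ, start_response)


def maintenance_gate(app):
    """Hardened: WSGI middleware that answers 503 before any handler runs."""
    def gated(environ, start_response):
        if MAINTENANCE["on"]:
            return under_construction(environ, start_response)
        return app(environ, start_response)
    return gated


hardened_app = maintenance_gate(dispatch)


def get(app, path):
    """Drive a WSGI app with a constructed GET request; return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "SERVER_NAME": "example.test",
        "SERVER_PORT": "80",
        "wsgi.url_scheme": "http",
    }
    body = b"".join(app(environ, start_response))
    return captured["status"], body
```

With the flag on, `naive_app` still serves the reset form at the deep path while `hardened_app` refuses everything, including unknown paths; a real deployment would put the same gate at the load balancer or reverse proxy, where it covers hosts and paths the application code never sees.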

  • Can we stop with the mentioning of DDOS and security in the same breath as if they were related?
  • No Need to Worry (Score:4, Insightful)

    by Trip6 (1184883) on Sunday March 31, 2013 @10:22AM (#43324135)
    Apple will be irrelevant soon.
    • by Anonymous Coward

      Apple will be irrelevant soon.

      This quote has been spoken by:

      Amiga
      Be
      Commodore
      Compaq
      DEC
      IBM's PC division
      Sun
      Gateway

      Soon to be joining them,
      HP
      Dell

    • I really mean this - not intended to be flamebait. Without Jobs, Apple's grasp of the perfect user experience will give way to engineers' insistence on packing on new features. The products will become harder and more cumbersome to use, and the premium Apple charges for the perfect user experience will be shunned by the market. And then they will be toast.
