Does Apple Need To Get Serious About Security?
An anonymous reader writes "An article at The Verge makes the case that Apple's development of its cloud services hasn't been accompanied by the necessary effort to ramp up security to match users' increasing levels of risk. As evidence, they use a recent (and very simple) security hole that allowed anyone to reset an Apple ID password with just a user's email address and birth date. Apple's initial response failed to fully stop the exploit, and then it took several days for them to fix the issue. 'A server-side attack on Apple's cloud could get customers' credit card numbers and addresses, device backups with their encryption keys — as well as contacts and Apple IDs — anonymously and in bulk. Those systems may be defended like a castle, but bandits have plenty of places to chip away at private information at the periphery: intercepting wireless location data, cracking the still-private protocols for services like FaceTime or iMessage, or imitating iTunes updates to install to take over a user's phone. There's nothing sexy about securing these systems. None of them contribute directly to Apple's bottom line. And when it came to securing a business netting it an estimated $2 billion each year, Apple locked the screen door and left the front door open, without asking anyone else to check that the house was safe.' The article also points out that many other cloud service providers have detailed privacy and security policies, and actively participate in developing best practices, whereas Apple's procedures are shrouded in the company's typical secrecy. The article comes alongside reports of a way for people to DDoS other users' iMessage box."
Apple will get serious when you do. (Score:5, Insightful)
The more a phone is Cracked (Score:2)
the effect of Paris Hilton's phone getting hacked was to vastly increase the sales of the model
I think that was more down to accidental celebrity endorsement than any security vulnerability.
Re:The more a phone is Cracked (Score:4, Insightful)
Of course it was. But the fact that "Paris Hilton uses it" meant immensely more to most people than "she got owned because it was absurdly easy to hack" demonstrates security is not something that matters at all to most of Apple's customers, and thus is not something that Apple feels a need to matter to them.
Re: (Score:1)
Apple can Quadruple-AES-4096 encrypt the phone and close ALL bugs including Jailbreak, if Paris uses "1234" as PIN, it won't matter (and I firmly believe that 1234 is too complex a password for her anyways...)
Re: (Score:2)
Apple can Quadruple-AES-4096 encrypt the phone and close ALL bugs including Jailbreak, if Paris uses "1234" as PIN, it won't matter (and I firmly believe that 1234 is too complex a password for her anyways...)
Typical blame the victim IT security type.
If your default locking mechanism recommends a four digit PIN code and you have no way (like a bank) of enforcing a retry limit since it is possible to do a memory clone of your device, who is to blame if the mechanism fails? The customer who used it as it seemed to be designed or the engineer who chose the mechanism? The person who just went to a shop and assumed that the system they bought was fit for being a personal mobile device or the engineer who failed t
Re: (Score:1)
iPhone supports > 4 digit passcodes so I don't know what you're smoking.
Facial recognition is crap because it is defeated by printing out a picture of the owner and waving it in front of the phone's camera.
Re: (Score:3, Funny)
Re: (Score:3)
Apple can Quadruple-AES-4096 encrypt the phone and close ALL bugs including Jailbreak, if Paris uses "1234" as PIN, it won't matter (and I firmly believe that 1234 is too complex a password for her anyways...)
And for most people it seems. Have you read: http://www.datagenetics.com/blog/september32012/ [datagenetics.com] ?
If your default locking mechanism recommends a four digit PIN code and you have no way (like a bank) of enforcing a retry limit since it is possible to do a memory clone of your device, who is to blame if the mechanism fails? The customer who used it as it seemed to be designed or the engineer who chose the mechanism? The person who just went to a shop and assumed that the system they bought was fit for being a personal mobile device or the engineer who failed to make it that way?
iPhone has a 4 digit PIN, and full pass phrase, complete with timed lockout after multiple bad passwords, and with the option of wiping the device.
A six digit PIN would be nice, but would probably be birth dates too hohum.
Samsung has come up with ideas such as facial recognition.
I thought that was cool too. But once I had fooled it with a (bad) photo of me displayed from my iPhone I decided that it was a terrible idea. I'm sure it would have problems with my habit of gro
Re: (Score:2)
Apple can Quadruple-AES-4096 encrypt the phone and close ALL bugs including Jailbreak, if Paris uses "1234" as PIN, it won't matter (and I firmly believe that 1234 is too complex a password for her anyways...)
And for most people it seems. Have you read: http://www.datagenetics.com/blog/september32012/ [datagenetics.com] ?
Not my quote please note. It is well known that to avoid the complexity of 1234 most people switch to 1111. This makes PIN codes terrible for exposed data.
If your default locking mechanism recommends a four digit PIN code and you have no way (like a bank) of enforcing a retry limit since it is possible to do a memory clone of your device, who is to blame if the mechanism fails? The customer who used it as it seemed to be designed or the engineer who chose the mechanism? The person who just went to a shop and assumed that the system they bought was fit for being a personal mobile device or the engineer who failed to make it that way?
iPhone has a 4 digit PIN, and full pass phrase, complete with timed lockout after multiple bad passwords, and with the option of wiping the device. A six digit PIN would be nice, but would probably be birth dates too hohum.
It's typical for someone with little security experience to miss the fact that the attacker always goes for the weakest link. Having two different codes is likely to make things weaker than having one unless you are very, very careful. In this particular case Elcomsoft provides standard software [crackpassword.com] which can use just the PIN to bypass all the other secur
Re: (Score:2)
Apple can Quadruple-AES-4096 encrypt the phone and close ALL bugs including Jailbreak, if Paris uses "1234" as PIN, it won't matter (and I firmly believe that 1234 is too complex a password for her anyways...)
Typical blame the victim IT security type.
That's funny coming from somebody who blames Apple for the fact that Paris Hilton's T-Mobile Sidekick was hacked.
Think of the Little People (Score:2)
Of course it was. But the fact that "Paris Hilton uses it" meant immensely more to most people than "she got owned because it was absurdly easy to hack" demonstrates security is not something that matters at all to most of Apple's customers, and thus is not something that Apple feels a need to matter to them.
No! Not in the slightest. People who *admire* Paris Hilton... definitely not "most" (sic) or even some, but that select group of people who are swayed by her. I suspect it actually did a lot of harm, as many of that select group, who I would not be astonished to learn had been given iPhones by Apple as (cough) gifts, are people who love exposure, but only the type they manage. I suspect those people have ditched those phones now.
Re:The more a phone is Cracked (Score:5, Informative)
Of course it was. But the fact that "Paris Hilton uses it" meant immensely more to most people than "she got owned because it was absurdly easy to hack" demonstrates security is not something that matters at all to most of Apple's customers, and thus is not something that Apple feels a need to matter to them.
Wait. When Paris Hilton's phone got hacked a number of years ago, it was a T-Mobile Sidekick.
Re: (Score:2)
Re: (Score:2)
...customers don't take security seriously.
Disregarding your jibe about Microsoft (because it's irrelevant and I don't care about them anyway), Apple and just about everybody else is in a bind. They need their services to be available to the individuals who have signed up for them. But those individuals are often too overloaded to take the trouble to use strong passwords and/or multi-factor authentication when available. Even if they do, there's always the risk of interception. At the same time, the service provider has to offer a means to reset cr
Re: (Score:2)
IMHO I think obviously systems like calling a home phone (they call you) to do a password reset work pretty well. The phone system while not hack proof is fairly resilient.
That failing we do have institutions available in huge numbers all over the world that do authentication as part of their core business function, banks. I'd say Apple, Google, etc... should partner with banks and allow them to do resets based on physical credentials (like a passport) for a nominal fee (say $10).
Paris = sidekick (Score:4, Informative)
Paris Hilton was a spokesperson for Danger's HipTop (Sidekick on T-Mobile). That was the phone that got hacked. And her endorsement of the phone was well known prior to the hacking. They had huge Hollywood parties and she appeared in public using the phone regularly.
Apple wasn't involved.
Re: (Score:2)
Apple wasn't involved.
I know that failing to read the article is de rigueur. I do follow the new fashion on Slashdot of not reading the summary. However, failing to read the comment you are replying to is a new and excellent level of trolling. Well played that man. At no point in my comment did I claim Apple was involved but you just read a random sentence and then assumed I would. Cool.
Paris Hilton was a spokesperson for Danger's HipTop (Sidekick on T-Mobile). That was the phone that got hacked. And her endorsement of the phone was well known prior to the hacking. They had huge Hollywood parties and she appeared in public using the phone regularly.
Actually, it was widely publicised at the time [playstation.com] that the publicity campaign had been pretty much a failure up till the hack and that the
Re: (Score:2)
Actually, it was widely publicised at the time [playstation.com] that the publicity campaign had been pretty much a failure up till the hack and that the hack caused a vast increase in sales.
Nonsense. Paris was hacked Feb 2005. Oct 2002 the Sidekick went on sale. By the time of Paris' hack there were 3 very successful models in: original, color and Sidekick 2. This is a video which shows you the promotions on TV from the year before.
A backup failure incidentally is what killed the Sidekick. While n
Re: (Score:1)
Re: (Score:3)
It's too late by then. Security needs to be designed into a system from the start. You can't put it in within minutes of somebody wanting it.
See Microsoft, they've been trying for decades to retrofit security into their systems, and failing. You think Apple's engineers can do better?
Ya! (Score:2)
So, I'll answer the question with "Nah! They're doing fine!" just to be Troll.
It's more likely going to move the discussion onto redefining the word troll.
Re: (Score:1)
The fuck are you talking about? What would you call this, for example? [forbes.com]
Re: (Score:2)
So, I'll answer the question with "Nah! They're doing fine!" just to be Troll.
Every time I read any connectivity spec regarding Apple products these days, it always bangs on about thunderbolts and lightning. I find that very, very frightening.
My Experience (Score:1, Troll)
I worked for them until recently, and I can say people walk around (in my area) talking about the impervious OS X, and I chuckle.
I honestly don't think Apple has taken security as seriously as say, Microsoft.
But this is one person's experience, and I was seriously disillusioned after working for them, but that's more likely a result of my initial naïveté.
Without Jobs' fascism Apple is another corporation that will quickly slide into suck; here's hoping you got out above 600.
Re: My Experience (Score:1)
It won't be a quick slide, but it will be a slow, steady slide down. Steve Jobs made the whole package. No other company can do that and be competitive. Just look at RIM, Palm, etc.
Apple will end up like them.
Re: (Score:2)
It won't be a quick slide, but it will be a slow, steady slide down. Steve Jobs made the whole package. No other company can do that and be competitive. Just look at RIM, Palm, etc.
Let me just make an observation. There are plenty of people claiming that Apple will inevitably go downhill without Steve Jobs. On the other hand, on The Register, where they discuss how Nolan Bushnell (ex-Atari) mentioned his ex-employee Steve Jobs, they insist that he didn't actually do anything worthwhile at all, that he is just a marketing guy doing nothing of any worth, and his success is all due to pure luck.
So which one is it?
Re: (Score:3)
Why can't both be true? The new CEO doesn't seem to have the same luck or marketing ability. Even if they were an innovative company, you frequently still need marketing and luck to really succeed.
Re: (Score:2)
Re: (Score:3)
Actually - there are few similarities between Apple and Microsoft. The two greatest similarities are market hype, and financial success. And, we might say that each has enjoyed something of a cult following, although the cults themselves are quite different.
I would elaborate further, but I'd be typing for half the day if I ever got started. Especially since I would probably start googling for citations on some of it.
But, you go ahead and believe that Apple and Microsoft are similar on security. Whatever
Re: (Score:2)
Re: (Score:1)
As a whole system, with the locked-down Mac App Store, OS X is fairly secure.
Re: (Score:2)
All apps from the Mac App Store are both signed and sandboxed. Incredibly more secure by design for the very things you mentioned than an app installed and run from anywhere else.
Re: (Score:2)
That security is just designed to let Apple spend less effort curating the App Store. Most commercial applications are not trying to do bad things to customers' computers, and most commercial applications do not have wide enough distribution to be an effective attack vector. All of that security is just there so that it is hard for people to use the App Store as a malware distribution platform. It doesn't actually provide much benefit for software users, and it is a royal pain in the ass for software devel
Re: (Score:2)
Re: (Score:2)
This just in... obvious fanboi is obvious.
"They aren't trying to help at all" - no, clearly Microsoft has done nothing to improve the security of their OSes in the last decade. At least in the bizarro world you live in. Wouldn't it be great if they released a great, free product like Microsoft Security Essentials? That would be awesome. If only that happened.
The fact that you believe vulnerability to viruses is "a loophole" means you don't even know what the words you're using mean.
Re: (Score:2)
So you consider a Virus scanner a "security suite"?
Let me guess: you are an upper-level manager or an executive of some type.
Re: (Score:1)
How many security issues has Apple had? (Score:5, Insightful)
Compared to everyone else?
That journalist was one case. The article mentioned a lot of scary things, but no one has done any of it yet. And some of these services have been around for almost 2 years.
Re: (Score:2)
MS and Apple disclose only what they fix. They also don't have the same amount of users for their operating systems. The more eyeballs on one's product, the more flaws get discovered.
Re: (Score:2)
How would you measure?
Google might help to find how many billions of dollars have been spent by corporations and businesses to alleviate damage from Microsoft's security flaws.
A similar search might find similar figures for Apple's security flaws. Or not.
Microsoft started out without any security model at all. Further, Microsoft has often sacrificed security for convenience and/or backward compatibility. Apple started with a Unix-like security model. It is fair to say that Microsoft has been steadily im
Re:how many security issues has apple had? (Score:4, Insightful)
Actually, Microsoft NT started with a capability-based system, not a permissions system, which is vastly, vastly more secure. The problem they realized very quickly was that end users couldn't handle capabilities, and their application ecosystem wasn't compatible with it. Internet Explorer being a serious example because at that point it was the default shell. So end users ended up granting almost unlimited capabilities to most applications. At that point Microsoft began introducing permissions...
I'd say Microsoft's NT problems are a classic example of different parts of Microsoft fundamentally disagreeing about objectives, like security vs. backwards compatibility.
____
Apple initially had overlapping permissions systems: the BSD based one, the NeXT based one and the various application ones from the mess that was OpenStep's security. They had to introduce a fourth one for connectivity to Microsoft networks. They've unified them somewhat and added 2 more security modules based on capabilities, but they had a tremendous mess.
_____
Arguably:
Microsoft started further ahead but couldn't handle the conflicts between competing interests.
Apple had a total mess but made better compromises.
That is the opposite of what you were claiming.
Re: (Score:2)
Opposite. Ohhh-kay . . . I think that you are offering a more nuanced explanation of things, and probably more accurate for the nuances. But, the case I'm making is, Apple's finished product was demonstrably more secure in real world environments, for real world users, for a long time. Microsoft has made tremendous improvements since then, and may rival Apple today, depending on one's perspective.
I'll return to my original statements, regarding the costs of dealing with compromised systems.
I'm somewhat s
Re: (Score:2)
Thank you for the polite response.
Apple's finished product was demonstrably more secure in real world environments, for real world users, for a long time
I can absolutely agree with that. Since 2001 Mac end users who do not have complex security needs have had a much more secure experience. As my daily home and often work machine I've been on a Mac since 10.1 and don't run anti-virus don't really have to think about it. That's rather impressive.
Re: (Score:1)
NT started by actually being a VMS kernel, with much of the code lifted straight from the work David Cutler brought with him from DEC when his latest project got canned and Microsoft hired him. (Look at the old lawsuits from DEC, the settlements, and the memory architecture of NT for evidence of this.) It was basically written for the 64-bit Alpha architecture from DEC. It was possible to rewrite for the Pentium because much of the Pentium architecture was stolen from the Alpha! So it's not surprising NT w
Re: (Score:2)
The security model and much of its formerly clean architecture had to be discarded
I don't know that it had to be. Microsoft chose to discard it. They could easily have made opposite choices. They could have, for example, introduced a porting system. They could have introduced individual application sandboxes (remember these were part of OS/2, so Microsoft did know how to do them), etc...
Microsoft chose to make the migration from Win95/98 painless for application developers. That gave them a huge appli
Pretty easy to measure and compare (Score:1)
How would you measure? How would you compare?
How many exploits have existed in the wild?
It's something you can look at for desktops and mobile platforms.
The password reset issue was bad, but Apple did the right thing there and clamped shut the vulnerable page until the issue was fixed.
Meanwhile in a world where Apple is supposedly leaving people exposed, we get daily trojans on Android that can exploit SMS directly.
Who says they aren't? (Score:5, Interesting)
Security is a constantly evolving game - people are constantly developing exploits. Could Apple be better? Everyone can. Are they bad? I don't think they are horrible.
Hell, how many people don't even have PIN screens setup on their phone. Most people just don't care at all.
Re: (Score:2, Interesting)
I think most people just realize PINs are more hassle than they're worth. Having to enter them all the time while in public, with people and CCTV cameras everywhere, it's not exactly a secret number anymore.
Re: (Score:1)
The protection they rely on is holding the device like they should. If it's taken the PIN will be trivially bypassed anyway. Now I feel like an idiot for replying to what probably amounts to a troll, but you never know.
Re: (Score:2)
Re: (Score:1)
Hell, how many people don't even have PIN screens setup on their phone. Most people just don't care at all.
That may be because they are practically useless except to fend off children and non-tech people. You can use one of the screen unlocking mechanisms people have figured out (lol, Apple engineers don't know how to make a state diagram and implement it properly) or simply connect the device to a computer and let it brute force the PIN, since PIN failures through the USB access don't count towards the "fai
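The retry-limit argument running through this thread (a four digit PIN is only as strong as the lockout behind it, and a lockout that one entry channel bypasses is no lockout) modelled as a small Python policy. This is an added example, not code from the thread or from Apple; the class, delay schedule and ten-failure wipe threshold are assumptions chosen for illustration.

```python
"""Added example: a channel-independent passcode lockout policy.

One failure counter is shared by every entry channel (touch screen, USB,
anything else), so a brute-force path that skips the screen still hits
the same escalating delays and the same wipe threshold.  The schedule
and thresholds below are assumed values, not any vendor's settings.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed schedule: lockout (seconds) applied after the Nth consecutive failure.
DELAY_AFTER_FAILURES = {5: 60, 6: 300, 7: 900, 8: 3600, 9: 3600}
WIPE_AFTER_FAILURES = 10          # assumed wipe threshold
KDF_ITERATIONS = 100_000          # slow KDF: an extracted digest stays costly


@dataclass
class PasscodeLock:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0
    wiped: bool = False

    @classmethod
    def create(cls, passcode: str) -> "PasscodeLock":
        salt = os.urandom(16)
        return cls(salt=salt, digest=derive(passcode, salt))

    def attempt(self, passcode: str, channel: str, now: float) -> str:
        """Evaluate one unlock attempt; returns 'wiped', 'locked',
        'unlocked' or 'failed'.  `channel` is informational only: the
        policy deliberately never consults it."""
        if self.wiped:
            return "wiped"
        if now < self.locked_until:           # refuse even a correct code
            return "locked"
        if hmac.compare_digest(derive(passcode, self.salt), self.digest):
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.failures >= WIPE_AFTER_FAILURES:
            self.wiped = True
            self.digest = b""                 # key material gone for good
            return "wiped"
        delay = DELAY_AFTER_FAILURES.get(self.failures, 0)
        if delay:
            self.locked_until = now + delay
        return "failed"


def derive(passcode: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, KDF_ITERATIONS)


def brute_force_until_wiped(lock: PasscodeLock, channel: str) -> list:
    """Simulate an attacker who always waits out each lockout; returns the
    sequence of outcomes.  Used to show the USB path fares no better."""
    now, outcomes = 0.0, []
    while True:
        result = lock.attempt("0000", channel, now)   # constructed wrong guess
        outcomes.append(result)
        if result == "wiped":
            return outcomes
        now = max(now + 1.0, lock.locked_until)


if __name__ == "__main__":
    lock = PasscodeLock.create("1234")
    print(brute_force_until_wiped(lock, "usb"))
```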
Sigh. (Score:1)
Seriously, don't use iOS for anything requiring real security.
I hate those FTFY posts, but in this case I believe it's called for:
Don't use a phone of any kind for anything requiring real security.
Re: (Score:2)
Bullshit (Score:3, Insightful)
Every single one of these "possible attacks" exists in nothing more than the submitter's mind.
"bandits have plenty of places to chip away at private information at the periphery: intercepting wireless location data, cracking the still-private protocols for services like FaceTime or iMessage, or imitating iTunes updates to install to take over a user's phone"
None of these things are possible. FaceTime and iMessage are encrypted end-to-end. iTunes updates are signed. If you want to know how they work, buy a fucking disassembler. Until then, don't spout off bullshit, it just makes you sound like an ignoramus.
Not quite true (Score:5, Informative)
The "social engineering hack" won't work anymore once you switch your AppleID to two factor authentication. The disadvantage is that if you lose two of (password, backup code, trusted device), Apple _cannot_ restore your account. It becomes unusable. The reason social engineering won't work is that even a proven genuine account owner cannot get help.
Re: (Score:2)
"As a reaction, Apple first shut down the site"
They 'shut down the site' in a way which did not prevent access to the hack. They just hung an 'Under Construction' sign over the front page of the site, but the 'hack' - really, just entering a deeper-level URL - continued to work just fine. They screwed up what ought to have been the simplest step of the fix process: "block access to the exploit".
PLEASE! (Score:2)
No Need to Worry (Score:4, Insightful)
Re: (Score:1)
Apple will be irrelevant soon.
This quote has been spoken by:
Amiga
Be
Commodore
Compaq
DEC
IBM's PC division
Sun
Gateway
Soon to be joining them,
HP
Dell
Not Flamebait - True (Score:2)