Cloud computing hit by 'Celebgate'
Enterprises are questioning their cloud strategy after Apple's iCloud service was implicated in the leak of nude celebrity photos. But should one bad Apple spoil the bunch?
They say all publicity is good publicity but for cloud computing, the mass media coverage of 'Celebgate' – the leaking of dozens of nude photos of Hollywood actresses and others stored on Apple's iCloud service – has severely damaged its credibility and caused many consumers and enterprises to question their cloud strategy.
The news first broke last weekend that nude photos of ‘Hunger Games’ actress Jennifer Lawrence, actress Mary Elizabeth Winstead and model Kate Upton had appeared online in what Lawrence's spokesperson called a “flagrant violation of privacy”.
The pictures – some genuine, some fake – were dumped on two image boards, 4chan and AnonIB, along with a list of over 100 other celebs whose images may have been stolen, including Downton Abbey actress Jessica Brown Findlay, model Cara Delevingne, singer Avril Lavigne and ‘Big Bang Theory’ actress Kaley Cuoco.
The leaks were blamed on hackers using brute-force attacks to crack the victims' Apple account passwords and download the images stored on iCloud.
The FBI began investigating, as did an “outraged” Apple which blamed the leaks on a “targeted attack on user names, passwords and security questions”.
Apple initially found no breach of iCloud or Find my iPhone and advised: “To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification (2FA).”
But damagingly, the BBC and mobile security firm Lookout, among others, reported that as well as Apple allowing repeated brute-force attacks in the first place, the 2FA system on iCloud can be bypassed using some commonly available software (whilst still needing the user's password), and in any case 2FA only protects some services – not including photo storage.
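The flaw described above is the absence of a per-account limit on failed login attempts. What follows is an added illustration, not Apple's code and not anything reported by the BBC or Lookout: a small failure-counting lockout beside an unthrottled login, each run against a constructed wordlist, plus a detector that flags accounts with a burst of failures in constructed authentication log lines. The log format, the thresholds, the account names and the one-guess-per-second attacker are all assumptions.

```python
"""Per-account failed-login throttling and a log-based brute-force detector.

Added example, not Apple's code. The log line format, account names,
thresholds and the one-guess-per-second attacker are all assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 5        # assumed: failures allowed before lockout
LOCKOUT_SECONDS = 900   # assumed: lockout length in seconds


class Throttle:
    """Counts consecutive failures per account and locks the account out."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.locked_until = {}

    def attempt(self, account, password_ok, now):
        """Return 'locked', 'denied' or 'allowed' for one attempt at time `now` (seconds)."""
        if self.locked_until.get(account, 0) > now:
            return "locked"               # rejected before the password is even checked
        if password_ok:
            self.failures[account] = 0
            return "allowed"
        self.failures[account] += 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account] = 0
        return "denied"


def dictionary_attack(account, real_password, wordlist, throttle=None):
    """Run a wordlist against one account, one guess per second.

    Returns (password_found_or_None, number_of_guesses_actually_verified).
    With no throttle every guess is verified; with a throttle the attacker
    gets MAX_FAILURES verified guesses and is then locked out.
    """
    checked = 0
    for second, guess in enumerate(wordlist):
        if throttle is None:
            checked += 1
            if guess == real_password:
                return guess, checked
            continue
        result = throttle.attempt(account, guess == real_password, second)
        if result == "locked":
            continue                      # server refused to verify this guess
        checked += 1
        if result == "allowed":
            return guess, checked
    return None, checked


# Constructed wordlist: the victim's password sits at position 42.
WORDLIST = [f"password{i}" for i in range(100)]
WORDLIST[41] = "sunshine42"


# --- detection side: count failures per account in a sliding window ---------

# Assumed log format: "<ISO timestamp> auth <OK|FAIL> account=<id> src=<ip>"
LOG_RE = re.compile(r"^(\S+) auth (OK|FAIL) account=(\S+) src=(\S+)$")


def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return the set of accounts with >= `threshold` failures inside `window`."""
    recent = defaultdict(list)
    flagged = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # ignore lines in any other format
        ts, result, account, _src = m.groups()
        if result != "FAIL":
            continue
        t = datetime.fromisoformat(ts)
        q = recent[account]
        q.append(t)
        while q and t - q[0] > window:    # drop failures older than the window
            q.pop(0)
        if len(q) >= threshold:
            flagged.add(account)
    return flagged


# Constructed log: 12 failures against one account in 12 seconds, plus noise.
_T0 = datetime(2014, 9, 1, 10, 0, 0)
SAMPLE_LOG = [
    f"{(_T0 + timedelta(seconds=i)).isoformat()} auth FAIL account=victim@example.com src=203.0.113.7"
    for i in range(12)
] + [
    f"{(_T0 + timedelta(seconds=3)).isoformat()} auth FAIL account=alice@example.com src=198.51.100.2",
    f"{(_T0 + timedelta(seconds=20)).isoformat()} auth OK account=alice@example.com src=198.51.100.2",
]

if __name__ == "__main__":
    print(dictionary_attack("victim@example.com", "sunshine42", WORDLIST))
    print(dictionary_attack("victim@example.com", "sunshine42", WORDLIST, Throttle()))
    print(detect_bruteforce(SAMPLE_LOG))
```

Against the unthrottled login the constructed wordlist recovers the password on the 42nd guess; against the throttled login the attacker gets five verified guesses and every later guess is refused unchecked for the lockout window. The detector is the server-side counterpart: a burst of failures against one account is the signal an operator would want to alert on whether or not the login path itself throttles.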
Apple then promised to beef up iCloud's security, with CEO Tim Cook telling The Wall Street Journal they would alert users when any account password was changed, when a device logs into an account for the first time, or if iCloud data is restored to a new device.
Forget Ed Snowden, this is Hollywood
In the aftermath, it's still not entirely clear who has been hacked, when and by whom. What is clear is that this breach has raised awareness of the privacy threat presented by smartphones and cloud storage to a whole new, global level.
As Andrew Conway, research analyst at threat prevention firm Cloudmark, put it: “We may see more impact in terms of people's concern about their security from hearing about celebrity nude photographs being leaked than we got from the Snowden revelations.”
Certainly when Kim Kardashian talks about people “needing to make sure they have every privacy setting”, you know that data protection has finally reached a mass audience.
More importantly, some industry heavy hitters think the event has been highly damaging to the credibility of cloud and is causing many enterprises to rethink their strategy.
Mike Janke, former US Navy SEAL and now CEO of Silent Circle, which produces the Android-based encrypting Blackphone, said: “This was a wake-up call for the mass market. We are being flooded with questions from hundreds of enterprise customers this week alone, about our thoughts and advice on their existing cloud strategy.”
Janke told us: “It is already having a strong negative impact in the marketplace. For a long time people and businesses simply took for granted that this ‘magic’ of the cloud meant it was secure. People viewed iCloud as the holy grail, now everyone is questioning what they put in the cloud.”
Other experts we spoke to are hoping businesses will rethink their approach to cloud – but not to the extent of deciding ‘one bad Apple spoils the whole barrel’.
James Lyne, head of research at security firm Sophos, said: “Blaming the cloud is very much the wrong approach but I think one that a lot of people will take.”
Lyne said: “Apple has been really quite remiss in that they've taken quite a long time to fix a very obvious flaw which enables 1990s-style brute-forcing attacks. So really what this raises is that you can't apply the term ‘cloud’ as a one-size-fits-all from a security posture perspective.
“Providers vary from really quite excellent to really quite poor, and consumers and businesses need to think a little bit more carefully about who's actually holding their data.”
Cloudmark's Andrew Conway shares this view: “This may be a setback for cloud storage when it should only be a setback for bad cloud storage,” he said.
The pundits expect business users to start asking much tougher questions of their cloud service suppliers.
Conway said: “I hope that businesses will at least give a proper risk assessment to the use of cloud storage, go through what are their exposures and come up with a decent corporate policy about what it's OK to use cloud storage for and what it isn't.”
Marc Rogers, principal security researcher at Lookout, added: “I wouldn't say this breach has undermined the cloud but it has armoured people with some pretty tough questions. I would anticipate that cloud service providers will be forced to step up their game over the next few months as a result.”
But most commentators think the setback for cloud will be temporary.
Rogers said: “Cloud service providers need to realise that they are under attack and take steps to protect the increasingly personal data they hold,” but feels: “As companies grapple with the ever expanding cloud of personal data they will increasingly look to the cloud as a solution.”
Richard Parris, CEO of cyber security experts Intercede, agreed: “The cloud is only going to get bigger.”
But Parris concludes: “Whenever security breaches of cloud infrastructure happen, it underlines the need for more robust measures and heightens public awareness for a new generation of online protection.
“Conversations are needed between governments, manufacturers, vendors and users to define what constitutes best practice in protecting people's digital assets. And after the conversations, action. Otherwise these breaches will just keep happening.”