Does Apple Need To Get Serious About Security?

← Back to Stories (view on slashdot.org)

Does Apple Need To Get Serious About Security?

Posted by Soulskill on Sunday March 31, 2013 @12:28AM from the apple-a-day-keeps-the-hackers-away dept.

An anonymous reader writes "An article at The Verge makes the case that Apple's development of its cloud services hasn't been accompanied by the necessary effort to ramp up security to match users' increasing levels of risk. As evidence, they use a recent (and very simple) security hole that allowed anyone to reset an Apple ID password with just a user's email address and birth date. Apple's initial response failed to fully stop the exploit, and then it took several days for them to fix the issue. 'A server-side attack on Apple's cloud could get customers' credit card numbers and addresses, device backups with their encryption keys — as well as contacts and Apple IDs — anonymously and in bulk. Those systems may be defended like a castle, but bandits have plenty of places to chip away at private information at the periphery: intercepting wireless location data, cracking the still-private protocols for services like FaceTime or iMessage, or imitating iTunes updates to install to take over a user's phone. There's nothing sexy about securing these systems. None of them contribute directly to Apple's bottom line. And when it came to securing a business netting it an estimated $2 billion each year, Apple locked the screen door and left the front door open, without asking anyone else to check that the house was safe.' The article also points out that many other cloud service providers have detailed privacy and security policies, and actively participate in developing best practices, whereas Apple's procedures are shrouded in the company's typical secrecy. The article comes alongside reports of a way for people to DDoS other users' iMessage box."

11 of 84 comments (clear)

Min score:

Reason:

Sort:

Apple will get serious when you do. by rtfa-troll · 2013-03-31 00:31 · Score: 5, Insightful

Apple needs to get serious at the moment that it's customers care or at the moment someone put's legal liability on them and not a minute earlier. Given that the effect of Paris Hilton's phone getting hacked was to vastly increase the sales of the model, I don't think that's going to happen some time soon.

--
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
Re:The more a phone is Cracked by Chris+Mattern · 2013-03-31 01:09 · Score: 4, Insightful

Of course it was. But the fact that "Paris Hilton uses it" meant immensely more to most people than "she got owned because it was absurdly easy to hack" demonstrates security is not something that matters at all to most of Apple's customers, and thus is not something that Apple feels a need to matter to them.
how many security issues has apple had? by alen · 2013-03-31 01:09 · Score: 4, Insightful

compared to everyone else?
that journalist was one case. the article mentioned a lot of scary things, but no one has done any of it yet. and some of these services have been around for almost 2 years.
1. Re:how many security issues has apple had? by jbolden · 2013-03-31 03:47 · Score: 3, Insightful
  
  Actually Microsoft NT started with a capability based system, not a permissions system which is vastly vastly more secure. The problem they realized very quickly was that end users couldn't handle capabilities, and their application ecosystem wasn't compatible with it. Internet Explorer being an serious example because at that point it was the default shell. So end users ended up granting almost unlimited capabilities to most applications. At that point Microsoft began introducing permissions...
  I'd say Microsoft's NT problems are a classic example of different parts of Microsoft fundamentally disagreeing about objectives, like security vs. backwards compatibility.
  ____
  Apple's initially had overlapping permissions systems: the BSD based one, the NeXT based one and the various applications one from the mess that was OpenStep's security. They had to introduce a fourth one for connectivity to Microsoft networks. They've unified them somewhat and added 2 more security modules based on capabilities but they had a tremendous mess.
  _____
  Arguably:
  Microsoft started further ahead but couldn't handle the conflicts between competing interests.
  Apple had a total mess but made better compromises.
  That is the opposite of what you were claiming.
Who says they aren't? by hsmith · 2013-03-31 01:14 · Score: 5, Interesting

the famed incident was more of a social engineering hack than anything else. Which, lets be fair, you can have the best security in the world, but humans are the biggest weaknesses in any real system.

Security is a constantly evolving game - people are constantly developing exploits. Could Apple be better? Everyone can. Are they bad? I don't think they are horrible.

Hell, how many people don't even have PIN screens setup on their phone. Most people just don't care at all.
Bullshit by Anonymous Coward · 2013-03-31 01:39 · Score: 3, Insightful

Every single one of these "possible attacks" exists in nothing more than the submitters mind.
"bandits have plenty of places to chip away at private information at the periphery: intercepting wireless location data, cracking the still-private protocols for services like FaceTime or iMessage, or imitating iTunes updates to install to take over a user's phone"
None of these things are possible. FaceTime and iMessage are encrypted end-to-end. iTunes updates are signed. If you want to know how they work, buy a fucking disassembler. Until then, don't spout off bullshit, it just makes you sound like an ignoramus.
Not quite true by gnasher719 · 2013-03-31 01:50 · Score: 4, Informative

"Anybody could access ... with just AppleID and date of birth" is not true. You needed someone's AppleID, date of birth, _and_ the knowledge of a clever hack. As a reaction, Apple first shut down the site, then fixed the problem.

The "social engineering hack" won't work anymore once you switch your AppleID to two factor authentication. The disadvantage is that if you lose two of (password, backup code, trusted device), Apple _cannot_ restore your account. It becomes unusable. The reason social engineering won't work is that even a proven genuine account owner cannot get help.
Paris = sidekick by jbolden · 2013-03-31 01:59 · Score: 3, Informative

Paris Hilton was a spokesperson for Danger's HipTop (Sidekick on T-Mobile). That was the phone that got hacked. And her endorsement of the phone was well known prior to the hacking. They had huge Hollywood parties and she appeared in public using the phone regularly.
Apple wasn't involved.
No Need to Worry by Trip6 · 2013-03-31 02:22 · Score: 3, Insightful

Apple will be irrelevant soon.

--
I hate being bipolar; it's awesome!
Re:The more a phone is Cracked by larry+bagina · 2013-03-31 03:44 · Score: 3, Funny

Also, it was made by asians, so it thinks all white people look the same.

--
Do you even lift?
These aren't the 'roids you're looking for.
Re:The more a phone is Cracked by 93+Escort+Wagon · 2013-03-31 05:24 · Score: 4, Informative

Of course it was. But the fact that "Paris Hilton uses it" meant immensely more to most people than "she got owned because it was absurdly easy to hack" demonstrates security is not something that matters at all to most of Apple's customers, and thus is not something that Apple feels a need to matter to them.
Wait. When Paris Hilton's phone got hacked a number of years ago, it was a T-Mobile Sidekick.

--
#DeleteChrome