Not best practices: Apple’s iCloud is neither private nor secure

by Paul Rubell, Esq.

Can your business survive a massive data breach? If your business stores, backs up or syncs its data to the cyber cloud, take note. Apple’s iCloud is currently the subject of ransomware. As you will read, the moral of this article is that confidential business data, trade secrets, customer lists and other information are at peril if they are stored off-site on a remote web server such as Office365 or iCloud. The details are fascinating, but the song remains the same as it has always been: caveat emptor when it comes to the world of processing information online.

A hacking group that calls itself the Turkish Crime Family alleges that it has gained remote access to more than 627 million iCloud accounts maintained on Apple’s servers. The group has threatened to delete all of the data maintained on those accounts, as well as data contained on the Apple desktop and mobile devices to which the accounts are connected. Turkish Crime Family has claimed on Twitter that the data will be deleted unless Apple pays a ransom by April 7, 2017. The amount of the ransom is either $75,000 US in Bitcoin or Ethereum blockchain currency or $100,000 US in iTunes gift cards.

Apple users whose email addresses contain the domains ‘icloud.com’ and ‘me.com’ are apparently at risk. The rogue hackers had posted a video on YouTube (ironically a Google company) that purportedly showed communications between the group and Apple. That video has been deleted, presumably at Apple’s insistence.

Notably, even iCloud accounts that utilize enhanced two-factor authentication are vulnerable. This casts a shadow over the entire concept of securing one’s data, because most users do not utilize robust 2-F authentication. (This author strongly urges you to enable 2-F on all of your financial and sensitive accounts.)

Apple has not made any public comment about this ransomware threat, presumably because Apple’s often-stated corporate policy is not to pay hostage fees. As a result, 624 million iCloud accounts could be deleted and, worse, the computers and devices to which those accounts belong could be wiped clean on April 7th.


Best practice to keep your trade secrets private: avoid Password Managers

by Paul Rubell, Esq.

Information is the currency of 2017. For this reason it is mission-critical to keep data currency safe, secure and private. Just as gold bricks should be stored in a physical safe, data needs to be kept secret electronically.

Passwords are the key to enter the digital vault. Strong passwords are designed to thwart hacking attacks but their drawback is that they can be difficult to remember. A weak password such as “123456” can be memorized, but a more clever password like “A1@b2*C3(d)Zx4#” can be readily forgotten. And when numerous passwords are deployed to protect data further, the problem is exacerbated. There are many ways to keep track of passwords. Although no single method is fool-proof, some techniques are more iron-clad than others.

In order to achieve data privacy, software developers urge their customers to purchase password manager applications. Some apps store passwords in the cloud on a remote web server; others host the electronic keys locally on a mobile or desktop device. In addition, some apps generate complex passwords using mathematical algorithms and store them in a data capsule. No matter how an app’s technology functions, the unifying theme is to secure all points of entry to electronic information in a single place. Experts urge us to use password manager applications for this reason. By the way, it does not matter whether an app is free of charge or not. What really matters is the app’s functionality and security.

As a result, many people download password managers for their Android phones such as LastPass, Keeper, 1Password, My Passwords, Dashlane Password Manager, Informaticore Password Manager, F-Secure KEY, Keepsafe, and Avast Passwords. Each of these popular apps has been downloaded from the Google Play store between 100,000 and 50 million times. What a relief to know that one’s data currency is secured and encrypted.

Unfortunately, their security is just vaporware. On February 28, 2017, a group of German security experts issued a report showing that all nine of these apps contain vulnerabilities that make them susceptible to compromise by hackers. In some cases the master key that locks the cryptic safe is stored in plain text, visible to the naked eye, let alone to a computer. In other cases, features that have been designed to make the apps user-friendly, such as auto-fill, are themselves insecure. To make this point crystal clear: the software developers built their apps with vulnerabilities built in.
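The two technical points above, that a password manager generates passwords for you and that some of the audited apps persisted the master key in plain text, can be seen side by side in code. The following is an added illustration written for this article, not code from any of the named apps or from the German report. It uses only the Python standard library; the on-disk record layout, the function names and the sample master password are constructed for the demonstration. The "insecure" record shows what the report criticised (the master secret written verbatim); the "secure" record stores only a random salt and a verifier derived with scrypt, so the file on disk never contains the secret. Encrypting the vault contents themselves (for example with AES-GCM under the derived key) is a separate step not shown here.

```python
import hashlib
import hmac
import json
import secrets
import string

# Character classes a generated password must draw from (assumption for this demo).
LETTERS = string.ascii_letters
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{}"
ALPHABET = LETTERS + DIGITS + SYMBOLS


def generate_password(length: int = 16) -> str:
    """Generate a random password with a CSPRNG (the secrets module, never random.random).

    Regenerates until at least one letter, one digit and one symbol are present.
    """
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c in LETTERS for c in candidate)
                and any(c in DIGITS for c in candidate)
                and any(c in SYMBOLS for c in candidate)):
            return candidate


# --- The pattern the report criticised: master secret persisted as-is -------------

def insecure_store(master_password: str) -> dict:
    """Record that would be written to disk by a naive app: the secret itself."""
    return {"master_key": master_password}


def insecure_check(record: dict, attempt: str) -> bool:
    """Unlock check that simply compares the stored secret with the attempt."""
    return record["master_key"] == attempt


# --- Hardened form: persist only a salt and a slow-hash verifier -------------------

def derive_key(master_password: str, salt: bytes) -> bytes:
    """Derive a 256-bit key from the master password with scrypt (memory-hard KDF)."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def secure_store(master_password: str) -> dict:
    """Record for disk: a fresh random salt plus a hash of the derived key.

    Neither the master password nor the derived key is written anywhere.
    """
    salt = secrets.token_bytes(16)
    key = derive_key(master_password, salt)
    verifier = hashlib.sha256(key).hexdigest()
    return {"salt": salt.hex(), "verifier": verifier}


def secure_check(record: dict, attempt: str) -> bool:
    """Unlock check: re-derive the key from the attempt and compare in constant time."""
    key = derive_key(attempt, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(hashlib.sha256(key).hexdigest(), record["verifier"])


def leaks_master_secret(record: dict, master_password: str) -> bool:
    """Simulate an attacker reading the file: does the secret appear verbatim?"""
    return master_password in json.dumps(record)


if __name__ == "__main__":
    master = "correct-horse-battery-staple"  # constructed sample master password
    print("generated site password:", generate_password(20))
    naive = insecure_store(master)
    hardened = secure_store(master)
    print("naive record leaks secret:   ", leaks_master_secret(naive, master))
    print("hardened record leaks secret:", leaks_master_secret(hardened, master))
    print("hardened unlock (right pw):  ", secure_check(hardened, master))
    print("hardened unlock (wrong pw):  ", secure_check(hardened, "guess"))
```

Running the script shows the naive record containing the master password in clear, exactly what a file read by malware or a forensic tool would expose, while the hardened record reveals only a salt and a hash, and still unlocks correctly for the right password and rejects a wrong one. The scrypt parameters (n=2**14, r=8, p=1) are a reasonable interactive-unlock cost on a phone; raise them where the hardware allows.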


Relying on an app in the cloud to keep a company’s trade secrets private is irresponsible. If you need a financial incentive to protect your company’s golden eggs, you should be aware that some cyberliability insurance policies exclude data breaches from insurance coverage if the breach might be related to the company’s use of insecure software applications such as password managers. It is incumbent upon each of us to design protocols and corporate policies that maintain the integrity as well as the privacy of the gate-keepers to our most important and vulnerable trade secrets.

Caveat emptor. Let the buyer beware. Best practices demand more from each of us than downloading apps from that “iCandy Store in the Cloud.” The Google Play store is insecure, as are the password manager apps that are available for download there. After decades of building your business, it is reckless for you to rely blindly on public software to protect your golden goose. Your company does not want to litigate, and you do not want to lose a shareholder derivative lawsuit claiming that you breached your fiduciary duty by failing to secure information.

Take due care and exercise due caution. Get expert advice. Purchase cyberliability insurance. Develop best practices. Build a digital Fort Knox to keep safe your business’ trade secrets.
