Here is why you need to change your Apple password now – Canadian Government Executive

March 31, 2017

Here is why you need to change your Apple password now

Criminals have reportedly threatened to take over 250 million Apple accounts if Apple does not pay a ransom by April 7, 2017. Beyond the implications for Apple and its customers, this evolving situation highlights the need for good password hygiene, multi-factor authentication, and a plan to respond to extortion attempts.

According to Motherboard, which broke the story, the hackers contacted them and provided details of their scheme along with screenshots of alleged emails between the group and members of Apple’s security team. ZDNet also reported communicating with the hackers, who allegedly provided them with a set of 54 credentials. ZDNet was able to contact some of the account owners and verify that the passwords were valid.

Apple has told the media, “There have not been any breaches in any of Apple’s systems including iCloud and Apple ID. The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services.” If that is the case, then only customers who used the same password elsewhere should be impacted. However, ZDNet reported, “three people said that their iCloud email address and password were unique to iCloud, and were not used on any other site — a key anomaly that, if accurate, we can’t explain.”

Several scenarios are possible: the criminals could be bluffing, leveraging media exposure while holding only a small number of credentials. A large number of the passwords could be outdated. They may genuinely hold the stolen credentials and carry through with the threat, or they may not honour the April 7 deadline once Apple and its customers react to mitigate the risk. It is also possible that Apple servers could be swamped by users changing passwords.

From a customer’s perspective, criminals have allegedly threatened to reset Apple accounts and remotely wipe iPhones, and they have demonstrated possession of some credentials to the media, presumably to place increased pressure on Apple. A remote wipe would render an iPhone unusable, and changing the Apple account password would prevent users from restoring their phones. The same mechanism that prevents thieves from using stolen iPhones would be turned against owners until they regained access to their Apple account. Criminals could steal or delete data stored in iCloud (including backups) and wreak havoc with other Apple devices, including iPads, Macs, and Apple TVs. Abusing information from services such as Find My iPhone is also a possibility.

While there is some uncertainty as to precisely which accounts may have been compromised, the cost of changing a password is very low compared to the potential risks. Apple customers should therefore change their password immediately and turn on two-factor authentication. Information on two-factor authentication can be found at https://support.apple.com/en-ca/HT204915.

This incident highlights the need for good password hygiene. Using the same password for more than one account increases both the likelihood and the potential impact of a compromise. Given advances in password cracking techniques, the best approach is to use a password manager such as 1Password or LastPass to generate and manage random passwords. Where a random password is not practical, for example when it needs to be typed regularly instead of being inserted automatically by a password manager, choosing a long phrase that contains several words with numbers and symbols in between will make compromise more difficult.

In addition to choosing a different complex password for each account, everyone should take advantage of multi-factor authentication (MFA). Amazon, Apple, Facebook, Google, Microsoft, and Twitter, to name only a few, offer it for free. It is important to remember that MFA augments account security; it is not a replacement for using a unique complex password on each site.

Businesses should learn from this situation and ensure they are prepared to face an extortion attempt. In addition to a clear policy against paying ransoms, employees must be trained to respond, taking into account the need to preserve evidence, and that criminals may provide emails, chat transcripts, and other information to the media in an attempt to pressure or damage the company. The process to notify an incident response team must be clearly documented, along with outside contacts in law enforcement, public relations, and digital forensics.

As with any type of incident, a good public relations plan should be in place. Draft news releases for common scenarios, including advice to customers, may be extremely helpful, especially in organizations without significant experience responding to security incidents.

In addition to an internal error, scenarios outside the organization’s control such as phishing, malware, or third-party breach could lead to the compromise of customer passwords. All businesses that store customer credentials should ensure they have the ability to quickly invalidate all passwords and force customers through a reset process.
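One way to build the "invalidate every password at once" capability the paragraph calls for, as an added example that is not the author's code or Apple's: the store keeps a single generation counter, and a login with a hash recorded under an older generation is refused until the customer completes an out-of-band reset. Hashing with PBKDF2 and the 200,000-iteration work factor are assumptions for the demonstration.

```python
import hashlib, os, secrets
from dataclasses import dataclass


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    generation: int  # store's generation counter when this hash was set


class CredentialStore:
    ITERATIONS = 200_000  # assumed PBKDF2 work factor; tune for real hardware

    def __init__(self):
        self.generation = 1      # bumped on every site-wide invalidation
        self.users = {}          # username -> Credential
        self.reset_tokens = {}   # username -> one-time token sent out of band

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def set_password(self, user, password):
        salt = os.urandom(16)
        self.users[user] = Credential(salt, self._hash(password, salt), self.generation)

    def invalidate_all(self):
        # No row is rewritten: every existing hash is now older than the counter.
        self.generation += 1

    def login(self, user, password):
        cred = self.users.get(user)
        if cred is None or not secrets.compare_digest(
                cred.digest, self._hash(password, cred.salt)):
            return "denied"
        if cred.generation < self.generation:
            return "reset_required"  # stale hash: only the reset flow gets back in
        return "ok"

    def begin_reset(self, user):
        token = secrets.token_urlsafe(32)  # delivered via e-mail, never echoed
        self.reset_tokens[user] = token
        return token

    def complete_reset(self, user, token, new_password):
        expected = self.reset_tokens.get(user)
        if expected is None or not secrets.compare_digest(expected, token):
            return False
        del self.reset_tokens[user]
        self.set_password(user, new_password)  # stored at the current generation
        return True
```

Because invalidation only increments a counter, it completes instantly regardless of how many customers are affected, which matters when a deadline like the one in this story is looming.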

Businesses should also take the opportunity to review how their applications manage and protect passwords, including the provision of MFA. A future column will discuss common mistakes and how to architect systems to minimize the likelihood of credential compromise and theft.

So if you haven’t already done so, change your Apple password. Now.

About this author

Eric Jacksch

Eric Jacksch is a leading cybersecurity analyst with over 20 years of practical security experience. He has consulted to some of the world's largest banks, governments, automakers, insurance companies and postal organizations. Eric is a regular columnist for IT in Canada and was a regular columnist for Monitor Magazine and has contributed to several other publications.
