March 31, 2017

Here is why you need to change your Apple password now

Criminals have reportedly threatened to take over 250 million Apple accounts if Apple does not pay a ransom by April 7, 2017. Beyond the implications for Apple and its customers, this evolving situation highlights the need for good password hygiene, multi-factor authentication, and a plan to respond to extortion attempts.

According to Motherboard, who broke the story, hackers contacted them and provided details of their scheme and screen shots of alleged emails between the group and members of Apple’s security team. ZDNet also reported communicating with the hackers, who allegedly provided them with a set of 54 credentials. ZDNet was able to contact some of the account owners and verify that the passwords were valid.

Apple has told the media, “There have not been any breaches in any of Apple’s systems including iCloud and Apple ID. The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services.” If that is the case, then only customers who used the same password elsewhere should be impacted. However, ZDNet reported, “three people said that their iCloud email address and password were unique to iCloud, and were not used on any other site — a key anomaly that, if accurate, we can’t explain.”

Several scenarios are possible: Criminals could be bluffing based on possession of a small number of credentials and leveraging media exposure. A large number of the passwords could be outdated. They may genuinely hold the stolen credentials and carry through with the threat, or they may not honour the April 7 deadline as Apple and its customers react to mitigate the risk. It is also possible that Apple servers could be swamped by users changing passwords.

From a customer’s perspective, criminals have allegedly threatened to reset Apple accounts and remotely wipe iPhones, and they have demonstrated possession of some credentials to the media, presumably to place increased pressure on Apple. A remote wipe would render an iPhone unusable, and changing the Apple account password would prevent users from restoring their phones. The same mechanism that prevents thieves from using stolen iPhones would be turned against owners until they regained access to their Apple account. Criminals could steal or delete data stored in iCloud (including backups) and wreak havoc with other Apple devices, including iPads, Macs, and Apple TVs. Abusing information from services such as Find My iPhone is also a possibility.

While there is some uncertainty as to precisely which accounts may have been compromised, the cost of changing a password is very low compared to the potential risks. Apple customers should therefore change their password immediately and turn on two-factor authentication. Information on two-factor authentication can be found at https://support.apple.com/en-ca/HT204915.

This incident highlights the need for good password hygiene. Using the same password for more than one account increases both the likelihood and the potential impact of a compromise. Given advances in password cracking techniques, the best approach is to use a password manager such as 1Password or LastPass to generate and manage random passwords. Where the use of a random password is not practical, for example when it needs to be typed regularly instead of being automatically inserted by a password manager, choosing a long phrase that contains several words with numbers and symbols in between will make compromise more difficult.

In addition to choosing a different complex password for each account, everyone should take advantage of multi-factor authentication (MFA). Amazon, Apple, Facebook, Google, Microsoft, and Twitter, to name only a few, offer it for free. It is important to remember that MFA augments account security; it is not a replacement for using a unique complex password on each site.

Businesses should learn from this situation and ensure they are prepared to face an extortion attempt. In addition to a clear policy against paying ransoms, employees must be trained to respond, taking into account the need to preserve evidence, and that criminals may provide emails, chat transcripts, and other information to the media in an attempt to pressure or damage the company. The process to notify an incident response team must be clearly documented, along with outside contacts in law enforcement, public relations, and digital forensics.

As with any type of incident, a good public relations plan should be in place. Draft news releases for common scenarios, including advice to customers, may be extremely helpful, especially in organizations without significant experience responding to security incidents.

In addition to an internal error, scenarios outside the organization’s control such as phishing, malware, or third-party breach could lead to the compromise of customer passwords. All businesses that store customer credentials should ensure they have the ability to quickly invalidate all passwords and force customers through a reset process.
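As an added illustration (not code from this column), the following Python sketch shows the capability the preceding paragraph calls for: invalidating every stored password at once, revoking sessions, and forcing customers through a token-based reset that refuses to reinstate the old password. The in-memory store, the sample user, and out-of-band delivery of the reset token are assumptions.

```python
import hashlib
import hmac
import os
import secrets


class CredentialStore:
    """Constructed in-memory credential store (a real system would use a database)."""

    def __init__(self):
        self.users = {}         # email -> {"salt", "hash", "must_reset"}
        self.sessions = {}      # session token -> email
        self.reset_tokens = {}  # reset token -> email

    @staticmethod
    def _hash(password, salt):
        # Slow, salted hash so a stolen table cannot be cracked quickly.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, email, password):
        salt = os.urandom(16)
        self.users[email] = {"salt": salt, "hash": self._hash(password, salt), "must_reset": False}

    def login(self, email, password):
        """Return ('ok', session), ('reset_required', None) or ('denied', None)."""
        u = self.users.get(email)
        if u is None or not hmac.compare_digest(u["hash"], self._hash(password, u["salt"])):
            return "denied", None
        if u["must_reset"]:
            return "reset_required", None  # password is correct but has been invalidated
        token = secrets.token_urlsafe(32)
        self.sessions[token] = email
        return "ok", token

    def invalidate_all_passwords(self):
        """Emergency response: flag every password for reset and revoke all sessions."""
        for u in self.users.values():
            u["must_reset"] = True
        self.sessions.clear()

    def issue_reset_token(self, email):
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = email
        return token  # assumed to be delivered out of band, e.g. by e-mail

    def complete_reset(self, reset_token, new_password):
        email = self.reset_tokens.get(reset_token)
        if email is None:
            return False  # unknown or already-used token
        u = self.users[email]
        if hmac.compare_digest(u["hash"], self._hash(new_password, u["salt"])):
            return False  # refuse to reinstate the potentially compromised password
        u["salt"] = os.urandom(16)
        u["hash"] = self._hash(new_password, u["salt"])
        u["must_reset"] = False
        del self.reset_tokens[reset_token]  # single use
        return True
```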

Businesses should also take the opportunity to review how their applications manage and protect passwords, including the provision of MFA. A future column will discuss common mistakes and how to architect systems to minimize the likelihood of credential compromise and theft.

So if you haven’t already done so, change your Apple password. Now.

About this author

Eric Jacksch

Eric Jacksch is a leading cybersecurity analyst with over 20 years of practical security experience. He has consulted to some of the world's largest banks, governments, automakers, insurance companies and postal organizations. Eric is a regular columnist for IT in Canada and was a regular columnist for Monitor Magazine and has contributed to several other publications.
