Apple security under fire in iCloud celebrity hack
Apple announced Tuesday that it would probe media reports suggesting that vulnerabilities in iCloud, its online storage service, led to the hacks of celebrities’ accounts last weekend. In one scenario, a GitHub user found a weakness in Apple’s Find My iPhone app, an iCloud service that tracks an iPhone’s location and allows its user to remotely disable it, according to a post on the online code-sharing site. The vulnerability could have allowed the hacker to perform “brute force” attacks until the correct passwords were identified.
Rich Mogull, chief executive of security research and advisory firm Securosis, told the Wall Street Journal it’s possible that hackers exploited the Find My iPhone bug, but added it’s more likely that they hacked the celebrities’ individual accounts.
Apple said in a statement that the hacks were a result of hackers deducing the victims’ login credentials by targeting user names, passwords and security questions, and not by breaching Apple’s security systems. The company did, however, patch a flaw in its Find My iPhone app that security experts said could be partially responsible for the leak.
Apple’s efforts to ensure that HealthKit is compliant with U.S. regulatory requirements are noteworthy, as health data has gained value with advertisers, according to Forbes, which cited a Senate Commerce Committee report that said companies are developing databases consisting solely of people’s health-related information. Apple’s new privacy rules allow developers to share users’ health data with third parties “for medical purposes,” which could potentially be a loophole in the policy. Developers will, however, need users’ permission to do so.
Microsoft defies U.S. data search ruling
Microsoft is still standing its ground against Judge Loretta Preska’s ruling to turn over customer emails and records stored at its Ireland data center. In July, Judge Preska upheld a U.S. magistrate judge’s ruling that because Microsoft can control data stored physically in Ireland without actually entering the country’s domain, the data’s location isn’t relevant and Microsoft must comply with a government search warrant for that data. Microsoft argued that user emails should be afforded the same legal protections as U.S. mail and phone conversations.
Microsoft said that it will not be turning over the customer records and will bring the case to the appeals court. AT&T, Apple and other tech heavyweights are submitting briefs to support Microsoft’s defiance of the search warrant.
E.U. reforms data protection law to include steeper penalties
The E.U. will soon reform its 1995 data protection rules in an effort to unify legislation across Europe and strengthen privacy guarantees, as well as enforce steep penalties should the new rules be violated. Under the reforms, the responsibility for violations would be shared between the organizations that own the data, or data controllers, and data processors, such as cloud providers that store the data.
Peter Groucutt, managing director at cloud backup provider Databarracks, told Business Cloud News that the proposed reforms could spur organizations to toughen their IT security policies. Additionally, the upcoming changes could help chief security officers acquire greater security funding due to the number of potential fines, which make it a priority for boards of directors, he added.