Following last weekend's celebrity photo data theft, Apple's CEO, Tim Cook, has spoken out about what can be done to increase the security and protect the privacy of the company's customers. The steps include sending notifications for account changes, backup restores, and new device logins; broadening the deployment of two-step verification; and ramping up efforts to educate customers about the dangers of social engineering and phishing attacks and the importance of strong passwords. The last of those steps was emphasized when Cook reaffirmed that iCloud servers hadn't been hacked; the individual accounts were hacked. The Wall Street Journal:
When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece. I think we have a responsibility to ratchet that up. That's not really an engineering thing.
We want to do everything we can do to protect our customers, because we are as outraged if not more so than they are.
While alerts don't help prevent attacks, they do help mitigate them. Customers receiving account notifications will be able to change passwords and even alert Apple's security team. That service should start rolling out in two weeks.
Cook also emphasized what most of us already know: Touch ID fingerprint data, for example, never leaves the Apple A7 secure enclave and is never stored on iCloud or any server, so it can't be compromised online. If, as rumored, Apple rolls out a new mobile payments feature alongside the iPhone 6 and iWatch, it's expected that it will tie into a new secure enclave on the new Apple A8 system-on-a-chip.
Apple has also informed developers that HealthKit data cannot be stored on iCloud, and any app trying to do so will be rejected from the App Store.
Hopefully Apple will also replace "security questions" with something less susceptible to social engineering attacks. (Unless/until that happens, fill those fields with strong passwords as well, and store those passwords securely.)
These are good next steps from Apple, especially with the iPhone 6 event coming up in less than a week. It's especially good to have Tim Cook do it interview-style rather than simply issuing another media advisory.
What do you think of Tim Cook's response? Any other steps you'd like to see taken by Apple?
Source: The Wall Street Journal