Apple’s biggest security threat is you

iCloud faces some tough security issues. Photo: Jim Merithew/Cult of Mac

iCloud passwords and security passwords can be guessed using social networking and various phishing techniques, and complex passwords and two-step verification are not as intuitive as they should be.

In a delightfully complete article over at TidBITS, author Rich Mogull lays out the facts behind the current spate of Apple security problems – most of which boil down to this: People are the weakest link in the chain.

As anyone who’s worked with technology in the past decade can tell you, the thorniest technical challenges aren’t typically those that deal directly with hardware and software. No, in most cases, the toughest things to troubleshoot and fix lie along the human spectrum. System administrators have long known this, coming up with acronyms like PEBCAK and ID-10T errors.

The same goes for security, which in Apple’s case affects an ever-increasing number of people who may not be savvy to the ways of information security.

“Don’t expect human behavior to change. Ever.”

Mogull points out that hundreds of millions of people use Apple gear.

“I don’t know what the iCloud numbers are,” he writes, “but we are talking about a company that just sold 10 million iPhones in a weekend. Security complexity increases exponentially as fringe situations encompass millions of users. With Apple operating on that scale, the rules change.”

At this scale, Mogull says, Apple must tackle the problem of user behavior and malicious attacks upon it in a way that no other company has to. While he praises Messages, FaceTime and iCloud Keychain as brilliant uses of encryption behind the scenes, he also suggests that, in addition to Apple’s well-respected implementation of Touch ID and its equally brilliant Apple Pay system, the company needs to go even further.

Apple should tackle the authentication issue from multiple angles, making it simpler and simpler for most users. Cupertino also needs to use all available tools to boost cloud security, continually updating and adapting techniques and technologies along the way.

What Apple shouldn’t do, says Mogull, is expect to change user behavior. The technologies around security can and should be used to make sure that we crazy monkeys don’t end up compromising our own informational security.

“My guiding principle as a security professional,” he writes, “is: ‘Don’t expect human behavior to change. Ever.’ No one, not even Apple, is about to eliminate the need for passwords or come up with a single, near-perfect way to protect accounts. Nor can we rely on education or better security habits when hundreds of millions of users are involved.”

Read the full article for some great security-themed insights.

Source: TidBITS
