Or so the papers say. It’s said by ‘those familiar with the matter’ that stolen credentials from another website or service have been used to try to access iCloud. Where people happen to have an Apple device and have used the same email address and password to secure their online profile in iCloud, criminals have used this access to lock down the device and show a message demanding a ransom of around £60 to be paid via PayPal. This functionality is normally used by the rightful owner to recover and protect a lost iPad or iPhone. Not bad for an afternoon’s work with a list of stolen credentials, but then again the electronic trail following the payments sent via PayPal should prove a rich source of information for law enforcement.
Apple stated at the time of the event “Apple takes security very seriously and iCloud was not compromised during this incident.”
Apple also provides a facility to enable two factor authentication which prevents this kind of attack. If you haven’t already, head on over to My Apple ID to change your settings. You’ll need to know the answers to your security questions in order to enable two factor authentication or just ask for an email to be sent to your account and follow the link.
We’ve seen this kind of attack against many organisations, some of whom are much less prepared to investigate this kind of incident. Without some kind of central security monitoring and awareness of the activity occurring on your network, how would you work out if this kind of attack against an external portal or service came from a compromise of your systems, or a fishing expedition using information stolen from elsewhere? Would you be able to detect a large number of authentication attempts coming from a single location in a short space of time against different accounts? Could you provide a definitive statement to the press in short order?
Those without centralised security monitoring inevitably struggle to find information while the press hurl sometimes ill-informed allegations, dragging the organisation’s reputation through the mud. It sometimes takes a manual review of many system logs by a skilled individual to try to pull even a high level picture of events together. Those with security monitoring should have immediate access to the relevant information, and if configured correctly detect the attack as it happens and block access. This enables accurate information to be given to the press in mitigation, preventing damage to the organisation’s reputation. It could also be possible to detect many authentication attempts across lots of accounts coming from a single source, automatically blocking access to the attacker, raising an alert and prevent further illegal authentication attempts.
SIEM (Security Information and Event Management) software or appliance implements this centralised security monitoring system. While anyone can go out and buy a SIEM, unless you identify what needs to be monitored via a risk assessment and correctly translate this into an effective rule-set within the software, it’s unlikely to be effective.
If you’re left questioning how you’d defend your organisation against this kind of allegation, or if you’re wondering whether that expensive SIEM you bought is configured correctly, why not give one of our friendly and experienced consultants a call? Refreshingly, we don’t sell SIEM software or have an affiliation with any vendor. We choose products that are effective against the requirements of our clients, and configure these against an assessment of risk so that investment is justified and the most severe threats are mitigated first. We can also forensically investigate the most complex of incidents, even if this is a manual activity. Why not give us a call to see if we can help.