9to5 Mac has a list of the worst passwords of 2014. If you are currently using “password”, “123456”, “12345678”, or “qwerty”, consider your accounts already hacked. See 9to5 Mac’s coverage for additional passwords to avoid.
Recently I posted an article explaining why attorneys should be concerned about the recent iCloud celebrity photo breach. At the time I posted the article, details were just coming out about how these individuals had their confidential materials leaked. Since then, the leading theory has been that the celebrities had their iCloud iPhone backups accessed by malicious users using tools originally developed for law enforcement purposes. Christina Warren of Mashable recently posted a great article explaining just how easily she was able to hack her own iCloud backup. I recommend that all attorneys read her post to see just how easily some of this information can be obtained.
My recommendation based on the events of the past week is that attorneys should not store confidential materials on iCloud until Apple makes the online service more secure. If you back up your iPhone or iPad using iTunes, you have the option of encrypting your backup with a separate password (which can and should be different from your iTunes password). Unfortunately this option is not available for iCloud backups. Without a second-factor authentication option or a separate encryption password for your online backups, a malicious user would only need to determine your iCloud password to access all of your backed-up data.
You can turn off iCloud backup by going into your iOS Settings and choosing iCloud. Within the initial iCloud settings, choose Storage & Backup to decide whether iCloud Backup is enabled. Within that settings panel, simply disable iCloud Backup to turn it off on your device.
If you have other iOS devices, choose Manage Storage and from there you can delete backups from iCloud. You also should be careful that you understand what other apps on your device may be using iCloud to store data. To determine this, choose Documents & Data from within the initial iCloud settings. This will give you a list of apps that are storing data on iCloud. If you keep confidential client data within any of these apps, you may want to disable the ability of these apps to store documents and data in iCloud.
It is important to remember that these recommendations apply only if you have confidential information on your device. If you do choose to disable iCloud backups, it is important that you plug your device into your computer and back up using iTunes on a regular basis (and select the encryption option in iTunes). Email account passwords are not stored in the iCloud backup, so do not worry about this information being at risk if you do choose to use iCloud backup.
I am hoping that, with the attention this has been receiving in the press, Apple will quickly offer options to better secure iCloud. In the meantime, it is important that you at least understand what data on your device is being uploaded to the cloud and that you know whether it is adequately protected.
Update: According to 9to5 Mac, Apple’s CEO Tim Cook has issued a statement promising that Apple will enable new notifications in the next two weeks to address some of the concerns discussed above. Notably, individuals will begin to receive emails when a password is changed, when a backup is restored to a new device, and when a device logs into iCloud for the first time, and users will be able to use two-factor authentication for iCloud when iOS 8 is released. It is nice that Apple is promising quick improvements to better secure users’ data.
Read Christina Warren’s How I Hacked My Own iCloud Account, for Just $200 http://feedproxy.google.com/~r/Mashable/~3/I41sXRKDLao/
I recently posted a new article on Mobile4Law.com about Client Confidentiality in light of the recent iCloud celebrity image leak that occurred over this past weekend. iCloud is a service offered by Apple that is available on every current iPhone and iPad that allows certain data on your device to be stored in the cloud. Over the weekend, it was reported that about 100 different celebrities had personal images accessed that were being stored using Apple’s iCloud service.
It is suspected that these photos were accessed by malicious users using a brute-force attack to guess the passwords of the affected accounts. It appears that the only reasons the attack succeeded are that the accounts were using simple passwords and that Apple did not lock accounts after a certain number of unsuccessful login attempts.
In the article on Mobile4Law.com, it is explained why this should be a concern to individuals in the legal community who use cloud services for storage of confidential client information. I suggest that attorneys take a look at revised Rule 1.6 and the comments to that rule, and determine whether they would have committed an ethical violation if confidential client information had been accessed from their account using this same attack.
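The two weaknesses named above (simple passwords and no lockout after repeated failures) are both things a service can control on its own side. The following is an added illustration, not code from this blog or from Apple, of what those two controls look like: new passwords are rejected if they appear on a deny-list (seeded here with the entries 9to5 Mac named at the top of the page), and each account is locked for a period after a fixed number of wrong guesses. The class and constant names (`AuthService`, `MAX_ATTEMPTS`, `LOCKOUT_SECONDS`), the threshold values and the sample account are all constructed for this example.

```python
"""Defender-side account lockout and weak-password rejection.

Added example for this post; not Apple's code and not the post's own.
Models two controls whose absence the post describes: a deny-list of
common passwords, and a lockout after a fixed number of failed logins.
"""
import hashlib
import hmac
import os
import time

# Constructed deny-list seeded from the passwords named at the top of the page.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty"}

MAX_ATTEMPTS = 5        # assumed: failures allowed before the account locks
LOCKOUT_SECONDS = 900   # assumed: how long the account stays locked
MIN_LENGTH = 12         # assumed minimum password length
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so offline guessing is expensive too."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthService:
    """Tiny in-memory user store with per-account failure counting."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so lockout expiry can be tested
        self._users = {}             # username -> (salt, hash)
        self._failures = {}          # username -> (failure_count, locked_until)

    def register(self, username: str, password: str) -> None:
        """Refuse passwords that are on the deny-list or too short."""
        if password.lower() in COMMON_PASSWORDS or len(password) < MIN_LENGTH:
            raise ValueError("password is on the common-password list or too short")
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'.

        Every failure is counted against the account, so an online guessing
        attack is throttled regardless of where the attempts come from.
        """
        now = self._clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"           # refuse even a correct password while locked

        record = self._users.get(username)
        # Hash even for unknown users so response time does not reveal
        # whether the account exists.
        salt, stored = record if record else (b"\x00" * 16, b"")
        candidate = _hash_password(password, salt)
        if record and hmac.compare_digest(candidate, stored):
            self._failures.pop(username, None)   # success clears the counter
            return "ok"

        count += 1
        if count >= MAX_ATTEMPTS:
            self._failures[username] = (0, now + LOCKOUT_SECONDS)
            return "locked"
        self._failures[username] = (count, 0.0)
        return "denied"


def demo() -> list:
    """Drive the service with a fake clock and return the outcome sequence."""
    fake_now = [1_000_000.0]
    svc = AuthService(clock=lambda: fake_now[0])
    outcomes = []
    try:
        svc.register("alice", "qwerty")          # constructed weak password
    except ValueError:
        outcomes.append("rejected-weak")
    svc.register("alice", "correct horse battery staple")   # constructed
    outcomes.append(svc.login("alice", "correct horse battery staple"))
    for _ in range(MAX_ATTEMPTS):                 # simulated guessing run
        outcomes.append(svc.login("alice", "wrong-guess"))
    outcomes.append(svc.login("alice", "correct horse battery staple"))
    fake_now[0] += LOCKOUT_SECONDS + 1            # wait out the lockout
    outcomes.append(svc.login("alice", "correct horse battery staple"))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The lockout deliberately refuses even the correct password while the account is locked, which is what makes the counter effective against guessing; the trade-off is that an attacker can lock a victim out on purpose, so real services usually pair a per-account counter with notifications of the kind Apple later announced.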
This post was written by Steven Butler. Steven is a full-time Delaware attorney who limits his practice to Social Security Disability. Along with being a contributor for iPlugDelaware, he is a partner at Linarducci & Butler, PA.
UPDATE: Apple has responded that the processes identified by Zdziarski are there only for diagnostic purposes. Rene Ritchie at iMore has clarified that what Zdziarski actually discussed depends on “Trust Relationships”. When you plug your iPhone or iPad into a computer, you are prompted to “Trust this computer”. The information on your device is only accessible if that type of trust agreement has been created between your device and some hardware (usually your computer). Zdziarski is concerned about the ability of a third party to steal the pairing records created when you trust a computer, or to trick your iPhone or iPad into creating a “Trust Relationship” with hardware like a public USB charger.
ZDNet has an alarming article detailing a recent security talk by Jonathan Zdziarski revealing backdoors in iOS that he suggests Apple created to make secure data available to law enforcement. He suggests that this can be done over USB, WiFi, or possibly even cellular. Although this would allow Apple to obtain personal data from your device, he could not find any way it could be used to restore data. He concludes that its only purpose could be to pull data off the device for purposes other than helping the customer.
The only truly secure state for the phone, according to Jonathan Zdziarski, is password-protected and powered off. A very interesting and eye-opening read. (PLEASE SEE UPDATE WITH APPLE RESPONSE AT BEGINNING OF POST!)
If you are using an iPad or iPhone, it is time to fire up your Settings app again and do a software update. Apple has released iOS 7.1.2, which patches a bug that left your email attachments unencrypted. This means that if your password-protected device was plugged into a desktop computer, any email attachments would be available without the normal encryption.
Although this is a relatively small bug for most, those in the legal community could face dire consequences if documents attached to their email could be easily accessed from a lost or stolen device. As always, this update is available over the air by going into Settings, then General, and finally Software Update. Before updating, it is important to have a backup of your device. I always recommend plugging into a computer and doing a local backup, but at least make sure your device has been backed up to iCloud recently.
Some users have experienced their device freezing during installation. Redmond Pie has an article explaining how to reset your device if you experience this issue.
The US Supreme Court issued a unanimous decision in Riley v. California today holding that law enforcement must have a warrant to search the cell-phone content of a person who has been arrested. The petitioner in the case was stopped for a traffic violation that eventually led to an arrest on weapons charges. After the arrest, a police officer seized the defendant’s cell phone and accessed photographs and videos that were used to charge him with a shooting that had occurred a few weeks earlier.

The Supreme Court found that, generally, without a warrant, law enforcement may not search digital information stored on the cell phone of an individual who has been arrested. The Court determined that the Fourth Amendment exception allowing police to search property found on or near an arrestee does not apply to cell phones. It decided that digital data stored on a cell phone presents no risk to officer safety and no risk of evidence destruction (it noted that law enforcement has technologies to prevent remote wiping and so combat the potential loss of evidence). The Court noted that exigent-circumstances exceptions to the Fourth Amendment would still apply in case-specific situations.

The reasoning behind the decision was that substantial privacy interests are at stake when digital data is involved, and that this is not comparable to inventorying personal items. The Court explained that cell phones have an immense storage capacity, whereas prior searches of a person were limited by the physical reality that an individual could carry only a small number of items. The difference is that with a cell phone a person can “store millions of pages of text, thousands of pictures, or hundreds of videos”. Further, a search of a cell phone could also reach data on remote servers, which extends well beyond the papers and effects in the proximity of an arrested individual.

The Court acknowledged that the decision would have an impact on the ability of law enforcement to combat crime, but noted that information could still be obtained from a cell phone with a valid warrant, and that, partly due to today’s technology, warrants can be obtained with “increasing efficiency”. This decision represents a win for personal privacy, but a potential setback to overreaching law enforcement actions. It is great to see a unanimous decision that clearly defines, for both law enforcement and the general public, the expectations of privacy when cell phones are involved. This will be a very important decision in the practice of law. It is important to note that the Court did not rest its decision on whether or not the phone was locked, which means the protection would apply even if an individual has not password-secured their device.