So You Actually Trust Your Sensitive Data to Apple’s iCloud ?
Like your date of birth, one of the all too common security questions for 'reset password' requests? I use a fake one whenever I can. And I disable syncing of my contact list or data to iCloud.
Choice excerpts from TheVerge.com in Password denied: when will Apple get serious about security?.
Last Friday, The Verge revealed the existence of a dead-simple URL-based hack that allowed anyone to reset your Apple ID password with just your email address and date of birth. Apple quickly shut down the site and closed the security hole before bringing it back online.
Apple initially simply put a maintenance sign over the iForgot page, preventing ordinary password resets. But even then, a hacker could still force a password reset and skip Apple’s security questions simply by entering in a URL as if the page were still accepting resets, fooling the still-online server into thinking those two questions had been successfully answered. When it became aware that user passwords were still vulnerable, Apple then took the iForgot server completely offline, which it could (and arguably should) have done straight away until the security hole had been plugged.
It would be easy to retrieve copies of device backups, documents, contacts, mail, and messages from the cloud but otherwise leave a user’s profile intact; by the time a user knows something is amiss, he or she would only be aware that his or her old password is no longer functioning. Criminals don’t need continued access to users’ digital identities if they can browse full copies of their cloud data at leisure. Even strong encryption can be broken when time is no longer a factor.
All of this underscores the seriousness of Apple’s security lapse with iForgot. This was a high-priority system defeated with an extremely common form submission hack. It’s the equivalent of breaking into someone’s home by opening a first-floor window someone forgot to lock. Then imagine it happening again and again and again.
How could such a well-known type of exploit been missed in even a basic security audit? The likely answer: a competent audit was never made. Think about that. Call it blossom rot.
Both Amazon and Microsoft have detailed, extensive, public privacy and security policies for their cloud services. Both companies have every point in their systems audited by independent third parties. They have multiple certifications, which are used both within industry to establish reliability and verify that the services satisfy laws governing things like private medical information or use by government services. They permit their customers to deploy their own penetration testing. They’re members of the Cloud Security Alliance, a nonprofit that establishes industry best practices for data security. The CSA also includes Google, Box, HP, Rackspace, VMWare, Intel, Adobe, Oracle, and nearly every other company with a significant presence in cloud computing and storage.
Apple’s not part of the CSA. In fact, Apple does none of these things. It doesn’t have or advertise any of the external certifications available for IT security. And Apple won’t disclose how its security audits are conducted, or by whom.
Reached by The Verge, Apple declined to answer whether iCloud security had ever been audited by a third party. Apple won’t disclose whether any part of its cloud security is even audited internally apart from that governing its customer service group. Pressed on these questions, an Apple representative sent links to its public security FAQs, which doesn’t address them.
Declined to answer? Think about the implications of such a weasel response.
I remain deeply distrustful of the cloud in general. You only have to be compromised once for short and likely long-term damage.
Sadly, perhaps the far greater risk is the government tax authorities that now require electronic filing of just about everything (now required by law here in California for many things). Your most sensitive data—and you are required by law to submit it, every year. We can of course rely upon governmental authorities to quickly notify us when their systems are compromised.
So you do what you can do: choose what data you trust with whom.