Friday, October 24, 2014

Apple advises users on iCloud security in response to China cyber attack reports

APPLE HAS ISSUED an update on iCloud.com security in response to reports that the Chinese government is targeting the firm's iCloud service with state-sponsored attacks.
The update does not explicitly mention China, but alludes to reports on Monday from web freedom group GreatFire.org, which said that China is targeting iCloud customers with sophisticated man-in-the-middle cyber attacks.
The guidance covers the key security elements of the iCloud system, advising users how to protect their data and offering tips on what to look out for should they come under attack.
"We're aware of intermittent organised network attacks using insecure certificates to obtain user information, and we take this very seriously," the firm said. 
"These attacks don't compromise iCloud servers, and they don't impact iCloud sign in on iOS devices or Macs running OS X Yosemite using the Safari browser."
The information also advises users to look out for the hallmarks of official secure pages, particularly the digital certificate.
"The iCloud website is protected with a digital certificate. If users get an invalid certificate warning in their browser while visiting www.icloud.com, they should pay attention to the warning and not proceed," Apple added.
"Users should never enter their Apple ID or password into a website that presents a certificate warning."
The iPhone maker explained that users should verify that they are connected to the authentic iCloud website by checking the contents of the digital certificate as shown in the guidance for Safari, Chrome and Firefox, each of which provides certificate information and warnings.
GreatFire.org, which fights for anti-censorship rights in China, warned the Chinese public of the attacks in a public post, saying that the strikes were designed to collect considerable amounts of information from iCloud users. The claims arrived just days after Apple launched the iPhone 6 in the country.
"This is clearly a malicious attack on Apple in an effort to gain access to user names and passwords and consequently all data stored on iCloud such as iMessages, photos, contacts, etc," read the post.
"This attack is nationwide and coincides with the launch today in China of the newest iPhone."
The attacks are also thought to be part of a blanket online surveillance campaign.
GreatFire.org said it is unaware how successful the attacks have been, but noted that existing iPhone encryption technologies would at the very least hamper the Chinese government's surveillance.
"Ironically, Apple increased the encryption aspects on the phone allegedly to prevent snooping from the NSA. However, this increased encryption would also prevent the Chinese authorities from snooping on Apple user data," the post continued.
"It is unclear if Apple made changes to the iPhones they are selling in mainland China. However, this attack may indicate that there is at least some conflict between the Chinese authorities and Apple over some of the features on the new phone."
The group has advised Chinese iPhone users to surf the internet using a virtual private network as a protective measure against these types of attack, and to enable two-factor authentication on iCloud accounts.
