August 16, 2012, 10:08 AM — Several lessons have been derived from the recent iCloud security incident, but the most important for me is how it demonstrates the ignorance of many security professionals, an ignorance that calls their management into question.
When the iCloud hack started hitting the news, it generated a lot of discussions among security personnel. Many of them grasped the underlying concepts reasonably well. Unfortunately, though, some of the conversations demonstrated a clear lack of understanding of fundamental security concepts.
As is widely known by now, a hacker was able to compromise the Amazon.com and iCloud accounts of a Wired reporter. The accounts were compromised as a result of operational security flaws in the password reset processes of the respective organizations. The attack itself was rather involved, but at bottom it was a fairly straightforward social engineering type of attack.