SUCCESSFUL ARMED FORCES EMPLOYMENT PROGRAMME EXTEN... » An innovative programme that helps jobseekers who have an interest in the Armed Forces get into work... NW Systems helps meet safeguarding needs of Outs... » Hoylake-based NW Systems has provided an advanced IP video system to help Wirral Hospitals’ School, ... UK TROOPS TO TRAIN MODERATE SYRIAN OPPOSITION » THE Defence Secretary has announced today that the UK will provide further support to the internatio... Options secure new multi-million pound banking f... » London / New York: Options has announced that they have secured a new multi-million pound banking fa... £200,000 Tees Valley Catalyst Fund loan helps Co... » A Cramlington-based company has won a $6 million contract with Hyundai Engineering & Construction to... 2019: The danger that lies ahead, but what time is... » A SPECIAL ANALYSIS ON THE NIGERIAN POLITY FROM 1914 - TILL THE PRESENT “Justice is the constant... GOODLUCK EBELE JONATHAN & HIS ROCK STEADY BROTHEL:... » THE DUMBING DOWN OF VALUES IN THE AGE OF JONATHAN: STANDARDS IN PUBLIC LIFE BEGINNING AT THE PRESIDE... Becrypt announces publication of CESG approved gui... » London, UK: Becrypt has announced that CESG, the UK’s National Technical Authority on Information As... Semafone partners with AsiaPay to offer secure pay... » Guildford, Surrey, UK: AsiaPay has announced that Semafone®, the international provider of secure pa... Wick Hill named as one of ‘1000 companies to inspi... » Woking, Surrey: After an incredibly successful 2014, and being named Woking’s ‘Most Successful Compa...

CLICK HERE TO

Advertise with Vigilance

Got News?

Got news for Vigilance?

Have you got news/articles for us? We welcome news stories and articles from security experts, intelligence analysts, industry players, security correspondents in the main stream media and our numerous readers across the globe.

READ MORE

Subscribe to Vigilance Weekly

Information Security Header

The Fundamental Flaw of the ‘Find My Mac’ Feature

From also-ran to industry leader, Apple has managed to build an unbeatable customer base for its products. Its game-changing design and fundamental understanding of the way that users want to interact with technology have attracted an enormously loyal fan base.

 

One of the other things that Apple users like to congratulate themselves about is security, since Mac Operating Systems have very rarely been targeted by virus writers and hackers. Which is why the gaping security hole in the current Mac set up is so surprising. It’s bad enough for consumers (and Matt Honan at Wired magazine explains exactly how bad it can be after his now notorious epic hack) but now that Apple is branching out from its traditional stronghold in education and the creative industries, it’s going to be a big problem for corporates as well.

The security problem stems from the ‘Find My’ feature that comes as standard on all new Apple products, including MacBooks, iPads and iPhones, and the single AppleID password that is deemed sufficient to protect them.

As Honan explains, in the world of password cracking getting hold of someone else’s AppleID is not that hard. And once you have that password you can remotely access your victim’s Mac device, and through the Find My feature wipe all the data. In a business setting, where passwords for the entire IT estate are far more likely to be centrally set and controlled, it can open up the entire corporate network to the data equivalent of a neutron bomb. It is a gift to corporate spies and professional hackers everywhere.

There is no doubt that the 'Find My' feature is very attractive. In fact it’s a great idea, and anyone who has ever left a laptop in a taxi or a phone in a bar will immediately recognise the merits. But superb though the service is, it hasn’t been implemented to business-grade standards because it doesn’t have an appropriate level of user authentication.

If Apple is serious about increasing its footprint in the corporate world, it needs to make sure its security measures are up to scratch. That almost certainly means adopting two-factor authentication (2FA) to provide an extra layer of identify verification to the basic password.

2FA solutions are based on the user having ‘something they know’ – in this case the AppleID, and ‘something they have’. This can be a token or a card, but since the Apple computing experience is built on mobility, some form of tokenless solution, such as that offered by SecurEnvoy, is likely to prove more attractive.

With a tokenless solution, users would enter their AppleID in the normal way. But then the system would issue a one-time passcode to the user’s registered mobile phone. That code also has to be entered for access to be granted. Once the code is entered it is automatically deleted, and if the phone itself is lost or stolen, it can be immediately blocked from receiving any more passcodes.

2FA is increasingly recognised as an essential means to strengthen password-based systems. Tokenless solutions effectively turn mobile phones into temporary tokens. When it comes to protecting your Apple-based data, there is a beautiful form of logic to it.