![\"Zulfikar](\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/03\/CNBC_Apple_Seagate.jpg\")
<\/a>Let’s take a look at Apple and see what the company\u00a0may have done\u00a0to deserve it.<\/p>\n
Apple.com uses https encryption but fails to enforce it. Data served\u00a0from<\/p>\n
http:\/\/images.apple.com<\/a><\/p>\n and<\/p>\n http:\/\/metrics.apple.com<\/a><\/p>\n are transferred\u00a0without any encryption whatsoever. Apple\u00a0didn’t drop merely\u00a0a few balls, they dropped them all: no security headers means no protection of the user of a compliant web browser.<\/p>\n That bears repeating: none of the cyber security headers,<\/a>\u00a0Strict-Transport-Security,\u00a0Content-Security-Policy,\u00a0Public-Key-Pins,\u00a0X-Frame-Options,\u00a0X-XSS-Protection, and\u00a0X-Content-Type-Options, were actually used. Being the biggest stock-market traded IT company somehow got to their heads. Given the blatant ignorance, the cyber security incident was not a matter of if, but only a matter of when.<\/p>\n Furthermore, Apple is–as of this writing–vulnerable to\u00a0the DROWN attack due to the use of the SSL v2 protocol.<\/p>\n This hack, much like\u00a0earlier disasters (including\u00a0the Apple iCloud hack) have been\u00a0long in the making.<\/p>\n Over the years, Apple has fired some of its best technical talent, including, most notably,\u00a0as Avadis Tevenian, the inventor of the OS X kernel,\u00a0and\u00a0Don Brady, who was in charge of HFS+ and ZFS at Apple for over 20 years and is now a Filesystem & Kernel Software Engineer at Intel<\/a>.<\/p>\n In their place,\u00a0Apple hired away, in marketing, for example\u00a0Angela Ahrendts, Senior Vice President, Apple Retail<\/a>,\u00a0an amazing marketing talent from Burberry. Great move! She is brilliant, very talented and was the driving force behind the turnaround at Burberry. Sadly, she and other top-notch sales experts, came at the expense of software engineers. Given the billions of Dollars Apple puts aside every quarter, was that really necessary?<\/p>\n Apple is not alone, though. Seagate wasn’t far behind in terms of its cyber security blunders, and it shows in the results.\u00a0As long as Apple insists on continuing\u00a0this marketing-only <\/a>strategy, more security breaches are bound to happen.<\/p>\n Seagate’s web servers run on the museum-grade Apache 2.2, a web server that was cool in the late 90’s. Today, using any Apache server version is kind of an insult and not so much a sign a great intelligence. Furthermore, the Diffie-Hellman-Key deployed by Seagate is\u00a0just a mere 1024 bit long. Your iPhone or Android phone might hack this easily (though we haven’t tried).<\/p>\n Having said that, a 1024 bit DH key is just completely inappropriate and more of an invitation to getting hacked than a serious deterrent. Given that, according to Bruce Schneier, massive precomputation<\/a> on clouds such as\u00a0AWS and Azure is\u00a0now commonplace and it greatly simplifies breaking Diffie-Hellman keys.\u00a0A weak DH key\u00a0might have been at the core of the\u00a0Seagate and Apple hack.<\/p>\n Another weakness\u00a0in\u00a0Seagate’s configuration is the lack of\u00a0perfect forward secrecy.<\/p>\n It almost goes without saying that TLS RSA encryption with an RC4 cipher in 128 bit is a\u00a0big no-no! Instead of 128 bit, Seagate should be using\u00a0256 bit. In cyber security, it’s always better to be safe than sorry.<\/p>\n As far as the cyber security headers<\/a> are involved, Seagate did a very poor job and dropped a couple of balls, too. For instance, Seagate omitted the headers Content-Security-Policy,\u00a0X-Frame-Options,\u00a0X-XSS-Protection,and\u00a0X-Content-Type-Options. Especially the Cross Site Request Forgery (XSS) header (a.k.a.\u00a0X-XSS-Protection) might have helped to prevent the attack.<\/p>\n In a nutshell, Seagate did a very sloppy job. Unfortunately, sloppy cyber security seems to be the new normal and that’s why these cyber attacks keep coming (See also:\u00a0The Next Frontier: Hacks, Data Leaks, and How HTTP\/2 Fits the Picture of Cyber Sovereignty<\/a>).<\/p>\n![\"Apple\"](\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/03\/Apple.jpg\")
<\/a><\/p>\n![\"DROWN_attack\"](\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/03\/DROWN_attack.jpg\")
<\/a><\/p>\n![\"Seagate\"](\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/03\/Seagate.jpg\")
<\/a><\/p>\n