[Vision2020] iCloud breach puts spotlight on cloud security
Art Deco
art.deco.studios at gmail.com
Mon Aug 6 12:50:11 PDT 2012
*iCloud breach puts spotlight on cloud security*
By Derrick Harris | GigaOM.com, Updated: Monday, August 6, 6:08 AM
The story of the breach of former Gizmodo staffer Mat Honan’s iCloud
account <http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard> took
an interesting turn Sunday with news that the attacker was able to
call Apple and convince a customer service employee that he was Honan.
While hardly the breach of the century, the situation does highlight a
couple of hard truths about cloud security when it comes to consumer
applications.
*1. You’re giving up control.* This is a good mantra to keep in mind when
considering the use of cloud services. The problem isn’t so much security
technology as it is about process, policy and, perhaps, business model.
Cloud-storage provider Dropbox, for example, has experienced a couple of
high-profile breaches <http://gigaom.com/cloud/dropbox-yes-we-were-hacked/?utm_medium=content&utm_campaign=syndication&utm_source=washingtonpost&utm_content=icloud-breach-highlights-some-hard-truths-about-the-consumer-cloud_550012> and
security issues <http://www.wired.com/threatlevel/2011/05/dropbox-ftc/> owing to the
company’s seemingly lax policies about how user information is stored and
who has access to it. Then, there’s LinkedIn and its questionable password
practices <http://gigaom.com/2012/06/19/linkedin-will-connect-with-a-federal-judge-after-privacy-breach/?utm_medium=content&utm_campaign=syndication&utm_source=washingtonpost&utm_content=icloud-breach-highlights-some-hard-truths-about-the-consumer-cloud_550012>.
With iCloud, the problem seems to be the business model: tying hardware
devices to cloud software might be a recipe for disaster. If someone steals
Google or Twitter account information, the damage is largely limited to
those services and whatever is accessible from them. When someone gets
access to iCloud info, it’s lights out on your
phone <http://www.apple.com/iphone/built-in-apps/find-my-iphone.html>,
tablet and laptop, too. At least temporarily, you’re giving control over
your physical property — not just your digital life — to a hacker.
It’s just the risk you take, or the price you pay, for putting control over
your data in someone else’s hands. Even if data is encrypted, that doesn’t
make it any less gone if someone deletes it or steals it.
*2. People are the real problem.* Regardless of how good the security
technology and processes are, there’s often little that can be done about
the people who ultimately control everything. Honan was the victim of
social engineering, a process by which a hacker tries to con his way into a
user’s account by pretending to be that person. A convincing lie or a
gullible customer service agent could bypass years of investment to prevent
brute-force attacks or other methods for gaining account access digitally.
And social engineering appears to be becoming more prominent. When I spoke
with former hotshot hacker Kevin
Mitnick <http://gigaom.com/cloud/kevin-mitnick-doesnt-really-trust-the-cloud-but-he-uses-it/?utm_medium=content&utm_campaign=syndication&utm_source=washingtonpost&utm_content=icloud-breach-highlights-some-hard-truths-about-the-consumer-cloud_550012> to
talk about how he keeps his web site secure, he noted that people are
always calling his cloud provider trying to get access by pretending to be
Mitnick. Sure, it’s rarely successful (this story from a Computerworld
writer about not being able to access his own iCloud
account <http://news.idg.no/cw/art.cfm?id=A7ECE693-AE1D-22D6-1702DF66D8E3A484> shows
how locked-down even Apple can be), but like most things, it’s a
numbers game.
Of course, in some cases, data breaches don’t even require a false
identity. Sometimes, all it takes is a malicious insider with access to
sensitive data (e.g., U.S. Army Private Bradley Manning turning over
documents to Wikileaks). In this case, users have to rely on their cloud
providers’ HR practices, too.
*No turning back now*
But at this point, no one is going to turn their back on cloud or web
services; they probably couldn’t if they wanted to. Still, although there
are exceptions, there’s precious little that most consumers can or — in the
name of convenience <http://en.wikipedia.org/wiki/Two-factor_authentication> — will do to
secure their information if someone really wants at it.
Which brings us to the third harsh truth of the consumer cloud: If we want
to be part of it, we just have to keep on trusting our providers to keep us
safe. In many cases, they’re trying very hard to do
that <http://gigaom.com/cloud/security-cloud-computing/?utm_medium=content&utm_campaign=syndication&utm_source=washingtonpost&utm_content=icloud-breach-highlights-some-hard-truths-about-the-consumer-cloud_550012> —
but stuff does happen and oversights do occur. When it does, there will
always be plenty of people saying, “I told you so.”
--
Art Deco (Wayne A. Fox)
art.deco.studios at gmail.com