<div style="text-align:left"><img src="http://www.washingtonpost.com/rw/sites/twpweb/img/logos/twp_logo_300.gif"><br><br><font size="6"><b>iCloud breach puts spotlight on cloud security</b></font></div><div id="content">
<h3>
By Derrick Harris | GigaOM.com,
<span class="timestamp updated processed">Updated: Monday, August 6, <span class="time special">6:08 AM</span></span>
</h3>
<p>The <a href="http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard">story of the breach of former Gizmodo staffer Mat Honan’s iCloud account</a>
took an interesting turn Sunday with news that the attacker was able to
call Apple and convince a customer service employee that he was Honan.
While hardly the breach of the century, the situation does highlight a
couple of hard truths about cloud security when it comes to consumer
applications.</p>
<p>
<strong>1. You’re giving up control.</strong> This is a good mantra to
keep in mind when considering the use of cloud services. The problem
isn’t so much security technology as it is about process, policy and,
perhaps, business model. Cloud-storage service Dropbox, for example, has <a href="http://gigaom.com/cloud/dropbox-yes-we-were-hacked/?utm_medium=content&utm_campaign=syndication&utm_source=washingtonpost&utm_content=icloud-breach-highlights-some-hard-truths-about-the-consumer-cloud_550012">experienced a couple of high-profile breaches</a> and <a href="http://www.wired.com/threatlevel/2011/05/dropbox-ftc/">security issues</a>
owing to the company’s seemingly lax policies about how user
information is stored and who has access to it. Then, there’s LinkedIn
and <a href="http://gigaom.com/2012/06/19/linkedin-will-connect-with-a-federal-judge-after-privacy-breach/?utm_medium=content&utm_campaign=syndication&utm_source=washingtonpost&utm_content=icloud-breach-highlights-some-hard-truths-about-the-consumer-cloud_550012">its questionable password practices</a>.</p>
<p>With
iCloud, the problem seems to be the business model: tying hardware
devices to cloud software might be a recipe for disaster. If someone
steals Google or Twitter account information, the damage is largely
limited to those services and whatever is accessible from them. When
someone gets access to iCloud info, <a href="http://www.apple.com/iphone/built-in-apps/find-my-iphone.html">it’s lights out on your phone</a>,
tablet and laptop, too. At least temporarily, you’re giving control
over your physical property — not just your digital life — to a hacker.</p><p>It’s
just the risk you take, or the price you pay, for putting control over
your data in someone else’s hands. Even if data is encrypted, that
doesn’t make it any less gone if someone deletes it or steals it.</p><p>
<strong>2. People are the real problem.</strong> Regardless of how good the
security technology and processes are, there’s often little that can be
done about the people who ultimately control everything. Honan was the
victim of social engineering, a process by which a hacker tries to con
his way into a user’s account by pretending to be that person. A
convincing lie or a gullible customer service agent could bypass years
of investment to prevent brute-force attacks or other methods for
gaining account access digitally.</p><p>And social engineering appears to be becoming more prominent. When I <a href="http://gigaom.com/cloud/kevin-mitnick-doesnt-really-trust-the-cloud-but-he-uses-it/?utm_medium=content&utm_campaign=syndication&utm_source=washingtonpost&utm_content=icloud-breach-highlights-some-hard-truths-about-the-consumer-cloud_550012">spoke with former hotshot hacker Kevin Mitnick</a>
about how he keeps his web site secure, he noted that people
are always calling his cloud provider trying to get access by pretending
to be Mitnick. Sure, it’s rarely successful (this story from a
Computerworld writer <a href="http://news.idg.no/cw/art.cfm?id=A7ECE693-AE1D-22D6-1702DF66D8E3A484">about not being able to access his own iCloud account</a> shows how locked-down even Apple can be), but like most things, it’s a numbers game.</p>
<p>Of
course, in some cases, data breaches don’t even require a false
identity. Sometimes, all it takes is a malicious insider with access to
sensitive data (e.g., U.S. Army Private Bradley Manning turning over
documents to Wikileaks). In this case, users have to rely on their cloud
providers’ HR practices, too.</p><p>
<strong>No turning back now</strong>
</p><p>But at this point, no one is going to turn their back on cloud or
web services; they probably couldn’t if they wanted to. Still, although
there are exceptions, there’s precious little that most consumers can
or — <a href="http://en.wikipedia.org/wiki/Two-factor_authentication">in the name of convenience</a> — will do to secure their information if someone really wants at it.</p><p>Which
brings us to the third harsh truth of the consumer cloud: If we want to
be part of it, we just have to keep on trusting our providers to keep
us safe. In <a href="http://gigaom.com/cloud/security-cloud-computing/?utm_medium=content&utm_campaign=syndication&utm_source=washingtonpost&utm_content=icloud-breach-highlights-some-hard-truths-about-the-consumer-cloud_550012">many cases, they’re trying very hard to do that</a> — but stuff does happen and oversights do occur. When it does, there will always be plenty of people saying, “I told you so.”</p>
<br clear="all"></div><br>-- <br>Art Deco (Wayne A. Fox)<br><a href="mailto:art.deco.studios@gmail.com" target="_blank">art.deco.studios@gmail.com</a><br><br><img src="http://users.moscow.com/waf/WP%20Fox%2001.jpg"><br><br>