# How safe is the cloud?



## FCC (May 26, 2011)

Just a little article from the BBC on the Cloud. It should give us all a little something to think about. We oftentimes jump into the latest and greatest tech before stopping to think it through. I am not anti-cloud, but I do think there are issues to be worked through. Thoughts?


Are there criminals in the cloud? 
By Alex Hudson 
BBC Click 

Following the exposure of the Sony PlayStation 3 security flaws - and with so much of our data stored online - are we making it too easy for criminals to get hold of our information? 
When over 100 million people's details were garnered illegally from Sony recently, users were up in arms about their prized information being leaked. 
But over two thirds of companies are planning to store at least some of their data in "the cloud" - a term used to describe putting data online rather than on a hard-drive. 
With more businesses using the cloud, this sort of leak could become a more regular occurrence. 
"While the potential of cloud computing is rapidly being revealed, so too are its vulnerabilities," Brendan O'Connor, the Australian minister for Home Affairs, 
Graham Cluley, security consultant: "People need to be more careful with their passwords and make sure that they have different passwords for different online accounts. 
"People should also consider lying about some of their details. I have given Facebook a phoney date of birth for instance." 
And, he believes, criminals "can hide data in clouds" if they are clever about it. 
"Rogue cloud service providers based in countries with lax cybercrime laws can provide confidential hosting and data storage services," he said. 
"[This] facilitates the storage and distribution of criminal data, avoiding detection by law enforcement agencies." 
An easy parallel to draw is with the way Swiss bank accounts were rumoured to operate in the past. 
While bank customers were offered the utmost of discretion with their financial transactions, that same courtesy could now be offered to those wishing to de-encrypt sensitive data. 
Stealing secrets 
To safeguard information, details are regularly encrypted to a high level, meaning that - until very recently - supercomputers were required to get any details in a useable form. 
But now the internet itself is offering criminals the chance to super-charge their processing power to make decryption quicker, cheaper and easier than ever before. 
William Beer, director of Price Waterhouse Cooper's security division, says "even if credit card details are encrypted, there is software that may be able to decrypt it given enough processing power" once it has been stolen from the cloud itself. 
"Encryption is often seen as a silver bullet. We need to be very careful because there are many different types of encryption. It can introduce an air of complacency into organisations and what we're starting to see are criminals actually looking to the cloud. 
"It can provide massive amounts of processing power and [this] can actually de-encrypt some of the data. The irony of it is that they are using stolen credit cards to buy that processing power from the cloud providers." 
And this type of activity 
by German security researcher Thomas Roth. 
He used a "brute force" technique that could previously only be possible with super-computers to break into encrypted WiFi networks. 
The technique allows 400,000 different passwords to the encryption to be tested per second, quite literally knocking at the door until it caves in. No specialist hacking techniques need to be used. 
This was done using a cloud computing service costing just a few dollars per hour. 
Roth used Amazon's Elastic Cloud Computing (EC2) system, which allows users to rent increased computing power by the hour or for as long as is needed - thus the name elastic. 
Amazon says it continually works to make sure the services aren't used for illegal activity and takes all claims of misuse of services very seriously and investigates each one. 
While Roth was not doing this for illicit means - and could be done with any cloud system - the idea could be used, in principle at least, for the purpose of de-encrypting credit card details. 
He is already experimenting with speeds that could allow one million passwords a second to be tried. 
Hacking 'master key' 
What many see as most scary about this idea is that because the criminals using the cloud are using false information, they are very difficult to trace. 
That said, there are data standards in relation to private information kept by companies which are particularly strict when financial details are held. 
"You've got to meet the data security standard - it is the absolute minimum requirement," says Mark Bowerman, a spokesman for Financial Fraud Action UK. 
"Beyond that, there are reputational issues to consider. If you are hacked and data is stolen, then it will be a serious concern both reputationally and financially as well." 
So what can be done to protect information yourself? 
"Unfortunately, people have the habit of reusing their passwords for multiple different services," says Rik Ferguson, of digital security company Trend Micro. 
"Many people will have to consider that these criminals have both their email address and their common password. 
"Once you own someone's email account, that's really the master key to everything because you can go through the password reset process of [a number of services] and of course, they come back to that email account. It's the key to your online life." 
But, says Bowerman, if both you and the companies you trust with your data are careful with it, serious breaches are still very unlikely. 
"Even if you have supercomputers, the computing power of hundreds of thousands of computers linked together, if your encryption is strong enough, it would still take years and years to break those passwords," he says. 
"It boils down to how good your encryption is." 
Story from BBC NEWS:
BBC News - Are there criminals hiding in the cloud?

Published: 2011/05/08 11:33:00 GMT

© BBC 2011
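As an added illustration of Bowerman's closing point (this is not code from the article or from anyone in the thread), here is a back-of-the-envelope calculation using the two guess rates the article quotes, 400,000 and 1,000,000 passwords per second per rented machine. The per-hour instance price is an assumption (the article only says "a few dollars per hour"), and the linear speed-up across instances is the attacker's best case.

```python
import math

# Guess rates quoted in the article, per rented cloud machine.
RATE_DEMONSTRATED = 400_000   # guesses per second (Roth's EC2 demonstration)
RATE_TARGET = 1_000_000       # guesses per second (the speed he was working toward)

SECONDS_PER_YEAR = 365.25 * 24 * 3600
SECONDS_PER_HOUR = 3600

# Assumed rental price; the article only says "a few dollars per hour".
ASSUMED_PRICE_PER_INSTANCE_HOUR = 2.0


def keyspace_bits(length: int, charset_size: int) -> float:
    """Bits of entropy in a uniformly random password of `length` symbols
    drawn from an alphabet of `charset_size` symbols."""
    return length * math.log2(charset_size)


def years_to_exhaust(bits: float, rate: float, instances: int = 1) -> float:
    """Worst-case years to try every key in a `bits`-bit space at `rate`
    guesses per second, split across `instances` machines (linear speed-up
    assumed, which is the best case for the attacker)."""
    return 2 ** bits / (rate * instances) / SECONDS_PER_YEAR


def cost_to_exhaust(bits: float, rate: float,
                    price_per_hour: float = ASSUMED_PRICE_PER_INSTANCE_HOUR) -> float:
    """Rental cost to exhaust the space. Renting more instances shortens the
    wall-clock time but not the bill: total machine-hours stay the same."""
    machine_hours = 2 ** bits / rate / SECONDS_PER_HOUR
    return machine_hours * price_per_hour


def compare(rate: float, instances: int = 1) -> dict:
    """Worst-case (years, cost) for a few kinds of secret at the given rate."""
    cases = {
        "8 lowercase letters": keyspace_bits(8, 26),
        "8 mixed-case alphanumerics": keyspace_bits(8, 62),
        "12 printable ASCII characters": keyspace_bits(12, 95),
        "128-bit random key": 128.0,
    }
    return {name: (years_to_exhaust(b, rate, instances), cost_to_exhaust(b, rate))
            for name, b in cases.items()}


if __name__ == "__main__":
    # A thousand rented machines at the faster rate: the short passwords fall in
    # hours for a few hundred dollars, the 128-bit key does not fall at all.
    for name, (years, cost) in compare(RATE_TARGET, instances=1000).items():
        print(f"{name:32s} {years:12.3g} years  ${cost:12.3g}")
```

The point the numbers make is that rented compute only changes the constant factor; each extra character or bit multiplies the attacker's bill, so a strong random key stays out of reach while a short dictionary-style password does not.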


----------



## discipulo (May 26, 2011)

Thank you, David, very important to be aware of this!


----------



## Semper Fidelis (May 26, 2011)

What most don't realize is that their computer is on "the cloud" when it is connected to the Internet. Any attack vector that is good enough to get through the multiple defensive layers of the major cloud providers (and the people they have monitoring for such attacks) is much more likely to be successful getting to your machine if someone wants your data. Add to that unpatched systems with vulnerabilities, etc. For my peace of mind, if I need to share documents with people, I trust documents hosted on Google Apps more than I trust the security level of the computers of the people who I might e-mail a file to. If you're worried about people getting your sensitive information then I suggest data-at-rest encryption for your hard drive. I also suggest that you use something like Roboform or Lastpass to keep track of complex and unique passwords for all your accounts. I personally prefer Lastpass.

By the way, in answer to a question offline, both Roboform and Lastpass encrypt the passwords you store online with very strong encryption that would take years to crack.


----------



## FCC (May 26, 2011)

The encryption certainly helps with the security, Rich. I am glad to hear that. I am a computer forensic examiner and have been trying to learn some more about the cloud and its effects in that field primarily. I know that the internet is basically the cloud, but having your actual data out there on another server, out of your physical control, is bothersome to me. Your information is excellent, thank you for sharing it!

David


----------



## VictorBravo (May 26, 2011)

Another aspect of cloud servers is the agreement you have with the provider. I'm fairly obsessive about reading terms of service agreements when it comes to confidential data. A few years ago for example, Dropbox had a very tight agreement that offered a high level of promised security to your data. It promised that none in their company would look at the data and promised to notify you if it received legal process demanding to see your data. That provided a fair amount of confidence that the company would give you a chance to raise confidentiality defenses, etc. (which is significant to a lawyer representing clients).

But I received word that the company had changed the terms of service recently so that its employees may look at data in conducting routine maintenance and testing. Well, I doubt that the employees are interested in snooping out my client's secrets, but the fact that I have implicitly agreed to allow third parties to look at confidential information could open the door to legal challenges to things like client confidentiality.

Admittedly, perhaps a special case concern, but it's a good idea to remember that terms of service promises can change, and company policies can change with them. The only sure thing about controlling accessibility to your data is to encrypt it before sending it to the cloud.


----------



## Ask Mr. Religion (May 27, 2011)

VictorBravo said:


> But I received word that the company had changed the terms of service recently so that its employees may look at data in conducting routine maintenance and testing. Well, I doubt that the employees are interested in snooping out my client's secrets, but the fact that I have implicitly agreed to allow third parties to look at confidential information could open the door to legal challenges to things like client confidentiality.


Indeed. My consulting practice is in the intellectual property realm and I use Dropbox to mirror various projects I am working on. The recent revelations by the company have given me great pause. I suppose I will have to encrypt files before dropping them into my dropbox folder now.

AMR


----------



## Semper Fidelis (May 27, 2011)

FCC said:


> I know that the internet is basically the cloud but having your actual data out there on another server, out of your physical control is bothersome to me. Your information is excellent, thank you for sharing it!



Yeah, the way I look at it, it's always a matter of balancing risks. I started thinking about the kind of information I'm really worried about compromising and it's not a whole lot. I'm doing a bit of research right now to figure out which information I want to encrypt, as encrypting my whole hard drive is really unnecessary. This thread also kind of reminded me that I need to start thinking more seriously about protecting my browsing with something like Witopia. My greatest risk is losing data that means a lot to me. I'm taking steps to guard my identity against theft so that doesn't worry me much. What concerns me more is the idea that I could lose years of memories found in pictures or even e-mails and other information I've collected over the years. Most of that information is not something I need to encrypt but I do want it backed up.

As far as Cloud Documents, I obviously have my e-mail in the cloud but the only thing I really have in the way of documents are things that I share with other elders in the Church and with a non-profit that I'm the VP for. In both cases it is not only much more efficient for us to use Cloud Docs but the risk of compromise of the docs is lessened in the aggregate as Documents are not being sent over e-mail (onto multiple locations in the Cloud) and there is less risk of the compromise of individual systems that are unprotected.


----------



## Edward (May 27, 2011)

There has been debate as to whether it is a violation of legal ethical standards for an attorney to use GMail to communicate with his or her clients. It's a combination of the terms of service and Google's history of lack of respect for customer privacy. It is certainly the safer practice to not use it. 

Here's a place to start on thinking about that:

3 Geeks and a Law Blog: The Ethics of Using Gmail Revived

contra:

Is Your Free E-mail an Ethics Violation?


----------



## Der Pilger (Jun 1, 2011)

Semper Fidelis said:


> What most don't realize is that their computer is on "the cloud" when it is connected to the Internet.



I'm not sure about that. One of the main points of the cloud is to have data physically residing on, and managed at, remote networks. With a home computer, however, here are some points to consider: 1) The data does not physically reside in remote storage on the cloud; 2) since the data is physically on one local machine, a hacker who breaks in has access to only those files. If hundreds of people, on the other hand, stored their data on a single storage location in the cloud, the potential loss of data confidentiality, integrity, and availability is much greater should that single network be hacked; and 3) any company with multiple employees on their network has a greater security challenge because each employee's computer is a potential break-in point.



> Any attack vector that is good enough to get through the multiple defensive layers of the major cloud providers (and the people they have monitoring for such attacks) is much more likely to be successful getting to your machine if someone wants your data.



*Probably,* but how certain is it that they have best security practices in place? One would have to find that out from their network manager(s) whether that is so. Good luck with that. 

Also, keep in mind that a network that stores data for hundreds or thousands of users is a much more attractive target to professional hackers and cybercriminals than a lone PC on someone's home network.

I for one have deep reservations about cloud security, and I'm not the only one, either.


----------



## LawrenceU (Jun 2, 2011)

Der Pilger said:


> I for one have deep reservations about cloud security, and I'm not the only one, either.



Super-sized Ditto.


----------



## Semper Fidelis (Jun 3, 2011)

Der Pilger said:


> Semper Fidelis said:
> 
> 
> > What most don't realize is that their computer is on "the cloud" when it is connected to the Internet.
> ...


 
Given your description above, it is pretty plain you have not looked at how Google stores information in its Cloud. Also, I'm curious what your credentials are. I'm not guessing in my statements above.


----------



## Der Pilger (Jun 3, 2011)

Semper Fidelis said:


> Der Pilger said:
> 
> 
> > Semper Fidelis said:
> ...


 
I wasn't addressing any particular provider. Regarding credentials, now I'm curious: Why do you ask?


----------



## LawrenceU (Jun 4, 2011)

Semper Fidelis said:


> What most don't realize is that their computer is on "the cloud" when it is connected to the Internet. Any attack vector that is good enough to get through the multiple defensive layers of the major cloud providers (and the people they have monitoring for such attacks) is much more likely to be successful getting to your machine if someone wants your data.



Yes, absolutely true. I have a very good friend who is a top-notch cyber security expert who will completely agree with this. He makes oodles of money preventing just this sort of attack against very secured networks; both those connected to the internet and those isolated from it. In his words, 'Any network or computer has a vulnerability that can be utilised to gain information stored on it.' You should hear some of the tactics he has discovered. Amazing.


----------



## Semper Fidelis (Jun 4, 2011)

Der Pilger said:


> I wasn't addressing any particular provider. Regarding credentials, now I'm curious: Why do you ask?



I ask because it is my business to know about Cyber Security. My command is a level 3 CNDSP.

You made some sweeping generalizations about the ease with which hundreds of users' data could be compromised by the compromise of a single physical system and that is not how any of the major Cloud providers architect their systems. I'm wondering if you're just guessing about this or if you work in the discipline.


----------



## Der Pilger (Jun 4, 2011)

Semper Fidelis said:


> Der Pilger said:
> 
> 
> > I wasn't addressing any particular provider. Regarding credentials, now I'm curious: Why do you ask?
> ...



That has nothing to do with whether my points are right or wrong.



> You made some sweeping generalizations about the ease with which hundreds of users' data could be compromised by the compromise of a single physical system and that is not how any of the major Cloud providers architect their systems. I'm wondering if you're just guessing about this or if you work in the discipline.


 
I think you are reading a bit too much into my post. I never mentioned anything about how easy or hard it would be for a network to be compromised. My point (to repeat) was that it *could* be easy, but that depends on how well the network security is managed in that particular system. I would not assume that a company uses best security practices. Also, the potential for loss is greater on a system that contains hundreds of users' data than on a single home PC. That greater amount of data also makes such systems a more attractive target to hackers compared to a personal home computer. A major company faces a greater security challenge not only because of the multiple user accounts which a hacker could target but also because of its massive amounts of data--especially if said company stores valuable information such as credit card numbers for thousands of customers. Another point was that a home PC is not on the cloud, as you said. My blog is in the cloud, and often my e-mail is in the cloud, but not the vast majority of my PC's files, software, etc. The overall architecture in which my home computer operates is thick-client, not thin-client. Thus, merely being connected to the internet does not put my PC in the cloud.

Now that I've clarified this, do you disagree with any of these points?


----------



## Semper Fidelis (Jun 4, 2011)

Der Pilger said:


> That has nothing to do with whether my points are right or wrong.


It is germane to your expertise to speak about them and your initial quoting and responding to the points I made initially.


Der Pilger said:


> Now that I've clarified this, do you disagree with any of these points?


Yes, I do but you seem content with the knowledge you have on the subject.


----------

