by Constantine von Hoffman

Wired Reporter Hack Spotlights Cloud Security Risks

Aug 07, 2012 · 4 mins
Cloud Computing, Cybercrime, Data and Information Security

The cloud offers a number of benefits to online users, but it's also riddled with risks. A Wired reporter's recent experience should serve as a cautionary tale for all individuals and companies that are embracing the cloud.

It seems like everybody is moving to the cloud nowadays–but not everyone should be. The recent daisy-chain hacking of Wired reporter Mat Honan, and some comments made by Apple co-founder Steve Wozniak, help demonstrate why.

Yesterday Honan published a chilling article about the hack.

From Wired:

“In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.”

Honan is an honest man, and he first admits mistakes he made before pointing out the risks hiding in the cloud. First, the mistakes:

He daisy-chained his accounts together, so:

“Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc.”

He also didn’t regularly back up the data on his computer. (Me, I’m obsessive about backing up data, and I do so two to three times a day.)

Now, on to the bigger issues:

“Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.”

Cloud computing means surrendering control of your data. It means security is out of your hands. Your cloud-computing provider may have the best set of security policies ever, but that doesn’t mean it has the best set of security practices. More than 80 percent of organizations already transfer, or plan to transfer, sensitive or confidential data into the cloud, according to a report out today from Thales e-Security and The Ponemon Institute.

Even considering Honan’s experience, I think your average person is better off in the cloud because most individuals do absolutely nothing to protect their data. (Where do I back up all my data to? The cloud. I wonder if [COMPANY NAME REDACTED] security is as good as it says it is?)

The cloud itself is not an inherent security risk. If your company is running its own cloud system then it’s just as secure (or not) as any other part of your network. But, if you are using someone else’s system, you should do your own audit of that system’s security as part of the contract with the company. Trust, but verify.

That’s the point Apple co-founder Wozniak recently made–albeit a bit obliquely:

“I really worry about everything going to the cloud. I think it’s going to be horrendous. I think there are going to be a lot of horrible problems in the next five years. With the cloud, you don’t own anything. You already signed it away” through the legalistic terms of service with a cloud provider that computer users must agree to. “I want to feel that I own things. A lot of people feel, ‘Oh, everything is really on my computer,’ but I say the more we transfer everything onto the web, onto the cloud, the less we’re going to have control over it.”

This is the reason I have stayed away from flavor-of-the-month, Tumblr-clone Pinterest. The service’s EULA basically says Pinterest owns the rights to anything I post there. I’m not sure how this policy would stand up in a court of law, but I also don’t want to pay to find out.