16 Comments

Summary:

The hard truth for consumers is that using cloud services means they’re often at the mercy of their cloud providers’ security practices, perhaps even their HR practices. However, unless they’re willing to abstain from the cloud altogether, trusting their providers is often all consumers can do.

cloud security

The story of the breach of former Gizmodo staffer Mat Honan’s iCloud account took an interesting turn Sunday with news that the attacker was able to call Apple and convince a customer service employee that he was Honan. While hardly the breach of the century, the situation does highlight a couple hard truths about cloud security when it comes to consumer applications.

1. You’re giving up control. This is a good mantra to keep in mind when considering the use of cloud services. The problem isn’t so much security technology as it is about process, policy and, perhaps, business model. Cloud-storage Dropbox, for example, has experienced a couple of high-profile breaches and security issues owing to the company’s seemingly lax policies about how user information is stored and who has access to it. Then, there’s LinkedIn and its questionable password practices.

With iCloud, the problem seems to be the business model: tying hardware devices to cloud software might be a recipe for disaster. If someone steals Google or Twitter account information, the damage is largely limited to those services and whatever is accessible from them. When someone gets access to iCloud info, it’s lights out on your phone, tablet and laptop, too. At least temporarily, you’re giving control over your physical property — not just your digital life — to a hacker.

It’s just the risk you take, or the price you pay, for putting control over your data in someone else’s hands. Even if data is encrypted, that doesn’t make it any loss gone if someone deletes it or steals it.

2. People are the real problem. Regardless how good the security technology and processes are, there’s often little that can be done about the people who ultimately control everything. Honan was the victim of social engineering, a process by which a hacker tries to con his way into a user’s account by pretending to be that person. A convincing lie or a gullible customer service agent could bypass years of investment to prevent brute-force attacks or other methods for gaining account access digitally.

And social engineering appears to be becoming more prominent. When I spoke with former hotshot hacker Kevin Mitnick to talk about how he keeps his web site secure, he noted that people are always calling his cloud provider trying to get access by pretending to be Mitnick. Sure, it’s rarely successful (this story from a Computerworld writer about not being able to access his own iCloud account show how locked-down even Apple can be), but like most things, it’s a numbers game.

Of course, in some cases, data breaches don’t even require a false identity. Sometimes, all it takes is a malicious insider with access to sensitive data (e.g., U.S. Army Private Bradley Manning turning over documents to Wikileaks). In this case, users have to rely on their cloud providers’ HR practices, too.

No turning back now

But at this point, no one is going to turn their back on cloud or web services; they probably couldn’t if they wanted to. Still, although there are exceptions, there’s precious little that most consumers can or — in the name of convenience — will do to secure their information if someone really wants at it.

Which brings us to the third harsh truth of the consumer cloud: If we want to be part of it, we just have to keep on trusting our providers to keep us safe. In many cases, they’re trying very hard to do that — but stuff does happen and oversights do occur. When it does, there will always be plenty of people saying, “I told you so.”

Feature image courtesy of Shutterstock user nobeastsofierce.

  1. The very least you can do is keep your own local copy of everything you care about. That won’t stop someone who hacks your cloud provider from seeing it, but if they (or an error at the provider) deletes it, you’ll still have your own local copy.

    Share
  2. Mat Honan says he’s a jerk who doesn’t back up data. I wouldn’t say he’s a jerk, but I do hope he’s learned a hard lesson about backups.

    Share
  3. You are simply the best
    Can I share this article on my blog If you give me permission

    http://itechbook.net/?p=622

    Share
    1. You don’t need permission. You know that. You just want to spam your worthless blog.

      Share
  4. This brings up another question I had on backing up data that’s written directly from an application to iCloud. I’d like to see someone document an automated process.

    Even with a backup once the device gets wiped the only way to recover the device is with the PIN used to wipe the device. This is a double edged sword. I’m sure the Genius’ at the Apple Store can get back into the device but you are going to have a lot of explaining to do.

    Share
  5. iCloud is not unique on this risk.

    Most devices with Microsoft Exchange/ActiveSync obey a remote request to wipe their data and it’s possible to do it from Outlook (even the Web version of it)

    Likewise, Android devices with the Google Apps profile and syncing to Google can also be remotely wiped from the users’ Google Apps control panel.

    Share
  6. Make a backup that isn’t cloud based.

    I advise my clients to backup their cloud data to local servers regularly, and to encrypt it. For my personal stuff I use syncdocs.com to backup all my Google stuff and encrypt it. Keeping a copy on hardware you own protects you from this sort of hack.

    The cloud can be very useful though, so it’s a trade off.

    Share
  7. Derrick Harris Sunday, August 5, 2012

    I think any sensible person would agree with backing up locally, I’m just not sure how many average consumers actually want that hassle, especially for something like email. Same goes for other security enhancements such as two-factor authentication or encryption.

    Also, it’s ironic that we’re now saying “back up locally” instead of “back up in the cloud.” How far we’ve come.

    Share
    1. Derrick, if you care about it, you back it up locally, even if it’s email (notice I said if you care about it). Don’t want the hassle? That’s fine until something you really wanted to keep is gone and you can’t get it back. Then you change your attitude.

      Share
  8. according to Honan: “They got in via Apple tech support and some clever social engineering that let them bypass security “questions.”

    Not so magical at all

    Share
  9. Good to know that you have enough evidence to characterize Manning as ‘malicious’. Please make it public, as the trial is under way.

    Share
    1. Derrick Harris Monday, August 6, 2012

      Fair point, although it’s not a comment on Wikileaks. From an organization’s perspective, someone inside knowingly doing something unwanted would be malicious.

      Share
  10. I’d like to see two key authentication become a standard and a government mandate to make it illegal for mobile phone providers to charge for simple text messages … that would solve many of these problems and make all of our data a LOT more secure.

    Share

Comments have been disabled for this post