
Summary:

The hard truth for consumers is that using cloud services means they’re often at the mercy of their cloud providers’ security practices, perhaps even their HR practices. However, unless they’re willing to abstain from the cloud altogether, trusting their providers is often all consumers can do.


The story of the breach of former Gizmodo staffer Mat Honan’s iCloud account took an interesting turn Sunday with news that the attacker was able to call Apple and convince a customer service employee that he was Honan. While hardly the breach of the century, the situation does highlight a couple of hard truths about cloud security when it comes to consumer applications.

1. You’re giving up control. This is a good mantra to keep in mind when considering the use of cloud services. The problem isn’t so much security technology as it is about process, policy and, perhaps, business model. Cloud-storage provider Dropbox, for example, has experienced a couple of high-profile breaches and security issues owing to the company’s seemingly lax policies about how user information is stored and who has access to it. Then, there’s LinkedIn and its questionable password practices.

With iCloud, the problem seems to be the business model: tying hardware devices to cloud software might be a recipe for disaster. If someone steals Google or Twitter account information, the damage is largely limited to those services and whatever is accessible from them. When someone gets access to iCloud info, it’s lights out on your phone, tablet and laptop, too. At least temporarily, you’re giving control over your physical property — not just your digital life — to a hacker.

It’s just the risk you take, or the price you pay, for putting control over your data in someone else’s hands. Even if data is encrypted, that doesn’t make it any less gone if someone deletes it or steals it.

2. People are the real problem. Regardless of how good the security technology and processes are, there’s often little that can be done about the people who ultimately control everything. Honan was the victim of social engineering, a process by which a hacker tries to con his way into a user’s account by pretending to be that person. A convincing lie or a gullible customer service agent could bypass years of investment to prevent brute-force attacks or other methods for gaining account access digitally.

And social engineering appears to be becoming more prominent. When I spoke with former hotshot hacker Kevin Mitnick to talk about how he keeps his web site secure, he noted that people are always calling his cloud provider trying to get access by pretending to be Mitnick. Sure, it’s rarely successful (this story from a Computerworld writer about not being able to access his own iCloud account shows how locked-down even Apple can be), but like most things, it’s a numbers game.

Of course, in some cases, data breaches don’t even require a false identity. Sometimes, all it takes is a malicious insider with access to sensitive data (e.g., U.S. Army Private Bradley Manning turning over documents to Wikileaks). In this case, users have to rely on their cloud providers’ HR practices, too.

No turning back now

But at this point, no one is going to turn their back on cloud or web services; they probably couldn’t if they wanted to. Still, although there are exceptions, there’s precious little that most consumers can or — in the name of convenience — will do to secure their information if someone really wants at it.

Which brings us to the third harsh truth of the consumer cloud: If we want to be part of it, we just have to keep on trusting our providers to keep us safe. In many cases, they’re trying very hard to do that — but stuff does happen and oversights do occur. When it does, there will always be plenty of people saying, “I told you so.”

Feature image courtesy of Shutterstock user nobeastsofierce.


  1. The very least you can do is keep your own local copy of everything you care about. That won’t stop someone who hacks your cloud provider from seeing it, but if they (or an error at the provider) deletes it, you’ll still have your own local copy.

  2. Mat Honan says he’s a jerk who doesn’t back up data. I wouldn’t say he’s a jerk, but I do hope he’s learned a hard lesson about backups.

  3. You are simply the best
    Can I share this article on my blog if you give me permission?

    http://itechbook.net/?p=622

    1. You don’t need permission. You know that. You just want to spam your worthless blog.

  4. Keith Townsend Sunday, August 5, 2012

    This brings up another question I had on backing up data that’s written directly from an application to iCloud. I’d like to see someone document an automated process.

    Even with a backup, once the device gets wiped, the only way to recover the device is with the PIN used to wipe the device. This is a double-edged sword. I’m sure the Geniuses at the Apple Store can get back into the device, but you are going to have a lot of explaining to do.

  5. iCloud is not unique on this risk.

    Most devices with Microsoft Exchange/ActiveSync obey a remote request to wipe their data and it’s possible to do it from Outlook (even the Web version of it).

    Likewise, Android devices with the Google Apps profile and syncing to Google can also be remotely wiped from the users’ Google Apps control panel.

  6. Make a backup that isn’t cloud based.

    I advise my clients to back up their cloud data to local servers regularly, and to encrypt it. For my personal stuff I use syncdocs.com to back up all my Google stuff and encrypt it. Keeping a copy on hardware you own protects you from this sort of hack.

    The cloud can be very useful though, so it’s a trade off.

  7. Derrick Harris Sunday, August 5, 2012

    I think any sensible person would agree with backing up locally, I’m just not sure how many average consumers actually want that hassle, especially for something like email. Same goes for other security enhancements such as two-factor authentication or encryption.

    Also, it’s ironic that we’re now saying “back up locally” instead of “back up in the cloud.” How far we’ve come.

    1. Derrick, if you care about it, you back it up locally, even if it’s email (notice I said if you care about it). Don’t want the hassle? That’s fine until something you really wanted to keep is gone and you can’t get it back. Then you change your attitude.

  8. According to Honan: “They got in via Apple tech support and some clever social engineering that let them bypass security ‘questions.’”

    Not so magical at all

  9. Good to know that you have enough evidence to characterize Manning as ‘malicious’. Please make it public, as the trial is under way.

    1. Fair point, although it’s not a comment on Wikileaks. From an organization’s perspective, someone inside knowingly doing something unwanted would be malicious.

  10. I’d like to see two key authentication become a standard and a government mandate to make it illegal for mobile phone providers to charge for simple text messages … that would solve many of these problems and make all of our data a LOT more secure.

  11. Hey Derrick! Nice post. You made a great point on the fact that users (who often don’t realize) are giving up control when they adopt consumer cloud solutions like iCloud. For consumers, the tradeoff between total control and convenience is often acceptable. But the same definitely cannot be said for companies. Companies need to maintain control over their own data as well as identities, that’s why support for identity management is critical for enterprise applications. I just shared our approach over here at Oxygen in my own post – The Importance of keeping your identity http://blog.oxygencloud.com/2012/08/06/the-importance-of-keeping-your-identity/

  12. This has nothing to do with the cloud, nice FUD. It’s all about the improper security validation by the iDiots and Apple technical support and how a single email account was the lynchpin in totally unraveling all of his accounts. Even two key authentication is a complete waste of time when some iDiot support person resets your email account password without proper verification and then the whole security thing crumbles like a house of cards.

  13. I think most people are missing the point that this was a colossal customer support failure. As such, it could have happened with any application. If Honan’s bank account had been wiped clean in the same way, I bet that there wouldn’t be this much publicity or discussion.
