How the cloud saved Kevin Mitnick from his own infamy

For renowned computer hacker turned security consultant Kevin Mitnick, his online life is like one big playground game. “It’s like I’m the king of the mountain,” Mitnick says, “and everybody wants to take me down.”

It’s easy to see why. Mitnick was one of the earliest high-profile cybercriminals around, hacking into some rather important systems and eventually spending five years in federal prison. He’s now a best-selling author and a security consultant trying to protect clients that might have been his former targets from newer versions of himself. If you take down Kevin Mitnick, well, you’ve taken down Kevin Mitnick.

Ironically, the situation got so bad that Mitnick — an admitted cloud computing skeptic — in 2009 turned to the cloud to save him. Kind of.

Who doesn’t like free?

Prior to that, he had been using a less-than-stellar web host as a favor to a girlfriend, and his site was breached on numerous occasions. Because he didn’t have administrative access to the server, there was nothing he could do. In 2009, an upstart cloud provider called FireHost came to him and offered to host his site for free to prove it could stop the intrusions.

It’s three years later and Mitnick’s corporate website still runs on FireHost’s cloud. So far, he said, things have gone pretty well. There are distributed denial of service attacks — including one earlier this week — that prove to be little more than nuisances, and about a month ago someone spotted a cross-site scripting vulnerability that was fixed before any damage could be done. But no serious breaches.

Security first, always

Of course, Mitnick isn’t taking any chances to begin with. Even with his previous hosting provider, he said, “I never kept anything of value [on the web server],” and that remains true with FireHost. His site’s only dynamic page is the email contact form (that’s where the vulnerability was spotted), and he exposes as little of his server as possible: just port 80. When he accesses his virtual servers, he uses a VPN and then makes changes via SSH.
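The article does not say what the contact-form flaw looked like, but a contact form that echoes a submitted field back into the confirmation page is the textbook way such a vulnerability arises. The following is an added example, not code from the article or from Mitnick’s site: a minimal handler in the vulnerable form beside a hardened one. The field names, length limits, sample submission and security headers are all assumptions; the single-line check on name and email fields goes slightly beyond the article, since those values typically end up in mail headers when the form is emailed.

```python
"""Added example (not from the article): reflected-XSS pattern in an email
contact form, beside a hardened version that validates and escapes input."""
import html
import re
from typing import Dict, Tuple

# Assumed form fields and size limits for this illustration.
MAX_LEN = {"name": 100, "email": 254, "message": 4000}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Defence-in-depth headers a static site with one form can afford to send.
RESPONSE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
}

# Constructed sample submission carrying a script tag in the name field.
CONSTRUCTED_SUBMISSION = {
    "name": "Ann <script>alert(1)</script>",
    "email": "ann@example.com",
    "message": "Hello, I would like to book a talk.",
}


def render_confirmation_unsafe(form: Dict[str, str]) -> str:
    """Vulnerable: user input is interpolated straight into HTML."""
    return (f"<p>Thanks, {form.get('name', '')}! "
            f"We'll reply to {form.get('email', '')}.</p>")


def validate(form: Dict[str, str]) -> Tuple[bool, str]:
    """Reject empty, oversized or malformed fields before anything is rendered
    or mailed. Single-line fields may not contain CR/LF, which also blocks
    injecting extra headers when the form is forwarded by email."""
    for field, limit in MAX_LEN.items():
        value = form.get(field, "")
        if not value.strip():
            return False, f"{field} is required"
        if len(value) > limit:
            return False, f"{field} is too long"
        if field != "message" and ("\r" in value or "\n" in value):
            return False, f"{field} must be a single line"
    if not EMAIL_RE.match(form["email"]):
        return False, "email is not a valid address"
    return True, ""


def render_confirmation_safe(form: Dict[str, str]) -> str:
    """Hardened: validate first, then HTML-escape every reflected value."""
    ok, err = validate(form)
    if not ok:
        return "<p>Invalid submission: " + html.escape(err) + "</p>"
    name = html.escape(form["name"], quote=True)
    email = html.escape(form["email"], quote=True)
    return f"<p>Thanks, {name}! We'll reply to {email}.</p>"


if __name__ == "__main__":
    print("unsafe:", render_confirmation_unsafe(CONSTRUCTED_SUBMISSION))
    print("safe:  ", render_confirmation_safe(CONSTRUCTED_SUBMISSION))
```

The escaping step is what closes the reflected hole; the validation and the `Content-Security-Policy` header are there so that a future mistake in one layer is not immediately exploitable through another.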

Mitnick is also an Amazon EC2 user, but there he’s even more cautious — or perhaps just cost-conscious. He hosts hacking demonstrations on EC2, but they’re only live for a short time before, during and after his presentations. In part, this helps save him from attack (although no one really knows where they are or that they’re his), but, he said, it’s also just a lot cheaper to not run them when they’re not in use.

Kevin Mitnick’s lock-pick business card

But FireHost is hosting Mitnick for free, and he doesn’t really expose anything of value in the cloud, so there’s no real reason not to stay. What about the million-dollar question, though: Does Mitnick actually think the cloud is secure enough to handle valuable apps or data? The short answer is “no.”

“To be honest with you, if I’m running an enterprise, I’d want my data local and maybe I’d host applications in the cloud,” Mitnick said. He still wouldn’t trust a third party with proprietary data, and he generally doesn’t trust cloud providers unless he’s able to test them and verify they’re secure enough for his purposes. He trusts FireHost enough to let them access his resources on his behalf. As for Amazon, he acknowledged, he hasn’t really done the homework to figure out whether he’d host his site there.

The most-secure cloud you’ve never heard of

For what it’s worth, Mitnick isn’t alone in trusting FireHost. The cloud provider, which touts itself as the most-secure cloud around, has lots of big-name paying customers too, including Johnson & Johnson, 3M, Farmers Insurance and Johns Hopkins University. FireHost has attracted them in part because it’s willing to let prospective customers put its claims of security, performance and availability to the test.

“The consumption model is not just technology,” Co-founder and CEO Chris Drake told me recently, “it’s the human factor.” FireHost doesn’t have any outbound sales staff, he said, but when companies see they can get first-class security and performance — even test it in a proof-of-concept — while maintaining the ease of management of a service such as Amazon EC2, “fish are jumping into the boat.”

Aside from technological security measures, FireHost is also in the business of playing a virtual HOA of sorts. Drake said the company won’t host gaming, gambling or pornography sites in part because they tend to attract bad traffic that could affect their virtual neighbors, and in part because they’re morally objectionable. If you want certain flagship clients, Drake said, you sometimes have to sacrifice easy money.

Mitnick’s still got it

Still, Mitnick warns, whichever company a client chooses as a cloud provider, it’s ultimately up to the client to make sure its applications are secure. Fairly recently, he said, a company offering a cloud-based desktop service wanted Mitnick to speak on its behalf about how secure the service was. He demanded to test it before putting his name behind it.

That turned out to be a costly decision. Within an hour, he was able to access the virtual machine where the virtual desktop was running. Within 8 hours he had given himself administrative control, broke most of the passwords and had pretty much compromised the whole company. Unfortunately, Mitnick said, he charges a lot more for speaking than he does for a few hours of penetration testing.

Feature image courtesy of Flickr user campuspartymexico; business card photo courtesy of Flickr user medea_material.