The Biggest Cloud Computing Security Risk Is Impossible to Eliminate

The past couple of years have been tough for those defending the security of cloud computing and those trying to establish secure cloud infrastructures for themselves. For the most part, there have been DDOS attacks or defacements designed to embarrass or punish site owners.

However, even considering only websites or services from which hackers actually took over accounts, stole data or money, or planted malware to help steal data or money from others, the list of security failures is long and distinguished: Google, LinkedIn, Twitter, Hotmail, Global Payments (credit-card clearinghouse for Visa, MasterCard and others), Federal Express, Zappos, a host of local bank and police agencies, and the China Software Developer Network (which, all by itself, lost personal information on 6 million users to a single hacker named Zeng).

True, some of those victims offer services with access too restricted and services too limited to be considered "cloud." Except for the potential booty (money, data or notoriety), cloud and non-cloud services look pretty much the same to criminals trying to crack them open.

During 2010, only 4 million user accounts were compromised by hackers; in 2011 hackers penetrated 174 million accounts (thanks, Anonymous), according to the Data Breach Investigations Report published by Verizon in March. If anything, 2012 is going to be even worse, according to anti-virus/security vendor Kaspersky Labs.

All that hackery did generate tons of publicity, plenty of vocal outrage from victims, diluvian volumes of frettage from pundits and solemn warnings from security companies thrilled to find themselves center stage in a drama they've been narrating all but unheard for years.

Despite all that noise, it's odd to realize that the incident with the greatest potential to cause a change in attitude among users and IT is the hack of a single reporter's backup account on Apple's consumer-oriented iCloud storage service.

It wasn't even a cool hack. It barely qualified as social engineering.

Due only to the weak identity verification of Apple and Amazon, Wired reporter Mat Honan suffered what he described as his own digital death and dissolution. Not only did hackers get into his email and iCloud accounts, but they also used the data-sync connections among Honan's all-Apple suite of personal devices to wipe out all his backup data in the cloud. They deleted everything from his MacBook and iPhone, leaving him with no easily recoverable copy of any of his data, most of which was valuable to only him.

"In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted," he explained in a piece for Wired explaining "How Apple and Amazon Security Flaws Led to My Epic Hacking." "Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook."

Details of the attack are telling, but have been left out to annoy the readership into even more outrage at the poor security/customer service of Apple and Amazon. (They're actually in "Anatomy of a Successful Personal Hack," if you haven't read them elsewhere, follow the link to be appalled by them.)

Next: Why the Cloud is a Horrendous Security RiskHonan acknowledges that some random hacker couldn't have rolled up and eaten his whole digital life without help from the victim himself.

"Had I been regularly backing up the data on my MacBook, I wouldn't have had to worry about losing more than a year's worth of photos, covering the entire lifespan of my daughter, or documents and e-mails that I had stored in no other location," he wrote in his Wired piece. "Those security lapses are my fault, and I deeply, deeply regret them. But what happened to me exposes vital security flaws in several customer service systems, most notably Apple's and Amazon's."

Unsurprisingly, Honan recommends against daisy chaining all your data-heavy devices to the same control account. More usefully, publishing his story prompted both Apple and Amazon to revamp security, at least to the extent of eliminating the specific gaps Honan's hackers exploited. Neither company required frequent password changes, secure passwords or two-factor authentication for anything. It wouldn't do any good, anyway.

Most end users--and most IT people, for that matter--aren't interested in going to the amount of trouble it would take to keep from being digitally gutted by the same hack that eviscerated Honan. No matter how many warnings they get, an astonishing number still use simplistic passwords (123456 is a favorite) and the same passwords for everything (easier to remember), and link as many accounts as possible (to avoid multiple logins).

In fact, single sign-on--the secure version of the same practice--has been the goal of dozens of major enterprise networking products. No one likes having to remember passwords or log in separately to every application or website. Apple, Google, Facebook, Twitter and most other consumer-oriented services count on that to get customers to agree to link their social networking accounts--a major marketing benefit to the vendors that offers users almost nothing good.

Last week, Apple co-founder Steve Wozniak got roasted for suggesting that relying on the cloud too heavily would result in "horrendous" consequences for end users.

"I really worry about everything going to the cloud. I think it's going to be horrendous. I think there are going to be a lot of horrible problems in the next five years," he said. "With the cloud, you don't own anything. You already signed it away."

Woz did get plenty of support from cloud haters, digital paranoids and from experts who realize the cloud is just as dangerous and filled with security flaws as any other Web service, data center or other computerized structure invented by and configured for the use of demonstrably imperfect humans.

Next: Every Cloud Needs a Back Door--But Here's the ProblemEven pieces written well before the Honan attack pointed out that Apple had made iCloud "reasonably" secure but built in security flaws to keep control of the network itself and help return access or data to clueless end users.

Every other public cloud service did the same thing, for the same reasons. One person's security flaw is another person's fail-safe mechanism. Every cloud needs a back door for end users who can't get in; the problem is that locks on the back door are just as flimsy as those on the front. No matter how secure it's possible to make cloud services, it will never be possible to make them secure enough that clueless users won't lock themselves out and unscrupulous hackers won't be able to weasel their way in.

Honan isn't a clueless user; he didn't use stupidly simple passwords or his Social Security number as a username. He just failed to turn on every single security feature available on every Web service he used.

Is it fair to expect end users to make up for gaps in the security of major services? No. Woz is right that cloud is a horrendous risk, but it's only marginally more risky than more traditional IT.

An iCloud or Twitter account may be easier to see, and therefore easier to target. That doesn't mean the risk of losing data from iCloud is greater than losing it to thieves who swipe your end users' iPads, iPhones. No matter what Apple, Amazon, Twitter or Google do, cloud computing security risks will never go away.

The answer isn't total security; the answer is balanced risk. Backing up data into comparatively safe harbors (cloud storage, enterprise backup or external hard drive) drastically cuts the risk of catastrophic data loss. It also adds the risk that your backup could be hacked, but there's no benefit without concomitant risk.

The trick is picking the security measures that work for you but don't make your tech so inconvenient you avoid it completely.

Security is inconvenient. It's expensive. It's impossible to cost-justify unless you actually see it stamping out a threat. It's also inconvenient to lock your front door and carry keys with you everywhere you go. There's no better chance of stamping out insecurity online than there is in real life.

Don't assume because some people get hacked that it's necessary to make your cloud or your users' laptops or smartphones invulnerable. It's not. It is necessary to take precautions appropriate to the situation, whether you're using the cloud or the Web or an internal glass-house, ultra-secure data center.

Forgetting where your data is, or what precautions are appropriate for each of the places in which it's stored, is a quick way to find out what real threats surround you.

Cloud security is as simple as that--though in IT, simple is relative. Simple security still means you have to pay attention, keep your backups complete and hope your service provider's customer service isn't quite as forgiving or naively helpful as Mat Honan's.

Kevin Fogarty is a freelance writer covering networking, security, virtualization, cloud computing, big data and IT innovation. He blogs daily at ITWorld.com; his byline has appeared in The New York Times, The Boston Globe, CNN.com, CIO, Computerworld, Network World and other leading IT publications. Write to him at [email protected] or on Twitter at @kevinfogarty.Anatomy of a Successful Personal Hack

How did a hacker help expose holes in cloud security at Apple and Amazon? By doing some basic research and making some calls. If your end users carry iOS devices, read on.

According to Mat Honan's detailed discussion of his pwnage, he wasn't targeted for his connection with Gizmodo or Wired or anything he wrote online.

A hacker calling him/herself "Phobia" (whom Honan interviewed via email and Twitter DM) sparked on Honan because of his ultra-short Twitter handle: @mat.

Phobia's goal was always to crack Honan's Twitter account, but doing so meant starting with bigger fish and working gradually toward details that would allow the Twitter account to be cracked.

Apple's record of the attack starts at 4:33 Aug. 3 with a call from "Honan" complaining he was shut out of an email account on Apple's iCloud service.

The actual attack started earlier, when "Phobia" followed a link on Honan's public Twitter profile to his personal webpage, where they found his Gmail address, which, he/she assumed, was the email linked to his Twitter account.

Off Phobia went to the Gmail password-recovery page, which offered not only Honan's Gmail handle, but also most of the backup address he listed for account recovery--m****[email protected].

That told Phobia Honan had an iCloud account and an AppleID that would probably have access to all his other Apple devices or accounts.

"'You honestly can get into any email associated with apple,' Phobia claimed in an e-mail," Honan wrote in his explanation. "And while it’s work, that seems to be largely true."

To get into his Twitter account, Phobia needed Honan's Gmail password; to get the Gmail password Phobia needed access to either the Gmail account, or the password-recovery account, which could also log in to Honan's Gmail.

Getting the AppleID was a little more complicated, but required only the last four digits of Honan's credit card and his street address. Phobia got the street address by running a whois search on Honan's personal webpage but could have done a five-minute Google search and come up with the same result, as is the case for most Americans.

The credit-card information sometimes comes up in Google Searches, but it didn't in Honan's case. Phobia got that by scamming Amazon--the giant retail service, not AWS, the cloud service. Phobia phoned Amazon, asking to add a credit card to the account, then giving a bogus number and new email address. The bogus email allowed Phobia to go to Amazon's password-recovery page and send a temp password to the fake account.

Honan and Wired ran the same scam, to see if it worked. It did, twice--it took a few minutes each time.

Amazon's temp password let Phobia log in to Amazon, read Honan's credit-card information, then use the credit card and confirmed-by-Amazon street address to confirm ownership of Honan's iCloud account during a phone call to Apple tech support.

AppleCare responded by sending a temporary password; Phobia used the temp password to change the password to the AppleID account, locking Honan out and gaining control of Honan's iCloud account and access to all the accounts to which it was linked.

"It’s also worth noting that one wouldn’t have to call Amazon to pull this off. Your pizza guy could do the same thing, for example," Honan wrote. "If you have an AppleID, every time you call Pizza Hut, you’ve giving the 16-year-old on the other end of the line all he needs to take over your entire digital life."--K.F.