Cloud Can Rain Down Malware, Hijacking, ID Theft, Data Loss, Piracy, Trojan Horses

Commentary by Erick Hansen

Cloud Computing may rain on your parade.  The latest buzz word in the online universe could soon become the most hated as the Cloud blows away to reveal such a potential major security storm that it makes present Internet problems look like a drizzle.

Cloud Computing refers to the largest Internet and computer companies as well as indies storing your life. The idea is to put all your data, such as credit info, personal and legal documents, family photos, even phone records in shared networks.

In exchange, you can use a dumb terminal and let the corporations handle it all. That would save you money on hardware, though in the era of laptops starting at $200, it is not clear how much you would save.

It could be dust in the wind and a waste of your money.  While some people have their head in the clouds, others prefer their technology and personal info closer to the ground – and private.

Cloud technology may make Sony’s loss of the data from 75 million accounts seem like just a breeze compared to what could happen if billions of users adopt the upcoming Cloud storm.

Cloud leaders like big brothers Cisco, Dell and Microsoft could be responsible for one of the biggest tech flops ever.

What if it is a sunny day and your cloud company has gone out of business?

Or even if you cannot connect. When on the road your crucial data will be unavailable whenever your (expensive) mobile Internet does not work. Even in town, think about how many dropped calls you get on your regular cell phone. Both the Cloud dumb terminal and the connection need to work together to get “Dumb and Dumber.”

The danger is waking up one bright day and having to ask “where is my money, personal info and family photos?”

They tried dumb terminals in the early days of personal computing, mainly just a keyboard and screen – with various networks handling your data and software.  Turned out people liked to keep their personal info personal and the PC and Mac era began in earnest.

Even HP and the Cloud Security Alliance (CSA) have dire concerns over the potential threats hovering above the clouds – and they both want Cloud to succeed.

They both have published info on the Seven Deadly Sins of Cloud security.

The first is “Abuse and Nefarious Use of Cloud Computing:”

ï‚· Insecure Application Programming Interfaces

ï‚· Malicious Insiders

ï‚· Shared Technology Vulnerabilities

ï‚· Data Loss/Leakage

ï‚· Account, Service & Traffic Hijacking

The Cloud providers offer their customers the illusion of unlimited compute,network, and storage capacity — often coupled with a ‘frictionless’ registration process where anyone with a valid credit card can registerand immediately begin using cloud services. Some providers even offer free limited trial periods. By abusing the relative anonymity behind these registration and usage models, spammers, malicious code authors, and other criminals have been able to conduct their activities with relative impunity. Providers have traditionally suffered most from this kind of attacks; however, recent evidence shows that hackers have begun to target IaaS vendors as well.

Future areas of concern include password and key cracking, launching dynamic attack points, hosting malicious data, botnet command and control, building rainbow tables, and CAPTCHA solving farms. Impact Criminals continue to leverage new technologies to improve their reach, avoid detection, and improve the effectiveness of their activities. Cloud Computing providers are actively being targeted, partially because their relatively weak registration systems facilitate anonymity, and providers’ fraud detection capabilities are limited. Another treat is that Cloud Computing providers expose a set of software interfaces or APIs that customers use to manage and interact with cloud services. Provisioning, management, orchestration, and monitoring are all performed using these interfaces.

The security and availability of general cloud services is dependent upon the security of these basic APIs. From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy. Furthermore, organizations and third parties often build upon these interfaces to offer value-added services to their customers. This introduces the complexity of the new layered API; it also increases risk, as organizations may be required to relinquish their credentials to thirdparties in order to enable their agency. Insecure Interfaces and APIs Description Cloud Computing providers expose a set of software interfaces or APIs that customers use to manage and interact with cloud services. Provisioning, management, orchestration, and monitoring are all performed using these interfaces. The security and availability of general cloud services is dependent upon the security of these basic APIs. From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy. Furthermore, organizations and third parties often build upon these interfaces to offer value-added services to their customers. This introduces the complexity of the new layered API; it also increases risk, as organizations may be required to relinquish their credentials to thirdparties in order to enable their agency.

Malicious Insiders Description The threat of a malicious insider is well-known to most organizations. This threat is amplified for consumers of cloud services by the convergence of IT services and customers under a single management domain, combined with a general lack of transparency into provider process and procedure. For example, a provider may not reveal how it grants employees access to physical and virtual assets, how it monitors these employees, or how it analyzes and reports on policy compliance.

To complicate matters, there is often little or no visibility into the hiring standards and practices for cloud employees. This kind of situation clearly creates an attractive opportunity for an adversary — ranging from the hobbyist hacker, to organized crime, to corporate espionage, or even nation-state sponsored intrusion. The level of access granted could enable such an adversary to harvest confidential data or gain complete control over the cloud services with little or no risk of detection.

There are more threats documented at cloudsecurityalliance.org. Thank goodness most of us like to keep our info to ourselves, one hacker or virus here can infect a country.

Even now, about 69 percent of us (nearly 2 billion internet users) are using a type of Cloud such as your email service, which stores your email on its site until you delete it or reach a limit.

Yet you don’t let them control your whole online and computing life.

Disruption to Amazon.com Inc servers that host Internet services took down a raft of social networking websites including Foursquare and Quora early on Thursday, underscoring concerns about reliability as more companies turn to the “cloud.”

Amazon’s “Elastic Compute Cloud,” part of the online retail company’s cloud-computing service that hosts websites for startups, experienced latency problems and other errors, according to Amazon’s status page.

The company said it was dealing with capacity issues amid a flood of queries and information, according to Reuters.

Amazon is “now seeing significantly reduced failures and latency and … continuing to recover. We have also brought additional capacity online in the affected availability zone,” it said.

Now here’s how one hacked can infect a planet. The video link to Microsoft’s explanation of a global supercloud is chilling and spooky, though it is supposed to promote the Cloud.

http://www.microsoft.com/en-us/cloud/default.aspx?WT.srch=1&WT.mc_id=AEBF120C-9AC0-4DA4-B151-D9B6E31754CA&CR_SCC=200010704&fbid=KtimvU06aO5

Americans like their privacy and freedom and there are big questions on whether Cloud computing offers either. This writer believes Big Brother should blow away home and let us keep our personal data to ourselves and share it as we please, not as they do.  Let the sun shine.

Share This Post

Share on facebook
Share on linkedin
Share on twitter
Share on email

More To Explore