Recent High Profile Breaches Highlight Security Flaws That Are Not Just In The Cloud
In the past few months there have been some high-profile security breaches involving cloud applications that may give people pause about using the cloud. These got a lot of publicity because of the victims involved.
The first was Vice Presidential candidate Sarah Palin's Yahoo email account being hacked. The second was a hacker gaining control of then President-Elect Barack Obama's Twitter account.
If it can happen to them it can happen to anyone, right? Good reason to stay away from the cloud, isn't it? Well yes, it could happen to anyone. However, if we look at these more closely you could see it happening on your own systems too.
Palin's email was hacked by using the automated password reset function. By answering some questions that in theory only Palin knew the answers to, the hacker was able to reset the password and gain control of her account. The problem is that, as a public figure, much of her "secret" information was available to the public.
Password resets are probably the single biggest Help Desk incident in our companies. Automated password reset systems are therefore especially attractive, and doubly so if we also have Single Sign-On systems.
Given the familiarity we have with our co-workers, the public information available about executive management, and the personal information we publish on sites such as LinkedIn and Facebook, even the "secret" information of not-so-public people may be easily found.
The Twitter breach was a true hacking of a password. The account hacked had an easy password that was quickly cracked through a dictionary attack, especially since Twitter did not limit login attempts. Once the hacker had control of the account they realized just how lucky they were: they had control of a Twitter admin account! Once you have admin privileges the world is yours. Fortunately the hacker was more interested in touting his skills than in doing actual damage.
The security weaknesses that allowed these breaches aren't unique to the cloud. You could find them just as easily on the systems you control. They were:
- Automated systems that asked questions for which the answers could easily be found
- Weak password on an admin account
- Allowing unlimited login attempts without locking the system
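As an added example (not code from the original post, Yahoo or Twitter), the following Python module models the server-side controls whose absence the post blames for these breaches: a password policy that rejects dictionary words, a failed-login counter that locks an account after a handful of consecutive failures, and a password reset driven by a random, expiring, one-time token instead of "secret" questions whose answers can be looked up. The common-password dictionary, the account names and passwords, the lockout and token lifetimes and the injectable clock are all constructed for the demonstration.

```python
"""Added example: dictionary-password rejection, account lockout and
token-based reset, modelled in memory. All names and values are constructed."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

# Constructed stand-in for a breached-password list; a real deployment loads a large one.
COMMON_PASSWORDS = {"password", "letmein", "happiness", "123456", "qwerty", "admin"}

MAX_FAILED_ATTEMPTS = 5        # consecutive failures before the account locks
LOCKOUT_SECONDS = 15 * 60      # how long a locked account stays locked
RESET_TOKEN_SECONDS = 10 * 60  # how long a reset token is valid
PBKDF2_ROUNDS = 100_000        # assumption: tune for your own hardware


def check_password_policy(password: str) -> list:
    """Return the reasons a password is unacceptable (empty list if it passes)."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password dictionary")
    if password.isalpha():
        problems.append("contains only letters")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    name: str
    salt: bytes
    digest: bytes
    is_admin: bool = False
    failed_attempts: int = 0
    locked_until: float = 0.0
    reset_token: str = ""       # SHA-256 of the issued token; empty means none pending
    reset_expires: float = 0.0


class AuthService:
    """Accounts, failed-login tracking and pending resets; `clock` is injectable for tests."""

    def __init__(self, clock=time.time):
        self.accounts = {}
        self.clock = clock
        self.audit_log = []  # one line per notable event, what a SOC would alert on

    def register(self, name, password, is_admin=False):
        problems = check_password_policy(password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.accounts[name] = Account(name, salt, hash_password(password, salt), is_admin)

    def login(self, name, password) -> bool:
        now = self.clock()
        acct = self.accounts.get(name)
        if acct is None:
            hash_password(password, b"\x00" * 16)  # same cost for unknown names
            return False
        if now < acct.locked_until:
            self.audit_log.append(f"{name}: login attempt while locked")
            return False
        if hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failed_attempts = 0
            return True
        acct.failed_attempts += 1
        self.audit_log.append(f"{name}: failed login #{acct.failed_attempts}")
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            self.audit_log.append(f"{name}: locked for {LOCKOUT_SECONDS}s")
        return False

    def request_reset(self, name) -> str:
        # A real system sends the token out of band (e-mail, SMS) and never returns
        # it to the caller; it is returned here only so the demonstration can finish.
        acct = self.accounts[name]
        token = secrets.token_urlsafe(32)
        acct.reset_token = hashlib.sha256(token.encode()).hexdigest()
        acct.reset_expires = self.clock() + RESET_TOKEN_SECONDS
        return token

    def complete_reset(self, name, token, new_password) -> bool:
        acct = self.accounts[name]
        presented = hashlib.sha256(token.encode()).hexdigest()
        if (not acct.reset_token or self.clock() > acct.reset_expires
                or not hmac.compare_digest(presented, acct.reset_token)):
            self.audit_log.append(f"{name}: reset rejected")
            return False
        if check_password_policy(new_password):
            return False
        acct.salt = os.urandom(16)
        acct.digest = hash_password(new_password, acct.salt)
        acct.reset_token = ""  # one-time use
        acct.failed_attempts = 0
        acct.locked_until = 0.0
        return True
```

Two design notes. First, the `audit_log` entries are the detection side of the same control: a burst of "failed login" lines followed by "locked" on an admin account is exactly the signal the Twitter incident would have produced. Second, a hard lockout is itself the cost/ease-of-use trade-off the post describes: anyone who knows an admin's login name can lock that account on purpose, so production systems usually pair lockout with progressive delays or per-source throttling rather than relying on it alone.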
Each of these flaws is a very basic item, and yet they were allowed to occur. In dealing with system security there are three things everyone always wants:
- Tight security
- Low cost to set up and maintain
- Easy to use
The problem with security is that when you actually set it up you can only pick two of the three. Any two, but only two; the third is sacrificed. What you actually do is try to strike a workable balance between the three. Obviously Yahoo and Twitter favored low cost and ease of use too heavily, thereby jeopardizing security.
We do need to be concerned about security with our cloud applications. When deciding on using a cloud application you should review the security provisions just as closely as you do the features, functionality and costs of the application. Don't get misled by the hype into thinking our own internal operations are inherently safer than the cloud. As these examples show, it only takes a little laxity in the security setup to leave us vulnerable, whether it is in the cloud or in our internal operations.
How do you balance security, cost and ease of use? Please leave a comment.
"Lock" photo by AMagill
Hey, in general I agree with you, but we should take care about what the cloud is and which security we expect from such a cloud. If it is a compute cloud for my company I would avoid such scenarios; if it is a personal system or near-private stuff I would consider it being a private problem. Thinking of Palin, I really have to take care as a professional politician whether I will use a free email programme or a system with much higher security.
Tom
Posted by: Tom Peruzzi | February 02, 2009 at 01:50 PM
Tom,
Thanks for commenting. You are absolutely correct – we shouldn’t assume that the provider of cloud services has a good security system in place. You have to perform a true “due diligence”. At the same time this also applies to our own in-house applications. Sometimes we may not be as secure as the cloud and need to perform a due diligence on our own operations.
Professional politicians are always popular targets, along with celebrities or other well-known people, and should always be extra cautious; not that extra care wouldn’t hurt us lesser-knowns either.
Mike
Posted by: Mike | February 02, 2009 at 04:59 PM