One major concern that enterprises and individuals usually have about cloud computing is security. While public cloud services do offer security in terms of data and access, a combination of vulnerabilities from different providers, like a cocktail of prescription drugs taken in the wrong mix, may just prove to be lethal.
It's not everyday that a technology journalist's Gmail account gets hacked. You would expect an experienced technology user to keep his accounts safe and secure, and his data backed up regularly. But hackers have their way of breaking into systems using a bit of ingenuity, social engineering and skills.
And it's not always the victim that needs to be baited. Sometimes, even an established company's customer service department fall victim to these attacks.
Mat Honan got to experience this firsthand, as he details on Wired.
In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook."
Each of Honan's online accounts was secure, as far as he believed. However, he had the inherent problem of daisy-chaining a few accounts, particularly his Gmail, Amazon and Apple ID accounts. Each service offered a strong level of security in itself, but a hacker could slowly piece together bits and pieces of details from each service in order to break in to one.
With a few publicly-available details, a hacker called "Phobia" was able to call Amazon customer service to secure access to Honan's account, and with it the last four digits of a credit card.
While that leads nowhere in itself, these last four digits are actually used by Apple to verify identity, and so the hacker was likewise able to gain access to Honan's Apple ID. And because this account was used for Gmail password recovery, Phobia was able to gain access to Honan's Gmail account.
This was then, in turn, used to access his Twitter account, which was the main intent in the first place. The hacker was able to post embarrassing messages to Honan's Twitter account, which was considered a valuable target because of its three-lettered nature.
The hacker then remotely wiped Honan's iPhone and MacBook, which were considered collateral damage (to prevent the writer from being able to regain access to Twitter). However, a big part of Honan's digital life — kid's pictures and photos of long-dead relatives — were on the MacBook, which added salt to the wound.
In hindsight, a few things could have helped prevent such a breach. For one, Google's two-step verification would offer stronger security, since it requires both a password and access to your mobile phone in order to gain access to Gmail.
Further, billing information should have been kept private. As a domain-owner, Honan's billing details were published on his sites' WHOIS information.
Additionally, Amazon and Apple themselves could improve their security when it came to account recovery. Amazon considered the last four digits of a user's credit card to be relatively safe. However, these very same digits are used by Apple as a security measure to confirm identity.
Lastly, local backups could have prevented the total loss of personal files and data. Sure, backing up to the cloud should have satisfied this requirement in the first place. But given that the cloud-based backups have been destroyed, then local copies would have been a good last-resort.
In conclusion, this single break-in incident underscores the risks involved in cloud computing. There are already concerns on control and ownership of data once it is already in the cloud, as Apple co-founder Steve Wozniak strongly puts forth. If an individual can easily be hacked, how different can it be from an enterprise with its entire data on the cloud?
Given the hodgepodge of security protocols and restrictions that different providers offer, there will inevitably be security loopholes that malicious hackers can exploit. The solution here is vigilance, and likewise cooperation within the cloud-computing ecosystem, such that each service provider be able to adequately tie in their security protocols with other services.
- Blame the C-Suite for Your Failed SharePoint Project
- Where Intranets and Enterprise Social Networks Fit in Your Business
- Gartner's Look at Advanced Analytics Vendors: Are You Using a Winner?
- The IoT is Useless - Unless You Fix Your Data Problems [Infographic]
- Microsoft Will Offer a Peek at SharePoint 2016 at Ignite
- Everything You Really Need to Know About Docker
- Which Enterprise Social Network is Right for Your Intranet?