One more harsh lesson in cloud security

August 7, 2012 | By David

Grazed from ITWorld. Author: Brian Proffitt.

The travails of former Gizmodo writer Mat Honan may illustrate the dangers of the consumerization of the cloud, and serve as a reminder that when it comes to security, the human factor may still be the weakest link.

Honan’s story is pretty frightening: in the course of 15 minutes Friday afternoon, a hacker was able to access his Apple iCloud account, obtain access to his Gmail account by executing a password reset request, and then–after obtaining access to many of Honan’s other accounts, including his access to the Gizmodo Twitter account–proceeded to remotely wipe the data from Honan’s iPhone, iPad, and MacBook, using those devices’ Find My feature.

It was a stunning hack, and one that might have been quietly swept under the Apple rug as “user error,” had not the victim been a well-known technology writer with the social clout to find out answers…

Namely, as Honan would learn during his investigation: how was the hacker able to gain access to Honan’s iCloud account simply by calling Apple support and social engineering the needed information out of Apple?

If true, this is a huge hole in Apple’s security procedures, and one that puts Apple iCloud users at serious risk of having their data examined and, as with Honan’s case, lost.

Laying all of this at Apple’s feet would be easy to do, and there’s no getting around the fact that Apple has a problem that needs to be solved. But beyond Apple, this incident also points out potential problems with the growing dependency consumers have on cloud data storage and management.

In the past, such a monumental remote data wipe was possible, but usually counterproductive. After all, why destroy a PC when you can use it in a perfectly good botnet? But with data increasingly stored in the cloud, where it is supposedly “safe,” hackers can copy and destroy data at will without ever touching your computer.

The usual tips will help: protect your passwords, use two-factor authentication, and for goodness’ sake, don’t use the same password across multiple accounts. Honan’s incident should also remind us to make sure that whatever cloud service we use has enough obscure security questions and answers that no one can talk their way past the service’s tech support line.

The cloud affords us a lot of convenience, but like any new tool it offers the chance for abuse as well. While this happened to one user’s Mac accounts, it could just as easily happen on a Windows or Linux machine in the near future if someone makes similar services available on those platforms.

For me, it is a hard choice. I like cloud services, and use services like Dropbox to share files across all of my machines. Most of my data is locally stored, because I still can’t see the advantage in such slow upload times when I can just buy a bigger removable drive.

But as my Android phone gains more advanced, cloud-friendly features, as my iPad already has, I worry that one of these devices is going to find itself a target through a cloud service I use, or that access to my data gets blocked by one password change.

Paranoid? Maybe. But the cloud means that access to our data is no longer limited to just one PC or Mac. It’s out there for anyone to see, and not even Linux users are safe from this kind of attack.

With all of these myriad cloud and cloud-like services crowding for consumer attention, users are going to have to pay attention to how these services work in order to keep themselves safe. But that’s not enough: clearly, even users like Honan, who are very well equipped and know what’s what, can get caught out by over-centralization of services.

This is why cloud services need to be held far more accountable for our data’s security. If they want our data, they must work harder to ensure that it is well and truly protected.

Hacks like this will still happen; there’s always someone smarter than you or a corporation. But it should not be this easy.