Nebulous Security in the Cloud

The Cloud is a great way to publicise things, but it is not so good at keeping secrets. As a way of distributing media and data, and of propagating shop fronts like Amazon instantly and reliably across the globe, it is really good. But the catalogue of errors that has beset Cloud services makes it worth considering just how far use of the Cloud should go. Here are a few of the reasons why you might want to be careful, and some things you can do.

Dropbox was in the headlines recently for leaving its online Cloud storage unlocked for four hours, so anyone could log into any account with any password. This happened because of a bug in a code update which turned off the authentication mechanism. It strikes me that there are two problems: firstly, the architecture should not have been so vulnerable, and secondly, there should have been better testing. Negligence has been alleged in a lawsuit. I have one word for Dropbox: encryption.

Facebook has a history of unilaterally changing terms or settings to release information that you thought was private, and of making its privacy policies and settings all but impenetrable. Most recently, the facial recognition feature was introduced without alerting users so they could opt out. Maybe Mark Zuckerberg doesn’t get it, because it keeps on happening. But it seems more likely that he does get it, and doesn’t care. That data you gave to Facebook? That belongs to Facebook. It’s Facebook’s most valuable commodity, and how Facebook makes its money. So don’t be surprised when it gets out into the open. That’s always the risk you take with Facebook.

Google has your search history, Gmail and Docs, and now, with Google+, it wants even more. They sure are curious folk at Google. Remember when it turned out that they were also snooping on your wireless data when they went round in the Google Street View cars, peering into your house and garden, and sometimes posting photos of you online without asking? Recently they admitted they had been passing your private information to governments. Most governments are pretty leaky themselves, and they don’t always have your best interests at heart even if you “have done nothing wrong” and should “have nothing to hide”. So: treat Google just like Facebook. Don’t put anything there that you would mind getting out.

LastPass is a leading password manager, which encrypts your passwords within your browser, and then stores the encrypted hash on its servers in the Cloud, so you can log into websites from almost anywhere. Recently, it had a hacking scare, when it seemed that some of its encrypted data had left its servers.

What is fundamentally different between LastPass and these other Cloud services is that the data is encrypted before it leaves your computer, and it is stored encrypted in a way that LastPass cannot access even if someone made a horrible mistake or they wanted to snoop. The security was in the strength of the password, which is why those with weak passwords were advised to make them stronger.

However, as with other Cloud providers, the data is a nice juicy target for hackers, who know it is there and want a way to get it out. They are prepared to try quite hard. This means that when you store data in the Cloud, security by obscurity is virtually impossible. And in fact, you face an increased collateral risk from hackers looking for something else, but finding you.

Not much can be done about that, but encryption will start to be even more important than it is now. However, not all encryption is the same. It depends who has the keys. In the case of LastPass, you have the key, and LastPass doesn’t. When other service providers say they encrypt your data, they usually have the keys, and you know neither how securely they keep the keys, nor how much of the time the data is decrypted.

I recently bought a new hard drive: an Intel SSD 320, which features hardware encryption as standard. That sounded great until I looked at exactly how the encryption worked. You can choose a password, but the encryption is actually done with a password that has been factory set. You can change it, but even then, it is stored in the drive. This means Intel, or possibly other clever people, could decrypt my data. I’m not sure I like that, so I use TrueCrypt instead. It’s almost as fast, especially as I have hardware AES encryption on my CPU.

The Cloud has become a vital part of our connected world. So if your data is not confidential, all well and good, but if it is confidential, don’t even consider using the Cloud without client-side encryption. You can use free tools like TrueCrypt or BoxCryptor, or more commercial feature-rich tools like Trend Micro’s SecureCloud.
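
The distinction drawn above, where you hold the key and the provider does not, looks like this in practice. This is an added example, not code from LastPass or any tool named in this article; it uses Node.js's built-in crypto module, and the function names, passwords and sample data are invented for illustration.

```javascript
const crypto = require("node:crypto");

// Derive a 256-bit key from the password on the client. Only the salt is
// stored with the data; the password and key never leave this machine.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// Encrypt locally and return the record that would be uploaded.
function sealForUpload(password, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(password, salt), iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return {
    salt: salt.toString("base64"),
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    ciphertext: ciphertext.toString("base64"),
  };
}

// Decrypt after download. Throws if the password is wrong or the record
// was modified while stored, because the GCM tag no longer verifies.
function openAfterDownload(password, record) {
  const key = deriveKey(password, Buffer.from(record.salt, "base64"));
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(record.iv, "base64"));
  decipher.setAuthTag(Buffer.from(record.tag, "base64"));
  return Buffer.concat([
    decipher.update(Buffer.from(record.ciphertext, "base64")),
    decipher.final(),
  ]).toString("utf8");
}

// Demo helper: true if decryption succeeds, false if it is rejected.
function canOpen(password, record) {
  try { openAfterDownload(password, record); return true; } catch { return false; }
}

// Constructed sample data, not from the original article.
const stored = sealForUpload("correct horse battery staple", "bank PIN: 0000");
console.log(Object.keys(stored));          // everything the provider holds
console.log(canOpen("guess123", stored));  // anyone without the password
console.log(openAfterDownload("correct horse battery staple", stored));
```

Everything in the uploaded record can be read by the provider without revealing the contents, so the remaining weakness is the one noted above: a password weak enough to guess.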
