Imagining An Attack That Could Wipe Out Trust In The Cloud

In a previous post, I described how the public confidence in services that collect your private information is getting closer to crossing the creepy line, and that any security breaches that actually harm customers would likely be the final straw that break the camel’s back. I also mentioned that instead of Google, Facebook and others, I predict that the final straw will actually come from hackers intruding into our devices and accounts.

Here, I want to elaborate on the example that I have in mind. Before this however, I want to update the reader on a relatively new form of malware called Ransomware. Ransomware is holds your data hostage and importantly, instead of just causing you trouble, it blackmails you to send money. Also of great significance is that Ransomware creation can now be outsourced.

Ransomware works because victims are willing to pay money to get back their files. However, now that we often have more valuable data on our smartphones or in the Cloud than on our PCs, it is reasonable to assume that hackers are right now thinking of new ways to hold your private photos, your location data, or messages that you might want to keep secret as hostages.

For example, a recent Apple Ransom scam  asked for a $30-$50 ransom or otherwise they would do a factory reset. The author advises that you simply ignore this because you can easily recover with a backup. However, what if the scammer had threatened to publish all your photos, your emails, your location data, etc. on the web for all to see. Would you still ignore the scammer? Unlike the iCloud celebrity photo leak, this is something that could happen to any normal person, and this is what makes it so scary.

This is not about Apple vs. Google/Facebook or about any single company’s approach to privacy. If such attacks became widespread, it could cause people to be scared of storing anything in the cloud, despite whatever security measures each individual company took. Of course two-factor authentication will help, but not enough people use it yet.

Advanced two-factor authentication systems may mitigate the worries in the future. However, if such attacks strike now, I fear that the companies that depend on the cloud will have a hard time getting people to trust them once again. Given the potentially widespread consequences, I think this is definitely something to give due thought to.

  • obarthelemy

    Then again, local storage isn’t better. actually, it’s worse, because clients (and client users) are less safe than servers (and admins).

    I think it goes the other way round, and rightly so: people who have lost local data for any reason (hardware failure, mistake, malfeasance, hacks…) conclude that data is safer in the cloud. It’s broadly true…

    … but the only 100% secure solution is to have backups. Backups work for both cloud and local data; and backups are
    1- offline (not in the cloud, not always connected to your PC, so ransomware/your ex/your kids can’t get to it)
    2- offsite (in case of physical destruction ie fires, robbery, flood…)
    3- multiple (because Murphy’s law: your one backup will fail when your live data fails)
    4- tested (because if you can’t restore it, it’s not a backup, and you don’t KNOW you can restore it until you’ve actually restored it).

    I’ve had clients lose data because any and all of those requirements were missing: single backup that failed, backup that was silently failing instead of being done, fire that fully destroyed the premises incl the backups…

    • You mistake the issue. What I am talking about is not an issue of losing your data due to hardware failures. It is about criminals gaining access to your data and exploiting it.

      • obarthelemy

        I’m actually talking about both issues. Ransomware and HW failure: both are usually better prepared for in the cloud than on the local device.

        And I’m talking about more than both, but data security in general (ie, also bugs, mistakes, non-hacking malfeasance; environmental events…).Again, Cloud is still generally safer than local.

        The bit about backups is because although Cloud is a bit safer than Local, in the end only a rightly-done backup is 100% proof against all those data-loss threats.

        • Again, I’m not talking about data loss. I’m talking about your personal data being exposed and used by people with malicious intent.

          For example, the celebrities that had their nude photos exposed would probably had much preferred data loss than having the photos being posted publicly.

          Note that for data to be stolen from local devices, you have to misplace that device and it has to physically end up in the hands of the hackers, who most likely are located in Russia or China. You also have to get the data before it’s remotely wiped. That’s not easy and it’s not how the Democrat party’s emails were hacked. It’s much easier today for hackers to access data on servers from a remote location.

          • obarthelemy

            That’s not what ransomware is. Ransomware is data loss, because you lose access to your data. Your data is not exposed, and is not used, just taken out of your reach for ransom.

          • Apologies if my intent wasn’t clear enough. I’m using ransomware as an example to show how malware is being monetised, even for normal consumers.

            As for the local/cloud discussion, you are totally correct that malware on the PC is a great way to get your cloud passwords and is very common.

            However, on the other hand, if you have the data on the cloud, hackers can do all of this without attaching your PC at all. They can do this hacking completely on the cloud.

          • obarthelemy

            Yes. But my points are:
            1- malware is but one way to lose your data. Tackling only malware makes little sense when for example failure rates for hard drives are up to 5%/yr and 1% on average ( http://www.hardware.fr/articles/954-6/disques-durs.html , SSD are up to 8%/yr, though significantly lower on average, about 0.3%) ie significantly higher than the risk of malware.
            2- I understand people get a sense of safety from their data being in the cloud, and that they’re only partly right, so in the end, wrong: it’s safer in the cloud than local, but still not utterly safe, only proper backups achieve that.
            3- attacking the cloud (ie, servers) directly is significantly harder than attacking client devices. It will have a massive impact if it does happen, and will be a PR nightmare because of the synchronicity of millions of hacks, but it probably still won’t make Cloud worse than Local as far as data safety and confidentiality is concerned.

  • Pingback: Start Up: Airpods ahoy!, inside Pebble’s fall, Facebook’s (bad) Year in Review, cloud mistrust, and more | The Overspill: when there's more that I want to say()