About a month ago I gave a presentation in Kuala Lumpur that covered some of the concerns about the seemingly enthusiastic rush to push everything out "to the cloud".
People in the Marketing business love the term "cloud computing" and have come up with some lovely images of fluffy clouds reflected on office blocks and touted it as the best thing since sliced bread. Basically, the term "cloud computing" is used when resources, applications, products and/or services are pushed out to servers somewhere on the Internet instead of being run on local resources. And of course, this usually means that data must be sent, received, processed and stored somewhere on the Internet, not locally on an individual's system or a corporation's systems.
While this type of processing has been around for a while now, it is still very much in its infancy. One of the biggest potential issues in this area is that of data security and privacy. And we are today seeing a perfect example of what can go wrong when data is stored on a central server by a third party who does not fully understand data security and the implications of insecure data handling.
An Apple iPhone app called "Quip" promises to let iPhone users send pictures to each other for free – like sending a multimedia message but without any fees. So of course, people being people, many have used the application to send private and in some cases questionable pictures of themselves to others. These include pictures of users in the nude or having sex. Some photos were of people on a family day out, and even baby photos were sent. One photo appears to have been taken from inside the White House.
How do I know this? Because the pictures were apparently stored on servers belonging to Addy Mobile, the makers of the Quip app. And these servers were not secured properly. In fact, apparently the pictures were stored unencrypted on the servers and were easily accessed by hackers with minimal hacking skills.
Once these pictures were accessed, the hackers then posted them and made them available for the public to view. Some Internet users have also allegedly matched up nude pictures with real names and Facebook profiles. A spokesman for Addy Mobile has stated that the servers in question have been shut down and they have started to secure all files in the system.
But the horse has well and truly bolted, so it's a bit late to shut the gate now...!
There are lots of advantages to pushing some services out onto the Internet, or "into the cloud". But when you do that, you have to rely on someone else to store and handle your data in a safe & secure manner. You lose absolute control over the security of your assets. I'm not saying cloud computing can't be done safely, but I'm sure that there are still plenty of operators like Addy Mobile out there that don't know how to properly handle and store your data to ensure its confidentiality, integrity and availability.
I can't help but think that lots of companies like Addy Mobile, and these people whose private & intimate pictures are now publicly available on the Internet, will be learning the lesson the hard (and very embarrassing) way until the "cloud computing" business matures further.
Senior Cybercrime Research Analyst
Author ESET Research, ESET