Holes In The Cloud

About a month ago I gave a presentation in Kuala Lumpur that covered some of the concerns about the seemingly enthusiastic rush to push everything out "to the cloud".

People in the Marketing business love the term "cloud computing" and have come up with some lovely images of fluffy clouds reflected on office blocks and touted it as the best thing since sliced bread. Basically, the term "cloud computing" is used when resources, applications, products and/or services are pushed out to servers somewhere on the Internet instead of being run on local resources. And of course, this usually means that data must be sent, received, processed and stored somewhere on the Internet, not locally on an individual's system or a corporation's systems.

While this type of processing has been around for a while now, it is still very much in its infancy. One of the biggest potential issues in this area is that of data security and privacy. And we are today seeing a perfect example of what can go wrong when data is stored on a central server by a third party who does not fully understand data security and the implications of insecure data handling.

An Apple iPhone app called "Quip" promises to let iPhone users send pictures to each other for free – like sending a multimedia message but without any fees. So of course, people being people, many people have used the application to send private and in some cases questionable pictures of themselves to others. These pictures include themselves in the nude or having sex. Some photos were of people on a family day out, and even baby photos were sent. It seems one photo appears to have been taken from inside the White House.

How do I know this? Because the pictures were apparently stored on servers belonging to Addy Mobile, the makers of the Quip app. And these servers were not secured properly. In fact, apparently the pictures were stored unencrypted on the servers and were easily accessed by hackers with minimal hacking skills.

Once these pictures were accessed, the hackers then posted them and made them available for the public to view. Some Internet users have also allegedly matched up nude pictures with real names and Facebook profiles. A spokesman for Addy Mobile has stated that the servers in question have been shut down and they have started to secure all files in the system.

But the horse has well and truly bolted, so it's a bit late to shut the gate now….!

There are lots of advantages to pushing some services out onto the Internet, or "into the cloud". But when you do that, you are having to rely on someone else to store and handle your data in a safe & secure manner. You lose absolute control over the security of your assets. I'm not saying cloud computing can't be done safely, but I'm sure that there are still plenty operators like Addy Mobile out there that don't know how to properly handle and store your data to ensure its confidentiality, integrity and availability.

I can't help but think that lots of companies like Addy Mobile, and these people whose private & intimate pictures are now publicly available on the Internet, will be learning the lesson the hard (and very embarrassing) way until the "cloud computing" business matures further.

Craig Johnston
Senior Cybercrime Research Analyst

Author , ESET

  • Waqas

    When will ESET launch its cloud protection. I love using ESET nod32. I also want a firewall and i am currently using Comodo as it has proved it the best by passing the leak test it prepared while many other firewalls failed including Eset smart security. If the author is reading this please tell me about the firewall stuff…

    • Randy Abrams

      Why do you look for “cloud protection”. Just because a buzz word is popular it doesn’t make it a great technology. You should be looking at what gives you the best protection and not what marketing wants you to think is essential. “The cloud” is really just the interent. ESET’s ThreatSense.Net has been using the internet for years now.

      As for the firewall, not all leak tests are actually relevant tests to product performance. there have been a number of observations about the failure of some of these tests to take into account actual protection. Would you buy a car because it has the best seat belts and ignore the bumpers, air bags, brake systems, and other integrated safety devices that affect overall safety? Was the seat belt the best because the fabric was the softest or did it actually withstand real world crashes the best.

      Many tests out there fail to address real world performance and as a result, unsuspecting users are lead to believe things that are not true.

      “The Cloud” is marketing hype. You should be looking for security rather than sound bites.

      Randy Abrams
      Director of Technical Education

Follow us

Copyright © 2018 ESET, All Rights Reserved.