As we move deeper and deeper into a Cloud based world, the cynics and critics use security as a weapon for spreading fear. They touch the raw nerves of users who are still coming to terms with the new way of doing computing and try to exploit their anxiety about the new computing model to protect their current bastion in the marketplace. Cloud Computing is not the secret sauce to the ultimate secure computing we are all dreaming about. Like the real world we live in, there are some security issues that need to be taken care of. Some of them can be managed by changing the way we manage security at present, and some of the issues require the development of new technology and, even, new conceptual frameworks.
The problem facing any user wanting to move to the clouds (for that matter, the web itself) is not the inherent systemic vulnerabilities in the Cloud ecosystem. It is as good or as bad as the existing technologies. The biggest challenge facing users as they move from the closed shell offered by traditional computing to a more powerful, ubiquitous, open, interconnected world is the users themselves. Irrespective of whether there are technological weaknesses in the Cloud ecosystem, the weakest link in Cloud security is the ignorant, and most of the time just lazy, user. If there is something the recent Twitter hack has exposed about the current computing ecosystem, it is what the user didn’t know and/or didn’t do.
Now we are also seeing a new trend in the form of social networks. The relative anonymity and “do it from your couch” nature of these social networks entice even the shy among us to be a brand in the uber-pervasive internet world. The new breed of social media gurus and branding specialists churn out non-stop tweets and blog posts about how one can position oneself to become one of the Who’s Who of the internet, without giving users any time to think about the consequences of following these suggestions. The very ideas these gurus offer to help users climb the ladders of the social media bandwagon are the ones security professionals will tell them not to do in this uber-connected world of Clouds. But, hey, who listens to security professionals anyway? They are hell-bent on putting roadblocks in our way to the ultimate internet nirvana. They are just a bunch of geeks who have trouble finding dates and they want the rest of human society to suffer just like them. Well, this feel-good factor about the opportunities to attain internet nirvana would have continued for some more time if not for the rude awakening in the name of the Twitter hack.
There are two sides to a hack attack. One is the hacker (ok, cracker) side, where someone with either malicious intent or plain curiosity enters someone else’s “private property” and does one (or many) of the following:
- Just lurks around the property
- Steals information from the property
- Causes irreparable damage to the property
The other side is the owner of the private property (well, it is us, the users of computing systems). In my opinion, most of the users who talk passionately about the idea of “private property” fail to put in the effort to safeguard it. It is the responsibility of the owner of the private property to ensure its security. Most of the time, they fail either due to ignorance about the safeguarding measures or plain laziness, with the lame assumption that everything is going to be ok. This is what is happening in the cloud ecosystem too. Cloud users are either ignorant about good security practices or lazy in following them. Either way, they are quick to absolve themselves of their responsibility whenever someone breaks into their account. In reality, except in cases where there are attacks at the systemic level (before anyone goes off on a tangent on this point, I want to emphasize that such systemic attacks are part of the traditional systems too), most users are quick to pin the blame entirely on the hacker rather than on themselves. I am not condoning the hackers, but I am just pointing out that, in most cases, it is the users who should take the blame for not being responsible enough.
TechCrunch’s anatomy of the Twitter hack offers a similar story about what went wrong in Twitter’s case.
For an attacker such as Hacker Croll looking to exploit the combination of bad user habit, poorly implemented features and users mixing their personal and business data – his chances of success just got exponentially greater. Companies that are heavily web based rely largely on users being able to manage themselves – the odds are not only stacked against Twitter, they are stacked against most companies adopting this model.
Bad human habit #1: Using the same passwords everywhere. We are all guilty of it. Search your own inbox for a password of your own. Hacker Croll reset the password of the Gmail account to the password he found associated with some random web service the user had subscribed to and that sent a confirmation with the password in clear text (and he found the same password more than once). He then waited, to check that the user was still able to access their account. Not too long later there was obvious activity in the email account from the account owner - incoming email read, replies sent and new messages drafted. The account owner never would have noticed that a complete stranger was lurking in the background. The second domino falls.
From here it was easy.
Hacker Croll now sifts through the new set of information he has access to – using the emails from this user’s personal Gmail account to further fill in his information map of his target. He extends his access out to all the other services he finds that this user has signed up for. In some instances, the password is again the same – that led Croll into this user’s work email account, hosted on Google Apps for Domains. It turns out that this employee (and in fact most/all Twitter employees and everyone else) used the same password for their Google Apps email (the Twitter email account) as he did with his personal Gmail account. With other sites, where the original password may not work – he takes advantage of a feature many sites have implemented to help users recover passwords: the notorious “secret question”.
Well, the story is similar to what most of us do on the web. Leaving aside the moral issues associated with the hacker’s activities, the two things that stand out of the Twitter story are:
- The users keeping really weak passwords and using the same password in all their online accounts
- More importantly, Twitter, as a company, has failed to educate its employees about safe security practices
The blame lies entirely on Twitter and its employees. Twitter is a hot startup and there is no way the geeks involved in it are unaware of the Security 101 lessons and the need to educate employees about good security practices. This is just a case of sheer laziness and overconfidence on the part of Twitter and their employees.
Well, by now you must have lost patience reading such a long post and must be wondering about the connection between this rant and Google Profiles. A Google Profile, in short, is your identity on Google’s properties. From Google’s Help Page,
A Google profile is simply how you present yourself on Google products to other Google users. It allows you to control how you appear on Google and tell others a bit more about who you are. With a Google profile, you can easily share your web content on one central location. You can include, for example, links to your blog, online photos, and other profiles such as Facebook, LinkedIn, and more. You have control over what others see. Your profile won’t display any private information unless you’ve explicitly added it.
You can also allow people to find you more easily by enabling your profile to be searched by your name. Simply set your existing profile to show your full name publicly.
In the words of Social Media gurus and Branding specialists, it is an amazing tool to help you climb the social media ladder. One piece of advice these professionals give is to include as much information about yourself on as many sites as possible, so that when your name is searched on the search engines, it comes up at the top of the results. There is a multi-million dollar industry behind helping individuals and companies get the top rankings in search engines. Since Google’s search engine has a huge market share, Google Profile becomes the most important tool to push your brand to have a significant presence in the search results. When someone searches for your name, your Google Profile is listed prominently in the search results.
Therein lies the catch. While Google Profile pushes you up the social media strata, it also makes you more and more vulnerable to attacks. Unlike other social profiles, Google Profiles insists that users submit a significant amount of information about themselves before including their names in the search. This forces users to submit information like the cities they have lived in, their schools and colleges, their interests, etc. This is exactly the kind of information many web services require for password recovery. When a hacker gets this information from a user’s Google Profile, all he/she has to do is use it on a web service that takes in one such piece of information and spits out the user’s password. Once the hacker has this password, in most cases the user’s other accounts can also be compromised (see the laziness rant above). Even otherwise, the information provided in the Google Profile is a treasure trove for hackers to map out your online and real life and, then, look for the weakest point. In short, Google Profiles is a treasure trove for hackers to cause havoc in people’s lives with the information they willfully provided.
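To make the two weaknesses above concrete from the defender’s side, here is an added self-audit script (not from the original post, TechCrunch or Google): it flags services that share one password, and flags “secret question” answers that can be read straight off a public profile. The service names, profile fields and answers are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample data (not real accounts or people).
SAMPLE_CREDENTIALS = {
    "gmail": "correcthorse",
    "work-google-apps": "correcthorse",   # same password as personal mail
    "photo-site": "correcthorse",
    "bank": "a-different-one",
}
SAMPLE_PROFILE = {  # public fields of the kind the post says Google Profile asks for
    "places lived": "Chennai; Bangalore; San Jose",
    "education": "St. Xavier's High School; Anna University",
    "interests": "cricket, photography",
}
SAMPLE_SECRET_ANSWERS = {
    "What city were you born in?": "Chennai",
    "What was your first school?": "St Xaviers",
    "What is your favourite sport?": "Cricket",
    "Name of your first pet?": "Biscuit",
}

def _norm(text):
    """Lower-case and drop punctuation so "St. Xavier's" matches "st xaviers"."""
    return re.sub(r"[^a-z0-9 ]", "", text.lower()).strip()

def find_reused_passwords(credentials):
    """Return groups of services that share one password (only groups of size > 1)."""
    by_password = defaultdict(list)
    for service, password in credentials.items():
        by_password[password].append(service)
    return sorted(sorted(s) for s in by_password.values() if len(s) > 1)

def find_guessable_answers(secret_answers, public_profile):
    """Map each secret question whose answer appears in the public profile
    to the profile field that gives it away."""
    leaks = {}
    for question, answer in secret_answers.items():
        needle = _norm(answer)
        for field, value in public_profile.items():
            if needle and needle in _norm(value):
                leaks[question] = field
                break
    return leaks
```

Run against the sample data, the first check groups the three accounts sharing one password, and the second reports that three of the four recovery answers are readable from the profile; an empty result from both is what a user should aim for.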
I have nothing against the social media craze, and I have no problem if you want to listen to these social media gurus and branding specialists. I just want Cloud users to understand the consequences of following these suggestions. If something goes wrong with your Cloud based accounts, don’t blame the hacker who broke in. Blame yourself first and take responsibility for your own role in the hack attack.