Virtualization Technology News and Information
Thinking before Syncing: Cloud Usage, Security, and Risks


By Summer Hirst

"I've looked at clouds from both sides now, from up and down, and still somehow... it's cloud illusions I recall... I really don't know clouds at all." - Judy Collins, Singer, "Both Sides Now"

Judy Collins, as confused as she was about the real clouds, might not have been able to figure out the tech clouds either.

Among other buzzwords, "the cloud" is very commonly heard when we discuss technology. You might have heard tech gurus, millennials, or even your grandmother use this word but does anyone really understand the cloud?

This is why when The Onion released a parody video on how nobody really knows how cloud works, it instantly clicked. The movie Sex Tape depicted the same: "Nobody understands the cloud!"

The fact, however, is different. The cloud isn't all that hard to understand. 

Cloud computing can be compared to using someone else's computer. For example, when you use Gmail, you store your email on Google's cloud. So your emails are not stored in your local device but on Google's device.

Or imagine playing videos on YouTube. The videos you play are not stored on your device. Instead, they are stored on Google's computer and you watch them directly from there, even if those computers are thousands of miles away from you.

A cloud can be referred to as a group of machines with storage and processing capabilities. This group acts as an extension to your device. 

Whether you're working on your iPhone, Android, laptop, or any other device, all the big companies have huge data centers that have storage "factories". Companies such as Apple, Google, Microsoft, Amazon, Yahoo, etc. have their own data centers.

So yeah, the cloud isn't just a vague concept. It's real, concrete, and tangible.

Let's Discuss Some Obvious Questions You Might Have About the Cloud Technology

What is the cloud again?

Apart from the mass of tiny liquid droplets of water, a cloud is a data center or a collection of servers where data is stored. 

If I had to see where my files were stored, where should I go?

Cloud companies have storage factories all over the world and you won't get to know which factory is storing your files. So you can't really go looking for them. But you WILL be able to see them all on your device.

Why should I use it?

You're probably using it already. Using email? Watching YouTube videos? Using automatic backup facilities on your smartphone to store your photos? Yep, you're using the cloud.

According to a report, only 26% of cloud users know that they use cloud technology. If you think you don't use the cloud, you need to analyze your internet habits and see how common and extensive the cloud is.

Does everyone have their own cloud?

The data is stored on common disk space. But you do have a separate portion of it. Your files, notes, and photos, etc. can be accessed only by you. Of course, if your password gets hacked or you forget to log off your device, your account can be seen by others.

Why is cloud so confusing?

It doesn't have to be. Cloud is just a name given to data center that store data so you can use it remotely on your device. That's it. 

A few years back, people stored files on floppy disks. As file sizes grew, floppy disks became insufficient. They were replaced by CDs. Then DVDs. USB storage devices. And now, it's the cloud. Instead of carrying around your storage, you take up a part of a large server and store your files there.

It's Cloudy Everywhere

Still think you're not a part of the whole cloud universe? Here are some companies that provide their services through the cloud. Ever used one of these?

  • Airbnb: Hospitality services that help you travel around the world
  • Dropbox: A data syncing software system
  • Facebook: A social media giant with billions of users
  • Twitter: Microblogging platform for individuals and businesses
  • Evernote: Similar to Dropbox - a service that stores your notes and files
  • Netflix - video streaming
  • Spotify - music streaming
  • Zynga - online gaming

All the above services have these things in common:

  • The user isn't involved in the active management of services.
  • You don't need physical access to gain access to these services.
  • You get on-demand services, which means they're there when you need them.

How Cloud Has Changed Our Digital Atmosphere

Before smartphones, laptops, and tablets, we had a big box under the desk. It housed the processor, hard disk, and other components of the computer.

After the cloud, we don't have to buy big data storage devices. We can rent a part on a server and store our data there.

That's not the only benefit. Here's what you get from the cloud.

  • Reduced costs: Instead of buying expensive storage devices, you can store your documents and files in the cloud. And if you don't have a lot to store, you can use free cloud services.
  • Increased reliability: If you lose or drop your hard disk, your data will be erased permanently. Same with a hard disk crash. However, when your data is stored in a data factory, it's taken care of by expert engineers and is well-protected.
  • Universal access: You're at a vacation and realize you have to send an important file to your boss. If it's on your hard disk, there's no way of doing that. But with cloud, you can send that file from anywhere you are.
  • Device independence: You can access your files from any device. For example, if you have your files on a DVD, you can use it only on your computer. But with files stored on the cloud, the files can be accessed from your computer as well as your phone.
  • Unlimited resources: You can use online tools that you don't have to download on your device. There are several tools for designing and programming that run on the cloud.
  • Remote sharing: You can share your files with others over the cloud. You don't need to be located geographically close to each other for that.

Let's take the example of Uber. It uses maps, geolocation, online payments, and SMS technology. All of this would need a cloud service to work right. 

The user books a cab, sends their location, and finds a driver. The driver arrives and finds the person and both the parties communicate. Once the cab drive is complete, the financial transaction is done. 

Without cloud services, all this wouldn't be possible.

But while it sounds very attractive, is it completely free of risk?

Can You Trust the Cloud?

That's an important question. Can you really place your sensitive data in the cloud? 

Having your files synchronized in Dropbox, Google Drive, Apple iCloud, or any other cloud service is certainly handy. Even if you lose your smartphone or break your laptop, you'll still be able to retrieve your photos and documents. 

But should you assume that your data is safe? 

The fact is that no data is ever 100% safe, whether you save it on the cloud, PC, smartphone, SD cards, USB hard drives or floppies. Even when the cloud service encrypts your data so that it's practically unhackable, even with supercomputers. In theory, nothing is absolutely secure.

There have been cases of hacking where servers of big companies have been hacked. In May this year, Canva, the graphic designing service suffered a data breach where the records of 139 million users were compromised. And this is just one of the many, many data breaches that occur every year.

Jack Schofield, a technology journalist, once said, "Never assume your data is safe, even if it's online."

Let's add a corollary to that - backups don't exist unless your files are available on at least three different places. And deleting them from one medium should not affect the others.

Why Are People Hesitant When It Comes to Cloud Technology?

It's not physically under your control. 

With the cloud, your personal photos and videos are "up there" and you're not directly in control. So you're not sure if that's trustworthy.

With a USB hard drive, you know your personal items are with you. There are no copies. You control what you have. With the cloud, who knows how many copies are there - at least that's what the common fear is.

Someone else is handling your files so your security lies in their hands. And they're not just handling your files but the files of thousands of other customers. Would they care about your files specifically? You know you're not directly in control and this is what makes you anxious.

That's not the only security concern. There are several other considerations. Let's look at some of them.

Cloud Security Concerns

Sure, the cloud is convenient, cheap, and has changed the way we live. However, there are a number of security issues that can lead to cybercrime.

Hackers use a number of techniques to access our private data without any legal authorization. They can also use phishing to lure you into giving them your cloud credentials. Here are some security risks that loom over cloud technology.

Malware Injection

A malware injection is a code or script that's embedded by a hacker into a cloud service that acts as a valid instance. This means that the cloud server will read it as a normal script and perform the actions in the script without detecting a breach.

Once the injection is executed, the hacker can read the contents and compromise sensitive data. According to a report by East Carolina University, malware injections have become a huge security concern for cloud security.

Man in the Cloud

Just like the man in the middle attack, if the hacker is in the cloud, it's called the Man in the Cloud (MITC) attack. 

These attacks are worrying as they don't require any malicious code or other exploits during their initial stages. Instead, they depend on the file synchronization services for gaining command and control. A hacker can just reconfigure cloud services without the knowledge of the end user and create an attack tool.

And the problem is that it might not be easy to recover such compromised accounts. According to a report by Imperva, MITC attacks are not just threats but have actually happened. 

The process of synchronization to the cloud is as follows: Files are added to the local sync folder. These are automatically uploaded to the cloud. Any files loaded directly to the cloud are also downloaded to the sync folder. 

The system monitors the sync folder to see if there are any changes. If any changes are detected, they are communicated to the cloud using a dedicated channel. Any changes made to the cloud folder are also reflected on the local sync folder.

To communicate with the cloud, a user needs credentials. But most cloud services use sync tokens instead of explicit username/password combinations.

The reason behind that is even if the token is compromised, it will not compromise the account. However, there's a weakness in the sync token in which if the hacker gets the host_id value of the token, it will be impossible to revoke permissions even if the password of the account is changed.

Account Hijacking

Since cloud technology is being used widely, account hijacking is a major risk. Attackers can use your login information to access sensitive data stored in the cloud. 

Apart from just stealing passwords, hackers can also target scripting bugs to gain access to unauthorized data. In 2010, Amazon saw a scripting bug that was aimed to steal user credentials. It was discovered and purged quickly but this just goes to show that scripting bugs can find their way into even the most secure systems. 

Apart from that, hackers can use phishing and keylogging to steal user credentials. 

Meltdown and Spectre

In January 2018, studies showed that a feature that's common in most microprocessors could let content (including encrypted data) by read from the memory using malicious code.

There were two variants of this issue and they are known as Meltdown and Spectre. They can affect any device from servers to smartphones. Since they have the ability to affect data centers as well, this is a cloud security threat.

Both these variants allow side-channel attacks. Any attacker that has used hacked credentials to access the system can read the kernel information. 

While there are patches for this issue, they cannot stop the attack. They can only make the attack a bit difficult to execute. Also, these patches can reduce the performance so some organizations might not want to use them.

The CERT advisory recommended replacing all processors with this feature, which is a tough call. 

The good thing is that there have been no reported cases where a hacker used Meltdown or Spectre. But experts believe that these attacks are likely. The best thing for all cloud providers is to use the patches that are available. 

As a customer, you should ask your cloud provider how they intend to respond to Meltdown and Spectre.

Security Concerns in the Coming Years

Gartner study shows the security and privacy concerns related to the cloud will continue to haunt corporations and consumers. While the study also predicted that about 95% of failures related to cloud security will be due to customers' mistakes, there are also several security concerns that cloud companies should take into consideration.

A recent study by Cloud Study Alliance showed that companies have started adopting cloud technology but there are several security concerns related to unauthorized access and data leaks. Security in public cloud atmosphere is the responsibility of users and providers.

The big question about risks is that do they ever materialize?

When Cloud Got Hacked

Sure, the cloud has tight security. But it is not infallible. While companies might follow strong safety protocols, if your password is weak and someone guesses it, they can get access to your files. It's all about finding the weakest link.

Let's look at some cloud horror stories.

The Fappening

Not many years ago, there was the great iCloud hack when celebrity nudes were leaked and published online. This was called the fappening and it gained a lot of popularity because of its controversial nature.

According to TechCrunch, it was less of a hack and more of combining phishing attacks, guessing passwords, and using the Forgot Password links. 

Any technology is only as strong as the weakest link. The security of your account ultimately lies in your own hands. 

College professor lost her Dropbox data

A college professor lost over 3,200 files from her Dropbox folder. Dr. Heidi Kevoe-Feldman, professor at Northeastern University, had been using Dropbox for several years and very carefully at that.

She kept files in two computers and in her Dropbox and she had them all synced. Her files went missing from the Dropbox folder as well as the two computers. They were also gone from a backup external hard drive that was also synced.

Luckily for her, she used the Time Machine feature on her Mac computer and was able to get back all the files. If she didn't have that feature, her files would've gone forever.

This story is especially scary because Kevoe-Feldman took complete care of keeping multiple copies so that she doesn't lose the data and yet, somehow, she did lose it.

JetBlue flights delayed

In 2016, there was an outage at one of the Verizon data centers, leading to disruptions in the flights of JetBlue Airways. The airport and check-in gates were affected along with the JetBlue website, app, and toll-free phone number. The problem was resolved in a few hours but led to the delay of 200 flights. 

It wasn't disclosed which data center was affected and why the auxiliary systems didn't work to compensate for the outage. 

Uber Failure

In 2016, Uber received emails from an individual saying that he has access to data stored on the private Uber cloud on AWS (Amazon Web Services). Uber investigated and found that he indeed had access to archived copies of the database. 

The hacker gained access to that data because Uber didn't use multifactor authentication on its GitHub account. Instead of revealing the hack, the cab company kept quiet for over a year and even used its bug bounty to keep the hacker silent.

GCP attack

In January this year, hackers used GCP (Google Cloud Platform) to launch a malware attack using PDF baits. This attack primarily targeted banking and financial institutions. Public firms all over the world were their secondary target.

Voter Records Leak

In 2017, the records of over 198 million US voters were made public. These records contained the data of voters for over 10 years. The database was owned by Deep Root Analytics and it was stored on the Amazon S3 server. 

The data was made publicly available because of a misconfiguration problem. While it wasn't a hacking issue, it was a serious security risk.

Alteryx Data Breach

The records of over 123 million US households were exposed due to a data breach. The database contained 248 categories including phone numbers, ages, addresses, and personal interests. The data was stored on AWS and Alteryx failed in providing it the right layers of security.

While there was no evidence of this data landing in the wrong hands, but the vulnerability is still a huge problem.

These were just a few of the innumerous cases that happen every year. 

Organizations often misunderstand the security offerings of modern cloud services such as Google, Amazon, and Microsoft, and this is why there are cases of misconfiguration.

How to Safeguard Your Data in the Cloud

Check Cloud Server location

There are several US-based cloud services. However, since the US is among the Five Eye countries, there are strong chances that they'll spy on your data.

It's best to select a cloud provider that's located in a privacy-friendly country. Also, try to use a zero-knowledge cloud service. Zero-knowledge cloud means they won't know what you keep in their folders. 

On some occasions, Dropbox has restricted users' file access because they were not in accordance with DMCA rules. However, they say that they review only public links and not private folders.

But then, we cannot forget that Snowden warned us that Dropbox is hostile to privacy as it had appointed Condoleezza Rice, former Secretary of State, to its board. She's still on the board and has always been anti-privacy, so Dropbox's dedication to privacy is questionable.

Keep local backups

Although this kind-of beats the whole purpose of using a cloud service in the first place, if something is very important to you, make sure you also have a local backup with you so you don't face what Dr. Heidi Kevoe-Feldman faced.

Also, don't sync your local backup with the cloud. Otherwise, if something is deleted from the cloud, it might disappear from your local backup as well. 

Use a VPN

While many cloud services keep your online data encrypted, it is still unguarded when you share your files with someone else on another medium. To make sure all your data is safe when it travels through the internet, use a VPN.

Just like a zero-knowledge cloud service, make sure your VPN is a zero-log one so it doesn't track your online activities.

Be cautious

If we have learned anything from the fappening, it's that we should keep strong passwords and not fall for phishing. Cloud technology can be safe only if you're careful. If you keep "password" or "abc123" as your password, no amount of security will keep you safe.

Also, if you plan to make a sex tape or keep nudes on your phone, it's best to not upload them to the cloud. Before you make a video or click photos, turn off the auto cloud backup option from your phone. Once you've recorded the video, export the files to an external local hard disk. Now delete it from your phone and recycle bin before you turn the automatic backup on.

The Cloud's Nature

The cloud can be dark and ominous or white and fluffy, depending on how you use it. If you're a Bob Ross fan, you might even call it a happy little cloud. 

It offers the benefits of lower costs, flexibility, scalability, and ease of use. Of course, there are some security concerns as well but several security failures have happened due to neglect on the part of cloud users.

The notion that only onsite data is safe isn't true. Today's cloud providers have invested a lot in security and they intend to keep user data completely secure.

But the trick is to find the right provider that doesn't intend to snoop on your files and to stay careful while uploading and syncing to the cloud. 

Even if your data is not stolen or publicly published, it can still be available to the government. If the government demands to see the data you've stored in the cloud, it's up to the cloud service company if they want to deny access.

Companies like Microsoft and Google often get requests from various governments to access user data. In several cases, these companies hand over some kind of data, even if it's not the full content. Google published its transparency report showing how often they are contacted by governments and when they comply with their requests. 

The moral of the story is that if you want to fully enjoy the benefits that the cloud has to offer, you need to think before you sync.   

Published Tuesday, September 03, 2019 1:57 PM by David Marshall
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<September 2019>