The Next Web

Twitter Break-in Exposes the Major Flaws in Cloud Computing. We are simply not ready yet.

Many of you will already know, or will wake up to, the news that TechCrunch has obtained a number of private internal documents, sent in by a hacker who managed to access Twitter employees' personal accounts some weeks ago.

Evan Williams, Twitter’s co-founder, confirmed there had been a targeted attack on Twitter and that he was aware of the various media that had been posted. I don’t particularly want to regurgitate all the news; TechCrunch has it well covered and discusses the various documents they are considering publishing here.

What I do want to discuss is a term that began as marketing spiel but now encompasses a huge range of technology offerings (software-as-a-service, storage on demand and so on): cloud computing, and why we are a long way from being really ready for it.

Personal Experience

Interestingly enough (for you guys reading this), I suffered a personal targeted attack two months ago, which saw a hacker access my various email accounts (by breaking into one) and then gain access to my PayPal account and attempt to transfer $5000 to a random email/PayPal account. He/she also gained access to my domain registrar and a number of other personal areas, all obviously online. Regaining control of all of it took around 2-3 days, and when it happened again (within a day, presumably from the same person) it was another week or so before I once again had control. I had, of course, to ensure I did all I could so that *if* it did happen again, I’d have every possible means to regain access. To this day, I’m not certain how the hacker initially broke in, but I do know that, like Twitter, the majority of the damage was done through password retrieval mechanisms.

The two things that perplexed me most when it happened were:

  • a) how email is by far the most significant hub of personal information for virtually anyone who uses the web: whoever controls a mailbox can trigger the password reset of almost every other account tied to it, so access to it opens many more doors to private information.
  • b) how limited the account retrieval options Google (my email provider) had available to me. At the time, Google Apps offered two ways to prove your identity: upload a file to the relevant domain’s servers, or have a new password emailed to the back-up address in your Google Apps settings. Ridiculous, because there’s a good chance the hacker already had access to both.
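The point in (a) and (b) is really a graph problem: every account that resets "via e-mail" is only as strong as the mailbox that receives the reset link, and when two mailboxes recover each other there is no safe root at all. The following is an added example (not code from the original post) that models those recovery relationships for a constructed set of accounts, computes which accounts an attacker reaches from one compromised foothold, flags mutual-recovery loops, and shows how re-rooting recovery on an offline factor changes the result. The account names and relationships are made up for illustration.

```python
"""Blast radius of a compromised account through password-recovery chains.

Constructed example: models "which channel can reset which account" as a
directed graph and computes what one stolen foothold gives an attacker.
"""
from collections import deque

# Constructed data. Key: an account; value: the channels able to reset its
# password. primary_mail and backup_mail recover each other, which is the
# situation the post describes with Google Apps; phone_number stands for an
# offline, out-of-band factor that no online account can reset.
RECOVERY_CHANNELS = {
    "primary_mail": {"backup_mail"},
    "backup_mail": {"primary_mail"},
    "paypal": {"primary_mail"},
    "registrar": {"primary_mail"},
    "twitter": {"primary_mail"},
    "phone_number": set(),
}


def reset_edges(channels):
    """Invert the table into channel -> accounts that channel can reset."""
    edges = {name: set() for name in channels}
    for account, recoverers in channels.items():
        for channel in recoverers:
            edges.setdefault(channel, set()).add(account)
    return edges


def blast_radius(channels, foothold):
    """Every account an attacker controls after compromising `foothold`,
    following reset flows transitively (breadth-first search)."""
    edges = reset_edges(channels)
    seen = {foothold}
    queue = deque([foothold])
    while queue:
        current = queue.popleft()
        for nxt in edges.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def mutual_recovery(channels):
    """Pairs of accounts that can each reset the other. Such a loop means
    whoever holds either one holds both, so neither is a safe recovery root."""
    pairs = set()
    for a, recoverers in channels.items():
        for b in recoverers:
            if a in channels.get(b, set()):
                pairs.add(frozenset((a, b)))
    return pairs


def reroot(channels, accounts, root):
    """Return a copy where each of `accounts` is recoverable only via `root`
    (e.g. an out-of-band phone or hardware factor instead of another mailbox)."""
    hardened = {name: set(recoverers) for name, recoverers in channels.items()}
    for account in accounts:
        hardened[account] = {root}
    return hardened


if __name__ == "__main__":
    print("loops:", mutual_recovery(RECOVERY_CHANNELS))
    print("backup_mail stolen:", sorted(blast_radius(RECOVERY_CHANNELS, "backup_mail")))
    hardened = reroot(RECOVERY_CHANNELS, ("primary_mail", "backup_mail"), "phone_number")
    print("after re-rooting, backup_mail stolen:", sorted(blast_radius(hardened, "backup_mail")))
    print("after re-rooting, primary_mail stolen:", sorted(blast_radius(hardened, "primary_mail")))
```

Two things fall out of running it. Re-rooting removes the loop, so a stolen back-up mailbox no longer hands over the primary one. But the primary mailbox remains a hub: whoever controls it still reaches PayPal, the registrar and Twitter, which is exactly why the post argues the mailbox deserves bank-grade protection.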

Nothing More Secure Than Email

In my opinion, there should be no more secure area online than a private email account. It should be at least as secure as online banking and require as much offline (out-of-band) verification as possible to prove identity. Thankfully, Google has recently taken steps (however small) to strengthen its verification mechanisms: new Gmail users are now required to enter a mobile phone number when setting up an account.

Corporate Security and Cloud Computing Uptake

But let’s forget individuals. Twitter’s story reveals, above all, that cloud computing is not yet ready to meet corporate IT needs. CEOs and CIOs alike have said openly that they aren’t ready for cloud computing yet.

The basic fact is that, quite apart from the various means of access, sharing infrastructure with others is a huge security risk. If a company keeps its data on its own server, at least it knows it can protect that data; but once hundreds of those servers and data sets are mixed together, a single bug in a single application could let malware or an attacker move from one tenant to the others. A bug, a configuration error, anything.

Now don’t get me wrong: those who know me will know I’m a huge advocate of cloud computing, but for corporations I don’t think it will take over from traditional computing until something drastic is done.

Need A Real Solution

I’m neither a security expert nor a hacker; I’m a blogger, designer, marketer and internet fiend with first-hand experience of what having your personal information hacked into is like. But as with my thoughts on the Mobile Web and child protection, there surely needs to be mass adoption of an offline security device or mechanism before cloud computing is widely adopted across the board.

Hardware manufacturers, software developers, system designers, CIOs and every other influential individual or company relevant to online security need to work together to create one highly secure means of access to web applications and cloud computing services: a second factor beyond the password. Whether it’s a key of some sort (like the YubiKey) or, frankly, ideally thumbprint scanning on every computer or mobile device made, which, although not without its flaws (a stolen fingerprint template, unlike a password, can never be changed), has far fewer security vulnerabilities than a bloody password.


  • ntas
Yeah, I agree with you. I will never recommend any company to store their docs in the cloud, especially legal and financial ones. I understand young startups wanting to do this, but it’s just too risky.
  • Ross
What are you talking about? Twitter isn’t even using cloud computing; they are using hosting services from Verio.
  • The author is using "cloud computing" in a rather broad sense, which seems to be very common nowadays among those in the media, to include any kind of hosted solution for a service. So because it started with Gmail accounts, he’s saying Twitter was using "cloud computing" because Gmail is a hosted service (as opposed to, say, a company having its own email server in-house).

    The funny thing, though, is that these were personal Gmail accounts that were hacked, not, it would appear, Twitter company email accounts (unless at Twitter these are all one and the same?).

    The hacking of personal email accounts hosted with Yahoo, Gmail, Hotmail etc. is nothing new and shouldn’t be a knock on "cloud computing" in general.
  • Luca F.
I think you are creating a lot of confusion between "cloud computing" (i.e. consumption of computing capacity on demand) and security.

    This seems to be a "security" issue that has no relationship with "cloud computing" as far as I can tell.
  • Sorry, but I’m completely unable to understand the relation between this attack and cloud computing. We have a large number of examples of attacks like this one in the history of computing, even before the Internet was invented.
  • Cloud Computing security is not only about technology, it's also about trust links. Using the bank account analogy I've made a post about the fears of moving to the Cloud:


    http://www.cloudviews.org/2009/01/why-are-we-so...

    I've also this one, where I try to explain my ideas about the the fears and doubts:
    http://www.cloudviews.org/2009/03/can-we-trust-...
  • I think large companies will only end up using cloud computing if they are running the cloud. Options for running your own cloud services (Docs, Spreadsheet, CRM etc.) are limited currently and decision making processes in large organisations can take a year plus.

    Cloud systems could (and should) be more secure than they are now.

    Google docs for example is not using SSL after you login so you could steal someone's session while they are logged in at a conference on wifi.

    Cloud systems should support stronger authentication along the lines of something you know(password) + something you have (like RSA SecurID or the Yubico you mentioned).
  • In the case of Twitter, it was not running in the cloud but as a hosted service. The level of security provided for Twitter and the level of security provided for an enterprise application that is exposed to access outside the firewall have identical issues. Twitter has an SLA with Verio to provide security.
    And while one could argue that Gmail and Google Docs are examples of cloud computing, the hijacking of your email was not enabled because your account and my account were floating on the same server at some point in time. If the hacker had been able to take advantage of some flaw in the specialized Linux that Google uses to jump from your account to gain access to others, then I would agree that the cloud is not safe yet. BUT your examples are more along the lines of "the internet is not safe yet".
  • Thanks for stopping by, John. Unless I’m mistaken, the hacker got access to Twitter employees’ email accounts first and through there managed to access other web services. Regarding your point about "hijacking of your email was not enabled because your account and my account were floating on the same server at some point in time": completely agree, but they were really separate points...
  • I like to use https://www.grc.com/passwords.htm pick one copy & paste to local, copy & paste entry. Simple and FREE!
  • Fingerprints are a bad idea. If we use fingerprints to authenticate identity, digital copies must be stored somewhere, and those could be hacked into as well. At least with passwords, we can change this. However, if you use a fingerprint as a password and your provider gets hacked, your fingerprint data is public FOREVER.
  • Hi Zee

    I enjoy your commentary on tech/web 2.0 etc. In this case, as others have suggested, this isn't really about Cloud computing security. Its primarily about password strength of email based services.

    To your point about enterprise adoption of cloud services: yes there is concern but there is something remarkable going on that hasn't happened to the same degree in the past...a group of major cloud providers and customers have got together to define cloud security standards.

    If anyone is interested, they can find out more here:
    http://cloudsecurity.org/2009/05/11/the-cloud-s...

    Cheers,
    Craig
  • David
    How do you use the traditional Microsoft services, from the OS to Office? Cloud computing is just the opposite of that.
  • As people keep saying, this leak seems to have less to do with the security of "cloud computing" and more to do with personal email security. Personal webmail accounts have been getting hacked for years, sometimes just by figuring out the security questions. People need to learn more about how to keep their webmail accounts secure.

    The other issue here is the topic of security policies and procedures within a company. Should an employee even have had login information for the company in their personal email to begin with?