Many of you will already know, or will wake up to, the news that TechCrunch has obtained a number of private internal documents sent in by a hacker who managed to access Twitter employees' personal accounts some weeks ago.
Evan Williams, Twitter's co-founder, confirmed there had been a targeted attack on Twitter and said the company was aware of the various material that had been posted. I don't particularly want to regurgitate all the news; TechCrunch has it well covered and discusses the various documents it is considering publishing here.
What I do want to discuss is a term that began as marketing spiel but now encompasses a huge range of technology offerings (software-as-a-service (SaaS), on-demand storage and so on): cloud computing, and why we are a long way from being really ready for it.
Interestingly enough (for you guys reading this), I suffered a personal targeted attack two months ago, which saw a hacker access my various email accounts (by breaking into one) and then gain access to my PayPal account and attempt to transfer $5000 to a random email/PayPal account. He/she also gained access to my domain registrar and a number of other personal areas, all obviously online. Regaining control of all of it took around 2-3 days, and when it happened again – within a day – presumably from the same person, it was another week or so before I once again had control. I of course had to do all I could to ensure that *if* it did happen again, I'd have every possible means to regain access. To this day, I'm not certain how the hacker initially broke in, but I do know that, like Twitter, the majority of the damage was done through password retrieval mechanisms.
The two most significant things that perplexed me when it happened were:
- a) How email is by far the most significant hub of personal information for virtually anyone who uses the web, and access to it opens up many more doors to private information.
- b) How limited the account recovery options Google (my email provider) had available to me were. At the time, Google Apps provided two ways to prove your identity: upload a file to the relevant domain's web server, or have a new password emailed to the backup address set in your Google Apps settings. Ridiculous, because there's a good chance the hacker already had access to both…
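The chain described above, from one broken-into mailbox to PayPal and the registrar, is easy to reason about once you write down which account can reset which. The following is an added example, not code from the original post or from any provider: it models a small, constructed set of accounts and their recovery channels (a channel is another account, or an out-of-band factor such as a phone the attacker does not hold), and computes the set of accounts an attacker ends up owning from a given foothold. The account names and channels are made up for illustration; the point it shows is that a backup address which can itself be reset from the primary mailbox adds no security at all, while one extra out-of-band factor on the hub account stops the cascade.

```python
"""Account-recovery blast radius: which accounts fall once one is compromised.

Added example with constructed data. Each account maps to a list of recovery
paths; a path is the set of factors an attacker must ALL hold to reset that
account's password. Any one satisfied path is enough (that is how most
"forgot password" flows work).
"""

# Constructed sample: the situation described in the post, where the primary
# mailbox and its backup address can each reset the other.
RECOVERY = {
    "gmail":        [{"backup-email"}],            # reset link sent to backup address
    "backup-email": [{"gmail"}],                   # ...and vice versa: a cycle
    "paypal":       [{"gmail"}],                   # reset link to primary mailbox
    "registrar":    [{"gmail"}],
    "bank":         [{"gmail", "phone"}],          # needs email AND a code sent by SMS
}

# Same accounts, but resetting the hub mailbox now also requires the phone.
HARDENED = dict(RECOVERY, gmail=[{"backup-email", "phone"}])


def blast_radius(recovery, foothold):
    """Return every account the attacker can take over, starting from `foothold`.

    Iterates to a fixed point: an account is taken as soon as any one of its
    recovery paths is fully covered by what the attacker already holds.
    Factors that are not accounts (e.g. "phone") are only ever held if they
    are in the initial foothold.
    """
    owned = set(foothold)
    changed = True
    while changed:
        changed = False
        for account, paths in recovery.items():
            if account in owned:
                continue
            if any(path <= owned for path in paths):
                owned.add(account)
                changed = True
    return owned


def single_account_resets(recovery):
    """Accounts whose password can be reset with nothing but ONE other account.

    These are the weak links: compromising that one account is sufficient, with
    no out-of-band step in between.
    """
    weak = {}
    for account, paths in recovery.items():
        for path in paths:
            if len(path) == 1 and next(iter(path)) in recovery:
                weak.setdefault(account, set()).update(path)
    return weak


if __name__ == "__main__":
    print("foothold = backup-email, original setup :", sorted(blast_radius(RECOVERY, {"backup-email"})))
    print("foothold = backup-email, hardened setup :", sorted(blast_radius(HARDENED, {"backup-email"})))
    print("foothold = gmail, original setup        :", sorted(blast_radius(RECOVERY, {"gmail"})))
    print("single-account resets (weak links)      :", single_account_resets(RECOVERY))
```

Run it and the original setup loses everything except the bank (which demands a phone the attacker never held) from a foothold on the backup address alone; the hardened setup loses nothing beyond the foothold. The `single_account_resets` output is the list you would actually go and fix.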
Nothing More Secure Than Email
In my opinion, no area online should be more secure than a private email account. It should be easily as secure as online private banking and require as much offline verification as possible to prove identity. Thankfully, Google has recently taken steps (however small) to strengthen its verification mechanisms, and new Gmail users are required to enter a mobile phone number when setting up an account.
Corporate Security and Cloud Computing Uptake
But let's forget individuals for a moment. Twitter's story reveals, above all, that cloud computing is not yet ready to meet corporate IT needs. CEOs and CIOs alike have said openly that they aren't ready for cloud computing yet.
The basic fact is that, quite apart from the various means of access, sharing infrastructure with others is a huge security risk. If a company keeps its data on its own server, it at least knows it can protect that data itself; but once hundreds of tenants' servers and data are mixed together, a single bug in a single application can let malware or an attacker move from one tenant to the others. A bug, a configuration error, anything…
Now don't get me wrong, those who know me will know I'm a huge advocate of cloud computing, but for corporations I don't think it will take over from traditional computing until something drastic is done.
Need A Real Solution
I'm neither a security expert nor a hacker; I'm a blogger, designer, marketer and internet fiend with first-hand experience of what having your personal information hacked is like. But as with my thoughts on the Mobile Web and child protection, there surely needs to be mass adoption of an offline security device or mechanism before cloud computing is widely adopted across the board.
Hardware manufacturers, software developers, system designers, CIOs and every other influential individual or company relevant to online security need to work together to create one highly secure means of access to web applications and cloud computing services. Whether it's a key of some sort (like the YubiKey) or, frankly and ideally, thumbprint scanning built into every computer or mobile device made (which, although not without its flaws, comes with far fewer security vulnerabilities than a bloody password).
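To make concrete what a key like the YubiKey actually buys you over a password, here is an added example (not code from the original post, and not the YubiKey's own OTP format; it uses the OATH HOTP algorithm from RFC 4226, which such tokens commonly implement in one of their modes). The token holds a secret and a counter and emits a fresh six-digit code each time its button is pressed; the server-side verifier below checks a code against a small look-ahead window of counters and then moves its own counter past it, so a code that was phished, shoulder-surfed or found in a document cannot be replayed. The secret is the published RFC 4226 test-vector key, and the window size is an assumption chosen for illustration.

```python
"""Server-side verifier for an OATH HOTP hardware token (RFC 4226).

Added example. The secret below is the RFC 4226 Appendix D test key, so the
codes it produces match the published test vectors (755224, 287082, ...).
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return f"{code:0{digits}d}"


class TokenVerifier:
    """Tracks the server's view of one token's counter.

    `window` (an assumed value of 5) allows for button presses whose codes
    never reached the server; anything at or behind the current counter is
    rejected, which is what defeats replay.
    """

    def __init__(self, secret: bytes, counter: int = 0, window: int = 5):
        self.secret = secret
        self.counter = counter
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            # Constant-time compare so a timing side channel does not leak digits.
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # consume this and every earlier counter
                return True
        return False


# RFC 4226 test-vector secret ("12345678901234567890" as ASCII bytes).
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    token = TokenVerifier(TEST_SECRET)
    for press in range(3):
        print(f"press {press}: token shows {hotp(TEST_SECRET, press)}")
    print("first use of 755224  :", token.verify("755224"))   # True
    print("replay of 755224     :", token.verify("755224"))   # False: counter has moved on
    print("skipped press, 359152:", token.verify("359152"))   # True: within look-ahead window
    print("stale code 287082    :", token.verify("287082"))   # False: behind the counter
```

The property to notice is the last two lines of output: a code that was valid a moment ago is worthless once used or once the counter has passed it, which is exactly what a password (or a reset link sitting in a mailbox) cannot offer. A real deployment would also rate-limit failed attempts and store the counter durably, since a rolled-back counter reopens the replay window.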