As more of people’s lives, from family photos to financial information, moves into the cloud, malicious hackers are following.
It is easy to see why: Cloud computing systems contain lots of critical information, from sensitive corporate and personal financial data to government secrets and even nude photographs never meant to be shared.
All of it has been targeted by hackers, and in many cases stolen. In 2009, a password-stealing “botnet,” or collection of malevolent software, was found inside Amazon Web Services, perhaps the world’s largest cloud-computing system. More recently, celebrities’ private photos were stolen from Apple’s iCloud storage system.
Illustration: Mountain People
IBM said its researchers regularly receive taunts from Russian hackers who leave them mocking messages in software aimed at stealing from the 300 banks IBM serves.
“Talk about hand-to-hand combat,” IBM Security Systems vice president for strategy Marc Van Zadelhoff said. “People are salivating at the chance of stealing money. The darker side of society thinks fast, out of desperation.”
Cloud-computing systems are collections of server and mainframe computers, sometimes more than 1 million, made into a single collective via software that disperses data and computing chores among them. As there is less waste and more flexibility in this sharing, the computing whole is far greater than the sum of its computer parts.
Many clouds are privately owned and controlled, inside corporate and government facilities. The biggest and fastest-growing systems are “public clouds,” from the likes of Amazon, Google, Microsoft and many telecommunications providers.
Both kinds of clouds share information across many points, both inside their own networks and with external devices like smartphones.
Much of the older software being moved from regular servers to the cloud was not designed for use there, making the transition particularly vulnerable. In addition, conventional security precautions, such as firewalls that establish a perimeter around a company’s resources, are far less useful in a cloud.
“They are now fundamentally irrelevant,” Van Zadelhoff said. “The notion of a perimeter, where your computing begins and ends, is obliterated in the cloud.”
Hackers might want to be inside clouds for more than just sensitive data, since cloud-based computing systems are places where supercomputer-quality processing power can be rented. That makes them useful in developing new and strong types of malware.
At the Black Hat security conference last summer, two researchers, Bob Ragan and Oscar Salazar, showed how to build a cloud-based botnet for no money at all, simply by using the free-trial offers of many cloud-based businesses.
That processing power hijacked from others can be deployed for moneymaking schemes besides botnets, like “mining,” or creating, new units of the cybercurrency Bitcoin without paying for machine time.
Just as recent hacks reached critical information through innocuous-seeming things like heating and air-conditioning systems that were networked to other computers, cloud systems might have even more pathways in, and a greater number of potential targets out — basically, any connected devices.
Not far away, devices for health monitoring and building control, among other things, would make for even richer targets, said Steven Weber, who recently received a US$15 million grant to start a center for long-term cybersecurity at the University of California, Berkeley.
“In a couple of years we’re not just going to be talking about finance and banking,” he said. “We’re going to be talking about control of your heart rate, what you eat, how you live. That’s where all this is going, with all kinds of critical stuff going into an environment with possibly variable security.”
While caution is necessary, it is not all doom and gloom. For one thing, the concentration of core computing systems into clouds means that computers are likely to be better managed, security flaws more frequently and thoroughly patched, and devices inspected in a more uniform way. All of those things are improvements over the current state of affairs.
In addition, companies like Amazon, Microsoft and Google have among the world’s best security engineers. For the most part, you would rather have those people looking after your data than the generalist information technology workers in the average company.
“We have a greater concentration of resources, so we can have specialized teams with better tools,” said James Hamilton, a senior executive overseeing the design and construction of Amazon Web Services.
In addition, with customers including the CIA, the company gets a lot of feedback and pressure to keep improving itself.
Despite the larger scale and new targets in the cloud, most of the methods used in hacking are not changing much. In the case of celebrity photos, Apple said its investigation revealed that “accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.”
Elsewhere, even though new malware has become more sophisticated, it still frequently takes over a computer by affecting the way the system’s memory functions.
However, aspects of the cloud, and greater computing intelligence in general, can be used to combat these threats in new ways. In particular, data can be easily encrypted even when at rest deep within the system, so a hacker would usually lack the ability to read what is captured. Intelligent “agents” and pattern-scanning software can be deployed within the cloud to monitor system behavior of virtually every packet, and catch much unorthodox behavior before it happens.
In the last few years, companies have offered new security approaches. One company, Skyhigh Networks, tries to track all the unregistered applications that come into a corporate cloud via an employee’s smartphone, then close off applications that do not look as if they have good security. Another, SentinelOne, uses data analysis and agents to predict attacks before they can do damage. Illumio provides visualizations of interactions between applications and the cloud to create decisions about how to maintain security, then encrypts data as it travels through the cloud.
“The solution is probes and sensors — you melt analytics everywhere,” Van Zadelhoff said. IBM, besides using security analytics, is moving older software to the cloud.
“Over the past 20 years, there are moments when the bad guys are ahead, and we catch up. They’re ahead now, but we’ll catch up again,” Van Zadelhoff said.