As more of people’s lives, from family photos to financial information, moves into the cloud, malicious hackers are following.
It is easy to see why: Cloud computing systems contain lots of critical information, from sensitive corporate and personal financial data to government secrets and even nude photographs never meant to be shared.
All of it has been targeted by hackers, and in many cases stolen. In 2009, a password-stealing “botnet,” or collection of malevolent software, was found inside Amazon Web Services, perhaps the world’s largest cloud-computing system. More recently, celebrities’ private photos were stolen from Apple’s iCloud storage system.
Illustration: Mountain People
IBM said its researchers regularly receive taunts from Russian hackers who leave them mocking messages in software aimed at stealing from the 300 banks IBM serves.
“Talk about hand-to-hand combat,” IBM Security Systems vice president for strategy Marc Van Zadelhoff said. “People are salivating at the chance of stealing money. The darker side of society thinks fast, out of desperation.”
Cloud-computing systems are collections of server and mainframe computers, sometimes more than 1 million, made into a single collective via software that disperses data and computing chores among them. As there is less waste and more flexibility in this sharing, the computing whole is far greater than the sum of its computer parts.
Many clouds are privately owned and controlled, inside corporate and government facilities. The biggest and fastest-growing systems are “public clouds,” from the likes of Amazon, Google, Microsoft and many telecommunications providers.
Both kinds of clouds share information across many points, both inside their own networks and with external devices like smartphones.
Much of the older software being moved from regular servers to the cloud were not designed for use there, making the transition particularly vulnerable. In addition, conventional security precautions, such as firewalls that establish a perimeter around a company’s resources, are far less useful in a cloud.
“They are now fundamentally irrelevant,” Van Zadelhoff said. “The notion of a perimeter, where your computing begins and ends, is obliterated in the cloud.”
Hackers might want to be inside clouds for more than just sensitive data, since cloud-based computing systems are places where supercomputer-quality processing power can be rented. That makes them useful in developing new and strong types of malware.
At the Black Hat security conference last summer, two researchers, Bob Ragan and Oscar Salazar, showed how to build a cloud-based botnet for no money at all, simply by using the free-trial offers of many cloud-based businesses.
That processing power hijacked from others can be deployed for moneymaking schemes besides botnets, like “mining,” or creating, new units of the cybercurrency Bitcoin without paying for machine time.
Just as recent hacks reached critical information through innocuous-seeming things like heating and air-conditioning systems that were networked to other computers, cloud systems might have even more pathways in, and a greater number of potential targets out — basically, any connected devices.
Not far away, devices for health monitoring and building control, among other things, would make for even richer targets, said Steven Weber, who recently received a US$15 million grant to start a center for long-term cybersecurity at the University of California, Berkeley.
“In a couple of years we’re not just going to be talking about finance and banking,” he said. “We’re going to be talking about control of your heart rate, what you eat, how you live. That’s where all this is going, with all kinds of critical stuff going into an environment with possibly variable security.”
While caution is necessary, it is not all doom and gloom. For one thing, the concentration of core computing systems into clouds means that computers are likely to be better managed, security flaws more frequently and thoroughly patched, and devices inspected in a more uniform way. All of those things are improvements over the current state of affairs.
In addition, companies like Amazon, Microsoft and Google have among the world’s best security engineers. For the most part, you would rather have those people looking after your data than the generalist information technology workers in the average company.
“We have a greater concentration of resources, so we can have specialized teams with better tools,” said James Hamilton, a senior executive overseeing the design and construction of Amazon Web Services.
In addition, with customers including the CIA, the company gets a lot of feedback and pressure to keep improving itself.
Despite the larger scale and new targets in the cloud, most of the methods used in hacking are not changing much. In the case of celebrity photos, Apple said its investigation revealed that “accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.”
Elsewhere, even though new malware has become more sophisticated, it still frequently takes over a computer by affecting the way the system’s memory functions.
However, aspects of the cloud, and greater computing intelligence in general, can be used to combat these threats in new ways. In particular, data can be easily encrypted even when at rest deep within the system, so a hacker would usually lack the ability to read what is captured. Intelligent “agents” and pattern-scanning software can be deployed within the cloud to monitor system behavior of virtually every packet, and catch much unorthodox behavior before it happens.
In the last few years, companies have offered new security approaches. One company, Skyhigh Networks, tries to track all the unregistered applications that come into a corporate cloud via an employee’s smartphone, then close off applications that do not look as if they have good security. Another, SentinelOne, uses data analysis and agents to predict attacks before they can do damage. Illumio provides visualizations of interactions between applications and the cloud to create decisions about how to maintain security, then encrypts data as it travels through the cloud.
“The solution is probes and sensors — you melt analytics everywhere,” Van Zadelhoff said. IBM, besides using security analytics is moving older software to the cloud.
“Over the past 20 years, there are moments when the bad guys are ahead, and we catch up. They’re ahead now, but we’ll catch up again,” Van Zadelhoff said.
Recently, China launched another diplomatic offensive against Taiwan, improperly linking its “one China principle” with UN General Assembly Resolution 2758 to constrain Taiwan’s diplomatic space. After Taiwan’s presidential election on Jan. 13, China persuaded Nauru to sever diplomatic ties with Taiwan. Nauru cited Resolution 2758 in its declaration of the diplomatic break. Subsequently, during the WHO Executive Board meeting that month, Beijing rallied countries including Venezuela, Zimbabwe, Belarus, Egypt, Nicaragua, Sri Lanka, Laos, Russia, Syria and Pakistan to reiterate the “one China principle” in their statements, and assert that “Resolution 2758 has settled the status of Taiwan” to hinder Taiwan’s
Singaporean Prime Minister Lee Hsien Loong’s (李顯龍) decision to step down after 19 years and hand power to his deputy, Lawrence Wong (黃循財), on May 15 was expected — though, perhaps, not so soon. Most political analysts had been eyeing an end-of-year handover, to ensure more time for Wong to study and shadow the role, ahead of general elections that must be called by November next year. Wong — who is currently both deputy prime minister and minister of finance — would need a combination of fresh ideas, wisdom and experience as he writes the nation’s next chapter. The world that
The past few months have seen tremendous strides in India’s journey to develop a vibrant semiconductor and electronics ecosystem. The nation’s established prowess in information technology (IT) has earned it much-needed revenue and prestige across the globe. Now, through the convergence of engineering talent, supportive government policies, an expanding market and technologically adaptive entrepreneurship, India is striving to become part of global electronics and semiconductor supply chains. Indian Prime Minister Narendra Modi’s Vision of “Make in India” and “Design in India” has been the guiding force behind the government’s incentive schemes that span skilling, design, fabrication, assembly, testing and packaging, and
Can US dialogue and cooperation with the communist dictatorship in Beijing help avert a Taiwan Strait crisis? Or is US President Joe Biden playing into Chinese President Xi Jinping’s (習近平) hands? With America preoccupied with the wars in Europe and the Middle East, Biden is seeking better relations with Xi’s regime. The goal is to responsibly manage US-China competition and prevent unintended conflict, thereby hoping to create greater space for the two countries to work together in areas where their interests align. The existing wars have already stretched US military resources thin, and the last thing Biden wants is yet another war.