September 8, 2014

Foggy Perceptions of the Cloud


The past few days have been a bonanza for online privacy geeks following a breach of iCloud data that included compromising photos of a number of A-list celebrities, among them Jennifer Lawrence, Kate Upton and others.


I’ll assume you haven’t been living under a rock, and won’t waste your time with the details. If you’ve just come back from an off-the-grid vacation, you can get the gist here.

The underlying problem here does not arise from whether iCloud (or any other Apple service) was breached, if a vulnerability in “find-my-iphone” was exploited or what tool was used to do the dastardly deed.


The real issue is that most consumers have no idea what data is sitting in the cloud somewhere. And among those who do know, almost nobody can tell you where that data actually lives, who has access to it or how well protected it actually is. I can wager a pretty solid guess as to the level of Jennifer Lawrence and Kate Upton’s cyber-privacy awareness, but I submit that even those who are the most cyber-aware still can’t achieve much separation from the Lawrences or the Uptons in this discussion.

Consider the ever-changing services that the various tech giants (Google, Facebook, Apple, etc.) offer. Consider as well their ever-changing privacy policies and settings. And that fails to account for the never-ending cycle of vulnerability emergence and security updates, the latter of which often relies on unwilling and uninformed consumers, but this is largely beside the point. The point is, you just can’t keep up!

A few years ago, one of my colleagues became the victim of exactly this phenomenon. It was around the time Apple first started enabling iCloud on all iOS devices. My colleague took part in the following exchange with one of his friends via iMessage:

Friend: Where we meeting for drinks tonight?
Colleague: Don’t care. Anywhere that’s close and has at least one hot bartender.

Pretty benign, right? Well, not so much, because that very same day iCloud synchronized all iMessage data across all of his iDevices. I imagine you can see where this is going. At any rate, my colleague’s texts land on his son’s iPad. His son then brings that iPad to his mom. And well, you can just imagine what ensued.

To be clear, Apple has since (sort of) addressed that little glitch. And most tech-savvy parents have gotten wise to shortcomings in the assorted “iSpend” services, establishing separate accounts for the kiddies.

The questions remain: Where is the data? Who has access to it? How is it secured?

Regarding the security of cloud services (particularly consumer cloud services): authentication stinks and can be hacked using simple social engineering or off-the-shelf hacking tools requiring zero technical talent; two-factor authentication is available, but, frankly, it stinks too (primarily because of its inconvenience).

Beyond that, the users have no idea what is theirs and what is not, in part because no one, and I mean no one, reads the end-user-license agreement. And of what is (or should be) theirs, it’s practically impossible, or at the very least difficult, to control or manage.

Now you may say, “That’s the price of Free,” and you would be neither the first nor last.

That may be a fair argument, but we’re living in a world where free is difficult to avoid. Even when something isn’t free, more often than not the same issues persist, because the premium that makes it other-than-free isn’t about security or privacy.

To that end, the fact is that those fancy iPhones, Macs and iPads that are quietly transmitting your data up to the mythical cloud, which you should understand is really just some server in Cupertino, California (or more likely somewhere with lower property value), are far from free.

Consider for a moment the world of online productivity tools. If you’re a small business or an employee at a small business and you’re not using these then you’re spending more than you need to. Thus, a lack of productivity tool use puts you at a competitive disadvantage.

Like everything involving the Internet and computers, these tools create, transmit, store and otherwise traffic in data, but where is the data? This is a big issue if you’re doing business in someplace like, oh, I don’t know, Europe. Is the data being indexed? Who has access to it? Could those indexes be cross-tabbed by, let’s just say, some government somewhere? Or worse, a competitor? This scenario is precisely why it is so stupid to say that those with nothing to hide have nothing to fear, because “those with nothing to hide” simply do not exist. Hidden is not a synonym for criminal.

These are big problems that are only going to get bigger, and the small business allegory above can be adapted to your personal life: where does the data from all those free health applications live? Who gets to see that data? When will it begin to affect the amount of money you pay for healthcare? Consumers and businesses will become more savvy to the issues. If you’re a marketer at Facebook, you’re aware of this already. How are those Facebook Messenger downloads going?

But feigning outrage isn’t the answer. Apple and others are making beaucoup bucks on services that sit squarely on these shortcomings. Okay, Apple, maybe it was an Advanced-Persistent-Threat-class attack on media darlings Jennifer and Kate as you insinuated in your statement. However, what is advanced today will be commonplace by the time you finish reading this article. We’ve all got serious problems and we ought to admit it.

At Kaspersky, we’re acutely aware of these problems. We think about it. And we know that while our bread-and-butter, endpoint security products, may reduce some of the risk, we also know they aren’t the whole answer. We’ve got work to do. Who wants to help us?