iCloud breach highlights some hard truths about the consumer cloud

The story of the breach of former Gizmodo staffer Mat Honan’s iCloud account took an interesting turn today with news that the attacker was able to call Apple and convince a customer service employee that he was Honan. While hardly the breach of the century, the situation does highlight a couple of hard truths about cloud security when it comes to consumer applications.

1. You’re giving up control. This is a good mantra to keep in mind when considering whether to use cloud services. The problem isn’t so much about security technology as it is about process, policy and, perhaps, business model. Cloud-storage provider Dropbox, for example, has experienced a couple of high-profile breaches and security issues owing to the company’s seemingly lax policies about how user information is stored and who has access to it. Then, there’s LinkedIn and its questionable password practices.

With iCloud, the problem seems to be the business model: tying hardware devices to cloud software might be a recipe for disaster. If someone steals Google or Twitter account information, the damage is largely limited to those services and whatever is accessible from them. When someone gets access to iCloud, it’s lights out on your phone, tablet and laptop, too, because the account can remotely lock or wipe every device tied to it. At least temporarily, you’re giving control over your physical property — not just your digital life — to a hacker.

It’s just the risk you take, or the price you pay, for putting control over your data in someone else’s hands. Even if the data is encrypted, that doesn’t make it any less gone if someone deletes it or steals it.

2. People are the real problem. And regardless of how good the security technology and processes are, there’s often little that can be done about the people who ultimately control everything. Honan was the victim of social engineering, a process by which a hacker tries to con his way into a user’s account by pretending to be that person. A convincing lie or a gullible customer service agent could bypass years of investment in preventing brute-force attacks and other methods of gaining account access digitally.

And social engineering appears to be becoming more prominent. When I spoke with former hotshot hacker Kevin Mitnick to talk about how he keeps his web site secure, he noted that people are always calling his cloud provider trying to get access by pretending to be Mitnick. Sure, it’s rarely successful (this story from a Computerworld writer about not being able to access his own iCloud account shows how locked-down even Apple can be), but like most things, it’s a numbers game.

Of course, in some cases, data breaches don’t even require a false identity. Sometimes, all it takes is a malicious insider with access to sensitive data (e.g., U.S. Army Private Bradley Manning turning over documents to Wikileaks). In this case, users have to rely on their cloud providers’ HR practices, too.

No turning back now

But at this point, no one is going to turn their back on cloud or web services; they probably couldn’t if they wanted to. Still, although there are exceptions, there’s precious little that most consumers can or — in the name of convenience — will do to secure their information if someone really wants to get at it.

Which brings us to the third harsh truth of the consumer cloud: If we want to be part of it, we just have to keep on trusting our providers to keep us safe. In many cases, they’re trying very hard to do that — but stuff does happen and oversights do occur. When they do, there will always be plenty of people saying, “I told you so.”

GigaOM