As more of our world, from family photos to financial information, moves into the cloud, malicious hackers are following.
It is easy to see why: Cloud computing systems contain lots of critical information, from sensitive corporate and personal financial data to government secrets and even nude photographs never meant to be shared.
All of it has been targeted by hackers, and in many cases stolen. In 2009, a password-stealing “botnet,” or collection of malevolent software, was found inside Amazon Web Services, perhaps the world’s largest cloud-computing system. More recently, celebrities’ private photos were stolen from Apple’s iCloud storage system.
IBM says its researchers regularly receive taunts from Russian hackers who leave them mocking messages in software aimed at stealing from the 300 banks IBM serves.
Special Section: Security
After a year of record-setting hacking incidents, companies and consumers are finally learning how to defend themselves and are altering how they approach computer security.
“Talk about hand-to-hand combat,” said Marc van Zadelhoff, vice president for strategy at IBM Security Systems. “People are salivating at the chance of stealing money. The darker side of society thinks fast, out of desperation.”
Cloud computing systems are collections of server and mainframe computers, sometimes over one million, made into a single collective via software that disperses data and computing chores among them. Because there is less waste and more flexibility in this sharing, the computing whole is far greater than the sum of its computer parts.
Many clouds are privately owned and controlled, inside corporate and government facilities. The biggest and fastest-growing systems are “public clouds,” from the likes of Amazon, Google, Microsoft and many telecommunications providers.
Both kinds of clouds share information across many points, both inside their own networks and with external devices like smartphones. Much of the older software being moved from regular servers to the cloud were not designed for use there, making the transition particularly vulnerable. In addition, conventional security precautions, such as firewalls that establish a perimeter around a company’s resources, are far less useful in a cloud.
“They are now fundamentally irrelevant,” Mr. van Zadelhoff said. “The notion of a perimeter, where your computing begins and ends, is obliterated in the cloud.”
Hackers may want to be inside clouds for more than just sensitive data, since cloud computing systems are places where supercomputer-quality processing power can be rented. That makes them useful in developing new and strong types of malware.
At the Black Hat security conference last summer, two researchers, Bob Ragan and Oscar Salazar, showed how to build a cloud-based botnet for no money at all, simply by using the free-trial offers of many cloud-based businesses.
That processing power hijacked from others can be deployed for moneymaking schemes besides botnets, like “mining,” or creating, new units of the cybercurrency Bitcoin without paying for machine time.
Just as recent hacks reached critical information through innocuous-seeming things like heating and air-conditioning systems that were networked to other computers, cloud systems may have even more pathways in, and a greater number of potential targets out — basically, any connected devices. Not far away, devices for health monitoring and building control, among other things, will make for even richer targets, says Steven Weber, who recently received a $15 million grant to start a center for long-term cybersecurity at the University of California, Berkeley.
“In a couple of years we’re not just going to be talking about finance and banking,” he said. “We’re going to be talking about control of your heart rate, what you eat, how you live. That’s where all this is going, with all kinds of critical stuff going into an environment with possibly variable security.”
While caution is necessary, not all is doom and gloom. For one thing, the concentration of core computing systems into clouds means that computers are likely to be better managed, security flaws more frequently and thoroughly patched, and devices inspected in a more uniform way. All of those things are improvements over the current state of affairs.
In addition, companies like Amazon, Microsoft and Google have among the world’s best security engineers. For the most part, you would rather have those people looking after your data than the generalist information technology workers in the average company.
“We have a greater concentration of resources, so we can have specialized teams with better tools,” said James Hamilton, a senior executive overseeing the design and construction of Amazon Web Services. In addition, with customers including the Central Intelligence Agency, the company gets a lot of feedback, and pressure to keep improving itself.
Despite the larger scale and new targets in the cloud, most of the methods used in hacking are not changing much. In the case of the celebrity photos, Apple said its investigation revealed that “accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.” Elsewhere, even though new malware has more sophistication, it still frequently takes over a computer by affecting the way the system’s memory functions.
But aspects of the cloud, and greater computing intelligence in general, can be used to combat these threats in new ways. In particular, data can be easily encrypted even when at rest deep within the system, so a hacker will most often lack the ability to read what is captured. Intelligent “agents” and pattern-scanning software can be deployed within the cloud to monitor system behavior of virtually every packet, and catch much unorthodox behavior before it happens.
In the last few years companies have offered new security approaches. One company, Skyhigh Networks, tries to track all the unregistered applications that come into a corporate cloud via an employee’s smartphone, then close off applications that do not look as if they have good security. Another, SentinelOne, uses data analysis and agents to predict attacks before they can do damage. And Illumio provides visualizations of interactions between applications and the cloud to create decisions about how to maintain security, then encrypts data as it travels through the cloud.
“The solution is probes and sensors — you melt analytics everywhere,” said Mr. van Zadelhoff of IBM, which besides security analytics is moving older software to the cloud. “Over the past 20 years, there are moments when the bad guys are ahead, and we catch up. They’re ahead now, but we’ll catch up again.”