There's been a lot of discussion about cloud security, and the conclusion has generally been that we'd see a major exploitation of cloud vulnerabilities sooner rather than later.
It may have already happened.
Last month, Atlanta-based Global Payments Inc., one of the world's largest processors of Mastercard and Visa payments, discovered that up to one and a half million credit card numbers may have been exported by hackers who had access to its network. The information taken was considered sufficient to make fraudulent purchases or clone credit cards. It had initially been thought that as many as 10 million accounts might have been affected.
Major enough? Perhaps we're inured to news of this kind after living through the wave of assaults on Sony's networks last year, the Zappos hit in January, and sundry attacks on banks and financial institutions. The significance of the Global Payments exploit may lie, not in its scale, but in the possibility that it's an example of our worst cloud nightmares coming true.
A possibility is all it is, because Global Payments, while keen to emphasize the limited nature of the damage done, has been less than forthcoming about the circumstances surrounding the breach. Analysts like Gartner's Avivah Litan and security expert Brian Krebs have been trying to piece the story together.
As Krebs observes, Global Payments moved its hosting to Amazon's EC2 cloud in February this year. Krebs also reports an anonymous source claiming that Global Payments was breached well in advance of the reported date, possibly as early as January 2011. He also points out that it's by no means clear that early rumors of a 10 million card breach refer to the Global Payments exploit or a different, as-yet-undisclosed incident.
Litan, meanwhile, had also been hearing about an intrusion affecting a payment aggregator for a New York taxicab or parking garage business. Breaking the relatively unsophisticated knowledge-based authentication gave access to this business's admin account. The weakness of the cloud's infrastructure then gave the hackers a window into Global Payments.
As is evident, cloud security can be compromised by "weakest link" participants -- in this case, quite possibly a participant with easily forced password security.
Said Litan:
I'm thinking, "Who uses knowledge-based authentication?" Probably these not-so-sophisticated, and even the sophisticated, cloud providers. Cloud providers don't like to distribute tokens or do anything too difficult. Then that's why the [Global Payments] CEO wasn't lying by saying none of their merchant systems were compromised, because it was the cloud security provider's system that was compromised. That's my theory, at least.
Right now, a theory is all it is. But it leaves questions that urgently need to be answered, not just by Global Payments, but by the cloud vendor. Litan raises the suspicion that the possibility of hackers migrating from one client to another within the cloud was the key vulnerability in this case. That seems to be a question that Amazon, rather than Global Payments, needs to address.
Not even a little bit true. For example, to access any information in my data center you must use two-factor authentication via token along with login credentials. Cloud providers don't have this implemented...
Following the links, you'd see that the theory is not armchair speculation, but is based on information from sources who do not wish to be identified. The journalists speaking with these sources, however -- Brian Krebs and Avivah Litan -- have high credibility. Litan is a VP of Gartner, a former director of financial systems at the World Bank, and a former Washington Times reporter. Krebs, with 14 years at the Washington Post behind him, is probably the most distinguished independent investigative journalist working in the cybersecurity space.
No, we don't know the whole story, but these are not journalists who point the finger "without any evidence."
My purpose was to underline the fact that, whereas your own weak links may expose vulnerabilities in your own networks, the weak links of other clients can leave you exposed in the cloud. This has been pointed out as a theoretical matter by NIST; we've been waiting to see it shown in practice.
In reading your article all I can determine is that you have almost no information about the breach and that you apparently want to get the finger pointed at the Cloud without any evidence.
The weakest link, end users and passwords, exists in all applications, and if the application has a user interface it doesn't matter where the back end is (EC2, Azure or your own data center): social engineering and bad passwords will always be able to get you.
Kim, thanks for presenting the theories behind the recent breach. If this indeed was a cloud security issue, it may set back some enterprise plans for adopting cloud services for huge, mission-critical systems. Then again, we can't forget that in-house systems haven't really fared better. Recall TJ Maxx.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.