Following the exposure of the Sony PlayStation 3 security flaws – and with so much of our data stored online – are we making it too easy for criminals to get hold of our information?
When over 100 million people’s details were garnered illegally from Sony recently, users were up in arms about their prized information being leaked.
But, according to one study, over two thirds of companies are planning to store at least some of their data in “the cloud” – a term used to describe putting data online rather than on a hard-drive.
With more businesses using the cloud, this sort of leak could become a more regular occurrence.
“While the potential of cloud computing is rapidly being revealed, so too are its vulnerabilities,” Brendan O’Connor, the Australian minister for Home Affairs, told the International Association of Privacy Professionals.
THE SONY CRISIS
Graham Cluley, security consultant
“People need to be more careful with their passwords and make sure that they have different passwords for different online accounts.
“People should also consider lying about some of their details. I have given Facebook a phoney date of birth for instance.”
Sony crisis: The expert panel
And, he believes, criminals “can hide data in clouds” if they are clever about it.
“Rogue cloud service providers based in countries with lax cybercrime laws can provide confidential hosting and data storage services,” he said.
“[This] facilitates the storage and distribution of criminal data, avoiding detection by law enforcement agencies.”
An easy parallel to draw is with the way Swiss bank accounts were rumoured to operate in the past.
While bank customers were offered the utmost of discretion with their financial transactions, that same courtesy could now be offered to those wishing to de-encrypt sensitive data.
Stealing secrets
To safeguard information, details are regularly encrypted to a high level, meaning that – until very recently – supercomputers were required to get any details in a useable form.
But now the internet itself is offering criminals the chance to super-charge their processing power to make decryption quicker, cheaper and easier than ever before.
William Beer, director of Price Waterhouse Cooper’s security division, says “even if credit card details are encrypted, there is software that may be able to decrypt it given enough processing power” once it has been stolen from the cloud itself.
PM David Cameron says cyber-crime is a top priority for national security
“Encryption is often seen as a silver bullet. We need to be very careful because there are many different types of encryption. It can introduce an air of complacency into organisations and what we’re starting to see are criminals actually looking to the cloud.
“It can provide massive amounts of processing power and [this] can actually de-encrypt some of the data. The irony of it is that they are using stolen credit cards to buy that processing power from the cloud providers.”
And this type of activity has actually been tested by German security researcher Thomas Roth.
He used a “brute force” technique that could previously only be possible with super-computers to break into encrypted WiFi networks.
The technique allows 400,000 different passwords to the encryption to be tested per second, quite literally knocking at the door until it caves in. No specialist hacking techniques need to be used.
This was done using a cloud computing service costing just a few dollars per hour.
Even if you have supercomputers, if your encryption is strong enough, it would still take years to break those passwords
Mark Bowerman, Financial Fraud Action UK Roth used Amazon’s Elastic Cloud Computing (EC2) system, which allows users to rent increased computing power by the hour or for as long as is needed – thus the name elastic.
Amazon says it continually works to make sure the services aren’t used for illegal activity and takes all claims of misuse of services very seriously and investigates each one.
While Roth was not doing this for illicit means – and could be done with any cloud system – the idea could be used, in principle at least, for the purpose of de-encrypting credit card details.
He is already experimenting with speeds that could allow one million passwords a second to be tried.
Hacking ‘master key’
What many see as most scary about this idea is that because the criminals using the cloud are using false information, they are very difficult to trace.
That said, there are data standards in relation to private information kept by companies which are particularly strict when financial details are held.
“You’ve got to meet the data security standard – it is the absolute minimum requirement,” says Mark Bowerman, a spokesman for Financial Fraud Action UK.
Credit card information is heavily encrypted when held online
“Beyond that, there are reputational issues to consider. If you are hacked and data is stolen, then it will be a serious concern both reputationally and financially as well.”
So what can be done to protect information yourself?
“Unfortunately, people have the habit of reusing their passwords for multiple different services,” says Rik Ferguson, of digital security company Trend Micro.
“Many people will have to consider that these criminals have both their email address and their common password.
“Once you own someone’s email account, that’s really the master key to everything because you can go through the password reset process of [a number of services] and of course, they come back to that email account. It’s the key to your online life.”
But, says Bowerman, if both you and the companies you trust with your data are careful with it, serious breaches are still very unlikely.
“Even if you have supercomputers, the computing power of hundreds of thousands of computers linked together, if your encryption is strong enough, it would still take years and years to break those passwords,” he says.
“It boils down to how good your encryption is.”
