![Are there criminals hiding in the cloud?
By Alex Hudson
BBC Click
Task 1: Following the exposure of the Sony
Is this the PlayStation 3 security flaws - and with
underlined so much of our data stored online - are
Text we making it too easy for criminals to
get hold of our information?
When over 100 million people's details were
garnered illegally from Sony recently, users
were up in arms about their prized Sony's shares have fallen significantly
information being leaked. in the aftermath of the security breach
Task 2:
But, according to one study, over two thirds of companies are planning to
store at least some of their data in "the cloud" - a term used to describe
putting data online rather than on a hard-drive. The Red coloured text
With more businesses using the cloud, this sort of leak could become a more
regular occurrence.
"While the potential of cloud computing is rapidly being revealed, so too are
its vulnerabilities," Brendan O'Connor, the Australian minister for Home
Affairs, told the International Association of Privacy Professionals.
And, he believes, criminals "can hide data THE SONY CRISIS
in clouds" if they are clever about it. Graham Cluley, security
"Rogue cloud service providers based in consultant
countries with lax cybercrime laws can
provide confidential hosting and data
storage services," he said.
"People need to be more careful with
"[This] facilitates the storage and their passwords and make sure that
distribution of criminal data, avoiding they have different passwords for
detection by law enforcement agencies." different online accounts.
An easy parallel to draw is with the way
Swiss bank accounts were rumoured to
"People should also consider lying
operate in the past.
about some of their details. I have
While bank customers were offered the
given Facebook a phoney date of birth
utmost of discretion with their financial for instance."
transactions, that same courtesy could now Sony crisis: The expert panel
be offered to those wishing to de-encrypt
sensitive data.
Stealing secrets
To safeguard information, details are regularly encrypted to a high level,
Ricardo Norbert Page 1](https://image.slidesharecdn.com/task3-120131035209-phpapp01/85/Assignment-1-1-320.jpg)
![meaning that - until very recently - supercomputers were required to get any
details in a useable form.
But now the internet itself is offering criminals the chance to super-charge
their processing power to make decryption quicker, cheaper and easier than
ever before.
William Beer, director of Price Waterhouse Cooper's security division, says
"even if credit card details are encrypted, there is software that may be able
to decrypt it given enough processing power" once it has been stolen from the
cloud itself.
"Encryption is often seen as a silver bullet.
We need to be very careful because there
are many different types of encryption. It
can introduce an air of complacency into
organisations and what we're starting to see
are criminals actually looking to the cloud.
"It can provide massive amounts of
processing power and [this] can actually de- PM David Cameron says cyber-crime is
encrypt some of the data. The irony of it is a top priority for national security
that they are using stolen credit cards to buy that processing power from the
cloud providers."
And this type of activity has actually been tested by German security
researcher Thomas Roth.
He used a "brute force" technique that could previously only be possible with
super-computers to break into encrypted WiFi networks.
The technique allows 400,000 different passwords to the encryption to be
tested per second, quite literally knocking at the door until it caves in. No
specialist hacking techniques need to be used.
This was done using a cloud computing service costing just a few dollars per
hour.
Roth used Amazon's Elastic Cloud Even if you have
Computing (EC2) system, which allows supercomputers, if your
users to rent increased computing power by encryption is strong enough, it
the hour or for as long as is needed - thus would still take years to break
those passwords
the name elastic.
Amazon says it continually works to make
sure the services aren't used for illegal Mark Bowerman, Financial Fraud
Action UK
activity and takes all claims of misuse of
services very seriously and investigates each one.
While Roth was not doing this for illicit means - and could be done with any
cloud system - the idea could be used, in principle at least, for the purpose of
de-encrypting credit card details.
Ricardo Norbert Page 2](https://image.slidesharecdn.com/task3-120131035209-phpapp01/85/Assignment-1-2-320.jpg)
![He is already experimenting with speeds that could allow one million
passwords a second to be tried.
Hacking 'master key'
What many see as most scary about this idea is that because the criminals
using the cloud are using false information, they are very difficult to trace.
That said, there are data standards in relation to private information kept by
companies which are particularly strict when financial details are held.
"You've got to meet the data security standard - it is the absolute minimum
requirement," says Mark Bowerman, a spokesman for Financial Fraud Action
UK.
"Beyond that, there are reputational issues
to consider. If you are hacked and data is
stolen, then it will be a serious concern both
reputationally and financially as well."
So what can be done to protect information
yourself?
"Unfortunately, people have the habit of
reusing their passwords for multiple Credit card information is heavily
different services," says Rik Ferguson, of encrypted when held online
digital security company Trend Micro.
"Many people will have to consider that these criminals have both their email
address and their common password.
"Once you own someone's email account, that's really the master key to
everything because you can go through the password reset process of [a
number of services] and of course, they come back to that email account. It's
the key to your online life."
But, says Bowerman, if both you and the companies you trust with your data
are careful with it, serious breaches are still very unlikely.
"Even if you have supercomputers, the computing power of hundreds of
thousands of computers linked together, if your encryption is strong enough, it
would still take years and years to break those passwords," he says.
"It boils down to how good your encryption is."
Ricardo Norbert Page 3](https://image.slidesharecdn.com/task3-120131035209-phpapp01/85/Assignment-1-3-320.jpg)
Assignment 1
- 1. Are there criminals hiding in the cloud? By Alex Hudson BBC Click Task 1: Following the exposure of the Sony Is this the PlayStation 3 security flaws - and with underlined so much of our data stored online - are Text we making it too easy for criminals to get hold of our information? When over 100 million people's details were garnered illegally from Sony recently, users were up in arms about their prized Sony's shares have fallen significantly information being leaked. in the aftermath of the security breach Task 2: But, according to one study, over two thirds of companies are planning to store at least some of their data in "the cloud" - a term used to describe putting data online rather than on a hard-drive. The Red coloured text With more businesses using the cloud, this sort of leak could become a more regular occurrence. "While the potential of cloud computing is rapidly being revealed, so too are its vulnerabilities," Brendan O'Connor, the Australian minister for Home Affairs, told the International Association of Privacy Professionals. And, he believes, criminals "can hide data THE SONY CRISIS in clouds" if they are clever about it. Graham Cluley, security "Rogue cloud service providers based in consultant countries with lax cybercrime laws can provide confidential hosting and data storage services," he said. "People need to be more careful with "[This] facilitates the storage and their passwords and make sure that distribution of criminal data, avoiding they have different passwords for detection by law enforcement agencies." different online accounts. An easy parallel to draw is with the way Swiss bank accounts were rumoured to "People should also consider lying operate in the past. about some of their details. I have While bank customers were offered the given Facebook a phoney date of birth utmost of discretion with their financial for instance." transactions, that same courtesy could now Sony crisis: The expert panel be offered to those wishing to de-encrypt sensitive data. Stealing secrets To safeguard information, details are regularly encrypted to a high level, Ricardo Norbert Page 1
- 2. meaning that - until very recently - supercomputers were required to get any details in a useable form. But now the internet itself is offering criminals the chance to super-charge their processing power to make decryption quicker, cheaper and easier than ever before. William Beer, director of Price Waterhouse Cooper's security division, says "even if credit card details are encrypted, there is software that may be able to decrypt it given enough processing power" once it has been stolen from the cloud itself. "Encryption is often seen as a silver bullet. We need to be very careful because there are many different types of encryption. It can introduce an air of complacency into organisations and what we're starting to see are criminals actually looking to the cloud. "It can provide massive amounts of processing power and [this] can actually de- PM David Cameron says cyber-crime is encrypt some of the data. The irony of it is a top priority for national security that they are using stolen credit cards to buy that processing power from the cloud providers." And this type of activity has actually been tested by German security researcher Thomas Roth. He used a "brute force" technique that could previously only be possible with super-computers to break into encrypted WiFi networks. The technique allows 400,000 different passwords to the encryption to be tested per second, quite literally knocking at the door until it caves in. No specialist hacking techniques need to be used. This was done using a cloud computing service costing just a few dollars per hour. Roth used Amazon's Elastic Cloud Even if you have Computing (EC2) system, which allows supercomputers, if your users to rent increased computing power by encryption is strong enough, it the hour or for as long as is needed - thus would still take years to break those passwords the name elastic. Amazon says it continually works to make sure the services aren't used for illegal Mark Bowerman, Financial Fraud Action UK activity and takes all claims of misuse of services very seriously and investigates each one. While Roth was not doing this for illicit means - and could be done with any cloud system - the idea could be used, in principle at least, for the purpose of de-encrypting credit card details. Ricardo Norbert Page 2
- 3. He is already experimenting with speeds that could allow one million passwords a second to be tried. Hacking 'master key' What many see as most scary about this idea is that because the criminals using the cloud are using false information, they are very difficult to trace. That said, there are data standards in relation to private information kept by companies which are particularly strict when financial details are held. "You've got to meet the data security standard - it is the absolute minimum requirement," says Mark Bowerman, a spokesman for Financial Fraud Action UK. "Beyond that, there are reputational issues to consider. If you are hacked and data is stolen, then it will be a serious concern both reputationally and financially as well." So what can be done to protect information yourself? "Unfortunately, people have the habit of reusing their passwords for multiple Credit card information is heavily different services," says Rik Ferguson, of encrypted when held online digital security company Trend Micro. "Many people will have to consider that these criminals have both their email address and their common password. "Once you own someone's email account, that's really the master key to everything because you can go through the password reset process of [a number of services] and of course, they come back to that email account. It's the key to your online life." But, says Bowerman, if both you and the companies you trust with your data are careful with it, serious breaches are still very unlikely. "Even if you have supercomputers, the computing power of hundreds of thousands of computers linked together, if your encryption is strong enough, it would still take years and years to break those passwords," he says. "It boils down to how good your encryption is." Ricardo Norbert Page 3
- 4. Task 2: Names of People Mentioned and their Job Roles. Bredan O’Conner, Australian Minister for Home Affairs Graham Cluley, Security Consultant Thomas Roth, German Security Researcher Mark Bowerman, Spokesman for Financial Fraud Action UK , Digital Security Names of Organisations Mentioned Sony Playstation Task 3: Graham Cluley People that are against Fraud Mark Bowerman Bredan O’Conner Rik Ferguson Thomas Roth Sony PlayStation Summary: The spider diagram shows us that the people involved in this article are agreed that fraud and believe it should be stopped Ricardo Norbert Page 4