The last decade has seen the growth of cloud computing. Software and services delivered via the internet ‘the cloud’ has become the default and we now consume and post data to cloud services in some form or another every time we switch on our devices. The proliferation of mobile apps has certainly contributed to the data growth that enriches these services and in-turn provides an experience that would have otherwise not been possible 10 or so years ago. Mark my words, the next decade is not about cloud computing as such, the next 10 years is about who has the most data stored in the digital warehouse, or in other words; who has the biggest dataset and what it is worth to someone else. The industry now refers to this evolution as “Big Data”.
Before deciding to write this article, I had drafted a piece on the recent Heartbleed vulnerability and the concerns that I have after this issue became public knowledge. Although after seeing nearly all ends of the tech and mainstream media covering this issue I decided to write on a broader topic.
“Hacks” or attacks on cloud services and or internet assets of corporations world-wide is now a daily news story. I am not talking about small organisations disclosing these events, this is happening to the cloud pioneers and trusted services that the every day customers or those naïve power-users take for granted and use with complete confidence in the security of their data. Recently; Ebay Inc. identified such a breach in their corporate network which saw hackers steal the entire database of customer data, this included full names, billing and shipping addresses, encrypted passwords, birth dates and telephone numbers, if you missed this story you can review the official response from Ebay.
Most would rightly think that out of the stolen Ebay data, the hackers were after passwords. Encrypted yes, although eventually crack-able given the correct amount of cloud power (servers) and maybe some stolen encryption keys if they were lucky. If you thought this, think again! The passwords might be useful, and yes the hackers might choose to hold a copy of the stolen data to do the hard work of unveiling these passwords, but in reality most criminals are lazy and rather not commit that much effort before reaching pay-day.
Big datasets or ‘big data’ is fast becoming the next most valuable trading commodity of the digital age, much like gold is used to derive the dollar value in global markets, data will soon be so valuable that we might see it being used in similar exchanges. Unfortunately once this paradigm becomes more real and more valuable, crime syndicates will exploit these opportunities to either steal the data for resale or otherwise use the data to carry out more traditional crimes to further gain financially or perform other crimes under stolen identities.
If you haven’t worked out what these criminals are really after, I can explain in a bit more detail. The data that a hacker steals will most likely contain enough information to build a small profile on a victim. This data or identity then becomes tradeable. Hackers will steal data and then use it to either data mine more information about you creating a dataset worth something to someone else or sell that stolen data as-is. The hacker will then look for a buyer to sell this dataset too, crime syndicates who normally become the buyers of such datasets will unfortunately perform such attacks as trying to impersonate you buy calling your financial institution or communicate with you using email or other means such as SMS text to phish additional login details to cloud services where possible.
This might all be starting to sounding scary and trust me, for a victim this can be! The idea that all this is possible, happens because of the data stored in services we use everyday. We as end-users entrust that service providers and organisations store and maintain our data with the best practices possible to make sure our security is protected, although in reality sometimes breaches and mistakes do occur and will occur under current models and practices.
Another example was only very recently, in the last day or so I saw some reports of Apple’s Find My Phone service being used to hold users ransom by triggering the remote lock function from the iCloud service. Apple could have been “hacked” as some might have already reported, although at the time of writing this article I am not aware of such news being officially disclosed yet; the conclusion I would come too is more likely around the end users being caught up in a phishing scam whereby they have unwilling provided the criminals with iCloud credentials sometime before the attacks occurred. Also in the last week, reports were posted of AVG’s user forum having its database also stolen or hacked, again providing criminals with another dataset to mine and analyse.
Other examples of how data theft can occur, are through malware or un-wanted software on a device, phishing scams and/or via marketing/survey participation by fraudsters.
After reading all this, you might become paranoid and simply conclude that it would be easier not use technology full stop, I would suggest that this idea would be impractical. I think that a good understanding of the types of criminal activities that exist and better transparency from cloud operators of what data is stored, shared and collected is what we need moving forward. Data growth is enhancing the software and services we use. Intelligent big datasets can and will enable future research and solve problems that we do no have answers too now. I would hope that we can continue to write good software and enable better ways to warehouse this data without the risks of it being stolen into the future. In reality, one could only hope that Big Data will solve the problems and challenges we face today.
To finish off this article I might leave you with some ideas on what I feel needs to change so that we can accommodate this new era of big data. I am confident these ideas and issues will be addressed and solutions will be found in due course. Some of these have already begun to be addressed which is promising.
- Transparency and disclose of data storage, sharing and collection must be required by all cloud providers. Users need to be given the facts about how and what is being stored. Privacy statements do currently provide some transparency although the clarity on the usage/sharing and storage of unidentifiable data is not always clear.
- Data relationships need to be secured. Web services use SSL to string data together although more is needed.
- The way we do encryption today needs to be reviewed and redesigned. Yes encryption works today although with a few implementation mistakes or buggy software the encryption could potentially become ineffective.
- All current Internet protocols reviewed and redesigned where possible with a security first communication second approach. The introduction of IPv6 enables this to become possible.
These ideas are not providing answers, and although some of the answers might seem obvious to some, we can’t approach the issues with simple solutions as this will just restrict and hamper the free nature and growth of the internet. The internet would not be as useful or accessible as it currently is today if some of the limits and restrictions on security and protocol architecture were in place from the beginning, for this we should be grateful.