Should The Cloud Be To Blame Or The App Invasion?

The App Invasion

Recent days have seen an avalanche of private images belonging to celebrities released onto various internet chat boards. The photos purport to show stars such as Jennifer Lawrence, Kate Upton and Victoria Justice in either nude or other compromising positions.

While sites such as Reddit, Imgur, and 4Chan have been working hard to remove the images, the damage has already been done. A lot of the blame has been laid at the door of cloud computing, with users flooding forums to express their disgust at how insecure online storage sites appeared to be, whilst also claiming they would no longer be using services such as iCloud, Google Drive, OneDrive or DropBox.

A look at Reddit’s pages reveals the scale of user dissatisfaction – but also some interesting and reasoned responses from more knowledgeable commentators. What’s the truth behind all the misunderstanding and misinformation? Is the cloud to blame or are apps and users at fault? Is the cloud more or less secure than keeping photos and other data on your own local hard drive?

The situation is complex. A recent report by the University of New Haven’s Cyber Forensics Research and Education Group says that security flaws, breaches of privacy and additional vulnerabilities in apps as diverse as instant chat services, online dating sites and social media facilities are now putting nearly one billion subscribers at risk of problems. The report has now been released as a series of videos.

Ibrahim Baggili, a Professor of Computer Science at UNH’s Tagliatela College of Engineering says “Anyone who has used or continues to use the tested applications are at risk of confidential breaches involving a variety of data, including their passwords in some instances”. It’s a comment that suggests that the droves of people criticising Apple, SnapChat and Facebook are not being subjective and that poorly designed apps are more responsible for the problems than the cloud. He adds “Although all of the data transmitted through these apps is supposed to go securely from just one person to another, we have found that private communications can be viewed by others because the data is not being encrypted and the original user has no clue”, again putting the emphasis on poor app design.

For their part, Apple said on Tuesday that hackers obtained the nude celebrity photos by stealing images from individual accounts rather than through a wide-ranging attack on the company’s iCloud and Find my iPhone services, adding that it had only released these results after conducting 40 hours of investigation. The company has said they will cooperate fully with a newly-launched FBI investigation into the leak, though urged all users to adopt stronger passwords and enable a two-step authentication feature to prevent data thefts.

The fact they have switched the onus back onto users is telling. They clearly believe that their servers are as secure as they could realistically expect to be and they cannot be held responsible for users mismanaging the technology they are provided with, failing to understand how or when their devices share data, or leaving their accounts vulnerable by having weak passwords or using unsecured networks to access accounts.

They undoubtedly have a point – users who are complaining that the cloud is wholly and solely responsible are missing the point. Data saved on a local machine or USB drive is just as unsafe if its owner is irresponsible. Viruses and malware can monitor your keystrokes, steal your personal data, obtain your passwords and pose as legitimate websites, while USB drives can be lost, stolen or corrupted without the owner realising until it is far too late. Ultimately any computer, phone or tablet that accesses the internet is at risk – and the large online storage providers do a much better job of encrypting and securing data than an average home user.

What the future holds for online storage services.

So, does the cloud have a case to answer? Apple’s iCloud service (seemingly the main source of the stolen images) secures data by encrypting it when it is sent over the internet, storing it in an encrypted format on their own servers and using secure tokens for authentication. It means that data is theoretically protected from unauthorised access both while it is being transmitted between devices and while it is stored. Additionally, iCloud – along with most online storage services – uses a minimum of 128-bit AES encryption, the same level of security employed by major financial institutions.

Nonetheless, there are still flaws in the system. Questions such as your mother’s maiden name are often used by companies to improve online security, yet the recent theft shows the ease with which those questions can be hacked. “Personal questions as a password recovery mechanism is flawed”, Chris Morales, Manager of security-testing and analysis firm NSS Labs said. “[If you have to use them] don’t provide the obvious expected answers to questions like mother’s maiden name, pet’s name, or where you were born. If you have a user’s e-mail and know a bit of personal history on that person, it isn’t that hard to get the password”.

As people post increasingly sensitive information to social networks, it has become easier for criminals to obtain the answers to security questions. That means consumers can rarely rely on just one set of defences and have to add more layers, even if it makes online accounts less convenient. It’s especially true for famous people because security questions protecting their online accounts from intruders are often trivial to answer solely based on the publicly available information about them. It doesn’t amount to much of a security barrier.

The conclusion is that the cloud isn’t really to blame, but cloud providers are arguably as culpable as any other security system when they make it too easy to hack and instigate a password reset.

Despite all the encryption security put in place by Apple, online accounts often have unrecognised and unnoticed vulnerabilities. Apple are now facing accusations that they have given people a false sense of security. Technology magazine Wired first reported that software from a Russian firm, ElcomSoft, was being mentioned on a hackers’ discussion group as a useful tool for infiltrating iCloud accounts, with the software being marketed to police and law enforcement groups as a way to access backups of iCloud content with an iPad or iPhone. It has called into question the security of the much-vaunted ‘two-step verification system’ because it can be easily bypassed using any software that allows access to iCloud backups. Indeed, Apple’s own website says the two-step process only protects the ‘My Apple ID’ page, ‘App Store, iTunes or iBooks Store purchases’ and ‘Apple ID Support’. It makes no mention of any protection for photos, contacts or calendar entries, which are all backed up to iCloud – yet in response to the hack on Tuesday, Apple suggested its customers “always use a strong password and enable two-step verification”.

So the truth is somewhere in the middle, and everyone must take a share of the blame. Apple, users, security software designers and device manufacturers all need to improve in order to make the cloud as risk free as possible. Ultimately, the cloud offers too many benefits to both home users and businesses for it to be discarded, and even if usage sees a momentary dip, it will still rebound and grow to levels far in excess of what we see today. The cloud is here to stay, and a naked celebrity won’t change anything.

By Daniel Price
