Tales from the Cloud - Part 2: Stolen Passwords, Exposed Data

Wednesday, November 4, 2009 by Pam Casale

From the desk of Warren Axelrod

Oops, again! Seemingly tens of thousands of email passwords belonging to users of Hotmail, Gmail, and others were hijacked and are being used by spammers – see the October 6, 2009 article “Passwords for Google, Yahoo and Hotmail accounts illegally leaked online,” by Nate Lanxon. This is not a good thing, to say the least.

No one appears quite sure – or maybe just not willing to disclose – what actually happened here. Some attribute the loss to phishing, others to keylogging. It sounds to me like a direct attack on the password files, but I really don’t have any evidence to support that. The reason I suspect a more direct attack is that the report verified that affected account names began with the letters A and B. That would appear to suggest that password files had been stolen, since phishing and keylogging would generally yield a more random selection of names. But who knows?

 

More important than the specific attack vector (although that is important for preventing it from happening again) is the issue of relying on the cloud for storing one’s sensitive data, whether you are an individual or a corporation or a government agency. Clearly, data stored in the cloud can be exposed to theft and misuse. In some cases, such as with the PCI DSS (Payment Card Industry Data Security Standard) and various laws and regulations, it is often impossible to comply because of the opacity of the cloud.

 

I attended a presentation at which the information security officer of a major financial firm mentioned that he had discovered that millions of records of sensitive information had been inadvertently stored with a cloud services provider. Upon discovery, they pulled the data back inside the company. However, knowing how virtualized the storage of data is in the cloud, with many copies residing across numbers of machines in many locations, it’s practically impossible to ensure that all copies of every data item have been removed.

 

Data persistence, like that in the cloud, represents a significant risk to regulated companies in particular and represents risk to any entities that choose to store sensitive data in the cloud. The danger is compounded when they don’t know that they are doing so. Organizations do not have control over all their structured and (especially) unstructured data as it is, so the risk of exposure in the cloud is that much greater.

 

What has really happened is that we have taken a bad situation and made it worse. In the “good old days” of relatively simple IT outsourcing, one usually had some idea of what data you were sharing with third parties and you could attempt to make sure that the data were protected and suitably destroyed when no longer needed. Now, it appears, all that is up for grabs in the cloud where virtualization, resiliency and load balancing have taken away any real ability to manage your data.
