Researchers advise cyber self defense in the cloud

Web services and access from anywhere, any time make the cloud a risky place.

Security researchers are warning that Web-based applications are increasing the risk of identity theft or losing personal data more than ever before.

The best defense against data theft, malware and viruses in the cloud is self defense, researchers at the Hack In The Box (HITB) security conference said. But getting people to change how they use the Internet, such as what personal data they make public, won't be easy.

People put a lot of personal information on the Web, and that can be used for an attacker's financial gain. From social-networking sites such as MySpace and Facebook to the mini-blogging service Twitter and other blog sites like Wordpress, people are putting photos, resumes, personal diaries and other information in the cloud. Some people don't even bother to read the fine print in agreements that allow them onto a site, even though some agreements clearly state that anything posted becomes the property of the site itself.

The loss of personal data by Sidekick smartphone users over the weekend, including contacts, calendar entries, photographs and other personal information, serves as another example of the potential pitfalls of trusting the Cloud. Danger, the Microsoft subsidiary that stores Sidekick data, said a service disruption almost certainly means user data has been lost for good.

Access to personal data on the cloud from just about anywhere on a variety of devices, from smartphones and laptops to home PCs, shows another major vulnerability because other people may be able to find that data, too.

"As an attacker, you should be licking your lips," said Haroon Meer, a researcher at Sensepost, a South African security company that has focused on Web applications for the past six years. "If all data is accessible from anywhere, then the perimeter disappears. It makes hacking like hacking in the movies."

A person who wants to steal personal information is usually looking for financial gain, Meer said, and every bit of data they can find leads them one step closer to your online bank, credit card or brokerage accounts.

First, they might find your name. Next, they discover your job and a small profile of you online that offers further background information such as what school you graduated from and where you were born. They keep digging until they have a detailed account of you, complete with your date of birth and mother's maiden name for those pesky security questions, and perhaps some family photos for good measure. With enough data they could make false identification cards and take out loans under your name.

Identity theft could also be an inside job. Employees at big companies that host e-mail services have physical access to e-mail accounts. "How do you know nobody's reading it? Do you keep confirmation e-mails and passwords there? You shouldn't," said Meer. "In the cloud, people are trusting their information to systems they have no control over."

Browser makers can play a role in making the cloud safer for people, but their effectiveness is limited by user habits. A browser, for example, may scan a download for viruses, but it still gives the user the choice of whether or not to download. Most security functions on a browser are a choice.

Lucas Adamski, security underlord (that's really what his business card says) at Mozilla, maker of the popular Firefox browser, offered several bits of cyber self defense advice for users, starting with the admonition that people rely on firewalls and anti-virus programs too much.

"You can't buy security in a box," he said. "The way to be as secure as possible is about user behavior."

There is a lot of good built-in security already installed in browsers, he said. If you get a warning not to go to a site, don't go to it. When you do visit a site, make sure it's the right one. Are the images and logos right? Is the URL correct? Check before you proceed with filling in your username and password, he counseled.

Join the CSO newsletter!

Error: Please check your email address.

Tags securitycloud computingweb-based apps

More about Adobe SystemsAdobe SystemsAmazon.comAmazon Web ServicesFacebookGoogleMicrosoftMozilla

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Dan Nystedt

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts