After the celebrity photo scandal, can you trust the cloud?

The recent thefts of celebrity photos from their smartphones have left many concerned over whether the cloud is safe.

British actress Emma Watson has been one of the latest celebrities targeted. After her gender equality speech for the United Nations HeForShe campaign, there was a threat by internet trolls to release nude photos of the actress.

Although that threat has since been revealed as a hoax, Academy Award-winning actress Jennifer Lawrence had nude photos stolen from her iPhone and leaked, prompting Apple to launch an investigation into the security of iCloud and Find my iPhone.

After more than 40 hours of investigation, Apple found that none of the cases was the result of a breach of iCloud or Find my iPhone. The company said that certain celebrity accounts were compromised by a targeted attack on usernames, passwords and security questions, a practice that has become common on the internet.

Oliver Crofton, mobile and digital security specialist at SELECT Mobile Network, says: “When there is a high-profile hacking case like the leaked photos on the iCloud, people start to worry about it, but in almost all of those breaches that involve a high-profile celebrity, it revolves around how the device authenticates to the cloud environment.

“They will be looking at weak passwords, weak security questions, easily guessable credentials that are used to log into it, whereas the corporate environment tends to have two-factor identification – you normally use a randomly generated code to access it.

“There is software out that can guess your passwords in minutes on devices used to connect to the cloud. It is important to put anti-virus security on your password.”

Hollywood stars are not the only people who are potentially vulnerable, however – big businessmen can also be targets. “CEOs have celebrity status and they have background which is published on them,” says Crofton. “People know what their mother’s maiden name is and can fill in the answers to the security questions. Using a publicly available cloud is a no-go measure where you have no idea where the server is and what jurisdiction it is in.”

Although there are also benefits for a business to use the cloud, Crofton suggests no sensitive information should be put into the public cloud, and that people should be mindful about where it could end up. There are also many things companies need to be wary about before choosing a provider, he says.

Crofton explains that the cloud can be an attractive option for an IT environment, as updates to the cloud environment are often taken care of by the provider, meaning businesses do not need a team applying software patches every month or running updates on the equipment. It is a cost-effective way of doing business.

“But that also means you are reliant on the cloud provider to be doing those updates on your behalf for all your clients, which is risky,” Crofton says. “There are a number of incidents where people have fallen down in this scenario, or have jumped in too soon using the cloud without thinking it through.”

Crofton recommends using a private cloud, but gives a stark warning: visit the data centre where the data is being held to ensure it has adequate security in place. “You do not want your data to be stuck in some back corner of a data centre, where someone can potentially pop a memory stick in and steal information.”

According to Crofton, this includes looking at the steps the data centre has taken to make sure their equipment is up to date and patched, and the accolades of the cloud provider should also be examined.

Another issue Crofton identifies is people not fully understanding the terms and conditions of the contract of their cloud provider or what they are committing to. He believes that often the biggest threat to the cloud is the people using it themselves.

He says: “An IT director may be sitting down and saying, I need to do this, I’m getting pressure from the board – they are running servers that are six years old, they need to get everything moved. They are not taking the time to go back and say, we need to get legal involved to read the terms and conditions of what we are actually signing up to.”

Cloud security is certainly a concern, especially in the light of celebrity phones being hacked. But if businesses take steps to protect themselves and ensure sensitive information is safe, it represents a real opportunity to boost cost-savings and efficiency.

  • Ulf Mattsson

    I agree that “if businesses take steps to protect themselves and ensure sensitive information is safe, it represents a real opportunity to boost cost-savings and efficiency” and I think that a balanced use of different cloud models can be very attractive since modern cloud security gateways can even help to secure sensitive data before it is sent to any cloud, including public cloud.

    I agree that “You do not want your data to be stuck in some back corner of a data centre, where someone can potentially pop a memory stick in and steal information.” But I think that you should assume that you are breached in any environment, cloud or not cloud and there are so many ways to attack our systems at different points across the entire data flow. I think it is time to secure the sensitive data in the entire data flow with modern approaches.

    Modern cost-effective data protection, like data tokenization, should not only be used for compliance with regulations. Recent studies reported that data tokenization can cut security incidents by 50%.

    Ulf Mattsson, CTO Protegrity