Are there criminals hiding in the cloud?
By Alex Hudson
BBC Click
Task 1: Is this the underlined Text
Task 2: The Red coloured text
Following the exposure of the Sony PlayStation 3 security flaws - and with
so much of our data stored online - are we making it too easy for criminals to
get hold of our information?
When over 100 million people's details were garnered illegally from Sony
recently, users were up in arms about their prized information being leaked.
Image caption: Sony's shares have fallen significantly in the aftermath of the security breach
But, according to one study, over two thirds of companies are planning to
store at least some of their data in "the cloud" - a term used to describe
putting data online rather than on a hard-drive.
With more businesses using the cloud, this sort of leak could become a more
regular occurrence.
"While the potential of cloud computing is rapidly being revealed, so too are
its vulnerabilities," Brendan O'Connor, the Australian minister for Home
Affairs, told the International Association of Privacy Professionals.
And, he believes, criminals "can hide data in clouds" if they are clever
about it.
"Rogue cloud service providers based in countries with lax cybercrime laws can
provide confidential hosting and data storage services," he said.
"[This] facilitates the storage and distribution of criminal data, avoiding
detection by law enforcement agencies."
An easy parallel to draw is with the way Swiss bank accounts were rumoured to
operate in the past.
While bank customers were offered the utmost of discretion with their financial
transactions, that same courtesy could now be offered to those wishing to
de-encrypt sensitive data.
THE SONY CRISIS
Graham Cluley, security consultant
"People need to be more careful with their passwords and make sure that
they have different passwords for different online accounts.
"People should also consider lying about some of their details. I have
given Facebook a phoney date of birth for instance."
Sony crisis: The expert panel
Stealing secrets
To safeguard information, details are regularly encrypted to a high level,
meaning that - until very recently - supercomputers were required to get any
details in a useable form.
Ricardo Norbert Page 1
But now the internet itself is offering criminals the chance to super-charge
their processing power to make decryption quicker, cheaper and easier than
ever before.
William Beer, director of Price Waterhouse Cooper's security division, says
"even if credit card details are encrypted, there is software that may be able
to decrypt it given enough processing power" once it has been stolen from the
cloud itself.
"Encryption is often seen as a silver bullet. We need to be very careful because
there are many different types of encryption. It can introduce an air of
complacency into organisations and what we're starting to see are criminals
actually looking to the cloud.
"It can provide massive amounts of processing power and [this] can actually
de-encrypt some of the data. The irony of it is that they are using stolen
credit cards to buy that processing power from the cloud providers."
Image caption: PM David Cameron says cyber-crime is a top priority for national security
And this type of activity has actually been tested by German security
researcher Thomas Roth.
He used a "brute force" technique that was previously only possible with
super-computers to break into encrypted WiFi networks.
The technique allows 400,000 different passwords to the encryption to be
tested per second, quite literally knocking at the door until it caves in. No
specialist hacking techniques need to be used.
This was done using a cloud computing service costing just a few dollars per
hour.
Roth used Amazon's Elastic Cloud Computing (EC2) system, which allows
users to rent increased computing power by the hour or for as long as is
needed - thus the name elastic.
Amazon says it continually works to make sure the services aren't used for
illegal activity and takes all claims of misuse of services very seriously and
investigates each one.
"Even if you have supercomputers, if your encryption is strong enough, it
would still take years to break those passwords"
Mark Bowerman, Financial Fraud Action UK
While Roth was not doing this for illicit means - and it could be done with any
cloud system - the idea could be used, in principle at least, for the purpose of
de-encrypting credit card details.
He is already experimenting with speeds that could allow one million
passwords a second to be tried.
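The claim that a strong enough secret still takes years to break, worked through at the two guess rates the article quotes. This is an added example, not part of the original article; the alphabets, machine counts and target durations are constructed assumptions.

```python
SECONDS_PER_YEAR = 365 * 24 * 3600

# Per-machine guess rates quoted in the article.
RATE_TESTED = 400_000       # passwords/second Roth demonstrated
RATE_PLANNED = 1_000_000    # passwords/second he was experimenting with

# Constructed password alphabets (assumptions, not from the article).
ALPHABETS = {"digits": 10, "lowercase": 26, "lower+digits": 36,
             "mixed case+digits": 62, "printable ASCII": 95}


def years_to_exhaust(alphabet, length, rate, machines=1):
    """Worst-case years to try every password of exactly `length` symbols.

    Upper bound for uniformly random passwords only: a human-chosen
    password usually falls to a word list long before the keyspace is spent.
    """
    return alphabet ** length / (rate * machines * SECONDS_PER_YEAR)


def min_length(alphabet, rate, machines, target_years):
    """Shortest length whose full keyspace outlasts target_years of guessing."""
    budget = rate * machines * SECONDS_PER_YEAR * target_years
    length = 1
    while alphabet ** length < budget:  # exact integer comparison
        length += 1
    return length


def policy_table(rate, machines, target_years):
    """Minimum random-password length per alphabet for one attacker budget."""
    return {name: min_length(size, rate, machines, target_years)
            for name, size in ALPHABETS.items()}


if __name__ == "__main__":
    # Machine counts and the 100-year target are constructed scenarios.
    for rate in (RATE_TESTED, RATE_PLANNED):
        for machines in (1, 1000):
            print(f"{rate:>9,}/s x {machines:>4} machines:",
                  policy_table(rate, machines, target_years=100))
    days = years_to_exhaust(26, 8, RATE_TESTED) * 365
    print(f"8 random lowercase letters at {RATE_TESTED:,}/s: {days:.1f} days")
```

Each extra character multiplies the work by the alphabet size, so renting a thousand times more machines is offset by adding only two or three random characters.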
Hacking 'master key'
What many see as most scary about this idea is that because the criminals
using the cloud are using false information, they are very difficult to trace.
That said, there are data standards in relation to private information kept by
companies which are particularly strict when financial details are held.
"You've got to meet the data security standard - it is the absolute minimum
requirement," says Mark Bowerman, a spokesman for Financial Fraud Action
UK.
"Beyond that, there are reputational issues
to consider. If you are hacked and data is
stolen, then it will be a serious concern both
reputationally and financially as well."
So what can be done to protect information yourself?
"Unfortunately, people have the habit of reusing their passwords for multiple
different services," says Rik Ferguson, of digital security company Trend Micro.
Image caption: Credit card information is heavily encrypted when held online
"Many people will have to consider that these criminals have both their email
address and their common password.
"Once you own someone's email account, that's really the master key to
everything because you can go through the password reset process of [a
number of services] and of course, they come back to that email account. It's
the key to your online life."
But, says Bowerman, if both you and the companies you trust with your data
are careful with it, serious breaches are still very unlikely.
"Even if you have supercomputers, the computing power of hundreds of
thousands of computers linked together, if your encryption is strong enough, it
would still take years and years to break those passwords," he says.
"It boils down to how good your encryption is."
Task 2:
Names of People Mentioned and their Job Roles.
Brendan O'Connor, Australian Minister for Home Affairs
Graham Cluley, Security Consultant
Thomas Roth, German Security Researcher
Mark Bowerman, Spokesman for Financial Fraud Action UK
, Digital Security
Names of Organisations Mentioned
Sony PlayStation
Task 3:
[Spider diagram: "People that are against Fraud", with nodes Graham Cluley,
Mark Bowerman, Brendan O'Connor, Rik Ferguson, Thomas Roth and Sony PlayStation]
Summary:
The spider diagram shows us that the people involved in this article are agreed that fraud should be
stopped and want to do their best to prevent this crime.