Software Integrity

 

Minimizing exposure from the iCloud

This Labor Day weekend, a number of photographs of a personal nature were released to the public. The data leak can be traced back to personal devices and the Apple iCloud. Even though businesses aren’t usually the target of this kind of leak, there are still lessons applicable to businesses that elect to use cloud hosting for data.

The biggest public reaction will be “OMG! They hacked our phones and got our selfies!” but corporations should be thinking about the circumstances that led to this weekend’s leak. A group of individuals, using a variety of social-engineering-based credential/account compromises and more sophisticated device/service hacks on high-value targets, sold information of a private nature to the highest bidder. This anonymous individual released the information publicly instead of continuing to use the information privately.

The victims may have been compromised a year or more ago and had no idea their private information was being traded below the radar. It is almost a guarantee that none of the individuals were using two-factor authentication, if it was available to them. Instead, their data was compromised via password reset/security question social engineering methods. Allowing web browser access with a potentially recyclable username/password combo is a weak point, akin to securing a supermax prison with a TSA-approved luggage lock.

Figure 1: The places photos from a smartphone can propagate to and some of the protections in place

Examining this release allows us to tease out a variety of questions businesses can ask themselves about the data they are hosting on the cloud. Some of these questions are obvious, such as whether the individuals would have been safe if they were on one cloud provider versus another. Others are less obvious, like how rigorously a data retention policy should be applied to data.

Let’s address cloud security first. This is a topic studied at the federal level and in academia as well. Marketing teams will tell you that data stored on the cloud is perfectly safe and that outsourcing the data also means outsourcing the worries. In practice, the cloud is a data center hosted by another company, and its security is only as good as its patch levels, access controls, and authorization methods. The fact that the compromised information was hosted on the cloud wasn’t the problem. The ability to socially engineer one’s way into the accounts was. Cloud hosting is a tool, and just like a hammer, it may not be appropriate for all situations and can be harmful if used improperly. An architectural risk analysis can determine whether the access methods are susceptible to an attack. For example, an analysis might show that an attacker with a link and compromised credentials can gain access to the sensitive information via a variety of vectors, some of which have hard-coded access.

The leak also occurred because of the social engineering techniques used to gain control of the password reset functionality and accounts. It is possible to evaluate whether an application or helpdesk is vulnerable to social engineering techniques, such as relying on publicly available or “in wallet” information like the SSN, address, or place of birth. Additionally, controls set in place by a software security group can mandate how passwords are provided to the end user and what kind of additional factors are required to gain control of an account.

Right now, the media is reporting on this and it is up to the PR teams of the victims to control the tone of the conversation. If a business is not prepared for a data leak, the public image can be damaged just as much by poor PR as by the original leak. Maintaining a complete list of information assets and performing a complete risk assessment, including reputational risk, will better position a business should the worst happen.

Businesses should also have data retention policies and examine how they are being applied to their applications. Just like the leaked images, some data may be best expired shortly or immediately after generation, or never committed to disk. An application should have or allow data aging controls that delete data, keeping the amount of information that can be leaked to a minimum.
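
One way to implement the data aging controls described above, as an added example that is not from the original post. The data class names, the retention periods and the `AgingStore` type are assumptions made for illustration, and the records are constructed samples.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical data classes and retention periods, assumed for this example.
# None means "never commit to disk"; timedelta(0) means "expire immediately".
RETENTION = {
    "auth_challenge": None,
    "share_preview": timedelta(0),
    "whiteboard_photo": timedelta(days=7),
    "signed_contract": timedelta(days=365),
}

@dataclass
class Record:
    record_id: str
    data_class: str
    created: datetime

class AgingStore:
    """In-memory stand-in for a persistent store with data aging controls."""

    def __init__(self):
        self.rows = {}

    def put(self, rec):
        # Fail closed: data with no assigned retention class is rejected,
        # so nothing is kept indefinitely by default.
        if rec.data_class not in RETENTION:
            raise ValueError(f"no retention class for {rec.data_class!r}")
        if RETENTION[rec.data_class] is None:
            return False  # never persisted; the caller keeps it in memory only
        self.rows[rec.record_id] = rec
        return True

    def purge(self, now):
        """Delete every record at or past its retention period; return their ids."""
        due = [r.record_id for r in self.rows.values()
               if now - r.created >= RETENTION[r.data_class]]
        for rid in due:
            del self.rows[rid]
        return sorted(due)

def demo():
    # Constructed sample records: (id, data class, age in days).
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)
    samples = [("r1", "auth_challenge", 0), ("r2", "share_preview", 0),
               ("r3", "whiteboard_photo", 10), ("r4", "whiteboard_photo", 2),
               ("r5", "signed_contract", 30)]
    store = AgingStore()
    persisted = [store.put(Record(i, c, now - timedelta(days=d))) for i, c, d in samples]
    return persisted, store.purge(now), sorted(store.rows)
```

After a purge run, only the records still inside their retention window remain in the store, which is the set an attacker could obtain if the store were compromised at that moment.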

Finally, from an organizational standpoint, people use mobile devices all the time. Are employees taking photos of whiteboards from meetings that discuss trade secrets? Could these photos be propagating to personal computers and social media sites? When it comes to securing the device itself, Microsoft offers BitLocker, and implementing it can cost less than a single stolen laptop incident in the grand scheme of things.

So, in closing, this cloud leak raises some very interesting questions and has sparked a privacy dialogue. There are some lessons to be learned from this that can apply to everyone who uses remote storage.