During Cloud Mania – roughly the decade between 2000 and 2010 – it was virtually impossible for start-up ventures to get funding unless they were cloud-based. Sixteen years on, most modern offerings are in the cloud – and that’s certainly the case for file sharing. Public cloud services are incredibly enticing to cyber-criminals because they’ve conveniently gathered millions of users for them at one attack point.
Before Cloud Mania, bad guys had to go after each person or company one at a time and the number of data loss events was barely newsworthy. But the ability to get access to millions of users' information for a little extra effort makes the decision a no-brainer.
The white line in the chart above shows the alarming increase in “data loss events.” A subset of security events, these occur when cyber-criminals successfully extract corporate data, including the IDs and passwords of registered users. There were 2,100 reported in 2014, and for 2015 Verizon recently reported that number has soared to 3,141 (source, Verizon's annual Data Breach Investigations Report).
The orange line shows the growth in the public cloud market in $B. What is stunning about this is the undeniable correlation between the growth of cloud computing and that of cyber-crime.
You've probably heard John Chambers' quip about cyber-crime: "There are two kinds of companies - those that know they've been breached, and those that don't." Nothing proves this more than the recent discovery by Yahoo! of a 500 million account breach that occurred more than two years ago. (Note: 500 million is essentially all Yahoo! accounts.)
We're not the only ones that see problems with the cloud. In a recent conversation with a knowledgeable source, we learned that no government intelligence agency is allowed to use cloud-based file sharing – they only consider peer-to-peer to be secure enough. As the figure above shows, we are losing the battle with cyber-criminals, and security will become the top criterion for product selection, putting any cloud-based service at a significant disadvantage.
Image Cloudflare / Gizmodo
The latest in the parade of Cloud vulnerabilities, last week The Register reported that large SaaS (security as a service) provider Cloudflare had been exposing sensitive user information – that could also be picked up by search engines – for more than four months. Dating back to last September, a bug named Cloudbleed was causing buffer overflows that resulted in the leakage of passwords and authentication tokens, possibly from more than 3 million of its customers’ users.
Cloudflare provides content delivery, Internet security and distributed DNS services, including reverse proxy functionality, to major websites. Its customers include Uber, Fitbit, Yelp, Zendesk, and about 3,500 others (although Cloudflare says that it detected leaks from “only” 150 of its customer websites). You know you’re in trouble when security companies are unsecure.
The bug was discovered on February 18 by a Google security analyst and patched by Cloudflare within an hour. Since the incident was reported, we’ve learned that the initial fear that millions of user credentials were leaked might have been somewhat of an overreaction, though it didn’t specify which sites had their credentials spilled. Still, who wants to play Russian Roulette with the Russians?
What’s the upshot? Gizmodo senior reporter Adam Clark Estes says it best: “Cloudbleed illustrates a larger problem with internet security. If one major player gets pwned, the consequences can be catastrophic.”
Cybercrime and the Cloud
October 12, 2016 - posted by Nexo
Cloudbleed - A Near Miss
February 24, 2017 - posted by Nexo