By Erik Sherman / MoneyWatch / August 8, 2012, 7:41 AM

Apple, Amazon prove the "cloud" isn't safe

(MoneyWatch) Everyone in the high-tech industry, along with the usual ardent early-adopters, is betting heavily on the emerging Internet "cloud." What often gets overlooked are the drawbacks, as tech writer Mat Honan learned when hackers destroyed his digital life. Not inconvenienced; not interrupted. Destroyed. He lost all the photos he had of his daughter, as well as many documents and emails that were presumably important to him.

Honan had trusted heavily in the convenience and seemingly ubiquitous nature of cloud computing. That approach calls for storing all your content on the cloud, tying all your devices together with grand and expansive systems, and using uber-sophisticated software to control and protect everything. The payback: You always have access to everything you want when you need it.

However, systems and machines ultimately rely on human beings, and getting people to always do what is prescribed is a losing battle.

What happened

Here is the nut of Honan's experience in his own words:

In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

How did hackers pull this off? Was it some powerful new virus or spyware that peeled back all Honan's secrets? Nope. It was a practice called social engineering, when a determined person or group plays on the weaknesses of business processes and the gullibility and laziness of other human beings.

Plenty of blame to go around

The most basic fault was Honan's. He didn't back up his data in his home, trusting that what he put into someone's cloud would always be there and that the security procedures were adequate. He "daisy-chained" his accounts at Apple (AAPL) and Amazon (AMZN) for convenience. That allowed the hackers to crack his Amazon account and then use that information to access his Apple account, which got them into his Gmail account and eventually his Twitter account (apparently what they had wanted all along).

But his nonchalance was aided and abetted by how Amazon and Apple -- and entirely too many other technology companies -- conduct business:

But what happened to me exposes vital security flaws in several customer service systems, most notably Apple's and Amazon's. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information -- a partial credit card number -- that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.
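
The daisy chain described above can be audited as a dependency model. The following is an added example, not part of the original article: the attribute names and recovery policies are constructed assumptions, and only the card_last4 link (shown by Amazon, accepted by Apple) is taken from the text. It reports which accounts fall once one is lost and which proofs of identity are merely another service's display data.

```python
# Constructed model of the account chain the article describes. Attribute names
# and recovery policies are assumptions; only the card_last4 link between
# Amazon (displays it) and Apple (accepts it as proof) comes from the article.
SERVICES = {
    "amazon":  {"exposes": {"card_last4"},
                "accepts": [{"amazon_password"}]},
    "apple":   {"exposes": {"gmail_recovery_mailbox"},
                "accepts": [{"card_last4"}]},
    "gmail":   {"exposes": {"twitter_reset_mailbox"},
                "accepts": [{"gmail_recovery_mailbox"}]},
    "twitter": {"exposes": set(),
                "accepts": [{"twitter_reset_mailbox"}]},
}

def takeover_chain(services, initially_compromised):
    """Accounts that fall, in order, once the starting accounts are lost."""
    fallen = list(initially_compromised)
    known = set().union(*(services[n]["exposes"] for n in fallen))
    progress = True
    while progress:
        progress = False
        for name, svc in services.items():
            if name not in fallen and any(p <= known for p in svc["accepts"]):
                fallen.append(name)
                known |= svc["exposes"]
                progress = True
    return fallen

def cross_service_proofs(services):
    """(verifier, attribute, exposer): proof at one service, display data at another."""
    return [(v, attr, e)
            for v, svc in services.items()
            for proof in svc["accepts"] for attr in sorted(proof)
            for e, other in services.items()
            if e != v and attr in other["exposes"]]

def with_independent_proof(services, name, factor):
    """Copy of the model where `name` only accepts a factor no other service holds."""
    fixed = dict(services)
    fixed[name] = {"exposes": services[name]["exposes"], "accepts": [{factor}]}
    return fixed

if __name__ == "__main__":
    print(takeover_chain(SERVICES, ["amazon"]))
    print(cross_service_proofs(SERVICES))
    hardened = with_independent_proof(SERVICES, "apple", "apple_second_factor")
    print(takeover_chain(hardened, ["amazon"]))
```

In this model, giving a single service a proof that no other service holds stops the chain at the first account.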

Vendors aren't ready

Every time new technology comes about, it takes time for industries to realize just how dangerous their previous practices were. ATM receipts were one of the big drivers for banks to realize that printing out the entire account number was dangerous. And how long did it take for credit card companies to eradicate the carbon paper between copies of credit card slips after it became clear that the unscrupulous could walk off with an identity theft cheat sheet? How many companies online still use the last four numbers of an account to verify a user?

If such issues are problematic in general, they are devastating when it comes to cloud computing, especially when people place too much trust in what are, after all, inherently fallible systems (even when they are technically adept and should know better). What does that suggest for the average consumer or business who trusts too unwisely and yet too well?

© 2012 CBS Interactive Inc. All Rights Reserved.

    Erik Sherman is a widely published writer and editor who also does select ghosting and corporate work. The views expressed in this column belong to Sherman and do not represent the views of CBS Interactive. Follow him on Twitter at @ErikSherman or on Facebook.

13 Comments
KnowerseekerReturns says:
I will probably never use cloud computing for anything that is important. I do keep some stuff in Google Documents, but none of it is work- or business-related, and it's all expendable. That's as far as I use cloud computing.
Techgeek141 says:
There definitely can be potential security issues with cloud sharing/storage, however the pros of such services overpower the cons. We have endlessly heard of hackers tapping into emails, servers of IT companies, and even into the Federal Government. There will always be security problems. However, for the average internet user such as myself, choosing a cloud company with a proven track record is crucial. I stopped using Dropbox and switched to 4Sync, now I get 15 GB of free space and the assurance of a company that never has had any security breaches and all my info 3x backed up through their servers.
eriksherman replies:
And have you checked to see whether someone other than yourself could pull together enough information to get into your account, as happened with Amazon and Apple? Or get into one account and use that to gain more info to get into another?
Choons says:
the "Cloud" really only benefits the companies that are trying to sell it.
hypnotoad72 replies:
Very true.

Subscription schemes they provide offer a quick buck, and with less incentive for them to improve their products... especially when most people standardize on them, which also leads to a greater security risk - "all eggs in one basket" and from many points of view...
AsianDudezz says:
When the Cloud Internet turns 'cloudy'
AsianDudezz says:
wh
Crankypaul says:
I'm not in a position to pass judgement on the author's knowledge, but I will concur that I am one of those who is less than comforted with the idea of cloud computing. We all have accounts in many places but many of us still keep our "stuff" on a home computer or drive. To put it all "out there" is inciting the unscrupulous to mess with it, as Mat Honan has shown. I'm sorry for him that this happened, but OTOH, I'm glad that it may open a few people's eyes to the possibility of it happening to them as well. When all our files lived in steel boxes and cabinets in our homes we only needed to worry about theft and fire in a specific location. Now we have so much on computers that while fire isn't an issue, theft and hacking has become a very real possibility, and sadly, a probability as well. There ARE ways to back up and secure, but since the probable majority of us don't "do the right thing" we will be leaving our dirty laundry out for anyone to hack.
CloudAngel says:
Making this statement that the cloud is unsafe proves the author is technically uneducated.
I work as a Cloud systems administrator. My organization has been hosting cloud service for the past 10 years. Yes 10 years no mistake. We have about 10k virtual servers processing mission critical applications such as Exchange, Axapta, MS-CRM to name a few. I have about 32k users in my clouds daily. Without getting into technical details this uneducated reporting is similar to when you get a flat tire you blame the car.
The hacker used social engineering and weak organizational security policies to complete his hack. Simple as that.
Don't blame the Cloud platform.
eriksherman replies:
The platform includes the social engineering issues. Maybe you have never had a problem. Many have. That's why talking about not trusting the "cloud platform" makes perfect technical *and* business sense. Because you can't tell too easily whether a vendor really does have the procedures, processes, and personnel that can maintain the necessary security. All three are musts, as you should know since you're touting your expertise. You somehow seem to think that because the activity was done with social engineering, it somehow doesn't count. Tell that to Honan, or others who have found themselves hacked. The social issues *are* part of the platform. That's the point that cloud vendors are proving they don't get.
CloudAngel replies:
#ERIKSHERMAN
Valid points taken. Sure vendors like me learn daily from the mistakes of others but the bottom line is the data is missing. Surely any provider worth considering will have daily backups which will allow the restore of lost data if so requested? A callback policy also helps to validate the end-user request. We can discuss this issue all day long and still not agree. What got me to react with the above posting is the Cloud is stable and headlines like this create false impressions. Yes like all business models you need to be on top of your game if you want to survive. I value your comment.
Quattr0ne says:
Evidently I'm the only person who has never trusted the cloud. In this environment of hackers, why would ANYONE put all their precious digital properties where hackers have unprecedented access to get them?

I've never understood that.