Press delete: the risk of outsourcing your data
By Robert Vamosi
A recent failure affecting T-Mobile's Sidekick service caused thousands of customers to lose their personal contact information.
There's nothing new about servers crashing, and something like this is sure to happen again, so you need to protect yourself against such losses in the future.
On Oct. 2, the servers used by the Sidekick service to store customers' contacts, calendars, to-do lists, photos, and other personal information failed, as described in a New York Times story.
During the process of restoring the servers, which are managed by Microsoft's Danger subsidiary, the data files on the primary and backup servers were corrupted.
T-Mobile apologized to customers and offered subscribers a $100 credit on future products and services, as well as a free month of data service.
As you might expect, the reaction of Sidekick customers to this half-hearted measure has been overwhelmingly negative. Several hundred Sidekick users affected by the outage expressed their displeasure on the Sidekick Help site.
Late on Oct. 14, Microsoft notified Sidekick customers that "most, if not all" of the lost data had been recovered. The company said it would begin restoring the data "as soon as possible."
This hasn't prevented several Sidekick users from filing lawsuits related to the outage, as reported by Nick Eaton of SeattlePI.com.
Taking a closer look at on-the-go security
As people rely increasingly on their mobile devices — and Microsoft and other vendors put productivity apps online — the dangers increase for consumers and enterprises alike.
Researchers at several recent computer-security conferences have highlighted the risks of cloud computing, primarily in the areas of security and accessibility. "Cloud-busting" and "BlackBerry poisoning" were two of the hottest topics at the Hack in the Box conference in Malaysia in early October.
In his talk, "Clobbering the Cloud," Haroon Meer — the technical director of South African security vendor Sensepost — pointed out that cloud computing means many things. For some, it describes a platform, such as Microsoft's Azure or Google's App Engine. For others, it's a service, such as Google Maps or Amazon's Elastic Compute Cloud (EC2) service. Still others see it as a home for such hosted applications as SalesForce.com and the Mint personal-finance service.
Meer says reverse engineering kept Microsoft and other software vendors honest in the past. If the software of the future is hosted in the cloud, how will we verify the security of that software? Without access to the servers that host the code, independent security checks are impossible.
Meer's presentation emphasized that the marketing folks involved with cloud-based initiatives are using "crypto-pixiedust magic words" in their security assurances. His talk examined where security might break down for SalesForce.com, Amazon, and MobileMe, among other cloud services.
Audio and video recordings of Meer's presentation are available as a zip file from a conference download page. (The file is labeled D1T1 - Haroon Meer at the top of the file list.)
Bitbucket users become lost in the cloud
People who lose access to their Web-based data have few options. For example, the popular Bitbucket code-hosting and version-control service was offline for about 24 hours last week, as reported by the Register.
Bitbucket uses the EC2 service to host its files and Amazon's Elastic Block Store (EBS) as the platform for its database, log files, and user data. The idea is that EBS exists to provide persistent storage for EC2 server instances. As it turns out, EBS is public-facing on the Internet and can thus become a target for intruders.
Suspecting that it might have become a target, Bitbucket worked through Amazon to find evidence of a distributed denial of service (DDoS) attack. Apparently, a flood of User Datagram Protocol (UDP) packets was being sent to the servers. The sending computers didn't wait for an acknowledgment before launching even more packets — a classic DDoS scenario.
It took engineers at Amazon EC2 and Bitbucket several hours to realize they were being attacked. Meanwhile, users of Bitbucket were left scratching their heads for 16 hours. If a cloud-based service is used for mission-critical apps — particularly for health-care and financial services — a few hours of downtime could be disastrous.
A security advisory for BlackBerry users
In another talk at the Hack in the Box conference, Sheran Gunasekera, head of research and development at ZenConsult, stated that there's no technical way to hack a BlackBerry mobile device, but there are ways to seriously discomfit users. Since Research in Motion (RIM), the BlackBerry's maker, encrypts everything, a man-in-the-middle attack is unlikely. Because there are few vulnerabilities, criminals have few potential points of entry. But not everything's perfect.
Gunasekera described various means of attacking a BlackBerry — remote use of its camera, alteration of the contact information it stores, the ability to run up international phone charges, and use of the phone to pump out phishing SMS messages. Gunasekera pointed out that, unlike the Apple iPhone store where every app is tested, BlackBerry apps are not regulated.
Gunasekera's talk is available via the Hack in the Box download page. (The file is labeled D1T2 - Sheran Gunase and is the 10th item in the file list. Bandwidth-challenged, beware: it's a 16MB download.)
Gunasekera's advice for BlackBerry users can be summed up in the following four points:
- Don't install random, free software on your device.
- Don't let others use your phone. If they do, keep a careful eye on their activities.
- Learn and set default application permissions.
- Always enable a device password.


