Press delete: the risk of outsourcing your data

Robert vamosi By Robert Vamosi

A recent failure affecting T-Mobile’s Sidekick service caused thousands of customers to lose their personal contact information.

There’s nothing new about servers crashing, and something like this is sure to happen again, so you need to protect yourself against such losses in the future.

On Oct. 2, the servers used by the Sidekick service to store customers’ contacts, calendars, to-do lists, photos, and other personal information failed, as described in a New York Times story. During the process of restoring the servers, which are managed by Microsoft’s Danger subsidiary, the data files on the primary and backup servers were corrupted.

Subscribe to our Windows Secrets Newsletter - It's Free!

Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 7, Windows 8, Windows XP, Firefox, Internet Explorer, Google, etc. Join our 480,000 subscribers!

PC Drive Maintenance (Excerpt)

Subscribe and get our monthly bonuses - free!

Your hard drives store photos, books, music and film libraries, letters, financial documents and so on. This ebook is aimed at helping you understand your hard drives, expand their capacities and length of life, and recover what you can from them when they fail. We're offering you a FREE Excerpt! Get this excerpt and other 4 bonuses if you subscribe FREE now!



T-Mobile apologized to customers and offered subscribers a $100 credit on future products and services, as well as a free month of data service.

As you might expect, the reaction of Sidekick customers to this half-hearted measure has been overwhelmingly negative. Several hundred Sidekick users affected by the outage expressed their displeasure on the Sidekick Help site.

Late on Oct. 14, Microsoft notified Sidekick customers that “most, if not all” of the lost data had been recovered. The company said it would begin restoring the data “as soon as possible.”

This hasn’t prevented several Sidekick users from filing lawsuits related to the outage, as reported by Nick Eaton of SeattlePI.com.

Taking a closer look at on-the-go security

As people rely increasingly on their mobile devices — and Microsoft and other vendors put productivity apps online — the dangers increase for consumers and enterprises alike.

Researchers at several recent computer-security conferences have highlighted the risks of cloud computing, primarily in the area of security and accessibility. “Cloud-busting” and “BlackBerry poisoning” were two of the hottest topics at the Hack in the Box conference in Malaysia in early October.

In his talk, “Clobbering the Cloud,” Haroon Meer — the technical director of South African security vendor Sensepost — pointed out that cloud computing means many things. For some, it describes a platform, such as Microsoft’s Azure or Google’s App Engine. For others, it’s a service, such as Google Maps or Amazon’s Elastic Compute Cloud (EC2) service. Still others see it as a home for such hosted applications as SalesForce.com and the Mint personal-finance service.

Meer says reverse engineering kept Microsoft and other software vendors honest in the past. If the software of the future is hosted in the cloud, how will we verify the security of that software? Without access to the servers that host the code, independent security checks are impossible.

Meer’s presentation emphasized that the marketing folks involved with cloud-based initiatives are using “crypto-pixiedust magic words” in their security assurances. His talk examined where security might break down for SalesForce.com, Amazon, and MobileMe, among other cloud services.

Audio and video recordings of Meer’s presentation are available as a zip file from a conference download page. (The file is labeled D1T1 – Haroon Meer at the top of the file list.)

Bitbucket users become lost in the cloud

People who lose access to their Web-based data have few options. For example, the popular Bitbucket code-hosting and version-control service was offline for about 24 hours last week, as reported by the Register.

Bitbucket uses the EC2 service to host its files and Amazon’s Elastic Block Store (EBS) as the platform for its database, log files, and user data. The idea is that EBS exists to provide persistent storage for EC2 server instances. As it turns out, EBS is public-facing on the Internet and can thus become a target for intruders.

Suspecting that it might have become a target, Bitbucket worked through Amazon to find evidence of a distributed denial of service (DDoS) attack. Apparently, a flood of User Datagram Protocol (UDP) packets was being sent to the servers. The sending computers didn’t wait for an acknowledgment before launching even more packets — a classic DDoS scenario.

It took engineers at Amazon EC2 and Bitbucket several hours to realize they were being attacked. Meanwhile, users of Bitbucket were left scratching their heads for 16 hours. If a cloud-based service is used for mission-critical apps — particularly for health-care and financial services — a few hours of downtime could be disastrous.

A security advisory for BlackBerry users

In another talk at the Hack in the Box conference, Sheran Gunasekera, head of research and development at ZenConsult, stated that there’s no technical way to hack a BlackBerry mobile device, but there are ways to seriously discomfit users. Since Research in Motion (RIM), the BlackBerry’s maker, encrypts everything, a man-in-the-middle attack is unlikely. Because there are few vulnerabilities, criminals have few potential points of entry. But not everything’s perfect.

Gunasekera described various means of attacking a BlackBerry — remote use of its camera, alteration of the contact information it stores, the ability to run up international phone charges, and use of the phone to pump out phishing SMS messages. Gunasekera pointed out that, unlike the Apple iPhone store where every app is tested, BlackBerry apps are not regulated.

Gunasekera’s talk is available via the Hack in the Box download page. (The file is labeled D1T2 – Sheran Gunase and is the 10th item in the file list. Bandwidth-challenged, beware: it’s a 16MB download).

Gunasekera’s advice for BlackBerry users can be summed up in the following four points:
  • Don’t install random, free software on your device.
  • Don’t let others use your phone. If they do, keep a careful eye on their activities.
  • Learn and set default application permissions.
  • Always enable a device password.
WS contributing editor Robert Vamosi was senior editor of CNET.com from 1999 to 2008, writing pieces such as Security Watch, the winner of the 2005 MAGGIE Award for best regularly featured Web column for consumers.
= Paid content

All Windows Secrets articles posted on 2009-10-15:

Robert Vamosi

About Robert Vamosi

WS contributing editor Robert Vamosi CISSP, was senior editor of CNET.com from 1999 to 2008 and winner of the 2005 MAGGIE Award for best regularly featured Web column for consumers. He is the author of When Gadgets Betray Us (Basic Books 2011)