In 1980, I wrote a letter to Robert Courtney, who was the Security Director at IBM, asking him about a technique I proposed to penetrate IBM computers. He wrote back a nice letter, which I thought was unusual, but a pleasant surprise to a young guy in security. In it he said, "Yes, your technique will work, but you may have the wrong focus. We lose more data by accident than we lose on purpose." I taught that concept for years after. Now, as I hear the same thing coming from Amazon and Microsoft, I think we are missing something by attributing some data losses to "accidents".
US Military data held by Booz Allen Hamilton, including passwords and sensitive files, was found in an insecure location at Amazon. Booz says it was put there "by accident" and was removed when discovered. That is only a small part of the BBC story, which is worth reading. It does not sound like an accident at all, and Booz did not react very fast in closing it off. A similar thing happened to Microsoft, where files were discovered in publicly accessible locations, and those too contained passwords and sensitive files.
Maybe they don't like the idea that hackers save files in their clouds and come for them when they have time. Treating these incidents like "accidents" is crazy. They are ignoring the larger problem that hackers have gotten into someone else's data and that data was exposed to the Internet - that part of it may have been an accident, but stealing and storing the data somewhere they can easily get it was not.
These are coverups. As the Chinese and Russians double their efforts to steal from cloud services, they have learned that once in, data from lots of places will be available to them. Clouds are not more secure as people would have you believe - well, not people in general, cloud vendors say that.
They are no more secure than any other institutional vendor would be, and we have no oversight into what they are doing with that data or how it is being protected. The vendors do not want you to hear that the sites are being successfully attacked, so these exposures of data become accidents when they are anything but.