Why we need to improve cloud computing’s security
Do you often use Facebook? How about Snapchat, Gmail, Dropbox, Slack, Google Drive, Spotify or Minecraft? Perhaps all of them? Bottom line, if you use an online social network, e-mail program, data storage service or a music platform, you are almost certainly using cloud computing.
Cloud computing is way of giving access to shared resources such as computer networks, servers, storage, applications and services. Individuals and organisations can place their data on the cloud and enjoy unlimited storage free or at a relatively low cost. It also allows services such as email to be offloaded, reducing companies’ development and maintenance costs.
Data breaches happen every day
Despite the tremendous benefits of cloud computing, the security and privacy of data are probably the biggest concerns that individuals and organisational users have. Current efforts to protect users’ data include measure such as firewalls, virtualisation (running multiple operating systems or applications simultaneously) and even regulatory policies, yet often users are required to provide information to service providers “in the clear” – means plain-text data without any protection.
Moreover, because cloud-computing software and hardware are anything but bug-free, sensitive information may be exposed to other users, applications and third parties. In fact, cloud data breaches happen every day.
The cyber-security website Csoonline.com compiled a list of 16 of the biggest data breaches of the 21st century all happened during the past 11 years.
At the top of the list is Yahoo. In September 2016 the company announced that it had been the victim of a huge data breach in 2014 – names, e-mail addresses and other data belonging to half a billion users were hacked. The following December Yahoo revised their estimate, and said that 1 billion accounts were hacked in 2013. In addition to names and passwords, users’ security questions and answers were also compromised.
In October of 2017, Yahoo yet again revised their estimation of the number of compromised accounts. Instead, it was actually 3 billion.
Fighting a new threat model
In a research project that I am leading, we are aiming at providing cloud data security and privacy protection under a new threat model that more accurately reflects the open, heterogeneous and distributed nature of the cloud environment. This model assumes that cloud servers, which store and process users’ data, are not to be trusted to keep users’ data and the processing results confidential, or even to enforce access limitations correctly. This is a radical departure from the traditional threat model for closed enterprise IT systems, which assume that servers can be trusted.
The central approach of our research is thus to embed protection mechanisms, such as encryption and authentication, into the data itself. In this way, data security and privacy remain even if the cloud itself is compromised, all while enabling authorised to access and process shared data.
Protecting the data and its users
In our research project, we have created a suite of techniques for scalable access control and computation of encrypted data in the cloud. We also built an attribute-based secure messaging system as a proof-of-concept prototype. The system is designed to provide end-to-end confidentiality for enterprise users, and is built on the assumption that the cloud itself doesn’t necessarily keep users’ messages confidential.
To understand how it works, imagine that you’re depositing valuables in a house to which you have a key and that, from time to time, you want move these valuables to other friends’ houses where unknown people may come and go. Each of your friends keeps his or her key, but not all have the same access privileges: their keys can only open certain houses based on the access they have. Such privileges and key sets are managed by a keymaster who stays elsewhere.
Pakistani banks hit by biggest cyber attack in country’s history
Pakistan’s banking system has been hit by the ‘biggest cyber attack in country’s history’.
Data from 19,864 cards belonging to customers of 22 Pakistani banks has been put on sale on the dark web, according to an analysis by Pakistan’s Computer Emergency Response Team, PakCERT.
It all started in mid-October when some customers of Bank Islami received text messages, alerting them of transactions (withdrawal of money), which they didn’t do. Noticing the abnormal transactions of Rs.2.6 million, Bank Islami blocked its international payment scheme on October 27.
It was a coordinated cyber attack in which the payment network of Bank Islami and the international payment scheme was compromised. Hackers made these transactions on international ATMs using cards issued by the bank.
In the wake of this incident, the central bank instructed all commercial banks to ensure the security of all payment cards in the country and monitor usage of their cards, especially international transactions.
However, when PakCERT investigated the cyber attack, it emerged that data of almost 20,000 debit cards was compromised—this may also explain the messages some of you have received from your banks recently, informing your card has been blocked for international transactions for security reasons.
Related: Hackers steal Rs2.6m via debit cards issued by Bank Islami
“On 26th October 2018, a data dump was posted on the dark web with over 9,000 debit cards, most of which belonged to customers of Pakistani banks,” says PakCERT. “Just when everyone thought the storm is over, on 31st October 2018, a second dump of over 12 thousand cards was posted on Darknet, comprising of 11000 cards from Pakistani banks,” it said.
Bank Islami was the only bank that came to limelight, but the report says thousands of debit cards of 21 other banks were up for sale on the dark web. Known to be the hotbed of criminal activities, the dark web can’t be accessed without using Tor, a software that enables anonymous communication.
The sale price for these cards ranged from $100 to $160. Among all banks, HBL, the largest bank in the country, was worst hit with more than 8,000 cards, followed by UBL, Standard Chartered Bank, MCB, and Meezan Bank with more than 1,000 cards each. Bank Alfalah, Bank Islami and Bank of Punjab were among banks that saw more than 500 of their cards being dumped on the dark web.
According to PakCERT, the hacked credit card data is available in two formats. First is text-based credit card details: full name, address, phone number, card number, and expiry which can be easily used by someone for illegal online purchases. The second format is skimmed dumps, which means the hacker was physically able to scan the card details possibly at a compromised ATM or merchant machine.
These skimmed card details are used to create a duplicate card which can then be used at an ATM or merchant machine for illegal transactions.
In addition to data of Pakistani customers, cards belonging to banks outside Pakistan like National Bank of Abu Dhabi, Abu Dhabi Islamic Bank, Emirates Nbd, Commonwealth Bank of Australia, Citibank USA, were also dumped, which shows that it includes data from visitors who travelled to Pakistan during this time and used one of the compromised ATM or merchant machine, the report says.
This is still an unfolding story since PakCERT is assessing other information obtained from these dumps, Qazi Mohammad Misbahuddin Ahmed, the author, told SAMAA Digital. More revelations will be made in the next report, he said.
Related: Global cyber attack slows; search on for hackers
Referring to people who could be behind the attack, Ahmed said the people who did the skimming could be visitors from outside Pakistan, who may have used the cards themselves and later dumped them for sale on the dark web. Or they could be people within Pakistan who helped a more advanced group outside Pakistan to make some profit.
This is not the first time, Pakistani banks were hacked. Cyber attacks are taking place almost every day.
In December, a major skimming attack took place when ATMs of HBL were targeted. The issue was highlighted some arrests were made, but it turns out banks are still vulnerable to such attacks.
PakCERT says that statistics about the compromised cards in both dumps will be made available on their website. In the meantime, many banks have blocked international transactions of their customers’ debit and credit cards while others have sent text messages to customers, telling them their accounts are safe. Other than Bank Islami, no bank has publicly reported if any money was stolen from their account, so it is unclear which customers are at risk.
The central bank’s spokesperson didn’t respond to our queries when this report was filed.
What Should Mark Zuckerberg Do?
Facebook’s CEO, Mark Zuckerberg, received a great deal of advice from respondents to this month’s column. It included ideas that haven’t gained much attention in the press.
Along with the advice came comments about the naiveté of users who don’t realize there is a cost for Facebook’s “free” service. Miki Saxon recalled that “Tim Cook once said, ‘If it’s free, then you are the product.’ It seems that Americans are just waking up to that fact …” Malcolm Harper commented, “Relax … it’s still a case of ‘caveat emptor’.” Jacob Navon put it most memorably: “I find myself in a Claude Rains Casablanca moment here: ‘I’m shocked, shocked to find that FB and others are making money off my data when they give me their services for free.’” But “shocked” or not, reality probably will not excuse the company from action, especially if there are many users like Judy who, having archived her data and deleted her account, found that, “The interesting thing is that I only missed the site for one or two days.”
Dyl suggested that the company should move on several fronts, including efforts to: (1) “refund … and revitalize” its security team, giving it more independent leadership, (2) provide more “community training” on the use of user data, (3) “invest in reducing fake articles,” (4) publish a quarterly “report to Congress” regarding “detailed privacy issues/actions”, and (5) “Start a large scale subtle PR campaign to re-communicate Facebook’s vision and mission statement.” Brendan Coffey led the way in proposing that “FB needs a much more active strategy to place the user in a position of control with respect to how their data is used.” Bhanu Ramenani suggested one way this could be done is by creating a “layer between the third party applications/advertisers and users” assigned the task of making sure third party companies are following company guidelines on privacy. Jim suggested, “Total transparency, including what was collected and what was sold FOR EACH MEMBER.”
Most interesting to me was the fact that the most frequent suggestion was that Facebook change its business model to include subscriptions for some users. As Renee put it, “Zuckerberg and his team need to reset their revenue model. Facebook users should be given the choice—use my data and I can use Facebook for free, or give me privacy and let me pay for Facebook.”
Dyl would “allow users to ‘upgrade’ to a premium paid version … where amongst other features (advanced posting abilities, greater post visibility, etc.), ads are not shown and therefore private data is not shared.” Liel noted that, “In developed markets where there is a public outcry, Facebook will be smart to unbundle the services and come out with a pricing table.” As Munyaradzi Mushato put it, “implement an authentic platform strategy where users pay, advertisers pay, and developers pay for the value they get.”
Clearly, changes to a business model such as this would have many ramifications for Facebook’s long-term business success. But can Facebook avoid changing its business model? What do you think?
Mark Zuckerberg, founder and CEO of Facebook, one of the most dominant firms on the internet with 2.2 billion users, has come to you, a trusted adviser, for advice. The company is facing its largest crisis since its inception in 2004. What should it do next?
The genius of the Facebook business model, similar to strategy used by other internet giants, was that it was free, paid for by advertising based on access to user information. Free and open access contributed to the rapid growth of the network. The addition of each user increased the value of the network to everyone: users, the developers of apps made available to users, and advertisers utilizing user information. Although users could fine tune who received access to their data, the vast majority opted for only minimal control in order to create larger personal networks. Further, there was little governmental regulation of social networking companies protecting those users.
In the past two weeks, Facebook’s world had changed with New York Times and London Observer reports that a “psychographic researcher and consultant” identified as Cambridge Analytica used a quiz app on the platform to access personal information of approximately 300,000 Facebook users and, by extension, 49.7 million of their “friends.” The consultant allegedly used the information to influence voters, creating an outcry from users, legislators, and the general public, to force the company to do a better job of protecting private information.
In an initial response, Facebook informed its blog readers that it had suspended the consultancy from the site and suspended such data sharing by app creators. On March 20, Zuckerberg and Sheryl Sandberg, chief operating officer, sent the company’s deputy general counsel to the company cafeteria to meet with employees, sharing with them that Facebook had been deceived by the consultant into thinking that the information it had obtained had been discarded at Facebook’s request. The following day, Zuckerberg personally met with employees and posted a promise to audit and restrict access to user information by the developers of apps. He also agreed to testify before a United States congressional committee in coming days.
Short-term issues remained, among them engineering fixes to allow users easier control over sharing information on their Facebook pages. In fact, Zuckerberg reportedly was working with engineers for several days doing just that while the world awaited follow-up to the initial disclosures.
Dangers of an open platform
The changes were announced March 28, just days before the congressional hearing. The new choices were constrained, however, by knowledge that every new option offered potential for a less open site. This was something that was generally feared within the organization. Since its basic strategy decision in 2007 to open its platform to outside developers, Facebook’s success had been based on an open exchange between users, designers of apps posted on the site, and particularly advertisers making use of user information to design messages, access potential customers, and provide the revenue that had made Facebook one of the world’s most profitable and valuable companies. Further, the open policy had encouraged the production of more than a million apps, many of which were thought to increase the amount of time that Facebook users spent on the site, thus making them more valuable to advertisers and to Facebook.
Security was another issue to be addressed. Up to now, Facebook had little control over the information gathered by app designers, which they could in turn sell to third-party organizations largely unknown to the company. Facebook had, indeed, employed a chief information security officer with a sizeable staff. He had repeatedly argued for greater security of users’ information. But his proposed solutions often were outweighed by the desire to serve the company’s mission of “bringing the world closer together.” Some objected to the security chief’s outspoken and somewhat combative manner. For whatever reason, his staff had been reduced, he had been refused a request to report directly to Zuckerberg, and he had announced that he would be leaving Facebook in August.
Some had proposed that Facebook change its business model from an advertising to a subscription model, with revenue coming from user fees rather than advertising. This had been rejected, largely because it would probably drive millions of users from the site, particularly those in the developing world with little income to spare.
Whatever Zuckerberg were to do, he would have to proceed very carefully, both in public and behind the scenes, to preserve the company’s user base, developer incentives, the value of information to advertisers, and the ability of the organization to continue to hold and recruit outstanding talent.
The US stock market had already begun to weigh in on the company’s prospects for doing so: Facebook’s stock value plummeted by $90 billion in seven trading days. One business columnist had proposed the creation of a federal Digital Protection Agency, whose job would be to “clean up toxic data spills, educate the public, and calibrate and levy fines.” Social media had even turned against Facebook through a #DeleteFacebook address. Employees watched closely the numbers of users who might elect the “DeleteMyAccount” button on Facebook.