Hi, Habrahabr! We dug up an interesting interview with our expert Alexander Gostev and are ready to share it with you: suggestive ...
Apple representatives argue that the future belongs to cloud services, largely because the cloud approach eliminates the dangers of spam, virus infection, ending up in a botnet and other dangers caused by the “independent” access of the computer device to the Internet. Do you agree with this statement?
I agree that cloud technologies have a great future. However, one should not exaggerate their properties and role in information security ...

The use of cloud technologies not only does not eliminate the existence of spam or viruses but, on the contrary, increases the risks even more. Moreover, cloud technologies are already being used by cybercriminals themselves. There are known cases where cloud resources were used to send spam, viruses and phishing, to store data stolen from users, etc.
Do not forget about the risks of losing data located in the clouds or of access to it by third parties. To assert that the possibility of storing data somewhere, and not just on your personal device, somehow eliminates the problems with the infection of this device is extremely imprudent. These devices still need to interact with the cloud, and once infected they will allow intruders to gain access to them through the attackers.
Cloud technologies were not originally conceived as a means of solving information security problems, and the essence of the technology lies in completely different benefits. We are skeptical about assurances about the security of their cloud solutions. Worst of all, many users really believe in security, behaving even more carelessly.
As for the attitude of Apple itself to the realities of modern cyber threats, here we have to state that gradually, from the position “antivirus for Mac is not needed, there are no viruses for Mac”, this company has evolved to creating its own anti-virus scanner built into OS X version and to releasing special articles on solving problems for its users who became victims of the next Trojan for Mac.
According to your estimates, how safe is such a service for the user, in terms of the security of personal data? Should iCloud be responsible for maintaining the personal data of users from other countries? If yes, then which country's laws on non-disclosure of personal data should govern this responsibility?
As I said above, if the attacker has access to your computer, he has access to your data in the cloud. Moreover, in addition to attacks on users themselves, attackers have a new object to attack: the cloud itself. And if there are gaps in the security system of this cloud, all users' data can be stolen.
Apple iCloud is located in the USA, the list of data centers is known, and any experienced user can easily determine where his data is sent. From a legal point of view, this data is subject to US law. Not only at the place of storage, but also as belonging to Apple itself, which is an American company.
I have not yet seen the iCloud EULA, but I suppose that by tradition, users of the free version of the service will be offered an “as is” operator limited liability scheme. For paid accounts, the situation may be different, but you know, for a user from, say, India to sue Apple in the United States for the loss or leakage of personal data will be very problematic.
Apple iCloud announces that email will also be sent to the cloud. Are there any risks for the user in this situation, for example, in terms of the danger of disclosing the secrets of correspondence?
Exactly the same risks that have existed for many years when using any webmail service, such as Hotmail or Gmail. Any information that is stored on the servers can be obtained, for example, by law enforcement agencies if there is an appropriate court decision and so on.
It is known that many businessmen and government officials use Apple products. At the same time, the line between corporate and personal use of a smartphone or laptop is being erased. Can they, by ordering the Apple iCloud service for household needs (personal photos, music, e-books, etc.), accidentally transfer business information to the cloud? Can this possibility be checked and stopped by the security service of a company or department?
Yes, what you describe is the most important trend of modern society: consumerization. The use of personal devices for work and, vice versa, of corporate devices for personal purposes. Undoubtedly, the cases of such “leaks” of data to the clouds will be numerous.
Consumerization puts on the agenda the pressing issue of data security in a new information landscape. Organizations will need to develop and implement a new generation of security policies that address this trend. It is good that the security industry already offers the necessary range of tools and is ready to develop new technologies.
Do you think that writers who write their works on a computer, computer artists, scientists and other creative and research brethren who regularly work at home, creating intellectual property, are ordered into the clouds?
No way. Do not think that everything that goes into the cloud will immediately become available to someone else. It is on the user's trust in the clouds that the whole principle of their existence is built. If there is no trust, the technology will disappear. For now this trust exists, but it is relatively weak. And the recent Sony PSN hacking (details here and here), when the personal data of tens of millions of users leaked as a result of just one attack, did not contribute to confidence building at all.
The future will show whether confidence will grow stronger or vice versa. For those who want to use the cloud, but fear the leakage of personal data, I can recommend using additional encryption tools.
What other unpleasant surprises, from the point of view of information security, can users expect when giving all their digital assets to the Apple cloud?
In addition to all that has already been described above, there are risks associated with the availability of the cloud itself. The story of Sony and the attacks on its PSN service, which in fact caused the inoperability of the cloud, is one of the illustrations. You may not receive your data when you need it. I do not rule out the appearance of malicious programs that, having infected the device, will disable your access to the cloud and, for example, demand money for its restoration. There can be a lot of scenarios of threats and problems here.
Do you think that cloud structures like Apple iCloud can be vulnerable to hacker hacking? Is the emergence of fake clouds masquerading as Apple iCloud possible - popular today scammer? If so, how can a simple user verify that the contents of his computer are scanned by the Apple service, and not by scammers pretending to be Apple?
I would not like to theorize now on the vulnerability of Apple cloud services. On the one hand, for such a response, it is necessary to sort out in detail how everything will be organized there, but there is no such possibility yet. On the other hand, we still first inform the company that owns the system about its vulnerabilities so that it can correct the problem, and not the general public. In general, I believe that the end user, the client, the person who interacts with this cloud will be the most vulnerable point of the system.
The appearance of fake clouds is probably possible, but I do not really see the point in their existence. To deceive the user by forcing him to save his data in the wrong place? Yes, but to achieve this goal, different techniques are possible, much simpler and cheaper to implement.
What do you think should be written in large letters in the instructions for using an Internet data synchronization service like Apple iCloud, from the category “You need to know this to avoid any trouble”?
After you have transferred your data outside of your computer, this data is no longer just yours.