I’m glad the first part of our In-the-Spotlight series featuring Costin G. Raiu received so much attention and positive feedback on both Twitter and Facebook.
My special guest today is Aleks Gostev, Chief Security Expert at KL and highly valued member of the company’s Global Research & Analysis Team (GReAT).
Aleks is a unique multi-disciplinary infosec guy – one of the world’s most prominent security experts, who regularly appears in the mass media in interviews or writing op-eds. He became involved in anti-malware research in 1996 when he founded an anti-virus expertise center in the Komi Republic – a large territory in the North-West of Russia. Since 1998 he’s been Project Coordinator of Wildlist Russia – an initiative aimed at collecting and analyzing data about malware outbreaks in the country.
We first met in 2002, and I recall I felt he was the right guy for the company from the word go. Our first chat went something like:
- Birth date?
- Mine or the wife’s?
Nice! That convinced me to give him a job tout de suite, and frankly speaking I’ve never regretted it. Aleks’ first big assignment was dealing with the notorious Slammer (Helkern) worm, which caused a major Internet outage in South Korea and infected hundreds of thousands of computers worldwide. He managed the case perfectly: we were one of the first AV companies to report the outbreak and provide protection.
Aleks founded and led the Global Research & Analysis Team (GReAT) from 2008 before moving to his current position as Chief Security Expert with the team in 2010. Aleks analyzes all aspects of information security, with a focus on new threats and global outbreaks. His responsibilities include deep investigation of new malware and expert positioning of Kaspersky Lab. He is also editor-in-chief of Securelist. Before joining the company in 2002 he held various IT and security related positions in both public and private organizations.
He also does lots of rock climbing, traveling and extreme sports:
However, in this spotlight piece we will concentrate on Aleks’ expertise in cloud security.
It seems everybody is talking about the cloud nowadays. Cloud this, cloud that, yada, yada, yada. Of course the cloud is a cool thing, providing new tech possibilities and speeding up protection. But is it really all it’s cracked up to be? Wouldn’t there be inevitable security vulnerabilities we’d be exposed to if we completely relied on the cloud in our daily work?
The recent announcement of Apple iCloud becoming available this fall is of course contributing to the hype, but it failed to mention many of the security issues that users should be aware of when considering using the cloud.
Apple has stated that the future will belong to cloud-based services – since the cloud approach bypasses all the risks connected with spam, virus infections, botnets and other threats, which arise when one connects to the Internet directly. What do you think about that? Do you agree?
I agree that cloud technologies have a bright future. However, I don’t think we should exaggerate their capabilities and role in information security.
Use of cloud technologies does not eradicate spam and viruses; in fact it does just the opposite – it further increases the risks they pose! What’s more, cloud technologies are already used by cybercriminals themselves. It’s widely known that cloud resources are used for mass spam mail-outs, viruses, phishing, storing stolen personal data, and so on.
And we shouldn’t forget the risks of loss of data stored in clouds or unsanctioned access to that data by third parties. To contend that storing data somewhere other than one’s personal device in some way solves the problem of that device being infected I would say is rather rash or naïve, or both. Personal devices need to connect to the cloud anyway and, if infected, they can present hackers with access to the cloud too.
Cloud technologies were never intended to be a way of solving information security issues. Indeed, the essence of cloud technologies makes them more suitable for other uses. We view skeptically any assurances companies make about the security of their cloud solutions. Worst of all is the fact that most users believe the security is 100% guaranteed, and thus let their guard down and conduct themselves in a more relaxed and carefree way.
In regard to how firm a grasp Apple has of the reality of contemporary cyber-threats, here we need look no further than the gradual move from its position of “antivirus for Mac isn’t needed since Macs aren’t affected by viruses”, to the creation of its own antivirus scanner built into OS X (read more here and here) and to the publishing of special items on solving problems its users encounter after becoming victims of the latest Trojan for Macs.
Still on the theme of Apple’s cloud offerings, in your opinion, how much risk is involved in using iCloud from the point of view of security of personal data? Should iCloud be responsible for the safety of the personal data of users from different countries? If yes, then which country’s laws on non-disclosure should be applied?
As I’ve already touched upon, if a hacker has access to your computer, he or she has access to your data in the cloud too. Besides, apart from attacks on users themselves – on both their computers and on their cloud-stored data in the cloud – hackers get a further target to attack – the cloud itself. And if the security system of the cloud is breached the data of all users stored in it may be stolen.
The Apple iCloud is located in the USA. The locations of its data-centers are well known, and any experienced user can easily establish exactly where his data are being sent. From the legal standpoint these data fall under the jurisdiction of US law – based on both the location of the storage and the fact that the cloud belongs to Apple, which is a US firm.
I haven’t yet seen the end-user license agreement (EULA) of iCloud, but I imagine that as per tradition users will be offered an “as is” arrangement with limited liability for the operator. For paid accounts the situation may be different, but it’s clear that to take Apple to court in the US and win for loss of personal data, for example, from India, will be no cakewalk.
In its announcement about iCloud, Apple said that the cloud will also be used for transferring emails. Will this pose any danger to users in terms of the risk of divulgence of private correspondence?
The risk of divulgence of private correspondence has existed for years for users of public web mail services like Hotmail and Gmail. Any information that is stored on servers can be obtained, for example, by law enforcement agencies with a court order, and so on.
More and more businesspeople and officials are using Apple products, while at the same time the dividing line between corporate and personal use of mobile devices is fast becoming blurred. In signing up for Apple iCloud for home needs (personal photographs, music, e-books, etc.), is it possible that business users could accidentally transfer business information to the cloud? Could the security service of a company or state body control/prevent this?
Yes, what you’ve just described is a significant trend in modern consumerized life. Personal devices are used for work purposes and vice-versa. Without a doubt data loss from the cloud is bound to occur, and not infrequently.
Consumerization in the new IT landscape is forcing the new data security issue onto the agenda. Organizations will need to develop and introduce a new generation of security policies that will need to take this IT consumerization into account. What is encouraging is that the IT security industry is already offering the necessary range of security tools and is ready to adapt to the ever changing environment and develop the required new technologies.
Concerning writers, designers, artists, scholars, scientists, musicians, and others from creative/research persuasion who regularly work on their computers at home and create intellectual property – do you think they’ll be signing up for the cloud?
By all means. One needn’t think that absolutely everything that gets into the cloud will become accessible to someone else.
It is on the trust users put into the cloud that its existence depends. If there’ll be no trust – the technology will wither away and die. At present a degree of trust exists, but it could go either way yet. Of course, the recent hack into the Sony PSN (details here, here and here), where just a single break-in caused personal data loss of millions of users, in no way helps raise trust.
The future will show whether the trust will go up or down. For now, for those who may want to use the cloud but are afraid of personal data leakage, I’d recommend using extra encryption.
From the standpoint of information security, what other unpleasant surprises could users expect in giving all their digital possessions to the Apple cloud, or, in fact, any cloud service?
In addition to all that we’ve already discussed above, let me say that risks exist concerning the accessibility of the cloud itself. The example of the attacks on Sony’s PSN service, which brought the whole cloud down in one fell swoop is an illustration of this: there may be times when you may not be able to receive your data when you need them. And I do not rule out the appearance of malware that will infect devices and then shut down access to the cloud and, for example, demand money for reconnection. The different scenarios relating to different threats and problems are many.
How vulnerable do you think cloud structures like iCloud are to hackers’ break-ins? Is it possible that fake clouds could appear that imitate iCloud? If yes, how can a user be sure that the contents of his or her computer are scanned by the Apple service, and not cybercriminals pretending to be Apple?
I wouldn’t really want to theorize about Apple’s cloud services’ vulnerabilities here. On the one hand, to give a reasonable answer I’d need to get to grips with the finer details of how it will all be organized, and I don’t have such a possibility. On the other hand, information on vulnerable points we first give to the owners of the companies for remedying problems, not the general public. On the whole though, I think the most vulnerable point in the system will be the end user – the client who interacts with the cloud.
The appearance of fake clouds I guess is possible, but I don’t really see much point in their existence. Would this be to con the user, to have him/her save data where he/she shouldn’t? Well, one can use many different technical approaches to achieve this aim – ones that are much simpler and cheaper to implement.
What in your opinion should be written in big letters in the user instructions for an Internet data synchronization service similar to Apple iCloud – along the lines of “what it is vitally important to understand to avoid any unpleasant surprises”?
“After you transfer your data outside the confines of your computer, that data is already not only yours”!
Thanks Aleks. Let’s return to iCloud once the service is up and running this fall!