Image: “password” by fixedgear via Flickr

Friends and colleagues have been expressing doubt about entrusting their data to “The Cloud”, especially in light of the recent high-profile attacks on the CIA, the Senate, and Sony (among many others). As educators are increasingly adopting cloud-based tools in instruction, it’s very important to have a clear idea of what we’re really talking about here, and to clear up as much FUD as possible.

“The Cloud” is not one thing—while the many recent hacks are being lumped together in the mainstream media, there were different circumstances in each case, and each teaches us a different lesson about online security.

The Sony hack was a particularly bad one because they stored all their users’ passwords in un-encrypted text. Since so many people use the same password for multiple online services, it’s likely that your PlayStation password is also the password you use for your email, your bank, and your PayPal account. Hackers got these poorly protected passwords, and Sony didn’t notify the public for 5 days, so the hackers had a field day with the data and got into several other accounts.

Lessons:

1. Use unique strong passwords for all of your different “cloud” accounts. This way, if one password gets compromised it does not open up all the rest of your accounts as well. Using a password manager like LastPass can help (I swear by it), or you can create a hard-to-guess-but-easy-to-remember password formula.

2. Don’t store your passwords in your browser’s memory. Again, LastPass is great for this because it encrypts them.

3. Investigate the security practices of cloud services you trust with your sensitive data.
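To make the Sony lesson concrete, here is an added example (not code from the original post, and not anything Sony ran) showing in Python the difference between a service that keeps your password as plain text and one that keeps only a salted, slowed-down hash of it. Strictly speaking, a well-run service should not “encrypt” passwords at all but store a one-way hash with a random per-record salt, which is what `store_hashed` does. The sample password and the record format are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample: one password a user has reused on several services.
PASSWORD = "correct horse battery staple"


def store_plaintext(password: str) -> str:
    """What a plaintext store keeps: the password itself.
    Anyone who reads this record learns the password, and with it
    every other account where the user reused it."""
    return password


def store_hashed(password: str, iterations: int = 100_000) -> str:
    """Salted PBKDF2-HMAC-SHA256 record (record layout is this example's own).
    A fresh random salt per record means the same password yields a
    different digest in every service's database, so one leak does not
    hand attackers a lookup key for the others."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_hashed(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and
    compare in constant time; the original password is never stored."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def leaked_record_reveals_password(record: str, password: str) -> bool:
    """Would someone who copied this record learn the password directly?
    True for the plaintext store, False for the hashed one."""
    return password in record


if __name__ == "__main__":
    plain = store_plaintext(PASSWORD)
    hashed_a = store_hashed(PASSWORD)
    hashed_b = store_hashed(PASSWORD)  # same password, second service
    print("plaintext record leaks password:", leaked_record_reveals_password(plain, PASSWORD))
    print("hashed record leaks password:   ", leaked_record_reveals_password(hashed_a, PASSWORD))
    print("two services, same password, same record?", hashed_a == hashed_b)
    print("login still works against the hash:", verify_hashed(PASSWORD, hashed_a))
```

The point for lesson 3 above: when you investigate a service’s security practices, “we hash and salt passwords” is the answer you want to hear, and a unique password per service (lesson 1) is what limits the damage when a service gets it wrong anyway.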

Some of the most high-profile attacks by LulzSec (like the CIA & Senate website attacks) were Denial of Service (DoS) attacks—meaning that they did not actually gain access to any unprotected data. A DoS basically floods a website with so many requests that it can’t process them all and the website goes offline temporarily. It’s like getting everyone you know to go ring someone’s doorbell one after another until they stop answering the door. It might drive that person nuts, but it also doesn’t open the door. These attacks are now commonly performed with botnets—large armies of computers infected with viruses that allow one hacker to direct millions of computers (often unbeknownst to their owners) to access the target website and bring it down. Large cloud services like Amazon and Google are designed to withstand these attacks by re-allocating their enormous computing resources to meet all the requests and keep the websites up and running during the attack. Smaller servers without as many resources are most vulnerable to DoS attacks.
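Here is an added example (not from the original post) of what a flood looks like from the server operator’s side: a small Python detector that reads ordinary web-server access-log lines and flags any client that sends more than a threshold of requests inside a sliding time window. The log lines, IP addresses and timestamps are constructed for the example; the thresholds are illustrative, not recommendations.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def make_line(ip: str, second: int, path: str = "/") -> str:
    """Build one constructed log line at 10:00:<second> on a fixed date."""
    return f'{ip} - - [15/Jun/2011:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample traffic: one ordinary visitor with three page views over
# ten seconds, and one client hammering the front page 60 times in the same
# ten seconds (the "doorbell" pattern from the paragraph above).
SAMPLE_LOG = (
    [make_line("198.51.100.7", s) for s in (0, 4, 9)]
    + [make_line("203.0.113.5", s % 10) for s in range(60)]
)


def parse_line(line: str):
    """Return (ip, timestamp) for a well-formed line, or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts


def find_floods(lines, window_seconds: int = 10, threshold: int = 30) -> dict:
    """Map each client that exceeded `threshold` requests within any
    `window_seconds` span to the peak request count seen in such a span."""
    recent = defaultdict(deque)  # per-client timestamps inside the window
    peaks = {}
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[1])  # logs may be written slightly out of order
    for ip, ts in events:
        q = recent[ip]
        q.append(ts)
        # drop requests that have fallen out of the window
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


if __name__ == "__main__":
    for ip, peak in find_floods(SAMPLE_LOG).items():
        print(f"{ip}: {peak} requests inside a 10 s window")
```

The caveat the paragraph hints at with botnets: per-client counting like this catches a single noisy source, but a botnet spreads the same flood across thousands of addresses that each stay under the threshold, which is why the defence the post describes is capacity (absorbing the total load) rather than just blocking individual IPs.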

Lessons:

1. Use virus protection software on your computer and perform all necessary updates as soon as they’re released.

2. Keep your browser & plugins up to date. This tool will scan your browser and plugins for security vulnerabilities.

Of course, LulzSec and others have been perpetrating more sophisticated attacks than DoSes. They have been exposing security flaws in their targets’ websites which will eventually lead to better security practices across the board. I know it has forced me to be more careful with my personal security practices and it has been pretty easy to do. (My data was exposed in the Sony hack and last year’s Gawker hack, but I’ve taken some simple steps to minimize the damage that anyone can do.)

In the meantime, there is a lot you can do to protect yourself online—even in “The Cloud”.
