By Michael Stout

As if existing in the ether – it’s everything, it’s everywhere – the Cloud is just always there. And it has been in the news a lot lately thanks to a major hack that leaked nude photos of well-known and very attractive celebrities.

I travel a lot and rather than relying on portable hard drives or USB sticks, I take full use of the Cloud to store my data and data backups. I have three Cloud accounts from different services, each having its own purpose in my data management strategy. I also use the other Cloud services as a guest for customers. So despite the latest news I really don’t lose any sleep over the safety of the Cloud as the mechanisms to protect it are beyond my control. So I focus on what I can control, which is my access to it.

Attacks on the Cloud take place every day, but the nature of Cloud infrastructure allows for redundancy and attack mitigation so that most users don’t realize what is going on.

Recent attacks on the Cloud infrastructure were the NTP Amplification and DNS Amplification attacks. NTP is the Network Time Protocol, which keeps the time synchronized on the Internet and business systems. It’s a service out there waiting to be queried and will deliver its information quickly and with little overhead. The same can be said for DNS. The Domain Name System is used to resolve Fully Qualified Domain Names (i.e. www.michaelstout.com) to IP addresses (37.148.20.1) to simplify surfing the Internet.

In these types of attacks, the attacker exploits the connectionless characteristics of the User Datagram Protocol (UDP) used by NTP and DNS. Other common services that use UDP, and that ordinary users will recognize, are streaming applications such as VoIP, music or video conferencing. With these services some data can be dropped with little or no noticeable degradation on the other end.

Understanding the vulnerability of UDP requires a basic understanding of how the three-way handshake is used by the Transmission Control Protocol (TCP) to send and verify receipt of data throughout the transfer process.

TCP is commonly used to transfer data when every packet, every byte and bit is necessary on the other end to recreate the object being requested.

Downloading programs or webpages is a good example of this. Using TCP and the HTTP protocol, a user requests to access a webpage. When they do this, their Source IP requests to synchronize with the Destination IP of the web server. If the web server is available, it will acknowledge the Source IP’s synchronization request and send its own request to synchronize with the Source IP. The Source IP in turn will acknowledge the destination IP’s synchronization request and this will form a socket allowing the data to be transferred between the two IP addresses. Fortunately for the common user, this is automated and takes place under the hood away from their control and barring a man-in-the-middle attack, the transfer of data is relatively safe, although encryption is always recommended.

Because of the check and double-check nature of the TCP connection, TCP is referred to as connection-oriented. UDP is not, because it is connectionless: UDP simply sends or requests data to a destination and trusts the right thing will happen. In the case of the above attacks, the Source IP address of the request was spoofed to be the IP address of the target. Because the Source IP is spoofed, all the traffic generated by the Destination IP in reply is delivered to the spoofed Source IP, that is, to the target. So targeting a third party is as simple as changing the Source IP of the attacker to the IP of the target. As there is no three-way handshake there is no verification, and the Destination IP simply replies back to the Source IP.

When this is amplified by sending it to hundreds or thousands of NTP or DNS servers, a very nice Distributed Denial of Service attack rains down on the target, depleting its resources and ability to respond to legitimate traffic.
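Seen from the target’s side of the network, the pattern described above is a flood of DNS and NTP replies from many servers the target never queried. The following check, an added example that is not from the article, scans constructed UDP flow records (fields and sample addresses are assumed) and flags any host that receives reply bytes from several DNS/NTP servers far out of proportion to the request bytes it sent them:

```python
from collections import defaultdict

# Constructed sample flow records (not from the article): one record per UDP flow.
# Fields: src_ip, src_port, dst_ip, dst_port, bytes
FLOWS = [
    # Legitimate: 198.51.100.7 asks one NTP server and gets a small reply back.
    ("198.51.100.7", 51000, "203.0.113.10", 123, 48),
    ("203.0.113.10", 123, "198.51.100.7", 51000, 48),
    # Reflection: many NTP/DNS servers answer 198.51.100.20, which never asked them.
    ("203.0.113.11", 123, "198.51.100.20", 40001, 4800),
    ("203.0.113.12", 123, "198.51.100.20", 40001, 4800),
    ("203.0.113.13", 53, "198.51.100.20", 40002, 3200),
    ("203.0.113.14", 53, "198.51.100.20", 40002, 3200),
    ("203.0.113.15", 123, "198.51.100.20", 40001, 4800),
]

REFLECTOR_PORTS = {53, 123}   # DNS and NTP server ports


def find_reflection_victims(flows, min_reflectors=3, min_ratio=10.0):
    """Return {victim_ip: (reflector_count, reply_bytes, request_bytes)} for
    hosts that receive far more DNS/NTP reply bytes than they sent as requests.
    The ratio divides by max(request_bytes, 1) so a host that sent nothing at
    all (the spoofed-source case) still scores as a victim."""
    replies = defaultdict(lambda: [set(), 0])   # dst -> [reflector set, bytes]
    requests = defaultdict(int)                 # src -> bytes sent to DNS/NTP
    for src, sport, dst, dport, nbytes in flows:
        if sport in REFLECTOR_PORTS:            # a reply coming from a server
            replies[dst][0].add(src)
            replies[dst][1] += nbytes
        elif dport in REFLECTOR_PORTS:          # a request going to a server
            requests[src] += nbytes
    victims = {}
    for host, (reflectors, reply_bytes) in replies.items():
        sent = requests.get(host, 0)
        ratio = reply_bytes / max(sent, 1)
        if len(reflectors) >= min_reflectors and ratio >= min_ratio:
            victims[host] = (len(reflectors), reply_bytes, sent)
    return victims


if __name__ == "__main__":
    for ip, (n, got, sent) in find_reflection_victims(FLOWS).items():
        print(f"{ip}: {got} reply bytes from {n} reflectors, {sent} request bytes sent")
```

The legitimate client is not flagged because it talked to a single server and the reply was the same size as its request.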

Sadly for the common user, mitigating these types of attacks is beyond their control. There are services available that can absorb the attacks or deflect them, but these are in the realm of enterprise environments.

Which brings me back to addressing things I can control in my Cloud strategy.

The attack against Apple’s iCloud service gained a lot of attention not because it took the service out but because of the amount of personal data that was copied (or stolen, if you prefer). iCloud allows users to store documents, photos, calendar events, contact information and the location of iOS devices. It may be surprising that this attack was relatively low tech, using two of the oldest attack vectors in the hacker’s bag of tricks.

Hackers discovered that by simply sending a fake e-mail to targeted users, an attack vector known as spear-phishing, they were able to get users to give up their user names. Having the user name gave them half of the login credentials. The hackers then used an automated tool to conduct a brute force attack on the account. A brute force attack simply tries every possible password combination until successful. Boom, the hacker is in and owns your data.
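A brute force attack of the kind described above leaves a distinctive trace in a service’s authentication log: a burst of failed logins against one account, then a success. The following detector is an added example, not code from the article or from Apple; the log format and the sample lines are constructed for illustration:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article or any real service).
AUTH_LOG = """\
2014-09-01T10:00:01Z login user=alice result=FAIL src=203.0.113.5
2014-09-01T10:00:02Z login user=alice result=FAIL src=203.0.113.5
2014-09-01T10:00:02Z login user=alice result=FAIL src=203.0.113.5
2014-09-01T10:00:03Z login user=alice result=FAIL src=203.0.113.5
2014-09-01T10:00:03Z login user=alice result=FAIL src=203.0.113.5
2014-09-01T10:00:04Z login user=alice result=OK src=203.0.113.5
2014-09-01T10:05:00Z login user=bob result=FAIL src=198.51.100.9
2014-09-01T10:05:30Z login user=bob result=OK src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) result=(?P<result>OK|FAIL) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, user, result, src) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["user"], m["result"], m["src"]


def find_brute_force(text, max_failures=5, window=timedelta(minutes=1)):
    """Return {user: failures_before_success} for accounts where at least
    `max_failures` failed logins inside `window` were followed by a success,
    i.e. a likely guessed password.  Lines are assumed to be in time order."""
    recent = defaultdict(list)   # user -> timestamps of failures still in window
    hits = {}
    for ts, user, result, _src in parse_log(text):
        fails = [t for t in recent[user] if ts - t <= window]
        if result == "FAIL":
            fails.append(ts)
            recent[user] = fails
        else:
            if len(fails) >= max_failures:
                hits[user] = len(fails)
            recent[user] = []           # a success resets the failure burst
    return hits


if __name__ == "__main__":
    for user, n in find_brute_force(AUTH_LOG).items():
        print(f"{user}: {n} failed logins then success, review this account")
```

The same burst-of-failures signal is what a service can act on with a lockout or the e-mail notification mentioned later in this article; bob’s single typo is ignored.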

So is The Cloud safe? Well, as with all information security, it is as safe as the weakest link.

If you are concerned with the infrastructure and availability, use a major Cloud service provider. Chances are they will have the redundancy, encryption and attack mitigation procedures in place, as their business relies on their reputation for allowing you access to your data on demand.

Have a backup of your data available should there be an outage. If you are concerned about your personal data being copied, use all of the security features available. If multi-factor authentication is an option, use it. If e-mail notifications are available (which was Apple’s improvement after their security problem), configure them.

Use a complex password, including uppercase and lowercase letters, numbers and symbols. If you are lucky enough to not have a U.S. international keyboard, use an obscure letter or symbol in your password such as £ or Ø. This may not help in the case of an exhaustive brute force attack, but it can help if the attacker is using a dictionary of passwords to attack your login.

Change your password as often as you think of it or at least regularly.

Do not access the Cloud from computers that are not secure. No airport kiosks, no public computers. A simple key logger installed on a public computer will give up your password faster than a brute force attack. Back up your Cloud data and store it in a safe place. And most of all, don’t put anything on the Cloud that you wouldn’t want anyone to see.

Barring an international disaster, the redundancy Cloud services offer is enough to keep me satisfied that my data is available when I need it. Knowing I control the access to it and that I take a proactive approach adds to my confidence that my data is secure.

Besides, I just don’t think there is a market for naked photos of 49-year-old information security consultants.

Michael Stout is an American information security consultant based in London.