
Cloud Computing and Cybercrime 2.0


Nir Kshetri, The University of North Carolina--Greensboro

Addressing security challenges on a global scale, Geneva, 6-7 December 2010


Concerns about privacy and security in the cloud

Security/privacy: topmost concerns in cloud adoption decisions, not TCO (Brodkin 2010).

IDC report (Oct. 2008): security concern was the most serious barrier to cloud adoption.

IDC poll (April 2010) (Asia Pacific): < 10% of respondents confident about cloud security measures.

Harris Interactive survey for Novell (Oct. 2010): 90% concerned about cloud security; 50% security concerns primary barrier to cloud adoption; 76% private data more secure when stored on the premises; 81% worried about regulatory compliance.

A commonplace observation: cloud providers offer sophisticated services but perform weakly in policies/practices related to privacy/security.

Cloud: “a largely nascent technology”


Cloud is an opportunity for cyber-criminals as well

Observation: Cloud will make "Healthcare2.0", "Banking2.0" and "Education2.0" realities, especially in developing countries (Economist 2008).

Cyber-criminals’ perspective: opportunity for online criminal practices to upgrade to cybercrime2.0.

The cloud’s diffusion and that of social media have been superimposed onto organizations’ rapid digitization in a complex manner that allows cyber-criminals and cyber-espionage networks to exploit the cloud’s weaknesses.


A framework for understanding security and privacy issues facing the cloud


Institutional factors affecting security/privacy in cloud

Cloud-related legal system/enforcement mechanisms evolving slowly (e.g., will legislation in the jurisdiction of the user’s, the provider’s or the data’s location govern the protection of the data?)

Overreach by law enforcement agencies.

Professional/trade associations: emerging and influencing security and privacy issues.

Industry standards organizations: address some concerns.

Concern about dependency on cloud vendors’ security assurances and practices.

Cloud users’ inertia effects.


Technological factors affecting security/privacy in cloud

The cloud’s newness and unique vulnerabilities

Attractiveness and vulnerabilities of the cloud as a cybercrime target: value of data in the cloud; criminal-controlled clouds

Nature of the architecture: virtual and dynamic; sophistication and complexity


Cloud’s newness/unique vulnerability

Evolution and popularity of virtualization technology: new bugs, vulnerabilities and security issues are proliferating (Brynjolfsson et al. 2010).

Cloud: unfamiliar terrain for security companies.

Lack of mechanisms to guarantee security and privacy: an uncomfortable reality for cloud providers.

Dawkins (1982): rare enemy syndrome, a helpful theoretical perspective: victims often fall for new, unfamiliar baits or lures.

The enemy’s manipulation is so rare that evolutionary development has not yet progressed to the point that the victim has an effective counter poison.


Cloud’s newness/unique vulnerability (cont.)

A problem: a user may be able to access sensitive portions of the provider’s infrastructure as well as resources of other users (Armbrust et al. 2010).

August 2010: the U.S. National Institute of Standards and Technology announced a vulnerability: a user can cross from one client environment to other client environments managed by the same cloud provider (NIST 2009).

Forensically challenging in the case of a data breach:

Some public cloud systems may store and process data in different jurisdictions, with different laws (McCafferty 2010).

Some organizations may encrypt data before storing (Taylor et al. 2010).


Attractiveness/vulnerability as a cybercrime target: Value of data in the cloud

Target attractiveness = f (perceptions of victims).

Monetary or symbolic value and portability (Clarke 1995).

Accessibility: visibility, ease of physical access, and lack of surveillance (Bottoms & Wiles 2002).

Large companies’ networks offer more targets.

Cloud suppliers bigger than clients: more attractive targets.

Offers a high “surface area of attack” (Talbot 2010).

One fear: IP and other sensitive information stored in the cloud could be stolen.

Cloud providers may not notify their clients.

Underreporting of cybercrimes: embarrassment, credibility/reputation damage, stock price drop.


Attractiveness/vulnerability: Value of data in the cloud

Late 2009: Google discovered a China-originated attack on its cloud infrastructures.

The attack was part of a larger operation, which infiltrated infrastructures of at least 20 other large companies.

Information stored in clouds: potential goldmine for cyber-criminals (Kshetri 2010).

Early 2010: Yale University postponed plan to move Webmail service to Google Apps tailored for students and faculty.

Reason: Google's size and visibility make it more susceptible to cyber-attacks.


Attractiveness/vulnerability as a cybercrime target: Criminal-controlled clouds

The cloud is potentially most vulnerable when viewed against the backdrop of criminal-owned clouds operating in parallel.

Diamond is the only material hard enough to cut diamond effectively.

Criminal-owned clouds may be employed to effectively steal data stored in clouds.

Cloud may provide many of the same benefits to criminals as to legitimate businesses.


Attractiveness/vulnerability: Criminal-controlled clouds

The Conficker virus

Most visible example of a criminal-owned cloud.

Arguably the world’s biggest cloud.

Controls 7 million computer systems.

230 regional and country top-level domains.

Bandwidth capacity of 28 terabits per second.

Larger footprint/resources: spreads malware to control more computers.

Less active recently but is still a threat.

Last major Conficker attack: April 2009.

Last reported attack: February 2010 on the network of Manchester police department (U.K.).


The Conficker cloud

Conficker is available for rent.

Criminals can choose the location where they want to rent the Conficker cloud.

Pay according to the bandwidth they want.

Choose an operating system.

Customers have a range of options for the type of services to put in the Conficker: denial-of-service attack; spreading malware; sending spam; data exfiltration (Mullins 2010).


The cloud as the ultimate spying machine

Cyber-espionage2.0.

Easier for governments to spy on citizens.

A Google report: governments' requests for private information and to censor its applications.

Apr. 2010: Report on Shadow network. Targets: Indian Ministry of Defense, the UN, the Office of the Dalai Lama.

The report noted: “Clouds provide criminals and espionage networks with convenient cover, tiered defences, redundancy, cheap hosting and conveniently distributed command and control architectures” (IWMSF 2010).

Atmosphere of suspicion/distrust among states.

U.S.-China trade and investment policy relationship.


Concluding comments

Too simplistic to view the cloud as a low-cost security.

Legitimate/illegitimate organizations and entities: gaining access to data on clouds through illegal, extralegal, and quasi-legal means.

Technological and behavioral/perceptual factors: equal consideration in the design/implementation of a cloud network.

New institutions and the redesign of existing institutions needed to confront emerging security and privacy problems.

Existing institutions are thickening.

Privacy and security issues related to the cloud undergoing political, social, and psychological metamorphosis.


References

Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R., Konwinski, A., Lee, G., Patterson, D., Rabkin, A., Stoica, I., & Zaharia, M. (2010). A View of Cloud Computing. Communications of the ACM, 53(4), 50-58.

Bottoms, A. E., & Wiles, P. (2002). Environmental criminology. Oxford Handbook of Criminology, 620-656.

Brodkin, J. (2010). 5 problems with SaaS security. Network World, 27(18), 1-27.

Brynjolfsson, E., Hofmann, P., & Jordan, J. (2010). Cloud Computing and Electricity: Beyond the Utility Model. Communications of the ACM, May 2010, 53(5), 32-34.

Dawkins, R. (1982). The extended phenotype. Oxford University Press.

Information Warfare Monitor/Shadowserver Foundation (2010). Shadows In The Cloud: Investigating Cyber Espionage 2.0, Joint Report: Information Warfare Monitor Shadowserver Foundation, JR03-2010, April 6, http://www.utoronto.ca/mcis/pdf/shadows-in-the-cloud-web.pdf

Kshetri, N. (2010). Cloud Computing in Developing Economies. IEEE Computer, October, 43(10), 47-55.

McCafferty, D. (2010). Cloudy Skies: Public Versus Private Option Still Up In The Air. Baseline, 103, 28-33.

Mullins, R. (2010). The biggest cloud on the planet is owned by ... the crooks: Security expert says the biggest cloud providers are botnets, March 22, 2010, available at http://www.networkworld.com/community/node/58829?t51hb. Accessed July 24, 2010.

NIST (2009). Vulnerability Summary for CVE-2009-3733, 08/21/2010, The US National Institute of Standards and Technology, available at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3733.

Owens, D. (2010). Securing Elasticity in the Cloud. Communications of the ACM, Jun 2010, 53(6), 46-51.

Talbot, D. (2010). Security in the Ether. Technology Review, 113(1), 36-42.

Taylor, M., Haggerty, J., Gresty, D., & Hegarty, R. (2010). Digital evidence in cloud computing systems. Computer Law & Security Review, May 2010, 26(3), 304-308.
