Tuesday, May 25, 2010

10 Major security and privacy issues of your Cloud Services, and solutions.

This article describes some of the major security and privacy issues for your Cloud Services and tools e.g. Google, Salesforce, Amazon, ReadItLater, Delicious, Firefox, LinkedIn, Facebook and Twitter. More importantly, it gives you valuable solutions and tips.

Starting with number 10) Governments, Broadband Operators, Cloud Providers and Hackers can access your data stored in the cloud.

Cloud and Web service providers sometimes make your data public without telling you. Most data in the cloud is not encrypted. Governments like the US and China do not always need a court order to look into your data. All data passing through central nodes is monitored and filtered by several European countries. Hackers can use PDF email attachments and Wireless networks to capture your passwords.
Solution: This is not as big of a problem as it may sound. Your data is usually interesting to someone close to you rather than to some foreign government. There are no good technical solutions to encrypt (protect) all your data. Choose providers that you trust to have good privacy and security. Read this article in order to check if someone else is reading your Gmail: http://www.friedbeef.com/how-to-check-if-your-gmail-account-has-been-hacked/

9) Internet Archive – Your Web-history is saved: your blogs, websites, comments, searches, conversations, emails and what you watch on YouTube.

Many services around the web store historical data. There are even major libraries that try to save all web pages. Google has been heavily criticized regarding its privacy. The most intrusive privacy decisions e.g. what you search, read, chat about and watch is logged, and it is difficult, sometimes impossible, to disable this “History feature”. If you are using several Google Services you are constantly logged into Google. Google stores most of your actions by default. Even other major cloud services have similar issues. The following section is from Facebook Privacy Policy May-2010: “Even after you remove information from your profile or delete your account, copies of that information may remain viewable ...”
  1. Post only if you would not mind seeing your post (today or in 20 years) with your signature on the front page of your local newspaper.
    Also monitor your children's online behavior since they are not familiar with privacy issues. See articles below for Facebook Usage.
  2. Go to https://www.google.com/accounts/ManageAccount?hl=en. From there you should look into all your Google privacy settings.
  3. Don’t use Google Toolbar. Read http://www.gtricks.com/google-tricks/how-to-remove-web-history/ for more similar tips.
  4. You can clear your YouTube history manually (see screenshot below).
  5. Disable Google Web History: go to http://www.google.com/history/?hl=en and click “Pause” (See screenshot below).
  6. Disable Chat History in Gtalk (See screenshot below). You can also disable chat history for your entire Google Apps domain here https://www.google.com/a/cpanel/YOUR_DOMAIN/ChatSettings. The latter is probably the best option since even if you disable your personal chat, the person you are chatting with will probably have their chat history turned on and your chats will be saved there.
Congratulations! Now, only your email history is still available in the cloud, but that's convenient. Just remember, even if you delete an email it's still available in the trash (https://mail.google.com/a/YOUR_DOMAIN/#search/in%3Atrash). The issues mentioned above are still not huge since only Google has this data, and security has been good so far. Please comment on this thread with additional tips on disabling the Google History features.

8) You may lose your valuable Data. Providers' Privacy & Security Policies are not on your side.

Who reads the long and boring legal texts and policies, right? Looking into the Privacy Policies of leading providers you’ll find that you can actually lose your business data or that you don’t own the complete rights to it.
According to Salesforce privacy statement (http://www.salesforce.com/company/updated_privacy.jsp), Salesforce will review, share, distribute, or reference Customer Data and view Individual records of your Customer Data. Well, that's one interpretation of the actual terms below :-).
“Salesforce.com will not review, share, distribute, or reference any such Customer Data except as provided in the salesforce.com Master Subscription Agreement, or as may be required by law. Individual records of Customer Data may be viewed or accessed only for the purpose of resolving a problem, support issues, or suspected violation of the salesforce.com Master Subscription Agreement, or as may be required by law. Customers are responsible for maintaining the security and confidentiality of their salesforce.com usernames and passwords.”
Usually, the legally binding terms you sign up for can be modified at any time by the Cloud Service Providers, but not by you. Amazon Web Services (http://aws.amazon.com/agreement/) writes:
“You agree that we may modify this Agreement or any policy or other terms referenced in this Agreement (collectively, “Additional Policies”) at any time”
Since you might store your data in the Amazon Cloud you might lose it if you get into a conflict, or perhaps for no reason at all. Amazon writes:
“We may suspend your right and license to use Amazon FPS or Amazon DevPay and any associated Amazon Properties, or, if you are only using Amazon FPS, terminate this Agreement in its entirety (and, accordingly, cease providing all Services to you), for any reason or for no reason, at our discretion at any time, immediately upon notice…”
Solution: This is still not a major issue for most people and companies. You can back up your data offline or to another provider. The most important thing you can do is to read the terms to understand what you are getting into.

7) Anyone can see what you are reading or bookmarking.

ReadItLater is maybe the most popular service for bookmarking articles to be read later when you have time. Services like this sometimes make your data available to the public without telling you. Everything on your ReadItLater list is public by default. Bookmarks on Delicious are public by default. This means that anyone can see what you are reading and bookmarking.
Solution: Disable RSS in ReadItLater (see screenshot) and add the following flag to the Delicious Bookmarklet: &share=no
Delicious Bookmarklet

6) What is your opinion?

Please post your comment on what’s missing from this list and I’ll write the best ones here with your reference.

5) Facebook, Facebook, Facebook

OK, this one is obvious. Facebook's default privacy settings make your private data publicly available (your posts, photos, groups and applications). Facebook has also had some major bugs allowing other people to look into your profile, peek into your private chats etc. Your Facebook information is available to external applications, i.e. other companies can download your data. Facebook is giving your data to advertisers. The new Facebook “Like” button can point to any web page, not the one you think you are Liking (this is a permanent bug since there is nothing FB can do about it).
Facebook is not actually a big issue since you can do something about it by following these rules:
  1. Remove all people from your friends list that are not your actual friends. Use LinkedIn instead of Facebook for your connections that are not your friends.
  2. Read this article on how to configure your privacy settings http://www.allfacebook.com/2009/02/facebook-privacy/.
  3. Read this to learn more on Facebook critique http://en.wikipedia.org/wiki/Criticism_of_Facebook
  4. Use the Like-button on credible sites (or logout from Facebook first).
  5. Most important: Post only if you would not mind seeing your post with your signature on the front page of your local newspaper.

4) LinkedIn – A competitor can see your business connections, customers, leads, partners

LinkedIn will by default allow all your connections to see the other connections in your list. This setting is not a problem for most people. However, if you are a business owner, you don’t want your valuable information such as connections, customers, leads etc. to be available for free to your competitors.
Solution: Disable the features as shown in the screenshots below.

3) Anyone might be able to see your location!

Location Aware services are great, can be very useful, and are growing rapidly. You don’t need a GPS. All you need is a device with an IP address or WiFi connection, in other words any modern device. You have probably noticed them when using your iPhone and the Maps application. New web standards allow for the same functionality in your desktop browser. Any web page can ask you for your current location. Google Buzz for mobile and other mobile services have this enabled by default. Most websites will just look at your IP address to approximately guess your location. Many Twitter users post location information within, or as metadata to, their Tweets. Your location information is sensitive and could be used by burglars to rob your house while you are away on vacation etc. There are probably other bad scenarios you can think of.
Solution: Learn more about Location Aware services (e.g. http://en.wikipedia.org/wiki/Location_awareness). Learn more about Google Latitude (http://www.google.com/intl/en_us/latitude/intro.html). Enable your location (if possible) only for you and your family members. Add this blog to your Google Reader and I’ll post more information in the future.
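As an added example (not code from the original post), here is how a web page asks the desktop browser for your location through the W3C Geolocation API, and how a careful page handles the case where you refuse the prompt or the browser does not support it. The `nav` parameter and the fake navigator objects are assumptions so the function can be exercised outside a browser; in a real page you would pass `window.navigator`.

```javascript
// Ask the browser for the user's position. The browser shows a permission
// prompt; the page only learns the location if the user allows it.
function requestLocation(nav, onResult) {
  if (!nav || !nav.geolocation) {
    onResult({ status: "unsupported" });
    return;
  }
  nav.geolocation.getCurrentPosition(
    function (pos) {
      // Keep only ~1 km precision: a page should store no more than it needs.
      onResult({
        status: "granted",
        lat: Math.round(pos.coords.latitude * 100) / 100,
        lon: Math.round(pos.coords.longitude * 100) / 100,
      });
    },
    function (err) {
      // Error codes defined by the Geolocation API:
      // 1 = PERMISSION_DENIED, 2 = POSITION_UNAVAILABLE, 3 = TIMEOUT.
      var reason = { 1: "denied", 2: "unavailable", 3: "timeout" }[err.code] || "error";
      onResult({ status: reason });
    },
    // Low accuracy and a cached fix are enough for most pages.
    { enableHighAccuracy: false, timeout: 5000, maximumAge: 600000 }
  );
}

// Constructed fake navigators standing in for the outcome of the browser prompt
// (assumption made so the example runs without a browser).
function fakeNavigator(outcome) {
  return {
    geolocation: {
      getCurrentPosition: function (ok, fail) {
        if (outcome === "allow") ok({ coords: { latitude: 59.3293, longitude: 18.0686 } });
        else fail({ code: 1, message: "User denied Geolocation" });
      },
    },
  };
}

// Run the request against a fake and return the result for inspection.
function runWith(outcome) {
  var result = null;
  requestLocation(outcome === "none" ? {} : fakeNavigator(outcome), function (r) { result = r; });
  return result;
}
```

The rounding in the success callback is the defensive part: even when the user allows the request, the page keeps only a coarse position rather than the exact coordinates.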

2) …and the biggest security issue is: Anyone with access to your PC can see your Web passwords!

Firefox is currently the best Web Browser. This issue however applies to all Firefox users. Go into Menu->Settings->Saved Passwords->Show Passwords. All your passwords are visible in plain text! With this information a person can hijack your business data, social accounts, email and domains.
Solution: Disallow access to your PC and/or use a Master password in Firefox (Options->Security->Master Password). You should also use different passwords depending on security level. Save only passwords with a low or medium security level when prompted by Firefox. Keep passwords with high security in your head and/or a safe location. Remember: Web browsers are not very safe.

1) …and the biggest privacy issue is: Your Boss sees what you are really up to!

Most privacy intrusions will happen with somebody who is interested in you, someone close, like your Manager :) This example applies to all Google Apps users (and probably other similar systems). I, as an Admin in Google Apps, can see all calendars in the domain and there is no way for me to disable this feature. This is not a bug according to Google and they currently have no intention of changing this. If you work at a small company and you are using Google Apps you will have to rely on your boss's integrity that he/she will not peek into your private data.
Solution: Use a private Google Account for private email, Calendar etc.
Follow wedran on Twitter