Welcome!

Eclipse Authors: Pat Romanski, Elizabeth White, Liz McMillan, David H Deans, JP Morgenthal

Related Topics: Eclipse, Java IoT, Containers Expo Blog, @CloudExpo

Eclipse: Article

SMB Cloud Is A Hacker's Paradise

User Ignorance, Provider Apathy, and Hidden Cost Make Cloud A Big Risk for Small Business

Cheaper, Easier, Scarier -

Small and medium-sized businesses are increasingly turning to cloud computing as an easier, cheaper alternative to in-house IT or shared and dedicated server hosting solutions. And, they are finding social media to be an accessible, inexpensive way to build brands, distribute content, and assist customers.

Correspondingly, cloud services and social networking providers are increasingly targeting the SMB segment for revenue they can't get from consumers and margins they can't get from large businesses.

Meanwhile, abetted by user ignorance, provider apathy, and the high cost of security solutions, hackers are turning to cloud computing and social media as an easier, cheaper alternative to botnets; and they are finding small business tenants and users to be accessible, inexpensive targets for crime and violence.

The biggest cloud security problems are largely unique to SMB and often ignored and downplayed by naïve or cynical cloud boosters, but they are real and growing faster than public awareness or available solutions. Consumers using public clouds primarily for storage and backup or using social networks for communication and file sharing are already pretty safe and getting safer. And, enterprises using private clouds for IT flexibility and efficiency or using social networks for crowdsourcing and brand building are also not facing particularly higher risks than with other, more established technologies.

However, small and medium businesses are increasingly using public clouds for business applications and commercial web sites, and they are using social networks for collaboration, communication and customer care. In so doing, they are leaving themselves open to a growing array of risks from an increasing number of sources. These include Distributed Denial or Service Attacks (DDoS), receiving and spreading trojans and other malware, criminal extortion, competitive dirty tricks, phishing and spoofing attacks, and more.

People in small businesses often think that hackers are only interested in attacking large companies and government agencies, but that is not true.  Most large enterprises employ concentrated IT resources that are very difficult to hack and not of much value to most exploits.

Most hacking schemes benefit from the availability of large numbers of unprotected systems.  In the past, this has mainly meant personal computers in homes and small businesses and, to a lesser extent, distributed embedded and industrial systems.  But, now it also includes cloud-based virtual servers.  One such server, closely connected to fast fiber, can do the dirty work of many compromised home computers.  This makes the less secure cloud hosting infrastructure increasingly used by small businesses a very attractive target for hackers.

Attacks From the Cloud
At DEFCON 18, a computer hacking convention held last month in Las Vegas, one of the most talked-about presentations was one given by two young network security consultants and entitled Cloud Computing, A Weapon of Mass Destruction? The question mark in the title proved to be a bit gratuitous and the title overall only slightly hyperbolic.

As reported on the highly respected DarkReading security site, (http://tinyurl.com/2d38kee) the presenters showed how, by spending $6 with a credit card "that could have been stolen" to deploy a simple computer program on a few virtual servers in the Amazon EC2 cloud, they were able launch a DDoS attack that took a small financial services company, their client, off the internet for a long time.  "With the help of the cloud, taking down small and midsize companies' networks is easy." one presenter said, "It's essentially a town without a sheriff."

DarkFire goes on to report that the presenters claimed they found no bandwidth restrictions in their Amazon agreement, there was no apparent automated malicious server detection operating in the cloud, and complaints to Amazon by the test victim went unanswered.  Amazon responded to DarkFire only in general terms, asserting that they have both detection and complaint response mechanisms in place.

Infrastructure-as-a-Service clouds are a place where it is easy and inexpensive for attackers to set up and run DDoS and other types of attacks that, in many cases, go undetected for long periods of time.

Attacks In the Cloud
In the previous case, the attack originated from a few virtual servers within the cloud and was directed against a conventional web site on the internet.  A more common case is where an attack originates on a conventional botnet and is directed against cloud-based web sites and services.

Many sites built with social media and content management services or software are run on public cloud infrastructure and can lead to a variety of cloud security problems, owing to the inherent complexity in the interplay of multiple companies, programs and services.  Such might be the case with, say, a commercial web built using the Wordpress open source content management system, run in the Rackspace public cloud with an address resolved through a third-party DNS service.  Some problems are technical, while others pertain to weaknesses in security management processes and accountability between the software and services companies.

Here is a technical problem example.  Posterous is a web-based service that allows people and businesses to upload and share content with others through Posterous web pages, emails, and social networks.  The Posterous service and the sites created with it run on the Rackspace cloud.  Posterous was recently the target of two virulent DDoS attacks that forced them to take technical measures that included circumventing Rackspace's security provisions after those failed.  Here are the real-time tweets from the incident.

"Our datacenter is experiencing heavy packet loss. We're on the line with Rackspace now.

"Network issues have been resolved for now. We're working with Rackspace to determine the cause.

"The DDoS attackers have returned and evolved their attack around our countermeasures. We expect to be back online ASAP w/ @gigenet antiddos

"We're back online thanks to @gigenet DDoS prevention. We're verifying all systems now.

"We're catching up on email queues and circling back to do everything we can to stay ahead of the attack.

"We're back online and systems are operational. Fools can't hold us back! Still see problems? Please email us at [email protected]

Our anti-DDOS layer provided by @gigenet is holding up well. Beer time.

The short duration of the event and sanguine tone of the last two tweets in the series belie the seriousness of the event and the impact it had on the company.  Those are better reflected in the following text from an email sent by the Posterous CEO to his customers.

"On Wednesday and Friday, our servers were hit by massive Denial of Service (DoS) attacks. We responded quickly and got back online within an hour, but it didn’t matter; the site went down and our users couldn’t post.

"On Friday night, our team worked around the clock to move to new data centers, better capable of handling the onslaught. It wasn’t easy. Throughout the weekend we were fixing issues, optimizing the site, some things going smoothly, others less so.

"Just at the moments we thought the worst was behind us, we’d run up against another challenge. It tested not only our technical abilities, but our stamina, patience, and we lost more than a few hairs in the process.

"I’m happy to report Posterous is at 100% and better than ever. Switching to a new data center will help us avoid the type of attacks we saw last week, and the new, bigger, beefier servers will speed up the site and increase capacity. We were hit pretty hard, but we’ve come out stronger in the end.

"While we were certainly frustrated, we know that no one was more frustrated than you. Your website was down, and I humbly apologize for that. Know that throughout these six days, restoring your site and your trust has been our number one priority."

Now, here is an example of the personnel and policy clashes that often add to the problems of cloud security.  Alison Gionotto is a technical author and experienced web developer who builds and manages web sites that include many built with WordPress and hosted in the Rackspace cloud.  After suffering through many security problems with those sites, she happened to receive a form letter from Rackspace listing security tips that included this one:

"Many applications, like WordPress, have optional plugins developed by the community. Since these add-ons are often not as well vetted, it’s extremely important to carefully evaluate and manage third party application plugins, themes, or other functionality that is introduced to a running web application. Most hackers are exploiting these plug-ins."

That was apparently the wrong thing to say to Alison.  She said it made her "brain melt", and it also made her write and post a furious public open letter to Rackspace that, in addition to containing numerous specific things about Rackspace that make it difficult for her to do her job, included the following passages:

"This week, I have personally had to repair 11 WordPress websites hosted on the [Rackspace] Cloud that were hacked, all were running [the latest WordPress version] and had very few plugins in common. The plugins they do have in common, like WP-Supercache, are plugins Rackspace suggests to keep the CPU-cycle raping down to a minimum.

"I would like to know what Rackspace is doing to help developers isolate these issues?

"If I am going to continue hosting with Rackspace, I want to be assured that Rackspace is actually doing something to help us protect ourselves other than send emails that overstate the obvious.

"Your customers are under attack, and I want to know what you plan to do to help us protect ourselves and our clients, or I am taking my business to a company that values my time and reputation."

The Rising Cost of Safety and The Dropping Price of Mayhem
Cloud computing can significantly lower the regular and predictable costs of IT for small business, but, as the examples above show, it comes with a potential for unpredictable problems that can be very costly to fix and, in some extreme cases, can even kill a company.  And, as bad as these problems were, they occurred in relation to some of the largest, most secure cloud service providers.

For every such major provider, there are many dozens of companies jumping into the cloud computing land rush who lack the mass of companies like Amazon and Rackspace.  In order for these much smaller companies to be price-competitive with the bigger players they must cut corners, often in the area of security software and personnel.  Phrases like "bare bones" are code for "limited security".

Such offerings are creating opportunities for Security-as-a-Service providers, like Zscaler.  They sell add-on security solutions directly to end users and also to cloud service providers, adding cost for customers, one way or another.  But, any small business considering using cloud computing or relying on social networking cannot afford not to do everything they can to ensure security, even if it ends up costing more than they thought it would.

While the cost of prevention and protection will continue to rise as threats multiply, until better solutions are deployed en mass, the cost of making mischief continues to go down.  For example, botnets of the type that attacked Posterous can be rented - by a competitor, disgruntled user, extortionist, or anybody else - for as little as $200/day for a 10,000 agent network.  Or, the Eleonore Exploit Pack, a toolkit for exploiting browser flaws and spreading viruses, which was used recently to bring down a US Treasury Dept. site running in the Network Solutions cloud (another top-tier provider) only costs $700 and requires very modest programming skills to use.

The Real Solution is Warmware
Hackers, security consultants, cloud service providers, and experienced users all agree on one thing, security software and hardware are not enough.  Safety in the cloud also requires warmware - geek speak for "people".

Even the smallest companies usually have somebody on staff who handles things like setting up email accounts and passwords or helping users with applications.  Those people should be trained to be on the lookout for trouble and in what to do if/when it happens.  There may be someone who manages the relationship with the company's cloud service provider, the social network accounts, the web site content, and so forth.  Those people may think of themselves as accounting or creative types, but, as the people with their hands on "the stuff", they are in the best position to ensure that things are setup right for maximum security and that vendors are held accountable for doing their part.

Better still, though, even the smallest company should consider the wisdom of making cloud security management something that is purposefully budgeted and staffed.  The Cloud Security Alliance is a non-profit organization founded and supported by a large number of technology vendors and service providers that is dedicated to making cloud computing more secure and helping users protect themselves.

The CSA coordinates the implementation of cloud security standards and provides educational resources for end-users, and last week announced a new certification program called the Certificate of Cloud Security Knowledge.  It is a web-based training program and certification test designed to cultivate and certify cloud security management competence.  See http://www.cloudsecurityalliance.org/ for more  details.  It is something worth looking into for any size of company using cloud computing technology. The test costs $195 until the end of the year and $295 thereafter, either way a bargain compared to the cost of ignorance.

More Stories By Tim Negris

Tim Negris is SVP, Marketing & Sales at Yottamine Analytics, a pioneering Big Data machine learning software company. He occasionally authors software industry news analysis and insights on Ulitzer.com, is a 25-year technology industry veteran with expertise in software development, database, networking, social media, cloud computing, mobile apps, analytics, and other enabling technologies.

He is recognized for ability to rapidly translate complex technical information and concepts into compelling, actionable knowledge. He is also widely credited with coining the term and co-developing the concept of the “Thin Client” computing model while working for Larry Ellison in the early days of Oracle.

Tim has also held a variety of executive and consulting roles in a numerous start-ups, and several established companies, including Sybase, Oracle, HP, Dell, and IBM. He is a frequent contributor to a number of publications and sites, focusing on technologies and their applications, and has written a number of advanced software applications for social media, video streaming, and music education.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
DX World EXPO, LLC, a Lighthouse Point, Florida-based startup trade show producer and the creator of "DXWorldEXPO® - Digital Transformation Conference & Expo" has announced its executive management team. The team is headed by Levent Selamoglu, who has been named CEO. "Now is the time for a truly global DX event, to bring together the leading minds from the technology world in a conversation about Digital Transformation," he said in making the announcement.
"Space Monkey by Vivent Smart Home is a product that is a distributed cloud-based edge storage network. Vivent Smart Home, our parent company, is a smart home provider that places a lot of hard drives across homes in North America," explained JT Olds, Director of Engineering, and Brandon Crowfeather, Product Manager, at Vivint Smart Home, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
SYS-CON Events announced today that Conference Guru has been named “Media Sponsor” of the 22nd International Cloud Expo, which will take place on June 5-7, 2018, at the Javits Center in New York, NY. A valuable conference experience generates new contacts, sales leads, potential strategic partners and potential investors; helps gather competitive intelligence and even provides inspiration for new products and services. Conference Guru works with conference organizers to pass great deals to gre...
The Internet of Things will challenge the status quo of how IT and development organizations operate. Or will it? Certainly the fog layer of IoT requires special insights about data ontology, security and transactional integrity. But the developmental challenges are the same: People, Process and Platform. In his session at @ThingsExpo, Craig Sproule, CEO of Metavine, demonstrated how to move beyond today's coding paradigm and shared the must-have mindsets for removing complexity from the develop...
In his Opening Keynote at 21st Cloud Expo, John Considine, General Manager of IBM Cloud Infrastructure, led attendees through the exciting evolution of the cloud. He looked at this major disruption from the perspective of technology, business models, and what this means for enterprises of all sizes. John Considine is General Manager of Cloud Infrastructure Services at IBM. In that role he is responsible for leading IBM’s public cloud infrastructure including strategy, development, and offering m...
"Evatronix provides design services to companies that need to integrate the IoT technology in their products but they don't necessarily have the expertise, knowledge and design team to do so," explained Adam Morawiec, VP of Business Development at Evatronix, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitigate risk rely on applications that minimize latency on a variety of data sources. In his session at @BigDataExpo, Jack Norris, Senior Vice President, Data and Applications at MapR Technologies, reviewed best practices to ...
Widespread fragmentation is stalling the growth of the IIoT and making it difficult for partners to work together. The number of software platforms, apps, hardware and connectivity standards is creating paralysis among businesses that are afraid of being locked into a solution. EdgeX Foundry is unifying the community around a common IoT edge framework and an ecosystem of interoperable components.
Large industrial manufacturing organizations are adopting the agile principles of cloud software companies. The industrial manufacturing development process has not scaled over time. Now that design CAD teams are geographically distributed, centralizing their work is key. With large multi-gigabyte projects, outdated tools have stifled industrial team agility, time-to-market milestones, and impacted P&L stakeholders.
"Akvelon is a software development company and we also provide consultancy services to folks who are looking to scale or accelerate their engineering roadmaps," explained Jeremiah Mothersell, Marketing Manager at Akvelon, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"IBM is really all in on blockchain. We take a look at sort of the history of blockchain ledger technologies. It started out with bitcoin, Ethereum, and IBM evaluated these particular blockchain technologies and found they were anonymous and permissionless and that many companies were looking for permissioned blockchain," stated René Bostic, Technical VP of the IBM Cloud Unit in North America, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Conventi...
In his session at 21st Cloud Expo, Carl J. Levine, Senior Technical Evangelist for NS1, will objectively discuss how DNS is used to solve Digital Transformation challenges in large SaaS applications, CDNs, AdTech platforms, and other demanding use cases. Carl J. Levine is the Senior Technical Evangelist for NS1. A veteran of the Internet Infrastructure space, he has over a decade of experience with startups, networking protocols and Internet infrastructure, combined with the unique ability to it...
22nd International Cloud Expo, taking place June 5-7, 2018, at the Javits Center in New York City, NY, and co-located with the 1st DXWorld Expo will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud ...
"Cloud Academy is an enterprise training platform for the cloud, specifically public clouds. We offer guided learning experiences on AWS, Azure, Google Cloud and all the surrounding methodologies and technologies that you need to know and your teams need to know in order to leverage the full benefits of the cloud," explained Alex Brower, VP of Marketing at Cloud Academy, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clar...
Gemini is Yahoo’s native and search advertising platform. To ensure the quality of a complex distributed system that spans multiple products and components and across various desktop websites and mobile app and web experiences – both Yahoo owned and operated and third-party syndication (supply), with complex interaction with more than a billion users and numerous advertisers globally (demand) – it becomes imperative to automate a set of end-to-end tests 24x7 to detect bugs and regression. In th...
"MobiDev is a software development company and we do complex, custom software development for everybody from entrepreneurs to large enterprises," explained Alan Winters, U.S. Head of Business Development at MobiDev, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Coca-Cola’s Google powered digital signage system lays the groundwork for a more valuable connection between Coke and its customers. Digital signs pair software with high-resolution displays so that a message can be changed instantly based on what the operator wants to communicate or sell. In their Day 3 Keynote at 21st Cloud Expo, Greg Chambers, Global Group Director, Digital Innovation, Coca-Cola, and Vidya Nagarajan, a Senior Product Manager at Google, discussed how from store operations and ...
"There's plenty of bandwidth out there but it's never in the right place. So what Cedexis does is uses data to work out the best pathways to get data from the origin to the person who wants to get it," explained Simon Jones, Evangelist and Head of Marketing at Cedexis, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5–7, 2018, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buye...
SYS-CON Events announced today that Telecom Reseller has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5-7, 2018, at the Javits Center in New York, NY. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.