Cloud computing systems and Web 2.0 applications are still vulnerable to attack via their users and via clear text transport protocols, according to professional hacker Chris Gatford.
Gatford, who heads the boutique penetration testing firm HackLabs and was speaking at a recent IDC security conference in Sydney, claimed cloud computing could be broken down into three sensitive segments, each of which can be hacked.
“You’ve got the device itself that’s providing the application or the device that you’re accessing, you’ve got the transport mechanism that’s providing that communication to the device, and then lastly you have the end-user themselves,” Gatford said. “The main point of compromise in a typical Web 2.0 mechanism is the communication mechanism.”
Gatford claimed that even iPhone maker and tech giant Apple had made security mistakes in the past that left users and systems susceptible to attack.
“When MobileMe first came out, communication from the iPhone to some of the MobileMe components was being performed over HTTP. Your user credentials were being sent in clear text, so even somebody like Apple had issues with its cloud application offering,” he said.
“It’s tough from a layman’s point of view, because you assume the big boys in town would be doing the right thing and generally they do, but they all make mistakes.”
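The MobileMe problem Gatford describes, credentials travelling over plain HTTP, is the kind of thing a tester or an internal review finds by looking at captured requests. The following checker is an added example written for this article; it is not code from HackLabs, Apple or the conference talk. It parses a raw HTTP/1.x request and reports credential material (Basic or Bearer authorization headers, password-like form fields, session cookies) that would leave the client unencrypted. The caller supplies whether the capture came from a TLS-protected connection (the `over_tls` flag), the list of secret field names is an assumption to be tuned per application, and the sample requests and hostnames are constructed.

```python
"""Flag credentials that a client would send in clear text.

Added illustration (not from the article or from HackLabs): inspect a
captured HTTP request and report credential material sent without TLS.
All sample requests below are constructed for the example.
"""
import base64
from urllib.parse import parse_qs, urlsplit

# Field names that commonly carry secrets in login forms.
# Assumption: adjust this set for the application under review.
SECRET_FIELDS = {"password", "passwd", "pass", "pwd", "token", "secret"}


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def find_cleartext_credentials(raw: str, over_tls: bool) -> list:
    """Return findings for credentials that left the client unencrypted.

    over_tls tells the checker whether the capture came from a TLS-protected
    connection; credentials carried inside TLS are not reported.
    """
    if over_tls:
        return []
    method, target, headers, body = parse_request(raw)
    findings = []

    # HTTP authentication headers: Basic is reversible, Bearer is a live token.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user = base64.b64decode(auth[6:]).decode().split(":", 1)[0]
            findings.append(f"basic-auth user={user!r} sent over plain HTTP")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            findings.append("basic-auth header (undecodable) sent over plain HTTP")
    elif auth.lower().startswith("bearer "):
        findings.append("bearer token sent over plain HTTP")

    # Secrets in the query string or in a form-encoded POST body.
    sources = [("query", urlsplit(target).query)]
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        sources.append(("body", body))
    for where, payload in sources:
        for field in parse_qs(payload, keep_blank_values=True):
            if field.lower() in SECRET_FIELDS:
                findings.append(f"field {field!r} in {where} sent over plain HTTP")

    # A session cookie on plain HTTP is as good as the password to an observer.
    if "cookie" in headers:
        findings.append("session cookie sent over plain HTTP")
    return findings


# Constructed sample captures (hostname is a reserved, non-routable name).
LOGIN_OVER_HTTP = (
    "POST /account/login HTTP/1.1\r\n"
    "Host: sync.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
    "username=alice&password=hunter2"
)
BASIC_OVER_HTTP = (
    "GET /calendar HTTP/1.1\r\n"
    "Host: sync.example.invalid\r\n"
    "Authorization: Basic " + base64.b64encode(b"bob:letmein").decode() + "\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for raw in (LOGIN_OVER_HTTP, BASIC_OVER_HTTP):
        for finding in find_cleartext_credentials(raw, over_tls=False):
            print(finding)
```

Run against a capture taken from a proxy or packet trace, every finding is a case for moving that endpoint to HTTPS (and, for a web app, enabling HSTS and the `Secure` cookie flag); the same requests over TLS produce no findings, which is the point of the `over_tls` argument.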
Gatford also said the rise of Web 2.0 applications like Facebook and Twitter had introduced a wealth of new threats to network security.
“A lot of marketing groups within organisations have flocked to these Web 2.0 systems to market their organisations to show they’re cutting edge; however, it’s a double-edged sword,” he said. “The passwords used in Web 2.0 services are probably the same as their LAN passwords.”
But despite the risks, Gatford was keen to point out that data security is about more than just hackers.
“You reduce your risk significantly by running stuff internally,” he said. “But technically your data sitting in a cloud server that’s done backups is probably safer from an availability point of view than it sitting in a typical small business environment. There are pros and cons for both.
“Good patch management, good configuration management and good vulnerability management are the three key things. If organisations and even home users did all three of those things, it would be a much safer place.”