There’s a lot of hype about IT services living “in the cloud” these days. But is this approach to computing safe? If the recent experience of one software developer is anything to go by, then potential customers ought to have second thoughts.
Marko Karppinen, who uses Apple’s .Mac online services, got a shock when he tried to log into his Apple Developer Connection account (he describes the episode on his blog). He found that the password and the email address associated with his account had been changed. Apparently, someone other than himself had contacted Apple’s Developer Relations unit claiming to have forgotten the password, and Apple responded by changing both the email address and the password without any further checks, effectively handing the account over to the hacker.
No doubt this was an isolated incident, but it is one that highlights several security issues. First, it underlines the drawbacks of single sign-on. Apple is one of several IT giants offering a suite of services linked to a single user account. What Karppinen lost, as he noted in an indignant email, was not just his developer account, but files stored in the iDisk remote storage services, an iTunes account, personal email, and more. Single sign-on is convenient, but increases the risk to you, and the value to criminals, if that flimsy username and password combination is discovered.
Apple has just launched its MobileMe service, a revamped version of .Mac that synchronises email, contacts, calendar and files to the web, and to all your devices. The service looks compelling, but the more usage grows, the more likely it is that stolen password incidents will come to rival stolen laptop incidents for putting confidential data at risk.
Second, Apple’s identity management is weak even disregarding Karppinen’s story. It has an automated forgotten password service that lets you reset your password either through an email sent to the registered email address, or by answering a secret question that you specified when signing up.
Password reset via email is common, but desperately vulnerable. Emails generally travel across the internet unencrypted, so there is a risk of interception. Further, once a message arrives at its destination server, its security depends on the ISP running that server. Finally, the user may collect that email over unencrypted POP3, or read it in plain text on a web email service. Put this together with the popularity of public Wi-Fi services and it is clear that resetting or reminding users of passwords via email is no security at all.
The secret question idea is no better. Users are often encouraged to use semi-public information, such as their mother’s maiden name. Apple also makes you state your date of birth, but a date of birth is hardly a secret either.
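The column’s point is that an emailed reset is a bearer credential anyone holding the message can use. An added illustration (not code from the column or from Apple) of the minimum a service should do before relying on such a link: the token is random, stored only as a hash, expires quickly, and is destroyed on first use, so a copy of the email read later is worthless. The account store, the address and the timings are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory account store standing in for a real user database.
ACCOUNTS = {"marko@example.invalid": {"password_hash": None}}

# Pending resets keyed by account. Only a hash of the token is kept, so a
# leak of this table does not hand out usable reset links.
PENDING_RESETS = {}
TOKEN_TTL_SECONDS = 15 * 60  # short lifetime limits the interception window


def issue_reset_token(email, now=None):
    """Create a single-use, time-limited reset token for an existing account.

    Returns the raw token that would go into the email, or None when the
    address is unknown. Callers should answer identically in both cases so
    the reset form cannot be used to enumerate accounts.
    """
    if email not in ACCOUNTS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    PENDING_RESETS[email] = {
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    return token


def redeem_reset_token(email, token, new_password, now=None):
    """Consume the token: accepted only once and only before it expires."""
    now = time.time() if now is None else now
    pending = PENDING_RESETS.get(email)
    if pending is None or now > pending["expires_at"]:
        PENDING_RESETS.pop(email, None)  # expired entries are discarded
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, pending["token_hash"]):
        return False  # wrong token; the pending reset is left intact
    # Single use: remove the record before changing anything, so a second
    # copy of the same email (for example an intercepted one) is useless.
    del PENDING_RESETS[email]
    # Constructed salt; a real store would use a per-user random salt.
    ACCOUNTS[email]["password_hash"] = hashlib.pbkdf2_hmac(
        "sha256", new_password.encode(), b"example-salt", 100_000
    ).hex()
    return True
```

This narrows the exposure but does not remove it: whoever acts on the email first wins, which is exactly why the column argues for a channel other than email for the final step.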
The difficulty for businesses is that services like Apple’s MobileMe, Microsoft’s Live SkyDrive or Google Docs are effectively unmanageable. But at the same time they are so useful that they gradually cross over from personal to business use, while staff may not realise that data stored online is just as vulnerable as it is on laptops or USB storage devices.
Security practices in some parts of the industry are astonishingly immature. We should long since have stopped sending passwords in the clear, yet the FTP protocol, for example, still does exactly that. Data stored online can and should be more secure than data stored locally. The technology exists, but it is frustrating to see stronger authentication schemes like Microsoft’s CardSpace languishing with little use even by Microsoft itself.
In 2008 you would have thought it would be easy to send a sensitive email signed and encrypted, but it is not. Password reset can be done securely too, by doing what banks do and sending a real letter to a physical address. Apple, please take note.
A cloud of suspicion hangs over online security
Staff Writer on Jul 25, 2008 9:32AM
itweek.co.uk @ 2010 Incisive Media