Is the Cloud a Hacker’s Paradise?

At 11am on October 21, 2016, some of the most popular websites on the planet began to go offline simultaneously, including the New York Times, Twitter, Amazon, Netflix, eBay and Spotify. They were all suffering a cyber attack. The incidents first brought down websites in the United States and then spread rapidly across the Atlantic to Europe. The attack, planned in several phases, lasted almost 11 hours. This denial-of-service attack—more commonly known as DDoS—was not intended to bring down the newspaper and the world’s most important online shopping platforms. It had a bigger purpose—to sink the servers of Dyn, one of the largest Internet providers. At 11am on October 21, 2016, the world realized that the functioning of the Internet depended on only a few.

In 2011, a new trend began to emerge among companies, that of moving to the cloud. This change in model involves leaving parts of one’s services in the “hands” of a cloud provider that ensures accessibility, computing, storage, connection and especially the security of services, applications or data that other companies give it. Thanks to its agility and low costs, some reports suggest that 78% of companies will be using the cloud in about three years. This implies that a few—and very powerful—companies have ‘control’ of banking, electrical, telecommunications or transportation services around the world. Thus, successfully targeting a cloud provider can become a booming business for cybercrime groups.

New ‘bosses’ of the Internet

These new Internet bosses are led by Amazon, which controls a third of the total market, then Microsoft and Google. They are followed by IBM, T-Systems and HP Enterprise. The unstoppable accumulation of power has led these service providers to build huge server farms and data centres, which have become the engines of the Internet. Amazon Web Services (AWS) has 16 of these centres worldwide. “Some of our availability zones [data centre groups] can exceed 300,000 servers. They are designed to be independent both from the supply of power and cooling as well as having physical security,” explains Carlos Carús, solutions architect director at AWS Iberia, to OpenMind.

One of Google’s server farms in Council Bluffs, Iowa, which provides over 115,000 square feet of space for servers running services like Search and YouTube. Credit: Google

“Big cloud providers like Microsoft and Google have 10 or 15 of these data farms. Each of them is the size of a football field,” explains Marta Beltrán, professor and expert in cyber security at the Rey Juan Carlos University (URJC) in Madrid. There one finds the engine rooms of the Internet containing our data, our information and our applications, which are also the favourite targets of hackers.

“These server farms are constantly being attacked so they have strict physical and logical security measures. The perimeters are fenced and the entrance controls are very strict. They apply the criterion of redundancy. Each centre depends on different providers and Internet infrastructure. Thus, if one falls, the others can take care of that information,” says Beltrán. “The ideal is to make it difficult for the attacker. Do not have everything at a single physical point, but be redundant in different locations,” explains Pedro García Villacañas, technical director of Kaspersky Lab Iberia, to OpenMind.

It is no more insecure than other environments

Does this mean that the cloud is less secure than other types of options, such as each company having its own servers? “No. It depends on the starting situation of the company. If you have the resources and the means to establish very high standards of security, to update your systems and maintain them, you are not interested in going to the cloud. But this is not usual. Your resources and your means will be less than those of a serious provider,” says Beltrán, who is also the founder of the Cybersecurity Cluster of the URJC. “For a small or medium-sized company, it costs an unaffordable amount of money to deploy good security controls. However, an experienced and quality cloud service can provide it for a more modest price. The company will be more protected,” adds Anabel González, professor at the Computer Security Lab (COSEC) at the Carlos III University in Madrid.

These data farms contain our data, our information and our applications, which are also the favourite targets of hackers. Credit: LaboratorioLinux/Flickr

“One of the main advantages of this type of service is precisely security. Anyone who works on the Internet should realize that people are willing to use the network maliciously. But security, compliance with current regulations and data protection should be the top priority of any company or government institution that operates on the Internet today,” says Carús of AWS, which provides services to institutions such as NASA, Vodafone and BBVA.

But this protection means losing control. “By hiring a cloud service, you have to evaluate the risks to which you are going to submit your data and your applications in the hands of another. If your data is very critical and valuable, it is better to deploy a local cloud, private,” advises González. There is not only one type of cloud—it can be public, private or hybrid.

DDoS attack, one of the most frequent

The kind of attack suffered by Dyn in October has become one of the most frequent against cloud providers. DDoS attacks work in a simple way—millions of devices try to access a web page at the same time, so that its servers cannot withstand the traffic saturation and collapse. Behind those devices are not millions of people, but a group of hackers who control them. They use what are called zombie computers, systems that have been previously infected with a virus and are now available to these cybercriminals.

Piping in the buildings is coded depending on what it carries – with cool water in blue tubes and warm in red. Credit: Google

The systems vulnerable to infection can range from computers to webcams, smart TVs, routers or any other device connected to the network. “At the end of 2015 was the first time we found that one of the IPs that attacked was that of a refrigerator,” explains García Villacañas. According to this expert, cloud providers are very exposed to these attacks. This is confirmed by the solutions architect director at AWS Iberia: “We’ve seen such attacks grow in popularity lately.”

For users, there are few escapes. “Fear of these attacks is a real but inevitable concern. With today’s society, you can stay isolated if you refuse to use these technologies,” says González. However, the growth of cyber attacks has led to the proliferation of other alternatives such as Nextcloud, Owncloud or Cozy.io. “It’s about having your own cloud. Instead of using a commercial and public cloud, you take care of your data yourself and give it security. You can do this if you trust more in yourself than in an outside provider. The option of having your own cave is now arriving.”

Beatriz Guillén for Ventana al Conocimiento

@BeaGTorres