Phone Hacking and The Cloud.

Over here in the UK, there's a huge political storm over a News International title - the News of the World - being caught 'hacking' phones. That is, they dial into the persons mobile phone account and use the default password to access voicemails.

Apparently, this was all accepted by the UK public - till it transpired that a missing (and later found murdered) girl - Milly Dowler - had her phone hacked. And the scumbag (I think thats a fair sobriquet under the circumstances) actually DELETED messages as her voicemailbox was full, in order to capture some more.

Well. This rather put the cat among the pigeons, and has led to the News of the World being closed down, 200 Journos being made 'redundant' (I suppose it beats being burnt at the stake), and Rupert Murdoch - the Dirty Digger himself - being flown into the UK to supervise damage limitation.

Even our Prime Minister - David Cameron - has been used as a human shield (IMHO) in order to protect James Murdoch - Rupert Murdochs' son. Charming.

(Those of you who think that is is a UK-only problem might like to look at this link).

So. What has all this got to do with 'The Cloud'.

I think Mobile Phones' voicemail was probably the first publicly accessible cloud technology. Its almost 20 years old. Hundreds of millions of folks would routinely access confidential voicemail information with scant knowledge over the security and data-handling of that very voicemail. And as end-users are more concerned over ease-of-use than security, many would not change the pin number on their voicemail account. 

So what has happened? We now know that certain Journalists and 'hackers' routinely found these users accounts (by bribing phone company employees and policemen) and then used their limited powers and imagination to pick up voicemails.

In our rather rarified IT consultant clique, we might assume that non-IT folks would treat voicemail as we do - unsecured, unreliable cloud-based data storage - and do as we do. That is - bypass voicemail completely, and use more immediate and reliable communications such as email, text, etc. However, out there in end-user-land, as we have found out, confidential information and messages were routinely left. 

This has a greater significance to us. We need to remind our cloud-rabid CIOs that no matter the flavour or colour of the cloud, that it is still a cloud-based service, and as such, open to front-door brute force attacks. One story leaking back to Casa Buchan involves Google, spoofing a google website internally, and capturing the users authentication cookie, and using this to easily open his mailbox.

Scary, technically simple, and possibly completely untraceable stuff. A single cached password or cookie. Not good.

I would use this moment to demand of these cloud vendors that we have a more secure two-part rolling key mechanism as an option in our cloud implementations - such as SecureID - in order to boost the rather trivial security that we've seen so far. 

I would suspect the first Cloud implementation to offer this level of security, as well as expiring passwords and passwords of particular complexity - might be a winner in this space.

Those who do not study history are doomed to repeat it. In this case, remember - whilst all the hype about Cloud is burning through our organisations - its our job as the guardians of the data to erect sufficient security in order to prevent corporate reputational damage. Remember that.