Got Cloud? I Got Mail. Your Mail!

And that’s just the beginning. I’ve warned you before that you can’t control the clouds and that they are inherently insecure. But did you listen? Nope. Clouds are gaining in popularity, and, consequently, every day more and more data is there for the taking, by experienced AND novice hackers alike.

As per this recent article in the (MIT) Technology Review, on How to Steal Data from Your Neighbour in the Cloud, a recent study (by researchers at the Universities of Wisconsin and North Carolina) has proven that software hosted in one part of the cloud can spy on software hosted nearby.

This study conducted an experiment in which malicious software was run on hardware designed to mimic the equipment used by cloud companies such as Amazon. The software was able to steal an encryption key that was used to secure e-mails from software belonging to another user. This allowed the researchers to decrypt e-mails sent by the user (which are easily captured by packet sniffers on a compromised machine attached to the cloud).

As per the article, the new attack undermines one of the basic assumptions underpinning cloud computing: that a customer’s data is kept completely separate from data belonging to any other customer. This separation is supposedly provided by virtualization technology. However, because virtual machines running on the same physical hardware share resources, the actions of one can impinge on the performance of the other, an attacker in control of one virtual machine can snoop on data stored in memory attached to one of the processors running the cloud environment (that is used as a cache in a trick known as a side-channel attack).

Remember this before you go for a full-fledged cloud solution. SaaS from a private data centre run by a single vendor is probably okay if they maintain separate database instances for each client (with their own, separate, encryption keys). But shared services on a cloud are probably not a good idea. At least not from a security perspective.