Why the cloud may be the final frontier for scammers

by Jay on December 23, 2009


Unless you’re really an IT security hawkeye, you probably missed the story a couple of weeks ago about the Zeus botnet infiltrating Amazon’s cloud service. We noticed it because Backupify runs on the Amazon cloud service, so its reliability is of great concern to us. (This is why Backupify has plans to expand to a second cloud provider, so we can be redundant across multiple systems.)

In Amazon’s defense, the Zeus infection lasted only a few hours, had no major service impact, and was the product of a lucky chain of events rather than a successful planned attack. But it brought up an interesting point: Infecting a cloud service is the holy grail for virus authors.

Malware botnets or zombienets are in effect jury-rigged cloud systems created by viruses. As the virus spreads through multiple systems, it enlists each system in a common cause. If any one PC is disinfected, the whole network is largely unaffected. But why go to the trouble of defeating multiple individual PCs when — if you can pull it off — subverting even a portion of a major cloud system gives you huge computing power and net bandwidth to play with?

How much damage could a denial of service attack incur with even one percent of Salesforce.com’s server power? How about a brute force password crack run by Microsoft’s Azure network? Or a phishing scam distributed by some subverted Amazon cloud account?

More importantly, what happens to the data stored in those virus-subverted cloud accounts? In the best case scenario, you simply lose access for the duration of the viral infection. Worse, all your data becomes infected with the virus, so anything you pull to your local machine becomes a carrier. And the doomsday scenario? The cloud provider has to permanently wipe some portion of your data to remove the infection.

Who’s glad they have a Backupify account in those situations? Yes, we could ourselves be the victim of an Amazon takedown — which is why we’re looking into a second cloudstore — but you’ll be glad to have us when (not if) Facebook gets its first major infiltration.

  • http://www.timothypost.com Timothy Post

    I just heard about you guys on the TWIT podcast today. Couple thoughts:

    1. While it’s great that you guys use Amazon S3 to back-up client files, what would be even better and ground breaking would be if you would enable clients to back-up files to their own Amazon S3 accounts.

    The whole reason for backing up your content from the cloud is that things change and companies go bankrupt, fail, are bought, merge, etc. So while it’s great to have a second copy of our files on your S3 account, there’s nothing saying you guys won’t change in the future.

    Therefore, it would be much better for those of us who are super serious about guaranteeing our data to back it up to our own accounts.

    2. Currently, you are offering clients the opportunity to “pull” data out of various cloud web services and back it up. While this is cool, the holy grail of cloud computing would be if you could offer us the opportunity to “push” certain files out to those same services.

    For example, let’s say I’ve backed up all my Flickr files to Backupify but decide that I want to migrate to another newer web based photo sharing service. In this case, I would delete my photos from Flickr, download the same photo files from Backupify to my desktop, and then upload them to the new service. What would be much better would be if within Backupify I had a dashboard which would enable me to “turn-off” Flickr permanently and thus, delete the photos but also to enter my new username and password for the new photo web service and Backupify would “push” those photos into my new account and automatically populate it.

    Such a pull-push option is what everyone is dying to have available. Everyone is sick and tired of having to manually populate every new web service.

    So, how about it? Any chance either of these options might be possible?