They had to arrive sometime--criminals using the cloud. And why not, the cloud is an equal opportunity technology. Pay the bill and you're in. The criminal can mix in with a vast number of legitimate users.
Whose job should it be to detect the criminal? Very few people or organizations would want the government to oversee the cloud. But would the cloud providers want the job of criminal detection? I think not.
I have long considered cloud criminals possible. And now it's clear that criminals are already using the cloud for their benefit, as shown by the article, "The Criminal Cloud; Criminals are using cloud computing to share information and to superpower their hacking techniques" published on Monday, October 17, 2011 by Simson L. Garfinkel in the Technology Review published by MIT.
The first paragraph sums it up well:
"The cloud opens a world of possibilities for criminal computing. Unlike the zombie computers and malware that have been the mainstay of computer crime for the past decade, cloud computing makes available a well-managed, reliable, scalable global infrastructure that is, unfortunately, almost as well suited to illicit computing needs as it is to legitimate business."
The cloud keeps growing, amassing information, both personal and business. The information is highly centralized, increasing the potential opportunities to gain access. There have already been numerous discussions about cloud security, but this concern was focused on protecting the cloud information and services from illegal access. Now, the cloud can be the criminals tool as well.
Criminals can use the same encryption technology and anonymous communication channels as legitimate cloud customers. This makes it harder to observe the criminal activities by intercepting the criminal actions. When criminals are pursued, the authorities need to act rapidly to close down the computing resources. But this could also affect legitimate users on the same cloud services. Because of virtualization, forensic analysis will probably find few clues to use to apprehend the criminals.
A criminal can easily become a cloud customer using a fake name to open an account. According to the MIT article, "Criminals are using ...the text-sharing site Pastebin to plan crimes and share stolen information with near impunity. Just navigate to Pastebin.com and type 'Visa' into the search field for a vivid demonstration of how stolen credit card numbers are bought and sold in the cloud." The terms of service for most providers do not allow such uses. It is difficult however for the providers that ban this use to police their sites and discover the criminals.
In the past, when a criminal had access to only one or a few computers, hacking passwords took time and was not always very successful. Today with the cloud, a criminal can rent the use of hundreds of computers temporally to break passwords. What used to take months or weeks can now be accomplished in minutes.
Back in April of this year, Sony's PlayStation encryption keys were cracked by using Amazon’s EC2 cloud service as described in the Bloomberg article, "Sony Network Breach Shows Amazon Cloud’s Appeal for Hackers". The cost to access EC2 can range from pennies per hour to about $2.50 per hour, cheap at any price.
The Bloomberg article went on to state:
"A hacker used Amazon’s Elastic Computer Cloud, or EC2, service to attack Sony's online entertainment systems last month.... The intruder, who used a bogus name to set up an account that’s now disabled, didn’t hack into Amazon’s servers."
"The incident helps illustrate the dilemma facing Chief Executive Officer Jeff Bezos: Amazon's cloud-computing service is as cheap and convenient for hackers as it is for customers ranging from Netflix Inc. (NFLX) to Eli Lilly & Co. (LLY). Last months attack on Sony compromised more than 100 million customer accounts, the largest data breach in the U.S. since intruders stole credit and debit card numbers from Heartland Payment Systems in 2009."
"The incident helps illustrate the dilemma facing Chief Executive Officer Jeff Bezos: Amazon's cloud-computing service is as cheap and convenient for hackers as it is for customers ranging from Netflix Inc. (NFLX) to Eli Lilly & Co. (LLY). Last months attack on Sony compromised more than 100 million customer accounts, the largest data breach in the U.S. since intruders stole credit and debit card numbers from Heartland Payment Systems in 2009."
The problem for Amazon and other cloud providers is that you can't tell the good guys from the bad guys. The PlayStation attack was well planned, generated by professionals and was very highly sophisticated in its implementation. Anyone considering use of the cloud for legitimate reasons will be reconsidering the potential for criminal activities, forcing even more security to be required for cloud usage.
