Cloud Computing and Cybercrime 2.0
Nir Kshetri
The University of North Carolina-Greensboro
Geneva, 6-7 December 2010
Addressing security challenges on a global scale
Concerns about privacy and security in the cloud
Security/privacy--topmost concerns in cloud adoption
decisions, not TCO (Brodkin 2010).
IDC report (Oct. 2008): security concern was the most serious
barrier to cloud adoption.
IDC poll (April 2010) (Asia Pacific): < 10% of respondents confident
about cloud security measures.
Harris Interactive survey for Novell (Oct. 2010)
90%--concerned about cloud security;
50%--security concerns primary barrier to cloud adoption;
76%--private data more secure when stored on the premises
81%--worried about regulatory compliance.

A commonplace observation: cloud providers offer
sophisticated services but have weak performances in
policies/practices related to privacy/security.

Cloud: “a largely nascent technology”
Cloud is an opportunity for cyber-criminals as well
Observation: Cloud will make "Healthcare2.0",
"Banking2.0" and "Education2.0" realities, especially
in developing countries (Economist 2008).
Cyber-criminals’ perspective: opportunity for online
criminal practices to upgrade to cybercrime2.0.
Cloud’s diffusion and that of social media have
superimposed onto organizations’ rapid digitization
in a complex manner that allows cyber-criminals
and cyber-espionage networks to exploit the cloud’s
weaknesses.
A framework for understanding security and privacy
issues facing the cloud
Institutional factors affecting security/privacy in
cloud
Cloud-related legal system/enforcement mechanisms
evolving slowly (e.g., legislation in jurisdictions of the
user’s, the provider’s or the data’s location will govern the
protection of the data?)
Overreach by law enforcement agencies.
Professional/trade associations--emerging and influencing
security and privacy issues
Industry standards organizations--address some concerns.
Concern about dependency on cloud vendors’ security
assurances and practices.
Cloud users’ inertia effects
Technological factors affecting security/privacy in
cloud
The cloud’s newness and unique
vulnerabilities
Attractiveness and vulnerabilities of the cloud
as a cybercrime target
Value of data in the cloud
Criminal controlled clouds
Nature of the architecture
Virtual and dynamic
Sophistication and complexity
Cloud’s newness/unique vulnerability
Evolution and popularity of virtualization technology:
new bugs, vulnerabilities and security issues are
proliferating (Brynjolfsson et al. 2010).
Cloud--unfamiliar terrain for security companies.
Lack of mechanisms to guarantee security and privacy--an
uncomfortable reality for cloud providers.
Dawkins (1982): rare enemy syndrome--a helpful
theoretical perspective--victims often fall to new,
unfamiliar baits or lures.
The enemy’s manipulation is so rare that evolutionary
development has not yet progressed to the point that the
victim has an effective counter poison.
Cloud’s newness/unique vulnerability (cont.)
A problem: a user may be able to access sensitive
portions of the provider’s infrastructure as well
as resources of other users (Armbrust et al. 2010).
August 2010: the U.S. National Institute of Standards and
Technology announced a vulnerability:
a user can cross from one client environment to other client
environments managed by the same cloud provider (NIST 2009).
Forensically challenging in the case of a data breach
Some public cloud systems may store and process data in
different jurisdictions--different laws (McCafferty 2010).
Some organizations may encrypt data before storing (Taylor
et al. 2010).
Attractiveness/vulnerability as a cybercrime target:
Value of data in the cloud
Target attractiveness = f (perceptions of victims).
Monetary or symbolic value and portability (Clarke 1995).
Accessibility—visibility, ease of physical access, and lack of
surveillance (Bottoms & Wiles 2002).
Large companies’ networks offer more targets.
Cloud suppliers bigger than clients—more attractive targets.
Offers a high “surface area of attack” (Talbot 2010).
One fear: IP and other sensitive information stored in
the cloud could be stolen.
Cloud providers may not notify their clients.
Underreporting of cybercrimes: embarrassment,
credibility/reputation damage, stock price drop.
Attractiveness/vulnerability: Value of data in the
cloud
Late 2009: Google discovered a China-originated
attack on its cloud infrastructures.
The attack was part of a larger operation, which infiltrated
infrastructures of at least 20 other large companies.
Information stored in clouds—potential goldmine for
cyber-criminals (Kshetri 2010).
Early 2010: Yale University postponed plan to move
Webmail service to Google Apps tailored for students
and faculty.
Reason: Google's size and visibility makes it more susceptible
to cyber-attacks.
Attractiveness/vulnerability as a cybercrime target
Criminal-controlled clouds
The cloud is potentially most vulnerable--viewed
against the backdrop of criminal-owned clouds
operating in parallel.
Diamond is the only material hard enough to cut
diamond effectively
Criminal-owned clouds may be employed to effectively steal
data stored in clouds.
Cloud may provide many of the same benefits to
criminals as for legitimate businesses.
Attractiveness/vulnerability: Criminal-controlled
clouds
The Conficker virus
Most visible example of a criminal-owned cloud.
Arguably the world’s biggest cloud
Controls 7 million computer systems
230 regional and country top-level domains
Bandwidth capacity of 28 terabits per second.
Larger footprint/resources--spreads malware to control
more computers
Less active recently but is still a threat.
last major Conficker attack--April 2009
last reported attack: February 2010 on the network of Manchester
police department (U.K.).
The Conficker cloud
Conficker is available for rent.
Criminals can choose a location they want to rent the
Conficker cloud.
Pay according to the bandwidth they want
Choose an operating system.
Customers have a range of options for the type of services
to put in the Conficker
denial-of-service attack
spreading malware
sending spam
data exfiltration (Mullins 2010).
The cloud as the ultimate spying machine
Cyber-espionage2.0.
Easier for governments to spy on citizens.
A Google report: governments request private
information and censorship of its applications.
Apr. 2010: Report on Shadow network:
Targets: Indian Ministry of Defense, the UN, the Office of
the Dalai Lama.
The report noted: “Clouds provide criminals and espionage
networks with convenient cover, tiered defences, redundancy,
cheap hosting and conveniently distributed command and control
architectures” (IWMSF 2010).
Atmosphere of suspicion/distrust among states
U.S.-China trade and investment policy relationship.
Concluding comments
Too simplistic to view the cloud as low-cost security.
Legitimate/illegitimate organizations and entities--gaining
access to data on clouds through illegal, extralegal, and
quasi-legal means.
Technological and behavioral/perceptual factors--equal
consideration in the design/implementation of a cloud
network.
New institutions and the redesign of existing institutions
needed to confront emerging security and privacy
problems.
existing institutions are thickening.
Privacy and security issues related to the cloud undergoing
political, social, and psychological metamorphosis.
References
Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R., Konwinski, A., Lee, G., Patterson, D., Rabkin, A., Stoica, I., & Zaharia, M. (2010). A View of Cloud Computing. Communications of the ACM, 53(4), 50-58.
Bottoms, A. E., & Wiles, P. (2002). Environmental criminology. Oxford Handbook of Criminology, 620–656.
Brodkin, J. (2010). 5 problems with SaaS security. Network World, 27(18), 1-27.
Brynjolfsson, E., Hofmann, P., & Jordan, J. (2010). Cloud Computing and Electricity: Beyond the Utility Model. Communications of the ACM, May 2010, 53(5), 32-34.
Dawkins, R. (1982). The extended phenotype. Oxford University Press.
Information Warfare Monitor/Shadowserver Foundation (2010). Shadows In The Cloud: Investigating Cyber Espionage 2.0, Joint Report: Information Warfare Monitor Shadowserver Foundation, JR03-2010, April 6, http://www.utoronto.ca/mcis/pdf/shadows-in-the-cloud-web.pdf
Kshetri, N. (2010). Cloud Computing in Developing Economies. IEEE Computer, October, 43(10), 47-55.
McCafferty, D. (2010). Cloudy Skies: Public Versus Private Option Still Up In The Air. Baseline, 103, 28-33.
Mullins, R. (2010). The biggest cloud on the planet is owned by ... the crooks: Security expert says the biggest cloud providers are botnets, March 22, 2010, available at http://www.networkworld.com/community/node/58829?t51hb. Accessed July 24, 2010.
NIST (2009). Vulnerability Summary for CVE-2009-3733, 08/21/2010, The US National Institute of Standards and Technology, available at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3733.
Owens, D. (2010). Securing Elasticity in the Cloud. Communications of the ACM, Jun 2010, 53(6), 46-51.
Talbot, D. (2010). Security in the Ether. Technology Review, 113(1), 36-42.
Taylor, M., Haggerty, J., Gresty, D., & Hegarty, R. (2010). Digital evidence in cloud computing systems. Computer Law & Security Review, May 2010, 26(3), 304-308.