A Demonstration of a vulnerability of Cloud Computing.

Careless in the Cloud: Google Accidentally Shares Some Docs — Seeking Alpha

The article above documents a recent security breach in the on-line Google Docs system. Google Docs allows people to create and edit documents, presentations, and spreadsheets in a manner similar to the Microsoft Office software suite. Unlike Office, the Google Docs system is free and provided through a web interface. The documents are actually stored and edited within Google’s servers. That is the core of the issue.

Google provides the ability to share your documents with collaborators. In this breach, Google accidentally made a number of documents available to people who were not authorized. While the fraction of documents affected was very small, it is a real wake-up call. To get my documents off my computer, you need to specifically breach my computer. A breach of the Google systems could yield the sensitive documents of an enormous number of people. They are a big target. Even accidental releases like this could put huge numbers of people at risk.

This vulnerability is not specific to Google, it applies generally to any provider of cloud computing capabilities. I personally avoid cloud computing when I can because I have high security needs, and because I find that I often need to work on my documents when I am off-line. Google is starting to do a good job of addressing the second issue, but the first is going to be harder.

- Lance Cottrell

This entry was posted on Sunday, March 8th, 2009 at 12:58 pm and is filed under Internet, Online Privacy, Personal Privacy, Security Breaches.

4 Responses to “A Demonstration of a vulnerability of Cloud Computing.”

  1. Antrek Says:

    Hi Lance, you mention that, quote:

    “this vulnerability is not specific to Google, it applies generally to any provider of cloud computing capabilities. I personally avoid cloud computing when I can because I have high security needs”.

    Please have a look at http://www.threetags.com

    The site claims to be very secure. What do you think of it?

    Antrek

  2. lance Says:

    This is an interesting site. It looks like they are doing all the encryption with JavaScript loaded from the threetags.com site. The big risk here is in the browser itself. There are many ways an attacker can capture your input from within a browser session. An attacker might also be able to use a man-in-the-middle attack to modify the JavaScript you receive.

    The fundamental issue is that you are re-downloading the software each time you go to the page, and it is difficult to know if the software has been corrupted. If the site were ever hacked, hostile code could be inserted to capture the passwords of every single user. This would be much safer if it used a signed application binary which then lived locally on your computer all the time. A non-technical risk is that I have no idea who these people are or what kind of history they have that should lead me to trust them. This could simply be a scam for all I know (and let's be clear, I neither know nor suspect any such thing).

    It looks like they have done some good thinking and hard work on this project. I would certainly not want to imply that it is insecure. The question is always “secure for what purpose?”
    In this case, I would consider using it for personal (sensitive but low security) applications, but I would not put my life in its hands.
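
An added example, not part of lance's reply and not threetags.com code: a Subresource-Integrity-style check of a script that is re-downloaded on every visit. It assumes the reader holds a digest of a reviewed copy obtained out of band; `sriDigest`, `verifyDelivered` and the sample script bodies are constructed for illustration.

```javascript
// Added example: compare the bytes actually delivered against a pinned digest.
const { createHash, timingSafeEqual } = require("node:crypto");

// Relative strength used to pick which pinned algorithm must match.
const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// "<alg>-<base64 digest>" for the exact bytes of a script.
function sriDigest(body, alg = "sha384") {
  return `${alg}-${createHash(alg).update(body).digest("base64")}`;
}

// Parse whitespace-separated "<alg>-<b64>[?options]" tokens; unknown ones are dropped.
function parseIntegrity(metadata) {
  return metadata.trim().split(/\s+/).map((token) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/=_-]+)(\?.*)?$/.exec(token);
    return m ? { alg: m[1], b64: m[2] } : null;
  }).filter(Boolean);
}

// Only pins using the strongest listed algorithm count, so a weaker
// extra pin cannot be used to wave through different bytes.
function verifyDelivered(body, metadata) {
  const pins = parseIntegrity(metadata);
  if (pins.length === 0) return { ok: false, reason: "no usable pin" };
  const best = pins.reduce((a, p) => (STRENGTH[p.alg] > STRENGTH[a.alg] ? p : a)).alg;
  const got = createHash(best).update(body).digest();
  const ok = pins.filter((p) => p.alg === best).some((p) => {
    const want = Buffer.from(p.b64, "base64");
    return want.length === got.length && timingSafeEqual(want, got);
  });
  return { ok, alg: best, reason: ok ? "matches pin" : "digest mismatch" };
}

// Constructed sample input: a reviewed script and a later delivery that differs.
const reviewed = "function encryptNote(text, key) { /* reviewed build */ }\n";
const served = reviewed + "/* line added after review */\n";
const pin = sriDigest(reviewed);

console.log(verifyDelivered(reviewed, pin).reason);
console.log(verifyDelivered(served, pin).reason);
```

Without such a pin, a browser user has nothing to compare each fresh download against, which is the gap a locally installed signed binary closes.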

  3. Callum Says:

    Security First Video Surveillance Systems…

    Maybe, but I’m not sure it’s for everyone….

  4. Les Says:

    I absolutely love Google Docs from a collaboration and functionality standpoint, but the (in)security worries me.

    I wish that Google would release an appliance (like their Google search appliance) that I could host in my work network. That would transfer most access risks to within the company network.
