Hacks make Internet look lawless, but security just hasn't caught up to spear-phishers yet
IT security needs to catch up to spear-phishing/malware/server-attack combinations
The No-Duh Headline of the Day has to be Reuters' " Hacker attacks threaten to dampen cloud computing's prospects."
There isn't a thing wrong with either the headline or the story except that it's too narrow.
Successful data breaches at Google, Epsilon, Sony, Sony, Sony, Sony, U.S. Rep Anthony Weiner, Lockheed Martin, HotMail, Yahoo,HTC and Sony don't just make consumers and businesses nervous about using the cloud.
They make people nervous about using any kind of computer or network. They don't stop, of course, or even change to more secure passwords, use different usernames and passwords for different sites, try to avoid giving their credit-card or Social-Security or other ultra-sensitive data to every Web site they intend to either buy from or return to.
They do shy away from buying or building those systems for themselves because they perceive that, since all those sites that got hacked are on the Internet, and everything on the Internet is "the cloud," then "the cloud" itself is a security threat.
First, the cloud and the Internet aren't the same thing. The Internet is a thing, for one thing, and "the cloud" isn't – it's just a bit of linguistic abstraction that keeps people from having to type or pronounce "shared-resource infrastructure, platform or application hosting service" a hundred times per day.
Consumers don't know that, and the finance execs that write the checks for big IT systems don't care.
They care that suddenly every high-profile thing on the Web is suddenly bleeding customer data as hackers poke them like underinflated water balloons that refuse to either fail in a satisfyingly catastrophic way, or stop that constant leak down our pants.
Neither "the cloud" nor the Internet are any more insecure than they were a couple of months ago. Some of the attacks – Sony's blockbuster Fubar Series and Epsilon's email-address giveaway, for example – succeeded because of flaws or stupid flaws, or a continuing series of the same stupid flaw in their security plans.
The rest failed because someone with secure access was tricked into giving someone whose identity they couldn't verify a password to get into the system.
Picture the underpaid, terrified guards bribed to open gates in the Great Wall of China to the Mongols, or that idiot in your apartment building who insists on holding open the security door for anyone who doesn't look like a homeless serial killer, whether they have a key or not.
Spear-phishing victims aren't like that.
Usually they're given all the information they think they need to confirm that giving out secure information is not only a good idea, but part of their job descriptions.
That's the whole point of spear-phishing. It works because it satisfies all the security criteria set up to keep people like spear phishers or Mongols or homeless serial killers out of the Circle of Trust. Once they're inside, all bets are off.
Recent history isn't just an alert that Web server and corporate remote-access security systems need to be made more secure.
They're a flashing light and siren drowning out the screaming of panicked users trampling each other to get out of a building that is either on fire, under attack or is filled with enough rumors about being on fire or under attack that everyone panics whether there's a reason to or not.
There's not a single answer to the uber-problem of making the Internet secure.
We've been at this civilization thing for a few tens of thousands of years and haven't made any individual human society completely secure, so it's probably not reasonable to expect it of the Internet.
We can adapt to exploits based on spear phishing – which has proven to be as big a leap in data-theft technology as virtualization and cloud computing have been in legitimate computing – to at least close off some of the more dramatically vulnerable spots.
We can set policies on how and when not to give out security information without visual- or voice confirmation of who we're dealing with, even when the request satisfies all the typical requirements.
We can even do outre things like getting the half of all IT security people who don't know where the files they're supposed to protect are stored to figure that out so they know what to protect.
And – I'm talking to you, Sony – we can plug that stupid SQL injection flaw that has been a swinging door into every network you've ever owned.
Yes, there are a lot of comparatively new, highly effective exploits out there combining social engineering, spear-phishing, malware and traditional attacks. Yes, there are a lot more people, groups and countries hacking at each other online. Yes the Internet is still a dangerous place.
But neither it nor the cloud is not more insecure than it was a month ago.
And not fixing obvious security flaws or even telling all the security managers in the company about the one that hit the most recent of your sites (this is for Sony, again), is just nothing but stupid.