As one of the original seed investors in Carbonite (www.carbonite.com), the leading online backup service provider, I often worry about data backup. As we move toward a nearly 100% digital life with digital documents, contacts, calendars, to do lists, music, photos, financial statements, etc it becomes extremely important that we backup our digital data, because the digital data has become our lives.
As we move toward cloud computing, backup becomes more nebulous. Certainly the online providers are backing up our data in mass to protect themselves from major data center disasters, but in a multi-tenant environment, what happens to the individual when they lose their cloud data?
As a huge Gmail fan, I used Outlook to sync with the cloud, so I was less worried about backing up my email in the cloud because it was replicated on my local Outlook database. Also, all of the rest of my personal information was store locally in Outlook and I backed that information up with Carbonite.
The scenario above all changed last fall when I made the move to Android for my mobile computing needs. I was "forced" into the cloud to take full advantage of everything great that Android had to offer. This meant that I had to move all my scheduling and contact data into the sky, and thus I stopped using Outlook all together as Gmail became my full time personal information management (PIM) system. Never again would I have to sync the data between my desktop PIM and my mobile device as they were always in sync wirelessly. I must admit for an old client/server user, the move to the cloud was was a bit of a leap for me as the network of contacts that I have built over 25 years in high tech has become my business lifeblood.
However, I quickly noticed how much more productive I was having all my cloud data available on any computer with a web browser, my Android devices, and my iPad. It worked so well that I stopped worrying about backup. The senior people that I know at Google ensured me that their cloud was backed up in multiple data centers, and that I would never lose my data.
Everything was fine until last week when I got a call from my brother that someone from Nigeria had hacked his Gmail account and changed his password, which locked him out of his account (see log file below).
My first thought was "lights out and game over", how can you manage your business if you don’t have access to your Gmail account. My second thought turned to backup and I realized that I had not backed up my information in Gmail in over six months. I quickly logged into Gmail and exported all of my contacts and re-synched my email database with my old friend Outlook (maybe syncing backup of the cloud will be Outlook’s legacy).
(browser, mobile POP3, etc.)
|Location (IP address)||Date/Time
(displayed in your time zone)
|Unknown||Nigeria (188.8.131.52)||Jun 21 (2 days ago)|
|Browser||* United States (NJ) (184.108.40.206)||9:54 am (0 minutes ago)|
|Browser||Nigeria (220.127.116.11)||9:09 am (44 minutes ago)|
|Browser||Nigeria (18.104.22.168)||8:01 am (1.5 hours ago)|
|IMAP||United States (NJ) (22.214.171.124)||7:58 am (2 hours ago)|
|IMAP||United States (NJ) (126.96.36.199)||3:01 am (6 minutes ago)|
|IMAP||United States (NY) (188.8.131.52)||1:15 am (8 hours ago)|
|Browser||United States (NJ) (184.108.40.206)||10:29 pm (11 hours ago)|
|Browser||United States (NJ) (220.127.116.11)||Jun 22 (20 hours ago)|
|Browser||Nigeria (18.104.22.168)||Jun 22 (21 hours ago)|
To Google’s credit, they were able to restore access to my Brother’s Gmail account quickly. However, when he logged back in, all of his contact data was deleted. I can only image the numerous identity thefts that might come from this data being in the wrong hands, but can you imagine losing all of your contact information? Google has too many users to hand restore individual contact databases for their Gmail users, so I would strongly suggest that all users make an effort to backup through export or sync to an external client-based PIM program like Outlook.
The "hacker 101 rule" after accessing a hacked email account is to immediately change the legitimate user’s password to buy precious time in order to download contacts, send out fraudulent emails, setup simple email rules on the unsuspecting user account like "forward all *.bankofamerica.com emails to Nigeria.com" and the Holy Grail problem of most online accounts that know you not by your name but by your email address. This puts everything you are, who you know and what you have the ability to access online at immediate risk and poses a clear and present danger to your online identity. Why? Simple, if the hacker assumes your email address is your account UserID he would simply try and access every social media site like LinkedIn, Twitter and Facebook as well as the major financial sites like Schwab, eTrade Quicken BoA, Wells, and Chase to name a few and he would simply click the link called "forgot my password" and enter the email address. Within seconds an email would arrive to the hacked inbox allowing the fraudster to gain access and full control to every account that uses this password reset modality.
The next big question is how someone was able to hack the account? The obvious answer is that some sort of spyware was installed on the client machine that was sniffing keystrokes for usernames and passwords. The Nigerian Hacker then used this information to log-in and change my brother’s password. Again, Google was able to "notice" this remote login, and inform the active session, but the real question is why would the Gaia (Google’s single sign on and password system) allow this to happen. The problem is that Gaia is not utilizing strong or any visible multi-factor authentication system for client log-ins.
For example, if Google was using a solution like Delfigo Security (www.delfigosecurity.com), that implements multi-factor authentication including a sophisticated keyboard bio-metric, machine ID, geospatial parameters, etc, they could have flagged this rouge log-in and aborted the password reset by a user that was clearly not the owner of the account.
Delfigo’s DSGateway product analyzes multiple identity factors – in the form of something you are, something you know and something you have – to assure you are who you say you are. It extends well beyond the single factor of the typical login credentials (username/password) typically required by many online applications. In this case, the hackers keystroke biometric would have been analyzed to determine if it matched the genuine users’ pattern. Then several machine identifiers and geospatial parameters would have been analyzed and compared against the behavioral patterns of the genuine user. Upon the completion of the analysis a Confidence Factor (CF) is assigned and the system would transparently provide the appropriate level of system access. More importantly, the flexible nature of DSGateway allows for thresholds to be adjusted based upon the assessment of risk of a particular activity. In this case the hacker needed to access the user’s profile to reset the password. Any change in a user profile is considered a very high risk activity, and Delfigo recommends that thresholds approach maximum levels for all high risk activities.
We have all heard the news about the high profile break-ins to Gmail accounts (http://www.pcmag.com/article2/0,2817,2362858,00.asp) that made Google abandon the Chinese market, but what happens when these break-ins occur to ordinary individuals which is more the norm theses days?
Google needs to do more to protect the access plane and provide more timely out of band notification like SMS’s to registered cell phones. In addition, Google should use the confidence factor of the log-in to prevent features such as export and the deletion of data. All of these features could easily be built into the business logic of Gmail and could be triggered from the confidence factor of the login that is provided by systems like Delfigo.
Lastly, users of Cloud Solutions like Gmail should also be careful not to store sensitive information in the various contact note fields. For example, storing social security numbers, credit card numbers, PIN numbers, account passwords, and physical safe combinations should not be stored in plain text fields that are only protected by username and passwords. User should instead move to more secure solutions like eWallet (http://www.iliumsoft.com/site/ew/ewx_win.php) that encrypts the data that is shared between client computers and mobile devices and thus never gets into the cloud.