Partly Cloudy79° WeatherPartly Cloudy79° Weather

Hackers having field day as sensitive data moves to 'cloud'

LOS ANGELES — As hackers continue their rampage against the world's largest banks, defense contractors and technology companies, executives and government officials are confronting a sobering truth: The bad guys are winning.

The seemingly unending string of high-profile attacks, most recently against Citigroup and Sony, has shown that nearly every organization is vulnerable to a growing contingent of well-trained and agile attackers who are finding security holes faster than they can be plugged.

"It's gotten very dangerous out there," said Stan Stahl, a security consultant and president of the Los Angeles chapter of the Information Systems Security Association. "There's an epidemic of this stuff going on right now."

The increase in high-profile attacks comes as companies are looking to move more of their business operations online, including to the "cloud," in which computing tasks are outsourced to firms that maintain huge data centers around the world.

Despite the cloud's potential for cost savings and reducing the hassles of running in-house computer servers, security analysts say it may not yet be as safe as advertised — a warning that many companies are taking seriously.

Alex Bermudez, security manager for Beachbody, a Los Angeles company that makes the popular P90X workout videos, said that although his company is beefing up security as it expands overseas, he has held off on shifting operations into the cloud.

"There are a lot of good technology companies doing the cloud well," he said, but having his company's data stored remotely, alongside data from many other firms, "is a little scary."

Concerns about the cloud dominated conversation at a conference this week on cyber security at the University of California at Los Angeles. The conference drew nearly 400 executives, double last year's attendance.

Eugene Schultz, chief technology officer at Emagined Security, said hackers are spending substantial amounts of time and effort looking for ways to penetrate the cloud.

"There are some real Achilles' heels in the cloud infrastructure that are making big holes for the bad guys to get into," he said.

Because data from hundreds or thousands of companies can be stored on large cloud servers, he said, hackers can theoretically gain control of huge stores of information through a single attack — a process he called "hyperjacking."

As attacks yield increasingly lucrative financial and personal data, the crowd of outlaws is growing, too, many from developing nations where unemployment rates are high and programming jobs are in short supply.

In much the same way that YouTube and cell phones have enabled millions to become filmmakers, low-cost hacking tools have automated the hacking process for novices.

"A lot more people understand how to do this now," said Samy Kamkar, a security researcher and former hacker who once created a malicious computer program that crashed MySpace. "It's much easier for any kid with a computer to download software, point it at a company's website and attempt to run various attacks."

A hacker group called LulzSec has taken credit for recent attacks on the websites of the U.S. Senate, the CIA and several video game companies.

In Internet lingo, the word "lulz" means laughs that are had at the expense of others — and it's the group's self-proclaimed raison d'être.

"Vigilantes? Nope. Cyber terrorists? Nope," the group tweeted recently. "We have no political motives — we do it for the lulz."

Hackers having field day as sensitive data moves to 'cloud' 06/17/11 [Last modified: Friday, June 17, 2011 10:39pm]

Copyright: For copyright information, please check with the distributor of this item, Los Angeles Times.
    

Join the discussion: Click to view comments, add yours

Loading...