Privacy and security in the cloud – is there any?

This evening (Monday 30 May 2011), I’ll be lecturing at the New South Wales branch forum of the Australian Computer Society (ACS).

The topic is Privacy and security in the cloud – is there any?

The Cloud - whatever that is - isn't new, whatever the marketing material may imply. But the scale of many modern-day cloud-oriented services is simply enormous. And since those services are run by experts, they readily promise to deliver the "holy trinity" of computer security - confidentiality, integrity and availability.

But do they? Will they? Can they? This thought-provoking presentation will help you advise your colleagues, your friends and your family how to embrace the benefits of the cloud whilst steering clear of the major risks.

Our collective will to rush headlong into cloud computing – especially as the providers of content to global services such as Facebook and YouTube – is enormous. Our desire to publish information and content about ourselves (and, frequently, about other people, with or without their permission) has even led to new units of measure.

For example, YouTube now quantifies its success in “hours per minute”. According to a recent post on YouTube’s official blog, more than 48 hours’ worth of video are uploaded to YouTube each minute, and more than 3 billion videos are viewed each day.

Is this a good thing? Or bad? Or just meaningless on an individual scale?

To an astrophysicist, for example, 48 hours’ upload per minute works out at approximately three kiloseconds per second. (Actually, it’s 2.88 ksec/sec, but astrophysicists are allowed to make approximations.)

But what sort of unit is “seconds per second”, anyway? Surely the seconds simply cancel out and we’re left with a dimensionless number – 2880?

Worse still, as that number increases – and YouTube is delighted to tell us that it’s gone up by 100% over the past year – we’re all compelled to watch more YouTube videos just to keep up.

And with official YouTube video views up by a mere 50% over the past year, it looks as though we’re going to have to spend twice as long watching other people’s pets do much the same sort of repetitious things as our own, but slightly out of focus.

Is it really worth publicising ourselves and sharing personal and business information to the extent we do? Or do we need to take time to re-evaluate the boundary between the data we can safely entrust to other people, and the data we ought to guard more jealously – or, at least, to sell at a higher price?

There are still a few places left at tonight’s lecture. It’s at Circular Quay in Sydney; it’s free to ACS members ($55 for non-members); it starts at 6.15pm (arrive from 5.30pm); and you can register here.

If you’re in the vicinity, why not come along and help us argue through the issues?

(And if you’re a Facebook user, why not review some tips on protecting your identity on social networking sites, or join the Sophos Facebook page, where we have a thriving community of over 85,000 people.)

Honda Canada loses 283,000+ records, now faces lawsuit

Honda Canada disclosed the loss of more than 283,000 records this week. Letters mailed to affected customers explained that the information was stolen in March when hackers broke into the myHonda and myAcura websites.

Honda waited over two months to notify its customers, claiming it needed to assess the gravity of the situation and determine exactly what data may have been stolen. While it is important to determine the facts, Honda appears to have been less forthright than they claim.

The letter mailed to Honda customers stated:

“The incident involved the possible improper access of information, as held in our records in 2009, specifically your name, address and Vehicle Identification Number.”

A few days later, Honda appended the following to the statement on its website:

“and in a small number of cases, Honda Financial Services (“HFS”) account numbers.”

The Toronto Star reports that this has triggered a class action lawsuit on behalf of affected customers. The lawyers are suing for $200 million in damages for failure to protect personal and confidential information and failure to notify customers in “a reasonable amount of time.”

Similar to one of the Sony attacks, it is being reported that the data was left behind after a mailing campaign in 2009 and not properly deleted. Honda Canada should have been on high alert after a very similar incident at Honda USA.

Honda Canada customers should watch carefully for fraud or contact from parties claiming to be related to Honda or Honda Finance. Fortunately, most of the information that was compromised is public knowledge and did not include birth dates, Social Insurance Numbers or other confidential information.

Has your organization taken the appropriate steps to secure your customers’ data? A little encryption can go a long way in protecting you from a data loss incident and, as we see here, even lawsuits.

If you would like to learn more about data protection and the types of threats that can compromise your organization, why not download our free Data Security Toolkit?

SSCC 61 – Sony, Honda, Mac Defender and best practices on securing your organization

On this week’s Chet Chat I interview one of our most experienced technical support account managers and discuss why “we’re doing it wrong”. Paul has worked as a security architect and defended against a slew of targeted attacks in very large environments.

Security is a process not a purchase… Many of us have acquired state-of-the-art high quality tools and yet we fall victim to everyday threats. Paul shares his philosophy on the techniques you can use to get the most out of your security investments.

As usual I also cover the week’s news including the latest attacks on Sony, the data loss event at Honda Canada and the evolution of the fake anti-virus threat facing Apple Mac OS X users.

If you prefer a news summary for the week in text format, visit the Sophos Security News and Trends for the latest selected hot topics or subscribe to our weekly newsletter, Sophos eNews.

(27 May 2011, duration 21:20 minutes, size 8.5MBytes)

You can also download this podcast directly in MP3 format: Sophos Security Chet Chat 61 or subscribe to our RSS.