Category Archives: Information Securit

Down The Rabbit Hole And Into The Cloud

With Chrome OS on the horizon, there has been a lot of blogging about whether client computers will become more secure. I would just like to take this opportunity to look at this question from an other, less discussed, angle – the angle that follows the data and not the computer that access the data.

Since Chrome OS is basically nothing more than a web-browser, it has been claimed that the client computers running it will become a lot more secure. I don’t necessarily dispute this claim but I want to highlight the real reason why this will be the case. Certainly, the less points of attack there are (i.e. the smaller the system), the less vulnerabilities there will be to exploit. But more importantly, the reason why Chrome OS based clients will be safer, will be that the data that is usually stored locally on PC’s will be stored somewhere in the Cloud. As such, it will become less appealing for criminals to find exploits to access data on the client computers.

And if the hackers will no longer care about client computers, where will they then be focusing their attention? That is right, to the Cloud. We are entering a whole new era of storing, processing and accessing of data. As such I would not be surprised if we see a whole new genre of exploits emerge – you know like buffer overflows for C or SQL injections for databases or XSS for websites. I’m quite certain that we will see a new generation of exploits emerge that are specific to Cloud solutions. I don’t know enough about Cloud architectures to know what these exploits will look like but I’m sure that the principle will be as basic and simple as the principles are for any of the exploit categories I just mentioned.

After all, if Google is sitting on all this data why on Earth would hackers keep writing exploits for client computers when most of them will contain limited amounts of useful information. Sure, the temptation of viruses that collect passwords and credit card details is still luring, but I think that the more hard-core hackers will follow the data, and if the data goes to Google, that is where the hackers will go. It just seems silly to spend time and energy to come up with remote exploits to gain access to local clients, when you can gain access to ALL the data stored by Google of ALL their users. Sure, it’s not going to be easy but after all, Chrome OS will be a (somewhat) trusted client connecting to the Google infrastructure – what else do you need as a starting point?

Furthermore, any exploits that do more then collect keystrokes or credit card numbers entered into a browser on a local computer will need to use the Google infrastructure to collect the user’s data from the Cloud. For example if a virus wants to get the address book of the victim to spread itself, it needs to get into the Gmail interface. So, it will need to communicate with the Cloud. And once it is communicating with the Cloud, why would it not take the next step and check out what else is stored in the Cloud under the user’s account. And if it is already there, why not try to escalate privileges and try to gain access to other people’s data? And while there, might as well see if there are any corporations storing data somewhere near… do you see?

So, sure, the Chrome OS clients will definitely be more secure then your average PC’s (even the ones with updated operating systems and virus scanners), but that does not necessarily mean that your data will be more safe. It just means that another attack vector has been added – that of the Cloud. More and more hackers will be drawn to try to exploit the Cloud infrastructure to gain access to several users’ data from within the cloud, circumventing any interaction from the user.