File Sharing or Privacy Breaching Service? Beware!

Sunday, May 22, 2011

Ron Lepofsky

39b6d5c1d3c6db11155b975f1b08059f

In a perfect world the idea of ubiquitously sharing and using data files from anywhere around the globe is a great idea.  Some might even invent an esoteric term for it like Cloud Computing.

File hosting services definitely provide convenience to people on the go. Until it doesn’t; such as the aftermath of security breach, resulting in a spill of private or confidential information.

While there are currently not a plethora of horror stories about such breaches, the recent Federal Trade Commission complaint about Dropbox certainly should give any file sharing service subscriber a moment’s pause. 

The popular Dropbox with apparently 25 million customers is being investigated for questionable confidentiality and privacy security measures. The first few paragraphs of the complaint are as follows:

1. Dropbox has prominently advertised the security of its “cloud” backup, sync and file sharing service, which is now used by more than 25 million consumers, many of whom “rely on Dropbox to take care of their most important information.” 

2. Dropbox does not employ industry best practices regarding the use of encryption technology. Specifically, Dropbox’s employees have the ability to access its customers’ unencrypted files. 

3. Dropbox has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data. 

4. Dropbox’s customers face an increased risk of data breach and identity theft because their data is not encrypted according to industry best practices. 

5. If Dropbox disclosed the full details regarding its data security practices, some of its customers might switch to competing cloud based services that do deploy industry best practices regarding encryption, protect their own data with 3rd party encryption tools, or decide against cloud based backupscompletely. 

6. Dropbox’s misrepresentations are a Deceptive Trade Practice, subject to review by the Federal Trade Commission (the “Commission”) under section 5 of The Federal Trade Commission Act. 

Security Anomaly or Business as Usual?

So is the Dropbox security question an anomaly or consistent with the level of security found in other file sharing services. 

According to a recent study entitled  Exposing the Lack of Privacy in File Hosting Services published by 1DistriNet, Katholieke Universiteit Leuven, Belgium 2Institute Eurecom, Sophia Antipolis, France, researchers investigated the privacy of 100 file hosting services and discovered that a large percentage of them generate download uniform resource identifier (URI) in an insecure manner, which jeopardizes the  confidential and privacy of user data. 

The file hosting services generate unique file reference numbers for each user document, called uniform resource identifier. The way the these numbers are generated makes it easy for a person with malicious intent to predict what a valid URI might be and query the file sharing service to identify client names and ultimately their data. 

The study identified that offending host services generate sequential numbers for URIs or generate very short identifiers that can be easily guessed by an attacker.  

Upon securing a valid user URI, the researchers found that by querying user a user file with a valid URI, sharing services often returned pages containing some information about the document (e.g., filename, size, and number of times it was downloaded), followed by a series of links which a user must follow to download the real file.

This user information was hacker heaven as an attacker could initially scrape the name of each file, and then download only those files that looked promising. In order to then determine if the URI vulnerability might result be a real world security threat, they experimented to see if potential attackers were actually aware of the vulnerabilities.  They were. 

To determine whether an attacker might try to exploit the identified vulnerabilities the researchers created honeypots composed of bogus files which they called HoneyFiles. 

Indeed, hackers downloaded these files and then attempted exploits on the HoneyFiles, as they contained opportunities for financial gain such as such as bogus PayPal accounts and credentials. 

This article deals with security concerns about relatively unsophisticated, commodity file sharing services. The next logical question is: Are high profile commercial grade cloud computing services doing a sufficient job with their security? 

Have a secure week.  Ron Lepofsky CISSP, CISM, BA.SC (Mechanical eng)   www.ere-security.ca

Possibly Related Articles:
14803
General
Service Provider
Cloud Security Storage Vulnerabilities file sharing Dropbox uniform resource identifier
Post Rating I Like this!
Default-avatar
Jon Taylor I don't think users of typical file sharing sites actually expect any reasonable level of privacy or security. After all they are uploading their files to them without any real knowledge of how secure they are, or how trustworthy their staff are.

I've actually been developing a host-proof file sharing solution over the last year or so which I have recently launched. The idea is that all of the data is encrypted on the client before uploading, the challenge is doing all that in javascript so the user doesn't have to download any extra software.

Another advantage of a host-proof design is that the user could (if they so wished) audit the code before logging in or uploading any data to make sure that a security breach is impossible.

Check if out if you want, i'd love it if you gave it a mention in one of your articles!

http://www.senditonthenet.com/
1306176877
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.