File Sharing or Privacy Breaching Service? Beware!

In a perfect world the idea of ubiquitously sharing and using data files from anywhere around the globe is a great idea.

Some might even invent an esoteric term for it like Cloud Computing. File hosting services definitely provide convenience to people on the go. Until it doesn’t; such as the aftermath of security breach, resulting in a spill of private or confidential information.

While there are currently not a plethora of horror stories about such breaches, the recent Federal Trade Commission complaint about Dropbox certainly should give any file sharing service subscriber a moment’s pause. The popular Dropbox with apparently 25 million customers is being investigated for questionable confidentiality and privacy security measures.

The first few paragraphs of the complaint are as follows:

1. Dropbox has prominently advertised the security of its “cloud” backup, sync and file sharing service, which is now used by more than 25 million consumers, many of whom “rely on Dropbox to take care of their most important information.”

2. Dropbox does not employ industry best practices regarding the use of encryption technology. Specifically, Dropbox’s employees have the ability to access its customers’ unencrypted files.

3. Dropbox has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data.

4. Dropbox’s customers face an increased risk of data breach and identity theft because their data is not encrypted according to industry best practices.

5. If Dropbox disclosed the full details regarding its data security practices, some of its customers might switch to competing cloud based services that do deploy industry best practices regarding encryption, protect their own data with 3rd party encryption tools, or decide against cloud based backups completely.

6. Dropbox’s misrepresentations are a Deceptive Trade Practice, subject to review by the Federal Trade Commission (the “Commission”) under section 5 of The Federal Trade Commission Act. Security Anomaly or Business as Usual? So is the Dropbox security question an anomaly or consistent with the level of security found in other file sharing services.

According to a recent study entitled Exposing the Lack of Privacy in File Hosting Services published by 1DistriNet, Katholieke Universiteit Leuven, Belgium 2Institute Eurecom, Sophia Antipolis, France, researchers investigated the privacy of 100 file hosting services and discovered that a large percentage of them generate download uniform resource identifier (URI) in an insecure manner, which jeopardizes the confidential and privacy of user data.

The file hosting services generate unique file reference numbers for each user document, called uniform resource identifier. The way the these numbers are generated makes it easy for a person with malicious intent to predict what a valid URI might be and query the file sharing service to identify client names and ultimately their data.

The study identified that offending host services generate sequential numbers for URIs or generate very short identifiers that can be easily guessed by an attacker. Upon securing a valid user URI, the researchers found that by querying user a user file with a valid URI, sharing services often returned pages containing some information about the document (e.g., filename, size, and number of times it was downloaded), followed by a series of links which a user must follow to download the real file.

This user information was hacker heaven as an attacker could initially scrape the name of each file, and then download only those files that looked promising. In order to then determine if the URI vulnerability might result be a real world security threat, they experimented to see if potential attackers were actually aware of the vulnerabilities. They were.

To determine whether an attacker might try to exploit the identified vulnerabilities the researchers created honeypots composed of bogus files which they called HoneyFiles. Indeed, hackers downloaded these files and then attempted exploits on the HoneyFiles, as they contained opportunities for financial gain such as such as bogus PayPal accounts and credentials.

This article deals with security concerns about relatively unsophisticated, commodity file sharing services. The next logical question is: Are high profile commercial grade cloud computing services doing a sufficient job with their security?

Have a secure week. Ron Lepofsky CISSP, CISM, BA.SC (Mechanical eng) www.ere-security.ca