[real-eyes] Re: File Sharing or Privacy Breaching Service? Beware!

  • From: "&&& (Ruthie)" <clark.ruthie@xxxxxxxxx>
  • To: real-eyes@xxxxxxxxxxxxx
  • Date: Sun, 22 May 2011 13:09:43 -0500

Good for you...always good to see someone security conscious...did you 
get the msg from dropbox about changing your master password?
&&& (Ruthie)

I understand cats, men are the mystery!

"We are more than the sum of our parts."
We are the few,
Who speak for the many,
Who cannot speak for themselves.
        We are the many,
Who speak for the one,
Who could not speak for herself.


Private mail is *always* welcome here. <mailto:clark.ruthie@xxxxxxxxx>
MSN Messenger ID: clark.ruthie@xxxxxxxxx
Facebook: Ruthie Karme Clark

On 5/21/2011 8:42 PM, Mitchell D. Lynn wrote:
> The only ones I would trust are those that do all the encryption on the
> user's system. The only stuff I have on drop box has been Secure Zipped with
> a monster pw.
>
>
> -----Original Message-----
> From: real-eyes-bounce@xxxxxxxxxxxxx [mailto:real-eyes-bounce@xxxxxxxxxxxxx]
> On Behalf Of Steven Clark
> Sent: Saturday, May 21, 2011 6:47 AM
> To: nut@xxxxxxxxxxxxx; real-eyes@xxxxxxxxxxxxx
> Subject: [real-eyes] File Sharing or Privacy Breaching Service? Beware!
>
>
> Here is an interesting article I read this morning about the security of
> drop box and other file storage services.
> Steve
> The following is from
> http://ere-security.com/blog/file-sharing-or-privacy-breaching-service-beware :
> File Sharing or Privacy Breaching Service? Beware!
> In a perfect world the idea of ubiquitously sharing and using data files
> from anywhere around the globe is a great idea. Some might even invent an
> esoteric term for it like Cloud Computing.
> File hosting services definitely provide convenience to people on the go.
> Until it doesn't; such as the aftermath of security breach, resulting in a
> spill of private or confidential information.
> While there are currently not a plethora of horror stories about such
> breaches, the recent Federal Trade Commission complaint about Dropbox certainly should give any
> file sharing service subscriber a moment's pause. The popular Dropbox with
> apparently 25 million customers is being investigated for questionable
> confidentiality and privacy security measures. The first few paragraphs of
> the complaint are as follows:
> 1. Dropbox has prominently advertised the security of its "cloud"
> backup, sync and
> file sharing service, which is now used by more than 25 million consumers,
> many of whom "rely on Dropbox to take care of their most important
> information."
> 2. Dropbox does not employ industry best practices regarding the use of
> encryption technology. Specifically, Dropbox's employees have the ability to
> access its customers'
> unencrypted files.
> 3. Dropbox has and continues to make deceptive statements to consumers
> regarding the extent to which it protects and encrypts their data.
> 4. Dropbox's customers face an increased risk of data breach and identity
> theft because their data is not encrypted according to industry best
> practices.
> 5. If Dropbox disclosed the full details regarding its data security
> practices, some of its customers might switch to competing cloud based
> services that do deploy industry best practices regarding encryption,
> protect their own data with 3rd party encryption tools, or decide against
> cloud based backups completely.
> 6. Dropbox's misrepresentations are a Deceptive Trade Practice, subject to
> review by the Federal Trade Commission (the "Commission") under section 5 of
> The Federal Trade Commission Act.
> Security Anomaly or Business as Usual?
> So is the Dropbox security question an anomaly or consistent with the level
> of security found in other file sharing services. According to a recent
> study entitled Exposing the Lack of Privacy in File Hosting Services
> published by DistriNet, Katholieke Universiteit Leuven, Belgium and Institute
> Eurecom, Sophia Antipolis, France, researchers investigated the privacy of
> 100 file hosting services and discovered that a large percentage of them
> generate download uniform resource identifiers (URIs) in an insecure manner,
> which jeopardizes the confidentiality and privacy of user data.
> The file hosting services generate unique file reference numbers for each
> user document, called uniform resource identifiers. The way these numbers
> are generated makes it easy for a person with malicious intent to predict
> what a valid URI might be and query the file sharing service to identify
> client names and ultimately their data.
> The study identified that offending host services generate sequential
> numbers for URIs or generate very short identifiers that can be easily
> guessed by an attacker.
> Upon securing a valid user URI, the researchers found that by querying
> a user file with a valid URI, sharing services often returned pages
> containing some information about the document (e.g., filename, size, and
> number of times it was downloaded), followed by a series of links which a
> user must follow to download the real file.
> This user information was hacker heaven as an attacker could initially
> scrape the name of each file, and then download only those files that looked
> promising.
> In order to then determine if the URI vulnerability might be a real
> world security threat, they experimented to see if potential attackers were
> actually aware of the vulnerabilities. They were.
> To determine whether an attacker might try to exploit the identified
> vulnerabilities the researchers created honeypots composed of bogus files
> which they called HoneyFiles.
> Indeed, hackers downloaded these files and then attempted exploits on the
> HoneyFiles, as they contained opportunities for financial gain such as
> bogus PayPal accounts and credentials.
> This article deals with security concerns about relatively unsophisticated,
> commodity file sharing services. The next logical question is: Are high
> profile commercial grade cloud computing services doing a sufficient job
> with their security?
> Have a secure week. Ron Lepofsky CISSP, CISM, BA.SC (Mechanical eng)
> www.ere-security.ca
> --
> twit.tv
> Netcasts you love from people you trust
> Listen or watch live! http://live.twit.tv/ Listen live via Winamp
> http://twit.am/listen.m3u
>
> To subscribe or to leave the list, or to set other subscription options, go
> to www.freelists.org/list/real-eyes
>
>


To subscribe or to leave the list, or to set other subscription options, go to 
www.freelists.org/list/real-eyes
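The quoted article describes hosting services that issued sequential or very short download identifiers, so valid URIs could be enumerated and their metadata pages scraped. As an added example (not part of this thread, the article, or the cited study), here is a small Python model of the defender's side: a download-link store that issues high-entropy tokens from the standard `secrets` module, helpers that size a token for a required amount of entropy, and a lookup that returns nothing at all for malformed or unknown tokens. Every name and number in it (the store class, the 32-byte token size, the sample filename) is an assumption constructed for this illustration.

```python
"""Added example (not from the mailing-list thread or the cited study):
issuing unguessable download identifiers instead of sequential or short ones."""
import math
import secrets
import string

# Alphabet produced by secrets.token_urlsafe(): unpadded URL-safe base64.
URLSAFE_ALPHABET = string.ascii_letters + string.digits + "-_"


def token_entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random token of this length and alphabet."""
    return length * math.log2(alphabet_size)


def minimum_token_length(alphabet_size: int, required_bits: float) -> int:
    """Shortest token length (in characters) that reaches the required entropy."""
    return math.ceil(required_bits / math.log2(alphabet_size))


def expected_guesses_per_hit(entropy_bits: float, live_tokens: int) -> float:
    """Average number of blind guesses before one valid token is found, given how
    many valid tokens exist at once (the enumeration scenario the study describes)."""
    return (2.0 ** entropy_bits) / live_tokens


# --- the weak schemes the quoted study describes (constructed illustration) ---
def sequential_id(counter: int) -> str:
    """Sequential identifier: the next valid one is simply counter + 1."""
    return str(counter)


def short_random_id(length: int = 4) -> str:
    """Short decimal identifier: only 10**length possibilities to try."""
    return "".join(secrets.choice(string.digits) for _ in range(length))


# --- hardened scheme (assumed sizing: 32 random bytes = 256 bits, 43 chars) ---
TOKEN_BYTES = 32


def secure_download_token(nbytes: int = TOKEN_BYTES) -> str:
    """Cryptographically random, URL-safe share token."""
    return secrets.token_urlsafe(nbytes)


def is_plausible_token(token: str, nbytes: int = TOKEN_BYTES) -> bool:
    """Cheap format check: anything of the wrong length or alphabet cannot be a
    token we issued, so it never reaches the lookup path."""
    expected_len = math.ceil(nbytes * 4 / 3)
    return len(token) == expected_len and all(c in URLSAFE_ALPHABET for c in token)


class DownloadStore:
    """Maps share tokens to stored filenames (hypothetical store for the example).
    Unknown tokens yield None and no metadata, so a probe learns nothing about
    other users' files; the study found real services leaked filename, size and
    download count to anyone holding a guessed URI."""

    def __init__(self):
        self._files = {}

    def publish(self, filename: str) -> str:
        token = secure_download_token()
        self._files[token] = filename
        return token

    def lookup(self, token: str):
        if not is_plausible_token(token):
            return None
        return self._files.get(token)


if __name__ == "__main__":
    store = DownloadStore()
    link = store.publish("quarterly-report.pdf")   # constructed sample filename
    print("token:", link)
    print("4-digit id entropy bits:", round(token_entropy_bits(10, 4), 2))
    print("chars needed for 128 bits in base64url:", minimum_token_length(64, 128))
```

The sizing helpers make the study's finding concrete: a four-digit identifier carries about 13 bits, so with a hundred live files an attacker needs on average only about a hundred guesses per hit, whereas a 32-byte `token_urlsafe` value carries 256 bits and enumeration is hopeless. The format check in `is_plausible_token` is not a secret and adds no entropy; its purpose is to keep obviously malformed requests (sequential numbers, short strings) from touching the store at all, which also gives a clean signal for logging and rate limiting probes.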

