File-hosting Sites Not a Safe Haven For Private Data
An anonymous reader tips a story at the Register, according to which "Academic researchers say they've uncovered weaknesses in dozens of the most popular file hosting sites that allow people to gain unauthorized access to data that's supposed to be available only to those selected by the user."
"They also used the sites to store private files that contained internet beacons, so they'd know if anyone opened them. Over a month's span, 80 unique IP addresses accessed the so-called honey files 275 times, indicating that the weakness is already being exploited in the wild to harvest data many users believe isn't available for general consumption." Um, what's an "internet beacon"?
Just another reason why you should be using file encryption such as Truecrypt to encrypt everything personal.
Even if it's on your own hard drive. You're only one rootkit away from giving it away to the world.
In Soviet Russia, Trojan exploits YOU!
That link I posted to a rar full of my favorite pr0n pics on /b/ is easy pickings to thousands of other online users? No wai!
I mean, I had no idea most people who used quick upload services like imgur, rapidshare, and mediafire uploaded most of their files with any implied expectancy of privacy. But boy was I wrong!
Why would you upload private data to some file hosting site? These (e.g. RapidShare) aren't the kind of services where you can modify files after uploading (such as Dropbox), so encryption is not much of a hassle. You have no reason not to encrypt the files before uploading them.
I dream of a nation where a man is not judged by his skin color but by a number assigned by a credit rating agency.
This is the kick-off to Slashdot's "No Shit Week"
Academic researchers say they've uncovered weaknesses in dozens of the most popular file hosting sites that allow people to gain unauthorized access to data that's supposed to be available only to those selected by the user.
And is anyone surprised?
And is anyone who has only uploaded *encrypted backups* terribly concerned? They may still change providers due to a loss of confidence but they are probably not losing a lot of sleep.
Allow me to lead /. in a collective "duh!".
How about Mediafire? All those other sites seem like general file hosting sites, media fire always seemed to me to lean itself towards personal storage, and private if you choose not to share it. If I recall you have to choose to share each folder/item instead of it being shared automatically. They looked at the most popular sites but what makes those sites more popular is the public sharing aspect.
The services, which include sites such as RapidShare, FileFactory, and Easyshare, allow users to upload large files and make them available to anyone who knows the unique URI (or Uniform Resource Identifier) that's bound to each one. Users may post the link on websites or forums available to the public or share it in a single email to prevent all but the recipient from downloading it. RapidShare, for instance, says it can be used to “share your data with your friends, colleagues or family.”
But according to academics in Belgium and France, a “significant percentage” of the 100 FHSs (or file hosting services) they studied made it trivial for outsiders to access the files simply by guessing the URLs that are bound to each uploaded file. What's more, they presented evidence that such attacks, far from being theoretical, are already happening in the wild.
Stopped reading right there. It's not private just because the URL is some randomly generated string. These sites are not designed to securely transfer files to only the recipient so this is not in any way a "weakness".
“These services adopt a security-through-obscurity mechanism where a user can access the uploaded files only by knowing the correct download URIs,” the researchers wrote in a paper presented at the most recent USENIX Workshop on Large-Scale Exploits and Emergent Threats.
Hey, guess how passwords work? They're hard to guess. How do biometrics work? Your fingerprints are hard to replicate. How do keycards work? It's hard to guess whatever code is stored in it. All security ultimately comes down to some token that is "obscure."
All security is through obscurity. If these sites are being accessed when they shouldn't, it means that there's an information leak, that is, the owners think (or claim) that it is far more obscure than it really is.
duhhhhhhh!! ?? why is this worthy of a story here??
Holy moly, they assured me I could put "private" stuff up there and nobody but me would be able to look at it. I feel like I can't trust anyone's word now.
Those sites are really designed to host pirated material. If a user posts, say, a Photoshop file for another user to download, there is no reason for the recipient to pay for a premium download. (Presumably the primary source of revenue for these sites). Now if a user is downloading seasons 5, 6 and 7 of a TV series, then they might be willing to pay for the premium service.
Regarding the lost privacy aspect. If you are boneheaded enough to post anything sensitive on a site like that, then it is likely no amount of information would give you pause from doing it in the future.
It is safer and better.
In a contest of brute force, SSH keys are exponentially superior to passwords. You're not going to get passwords to have the same resistance. Period.
Not to mention, keyed access removes a great deal of moronic IT bullshit regarding password policies - you know, the policies that lead to weak passwords, lead to users actively subverting those policies ("Fuck this monthly change shit, I'm using p4ssword02. And next month, I'll use p4ssword03.", et cetera).
ORLY?
Brute-force attacks should never be an issue, regardless of whether passwords or keys are being used. Even shitty authentication systems will lock accounts after a small number of failures, or will at least introduce an exponential delay between subsequent attempts. If you can only perform 20 failed logins per day, if not fewer, for a given account, then it will significantly reduce the potential of a successful brute-force attack.
One of the main problems with keys is that they're much too long for most users to remember, so they almost always end up stored in a file or database of some sort. This act alone reduces the overall security far, far more than the risk of a brute-force attack. Given that they're often stored in common locations, even on different installations of different operating systems, all it takes are slightly incorrect permissions on a user's home directory and their keys are easily accessible. It gets worse if the system or home directory is periodically backed up, with the key being propagated (perhaps unknowingly!) to other media and locations.
It does no good if you have six deadlocks on your door, but then you leave all six keys sitting inside the house on a window sill next to the door, easily visible and protected only by a fragile pane of glass.
This is very surprising given that this was never an issue? Oh, I think I'll just store this data here..LOL
When are people going to realize that putting anything on the cloud, unless it's uber encrypted, and maybe even then is not safe? It's not safe from prying eyes, and it's not safe from vanishing one day? Personally I will never trust the cloud, and the sooner everyone agrees with me the better off we will be. :)
Mean what you say...say what you mean.
E-mail itself isn't encrypted and any email you send transmits through and may even reside, unencrypted, on several servers between the sender and the recipient. If someone were to gain physical access to whatever server your email is stored on, they can read all your email. Or gain physical access to any server that transmits email and read a lot of email going through that server.
An email provider is a bit like your doctor - they have several motivations for NOT disclosing your private information, but there is no physical restriction preventing them from doing so.
paintball
The recent complaints about Dropbox and similar file storage sites violating users' privacy in return to lawsuits is because the site is doing the encryption, not the user.
If you want to protect your data, you can never hand the storage site unencrypted data, and this includes handing them encrypted data along with the keys. Ideally, depending on the kind of security you're looking for, you'd like their storage system not to store files in ways that are easily traced back to you (for instance, the file gets stored with a filename that's a random string, and the storage site forgets who it belongs to after storing the file, so that anybody who steals the disk drive only knows that there are files named "bunch of random digits", and has no way to know which ones belong to which users). Anybody who wants to recover the file needs to know the filename (so the service can retrieve it) and the decryption key (which the service doesn't know).
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
does this surprise anyone?
"He who trusts private data to remote host has head in cloud..."
Even worse than a safe haven are all those unsafe havens! Never put your data there!
At least download peazip.com (crossplatform LGPL.), to encrypt your files.
Using the same password over and over again?
Install passwordmaker.org to generate all your passwords.
Exists for most browsers, as javascript, CLI, also Maemo (in development), android, iphone.
All the above is useless of course, if your OS is not up to date and depending on platform don't use the usual anti-malware/virus.
"If terrorists hate us for our freedom, does that mean they're slowly starting to like us?" -- Philosoraptor.
sky may be blue. News at 11.
If you want to secure some data that only you have, build a bonfire and burn it.
Help stamp out iliturcy.
... is their ULA. Hosts can do ANYTHING with your info and data.
If I upload a file to a public URL, you mean anyone can access it? I'd never have guessed!
I always thought the whole point of those sites was to share it with the public to begin with. This really comes as no big surprise to find this out now. You're putting your data in the hands of a total stranger, of course it's not secure!
Part of the issue is how these sites market themselves. Many sell themselves as "a fast, easy, secure way to send files to friends and colleagues without being hit by such bothersome things as email size limits or limits on sending executables".
The security they provide varies. Some allow you to password-protect the download (so nobody's getting it without entering the password first). Others don't do this, the security stems from the URL they give you to include in the email being apparently-random and not published anywhere. Security through obscurity, in other words. To you and me, this is a disaster waiting to happen, but these products aren't being used by you and me. They're being used by others in the business who are annoyed that the IT department is blocking them from sending out a particular attachment, and rather than ask the IT department to come up with a solution are instead using such a service. It's actually pretty common for these companies to offer corporate accounts so you can give your users a solution which is branded with your company name and logo and allows you to enforce rules regarding what options users may choose when they come to send a file. But corporate accounts cost money, getting the money means setting up a project and will take a minimum of a couple of months. This file needs to reach the recipient in a couple of hours.
These researchers have demonstrated that not only are the URLs generated not particularly random, they're easy to guess and people are already guessing them left and right.
Well e-mail security is poor but that isn't the point. A URL is not a password and should not be treated as one. It's fairly easy to guess random text strings until you get a hit on these URLs. You will eventually find *something*.
Not really, the random string just needs to be random enough and long enough and it will take you longer than the life of the universe to "find something". Since no user needs to remember it, making it unguessable does not impact usability either. And if you want to make sure it does not become known to a MiTM, just do all the file downloading over HTTPS.
Yes, the web is a mess of technologies taped onto each other, but that doesn't mean there aren't right ways and wrong ways of using it from a security point of view.
While you have a point that many security methods such as passwords rely on 'obscurity', one can still make a distinction between methods which rely on poorly measured (and typically low) entropy and methods which rely on well defined entropy. Usually when people talk about the dangers of security through obscurity, they are talking of the former;...
No. Security by obscurity means security achieved by keeping the details of your system secret (architecture, algorithms, etc), so people don't know how to break in. The accepted way to do security, on the other hand, is to build a system that is secure even against adversaries who know everything about your system, lacking only a well defined credential or set of credentials (a password, certificate, fingerprint, etc).
Using "secret" URLs to provide access is not security by obscurity if there is enough randomness involved that URLs are practically unguessable, though if it does not go over HTTPS it is certainly weak against certain threat models (Man-in-the-middle).
first thought after reading headline: "Well DUH."
I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
FTA: "The researchers said the most effective countermeasure against the attacks is the use of encryption on the user's computer." Enough said.
Mod Me Up. You'll make a grown man cry.
Excuse me. Sure, I trust free web-services, who ahem usually are programmed in the cheapest way to get salting right. Such a thing has never happened before that IDs could be guessed.
Let me say it like this: if you don't want people to access it, then encrypt it and don't put it on a free filehoster.
How can that be? It's the cloooooooooooooouuuuuuuuuuuuuuuuuuud!
~Syberz
Folks, this is easy to prevent: rather than a sequential numbering (you've got to be kidding me) or a small pseudorandom number (you've got to be kidding me), use a cryptographically-secure hash of the file itself. Heck, for share-site purposes SHA-1 is almost certainly good enough, although I prefer SHA-512. Base64-encode it, slap that in the URL and you're done: hash guessing is a fool's game.
This is so far from rocket science that it's not even funny. Heck, you even get automatic deconfliction (that means you don't store two copies of the same file) for free!
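
An added example (not part of any comment above and not code from the study): it puts numbers on the "random enough and long enough" argument and contrasts a CSPRNG token with the content-hash identifier proposed in the last comment, which is identical for everyone who already holds the same bytes and so works as an identifier but not as a secret. The `ShareStore` class, the file counts and the guess rate are constructed assumptions.

```python
import hashlib
import math
import secrets
from typing import Dict, Optional

SECONDS_PER_YEAR = 365 * 24 * 3600

def id_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of an identifier drawn uniformly at random."""
    return length * math.log2(alphabet_size)

def expected_seconds_to_first_hit(bits: float, live_files: int,
                                  guesses_per_sec: float) -> float:
    """Mean time until a random guess matches any live file.

    Each guess succeeds with probability live_files / 2**bits, so the
    mean number of guesses is the reciprocal of that probability.
    """
    expected_guesses = 2.0 ** bits / live_files
    return expected_guesses / guesses_per_sec

def content_hash_id(data: bytes) -> str:
    """Identifier derived only from the file bytes (deterministic)."""
    return hashlib.sha512(data).hexdigest()

class ShareStore:
    """Toy in-memory link store (hypothetical, for illustration)."""

    def __init__(self) -> None:
        self._by_digest: Dict[str, bytes] = {}

    def publish(self, data: bytes) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Keep only a digest of the token, so a leaked index does not
        # reveal working download links.
        self._by_digest[hashlib.sha256(token.encode()).hexdigest()] = data
        return token

    def fetch(self, token: str) -> Optional[bytes]:
        return self._by_digest.get(hashlib.sha256(token.encode()).hexdigest())

if __name__ == "__main__":
    # Constructed scenario: one million live files, 100 guesses per second.
    weak = expected_seconds_to_first_hit(id_bits(10, 8), 10**6, 100)
    strong = expected_seconds_to_first_hit(256, 10**6, 100)
    print(f"8-digit numeric ID: first hit after ~{weak:.1f} s")
    print(f"256-bit token: first hit after ~{strong / SECONDS_PER_YEAR:.1e} years")
```

Serving the links over HTTPS and encrypting the file before upload, both raised in the thread, remain separate controls: the token only decides who can ask for the bytes.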