Slashdot Mirror


File-hosting Sites Not a Safe Haven For Private Data

An anonymous reader tips a story at the Register, according to which "Academic researchers say they've uncovered weaknesses in dozens of the most popular file hosting sites that allow people to gain unauthorized access to data that's supposed to be available only to those selected by the user."

12 of 134 comments

  1. Encrypt Everything Private by Deathlizard · · Score: 4, Insightful

    Just another reason why you should be using file encryption such as Truecrypt to encrypt everything personal.

    Even if it's on your own hard drive. You're only one rootkit away from giving it away to the world.

    1. Re:Encrypt Everything Private by x*yy*x · · Score: 4, Insightful

      Crypting your data won't save it from a rootkit...

    2. Re:Encrypt Everything Private by TheEyes · · Score: 4, Informative

      But in order to actually use encrypted data, it has to be decrypted at some point, so the rootkit just needs to wait for you to decrypt it. In the case of, say, full disk encryption, this is rather easy.

      The idea is that you encrypt the file you send to the filesharing site, that way when the filesharing site is hacked all the attackers get is an encrypted file. In fact this is a "perfect" use for data encryption: the file is never decrypted on the remote machine, only on your local one, so stealing the data off the remote site can never give an attacker access to anything but cyphertext.

  2. Encryption by igreaterthanu · · Score: 5, Informative

    Why would you upload private data to some file hosting site? These (e.g. RapidShare) aren't the kind of services where you can modify files after uploading (such as Dropbox), so encryption is not much of a hassle. You have no reason not to encrypt the files before uploading them.

    --
    I dream of a nation where a man is not judged by his skin color but by a number assigned by a credit rating agency.

    1. Re:Encryption by hairyfeet · · Score: 4, Insightful

      Because you get some dumbass that can't be arsed to bring a flash stick to work and/or they aren't allowed to use a flash stick, so they just upload it to Rapidshit? Hell nobody reads anything or actually thinks anymore, even to this day you can look on any P2P site for the formats that taxes and other personal data are kept in (such as QuickBooks files) and literally find thousands upon thousands of morons sharing their entire C: drive because they don't bother to think.

      To me that is the sad and/or scary part: Your security is only as strong as the biggest moron in the group and when it comes to computers the level of stupid out there is frankly mind boggling.

      --
      ACs don't waste your time replying, your posts are never seen by me.

    2. Re:Encryption by currently_awake · · Score: 4, Insightful

      Considering the cost of hard drives there is no good reason to keep anything in the cloud except for stuff you want to share (free hosting file server).

  3. Re:Bogus by Beryllium Sphere(tm) · · Score: 4, Informative

    At a guess, an embedded URL that's loaded automatically when someone opens the document, for example an IMG tag.

  4. Like Shark Week? by The Dawn Of Time · · Score: 5, Funny

    This is the kick-off to Slashdot's "No Shit Week"

  5. All security is through obscurity by sco08y · · Score: 5, Insightful

    “These services adopt a security-through-obscurity mechanism where a user can access the uploaded files only by knowing the correct download URIs,” the researchers wrote in a paper presented at the most recent USENIX Workshop on Large-Scale Exploits and Emergent Threats.

    Hey, guess how passwords work? They're hard to guess. How do biometrics work? Your fingerprints are hard to replicate. How do keycards work? It's hard to guess whatever code is stored in it. All security ultimately comes down to some token that is "obscure."

    All security is through obscurity. If these sites are being accessed when they shouldn't, it means that there's an information leak, that is, the owners think (or claim) that it is far more obscure than it really is.

  6. Re:Bogus by Opyros · · Score: 4, Informative

    I suspect it means a Web bug, aka a Web beacon.

  7. Re:How about by wvmarle · · Score: 5, Insightful

    It is on a remote site, out of your control, so it's not secure. End of story.

    Encrypt before it leaves your system if you want to keep it secure. Or only store data on such sites that you really don't care if it becomes public.

    And even if there really are no remote security holes, anyone with admin/root access to the servers can access your data. Without you knowing.

  8. Confucius Say... by seven of five · · Score: 4, Insightful

    "He who trusts private data to remote host has head in cloud..."