We Really Don’t Know Clouds At All

I’m sure I had another post topic in mind before I checked my Google News Alerts. Stupid thing to do if you have any interest at all in maintaining focus. I did not maintain.

One of my searches is for news for “cybersecurity.” While I’m not a coder or hacker, I’m an end-user. I’m a participant (mostly enthusiastic but with serious concerns) in the techno-commercial use of digital technology to run a civilization.

I’m deeply invested in web technology both at home and on the road. The “cloud” has made it so much easier to save and share and retrieve information–and gobs of it–on OneDrive, Box, Google Drive, and Dropbox. I use all of those. So this is NOT good news:

The lastest exploit–call “Man in The Cloud” puts at jeopardy the security of all these cloud storage tools. Once discovered, even changing passwords does not rescue your account (far worse if YOU are a big corporation) from being controlled by the invader or your files held at ransom. This is truer of Dropbox than of Google Drive apparently.

I’m thinking this is a Windows issue and NOT a Mac issue. I could be wrong about that if anybody knows for sure. Now that the story is in the wild, I wonder if we won’t see quick and major use of this before steps can be implemented to minimize if not prevent such attacks.

And if you want a smaller scale threat that’s more up front and personal–your iPhone can also belong to others if you are not VERY careful to ONLY download apps from the Apple App Store.

A “Masque” attack might look like an app from Facebook, Twitter, Whassap, or another legit app provider. It might work like the original. But it is enhanced and wants your data for lunch.

Header image confession: it is a mashup of two of my images.

► Man in the Cloud’: Hackers can access Dropbox, Google Drive accounts without the user’s password – Firstpost

► “Man-in-the-Cloud” Attacks Leverage Storage Services to Steal Data | SecurityWeek.Com

► Fresh Masque iOS security flaw puts iPhone users at risk – Business Insider

Published by

fred

Fred First holds masters degrees in Vertebrate Zoology and physical therapy, and has been a biology teacher and physical therapist by profession. He moved to southwest Virginia in 1975 and to Floyd County in 1997. He maintains a daily photo-blog, broadcasts essays on the Roanoke NPR station, and contributes regular columns for the Floyd Press and Roanoke's Star Sentinel. His two non-fiction books, Slow Road Home and his recent What We Hold in Our Hands, celebrate the riches that we possess in our families and communities, our natural bounty, social capital and Appalachian cultures old and new. He has served on the Jacksonville Center Board of Directors and is newly active in the Sustain Floyd organization. He lives in northeastern Floyd County on the headwaters of the Roanoke River.

4 thoughts on “We Really Don’t Know Clouds At All”

  1. From what I can tell, the hacker would need either physical access or root access to your computer to pull this off. Theoretically possible with any machine, but probably way more likely on Windows boxes as they will be the primary targets of any wide scale attempt to compromise systems.

  2. Chris, I’d be interested in updates from your perspective on the MITC exploits. Physical access if true makes me feel more comfortable for the near term, but not much more.

  3. What they are doing, in a nutshell, is copying the encrypted key of your computer and placing it on another computer, thereby fooling Dropbox or whoever into thinking that other computer is you. Technically, it’s probably a pretty easy problem for the cloud providers to fix. Check the IP address and match it to the password and you pretty much solve the problem. My open source RSS reader does that. if I’m logged in from home when I check RSS feeds from work I have to log in again because the IP address doesn’t match the last time I logged in.

    They will still have to decrypt the key, which will take some computing power. I can’t imagine anybody will really care enough to bother a home user. This seems like something you would target to a corporate user. My company, for example, has pretty much everything synced to Dropbox.

    Obviously, if somebody has physical access to your computer they can get the key file. Otherwise, they generally need to get malware on your box that will send the file to them. I don’t think it’s that big of a deal, and I think it’ll be fixed by the could providers fairly quickly.

  4. But tell me, in your answer above, what role does the fake app serve if not to collect a user’s (or system’s) encrypted key? Doesn’t sound like physical presence is required.

    Definitely more bang for the buck to go after corporate targets with this. It just nags me to realize the fragility of all digitally-dependent economies and to know that they are to no small degree all held at the neck by the same chain. One (like Greece) sinks it threatens to sink all.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.