Tuesday, June 21, 2011

Dropbox drops security

I came across a very interesting piece of news today. For about 4 hours you could log in to a Dropbox account using only the username and any password. This, once again, brings back to light the main problem in Cloud Computing: the loss of control. As a user, you are totally dependent on the Cloud Provider (in this case Dropbox) to manage your data. It's great most of the time, as you don't have to bother with all the configuration - including security. But it does have its downside. If the Provider does some bad PooPoo, you have no way of protecting the data.

On a personal note, I think Hussein Fahmy, Amalia Brad and I are especially proud of the fact that we foresaw something like this occurring. In my master's thesis, "New Threats in Cloud Computing With focus on Cloud Misuse and Cloud Vulnerabilities from the Client Side", I actually presented a threat called Isolation Failure. The presumption was exactly what happened with Dropbox: an attacker somehow manages to gain access to the data stored on the cloud due to a vulnerability in the Cloud Provider. At that point, it was all based on presumptions, as no such case had yet happened. Until now. What happened to Dropbox is exactly the way I described the scenario in my thesis. I am particularly happy with the solution described in Lifehacker, as I gave the same solution to the threat in my thesis. So, in essence, Dropbox just gave me a proof of concept for one of my suggested threats.

I am curious to see what the repercussions of this "accident" will be. Will people actually listen and start to also think of the client side of Cloud Computing? Will providers also inform clients that their data is not entirely safe? Will they inform them that malware on their machine will still lead to data loss?

When I first began my studies in this field I was a bit unsure as to the feasibility of, and need for, providing security on the client side when using Cloud Computing. Now, more than ever, I am convinced that I have chosen the correct path in my studies.

Finally, I am eager to find out what just happened. Dropbox says they “made a code update”. From where I’m standing it’s a code downgrade. Did they just comment out the part of the code that checked the credentials of the user? As far as I know, Dropbox is built on top of Amazon S3, so I am also wondering whether this vulnerability was propagated there as well. Anyways, I am looking forward to seeing what exactly happened.
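The question above, whether the credential check was effectively commented out, can be illustrated in code. The snippet below is an added, hypothetical example (not Dropbox's code; its actual change is not known here): a correct password check next to the kind of regression that accepts any password for an existing username, plus a regression check that would flag that behaviour before a deploy.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory user store for the example: username -> (salt, PBKDF2 hash).
_USERS: dict[str, tuple[bytes, bytes]] = {}


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (iteration count chosen for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register(username: str, password: str) -> None:
    """Store a fresh random salt and the derived hash; never the password itself."""
    salt = os.urandom(16)
    _USERS[username] = (salt, _derive(password, salt))


def login_correct(username: str, password: str) -> bool:
    """Intended check: the supplied password must reproduce the stored hash."""
    record = _USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_derive(password, salt), stored)


def login_downgraded(username: str, password: str) -> bool:
    """Hypothetical 'code downgrade': the hash is still computed, but the result
    of the comparison is no longer what decides the outcome, so any password
    for an existing username is accepted."""
    record = _USERS.get(username)
    if record is None:
        return False
    salt, _stored = record
    _derive(password, salt)  # computed but never compared against the store
    return True


def accepts_any_password(login, username: str) -> bool:
    """Regression check for a deploy pipeline: a random, never-registered password
    must be rejected. Returns True when the login function is broken."""
    return login(username, secrets.token_urlsafe(32))
```

A check like `accepts_any_password` belongs in the test suite that gates a "code update", since it fails loudly on exactly the defect described in the post.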

1 comment:

  1. In my opinion, "Cloud" Computing is nothing but a hype and is doomed to fall victim to exactly that, plus marketing control.

    "Cloud" solutions have existed since the early 80s (maybe even earlier) and have already been through enough test cases that make them virtually stable today.

    To me, the term is nothing but the same solutions all over again except with fancy graphics (i.e., websites instead of command-line interaction) - and broken security, of course.

    I am glad I rely minimally on such "services" and instead use my own systems for that. X+ssh and rsync+ssh are yet to be beaten by anything else I know on this planet in any way (i.e., security, speed, etc...)

    Hopefully I can get my email off Google too, soon ;)