
Some cloud storage apps aren't so secure after all


March 19, 2013

Security researchers at the University of Glasgow have found that cloud storage apps, which are supposed to send files to the cloud, also leave retrievable copies of those files on the devices themselves, and that this represents a security risk.

To be sure, the files aren't there for all to see, but do represent an easy way for potential attackers to let themselves in. The extent to which data remains on phones is detailed in a paper titled Using Smartphones as a Proxy for Forensic Evidence contained in Cloud Storage Services, delivered at the 46th Hawaii International Conference on System Sciences and authored by George Grispos, William Bradley Glisson and Tim Storer.

The paper explains the authors performed a hard reset on an iPhone 3G running iOS 3 and an HTC Desire running Android 2.1. Those devices were then equipped with Dropbox (iOS version 1.4.7, Android version 2.1.3), Box (iOS version 2.7.1, Android version 1.6.7) and SugarSync (iOS version 3.0, Android version 3.6).

In all, 20 files - .JPGs, .DOCs, .PDFs, .MP3s and .MP4s - were created on each device. Some of the files were opened or altered and some left alone. The phones were then “manipulated in one of the following ways”:

  • Active power state -- the smartphone was not powered down and the application's cache was not cleared;
  • Cache cleared -- the application's cache was cleared;
  • Powered off -- the smartphone was powered down;
  • Cache cleared and powered off.

Next, the phones were “processed to create a forensic dump of its internal memory,” which is when the researchers found lots of files in lots of places.

The long and short of the study is that the HTC Desire's Micro-SD card and the iPhone's main storage both yielded files that users would reasonably expect to live only in the cloud services mentioned above, rather than remaining on the mobile handsets.

Both phones even yielded the unique file ID number for items uploaded to Box, an authentication token for that service and a URL. Together, “This information can be merged to reconstruct a URL, which will result in the file associated with the ZBOXID being downloaded.”

The paper offers the following conclusion: “The results from this research have shown that smartphone devices which access cloud storage services can potentially contain a proxy view of the data stored in a cloud storage service. The recovery of data from these devices can in some scenarios provide access to further data stored in a cloud storage account.”

“From the client perspective, it can potentially provide a partial view of the data without access to the data provider. The recovery of this evidence is dependent on two factors. First, the cloud storage application has been used to view the files in the cloud. Second, the user has not attempted to clear the cache of recently viewed files,” the paper reads.
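The triage step the researchers describe (dump the device, then look for leftover documents and for the account material that can be recombined into a download URL) can be illustrated with a small scan of an extracted data tree. The following is an added example, not code from the Glasgow paper: the directory layout, file contents and key names such as `auth_token` are constructed for the demonstration (only `ZBOXID` comes from the paper), and real apps use their own file and field names.

```python
"""Added example: coarse triage of an extracted app data tree for the two
kinds of residue the study describes: cached copies of user documents, and
credential material (file IDs, auth tokens) for a cloud storage account."""
import os
import re
import tempfile

# File types the study planted on each handset (JPG, DOC, PDF, MP3, MP4).
CACHED_DOC_EXTENSIONS = {".jpg", ".jpeg", ".doc", ".docx", ".pdf", ".mp3", ".mp4"}

# Coarse keyword pass for account material.  "zboxid" is the Box file-ID name
# quoted in the paper; the token key names are constructed guesses, not the
# apps' real field names.
CREDENTIAL_KEYS = re.compile(rb"\b(auth[_-]?token|access[_-]?token|zboxid)\b", re.IGNORECASE)


def triage_extraction(root):
    """Walk an extracted data tree; return sorted (relative_path, finding) pairs,
    where finding is 'cached-document' or 'credential-material'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.path.splitext(name)[1].lower() in CACHED_DOC_EXTENSIONS:
                findings.append((rel, "cached-document"))
                continue
            with open(path, "rb") as fh:
                head = fh.read(64 * 1024)  # bounded read: preference files are small
            if CREDENTIAL_KEYS.search(head):
                findings.append((rel, "credential-material"))
    return sorted(findings)


def build_sample_tree():
    """Create a tiny constructed extraction (not real app data); return its root."""
    root = tempfile.mkdtemp(prefix="extraction_")
    layout = {
        "Documents/cache/report.pdf": b"%PDF-1.4 constructed sample",
        "Library/Caches/photo_001.jpg": b"\xff\xd8\xff constructed sample",
        "Library/Preferences/com.example.cloud.plist": (
            b"<plist><dict><key>auth_token</key><string>CONSTRUCTED-TOKEN</string>"
            b"<key>zboxid</key><string>CONSTRUCTED-ID</string></dict></plist>"
        ),
        "Library/Preferences/ui.plist": (
            b"<plist><dict><key>theme</key><string>dark</string></dict></plist>"
        ),
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, finding in triage_extraction(sample_root):
        print(f"{finding:20} {rel}")
```

On the constructed tree the scan reports the two cached documents and the one preferences file that holds a token and a file ID, while the harmless UI settings file is ignored. The point for a cache-clearing or "log out" routine is the same as the paper's second factor: wiping the document cache is not enough if the token and file IDs that reconstruct a download URL stay behind in a preferences file.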

This also suggests more research is needed in this segment, because the whole point of cloud storage is access from multiple devices, and the security of those devices is therefore critical.

More research also seems essential because the authors used superseded versions of the apps. Dropbox on iOS, for example, is now at version 2.1.3, many updates beyond the version 1.4.7 that was used for this analysis, so the results may not carry over exactly to current versions.

To be sure, the authors' long-term plan is to get that additional research done and to eventually “propose a set of security measures for both cloud providers and smartphone users to mitigate the potential risk of data leakage and of potential security breaches.”

In other internet security news

James Clapper, Director of National Intelligence, told Congress on March 12 that America's biggest national security threat could come not from bullets or bombs in a terrorist attack, but from computer hackers, located in the U.S. as well as in other countries.

That's the assessment of a group of the nation's top intelligence officials, who told Congress Tuesday that cyber attacks now top the list of the many national security threats the United States has faced in its history.

It's the first time since the Sept. 11, 2001 terrorist attacks that anything other than an extremist threat has been the top concern in the Intelligence Community Worldwide Threat Assessment, which is presented annually to the Senate Select Committee on Intelligence and Security.

Clapper told the panel that cyber and financial threats were being added "to the list of weapons being used against the United States" and which help define a new "soft" kind of war.

"When it comes to the distinct threat areas, our statement this year leads with cyber and it's hard to overemphasize its significance," said Clapper.

According to him, state and non-state actors are increasingly gaining "cyber expertise" which they use "to achieve strategic objectives by gathering sensitive information from public- and private-sector entities, controlling the content and flow of information, and challenging perceived adversaries in cyberspace."

He said that those cyber capabilities "put all sectors of our country at risk, from government and private networks to critical infrastructures."

Clapper warned that the intelligence community is seeing indications that some terror groups are interested "in developing offensive cyber capabilities and that cybercriminals are using a growing black market to sell cyber tools that fall into the hands of both state and non-state actors."

He also warned that the budget cuts and civilian furloughs being imposed by sequestration will have an impact on the intelligence community's efforts to counter a cyber threat.

"Critical analysis and tools will be cut back, so we'll reduce global coverage and may risk missing the early signs of a threat," added Clapper.

When Senator Angus King (I-Maine) asked if cyber threats were accelerating, newly-minted CIA Director John Brennan gave an unequivocal "Absolutely."

Brennan explained that "the seriousness and the diversity of the threats that this country faces in the cyber domain are increasing on a daily basis".

Despite the widespread recognition of the threat, Brennan said the U.S. still has a lot of work to do to prepare itself for the future of cyber warfare -- "to address the security vulnerabilities that we have and take the steps that we need to take in order to protect our infrastructure, our networks from these types of cyber attacks."

FBI Director Robert Mueller also told the panel that the cyber threat is one that keeps him awake at night. What is happening in the cyber arena, he said, "cuts across any of our disciplines, whether it be counterintelligence or counterterrorism as well as criminal."

Mueller said the convergence of "the various objectives, goals and discrete individuals utilizing the cyber arena, whether it be for criminal purposes or for terrorist purposes, has grown to be right up there with al Qaeda affiliate AQAP, homegrown terrorists and cyber attackers."

In other internet security news

New cryptographic security vulnerabilities have been discovered this week in the technology used by Google and other large companies to encrypt online shopping, banking and web browsing.

The attack, developed by security researchers at Royal Holloway, University of London and the University of Illinois at Chicago, targets weaknesses in the ageing but popular RC4 stream cipher.

RC4 is quick and simple, and is used in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols that underpin HTTPS to protect sensitive internet traffic from prying eyes.

However, data encrypted by the algorithm can be carefully analyzed to silently extract the original information, such as an authentication cookie used to log into a victim's Gmail account.

But cracking the encryption on a user's web traffic is difficult to pull off, at least for now. The security researchers explain: "We have found a new attack against TLS that allows a hacker to recover a limited amount of plaintext data from a TLS connection when RC4 encryption is used. The attacks arise from statistical flaws in the keystream generated by the RC4 algorithm which become apparent in TLS cyphertexts when the same plaintext is repeatedly encrypted at a fixed location across many TLS sessions."

An attack using the researchers' findings could work like this: a victim opens a web page containing malicious JavaScript code that tries to log into Google Gmail on behalf of the user via HTTPS.

Doing so sends the victim's RC4-encrypted authentication cookie, created the last time the user logged in, this time encrypted under a new session key.

Someone eavesdropping on the network records the encrypted data sent, and the JavaScript then terminates the connection. It repeats this continually, forcing new keys to be used each time, and thus lets someone snooping on the connections build up a treasure trove of encrypted messages.

Ideally, this data should appear to be random, but RC4 suffers from statistical biases that will reveal parts of the encrypted sensitive information over time, provided the attacker can gather millions of samples to process.
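The "statistical flaws in the keystream" at the heart of this are easy to see in simulation. The best-known single-byte bias, published by Mantin and Shamir in 2001, is that RC4's second keystream byte is zero about twice as often as a uniform keystream would allow. The block below, an added example that is not the researchers' code, implements RC4 as published, measures that bias over many fresh keys, and then shows why the repeated-cookie scenario above matters: when the same plaintext sits at the same offset under many different keys, the most frequent ciphertext value at that offset is simply the plaintext byte. Keys, plaintext and session counts are constructed; the sample sizes are far below the millions the article mentions because a single heavily biased byte is enough to make the point.

```python
"""Added example: the RC4 second-byte keystream bias and its effect when one
plaintext is encrypted at a fixed position across many sessions."""
import random
from collections import Counter


def rc4_keystream(key, n):
    """Plain RC4: key scheduling (KSA) followed by n bytes of keystream (PRGA)."""
    S = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):
        j = (j + S[i] + key[i % klen]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = []
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def fresh_key(rng):
    """Constructed 16-byte key from a seeded generator (deterministic for the demo)."""
    return rng.getrandbits(128).to_bytes(16, "big")


def second_byte_zero_ratio(sessions=20000, seed=1):
    """How often keystream byte 2 is zero, relative to the 1/256 expected of a
    uniform keystream.  A value near 2.0 is the Mantin-Shamir bias."""
    rng = random.Random(seed)
    zeros = sum(rc4_keystream(fresh_key(rng), 2)[1] == 0 for _ in range(sessions))
    return (zeros / sessions) * 256


def recover_second_byte(plaintext, sessions=20000, seed=2):
    """Simulate `sessions` connections that each encrypt the same plaintext at
    offset 0 under a fresh key (the repeated-cookie situation) and return the
    majority value of ciphertext byte 2.  Because Z2 is biased towards 0, that
    majority is the plaintext byte itself."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(sessions):
        z2 = rc4_keystream(fresh_key(rng), 2)[1]
        counts[plaintext[1] ^ z2] += 1
    return counts.most_common(1)[0][0]


if __name__ == "__main__":
    print("Z2 == 0 ratio vs uniform:", round(second_byte_zero_ratio(), 2))
    cookie = b"SID=constructed-sample-cookie"   # constructed plaintext
    guess = recover_second_byte(cookie)
    print("majority ciphertext byte 2:", chr(guess), "expected:", chr(cookie[1]))
```

This is only the crudest bias; the published work uses the full distribution of every keystream position and correspondingly needs far more sessions. The countermeasure is the one the researchers recommend: a bias inherent to the cipher's output cannot be patched around in TLS, so RC4 cipher suites should be removed from server and client configurations rather than retuned.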

In this manner, it is similar to the earlier BEAST attack on SSL connections. The Royal Holloway and Chicago team argue that the most effective countermeasure against the attack is to stop using RC4 in TLS.

"There are other, less-effective countermeasures against our attacks and we are working with a number of TLS software developers to prepare patches and security advisories," the computer scientists revealed in an advisory on their research.

Overall, RC4 is used by many websites to provide HTTPS encryption, including Google. Dan Bernstein, one of the researchers, unveiled the attack at the Fast Software Encryption conference in Singapore this week.

"Unfortunately, if your internet connection is encrypted using RC4, as is the case with Gmail, then each time you make a fresh connection to the Gmail site, you're sending a new encrypted copy of the same cookie," explained Matthew Green, a cryptographer and research professor at Johns Hopkins University in Maryland.

"If the session is renegotiated (i.e., uses a different key) between those connections, then the attacker can build up the list of ciphertexts he needs.

"To make this happen quickly, an attacker can send you a piece of JavaScript that your browser will run - possibly on a non-HTTPS tab. This JavaScript can then send many HTTPS requests to Google, ensuring that an eavesdropper will quickly build up thousands, or millions, of requests to analyse."

Other security experts say there's no need to panic. "It's not a very practical attack in general, requiring at least 16,777,216 captured sessions, but as mentioned, attacks will only improve in time," said Arnold Yau, lead developer at mobile security firm Hoverkey.

"I think it'd be wise for TLS deployments to migrate away from RC4 as advised," he added.

RC4 was invented by Ron Rivest (the 'R' in RSA Encryption) in 1987. Various attacks have been developed against RC4, which is used in Wi-Fi WEP protection, but the technology is still widely used. About 50 percent of all TLS traffic is protected using RC4, and its use is growing after another encryption algorithm in TLS, Cipher-block Chaining (CBC), was broken by experts.

TLS in CBC-mode was cracked by the BEAST and Lucky 13 techniques, which use so-called padding oracle attacks to defeat HTTPS encryption. Cryptographers at Royal Holloway, University of London developed the Lucky 13 breakthrough.

BEAST was unleashed by Juliano Rizzo and Thai Duong - who also designed the CRIME attack on HTTPS that exploits the use of data compression in TLS rather than abusing ciphers.

"I will say, it's funny seeing the RC4 breakers recommend CBC, and vice versa," said noted security researcher Dan Kaminsky.

Marsh Ray, of PhoneFactor, a recent Microsoft acquisition, offered a different take: "Until I see three practical ways Duong and Rizzo can decrypt a cookie as a stage trick over RC4, I'll continue to recommend it over CBC."

Separately, another team of crypto-researchers took the wraps off a refinement of the CRIME attack: the TIME (Timing Info-leak Made Easy) technique, which could be used to decrypt browser cookies and hijack online accounts in the process.

Tal Be'ery and Amichai Shulman of Imperva unveiled their research at the Black Hat conference in Amsterdam, the Netherlands last week.

In other internet security news

The U.S. Computer Emergency Response Team (CERT) warns that a whole range of HP LaserJet printers appear to be suffering a new security flaw that can leak data and passwords. Users have been told to apply the firmware patches issued by HP that resolve the security problem.

Hewlett-Packard says that the security risk arose after it was discovered that several models of HP LaserJets feature a "telnet debug shell" which could allow a remote attacker to gain unauthorized access to data. Essentially, this means the printers can be accessed through a telnet session without requiring a password, thereby allowing unauthenticated remote attackers to gain access to unencrypted data through this telnet daemon.

Security experts have suggested that HP's developers mistakenly left the debugging aid in the firmware of the affected printers.

"Debugging code is an all-but-unavoidable part of any development project, aimed at helping you to understand more precisely how your code behaves internally," explained Paul Ducklin, Sophos's head of technology for Asia Pacific.

"This often means that debugging code is a security nightmare, since it may allow software behaviour which is unsuitable for a shipping product, such as introspection (a fancy word for peeking inside data structures that are usually off limits to other users), and authentication bypasses."

So, debug code is typically compiled out altogether in a release build. Ducklin added that Telnet is "unencrypted, insecure and out of place in 2013". All the security experts we spoke to agree with Ducklin.

HP has patched the afflicted firmware for the affected printers. Users of a wide range of HP printers are advised to apply the update. HP listed the vulnerable kit as HP LaserJet Pro P1102w, HP LaserJet Pro P1606dn, HP LaserJet Pro M1213nf MFP, HP LaserJet Pro M1214nfh MFP, HP LaserJet Pro M1216nfh MFP, HP LaserJet Pro M1217nfw MFP.

HP HotSpot LaserJet Pro M1218nfs MFP, HP LaserJet Pro M1219nf MFP, HP LaserJet Pro CP1025nw and HP LaserJet Pro CP1025nw are also on the list.
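Before and after rolling out the firmware update, an administrator will want to know which printers on the inventory still accept telnet connections at all. The block below is an added example, not code from HP or CERT: it attempts a plain TCP connection to each listed device and closes it without sending anything, which is enough to tell whether a telnet daemon is listening. It assumes the debug shell sits on the standard telnet port (23); the device names and the 192.0.2.x address in the comment are placeholders, and the demonstration stands up a throwaway local listener so that it runs offline.

```python
"""Added example: report which printers in an inventory still accept TCP
connections on the telnet port, so the firmware update can be prioritised."""
import socket
import threading

TELNET_PORT = 23  # assumption: the debug shell listens on the standard telnet port


def port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port is accepted within timeout.
    Nothing is sent; the socket is closed immediately."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def printers_exposing_telnet(printers):
    """printers: iterable of (name, host, port); returns the names still reachable."""
    return [name for name, host, port in printers if port_open(host, port)]


# --- self-contained demonstration: a throwaway local listener stands in for an
# unpatched printer, and a port nothing listens on stands in for a patched one.
def start_local_listener():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_closed_port():
    """Pick a port that is free right now, so a connect to it is refused."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


def demo():
    srv, open_port = start_local_listener()
    inventory = [
        ("LaserJet-unpatched (simulated)", "127.0.0.1", open_port),
        ("LaserJet-patched (simulated)", "127.0.0.1", free_closed_port()),
        # real use (placeholder address): ("LaserJet Pro P1102w", "192.0.2.10", TELNET_PORT),
    ]
    exposed = printers_exposing_telnet(inventory)
    srv.close()
    return exposed


if __name__ == "__main__":
    for name in demo():
        print("telnet reachable:", name)
```

A reachable port only says that something answers on 23, so treat it as a work list rather than proof of the specific flaw; the durable fix is still HP's firmware update, and where a printer's web interface allows it, leaving telnet disabled afterwards removes the unencrypted management path Ducklin objects to.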

German security researcher Christoph von Wittich of Hentschke Bau gets the tip of the hat for finding the security vulnerabilities.

In other internet security news

JP Morgan Chase's website yesterday suffered a DDoS attack, as the bank became the latest U.S. financial institution to get hit by such a vicious assault on its infrastructure.

Visitors to the site were shown a "website temporarily down" message on the front page, although the bank's mobile apps were said to be still working at that time.

Iran and a group of Islamic activists that call themselves the 'Izz ad-Din al-Qassam Cyber Fighters' have been linked in the past to such internet attacks on major American banks, including U.S. Bancorp, Citigroup, Wells Fargo and Bank of America.

The hacktivists claimed responsibility for a series of distributed denial-of-service attacks that hit those financial organisations in September, and then declared that JPMorgan Chase, SunTrust and PNC Financial Services Group were all possible targets for a second phase of its ill-fated operation.

"In a new phase, the wideness and the number of attacks will increase explicitly and offenders and subsequently their governmental supporters will not be able to imagine and forecast the widespread and greatness of these attacks," the group said in a statement posted on the Pastebin website in December.

The Cyber Fighters said that the reason for the computer network offensive was the continued availability of the inflammatory Innocence of Muslims video on YouTube.

But when the video was taken down, the group said it had suspended its attacks. A former American government official claimed earlier this year that Iran was orchestrating the attacks. James Lewis of the Center for Strategic and International Studies in Washington believed that the aim was retaliation over the nuclear-fuel-centrifuge-hacking virus Stuxnet and other cyber-barrages against Iran.

JP Morgan Chase's site now appears to be working, although DDoS attacks can result in intermittent service. In December, Wells Fargo customers had trouble using the bank's site for at least four days as it dropped in and out of view. But security experts have said that there's no real evidence to show that Iranian officials are behind the campaign.

In other internet security news

Microsoft said Friday that it's planning to deliver no fewer than seven complex security patches next Tuesday, March 12. In all, four patches are deemed 'critical' and three 'important' as part of the March edition of its now regular-as-clockwork Patch Tuesday security update program.

The most troublesome of the critical security vulnerabilities carries a remote code execution risk and affects *every* version of Windows - from XP SP3 up to Windows 8 and Windows RT, as well as all versions of Server 2003, Server 2008 and Server 2012 and, of course, the Internet Explorer browser.

So the software engineers in Redmond have been very busy the past few days, and it's not over yet. A second critical update addresses critical security vulnerabilities in Microsoft Silverlight both on Windows and Mac OS X.

Silverlight is widely used as an alternative to Flash, in particular to run media applications, for example Netflix.

Third on the critical list is a security vulnerability in Visio and the Microsoft Office Filter Pack.


Source: The University of Glasgow.
