Attackers can access Dropbox, Google Drive, OneDrive files without a user's password (http://www.zdnet.com/article/dropbox-google-drive-onedrive-files-man-cloud-attack/)
Quote
Hackers don't even need your password anymore to get access to your cloud data.
Newly published research, released at the Black Hat conference (https://www.blackhat.com/us-15/sponsored-sessions.html#man-in-the-cloud-attacks) in Las Vegas on Wednesday by security firm Imperva, shows how a "man-in-the-cloud" attack can grab cloud-based files -- as well as infecting users with malware -- without users even noticing.
The attack differs from traditional man-in-the-middle attacks, which rely on tapping data in transit between two servers or users, because it exploits a vulnerability in the design of many file synchronization offerings, including Google, Box, Microsoft, and Dropbox services.
This is not just an issue for consumers, but also businesses (http://www.zdnet.com/article/dropbox-skydrive-google-drive-which-one-is-right-for-you/), which increasingly use cloud-based services to share sensitive customer and corporate data.
The report by Imperva (https://www.imperva.com/DefenseCenter/HackerIntelligenceReports), which has a research unit as well as having a commercial stake in the security space, said in some cases "recovery of the account from this type of compromise is not always feasible."
The attack works by grabbing the password token, a small file that sits on a user's devices for convenience (which saves the user from entering their password each time). When the token is obtained, either through a phishing attack or a drive-by exploit, it can be used to fool a new machine into thinking the attacker is the account's owner. From there, the attacker can access and steal files, and even add malware or ransomware (which is on the rise (http://www.zdnet.com/article/cryptowall-ransomware-costs-victims-millions-dollars-fbi/)) to the victim's cloud folder, which can be used for further attacks.
Making matters worse, account owners are almost powerless. Because the tokens are tied to the user's device, changing the account password would not lock out the attacker.
"We should be really worried about this," said Amichai Schulman, chief technology office at Imperva, speaking to ZDNet on the phone earlier this week. "Attackers are looking at methods of being less detectable. But the reality is that it's already happening."
Recent research pointed to a sophisticated Russian hacker group targeting the cloud (http://www.zdnet.com/article/hammertoss-russian-hackers-target-the-cloud-twitter-github-in-malware-spread/) with Hammertoss, malware which sifts through network traffic, looking for ways to pilfer files and documents. Imperva also cited a paper by security firm Blue Coat, which showed a similar attack method (https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware) in the wild.
Must-Read: Security
- Neiman Marcus: 1.1 million cards compromised (http://www.zdnet.com/article/neiman-marcus-1-1-million-cards-compromised/)
- Emerging nations' security critical to future internet: Microsoft (http://www.zdnet.com/article/emerging-nations-security-critical-to-future-internet-microsoft/)
- Most CEOs clueless about cyberattacks – and their response to incidents proves it (http://www.zdnet.com/article/most-ceos-clueless-about-cyberattacks-and-their-response-to-incidents-proves-it/)
- TECH PRO RESEARCH: IT Anti-Virus Policy (http://www.techproresearch.com/downloads/it-anti-virus-policy/)
But coming to the defense of the cloud providers, Schulman was somewhat hesitant to call the vulnerability a flat-out "design flaw."
"These services are meant to deliver files seamlessly from your computer to the cloud to other devices around the world. These services aren't dangerous or insecure," he added.
"It's kind of a trade-off between usability and security. It's just the way things work," he said.
"There isn't a simple fix," he said. Although many services now offer two-factor authentication and notifications when unauthorized access is detected -- such as from a new computer or an entirely different geography -- Schulman said many people either ignore those notifications or choose not to do anything about them.
Dropbox declined to comment on the record. Google did not return an email requesting comment.
They don't have your password but they have something better they stole from a device.
Now that's fearmongering for ya.
This is hardly news. That's why you buy dedicated server capacity rather than use various cloud services.
Quote from: Norgy on August 07, 2015, 04:59:48 AM
This is hardly news. That's why you buy dedicated server capacity rather than use various cloud services.
Yeah, I'm building my server at the office. I'm still far away from being able to use it as a real cloud, when I'm out of the office, I'm kinda lost in all that, but eventually, I'll have time to figure it out.
Excellent. Lots of people here have suggested that I use cloud storage. I'll point them to this thread.
Quote from: viper37 on August 07, 2015, 03:06:58 PM
Quote from: Norgy on August 07, 2015, 04:59:48 AM
This is hardly news. That's why you buy dedicated server capacity rather than use various cloud services.
Yeah, I'm building my server at the office. I'm still far away from being able to use it as a real cloud, when I'm out of the office, I'm kinda lost in all that, but eventually, I'll have time to figure it out.
I buy capacity from a local company. The contract is basically waterproof for me. Also, I know the owner.
I'd not buy from Amazon or say Google. Too risky.
Quote from: Norgy on August 07, 2015, 04:59:48 AM
This is hardly news. That's why you buy dedicated server capacity rather than use various cloud services.
You don't understand the magic of the cloud. Managers are fascinated by it.
Quote from: Darth Wagtaros on August 10, 2015, 06:57:37 AM
Quote from: Norgy on August 07, 2015, 04:59:48 AM
This is hardly news. That's why you buy dedicated server capacity rather than use various cloud services.
You don't understand the magic of the cloud. Managers are fascinated by it.
I am not. Really not fascinated.
Quote from: viper37 on August 10, 2015, 10:11:45 AM
Quote from: Darth Wagtaros on August 10, 2015, 06:57:37 AM
Quote from: Norgy on August 07, 2015, 04:59:48 AM
This is hardly news. That's why you buy dedicated server capacity rather than use various cloud services.
You don't understand the magic of the cloud. Managers are fascinated by it.
I am not. Really not fascinated.
Then get with the program. The Cloud is cheap, easy, and mean syou don't pay people onsite anymore.
Yeah, the HK government is keen about cloud too. The big departments like treasury, inland revenue and police want to be left alone. It is the small departments, some of them can't afford to have an IT section, that really want it.
Quote from: Darth Wagtaros on August 10, 2015, 07:20:46 PM
Quote from: viper37 on August 10, 2015, 10:11:45 AM
Quote from: Darth Wagtaros on August 10, 2015, 06:57:37 AM
Quote from: Norgy on August 07, 2015, 04:59:48 AM
This is hardly news. That's why you buy dedicated server capacity rather than use various cloud services.
You don't understand the magic of the cloud. Managers are fascinated by it.
I am not. Really not fascinated.
Then get with the program. The Cloud is cheap, easy, and mean syou don't pay people onsite anymore.
I need to pay myself anyway. So why not have my own stuff? :P
Obama administration officials scrambled to ensure intelligence of connections between the Trump campaign and Russian officials was preserved after they left office
More Obama Administration Rushed to Preserve Intelligence of Russian Election Hacking (http://dispute.press/news/2549899)
another fake account. Is there no end to this madness? :)