Cracks emerge in the cloud

Jun 20, 2014

A systematic analysis reveals that cloud storage services have security weaknesses that can inadvertently leak users' data.

As individual computer users increasingly access the Internet from different smartphones, tablets and laptops, many are choosing to use online cloud services to store and synchronize their digital content. Cloud storage allows consumers to retrieve their data from any location using any device and can provide critical backups in the case of hard disk failure. But while people are usually vigilant about enacting security measures on personal computers, they often neglect to consider how safe their files are in the cloud.

Now, findings from a team led by Jianying Zhou of the A*STAR Institute for Infocomm Research in Singapore promise to improve the security of popular online services and better protect users by revealing hidden flaws associated with an important feature—the ability to share files with friends, co-workers or the public.

Sharing content is an attractive way to let far-flung colleagues view and collaborate on projects without using email attachments, which often have strict file size limitations. Data sharing can be: public, with no access controls; private, in which the cloud service provider authenticates sharing through login controls; or 'secret' uniform resource locator (URL) sharing where people without an account on the cloud service can access data by following a specific web link.

The A*STAR-led researchers analyzed the security of three well-known providers—Dropbox, Google Drive and Microsoft SkyDrive—and found that all three had vulnerabilities many users might encounter. They uncovered several risks related to the sharing of secret URLs. Because URLs are saved in various network-based servers, browser histories and Internet bookmarks, frequent opportunities exist for third parties to access private data. Furthermore, the URL recipient may send the link to others without the data owner's consent.

Another danger lies in the practice of URL shortening—reducing long web addresses to brief alphanumeric sequences for easier sharing on mobile devices. Although the original URL may point to a privately shared file, shortening changes this address into plain text unprotected by encryption. Zhou also notes that because short URLs have very limited lengths, they are susceptible to brute-force attacks that can dig out supposedly secret files.

Zhou explains that the root cause of cloud security problems lies in the need to balance usability with privacy protection. "Users should be careful when they share files in the cloud because no system is perfectly secure. The cloud industry, meanwhile, needs to constantly raise the bar against new attacks while keeping the service as functional as possible."

Explore further: Trouble in the cloud leaves businesses tied to their servers

More information: Chu, C.-K., Zhu, W.-T., Han, J., Liu, J. K., Xu, J. & Zhou, J. "Security concerns in popular cloud storage services." IEEE Pervasive Computing 12, 50–57 (2013). DOI: 10.1109/MPRV.2013.72

add to favorites email to friend print save as pdf

Related Stories

Google might launch Drive for cloud storage soon

Feb 12, 2012

(PhysOrg.com) -- Google's next big move, according to the Wall Street Journal, is a cloud storage service called Drive. Hardly first to the plate, Google is simply catching up to introducing its cloud reposi ...

Recommended for you

Humans are largely the problem in cyber security failures

4 hours ago

When people think about cyber and information security they often think about anti-virus software and firewalls; however, according to an information security expert from the University of Adelaide, organisations would become ...

Pirate Bay founder jailed for hacking Danish data

5 hours ago

A Danish court on Friday sentenced the Swedish founder of file-sharing site The Pirate Bay to 3½ years in prison after he was found guilty of hacking into a private company handling sensitive information for Danish authorities.

What's causing the recent string of data breaches?

Oct 30, 2014

It's Cyber Security Awareness month, which has me wondering: are we doing all we can to protect our data? To help answer this question, I sat down with Girish Bhat of Wave Systems—an important collaborator of Micron's—to ...

Court: UK spies get bulk access to NSA data

Oct 29, 2014

The British government's insistence that its spies don't use the vast espionage powers of the U.S. National Security Agency to sidestep U.K. restrictions on domestic eavesdropping was called into question by a court document ...

User comments : 1

Adjust slider to filter visible comments by rank

Display comments: newest first

IamVal
not rated yet Jun 21, 2014
these do not seem to be cracks in the system, but just an intrinsically insecure way to share that many users find very useful.
the answer here, If you're cloud has 'secret' data on it, Don't use the URL feature.
The question seems to be whether or not you can turn this feature off or whether you have to sign up for it to begin with. The earlier being an obvious flaw.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.