Todas las entradas hechas por Richard

How an Adwords Campaign Accidentally Exposed Dropbox and Box User’s Confidential Files

We previously reported on a Dropbox Security Snafu (and their correction for it). Now we’re learning more about how it came about, and how it was discovered.

There are several ways users can inadvertently leak confidential files, but the one that is the real head-scratcher is a combination of a user entering the URL of a Dropbox or Box file-sharing link in their browser’s “search box” rather than the “URL box”, combined with Google AdWords campaigns by competitors who want their ads to appear with people “search” for Dropbox or Box (pretty standard stuff).

The sites running such a campaign then — completely innocently — see what users are searching for, and what they are “searching for” turns out to be fully-clickable URLs to files that often contain sensitive personal or company data.

If you think that’s too rare a scenario to worry about, think again:

In one short and entirely innocently designed ad campaign alone, we found that about 5 per cent of hits represented full links to shared files, half of which required no password to download. This amounted to over 300 documents from a small campaign, including several tax returns, a mortgage application, bank information and personal photos. In one case, corporate information including a business plan was uncovered.

That’s from Richard Anstey of Intralink, the people who stumbled on the issue.

Look at this to see (redacted) images of one person’s tax return, and another’s mortgage application. Identity theft, anyone?

Read more about how Intralink discovered all this, along with some good advice on protecting yourself.

TL;DR: sensitive file? Use a sharing application that offers a password or PIN option.

Dropbox Forced to Kill Shared Links Due to Security Snafu

Oops! Dropbox announced it is killing existing shared links where documents include ordinary hyperlinks to websites. The problem is the plain old referrer in the header tells that website the URL the inbound link came from. That’s a standard way sites know where their non-direct traffic is coming from. In this scenario, however, the referrer is the URL of the shared dropbox document.

The symptom Dropbox users will experience? Complaints from recipients that the link they were given doesn’t work (if in doubt check the link yourself).

From the Dropbox post on the issue:

While we’re unaware of any abuse of this vulnerability, for your safety we’ve taken the following steps to make sure this vulnerability can’t be exploited:

  • For previously shared links to such documents, we’ve disabled access entirely until further notice. We’re working to restore links that aren’t susceptible to this vulnerability over the next few days.
  • In the meantime, as a workaround, you can re-create any shared links that have been turned off.
  • For all shared links created going forward, we’ve patched the vulnerability

Here’s how to rebuild affected links.

Cloud Computing Entering Hypergrowth Phase

Cloud services and cloud platforms are now an undeniable part of the IT landscape. Forrester research indicates the shift has begun from exploration of cloud as a potential option, to rationalization of cloud services within the overall IT portfolio.

Cloud platforms, most notably Amazon Web Services, were only collectively $4.7 billion last year but are maturing quickly thanks to stronger recent solutions from traditional IT partners IBM, HP and Microsoft. The growth in use, maturity, and financial viability of public cloud platforms are proving their longstanding value as legitimate deployment options for enterprise applications. While not a one-for-one replacement for on-premise, hosting, or colocation, cloud platforms fit well as ideal deployment options for elastic and transient workloads built in modern application architectures.

For applications and services built in an agile mode with modern architectures, discrete cloud services, such as database, storage, integration and other standalone cloud middleware components, will empower developers by freeing them from the management and maintenance of these components and reduce overall deployment footprint and cost. They are also managed and enhanced by vendors as often as daily delivering new capabilities that can help a company maintain pace with the changing desires of an empowered customer base

As the largest clouds continue to invest in efficiencies that can only be achieved at their massive scales, the gulf between the cost efficiencies that can be had from the cloud and what is possible on-premise or through other outsourcing and hosting options will widen dramatically.

How Forrester came to these conclusions.

Aereo Decision: the Cloud at a Crossroad?

Broadcasters’ latest legal target is 2-year-old upstart Aereo—which retransmits over-the-air broadcast television using dime-sized antennas to paying consumers, who can watch TV online or record it for later viewing. The case, before the Supreme Court, may have impact on cloud computing generally, not just on Aereo’s business. A federal appeals court said that Aereo’s service is akin to a consumer putting a broadcast antenna atop their dwelling. Aereo, the appeals court ruled, “provides the functionality of three devices: a standard TV antenna, a DVR, and a Slingbox”

Companies like Google, Microsoft, Mozilla, Yahoo, and others are worried that a victory for the broadcasters could upend the cloud. The companies, in trade association briefs, told the justices in a recent filing that the “dramatic expansion of the cloud computing sector, bringing with it real benefits previously only imagined in science fiction, depends upon an interpretation of the Copyright Act that allows adequate breathing room for transmissions of content.”

Consider any file-hosting service that allows people to store their own material, such as Dropbox. What if it can be shown they are storing copyrighted work. Do they need a license?

Mitch Stoltz, an Electronic Frontier Foundation attorney, said in a telephone interview that, “If the Supreme Court rules in favor of the broadcasters, their opinion might create liability for various types of cloud computing, especially cloud storage.”

But, in urging the high court to kill Aereo, the broadcasters said that “The disruption threatened by Aereo will produce changes that will be difficult, if not impossible, to reverse.”

More detail and analysis.

Amazon, Google: a Battle to Dominate the Cloud

The cloud is just a vast mass of computers connected to the internet, on which people or companies can rent processing power or data storage as they need it.

All the warehouses of servers that run the whole of the internet, all the software used by companies the world over, and all the other IT services companies hire others to provide, or which they provide internally, will be worth some $1.4 trillion in 2014, according to Gartner Research—some six times Google and Amazon’s combined annual revenue last year.

When that time comes, all the world’s business IT needs will be delivered as a service, like electricity; you won’t much care where it was generated, as long as the supply is reliable.

Way back in 2006, Amazon had the foresight to start renting out portions of its own, already substantial cloud—the data centers on which it was running Amazon.com—to startups that wanted to pay for servers by the hour, instead of renting them individually, as was typical at the time. Because Amazon was so early, and so aggressive—it has lowered prices for its cloud services 42 times since first unveiling them, according to the company—it first defined and then swallowed whole the market for cloud computing and storage.

Even though Amazon’s external cloud business is much bigger than Google’s, Google still has the biggest total cloud infrastructure—the most servers and data centers. Tests of Amazon’s and Google’s clouds show that by one measure at least—how fast data is transferred from one virtual computer to another inside the cloud—Google’s cloud is seven to nine times faster than Amazon’s.

The question is, is Amazon’s lead insurmountable?

 

A Big, Perhaps Watershed Week of Cloud Annoucements

  • Google harmonized its cloud computing business to a single entity, with a pricing model intended to hold customers by enticing them to build ever cheaper and more complex software. 
  • Cisco announced it would spend $1 billion on a “cloud of clouds” project. 
  • Microsoft’s new CEO made his first big public appearance, offering Office for the Apple iPad, partly as a way to sell more of its cloud-based Office 365 product.
  • Amazon Web Services announced the general release of its cloud-based desktop computing business, as well as a deal with to offer cloud-based enterprise software tools to industries like healthcare and manufacturing.

For more detail and opinions read this, and listen to this.

Developers Hit With Big, Unexpected AWS Bills, Thousands on GitHub Exposed

Amazon Web Services (AWS) is urging developers using the code sharing site GitHub to check their posts to ensure they haven’t inadvertently exposed their log-in credentials.

When opening an account, users are told to “store the keys in a secure location” and are warned that the key needs to remain “confidential in order to protect your account”. However, a search on GitHub reveals thousands of results where code containing AWS secret keys can be found in plain text, which means anyone can access those accounts.

From a security perspective it means they can basically go in and gain access to any of the files that are stored in the AWS account.

According to an AWS statement,  ”When we become aware of potentially exposed credentials, we proactively notify the affected customers and provide guidance on how to secure their access keys,”

There is more detail (and some cautionary tales involving big, and unexpected, AWS bills) here.

Stanford Researchers Create Tool to Triple Cloud Server Efficiency

Two Stanford engineers have created a cluster management tool that can triple server efficiency while delivering reliable service at all times, allowing data center operators to serve more customers for each dollar they invest.

“This is a proof of concept for an approach that could change the way we manage server clusters,” said Jason Mars, a computer science professor at the University of Michigan at Ann Arbor.

Kushagra Vaid, general manager for cloud server engineering at Microsoft Corp., said that the largest data center operators have devised ways to manage their operations but that a great many smaller organizations haven’t.

“If you can double the amount of work you do with the same server footprint, it would give you the agility to grow your business fast,” said Vaid, who oversees a global operation with more than a million servers catering to more than a billion users.

How Quasar works takes some explaining, but one key ingredient is a sophisticated algorithm that is modeled on the way companies such as Netflix and Amazon recommend movies, books and other products to their customers. Instead of asking developers to estimate how much capacity they are likely to need, the Stanford system would start by asking what sort of performance their applications require.

Read much more detail here.