Tag archive: security

How an AdWords Campaign Accidentally Exposed Dropbox and Box Users’ Confidential Files

We previously reported on a Dropbox Security Snafu (and their correction for it). Now we’re learning more about how it came about, and how it was discovered.

There are several ways users can inadvertently leak confidential files, but the real head-scratcher is a combination of two perfectly ordinary behaviours: a user pastes the URL of a Dropbox or Box file-sharing link into the browser’s search box rather than its address bar, and a competitor runs a Google AdWords campaign so that its ads appear when people search for “Dropbox” or “Box” (pretty standard stuff).

The sites running such a campaign then see, completely innocently, the search terms that triggered their ads, and some of those “search terms” turn out to be full, clickable URLs to files that often contain sensitive personal or company data.

If you think that’s too rare a scenario to worry about, think again:

In one short and entirely innocently designed ad campaign alone, we found that about 5 per cent of hits represented full links to shared files, half of which required no password to download. This amounted to over 300 documents from a small campaign, including several tax returns, a mortgage application, bank information and personal photos. In one case, corporate information including a business plan was uncovered.

That’s from Richard Anstey of Intralink, the people who stumbled on the issue.

Look at this to see (redacted) images of one person’s tax return, and another’s mortgage application. Identity theft, anyone?

Read more about how Intralink discovered all this, along with some good advice on protecting yourself.

TL;DR: sharing a sensitive file? Use a sharing application that lets you put a password or PIN on the link (and, ideally, an expiry date). An unguessable URL on its own is only as secret as the last place it was pasted.
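The leak above only shows up in data the advertiser already has: the search terms that triggered its ads. As an added example (not code from Intralink, Dropbox or Box), the script below scans a search-terms export for full share links and reports them in redacted form, so a campaign owner can find out whether they are sitting on other people’s file links and purge them. The CSV layout, column names, share-link path prefixes and sample rows are all assumptions constructed for illustration.

```python
"""Added example, not code from Intralink, Dropbox or Box: scan an ad
campaign's search-terms export for full file-sharing links that users typed
into a search box, and report them in redacted form.

The CSV layout, column name, share-link path prefixes and sample rows are
constructed assumptions; adapt them to your own report and providers."""
import csv
import io
import re
from urllib.parse import urlsplit

# Constructed sample export. Two rows are ordinary keywords; three are full
# share links that someone typed into the search box by mistake.
SAMPLE_REPORT = """search_term,impressions,clicks
dropbox,1200,40
https://www.dropbox.com/s/abc123xyz/2013_tax_return.pdf,1,1
box login,300,12
https://app.box.com/s/9f8e7d6c5b4a,1,0
https://www.dropbox.com/sh/q1w2e3r4/AAAbusiness-plan?dl=0,2,1
"""

# Host -> regex for the path prefix that service uses for share links.
# These prefixes are assumptions based on the public link formats; extend
# the table for other providers.
SHARE_LINK_PATHS = {
    "www.dropbox.com": re.compile(r"^/(s|sh|l)/[^/]+"),
    "dl.dropboxusercontent.com": re.compile(r"^/(s|u)/[^/]+"),
    "app.box.com": re.compile(r"^/s/[^/]+"),
    "www.box.com": re.compile(r"^/s/[^/]+"),
}


def classify_share_link(term):
    """Return (service host, share token) if the term is a full share link, else None."""
    parts = urlsplit(term.strip())
    if parts.scheme not in ("http", "https"):
        return None  # plain keywords never have a scheme
    pattern = SHARE_LINK_PATHS.get(parts.netloc.lower())
    if pattern is None:
        return None
    match = pattern.match(parts.path)
    if match is None:
        return None  # same host, but not a share link (e.g. /pricing)
    token = match.group(0).split("/")[2]  # the unguessable part of the link
    return parts.netloc.lower(), token


def redact(term, token):
    """Replace the unguessable token so the finding can be logged without
    re-creating the leak. The file name may itself be sensitive, so treat
    the findings list as confidential too."""
    return term.replace(token, "<redacted>")


def find_leaked_share_links(report_text, column="search_term"):
    """Return a redacted finding for every row whose search term is a share link."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        term = row[column].strip()
        hit = classify_share_link(term)
        if hit is None:
            continue
        host, token = hit
        findings.append({
            "host": host,
            "redacted_url": redact(term, token),
            "clicks": int(row.get("clicks") or 0),
        })
    return findings


if __name__ == "__main__":
    for finding in find_leaked_share_links(SAMPLE_REPORT):
        print(f"{finding['host']}: {finding['redacted_url']} ({finding['clicks']} clicks)")
```

The same check applies to your own web-server and analytics logs: anything that records query strings can end up holding a share link that was typed into the wrong box.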

Dropbox Forced to Kill Shared Links Due to Security Snafu

Oops! Dropbox announced it is disabling existing shared links to documents that contain ordinary hyperlinks to websites. The problem is the plain old Referer header: when someone viewing the shared document clicks one of those hyperlinks, the browser tells the destination website which page the click came from. That is the standard way sites learn where their non-direct traffic originates. In this scenario, however, the referrer is the URL of the shared Dropbox document itself, so whoever operates the destination site (or reads its analytics) now holds a working link to the file.

The symptom Dropbox users will experience? Complaints from recipients that the link they were given doesn’t work (if in doubt, check the link yourself).

From the Dropbox post on the issue:

While we’re unaware of any abuse of this vulnerability, for your safety we’ve taken the following steps to make sure this vulnerability can’t be exploited:

  • For previously shared links to such documents, we’ve disabled access entirely until further notice. We’re working to restore links that aren’t susceptible to this vulnerability over the next few days.
  • In the meantime, as a workaround, you can re-create any shared links that have been turned off.
  • For all shared links created going forward, we’ve patched the vulnerability.

Here’s how to rebuild affected links.
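To make the mechanism concrete, here is an added example (not Dropbox’s code, and not how Dropbox says it patched its links): a small model of what the browser sends as the referrer, and one standard way a share-link host can stop the document URL from leaking, by routing external links through a redirector that is served with `Referrer-Policy: no-referrer` and marking them `rel="noreferrer"`. The redirect endpoint, the response header and the sample document are assumptions for illustration.

```python
"""Added example, not Dropbox's code: show how a shared document's URL leaks
through the Referer header of links inside it, and one way a share-link host
can cut the leak off. The redirect endpoint (/r?u=), the response header and
the sample document are assumptions for illustration."""
import html
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

# Assumed interstitial on the share host: it redirects to the target and is
# served with 'Referrer-Policy: no-referrer', so the document URL never
# reaches the target site.
REDIRECT_ENDPOINT = "/r?u="
SHARED_DOCUMENT_HEADERS = {"Referrer-Policy": "no-referrer"}

# Constructed share link and document body with one external and one internal link.
SAMPLE_DOCUMENT_URL = "https://share.example.com/s/k3j4h5g6/mortgage_application.html"
SAMPLE_HTML = ('<p>Forms: <a href="https://forms.example.org/1003" class="ext">lender</a> '
               'and <a href="/help">help</a>.</p>')


def referer_sent(document_url, link_href, rel=""):
    """Model the browser default of the time (no-referrer-when-downgrade): the
    full document URL is sent unless the link opts out or goes https -> http."""
    if "noreferrer" in rel.split():
        return None
    if urlsplit(document_url).scheme == "https" and urlsplit(link_href).scheme == "http":
        return None  # downgrade: browsers drop the referrer
    return document_url


class OutboundLinkRewriter(HTMLParser):
    """Rebuild the document, routing external <a href> through the redirector
    and adding rel="noreferrer noopener"; everything else is copied verbatim."""

    def __init__(self, document_url):
        super().__init__(convert_charrefs=False)
        self.document_host = urlsplit(document_url).netloc.lower()
        self.out = []

    def _is_external(self, href):
        parts = urlsplit(href)
        return parts.scheme in ("http", "https") and parts.netloc.lower() != self.document_host

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            self.out.append(self.get_starttag_text())
            return
        href = dict(attrs).get("href") or ""
        external = self._is_external(href)
        rebuilt = []
        for name, value in attrs:
            if name == "rel" and external:
                continue  # replaced below with a value that opts out of referrers
            if name == "href" and external:
                value = REDIRECT_ENDPOINT + quote(value, safe="")
            rebuilt.append((name, value))
        if external:
            rebuilt.append(("rel", "noreferrer noopener"))
        attr_text = "".join(f' {n}="{html.escape(v or "", quote=True)}"' for n, v in rebuilt)
        self.out.append(f"<a{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def harden_outbound_links(html_text, document_url):
    """Return the document with every external link routed through the redirector."""
    parser = OutboundLinkRewriter(document_url)
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print("referer a plain link leaks:", referer_sent(SAMPLE_DOCUMENT_URL, "https://forms.example.org/1003"))
    print(harden_outbound_links(SAMPLE_HTML, SAMPLE_DOCUMENT_URL))
```

Note the downgrade rule in `referer_sent`: an https document linking to a plain http site already sends no referrer, which is why the leak bites hardest on links to https destinations. Rewriting the links is only half of the fix; the document view itself also has to be served with the no-referrer header, otherwise images and scripts fetched from third parties leak the same URL.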

Game of Thrones: Five Takeaways for IT

By Ben Stephenson, Journey to the Cloud

After a long wait, Game of Thrones Season 4 has officially started (no spoilers for the first episode of season 4 – I wouldn’t wish that on my worst enemy).  Amidst the action and excitement, there are some lessons IT can take away from seasons 1-3 of the show. Here are five of them:

The War Lies to the North

After Robert Baratheon dies, there is all out war for rule of the Iron Throne and control of the Seven Kingdoms. Joffrey Lannister usurps power after the passing of the king and executes the Lord of Winterfell, Ned Stark. This sparks Ned’s son Robb to march on King’s Landing to attempt to overthrow Joffrey. Meanwhile Robert Baratheon’s younger brother Renly, his older brother Stannis, and Daenerys Targaryen are also all raising armies to try and defeat Joffrey. By the end of season 3 however, it becomes known that the deadly “White Walkers” are back after thousands of years. Some people realize that the war everyone is fighting right now is insignificant because the real war lies to the north.

The lesson for IT: There is often a good amount of unrest between the IT Department and other business units. Maybe Accounting gets frustrated and places the blame for a systems failure on IT, but IT claims it was the Accounting Department’s fault for not following proper protocols. Maybe there is unrest between Marketing and IT around budget allocation for new tradeshow equipment. The lesson here is that IT needs to partner with the business and work together in order to achieve the overall goals that will determine the success of the company.

Liberate Your Users

Daenerys Targaryen, or Khaleesi, is looking to take back the throne that used to belong to her family. Without an army, she purchases a large number of slave soldiers. Instead of treating them poorly and forcing them to fight for her, she frees them all and says it’s their decision if they would like to stay and fight by her side. She then goes from city to city freeing slaves. The result? An extremely loyal and passionate army.

The lesson for IT: People will respond better if you give them choices as opposed to dictating how everything is going to work. Employees are going to bring their own devices to the workplace whether you allow it or not, so empower them to do so by implementing a BYOD program. Shadow IT is going to happen. Employees are going to bypass IT and use AWS. Provide them with a way to do so while you control costs, security, and governance.

Innovation Is Key

When Stannis Baratheon launches a full-scale attack on King’s Landing with a large fleet of ships, things look pretty dim for the Lannister family. Stannis has more manpower and weapons and has the advantage of being able to cut off supply lines to the capital. Tyrion Lannister, King Joffrey’s uncle, is forced to think outside the box to defend the city. He ends up using wildfire to destroy much of the attacking fleet, successfully fending off Stannis’ forces.

The lesson for IT: Continue to innovate and look for creative ways to solve problems. It can be difficult to get to the strategic initiatives when your team is bogged down by day-to-day mundane tasks. IT leaders need to make innovation a top priority in order to keep pace with the needs of the business and the rapidly evolving technology landscape.

The Wall of Security

Security is critical to the survival of any organization. Winterfell and the North always relied on “The Wall” to keep out marauding Wildlings. The Wall is hundreds of feet high, made of sheer ice, and guarded by the Men of the Night’s Watch. Getting a large group of people past The Wall is extremely difficult. However, when an assembly of the Night’s Watch has to abandon their posts to head out beyond the wall, a group of Wildlings is able to scale it and cross to the other side.

The lesson for IT: It’s obviously important to have the proper security measures in place in your organization. The lesson from the Wall, though, is that no matter how secure your perimeter appears, there is always a way past it, especially when the people watching it are pulled away. This is why you need to proactively monitor and manage your environment rather than trusting the wall alone.

Choose Your Partners Wisely

As the war with the Lannisters drags on, Robb Stark is in desperate need of more soldiers. Robb strikes a deal with Walder Frey to have one of his uncles marry one of Frey’s daughters to unite the families. Robb chose the wrong partner and things don’t go according to plan (and by not “going according to plan” I mean Robb, his wife, his mother, and his countrymen are brutally murdered during the wedding ceremony…).

The lesson for IT: There are a lot of factors to take into consideration when you’re deciding who to align yourself with. Choosing the right vendor for your organization depends on many factors including the specific project you’re working on, your existing environment, your budget, your goals, your future plans, etc. You don’t want to make a hasty decision on a specific vendor or product without thinking it through very carefully. This is where a company such as GreenPages can act as a trusted advisor to help guide you down the right path.

Any other lessons you can think of?


Download this whitepaper to learn how corporate IT can manage its environment as if it is “deployed to the cloud.” So, if and when different parts of the environment are deployed to the cloud, day-to-day management of the environment remains unchanged—regardless of where it is running.


Developers Hit With Big, Unexpected AWS Bills, Thousands on GitHub Exposed

Amazon Web Services (AWS) is urging developers using the code-sharing site GitHub to check their repositories to ensure they haven’t inadvertently exposed their log-in credentials.

When opening an account, users are told to “store the keys in a secure location” and are warned that the key needs to remain “confidential in order to protect your account”. However, a search on GitHub reveals thousands of results where code containing AWS secret keys can be found in plain text, which means anyone who finds them can call the AWS API as that account.

From a security perspective it means an attacker can do whatever the key is permitted to do: read any of the files stored in the AWS account, and spin up compute at the owner’s expense, which is where the big, unexpected bills come from.

According to an AWS statement, “When we become aware of potentially exposed credentials, we proactively notify the affected customers and provide guidance on how to secure their access keys.”

There is more detail (and some cautionary tales involving big, and unexpected, AWS bills) here.
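The cheapest place to catch this is before the push. As an added example (not AWS’s or GitHub’s code), the scanner below looks for AWS access key IDs and secret keys in a set of files and refuses the commit if it finds any. The sample files are constructed; the key values are the example credentials from AWS’s own documentation, which is why they are safe to show here.

```python
"""Added example, not AWS's or GitHub's code: scan files about to be committed
for AWS access keys and refuse the commit if any are found. The sample files
are constructed; the key values are the example credentials from AWS's own
documentation."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path line kind redacted")

# Access key IDs are 20 upper-case alphanumerics starting AKIA (long-term) or
# ASIA (temporary). Secret keys are 40 base64-like characters, which on their
# own match far too much, so they are only flagged next to a variable name
# that says what they are.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY = re.compile(
    r"(?i)aws[_\-]?secret[_\-]?access[_\-]?key\W{0,5}['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample tree: one file with hard-coded keys, two clean ones.
SAMPLE_FILES = {
    "config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "app.js": "const s3 = new AWS.S3({ accessKeyId: process.env.AWS_ACCESS_KEY_ID });\n",
    "README.md": "Keys are read from the environment; never commit them.\n",
}


def redact(secret):
    """Keep just enough of the value to identify which key to rotate."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(path, text):
    """Return every key-shaped string in one file, with line numbers."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append(Finding(path, number, "aws_access_key_id", redact(m.group(0))))
        for m in SECRET_KEY.finditer(line):
            findings.append(Finding(path, number, "aws_secret_access_key", redact(m.group(1))))
    return findings


def scan_files(files):
    """files maps path -> text; in a real hook, build it from `git diff --cached`."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def commit_allowed(files):
    """Pre-commit policy: any finding blocks the commit."""
    return not scan_files(files)


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} {f.redacted}")
    print("commit allowed:", commit_allowed(SAMPLE_FILES))
```

A pattern match is a lead, not proof, so review hits before blocking in anger. The one rule that is not negotiable: if a real key has already been pushed, removing it from the repository is not enough. Treat it as compromised, deactivate it in IAM and issue a new one; rewriting history does not undo the clones and search indexes that already captured it.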

90 Second Tech News Recap for the Week of 2/3/2014


Get your weekly technology news recap for the week of 1/27 in 90 seconds!


http://www.youtube.com/watch?v=BXOIAD_gFik


«Syrian Electronic Army» Reminds Us of Importance of Internet Security

by Elliot Curtis, Senior Director, Mass Market Hosting Sector, Parallels

The recent attack by the “Syrian Electronic Army” on media outlets, including the New York Times and Huffington Post websites, is a renewed reminder of the challenges around internet security. While SMB websites are an unlikely target for organized hacking or distributed denial-of-service (DDoS) attacks, these highly visible and widely reported incidents raise awareness and concern for everyone. Most SMBs are exposed to risk from malware and hacking, as well as problems caused by botnets or even simple content control.

Awareness of internet security continues to rise, but high-profile incidents like this present a specific opportunity for web hosters and service providers to talk with their customers about solutions that protect their web presence and cloud applications. Parallels products and our ecosystem of partners enable a variety of security solutions, including hacking protection, anti-virus, anti-spam, email security, DDoS prevention, and backup and disaster recovery. Our SMB Cloud Insights™ research shows that security solutions are the most popular and fastest-growing add-on to both web hosting and VPS core services, so every web hoster and service provider should have a security bundle as part of both its core offering and its up-sell strategy.

Survey Shows Extent of NSA/PRISM’s Damage to US Cloud Companies

A survey by the Cloud Security Alliance found that 56% of non-US residents were now less likely to use US-based cloud providers, in light of recent revelations about government access to customer information.

During June and July of 2013, news of a whistleblower, US government contractor Edward Snowden, dominated global headlines. Snowden provided evidence of US government access to information from telecommunications and Internet providers via secret court orders as specified by the Patriot Act. The subsequent news leaks indicated that allied governments of the US may have also received some of this information and acted upon it in unknown ways. As this news became widespread, it led to a great deal of debate and soul searching about appropriate access to an individual’s digital information, both within the United States of America and any other country.

CSA initiated this survey to collect a broad spectrum of member opinions about this news, and to understand how this impacts attitudes about using public cloud providers.

PRISM Scandal Generates Renewed Interest in Non-US Cloud Providers

Guest Post by Mateo Meier, founder of Swiss hosting provider Artmotion

Businesses are voting with their feet in light of the recent PRISM scandal. Until recently the US was considered the leading destination for cloud services, with its vast infrastructure and innovative service offerings, but the recent leaks have sparked panic among many business owners and are driving demand for non-US cloud providers.

The most concerning aspect for many is the wide ranging implications of using US-controlled cloud services, such as AWS, Azure and Dropbox. As a result, businesses are now turning to Switzerland and other secure locations for their data hosting needs.

Swiss ‘private’ hosting companies are seeing huge growth because privacy in Switzerland is enshrined in law. As the country is outside of the EU, it is not bound by pan-European agreements to share data with other member states, or worse, the US. Artmotion, for example, has witnessed 45 per cent growth in revenue amid this new demand for heightened privacy.

Until now the PRISM scandal has focused on the privacy of the individual, but the surveillance undertaken by NSA and Britain’s own GCHQ has spurred corporate concern about the risks associated with using American based cloud providers to host data. It is especially troubling for businesses with data privacy issues, such as banks or large defence and healthcare organisations with ‘secret’ research and development needs.

Before PRISM, the US was at the forefront of the cloud computing industry and companies worldwide flocked to take advantage of the scalable benefits of cloud hosting, as well as the potential cost savings it offered.

However, the scandal has unearthed significant risks to data for businesses, as well as for their customers. With US cloud service providers, the government can request business information under the Foreign Intelligence Surveillance Act (FISA) without the customer whose data it is ever knowing it has been accessed.

For businesses large and small, data vulnerabilities and the threat of industrial espionage from US hosting sites can present real security risks or privacy implications, and it’s causing a real fear. Business owners are worried that by using US based systems, private information could potentially be seen by prying eyes.

The desire for data privacy has therefore seen a surge in large corporations turning to ‘Silicon’ Switzerland to take advantage of the country’s renowned privacy culture. Here they can host data without fear of it being accessed by foreign governments.


Mateo Meier, founder of Artmotion, spent the early stages of his career in the US before returning home to Switzerland to start Artmotion. Artmotion was started in early 2000 and provides highly bespoke server solutions to an international set of clients.

Breaking: US Cloud Companies To Lose Billions In EU Due To PRISM

The European Commission’s vice president Neelie Kroes said in a statement that reports of the US government spying on servers held by US cloud providers are creating an “atmosphere of distrust” around cloud services.

“Why would you pay someone else to hold your commercial or other secrets, if you suspect or know they are being shared against your wishes?” Kroes said. “Front or back door – it doesn’t matter – any smart person doesn’t want the information shared at all.”

“If European cloud customers cannot trust the United States government or their assurances, then maybe they won’t trust US cloud providers either. That is my guess. And if I am right then there are multi-billion euro consequences for American companies.”