Cloud computing: cyber security breaches attract hackers

Dropbox breach

Organizations and businesses are increasingly turning to cloud computing to streamline their operations and to give their employees easier, more available access to their files. A survey of 140 organizational data security managers revealed that 90% of them have already adopted cloud technology or are about to do so soon. This trend brings new challenges, as organizations begin using cloud storage for files containing sensitive data such as medical information, confidential financial figures or even passwords. Cloud-based internet and mobile applications (apps) are constantly being targeted by hackers, who are quick to seize the opportunity that security breaches afford them.

Exactly such a cyber security breach was recently discovered in the source code of the mobile Dropbox app. Potentially, this vulnerability would have enabled hackers to link their own Dropbox account with the target’s account. Dropbox users would then have uploaded files to what they believed was their own account, unwittingly compromising them by effectively transferring the files to the hacker’s account.

Roee Hay and Or Peles were the two cyber security experts who discovered the breach by analyzing the app’s source code. The two are part of IBM’s X-Force, a global cyber security research team whose Israeli branch comprises some 7 professionals from various fields.

“The hackers’ cyberattack usually begins with the target wirelessly surfing to a page the hacker had made or had already broken into,” explains Roee Hay. “From this point on, the hacker makes ample use of the breach, so the next time the victim enters his or her Dropbox account, they will be automatically associated with the hacker’s account.”

Victims of the cyber attack are unaware that their files are effectively ending up in the hacker’s own account, since their mobile Dropbox app shows that they uploaded the files to their own account. Nevertheless, cross-referencing their mobile account with their desktop account would have shown that the files were never uploaded to their own account at all.

One of X-Force’s primary fields of study is developers’ toolkits (SDKs). These are at the heart of most apps, and so they unwittingly and unwillingly constitute a bridgehead for a cyberattack. To prevent unauthorized parties from taking advantage of their findings, when the team comes across a vulnerability or a breach, they first notify the affected vendor. “Contrary to our usual experience, in Dropbox’s case, they reacted very rapidly,” adds Hay. “They responded to my email within seven minutes and fixed the problem within five days.” He also said that even when companies are aware of a breach, they are not quick to take action. Some do not even bother to respond to the team’s alerts, whereas others are very slow to fix and tweak the compromised app.

In the case of Dropbox, the disclosed vulnerability also created a need to fix the source code of other mobile apps that build on the same toolkit, among them Microsoft’s mobile toolkit and AgileBits’ 1Password password management app. The fix was included in Dropbox 1.6.2, and according to Hay, even Dropbox’s own team did not detect any specific malware (malicious software) that took advantage of the breach. Nevertheless, “you can never be certain.”