There’s a new threat for IT Managers and this time it can’t simply be patched!
You might have heard of so-called Man In The Middle (MITM) attacks; they even have their own Wikipedia page. Now, all of a sudden, there is an entirely new phenomenon dubbed the ‘Man In The Cloud’ (MITC) attack.
MITC attacks can inflict considerable damage for which no real solutions exist, other than entirely discontinuing the use of all modern ‘File Sync & Share’ solutions such as Google Drive and Dropbox.
This serious problem arises at the very moment mainstream IT is transferring critical corporate processes to the Cloud, or enabling them for the Cloud. This trend, combined with other phenomena that are quickly gaining traction, such as BYOD (Bring Your Own Device) and the explosive usage of the ‘File Sync & Share’ solutions offered by Dropbox, Google Drive, BOX and the like, makes for a toxic recipe. This recipe accommodates massive security breaches and data thefts at corporations and institutions without ever being noticed! Imperva’s Hacker Intelligence Initiative report ‘Man In The Cloud (MITC) Attacks’ provides a highly comprehensible explanation of this topic.
Although attacks that abuse popular software certainly aren’t new, a new and more worrying aspect is that protection against these MITC attacks cannot be attained with software patches. It seems that no easy solutions are available.
Furthermore, these attacks are virtually undetectable and therefore ‘ideal’ for inserting both viruses and malware directly into the digital heart of an organisation. In short: extremely dangerous.
The major flaw lies in a weakness that is present in all Sync & Share applications. These applications were all designed for consumers who want to access their personal files from their mobile devices at any location.
The most important criterion when designing consumer solutions is ease of use. The user doesn’t want to enter a password before every synchronisation, and both synchronisation and sharing must run in the background, so that users embrace the application for its ease of use.
A current trend is that organisations have also started to use these kinds of systems, as their staff members – who are used to the luxury of these personal applications – demand similar access to their professional files from their mobile devices. The various software manufacturers respond to this demand by offering their solutions to corporate IT departments.
And this is exactly where the new risk originates. These systems were simply not developed for corporate environments, which (contrary to those of consumers) are subject to various regulatory and security requirements. One may claim they are safe, but the danger of a Man In The Cloud attack is highly realistic, and these systems are not prepared to fend it off.
The only possible conclusion is that Sync & Share systems aimed at corporate IT users must be rethought (or rather: redeveloped) with these security requirements in mind. New ways must be found to still accommodate end users who are used to remaining ‘In Sync’, while ensuring that data always remains encrypted, even in the event of a ‘Man In The Middle attack’.
In other words, when your files end up in someone else’s possession (due to device theft or a MITM attack), the information in those files should not be accessible to anyone else.
At StorGrid we recognised this phenomenon a long time ago. In the design phase of our solution, four years ago, one of the key requirements was to provide proper security while acknowledging that users don’t want to be hassled by the security settings on their mobile devices every time they use them.
Various risks were therefore taken into account: for instance, that someone who wants to steal data could simply steal the mobile device itself. A jailbroken or rooted device forms another hazard, as files that are normally hidden become visible. And, of course, the risk of a Man In The Middle attack.
Another key criterion was to shield end users from having to enter passwords and user names in order to synchronise, and to read and edit files. We coined this design method ‘Zero Knowledge Security’, in which a system is structured in a way that keeps data intrinsically safe for both the user and the system administrator, without requiring them to think about it continuously.
Intrinsically safe means that every file is encrypted separately with a 256-bit encryption key, the Private Keys of which can never be stolen. We also wanted to make sure that, despite sharing and syncing, the files can only be accessed by authorised individuals, and that the access rights can be revoked immediately from a central location in the event of a security breach, at both user and group level.
StorGrid developed a brand new security methodology to meet all these requirements and risks, called Attribute Based Encryption or ABE. Documents are always opened in a separate container on the mobile device, and a new Private Key is retrieved from the server at every individual login. That key can only be used at that moment, for that specific user and their PIN code, on that specific device, for that specific session.
This completely eliminates the hazard of a MITC attack. Data can still be easily replicated to another device, but as the hacker does not possess the Private Key and the PIN, he cannot access the encrypted files. Although, in theory, they could still be accessed by brute-forcing each individual file, the computing capacity required is so vast that it becomes a practical impossibility. In addition, the hacker cannot encrypt any files, so secretly uploading infected code into the system becomes entirely impossible.
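To make the design in the preceding paragraphs concrete, here is an added illustration written for this page (my own code, not StorGrid’s implementation, whose internals are not disclosed here): every file gets its own random 256-bit key, wrapped under a key that only exists in memory for the session and is derived from a server-held secret plus the user’s PIN. The derivation, the use of AES-GCM key wrapping in place of the ‘Attribute Based Encryption’ the text names, and the omission of device binding (assumed to be enforced by the server at login) are all assumptions of this example; what it shows is that a replicated copy of the store decrypts only with that session key and that an altered or planted file is rejected rather than read.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// must turns the "cannot happen" errors below (bad key length, broken CSPRNG) into panics.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// SessionKey models the key the text says is fetched at every login: the server releases
// serverSecret only to an authenticated enrolled device (none after revocation). Assumed.
func SessionKey(serverSecret []byte, user, pin string) []byte {
	m := hmac.New(sha256.New, serverSecret)
	m.Write([]byte(user + "\x00" + pin)) // never written to disk; PIN is useless without the secret
	return m.Sum(nil)                     // 32 bytes: a 256-bit AES key
}

// seal prefixes a fresh random nonce; open strips it and verifies the GCM tag.
func seal(key, pt []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	g := gcm(key)
	if len(ct) < g.NonceSize() { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// SyncedFile is what sync replicates to every device; neither part is usable without the key.
type SyncedFile struct{ Body, WrappedKey []byte }
// EncryptFile draws a fresh random 256-bit key for this one file and wraps it.
func EncryptFile(sessionKey, pt []byte) SyncedFile {
	fileKey := make([]byte, 32)
	must(rand.Read(fileKey))
	return SyncedFile{Body: seal(fileKey, pt), WrappedKey: seal(sessionKey, fileKey)}
}

// DecryptFile fails without the exact session key, and when body or wrapped key was altered.
func DecryptFile(sessionKey []byte, f SyncedFile) ([]byte, error) {
	fileKey, err := open(sessionKey, f.WrappedKey)
	if err != nil { return nil, err }
	return open(fileKey, f.Body)
}
```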
With the application of its innovative encryption method, StorGrid is a thought leader in the field of safely sharing and syncing files, and the safest corporate ‘File Sync & Share’ solution available at this moment.