There is a new player on the public Cloud scene, and they have run into issues already. Following the demise of his Megaupload service, Kim Dotcom has launched Mega, a Cloud service which claims to ‘protect your privacy’.

Dotcom has had a high profile in the press recently as he fights extradition charges from New Zealand to the US where he faces charges of racketeering and money laundering. The Megaupload service was shut down, accused of copyright infringement for the huge number of pirated films on the site. Legitimate users also lost access to their files, and have accused the US government of theft of their property.

The new Mega service has already faced criticism after it was revealed that a hacker had found a way into users’ accounts by recovering passwords from the links contained in confirmation emails. According to Ars Technica:

Mega e-mails a link to all new users and requires that they click on it before they can use the cloud-based storage system, which boasts a long roster of encryption and security protections. Security professionals have long considered it taboo to send passwords in either plaintext or as cryptographic hashes in e-mails because of the ease attackers have in intercepting unencrypted messages sent over the Internet.

Despite that admonishment, the link included in Mega confirmation e-mails contains not only a hash of the password, but it also includes other sensitive data, such as the encrypted master key used to decrypt the files stored in the account. MegaCracker works by isolating the AES-hashed password embedded in the link and attempting to guess the plaintext that was used to generate it.
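The quoted passage describes a confirmation link that carries a hash of the password and the encrypted master key, which is what makes the e-mail worth guessing against offline. What follows is an added example, not code from the article, from Ars Technica or from Mega, of the design a service should use instead: the link carries only an opaque random token, generated independently of the password, stored server-side as a hash, valid once and for a limited time. The 24-hour lifetime, the function and class names and the `example.invalid` URL are assumptions for illustration.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumption: a link expires after one day


def _digest(token):
    # The database keeps only a hash of the token, so a leaked table does not
    # hand out live confirmation links.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class ConfirmationStore:
    """Pending e-mail confirmations, keyed by the hash of the token.

    The clock is injectable so that expiry can be exercised offline.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id):
        # 256 bits from the OS CSPRNG. Nothing here is derived from the
        # password or from any key material, so the e-mail reveals neither.
        token = secrets.token_urlsafe(32)
        self._pending[_digest(token)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token  # this opaque value is the only thing that goes in the link

    def confirm(self, token):
        # pop() makes the token single-use whether or not it is still valid.
        entry = self._pending.pop(_digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id


def build_confirmation_link(base_url, token):
    """The only account-specific datum in the link is the opaque token."""
    return base_url + "?" + urlencode({"confirm": token})


def token_from_link(link):
    """Server side: pull the token back out of the clicked link."""
    values = parse_qs(urlparse(link).query).get("confirm", [])
    return values[0] if values else None


if __name__ == "__main__":
    store = ConfirmationStore()
    token = store.issue("user-42")
    link = build_confirmation_link("https://example.invalid/confirm", token)
    print(link)
    print(store.confirm(token_from_link(link)))  # user-42
    print(store.confirm(token_from_link(link)))  # None: single use
```

Because the token is random rather than computed from the password, an intercepted or forwarded confirmation e-mail gives an attacker nothing to guess against; the worst case is a single confirmation of an account they do not control, bounded by the expiry window.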

There is a dangerous culture of marketing consumer-grade Cloud as secure. As I have said before, resilience is not always resilience, security is not always security. Businesses need to make sure that they choose Enterprise-grade Cloud, not consumer-grade, best-effort Cloud.
