Cloud Storage: How to protect user credentials against malware

Hi there,

recently, during the Black Hat USA 2015 event, some cyber security experts from Imperva unveiled a serious vulnerability that affected (it’s been fixed now) several major Cloud Storage services such as Google Drive and Dropbox. Also, they put in place a practical attack named “Man in the Cloud” (in French).

man in the Cloud Attack

The vulnerability and the corresponding attack can be explained in very simple words: most of the Cloud Storage services store user credentials (authentication token) on the user machine. Of course, credentials must (should) be carefully protected in order to make sure that a malicious user or software cannot gain access to them. This is why cloud storage clients usually encrypt files where credentials are stored. However, it is well-known that encrypting isn’t enough if encryption isn’t done the right way or the encryption key isn’t well protected. This is exactly the reason behind the vulnerability that has been exploited by Imperva.

More precisely, for most of the Cloud Storage services, they managed to build a malware that is able to access the location where the authentication token is stored and decrypt it without needing any particular authorization or privilege. Once the authentication token is acquired, the program can send it to a remote machine on which the authentication token will be exploited in order to obtain user’s files and do any operation (read, edit, delete, etc.) the attacker wishes. The only missing step is how to transfer the malware on the victim’s machine and run it, but we already know a few ways of achieving that (e.g. phishing). The fact that such a vulnerability was found on almost all popular cloud storage clients is quite surprising… and scaring. This is an additional evidence of the difficulty of finding an “actually” secure cloud storage solution for everybody at competitive prices.

That being said, it’s reasonable to wonder what can be done to avoid this risk without negatively affecting usability by introducing unneeded complexity for the user. The answer isn’t straightforward. First of all, authentication tokens and other sensitive information must not be stored in clear, rather they must always be encrypted. At this point, the encryption method and the storage location become crucial for protecting the authentication token.

A first solution consists of relying on the underlying operating system. Nowadays, most of the operating systems provide out-of-the-box secure ways for storing confidential information (e.g. passwords), therefore it is clever to take advantage of these tools and let them do the job. In practice, they usually go by the name of “keychain” (e.g. Apple’s keychain).

Windows Vault

An alternative solution, which is quite common in enterprise security scenarios, requires to rely on a trusted, secure and robust key server which will take care of storing and protecting all encryption keys. Also, such a server must send a given key to a user only upon a successful authentication attempt. In the market, these solutions go by the name of Hardware Security Modules (HSM). Unfortunately, these devices are usually expensive and don’t fit well in common scenarios such as personal cloud storage, where users want low-budget security.

Hardware Security Module

Finally, a simple yet effective solution is to build a protection mechanism on your own. More generally, the key to properly protect a confidential information is to rely on a secret that isn’t stored anywhere and that only the user knows, such as a code or a password. This way, when the encrypted information needs to be accessed, the decryption operation requires the user to provide (e.g. type) his secret, without which the desired information cannot be accessed. Once the information has been decrypted, it should be kept “in memory” for the time it’s needed and never stored in an unsafe location. This is the strategy we adopted at SecludIT when building ClouDedup, our unique solution for secure cloud storage which provides deduplication and full confidentiality at the same time, along with automatic file synchronization and much more.

ClouDedup

Hope this post cleared your mind and helped you better evaluate the solutions that are out there.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s