Monday, 9 May 2011

Obscurity ≠ Security

Unintended File Sharing

In their paper presented at LEET '11, the March USENIX Workshop on Large-Scale Exploits and Emergent Threats, a team of five researchers from Belgium and France draw attention to certain very significant weaknesses in file hosting services (FHS) such as Easyshare, FileFactory, and the daddy of them all, RapidShare.

Basically these sites and many others use the secret URI method of sharing uploaded files. Of the 88 services examined in the study (12 of the original 100 having become excluded, because they offered search features, and therefore no pretence of privacy), 34 were found to employ simple sequential file identifiers. 20 of these used no further mitigation against the simplest attacks. The other 14 appended the original file name, yielding an ID effectively unknown to the attacker.


Unfortunately, those most vulnerable 20 include some of the most popular and highly (Alexa) ranked sites. Their entire collections of private hosted files can be enumerated quite simply, by uploading a test file to acquire a valid file ID; then repeatedly decrementing that.

The researchers confirmed the viability of this attack by actually implementing an automatic crawler for those 20 sites. It managed to retrieve some 10,000 files per day for a whole month. Approximately half of these files had no other visible links on the web, suggesting that their owners do in fact regard them as effectively private data.


Even among the FHSs using additional obscurity, such as the original file name or randomly generated identifiers, short key lengths and restricted character sets were often found, as in many password contexts, still to leave protection relatively weak.

Additional security features available with some FHSs include CAPTCHA and a delay before download. Amusingly, most of these services also offer a paid "PRO" version which removes these "restrictions". Password protection, which makes more sense in real security terms, is only offered in about a quarter of cases.


The paper then goes on to document further vulnerabilities, for example in the publicly available software that even some of the better FHSs use to provide their services. But even that is not its best part. The researchers next went on to develop ingenious techniques utilising decoy documents, to determine the extent to which the security vulnerabilities of these websites are already being exploited by malicious users.

They even geolocated the hundreds of attacks on their "HoneyFiles". Perhaps unsurprisingly, more than half originated in Russia, and a further quarter in Ukraine. But significant contributions from fifteen other countries confirmed the world wide nature of these attack types. The researchers detected repeated attempts to use the fake credentials advertised in their HoneyFiles, as well as attempted SQL injection and file inclusion attacks.


Encryption on the user's local computer is obviously a good mitigation. The researchers have developed a proof-of-concept Firefox add-on, automatically to encrypt and decrypt files on upload and download, and to hide encrypted files through steganography.

No comments:

Post a Comment