Security through obscurity
Researchers in France and Belgium have uncovered security weaknesses in some of the most popular file sharing sites and gained access to data that was supposed to be private.
Sites such as RapidShare, EasyShare and others allow their users to upload files to a central server and provide a unique URL to access the uploaded file. It is then up to the user whether they post that URL on Twitter for the whole world to see, share it with their family, or keep it a closely-guarded secret for their nearest and dearest. You don't have to be a member of the file sharing service to access an uploaded file. All you need is the cryptic URL unique to that file.
The problem that the researchers have uncovered is that the URLs on some of these services are not nearly cryptic enough, and once you know the patterns used, it is possible for a computer to make guess after guess at valid URLs and see if it finds anything. Using this technique, the researchers found the computer had a success rate of around one in every thousand guesses, and they were able to discover 311,000 files over a 30-day period. Of course, many of these files would be shared with the world anyway, but equally many of them would have been uploaded by users who thought they were using a secure system and their data was safe from unauthorised access and prying eyes.
Is this just a theoretical risk? Apparently not. The researchers uploaded some files to file sharing services and made sure the files contained "beacons" so that they could track if and when they were opened. Over the course of a month, they found that their "private" files were opened at least 275 times.
You can never make such a system 100% secure, but by using much longer URLs and assigning them randomly, you can make it a million, a billion or a trillion times harder for the hacker to guess valid keys. However, that also increases the chances of people copying the URL incorrectly when sharing it with their friends, and complaining that the system is hard to use and doesn't work properly. Another technique these services sometimes use is a CAPTCHA code, to try to establish that there is a human attempting the download, but again, that can make things harder for users, who often fail to appreciate that these inconveniences are there to protect them.
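To put numbers on "longer URLs, assigned randomly", here is an added example in Python; it is not code from the researchers or from any file sharing service. The guessing rate is derived from the figures quoted above (311,000 files, one hit per thousand guesses, 30 days), and the count of one billion live files is a constructed assumption.

```python
import math
import secrets

# Figures quoted in the article above.
FILES_FOUND = 311_000
GUESSES_PER_HIT = 1000        # "one in every thousand guesses"
PERIOD_DAYS = 30

def implied_guesses_per_day():
    """Guessing rate implied by the article's figures (derived, not stated there)."""
    return FILES_FOUND * GUESSES_PER_HIT / PERIOD_DAYS

def new_download_token(nbytes=16):
    """URL token drawn from the OS CSPRNG; 16 bytes = 128 bits, 22 URL-safe characters."""
    return secrets.token_urlsafe(nbytes)

def hit_probability(live_files, token_bits):
    """Chance that a single random guess lands on any live file."""
    return live_files / 2 ** token_bits

def expected_days_to_first_hit(live_files, token_bits, guesses_per_day):
    """Average time before a guessing client finds its first live file."""
    return 1 / hit_probability(live_files, token_bits) / guesses_per_day

def bits_for_target(live_files, guesses_per_day, min_days):
    """Shortest random token (in bits) that keeps the first hit at least min_days away."""
    return math.ceil(math.log2(live_files * guesses_per_day * min_days))

if __name__ == "__main__":
    rate = implied_guesses_per_day()
    live = 10 ** 9            # constructed assumption: one billion live files
    print(f"implied rate: {rate:,.0f} guesses/day")
    for bits in (40, 64, 128):
        days = expected_days_to_first_hit(live, bits, rate)
        print(f"{bits:>3}-bit random token: first hit after about {days:.3g} days")
    # Every extra 20 bits multiplies the guessing work by about a million (2**20).
    print("bits needed for 1,000 years:", bits_for_target(live, rate, 365_000))
    print("sample token:", new_download_token())
```

The calculation only holds if tokens are assigned uniformly at random; a long URL that follows a sequential or predictable pattern gains nothing from its length.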
If you are going to use public file sharing systems for private data, you should assume it is not nearly as secure as the marketing hype suggests. If you must use it for sensitive private data, try to use encryption so that your data is protected not only by the obscurity of the URL, but also by a password you set yourself and which is unknown to the file sharing service. The drawback here of course is that the people you want to share that file with must also have the appropriate decryption software. Sadly we are still a long way from having standardised encryption and decryption tools built into the desktop, the browser, or email software.
www.usenix.org/events/leet11/tech/full_papers/Nikiforakis.pdf
27th May 2011
This article comes from the SKILLZONE email newsletter, published monthly since January 2008, and covering topics related to technology and the internet. All articles and artwork in the SKILLZONE newsletter are original content.