Security Holes in Cloud Storage

Wednesday, May 16, 2012 @ 01:05 PM gHale

There are vulnerabilities affecting registration and login, encryption and shared access to data for cloud storage service providers, a new report said.

The study looked at CloudMe, CrashPlan, Dropbox, Mozy, TeamDrive, Ubuntu One and Wuala, according to a report from the Fraunhofer Institute for Secure Information Technologoy (SIT). Users can access each of these services directly by means of client software installed on a system. The researchers did not look at services such as Amazon’s S3 which are only accessible via an API.

Cloud Computing Security Woes
Critical Flaw in Encryption Software
Microsoft Adjusts as Duqu Lingers
Microsoft Finds Apple Malware

The functions examined by Fraunhofer were copying, backup, synchronization and sharing. Only TeamDrive and Wuala offer all four of these features. CrashPlan and Mozy only offer a backup service – a service not offered by CloudMe, Dropbox or Ubuntu One.

The worst performer with respect to the security factors tested was CloudMe, according to the report. It does not encrypt data either before or during data transfer. The researchers also criticize CrashPlan, TeamDrive and Wuala for using their own unpublished transport encryption protocol rather than the SSL/TLS standard.

CloudMe, Dropbox and Ubuntu One also lost marks for not using client-side encryption, meaning the service provider could read stored data, according to the study. Wuala does offer this feature, but the deterministic encryption procedure used could enable the provider to recognize duplicate files.

The study also dedicates a chapter to legal issues. The authors note the U.S. Patriot Act means data stored with U.S. companies does not enjoy the same level of data protection as data stored in the European Union. Of the companies studied, only CloudMe (Sweden), TeamDrive (Germany) and Wuala (Switzerland) fall outside the jurisdiction of this legislation.

Leave a Reply

You must be logged in to post a comment.