Cloud Storage: The Risks and Rewards


Jérémy Legendre

Norwich University

School of Business and Management

IS340 – Introduction to Information Assurance 2012-11-14

Contents

Introduction

Why has Cloud Storage Become Popular?

Risks

DropBox Compromises

iCloud Compromise

Google Drive Compromises

Security of Data Transfers

FTP

SSL

Encryption in Storage

Cloud Storage and the U.S. Government

Synoptic Table of Cloud Services

Concluding Remarks

Works Cited

Introduction

Backing up to the cloud means putting your backups on a remote server that can be accessed over an Internet connection.[1] You can access your information from anywhere you have an Internet connection without taking up space on your machine’s hard drive. Many businesses have started to use cloud computing and it is expected that there will be a “26 percent growth in adoption over the next several years”.[2] However, the cloud is not just for businesses; even the U.S. government has started to adopt the cloud model. Cloud storage is offered for personal use (for free or for a fee) by a number of companies including Apple (iCloud), DropBox and Google (Google Drive). With massive adoption of cloud backups, users are increasingly concerned about how secure this backup method is.[3] With 100 percent adoption of cloud backups, everything will be available from anywhere. How much should you trust the cloud?


Why has Cloud Storage Become Popular?

Cloud storage is not a new way to back up your files. The idea was first introduced in the 1960s by computer scientists John McCarthy and J.C.R. Licklider.[4] So why has cloud storage only become popular in recent years?

Prior to the 1990s, bandwidth and what we consider decent transfer rates were rare. In the 1970s, typical transfer speeds (for those who had the Internet) were around 300 bits per second,[5] which is 27 seconds per kilobyte or approximately eight hours per megabyte. These speeds are not adequate for transferring large amounts of data. Furthermore, few people had access to the Internet during the 1970s and even into the early 1990s. For example, only two percent of households in the U.S. had access in 1994 and only twenty-six percent had access in 1998.[6] There was not much of a market for personal cloud storage services.

Online storage services started to spring up as bandwidth and speeds increased and more people started using the Internet.[7] Among the first to popularize this service was DropBox, Inc. in 2007.[8] They pioneered seamless operating system integration, competitive prices and even offered a free plan with limited options. Dropbox created the industry standard for remote backup services.[9] Apple’s iCloud storage service launched in 2011 and Google Drive in 2012.



1 (Freedman 2012)

2 (Clancy)

3 (Krossman)

4 (Mohamed)

5 (12ht)

6 (National Science Foundation)

7 (Rhea, Wells and Eaton)

8 (DropBox, Inc)

9 (Zelman)

Dropbox alone had four million users in February 2010 [10] and more than one hundred million users as of November 2012.[11] Apple’s iCloud hit over 190 million users in October of 2012 [12] and Google Drive announced their ten million-user mark in June 2012.[13]


Risks


Cloud storage may be convenient but is your data secure? No matter which cloud storage service you choose, the services “have full access to your data and control where it is stored”.[14] Cloud servers have been compromised, causing uncertainty or data compromise for customers.

DropBox Compromises

Although DropBox is currently the face of personal cloud storage, it is not because they are the most secure. Back in July 2011 DropBox announced that a code update had “completely disabled the authentication system for an unknown period of time”.[15] That means that for a few hours, anyone could access any DropBox account without any credentials. For many of us, that is a pretty scary thought. Although DropBox reassured us that they are “implementing additional safeguards to prevent this from happening again”, they were compromised once again in July 2012.[16]

The July 2012 compromise ended with a small number of customers’ accounts being subject to unauthorized access. Sound familiar? DropBox launched a full investigation and announced “that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts.” This may not sound like it is their fault, but one of the accounts accessed was “an employee Dropbox account containing a project document with user email addresses”. The email addresses acquired were then spammed. Since the 2012 compromise DropBox has added an optional two-factor authentication system that sends to your phone a temporary code needed to log in, and a “new page that lets you examine all active logins to your account”.[17] DropBox has not, to date, reported any compromises since the attack.

iCloud Compromise

The iCloud compromise was a scary glimpse into the reality of what a little social engineering and loosely followed internal policies can lead to. In one hour Mat Honan’s “entire digital life was destroyed”.[18] Hackers social engineered their way into Honan’s iCloud account by calling AppleCare and using his email address, billing address and last four digits of his credit card as identification.[19]

10 (Ying)

11 (Constine)

12 (Lardinois)

13 (Crook)

14 (Schwartzberg)

15 (Bott)

16 (Ferdowsi)

17 (Kerr)

18 (Honan)

The hackers obtained his billing address from a simple and public whois lookup.

From there they called Amazon (who also has a cloud storage service) and asked to change the email address on the account to an email address the hackers had access to. Amazon did so without a problem after the hacker provided Honan’s billing address as identification. The hackers were able to reset the password on the Amazon account by having password reset information sent to the newly changed email, and to get ahold of the last four digits of his credit card once inside.[20]

They now had enough information to fulfill AppleCare’s identification requirements and get into Honan’s iCloud account. Once the hackers were in Honan’s iCloud account they were able to “reset his iCloud password, reset his Gmail password, gain control of his Twitter account”.[21] Sadly, this is not the end of the destruction of Honan’s “digital life”.

Honan had Find my iPhone turned on for his iPhone/iPad and Find my Mac [22] turned on for his MacBook Air. This is a service that allows you to locate your lost or stolen Apple products and even remotely wipe those devices, which is exactly what the attackers did.

Although this attack was not a technological one, it says a lot about how careful Apple really is with your account. Strict enforcement of policies to prevent social engineering attacks like this one is a must in any company holding sensitive information. Do not let this one isolated incident taint your decision-making. There have not been any other breaches reported since this incident and none before.

Google Drive Compromises

There have been no major Google Drive compromises to date. A user reported on Google’s support forum that he received a legitimate email from Google saying there was an “unauthorized attempt to login” to his account from Shanghai. Another user reported the same problem in the thread.[23] Luckily, the hackers were not able to access either of these accounts, but what would happen if they were to get in?

Google states in their Terms of Service that “Anything that has been permanently deleted from Google Drive by the owner, or if the owner's account was deleted, can't be recovered. It’s also not possible to recover anything in Google Drive after a Google Apps domain administrator deletes someone's account.”[24] This means that in the event your Google Drive is compromised and wiped, there is nothing you can do to get your files back.

Google Drive seems like the safest choice on the surface but you risk losing everything you have ever backed up onto your account if there is a breach.



19 (Kerr, Apple Responds to Journalist's iCloud Attack)

20 (Manjoo)

21 (Rose)

22 (Apple, Inc.)

23 (Google Support Forum)

24 (Google, Inc)



Security of Data Transfers

Transfer is the only time that your files are out of both your and your provider’s hands. If not encrypted, your data can be captured and read or modified during transfer using a man-in-the-middle (MitM) attack.[25] Most cloud services use Secure Sockets Layer (SSL) for safer file transfer.[26] Do not choose a service without a valid SSL certificate.[27] You can encrypt files yourself before you upload them to your storage device, but encrypted transfer is one step safer and practical. There are a few different ways to upload your data depending on your provider.


FTP


FTP, or File Transfer Protocol, had its first standard in 1971, prior to TCP/IP’s existence. “FTP has traditionally used clear text passwords.”[28] This means that your login information can be read by anyone running a MitM attack between you and your provider’s server; even if your data is encrypted, your credentials can still be compromised.[28] Alternatively, there is SFTP, which uses a secure shell to encrypt your credentials when logging in.


SSL


“SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser.”[29] This means that if your cloud storage service’s website has a valid SSL certificate, any information sent from your browser to the server and vice versa is encrypted.[29] A vulnerability in SSL that allowed hackers to strip the encryption has been fixed, but many service providers have yet to update their versions of SSL.[30] Be sure to check the encryption offered by a service before subscribing.
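One way to carry out the check advised above, shown as an added example that is not part of the original paper: it connects to a provider's HTTPS endpoint with certificate and hostname verification enabled, then reports what was negotiated. The function names `assess` and `check`, the 30-day expiry threshold and the cipher tag list are choices made for this example; the host is whatever provider you pass on the command line.

```python
import socket
import ssl
import sys
import time

# Protocol versions older than TLS 1.2. The CBC weakness behind the BEAST
# attack (the paper's reference 30) applies to TLS 1.0 and earlier.
OUTDATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
BEAST_ERA = {"SSLv2", "SSLv3", "TLSv1"}
# Substrings of OpenSSL cipher names that mark broken or export-grade suites.
WEAK_CIPHER_TAGS = ("RC4", "DES", "NULL", "EXP", "MD5")


def assess(version, cipher_name, days_left, warn_days=30):
    """Return a list of findings for one negotiated connection."""
    findings = []
    name = cipher_name.upper()
    if version in OUTDATED:
        findings.append(f"outdated protocol {version}")
    if any(tag in name for tag in WEAK_CIPHER_TAGS):
        findings.append(f"weak cipher {cipher_name}")
    # In these versions every suite that is not RC4 or NULL is a CBC block cipher.
    if version in BEAST_ERA and "RC4" not in name and "NULL" not in name:
        findings.append(f"CBC cipher {cipher_name} on {version} is exposed to BEAST")
    if days_left < warn_days:
        findings.append(f"certificate expires in {days_left} days")
    return findings


def check(host, port=443, timeout=5.0):
    """Connect to host and return findings; an empty list means nothing was flagged."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                version = tls.version()
                cipher_name = tls.cipher()[0]
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # Expired, self-signed, or issued for another name: not a valid certificate.
        return [f"certificate rejected: {exc.verify_message}"]
    except ssl.SSLError as exc:
        # Typical when the server only offers versions this client refuses to speak.
        return [f"TLS handshake failed: {exc.reason}"]
    days_left = int((ssl.cert_time_to_seconds(not_after) - time.time()) // 86400)
    return assess(version, cipher_name, days_left)


if __name__ == "__main__" and len(sys.argv) > 1:
    results = check(sys.argv[1])
    print("\n".join(results) if results else "no findings")
```

Network errors such as timeouts are left to propagate, since they say nothing about the provider's encryption.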


Encryption in Storage

“As innovators like Apple and Microsoft, Google and Amazon, turn their customers on to the benefits of storing in the cloud, the importance of data encryption steps to the forefront.”31 You can back up any legal file you would like to your cloud storage including tax forms, utility bills, pay stubs, ebill receipts and medical records. These are files you do not want getting out as they may contain sensitive information like credit card numbers, social security numbers, addresses, phone numbers, email addresses which can all be used for identity theft.

25 (Peterson and Reiher)

26 (Kabay and Legendre)

27 (Jefferies)

28 (Process Software)

29 (SSL)

30 (Kumar)

31 (Top 10 Cloud Storage)

Many cloud storage providers have built-in storage encryption for no extra charge.[26] You can also encrypt your files yourself or use an additional cloud storage encryption service such as Box Cryptor for additional security.[32] SSL tunnels only encrypt your data during the transfer to your cloud storage server, so your data will be readable by anyone who compromises your account if there is no encryption during storage.
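Encrypting a file yourself before upload can look like the following added example, which is not from the paper or from any provider's client. It assumes the third-party Python `cryptography` package; the `CSE1` container layout, the function names and the scrypt parameters are constructed for illustration.

```python
import hashlib
import os
import sys

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"CSE1"  # constructed format tag for this example, not a real standard
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 12, 16
HEADER_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN


def derive_key(passphrase, salt):
    """Stretch the passphrase into a 256-bit key with scrypt (about 16 MiB of RAM)."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)


def seal(plaintext, passphrase, name):
    """Encrypt bytes for upload; the provider only ever sees the returned blob."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    header = MAGIC + salt + nonce
    # The header and file name are authenticated but not encrypted, so a blob
    # stored under one name cannot be swapped in for another.
    aad = header + name.encode("utf-8")
    return header + AESGCM(derive_key(passphrase, salt)).encrypt(nonce, plaintext, aad)


def open_sealed(blob, passphrase, name):
    """Decrypt a downloaded blob, refusing anything that fails authentication."""
    if len(blob) < HEADER_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a sealed file")
    header, body = blob[:HEADER_LEN], blob[HEADER_LEN:]
    salt = header[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = header[len(MAGIC) + SALT_LEN:]
    aad = header + name.encode("utf-8")
    try:
        return AESGCM(derive_key(passphrase, salt)).decrypt(nonce, body, aad)
    except InvalidTag:
        raise ValueError("wrong passphrase, wrong name, or modified data") from None


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: script.py <file> <passphrase>; writes <file>.sealed next to the input.
    path, secret = sys.argv[1], sys.argv[2]
    with open(path, "rb") as src:
        sealed = seal(src.read(), secret, os.path.basename(path))
    with open(path + ".sealed", "wb") as dst:
        dst.write(sealed)
```

Because the key never leaves your machine, an attacker who compromises the account gets only the sealed blob, and any change made to it in transit or in storage is detected on decryption.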


Cloud Storage and the U.S. Government

The U.S. government has even started using the cloud. In June 2012, the U.S. General Services Administration launched an “Effort to Transition Federal Government to Cloud Computing”.[33] Before this announcement, the General Services Administration had already accomplished two things:

“1. First to Move Email to the Cloud:

Last year, GSA was the first federal agency to move to a cloud based email system, which has saved $2 million dollars in costs so far. In addition, email system operating costs are expected to see additional 50 percent in savings with an estimated $15 million in savings over five years.

2. Working to Standardize Security of Cloud Services:

FedRAMP is an initiative to standardize security assessments of cloud products and services. By addressing one of the key barriers to cloud adoption, this program will accelerate adoption by federal agencies. It will allow agencies to share authorizations, saving time and money otherwise spent on duplicative security reviews.”[33]

During the next year they are:

“3. Working on Blanket Purchase Agreements for the Federal Government:

Everything agencies need to move to the cloud is available right now through GSA. The products currently available from GSA include data storage, virtual machines, and web hosting. GSA is working to provide more cloud services to federal agencies, including email services.”[33]



32 (Box Cryptor)

33 (General Services Administration)




Synoptic Table of Cloud Services

| Service | Features | Plans | Storage | Price | Backup schedule | Encryption | Platforms |
|---|---|---|---|---|---|---|---|
| ADrive | Files, sharing | Personal, Business, Adrive Enterprise | 50 GB - 10 TB - unlimited | free - $7/mo - $16/mo | Manual | SSL transfer for paid services | PCs, Mac, Unix |
| BACKBLAZE | System, versions, locate stolen computer | 1 | unlimited | $5/mo | Continuous, scheduled, or manual | encrypted on client; user-added key | Windows, Mac |
| BackupGenie | Automated backup, versions, sharing | 3 | 75 GB, 250 GB, unlimited | $5/mo, $7/mo, $10/mo | daily | SSL transfer, 256bit AES storage | Windows, Mac, iPad, iPhone |
| BackupandShare | Automated backup, versions, sharing | Individual, Business | 10 GB, unlimited | free, $50/mo, $150/mo | daily or manual | SSL transfer | Windows, Mac, iPad, iPhone, Android, Windows Mobile |
| backupify (Google Apps) | backup, restore, search | Professional, Enterprise, Enterprise + | unlimited | $3/user-mo, $4/user-mo, $990/domain-mo | daily or manual | SSL transfer, storage | Google Apps domains |
| backupify (Salesforce) | backup, restore, search, export | Professional, Enterprise, Unlimited Salesforce | 1 GB/user | $50/mo for 10 users base + $5/user-mo additional | daily or manual | SSL transfer, storage | Salesforce CRM software |
| backupify (Personal Apps) | backup, restore | MyCloud Personal, 100 & 500 | 1 GB, 10 GB, 50 GB | free, $5/mo, $20/mo | weekly, nightly | SSL transfer, storage | Facebook, Twitter, Gmail, Google Drive, Google Calendar, Google Sites, Google Contacts, Flickr, Picasa, LinkedIn, Blogger, Zoho |
| Barracuda | backup appliance, cloud, private cloud, revisions history, restore | Models 190, 390, 490, 690, 890, 990, 1090 | from 500GB to 80 TB | from $1,000 to $135,000 | total control | SSL transfer, storage | Windows |
| Box Backup | open-source software | n/a | n/a -- do-it-yourself | free | total control | SSL transfer, storage | UNIX, Windows |
| Carbonite | backup, restore | Home, HomePlus, HomePremier, Business, BusinessPremier | unlimited, 250 GB, 500 GB | $60/year through $600/yr | continuous or scheduled | SSL, Blowfish storage; user-added key | Windows, Mac |
| CRASHPLAN | backup, restore, versions, multiple storage sites | CRASHPLAN, CRASHPLAN+, CRASHPLANPRO, CRASHPLANPROe | unlimited | free through $25/yr; also perpetual licenses -- e.g., $3,000 for 50 users + annual support | daily | encrypted on client; user-added key | Windows, Mac, Linux, Solaris |
| Dropbox | sharing, backups, restore, two factor authorization | Free, Pro, Teams | 2 GB up to 1 TB | free through $63,000 for 500 users | continuous | by client | Windows, Mac, Linux, iPad, iPhone, Android and BlackBerry |
| Druva | sharing, backups, restore, data analytics, remote deactivation | Professional, Enterprise, Unlimited | 15 GB/user up to 100 GB/user | $6/user-mo up | scheduled | SSL transfer, 256bit AES storage | Windows, Mac, Linux, iPad, iPhone, Android and BlackBerry |
| egnyte | local cloud, file server, file sharing, file transfer/FTP, remote file access, mobile apps, third party integration | Group, Office, Business, Enterprise | 150 GB up to 3 TB | $24.99/month - $129.99/month. Enterprise: $12.99/employee/month | continuous or scheduled | SSL transfer, 256bit AES encryption in transit and at rest | PC, Mac, iOS, Android, Windows Mobile, WebOS |
| Elephantdrive | web access, secure sharing/sending | Free, Personal, Business | 2 GB up to 2 TB | Free - $169.95/month, Variation in Business Tier | Automated | 256bit AES encryption, optional personal key encryption | PC, Mac, Android (Beta), NAS |
| Google Drive | web access, OS integration | Free, 25 GB, 100 GB, Personalized Plan | 5 GB up to 16 TB | Free - $799.99/month | N/A | SSL transfer | PC, Mac, Android, iOS |
| IBackup | API for 3rd party developers | n/a | 10 GB up to 300 GB | $9.95/month - $299.95/month | N/A | SSL transfer, 256-bit AES encryption | PC, Mac, Linux, Android, iOS |
| iCloud | iTunes, Photo Stream, Documents, Safari, Calendar, Contacts, Mail, Apps, iBooks, Backup, Restore, Find my iPhone, Find my Friends | n/a | 5 GB up to 55 GB | Free - $100/year | Automatic | SSL transfer, 128-bit AES encryption | Mac, iOS |
| Jungle Disk | web access | Personal, Business | Unlimited | $2/month - $5/month + $0.15/GB | Automatic | AES-256 encryption | PC, Mac, iOS |
| Justcloud | sync multiple computers, web access, file sharing, mobile access | n/a | Unlimited | n/a | Automatic | 265 Bit Encryption | PC, Mac, iOS, Android, Blackberry |
| Keepit | backup history, restore from backup, replicated backups | Home Plan, Business Plan | Unlimited | £4.95/month - $49.00/month | Automatic | 256-bit Rijndael encryption | PC, Mac, Linux |
| livedrive | Reseller options | Backup, Briefcase, Pro Suite, Business | Unlimited, 2 TB, 10TB+ | $7.95/month - $159.95/month | Automatic | "256-bit military grade encryption" | PC, Mac, Android, iOS |
| Microsoft SkyDrive | remote access, version tracking, online slide shows | n/a | 7 GB up to 107 GB | Free - $50.00/year | Automatic | SSL transfer | PC, Mac, Windows Phone, Android, iOS |
| mimedia | access media on demand, music, photo, and video streaming | Free, Premium | 7 GB up to 100 GB | Free - $4.99/month | Automatic | SSL transfer, NSA level 256-bit encryption | PC, Mac, iOS, Android |
| Mozy | local backup service, bandwidth throttling, web based and DVD restore, server support, custom domain, custom install | Home, Pro, Enterprise | 50 GB - 1 TB | $5.99/month/computer - $379.99/month/computer | Automatic | SSL transfer, 256-bit AES encryption | Mac, PC, iOS, Android |
| MyOtherDrive | collaboration, secure links, DDL for your files, USB drive backup | Free, Pro, Enterprise | 2 GB - 10 TB | Free - $2,400/year | Automatic | SSL transfer, AES 128-bit | PC, Mac |
| myPCBackup | multiple computer sync, web access, free trial, file versioning | n/a | unlimited | Pay-as-you-go | Automatic | SSL transfer | PC, Mac, iOS, Android, Blackberry |
| OpenDrive | file sync, web access | Personal, Business | 5 GB - 1 TB | Free - $25/month (custom plan available) | Manual | SSL transfer, custom encryption | PC, Mac, iOS, Android |
| PennyBackup | fast backups, free software, data recovery | n/a | unlimited | $0.089/GB | Manual | 256-bit AES encryption | PC |
| S3 | Encryption client, versioning | Free, Paid | 5 GB - Unlimited | Free - Pay as you go | Manual | SSL transfer, server side encryption | n/a |
| SOS Online Backup | Mobile backup | Home, Business | 5 GB - 2 TB | $79.99/year - $7,490.00/year | Manual | military-grade encryption | PC, Mac, NAS, iOS, Android |
| SugarSync | Sync multiple devices, mobile apps, remote access, outlook integration, versioning | n/a | 5 GB - Custom | Free - Custom | Manual | SSL transfer, 128-bit AES server side encryption | PC, Mac, iOS, Android, Kindle, Symbian |
| Zip cloud | Sync multiple computers, web access | Personal, Business, Partner | 75 GB - 5 TB | $4.95/month - $791.20/month | Automated | 256bit SSL encryption | PC, Mac, iOS, Android, Blackberry |


Concluding Remarks

Cloud storage is the future of storing digital data and early adopters will definitely benefit in the long run.[34] However, you must make sure your data is well protected. Above is a chart that Dr. M. E. Kabay and I have put together for you to take a look at and see which service fits your needs the best. While it is easier to not deal with encryption, the risk is not worth the ease.



34 (Maltais 2012)




Works Cited


Apple, Inc. “Find my iPhone, iPad, and Mac.” (2012-11-13) http://www.apple.com/icloud/features/find-my-iphone.html

Bott, Ed. “Why I Switched from DropBox to Windows Live Mesh.” ZDnet (2011-04-07) http://www.zdnet.com/blog/bott/why-i-switched-from-dropbox-to-windows-live-mesh/3512

Box Cryptor. 16 November 2012 https://www.boxcryptor.com/

Clancy, Heather. “Cloud storage and backup: Is it safe?” (2012-02-20). http://www.zdnet.com/debate/cloud-storage-and-backup-is-it-safe/10086847/

Constine, Josh. “Dropbox Is Now The Data Fabric Tying Together Devices For 100M Registered Users Who Save 1B Files A Day.” TechCrunch (2012-11-13). http://techcrunch.com/2012/11/13/dropbox-100-million/

Crook, Jordan. “Google Drive Now Has 10 Million Users: Available On iOS and Chrome OS.” TechCrunch (2012-06-28). http://techcrunch.com/2012/06/28/google-drive-now-has-10-million-users-available-on-ios-and-chrome-os-offline-editing-in-docs/

CSGNetwork. CSGNetwork. http://www.csgnetwork.com/bandwidth.html

DropBox, Inc. “About DropBox.” DropBox, Inc. https://www.dropbox.com/about

Ferdowsi, Arash. “Yesterday's Authentication Bug.” (2011-06-20). https://blog.dropbox.com/?p=821

Freedman, A. Computer Desktop Encyclopedia. http://www.computerlanguage.com/

General Services Administration. “GSA Launches Effort to Transition Federal Government to Cloud Computing.” (2012-06-06). http://www.gsa.gov/portal/content/136575

Google Support Forum. “Google password hacked from China - anybody had similar issues after installing Google Drive?” (2012-09-19). https://productforums.google.com/forum/?fromgroups=#!topic/drive/4-_Hvz20mBY

Google, Inc. “File deletion and recovery policy.” http://support.google.com/drive/bin/answer.py?hl=en&answer=2405957

Honan, Mat. “How Apple and Amazon Security Flaws Led to My Epic Hacking.” Wired (2012-08-06). http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

Jefferies, Charles P. “Google Drive vs. Dropbox: Ranking the Top 6 File Sync Services” Backupify (2012-05-17). http://blog.backupify.com/2012/05/17/ranking-the-top-online-file-sync-services/

Kerr, Dara. “Apple Responds to Journalist's iCloud Attack.” C|net (2012-06-08). http://news.cnet.com/8301-1009_3-57487873-83/apple-responds-to-journalists-icloud-hack/

Kerr, D. “Dropbox Confirms it was Hacked, Offers Users Help.” C|net (2012-7-31). http://news.cnet.com/8301-1009_3-57483998-83/dropbox-confirms-it-was-hacked-offers-users-help/

Krossman, Rachel. “Users report cloud storage security concerns in surveys.” TechTarget | SearchCloudStorage (2011-11-21). http://searchcloudstorage.techtarget.com/news/2240111421/Users-report-cloud-storage-security-concerns-in-surveys-more-news

Kumar, Mohit. “90% SSL sites vulnerable to the BEAST SSL attack.” The Hacker News (2012-04-09). http://thehackernews.com/2012/04/90-ssl-sites-vulnerable-to-beast-ssl.html

Lardinois, Frederic. “Apple’s iCloud Now Has Over 190M Users, Up From 150M Last Quarter And Seeing Steady Growth.” TechCrunch (2012-10-25). http://techcrunch.com/2012/10/25/apples-icloud-now-has-190-million-users/

Maltais, Michelle. “Future of Computing: The tablet and cloud will be king report says.” Los Angeles Times (2012-04-23). http://articles.latimes.com/2012/apr/23/business/la-fi-tn-tablets-forrester-report-20120423

Manjoo, Farhad. “How not to get Hacked: The four things you need to do right now to avoid the fate of tech writer Mat Honan.” (2012-07-08). http://www.slate.com/articles/technology/technology/2012/08/mat_honan_the_four_things_you_need_to_do_right_now_to_avoid_getting_hacked_.html

Mohamed, Arif. “A History of Cloud Computing: Cloud computing has evolved through a number of phases which include grid and utility computing, application service provision (ASP), and Software as a Service (SaaS).” ComputerWeekly (2012-11-13). http://www.computerweekly.com/feature/A-history-of-cloud-computing

National Science Foundation. “The Sociodemographics of Access and Adoption.” (2012-11-13). http://www.nsf.gov/statistics/nsf01313/socio.htm

Peterson, Peter A. H. and Peter Reiher. “CS448. Lab 3: Network Attacks.” (2011. 15 11). http://mathcs.slu.edu/~chambers/spring11/security/assignments/lab04.html

Process Software. "A Comparison of Secure File Transfer Mechanisms." (2008-04-03). http://www.process.com/tcpip/sft.pdf

Rhea, Sean, et al. “Maintenance-Free Global Data Storage.” IEEE Internet Computing, (Sep-Oct 2001). http://www.oceanstore.org/publications/papers/pdf/ieeeic.pdf

Rose, Michael. “Hacked iCloud Password Leads to Nightmare.” TUAW (2012-08-04). http://www.tuaw.com/2012/08/04/hacked-icloud-password-leads-to-nightmare/

Schwartzberg, David. “Cloud Storage Data Risks and Encryption.” nakedsecurity (2012-08-03). http://nakedsecurity.sophos.com/2012/03/08/cloud-storage-data-risks-and-encryption/

SSL. “What is SSL?” http://info.ssl.com/article.aspx?id=10241

Top 10 Cloud Storage. “The Importance of Data Encryption in Cloud Storage.” (2012-11-16). http://www.top-10-cloud-storage.com/the-importance-of-data-encryption-in-cloud-storage/

Ying, Jon. “DropBox Around the World!” (2012-11-13). https://blog.dropbox.com/?p=339

Zelman, Josh. “How DropBox got its First 10 million Users.” TechCrunch (2011-11-01). http://techcrunch.com/2011/11/01/founder-storie-how-dropbox-got-its-first-10-million-users/


