Firms must relook what, how they share online
Organizations that tap or are looking to utilize file-hosting sites to share documents with business associates should be wary of the type of content they put online and judicious of data protection policies of such cloud providers.
While file-hosting sites are useful to enable the sharing of files that cannot be sent via e-mail due to limits on mail servers, users and companies need to exercise diligence, said Ronnie Ng, systems engineering manager at Symantec Singapore.
Confidential corporate data should be sent via an alternative channel such as FTP (File Transfer Protocol), he noted in an e-mail. To further improve security, encryption and password protection can be considered, Ng added.
His advice follows the release of a study of 88 file-hosting sites by a group of academic researchers, which disclosed that many such sites generate uniform resource identifiers (URIs) in a predictable fashion. These identifiers are the secret unique links used by the owner of a document to share a file. The study findings were made public at the 4th Usenix Workshop on Large-scale Exploits and Emergent Threats earlier this year.
The five researchers from Belgium and France claimed that in less than a month, they were able to disclose hundreds of thousands of private files. At the same time, by uploading some test "honey files" to a number of these sites, they also found that attackers were actively accessing private data.
Symantec's Ng cautioned that, given the risks highlighted in the report, the use of file-sharing sites can lead to the loss, misuse or theft of company data. Organizations that do make use of such cloud services need to understand that ownership of data privacy and security is shared between service provider and the organization, he added.
"It is an organization's responsibility to ensure the service provider's data privacy policies are either aligned or strengthened to ensure compliance," he said.
He added that organizations should, among other best practices, clearly outline what type of information is sensitive or proprietary in their data protection policy for the cloud, as well as have tools and procedures for classifying corporate information.
They should also formally train employees on mitigating security risks prior to deploying cloud technology, and evaluate the security posture of third-party providers, he said.
Ng said: "The success of leveraging cloud services hinges on the trust and confidence that can only occur when the information security teams have better visibility into the security posture and operations of these file-hosting sites."
At the end of the day, any form of information exchange on the Web, including through file-hosting services, can and will be susceptible to cyberthreats, he cautioned. "Security today is not just about putting up higher walls around information or locking down the use of cloud services within the enterprise network.
"Instead, it is about putting in place solutions that inspire trust and confidence, and enabling users to take advantage of emerging trends that benefit their business," said Ng.
Over at NCS, the sharing of company information or documents via public file-hosting services is not permitted and such sites may be blocked via the corporate proxy, a spokesperson shared in an e-mail to ZDNet Asia.
However, some project teams are sometimes permitted limited access when clients use such services to exchange documents with NCS, he added. To that end, the company ensures the documents are encrypted prior to being uploaded onto the Web, he said.
Sites unmoved by call for greater security
As it is, file-hosting sites do not appear to be too concerned with the use of predictable file URLs.
Nick Nikiforakis, one of the authors of the report, told ZDNet Asia that the team had contacted 20 file-hosting sites regarding the insecure manner of URI generation, but only received three replies.
Of the providers which responded, one proceeded to make changes while another changed the terms of service of its site to state that the user's "files are not guaranteed to be private", Nikiforakis said in an e-mail. Pointing to the latter's action as the worst, he said: "[It's] quite hypocritical since the majority of users do not read the terms of service, let alone every time they…use a service."
A third provider, he added, lamented that making changes to generate more secure URIs would "negatively affect" the performance of the site and did not implement any, despite the researchers' offer of alternatives to increase security without impacting service performance.
RapidShare, which was one of the 88 services studied by the researchers, decided to step up its security "following some misconceptions after the publication of the study", according to its spokesperson, Daniel Raimer.
In an e-mail, he told ZDNet Asia that one of the two components of RapidShare file URIs, which is a nine-digit file ID, now involves a random combination of numbers, compared to its previous sequential format. Other than the file ID, the URI is also made up of a filename chosen by the uploader, said Raimer, who is also the Swiss company's lawyer.
He added that RapidShare's commercial customers often use RapidShare to share larger documents including presentations, which are too big for most e-mail providers.
"Some companies, for example, have used RapidShare to store their accounting data," Raimer noted. "We have never had any complaints about files being accessed by unauthorized third parties."
Paul Massie, senior director of operations and IT at YouSendIt, labeled the results of the study as "interesting". He pointed out in an e-mail that the site has been using "randomly-generated long URLs, which significantly lowers the probability that someone can derive the URL".
YouSendIt, according to Nikiforakis, was not included in the study.