State of Online Private Content Security
After the release of nude celebrity photos of Jennifer Lawrence and Kate Upton from their iCloud account (or wherever the perpetrators sourced it from) it became publicly evident that the so called personal privacy is literally nonexistent. If not that then a knowledgeable peek into the Hidden Web and a quick browse across the most famous hidden web porn site will reveal a nasty surprise of associating Facebook profiles and the respective hacked phone photos and other contents. The hack is so detailed it reveals insane in-depth information of the phone and its user such as following:
On one hand there are hackers who have limitless knowledge and power of hacking into any device possible and on the other there are government agencies who can mend and bend the laws and use it to perpetrate into your private digital enclave.
That doesn’t call us to“live in fear” but to “live in awareness.”
Dropbox, Google Drive and all other popular cloud service or file storage service do not provide security of the content but provide for security of your online communications with their server. What this means is that an image that you uploaded exists in image format on their servers. If someone gains access to their servers they can view the image in plain site. The possible people bearing that power includes surprisingly many people. First the cloud service company itself reserves the rights to look into the cloud for security and piracy concerns. MPAA and other hollywood production houses and lobbies can file a DMCA and gain access to the content which is fairly easy as the DMCA is an ancient law and easily exploited for that purpose. Not to mention NSA and hackers who can gain access based on their power respectively.
A possible solution or circumvent would be a service called MEGA.co.nz by the notorious New Zealand entrepreneur Kim Dotcom.
It boasts of client side end-to-end encrypting of the uploaded content and uses 2048 bit AES encryption which is believed to be very good but to limited avail. A curious google search regarding security concerns with MEGA website leads to popular developer discussion forum StackExchange where a reputed security expert reflects severe doubts in the security of the service. This is again fortified by a similarly dated article which exposes the details of technical flaws.
Steve “Sc00bz” Thomas, the researcher who uncovered the weakness, has released a program called MegaCracker that can extract passwords from the link contained in confirmation e-mails. Mega e-mails a link to all new users and requires that they click on it before they can use the cloud-based storage system, which boasts a long roster of encryption and security protections. Security professionals have long considered it taboo to send passwords in either plaintext or as cryptographic hashes in e-mails because of the ease attackers have in intercepting unencrypted messages sent over Internet.
Despite that admonishment, the link included in Mega confirmation e-mails contains not only a hash of the password, but it also includes other sensitive data, such as the encrypted master key used to decrypt the files stored in the account. MegaCracker works by isolating the AES-hashed password embedded in the link and attempting to guess the plaintext that was used to generate it.
However there is light at the end of the tunnel as MEGA and other cloud security services adopt giving out massive bounties for people who find security holes and report in exchage for money. ARSTechnica depicts some of the bounty paid by MEGA and the vulnerabilities revealed. The bug bounty programs are yet a walk on a rope where it’d only take a genius hacker to slip in his moral and chose the dark side to exploit the bug to invade someone’s privacy, like of Jennifer Lawrence’s.
