20th Anniversary of VAWA: "...the decency of the A... » JB...advancing Bidenism with respect to womenfolks Watch the Video: www.youtube.com/embed/HpL-A6Z... Lord-Lieutenant of Hampshire presents Sonardyne wi... » Lord-Lieutenant of Hampshire presents Sonardyne with Queen’s Award for 6G Sonardyne International L... Rehousing TYphoon Aircraft of Number 1 (Fighter) ... » The Rt Hon Michael Fallon MP, UK Secretary of State for Defence The Typhoon aircraft of Number 1(Fi... Peplink signs distribution agreement with 4Gon » Wireless connectivity innovator and specialist wireless technology distributor form partnership UK:... Independent Scotland: Naked and Alone as UK Counte... » In the great debate on Scottish independence, little has been said by either side as to how a ‘yes’ ... Foundry in Nigeria: Investment Opportunities, Chal... » Introduction For the interest of the uninitiated and to further appreciate the subject, a definitio... ExtraHop unveils healthcare edition combining re... » SEATTLE, WA: ExtraHop Networks has announced the ExtraHop Healthcare Edition, the first and only IT ... Openwave Mobility wins seven customers in seven mo... » Operators in North America, Europe and APAC turn to Openwave Mobility to improve peak RAN capacity b... Pulsant announces expansion of largest commercia... » Reading, UK: Pulsant has announced the expansion of its well-established South Gyle tier 3 data cent... SeSys delivers 500th ATEX certified digital IP C... » UK: MOBOTIX AG has announced that SeSys, an Advanced Partner has shipped its 500th ATEX / IECEx digi...

CLICK HERE TO

Advertise with Vigilance

Got News?

Got news for Vigilance?

Have you got news/articles for us? We welcome news stories and articles from security experts, intelligence analysts, industry players, security correspondents in the main stream media and our numerous readers across the globe.

READ MORE

Subscribe to Vigilance Weekly

Information Security Header

London: Commenting on Kim Dotcom’s offer of a 10,000 euro bounty on the first person to crack his new Mega file storage and sharing service, Venafi says the bounty is likely to be collected, as the encryption keys are stored along with the users’ files on the system.

According to Calum MacLeod, EMEA Director with the Enterprise Key and Certificate Management (EKCM) experts, this means that anyone gaining access to a user’s ID and password will gain access to their encryption key as well, dramatically increasing the compromise likelihood.

“This bizarre, and quite frankly, less secure approach to encryption seems to be in place solely to protect Mr Dotcom from prosecution, on the basis that he and his staff cannot have any knowledge of the data that is being stored on their cloud computing servers,” he said.

“While this is perhaps understandable given the fact that Mr Dotcom was arrested in New Zealand 12 months ago in connection with copyright infringement surrounding his original MegaUpload file storage and sharing service, the lack of security surrounding the encryption keys leaves the system vulnerable,” he added. The encryption keys are the figurative keys to the kingdom, and the attackers can wreak havoc with unfettered access to data and systems with the keys in hand.

The Venafi EMEA Director went on to say that Mr Dotcom’s offer of a bounty to successful crackers of his new system is good publicity, but a more practical governance approach would have been to stage a private launch of Mega, inviting cryptographers to use - and abuse - the system, and then offer up their recommendations in return for a lifetime paid-for subscription.

The problem with Mega, MacLeod explained, is that the user’s password has the double burden of supporting account authentication - without disclosing that password to Mega’s servers – as well as outer level data encryption.

The outer level key, he says, is derived from the user’s password using a key derivation approach, generating a master key for symmetric AES encryption – all data from that point on is encrypted to the master key or its subsets.

When the user logs into the Mega service, he adds, their email address and user hash data is used to authenticate them, with Mega’s servers returning the user’s master key, as well as a session identifier.

This approach, says MacLeod, is a weak security system as obtaining the master key is based on a simple token system that can be replayed, rather than the more usual secure challenge/response technology seen on commercial services.

“This weakness could be exploited through the use of a timing vulnerability when the server compares the user’s hash data, allowing a hacker to progressively learn how to access the system using multiple attempts. We fully expect this methodology to be exploited by would-be crackers wanting to collect the 10,000 euro bounty,” he said.

In the end, it’s critical that the encryption keys that secure the data and authenticate systems and applications are properly controlled and managed. The admins who create and issue the keys should not be the same as the admins and app owners who use the same keys to encrypt, decrypt and access the data