Imperva demos cloudy man-in-the-middle attack

Dropbox, OneDrive, Google Drive, and Box can be raided via a man-in-the-middle attack, without an attacker needing access to users' plaintext credentials, according to security bods at Imperva. Instead, in this paper [PDF] presented to BlackHat, the company's Application Defense Center says users' local sync folders serve just …

  1. P. Lee

    >The researchers say the best way to deal with the attack is for users to not use cloud, not load things people of dubious origin send them and not think technology can solve the problem of ignorance and stupidity.

    There, FTFY.

    If you rely on changing file names for security, you're doing it wrong. If you've got a trojan executed, it's game over no matter what you deploy. As far as Word macros go, doesn't your AV pick that up on file access?

    You want to buy Imperva kit? How much is your addiction to dumb formats costing you? Not that I'm suggesting that this is an MS-only problem, far from it. However, a culture of focussing on data processing rather than data presentation might make less "sophisticated" formats acceptable.

  2. John Robson Silver badge

    Sorry - let me get this straight...

    If the attacker has access to your machine - then why don't they just look in the synced directories?

    1. TReko Silver badge
      FAIL

      Re: Sorry - let me get this straight...

      Good point. Why not just steal the data locally? I don't know if you can use the token for other things, say using a Google Drive token to access GMail.

      Anyway, this is sloppy program design - the sync apps should encrypt the token locally using the machine ID, so they can't so easily be switched.

      End-to-end encryption of the data is also a good idea, so data is encrypted at rest on the cloud. Truecrypt does this nicely for Dropbox and Syncdocs encrypts Google Drive.
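
The machine-binding idea raised in the comment above, as an added example that is not part of the thread or of any sync client's code. It narrows the suggestion to an integrity tag keyed from the machine ID rather than encryption, because Python's standard library has no authenticated cipher; the record layout, function names and machine-ID strings are assumptions.

```python
import hashlib
import hmac
import json


def derive_key(machine_id: str, salt: bytes) -> bytes:
    # Assumption: machine_id is a stable identifier the client reads from the OS.
    # PBKDF2 stretches it so the key is not the raw identifier.
    return hashlib.pbkdf2_hmac("sha256", machine_id.encode(), salt, 100_000)


def seal_token(token: str, machine_id: str, salt: bytes) -> str:
    """Return a JSON record holding the token and a tag bound to this machine."""
    key = derive_key(machine_id, salt)
    tag = hmac.new(key, token.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"salt": salt.hex(), "token": token, "tag": tag})


def open_token(record: str, machine_id: str):
    """Return the token if the record was sealed for this machine, else None."""
    try:
        data = json.loads(record)
        salt = bytes.fromhex(data["salt"])
        token, tag = data["token"], data["tag"]
    except (ValueError, KeyError, TypeError):
        return None  # malformed or truncated record
    if not isinstance(token, str) or not isinstance(tag, str):
        return None
    key = derive_key(machine_id, salt)
    expected = hmac.new(key, token.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes; a mismatch means the record was
    # sealed elsewhere or edited after sealing.
    if hmac.compare_digest(expected.encode(), tag.encode("utf-8", "replace")):
        return token
    return None


if __name__ == "__main__":
    salt = bytes(16)  # constructed sample; a real client would use os.urandom(16)
    local = seal_token("constructed-token-A", "machine-1", salt)
    foreign = seal_token("constructed-token-B", "machine-2", salt)
    print("local record accepted:", open_token(local, "machine-1") is not None)
    print("foreign record accepted:", open_token(foreign, "machine-1") is not None)
```

A machine identifier is readable by anything running on the host, so this check only rejects a record prepared for a different machine; clients that need secrecy keep the key in an OS-protected store such as DPAPI or Keychain.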
