To prevent our attacks cloud storage operators should employ data possession proofs on clients, a technique which has been recently discussed only in the context of assessing trust in cloud storage operators.
We conclude by discussing security improvements for modern online storage services in general, and Dropbox in particular. Furthermore Dropbox can be exploited to hide files in the cloud with unlimited storage capacity. Based on our results we show that Dropbox is used to store copyright-protected files from a popular filesharing network.
#SLACK DOWNLOAD WINDOWS 8 SOFTWARE#
We analyze the Dropbox client software as well as its transmission protocol, show weaknesses and outline possible attack vectors against users. Within this paper we give an overview of existing file storage services and examine Dropbox, an advanced file storage solution, in depth. While several of these services provide basic functionality such as uploading and retrieving files by a specific user, more advanced services offer features such as shared folders, real-time collaboration, minimization of data transfers or unlimited storage space. The Amazon Web Services Security Team has acknowledged our findings, and has already taken steps to properly address all the security risks we present in this paper.ĭuring the past few years, a vast number of online file storage services have been introduced. Our findings demonstrate that both the users and the providers of public AMIs may be vulnerable to security risks such as unauthorized access, malware infections, and loss of sensitive information. We describe the design and implementation of an automated system that we used to instantiate and analyze the security of public AMIs on the Amazon EC2 platform, and provide detailed descriptions of the security tests that we performed on each image. In particular, we investigate in detail the security problems of public images that are available on the Amazon EC2 service. This paper explores the general security risks associated with using virtual server images from the public catalogs of cloud service providers. Servers can be quickly launched and shut down via application programming interfaces, offering the user a greater flexibility compared to traditional server rooms. Today, if an organization needs computing power, it can simply buy it online by instantiating a virtual server image on the cloud. We validate PCaaD on widely used PLCs through its practical application.Ĭloud services such as Amazon's Elastic Compute Cloud and IBM's SmartCloud are quickly changing the way organizations are dealing with IT infrastructures and are providing online services. This leads to the targeted exfiltration of operational data, manipulation of control-logic behavior, and establishment of covert command and control channels through unused memory. To support this, we propose the concept of Process Comprehension at a Distance (PCaaD), as a novel methodological and automatable approach towards the system-agnostic identification of PLC library functions. In contrast, we assert that current PLC programming practices open the door to a new vulnerability class, affording attackers an increased level of process comprehension. The consensus from both academics and practitioners suggests stealthy process comprehension obtained from a PLC alone, to execute targeted attacks, is impractical.
Such targeted attacks typically require detailed knowledge of system-specific attributes, including hardware configurations, adopted protocols, and PLC control-logic, i.e., process comprehension. Over the last decade, Programmable Logic Controllers (PLCs) have been increasingly targeted by attackers to obtain control over industrial processes that support critical services. We validate PCaaD on widely used PLCs, by identification of practical attacks. To support this, we propose the concept of Process Comprehension at a Distance (PCaaD), as a novel methodological and automatable approach for system-agnostic exploitation of PLC library functions, leading to the targeted exfiltration of operational data, manipulation of control-logic behavior, and establishment of covert command and control channels through unused memory. In contrast, we assert that current PLC programming practices open the door to a new vulnerability class based on control-logic constructs. The consensus from both academics and practitioners suggests stealthy process comprehension obtained from a PLC alone, to conduct targeted attacks, is impractical. Such targeted attacks typically require detailed knowledge of system-specific attributes, including hardware configurations, adopted protocols, and PLC control-logic, i.e.