First and foremost let’s get the “who the hell is this†out of the way. My name is Matt Johansen and I’m a recent college graduate starting on my path in Information Security. I have a technical background professionally and in my education but am growing more interested in the business aspects of security as I study for my CISSP exam. I’ve met a lot of great people that have been helping me along the way (honorable mention to my professor Kees Leune and all you Security Twits) including the LiquidMatrix team.
I came across some interesting stories about the all mighty Google cloud features in the past couple of days. The first was about Gdrive, a specific example of a broader idea of online storage space. This idea is growing ever more popular now that the “cloud” is becoming a buzz word in the community and Google is taking another step towards being the all mighty one. This is an old idea done a new way with most likely lots of Google flare such as booting from an online hard drive and automated backups.
Very interesting ideas that of course people are very excited about but leave it to the security people to kill the hype.
If done right this would be a great service just as network share drives with group or personal permission folders are great on closed networks. But an interesting point was discussed on a recent episode of Diggnation when Kevin Rose spoke of a certain targeting problem. In general the everyday user of this service would most likely be left alone but what about people more under a public spotlight. Kevin referred specifically to him or his co-host Alex putting up personal photos that some hacker savvy fan would love to get their hands on. Even without the ability to gain access to the drive a MITM attack would be very feasible as demonstrated on Gmail with The Middler at Shmoocon.
As for the confidence in Google and its ability to protect your privacy, I stumbled across another article about a Google Docs sharing bug. Google has sent a letter to users who have been affected by this bug explaining that some of their documents were shared with previous collaborators without you knowing it.
Alice: “Honey, who is this Eve woman and why are we working on a list of gifts for her?”
Bob: “…”
Actual letter sent by Google:
Dear Google Docs user,
We wanted to let you know about a recent issue with your Google Docs account. We’ve identified and fixed a bug which may have caused you to share some of your documents without your knowledge. This inadvertent sharing was limited to people with whom you, or a collaborator with sharing rights, had previously shared a document. The issue only occurred if you, or a collaborator with sharing rights, selected multiple documents and presentations from the documents list and changed the sharing permissions. This issue affected documents and presentations, but not spreadsheets.
To help remedy this issue, we have used an automated process to remove collaborators and viewers from the documents that we identified as being affected. Since the impacted documents are now accessible only to you, you will need to re-share the documents manually. For your reference, we’ve listed below the documents identified as being affected.
We apologize for the inconvenience that this issue may have caused. We want to assure you that we are treating this issue with the highest priority.The Google Docs Team
It has been reported to have affected around .05% of Google Doc users which could still be a pretty large number but isn’t a major leak. This still raises a few questions especially when it comes to your confidence in upcoming services such as Gdrive and other people’s ability to access your data.
Just some food for thought!
-Matt Johansen