Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management //

Encryption

4/6/2018
08:05 AM
Simon Marshall
Simon Marshall
Simon Marshall
50%
50%

Startup PreVeil Challenging Cloud-Based Encryption Standards

Boston-based PreVeil is looking to change the way data is encrypted in the cloud, and it is butting heads with the bigger cloud storage providers to prove its point.

Storing and sharing files in the cloud is the norm these days. But new questions about the robustness of current encryption have sparked rivalry between a Boston-based startup and one of the Big Three cloud storage providers.

Dropbox has come under fire for "using an old security paradigm that has fundamental vulnerabilities," according to a statement from newbie PreVeil, which has patented a new approach to encrypting data not just at rest or in transit, but also during computing and processing.

"Their security architecture allows them to read users' information and so can anyone that hacks them," according to PreVeil's statement targeting Dropbox.

Dropbox was subject to a user name and password breach in 2012, which was exacerbated in 2016 when attackers released a list of 68 million stolen passwords. Dropbox claims that in 2012, it was using the best data protection security available, and then four years later after the stolen material was published, it enforced an obligatory password reset for users.

However, PreVeil's contention appears to be that Dropbox was lax.

"The breach wasn't acted upon until 2016, meaning that in a period of several years, attackers could potentially have stolen user information," PreVeil CEO and founder Randy Battat told Security Now. "This problem extends beyond Dropbox because it's likely that many users had the same password for other services."

It's understood that Dropbox's decision to remediate in 2016 was made on the basis that resetting passwords was for the better good, even though some users may have found a password reset impossible because they had no access to the email address they used to set up the account.

That's now water under the bridge, but it asks questions about how watertight standard encryption technology is, and with the cloud everywhere, whether its counterpart -- "encryption everywhere" -- has found a market opening?

Scale versus statistics
Dropbox has about 500 million end users -- the company also recently went publicin a successful IPO -- and as tends to be standard when running a large-scale service, it holds the data encryption key itself, allowing its users to collaborate using services such as Presence and Paper.

By contrast, PreVeil uses a unique group encryption approach, commercialized from academic research at MIT, which doesn't store the key on a central server, and so the logic goes, it isn't available for theft. The start-up's contention is essentially that, even if a hacker breaks a system, with the new encryption technology, whatever they find will be unintelligible garbage.

Dropbox declined to comment on the record for this story, however, the company has detailed its own encryption standards and how it protects customer data.

Specifically, when Dropbox stores data in the cloud, it's broken up and stored in non-contiguous blocks that don't necessarily relate to one another. The firm believes that the resulting "ocean of encrypted blocks," leaves anyone breaking into the system mathematically in the dark about which blocks go together to form a coherent file, and again, the data's garbage.

Nevertheless, Battat argues that servers are still vulnerable.

"The Dropbox product and user experience are built on the assumption that servers will always be able to read user data," he said. "Changing this assumption challenges the fundamental design and technical principles upon which Dropbox is built. PreVeil was built from the ground up with the understanding that servers should never be allowed to see user data."


Want to hear more about the leading operator use cases for AI technologies? Join us in Austin from May 14-16 at the fifth-annual Big Communications Event. There's still time to register and communications service providers get in free!

Incidentally, PreVeil also singled out Microsoft OneDrive, Google Drive and Box for criticism on the basis they use similar methods.

Who can afford to play the odds?
So, has the time arrived for a better level of encryption in the cloud?

PreVeil thinks so, aiming for the mass market with its own Drive service which launched late March, betting that standard technologies have had their day, no matter the statistics behind the chances of hackers reading data.

"Unless your service provider encrypts information end-to-end, there is a non-zero chance of your information getting leaked from server-side breaches," Battat said.

One can see the need for hugely scalable file storage and transfer to meet the needs of businesses and consumers has required a conventional-wisdom approach from the Big Three.

But one could also speculate that as more data is stored in the cloud, the stakes are raised, the amount of data lost could be huge, and the business disruption very substantial.

Weighted against this is the high cost of a sophisticated, time-consuming attack in order to be successful, when brute-force attacks are still mainstream and are no doubt lower-hanging fruit in terms of time versus gain.

More fundamentally, are the mathematical risks with standard encryption technologies statistically meaningful enough to warrant a reinvestment in security architecture?

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.