Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    As part of our 2013 predictions, we predicted that legitimate cloud services would be abused by cybercriminals. Unfortunately, that has proven to be the case – and in today’s current climate, it is unlikely to get any better.

    For example, last week we saw a spam run that used Dropbox to host its malicious payload. It’s not the only case we’ve seen where legitimate cloud services have been utilized for malicious purposes – only the most recent noteworthy one.

    The issue is bigger than just one popular service – others like Evernote and Sendspace have been abused as well. It’s natural to ask if these services can prevent such cases from happening again. However, a competing demand has also been heard from the public: privacy.

    Today, people are much more concerned about whether their data is being read by governments or monetized by service providers themselves. They are likely to demand more privacy. For example, in the case of a cloud storage provider, the demand might be that the cloud provider not know anything about what files are being stored on their servers. To the provider, the customer’s data would merely be a blob of indecipherable bits that means nothing to them.

    Fundamentally, there is a clash between the demands of privacy and the demands of security. Say, for example, a storage provider wanted to ensure that their service wasn’t being used to host malware. They could, for example, use very powerful solutions – file scanning, sandbox testing, etcetera – to test all uploaded files. Notwithstanding the obvious effects on costs and server requirements, this would also be perceived as spying by many users. (In today’s climate, that accusation can quite easily destroy a company.)

    The converse is also true: they could provide completely private storage, where all encryption is performed on user devices, and they have no idea what’s being stored on their sites. A service like that would certainly be abused by criminals. Because cloud providers have to meet legitimate customer demands for secure, private services, this creates a system that also shields illegitimate users’ activities from detection”.

    Both examples above, of course, are at extremes – but they illustrate the tradeoff any cloud provider must make. They must strike a balance that suits their strategy and business model. However, this means that some level of abuse will be inevitable – and might even be viewed as an inevitable cost of doing business.

    What should users take away from this?  As we said above, some abuse will be inevitable. It doesn’t even have to be a vendor you chose; it can be a vendor that either another user or a cybercriminal chose. Some writers have implied that as computing moves to the cloud, users can abdicate some responsibility for their security to other parties (like, say, cloud services of one kind or another.)

    Nothing could be further from the truth. Users must still take responsibility for their own security and adopt security solutions that work for them and put them in control. Obviously, this means different things for a family at home and a corporation with thousands of seats – but the principle remains the same. The user, and not the “cloud”, has ultimate responsibility for keeping themselves safe.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon

    • RaulB

      I agree with the idea of cloud providers must scan content. I think they have to do their best on it.

      I have been watching malicious spam with links to malware hosted in Dropbox, Google Docs and Skydrive since an year or so.

      As computer security administrator it is a problem to ban access to links to that providers, nearly impossible to do that.

      And cloud providers reputation falls a bit with each new case of malware hosted on their services.

      For instance, I do not understand Google’s logic, they not allows attach an EXE file into an email (Gmail) but allows store and links pointing to a malware file stored in GoogleDocs/Gdrive. Criminals are already taking advantage of this.

      I agree with the idea of users taking responsability, but on security I try to do defense in depth: this is technically blocking all possible problem AND educating the user.

      I think cloud providers are responsibles on security. They has to commit to be an active part of security equation. They have enough resources.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice