
Mismanaged cloud services put user data at risk

Attackers can "squat" on unused cloud IP addresses to steal personal data meant for other organizations when cloud services are not properly maintained.

The big idea

According to a study my colleagues and I performed, organizations' failure to properly manage the servers they lease from cloud service providers can allow attackers to access confidential data.

With cloud computing, businesses can lease servers in the same way they lease office space. When organizations don't have to worry about owning and operating servers, it's easier for them to design and manage mobile apps and websites. However, this method of hosting services presents security issues.

Each cloud server has its own IP address, which users can use to connect and transfer data to it. When an organization no longer needs this address, it is passed on to another customer of the service provider, perhaps one with malicious intent. As enterprises alter the services they employ, IP addresses might change hands as frequently as every 30 minutes.

When companies quit using a cloud server but don't delete references to the IP address from their systems, users may believe they're still communicating with the original service. User devices automatically submit sensitive information such as GPS position, financial data, and browsing history because they trust the service that previously used the address.

An attacker can exploit this by "squatting" on the cloud, claiming IP addresses in order to intercept traffic meant for other companies. Because IP addresses change often, there is little time to identify and repair problems before attackers begin obtaining data. Once the attacker has control of the address, they can keep receiving data until the company notices and corrects the problem.
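A defender can look for such stale references before an address is reassigned. The sketch below is an added example, not code from the study: it assumes the references live in DNS records and that the organization keeps an inventory of the addresses it currently leases. The zone contents, provider ranges and inventory are constructed sample data.

```python
import ipaddress

# Constructed sample data (documentation address ranges, not real infrastructure).
CLOUD_RANGES = ["198.51.100.0/24", "203.0.113.0/24"]  # assumed provider ranges
OWNED_IPS = {"198.51.100.10", "203.0.113.7"}          # addresses currently leased
ZONE = """
api.example.com.      300 IN A     198.51.100.10
track.example.com.    300 IN A     198.51.100.77
ads.example.com.      300 IN CNAME track.example.com.
www.example.com.      300 IN A     192.0.2.5
old.example.com.      300 IN CNAME gone.example.com.
"""

def parse_zone(text):
    """Return {name: (rtype, value)} for the A and CNAME lines of a simple zone listing."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[3] in ("A", "CNAME"):
            records[fields[0].lower()] = (fields[3], fields[4].lower())
    return records

def resolve(name, records, max_hops=8):
    """Follow CNAMEs inside the zone; return the final IP string, or None."""
    for _ in range(max_hops):
        rtype, value = records.get(name, (None, None))
        if rtype != "CNAME":
            return value  # the IP for an A record, None if the name is missing
        name = value
    return None  # CNAME loop or chain longer than max_hops

def audit(zone_text, cloud_ranges, owned_ips):
    """Classify each name as 'owned', 'dangling', 'external' or 'unresolved'."""
    nets = [ipaddress.ip_network(r) for r in cloud_ranges]
    records = parse_zone(zone_text)
    report = {}
    for name in records:
        ip = resolve(name, records)
        if ip is None:
            report[name] = "unresolved"
        elif ip in owned_ips:
            report[name] = "owned"
        else:  # a cloud address the organization no longer holds is the risky case
            in_cloud = any(ipaddress.ip_address(ip) in n for n in nets)
            report[name] = "dangling" if in_cloud else "external"
    return report

if __name__ == "__main__":
    print(audit(ZONE, CLOUD_RANGES, OWNED_IPS))
```

Names reported as dangling still point at a provider address the organization has released, so their records should be removed or repointed; names reached only through a CNAME (here `ads.example.com.`) inherit the problem from their target.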

Thousands of firms were potentially leaking user data, including data from mobile apps and advertising trackers, according to an analysis of a small fraction of cloud IP addresses. These apps were designed to exchange personal information with businesses and advertisers, but instead leaked information to whoever owned the IP address. Anyone with access to a cloud account might obtain the same information from vulnerable companies.

Why it matters

Users of smartphones exchange personal information with businesses via the apps they download. According to a recent study, half of smartphone users are comfortable disclosing their locations via smartphone apps. However, the personal information that users give on these apps could be used to steal their identities or damage their reputation.

In recent years, personal data has become more regulated, and users may be willing to believe that the firms with whom they deal will adhere to those standards and respect their privacy. However, these rules may not be sufficient to protect consumers. Even when firms seek to use data responsibly, our research indicates that weak security policies can leave that data vulnerable.

What other research is being done in this field

Academics and industry are concentrating on the collection of user data in a responsible manner. Google has recently made an effort to limit the acquisition of personal data by mobile adverts, guaranteeing that users' security and privacy are protected.

Simultaneously, researchers are attempting to clarify what programs do with the data they collect. By matching permission prompts to how apps actually behave, this effort attempts to ensure that the data users supply to apps is used in the way they anticipate.

What’s next?

We're looking into new smartphone and device technologies to see how well they safeguard consumer data. For example, a study done by one of my colleagues describes a method for protecting personal data obtained by smart cameras. Our unique perspective on traffic in the public cloud is allowing for fresh research into the internet as a whole. We're continuing to work with cloud providers to ensure that user data stored in the cloud is secure, and we're developing new approaches to protect businesses and their consumers against cloud-based attacks.

Author: Eric Pauley, PhD student in Computer Science and Engineering, Penn State

Source: GCN



One comment

The potential risks of mismanaged cloud services are concerning, especially regarding user data security. It's crucial to address these issues. Just as you sought help at during your studies, organizations must also seek expert assistance to navigate the complexities of cloud management, ensuring data safety. Your proactive approach reflects a commitment to success, both in academics and data security.
