Monday, February 29, 2016

Cloud apps: easy file sharing, easy ransomware sharing

Here's something to keep in mind when sharing files and storage with others: the mistakes of others can put you at risk.

There's not a lot of detail in this report, but it mentions cases where ransomware has spread through shared cloud storage (think iCloud, Dropbox, or Google Drive). If a friend or family member's device becomes infected, and you sync to the same shared account, you might unknowingly infect your device.

Ransomware is the current scourge of the Internet. It is malware that encrypts your personal data, such as irreplaceable photos, documents, and financial records, making them unusable. It then demands a ransom to decrypt the files so you can use them again. The only fully reliable protection against this threat is a current and complete backup of your important data, stored somewhere out of the reach of the malware. Without such a backup, your only choices may be to pay the ransom or sacrifice the data forever.

While I have not personally experienced ransomware spreading in this manner, I did have an "oh crap" moment once when a child deleted music from a shared drive. I had set up a sizable library of (legally-owned!) music that they could download to their devices, and taught them how to use a mobile SMB client to browse the server; alas, I was not clear enough in showing them the difference between "local device" and "shared server." When they wanted to remove music from their devices to make room for something new, one of them accidentally deleted some content from my server.

The point is, when sharing things with others, think of how their mistakes can put you at risk. In the music share scenario that I mentioned, I quickly learned to set the share so that my kids could only download music from it, but not change anything on the share itself. Only I could modify the contents of the share, and only from a PC that I controlled.

Similarly, you may consider whether sharing data in a read-only form is appropriate for your needs.
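One way to express the read-only music share described above, assuming the server runs Samba (the post does not say which SMB server was used). This is an added example, not the author's configuration; the path, group and account names, and IP address are placeholders.

```ini
# Added example: Samba smb.conf share definitions.
# Assumptions (not from the post): Samba as the SMB server, the path
# /srv/media/music, the group "family", the account "musicadmin",
# and the administrator PC at 192.0.2.10.

# Before: every family account may write, so one mistaken delete
# (or one infected client) changes the server copy.
# [music]
#    path = /srv/media/music
#    read only = no
#    valid users = @family

# After: the family share can be browsed and copied from, never modified.
# Leave "write list" unset here; any name listed in it would override
# "read only = yes" for that user.
[music]
   path = /srv/media/music
   read only = yes
   guest ok = no
   valid users = @family

# Separate maintenance share over the same directory: one account,
# reachable only from the administrator's PC, hidden from browse lists.
[music-admin]
   path = /srv/media/music
   browseable = no
   read only = no
   guest ok = no
   valid users = musicadmin
   hosts allow = 192.0.2.10
```

File system permissions on the directory still apply underneath the share settings, so the directory should be writable only by the maintenance account. Running `testparm` after editing checks the file for syntax errors before Samba reloads it.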

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen
