Mismanaged cloud services put user data at risk

April 12, 2022

By Eric Pauley, Penn State 

The Research Brief is a short take about interesting academic work.

The big idea

Organizations’ failure to properly manage the servers they lease from cloud service providers can allow attackers to receive private data, research my colleagues and I conducted has shown.

Cloud computing allows businesses to lease servers the same way they lease office space. It’s easier for companies to build and maintain mobile apps and websites when they don’t have to worry about owning and managing servers. But this way of hosting services raises security concerns.

Each cloud server has a unique IP address that allows users to connect and send data. After an organization no longer needs this address, it is given to another customer of the service provider, perhaps one with malicious intent. IP addresses change hands as often as every 30 minutes as organizations change the services they use.

When organizations stop using a cloud server but fail to remove references to the IP address from their systems, users can continue to send data to this address, thinking they are talking to the original service. Because they trust the service that previously used the address, user devices automatically send sensitive information such as GPS location, financial data and browsing history.


Free Reports:

Get our Weekly Commitment of Traders Reports - See where the biggest traders (Hedge Funds and Commercial Hedgers) are positioned in the futures markets on a weekly basis.





Sign Up for Our Stock Market Newsletter – Get updated on News, Charts & Rankings of Public Companies when you join our Stocks Newsletter





An attacker can take advantage of this by “squatting” on the cloud: claiming IP addresses to try to receive traffic intended for other organizations. The rapid turnover of IP addresses leaves little time to identify and correct the issue before attackers start receiving data. Once the attacker controls the address, they can continue to receive data until the organization discovers and corrects the issue.

Poorly managed cloud services are another opportunity for attackers to steal data. Video by Penn State.

Our study of a small fraction of cloud IP addresses found thousands of businesses that were potentially leaking user data, including data from mobile apps and advertising trackers. These apps initially intended to share personal data with businesses and advertisers, but instead leaked data to whoever controlled the IP address. Anyone with a cloud account could collect the same data from vulnerable organizations.

Why it matters

Smartphone users share personal data with businesses through the apps they install. In a recent survey, researchers found that half of smartphone users were comfortable sharing their locations through smartphone apps. But the personal information users share through these apps could be used to steal their identity or hurt their reputation.

Personal data has seen increasing regulation in recent years, and users may be content to trust the businesses they interact with to follow those regulations and respect their privacy. But these regulations may not sufficiently protect users. Our research shows that even when companies intend to use data responsibly, poor security practices can leave that data up for grabs.

Users should know that when they share their private or personal data with companies, they are also exposed to the security practices of those companies. They can take steps to reduce this exposure by reducing how much data they share and with how many organizations they share it.

What other research is being done in this field

Academics and industry are focusing on responsible collection of user data. A recent push by Google aims to reduce collection of users’ personal data by mobile advertisements, ensuring that their security and privacy is protected.

At the same time, researchers are working to better explain what applications do with the data they collect. This work aims to ensure that the data users share with applications is used how they expect by matching permission prompts with how the apps actually behave.

What’s next

We’re conducting research into new technologies on smartphones and devices to ensure they protect user data. For instance, research led by a colleague of mine describes an approach to protect personal data collected by smart cameras. Our vantage point on traffic in the public cloud is also enabling new studies of the internet as a whole. We are continuing to work with cloud providers to ensure that user data stored on the cloud is secure, and are introducing techniques to prevent businesses and their customers from being victimized on the cloud.

About the Author:

Eric Pauley, PhD student in Computer Science and Engineering, Penn State

This article is republished from The Conversation under a Creative Commons license. Read the original article.

InvestMacro

Share
Published by
InvestMacro

Recent Posts

Bitcoin price is approaching 100,000. Natural gas prices rise due to declining inventories and cold weather

By JustMarkets At Thursday’s close, the Dow Jones Industrial Average (US30) was up 1.06%. The…

19 hours ago

USD/JPY Awaits Potential Stimulus Impact

By RoboForex Analytical Department The USD/JPY pair remains stable at approximately 154.30 amid global economic…

21 hours ago

Companies are still committing to net-zero emissions, even if it’s a bumpy road – here’s what the data show

By L. Beril Toktay, Georgia Institute of Technology; Abhinav Shubham, Georgia Institute of Technology; Donghyun…

22 hours ago

Asking ChatGPT vs Googling: Can AI chatbots boost human creativity?

By Jaeyeon Chung, Rice University  Think back to a time when you needed a quick…

1 day ago

RBNZ may cut the rate by 0.75% next week. NVDA report did not meet investors’ expectations

By JustMarkets At Wednesday’s end, the Dow Jones Index (US30) rose by 0.32%. The S&P…

2 days ago

This website uses cookies.