Venafi predicts €10,000 Mega bounty will be paid out

Encryption firm calls out Kim Dotcom’s approach to security as “bizarre".

Open padlock key

Enterprise security firm Venafi claims Kim Dotcom's offer of 10,000 for the first person to crack his new Mega file storage site will be collected.

The challenge was announced through the site's blog in response to criticism over its security procedures, including the fact there is no end-to-end encryption.

In its response to the challenge, Venafi added its own criticism, stating that - as the encryption keys are stored along with the users' files on the system - user data was more vulnerable.

Advertisement - Article continues below

Calum MacLeod, EMEA director at Venafi, said: "This bizarre and, quite frankly, less secure approach to encryption seems to be in place solely to protect Mr Dotcom from prosecution, on the basis that he and his staff cannot have any knowledge of the data that is being stored on their cloud computing servers.

"While this is perhaps understandable given the fact that [he] was arrested in New Zealand 12 months ago in connection with copyright infringement surrounding his original MegaUpload file storage and sharing service, the lack of security surrounding the encryption keys leaves the system vulnerable."

Mega's password system also came in for criticism from MacLeod, as users have the double burden of supporting account authentication without disclosing that password to Mega's servers as well as outer level data encryption.

Advertisement
Advertisement - Article continues below

This approach, he claims, is a weak security system because obtaining the master key is based on a simple token system that can be replayed, rather than the more usual secure challenge/response technology seen on commercial services.

Advertisement - Article continues below

"This weakness could be exploited through the use of a timing vulnerability when the server compares the user's hash data, allowing a hacker to progressively learn how to access the system using multiple attempts," he said.

"We fully expect this methodology to be exploited by would-be crackers wanting to collect the 10,000 bounty," MacLeod concluded.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement

Recommended

Visit/security/encryption/355820/k2view-innovates-in-data-management-with-new-encryption-patent
encryption

K2View innovates in data management with new encryption patent

28 May 2020
Visit/software/video-conferencing/355410/zoom-50-adds-256-bit-encryption-and-ui-refresh
video conferencing

Zoom 5.0 adds 256-bit encryption to address security concerns

23 Apr 2020
Visit/security/hacking/355382/whatsapps-flaw-shoulder-surfing
hacking

WhatsApp flaw leaves users open to 'shoulder surfing' attacks

21 Apr 2020
Visit/security/cyber-security/355368/microsoft-builds-ai-to-detect-security-flaws-with-99-accuracy
cyber security

Microsoft AI can detect security flaws with 99% accuracy

20 Apr 2020

Most Popular

Visit/server-storage/network-attached-storage-nas/355849/western-digital-sneaked-inferior-smr-tech-into
network attached storage (NAS)

Western Digital accused of sneaking inferior SMR tech into NAS drives

1 Jun 2020
Visit/security/data-breaches/355777/easyjet-faces-class-action-lawsuit-over-data-breach
data breaches

EasyJet faces class-action lawsuit over data breach

26 May 2020
Visit/operating-systems/microsoft-windows/355812/microsoft-warns-against-installing-windows-10-may-2020
Microsoft Windows

Microsoft warns users not to install Windows 10's May update

28 May 2020