Venafi predicts €10,000 Mega bounty will be paid out

Encryption firm calls out Kim Dotcom's approach to security as "bizarre".


Enterprise security firm Venafi claims Kim Dotcom's offer of €10,000 for the first person to crack his new Mega file storage site will be collected.

The challenge was announced through the site's blog in response to criticism over its security procedures, including the fact there is no end-to-end encryption.

In its response to the challenge, Venafi added its own criticism, stating that user data was more vulnerable because the encryption keys are stored along with the users' files on the system.

Calum MacLeod, EMEA director at Venafi, said: "This bizarre and, quite frankly, less secure approach to encryption seems to be in place solely to protect Mr Dotcom from prosecution, on the basis that he and his staff cannot have any knowledge of the data that is being stored on their cloud computing servers.

"While this is perhaps understandable given the fact that [he] was arrested in New Zealand 12 months ago in connection with copyright infringement surrounding his original MegaUpload file storage and sharing service, the lack of security surrounding the encryption keys leaves the system vulnerable."

Mega's password system also came in for criticism from MacLeod, as users have the double burden of supporting account authentication, without disclosing that password to Mega's servers, as well as outer-level data encryption.

This approach, he claims, is a weak security system because obtaining the master key is based on a simple token system that can be replayed, rather than the more usual secure challenge/response technology seen on commercial services.

"This weakness could be exploited through the use of a timing vulnerability when the server compares the user's hash data, allowing a hacker to progressively learn how to access the system using multiple attempts," he said.

"We fully expect this methodology to be exploited by would-be crackers wanting to collect the €10,000 bounty," MacLeod concluded.
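The two weaknesses MacLeod describes, a login token that can be replayed and a hash comparison whose running time depends on its input, are shown here beside the usual fix. This is an added example, not code from the article, Venafi or Mega. All names (`derive_key`, `StaticTokenServer`, `ChallengeResponseServer`, `client_response`) are hypothetical, and the key derivation is simplified to a single SHA-256.

```python
import hashlib
import hmac
import secrets

def derive_key(password):
    # Simplified for the example; a real system would use a slow, salted KDF.
    return hashlib.sha256(password).digest()

def leaky_equal(a, b):
    """Early-exit compare. Returns (match, bytes examined): the work done
    grows with the length of the matching prefix, which is the timing signal."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)

class StaticTokenServer:
    """Weak form: the client presents the same token at every login."""
    def __init__(self, password):
        self.token = derive_key(password)

    def login(self, presented):
        return leaky_equal(presented, self.token)[0]

class ChallengeResponseServer:
    """Hardened form: fresh single-use nonce plus constant-time comparison."""
    def __init__(self, password):
        self.key = derive_key(password)
        self.pending = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def login(self, nonce, response):
        if nonce not in self.pending:   # unknown or already-used challenge
            return False
        self.pending.discard(nonce)     # one attempt per challenge
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)

def client_response(password, nonce):
    return hmac.new(derive_key(password), nonce, hashlib.sha256).digest()
```

A value captured from one static-token login is accepted again unchanged, while a captured challenge response is rejected both for the same nonce and for any later one.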
