'Mega' Insecure: Kim Dotcom Defends Rebooted Megaupload Security

Can the new "Mega" file-sharing service from Megaupload founder Kim Dotcom be trusted to keep users' data secure and hidden from prying eyes?

Twelve months ago, the Department of Justice shut down Megaupload and sought the extradition of key company officials from New Zealand to the United States to stand trial on copyright violation and racketeering charges. But on the anniversary of that takedown, this week Dotcom announced the launch of a new file-sharing site, titled simple "Mega."

Dotcom's pitch for the new service is its use of "on-the-fly encryption," to ensure that any data that users upload remains private. "Without having to install any kind of application -- it happens in your browser in the background -- it encrypts, giving you privacy," Dotcom told The Wall Street Journal. "This means when you transfer data, anyone sitting on that line will get nothing as it is all scrambled and impossible to decrypt without your key. This is going to take encryption to the mainstream."

[ What is cyber warfare exactly, and how can we protect ourselves? Read more at Uncertain State Of Cyber War. ]

But numerous security experts have spotted what they say are serious security flaws in Mega's use of encryption. "Kim Dotcom pulled a Nintendo Wii. Mega has decent design ideas, but it has been poorly implemented by people clearly unfamiliar with basic cryptography," according to a security analysis published by "Marcan," a member of the fail0verflow group.

Chief among the security sins, Marcan said, is the hashing of files using the cryptographic technique known as cipher block chaining message authentication code -- better known as CBC-MAC – which, as the name implies, is meant to authenticate messages rather than be used as a hashing function. "A few people have asked what the correct approach would've been here," he said. "The straightforward choice would've been to use SHA1, though MD5 or SHA256 -- for the more paranoid -- would also have worked well."

Thanks to using CBC-MAC, however, the Mega service is vulnerable to having uploaded files intercepted. "If you were hosting one of Mega's CDN [content delivery network] nodes (or you were a government official of the CDN hoster's jurisdiction), you could now take over Mega and steal users' encryption keys," Marcan said. "While Mega's sales pitch is impressive, and their ideas are interesting, the implementation suffers from fatal flaws. This casts serious doubts over their entire operation and the competence of those behind it."

The new Mega service was launched by the German-Finnish Dotcom, 39, together with three former Megaupload employees: chief technical officer, director, and co-founder Mathias Ortmann, 40; chief marketing officer Finn Batato, 38; and Bram van der Kolk, 29. All four remain on bail in New Zealand, where they're continuing to fight the U.S. government's extradition request to answer charges that they illegally generating $175 million in profits and caused $500 million in damage to copyright holders. All four of the former Megaupload employees have said they're innocent.

From a legal standpoint, the Megaupload case is highly unusual because U.S. prosecutors are pursuing criminal offenses against people charged with violating copyright law -- which is normally a civil offense -- as well as racketeering and money-laundering charges. According to legal experts, that strategy appears to have been employed because under New Zealand law, copyright offenses alone would not be sufficient to allow a suspect to be extradited.

Will the new Mega service avoid the widespread privacy that Megaupload allegedly fostered? To gain users, Mega must first prove its mettle, and the vulnerability spotted by Marcan is far from the only security flaw in the service that's been identified to date. For example, security researcher Steve "Sc00bz" Thomas has discovered that the confirmation emails that Mega sends to new customers contain password hashes in plaintext, as well as a link that contains the encrypted master key required to unlock any files the user has stored on Mega.

Thomas has released a tool, MegaCracker, which can extract passwords from the confirmation emails sent by Mega. "Since e-mail is unencrypted, anyone listening to the traffic can read the message," Thomas told Ars Technica. "It makes no sense to send a confirmation link with a hash of your password."

Beyond that security flaw, Mega's file-deduplication techniques -- storing only one copy of a file, no matter how many users upload it -- have been criticized because an attacker could see which users were storing the same file.

Mega also uses JavaScript in the browser to encrypt files before transmitting them via the Internet, which isn't a new technique. "Crooks have known this for years, with online malware toolkits like Luckysploit using JavaScript-based public key cryptography so that sniffed copies of its HTTP payloads can't be decrypted once the attack is over," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post.

But there's an inherent problem with in-browser encryption: "Software random number generators are notoriously risky," said Ducklin. As a result, any small flaw could leave the encrypted data vulnerable to a trivial brute-force attack.

Dotcom has responded to the security and privacy criticism on the Mega site, noting that its security design will continue to evolve. In a Wednesday Twitter post, he also attempted to turn the security criticism to his advantage: "We welcome the ongoing #Mega security debate & will offer a cash prize encryption challenge soon. Let's see what you got ;-)."

Our 2012 State of Encryption Survey profiles the struggles most IT groups have when trying to manage encryption products. Simply put, the old adage that "encryption is easy, key management is hard" still holds. Read our Five Keys To Painless Encryption report to find out more. (Free registration required.)