May 2013 - The Privacy Post


Hospitals and the Risk of Hacking

Posted by on May 30, 2013

While most industries have flocked to the convenience and cost savings of the cloud, health-care providers and hospitals have been slow to adopt. Even the fastest growing medical cloud service represents less than 5 percent of the physician market. But the wariness of medical providers to employ cloud services makes sense given HIPAA pressures and the threat of third-party attacks. In a recent survey by CFO Research Services, 75 percent of respondents had experienced financial loss and workflow interruptions as a result of third-party attacks. And the Russian-Ukrainian cyber gang known as Best Inc. recently stole more than a million dollars from a hospital in Washington.

Health records have gone digital

Photo courtesy of ProvidersEdge.com

Patients should know that hackers can and have attacked hospital databases to exploit patient records for extortion. But with the growing threat of hacking and extortion, medical offices and hospitals can properly secure sensitive patient data through anonymous and private cloud storage. Such precautions are necessary given the prevalence of hospital hacking and even internal data theft.

In 2011, a disgruntled employee at Florida Hospital accessed the private records of over 700,000 patients. Of these records, 12,000 victims of car accidents had their data sold for chiropractor and attorney services, literally adding insult to injury. And in 2012, Crescent Healthcare had their computer hardware stolen, which contained Personal Identifying Information and Patient Health Information, resulting in a HIPAA violation notification. Such cases could have been avoided had proper internal IT policies been established and observed while securing patient data through a fully anonymous and encrypted cloud service.

The high cost of HIPAA civil penalties.

Infographic courtesy of InspiredLearning.com

Take the case of the dermatology doctor from Surgeons of Lake County whose office computer system was hacked. The attackers breached the practice’s server, seized patient data, and attempted to extort the practice by demanding a ransom. As electronic health records and electronic medical records become the new standard in patient data storage, such attacks will only become more widespread unless the industry as a whole addresses the issue of securing patient privacy.

According to the Secretary of the Department of Health and Human Services, almost 21 million people have had their electronic medical records or electronic health records stolen or breached in the past three years. The biggest data breach was in the case of TRICARE, a healthcare program for Armed Forces members and their families. The medical subcontractor lost the records of nearly 5 million people, revealing the necessity of private data backup. If TRICARE had employed a private and anonymous cloud service, such private patient records would have been backed up and protected through encryption.

Image courtesy of healthcareitnews.com

Top data breaches of 2012

Shockingly, governmental health institutions are just as ignorant of proper security measures as some sectors of private healthcare. In 2013, hackers traced to Eastern Europe seized the private medical records of 780,000 Utah residents from the Utah Department of Health. And even medical insurance companies have been breached, as in the case of major insurance providers like Health Net and Blue Cross Blue Shield, resulting in the potential exploitation of millions of individual patient records.

Patients, consumers, and citizens should demand that their private health records be kept private from hackers and even disgruntled employees looking to make a quick buck off selling medical records. And healthcare providers, insurers, and governmental health organizations should proactively seek security solutions to the glaring gaps that currently leave patient records wide open to hacking and data exchange. Shifting private records to an anonymous cloud service can ensure that sensitive information is kept truly private, protecting both patients and providers.

Privacy for Patients

For true user privacy, only anonymous cloud storage and sharing services like SpiderOak provide all the convenience and savings of the cloud while guarding against hacking and security breaches. SpiderOak is a cloud storage and sharing service that offers data backup and syncing services. It stands out from the crowded cloud market by featuring complete data privacy and user anonymity. Through 256-bit AES encryption and two-factor password authentication, SpiderOak makes sure that medical records, folder names, file names, and passwords cannot be read or even accessed by SpiderOak and its employees.

As for two-factor authentication, this is just like the process used with some banking and financial services that require a PIN or correct answer to a secret question as an extra precautionary measure. For SpiderOak, this means submitting a private code through SMS in addition to the encrypted password to log in. Once successfully logged in, medical providers can store and share data with 100 percent privacy, as SpiderOak has “zero-knowledge” of uploaded data and plaintext encryption keys. This means that the company and its employees don’t even have access to user passwords. Instead, the data encryption key for individual passwords is exclusively stored on each user’s computer. This way, every bit of patient data is kept fully anonymous. SpiderOak’s services are available with Windows, Mac, and Linux desktop environments, along with Android and iOS mobile platforms, granting health care providers flexibility along with security.


Album Leaks & the Promise of Private Storage

Posted by on May 29, 2013

It seems that every other day you hear of some critic bemoaning the demise of the recording industry. And it’s true that labels have struggled to stay relevant in an era of independent artists and digital downloads. But while the industry has taken drastic measures to combat digital piracy, there is still a glaring lack of security standards to guard against album leaks. Unplanned album leaks threaten the entire music industry, from major labels to independent artists. As hackers ruin painstakingly planned and marketed releases and the music industry continues to adapt to changing pressures, private cloud storage offers a safeguard from leaks.

Daft Punk

Photo courtesy of breathecast.christianpost.com

Hacked musician phones, emails, and computer drives have become so commonplace that we’ve come to accept it as part of the territory that comes with celebrity. But aside from the massive invasion of privacy and rights that such hacking imposes on artists, these attacks also threaten the very source of their livelihood. Recently, Jai Paul suffered a leak of illegally seized demo tracks passed off as his latest album on Bandcamp. As Jai Paul wrote on Twitter, “To confirm demos on bandcamp were not uploaded by me, this is not my debut album. Please don’t buy. Statement to follow later.”

Jai Paul’s label, XL Recordings, put out a statement in regards to the leak saying, “As widely reported, on Sunday 14th April, music by XL Recordings artist Jai Paul was illegally made available via a fake Bandcamp account. This music was not uploaded by Jai and it’s not his debut album – it is a collection of various unfinished recordings from Jai’s past. Neither XL or Jai will take any money from the sale of this music. We have been working with Bandcamp and PayPal to resolve this situation and they have told us all purchases will be refunded within the next 7 days.”

In the case of this album leak everyone but the hacker lost. Fans were disappointed in the poor quality of these unreleased tracks, never meant to be put out in wide distribution, and had to wait a week before getting their money back. Jai Paul and XL Recordings suffered a loss in image, and the leak distracted from his actual album debut. Even Bandcamp’s brand was damaged, as artists now worry about the site being used for fake pages in the future. And even iconic bands like U2 have been unable to properly secure their music from hacking and leaks, as shown by a recently leaked jam session video posted by a fan.

While fans await the long anticipated release of Daft Punk’s Random Access Memories, the French electronic duo have had to suffer several leaked “versions” of their singles. The most recent leak of “Giorgio by Moroder” is of poor quality and frustrates the painstaking efforts of the producers and marketing team that have hoped for a polished and planned release.

From EDM to rock, album leaks threaten the entire chain of the music industry, as they can help illegal downloads spread long before an official release, causing sales to plummet. For the band Phoenix, the leak of their latest album simply killed the magic for their fans. As Deck D’Arcy put it in a recent interview with Fuse, “It’s more important for the fans, actually. Because as a music fan before the Internet…we would discover, we would wait like crazy for the release date. And a “leak” was not in the vocabulary of the music world. So we were dying for records to come out. There was a lot of emotion…But for people, they don’t have the same tension and that’s a little bit of a shame.”

Album leaks even have the potential to derail a planned and marketed release, as shown in the case of Kid Cudi’s Indicud. The rapper’s sophomore album was leaked three weeks before its scheduled release date, causing his label to scramble to release the album a week early to avoid any further losses in album sales.

Kid Cudi

Photo courtesy of breathecast.christianpost.com

And even debut acts like Stooshe have found themselves on the bitter end of an album leak. The pop trio unfortunately had their debut album leaked a year early before final production. As Karis Anderson told Digital Spy, “It was frustrating of course,” and Courtney Rumbold added, “The mixing and mastering on the songs has changed a bit…We’ve added ‘Slip’ and two new songs…When the album leaked, we didn’t want to give everyone the same album again.” With the inherent pressures of a debut album, the leak forced Stooshe to essentially record and master a whole new record at added studio and production costs.

Stooshe

Photo courtesy of digitalspy.com

A Private Storage Solution

For labels and artists that want a sure way to avoid album leaks, a solution lies in anonymous cloud storage and sharing services like SpiderOak, which provide all the benefits of cloud storage and syncing while protecting against hacking and security breaches. SpiderOak is a cloud service that offers data backup, storage, and syncing services. It separates itself from the crowded cloud market by offering full privacy and anonymity. Through 256-bit AES encryption and two-factor password authentication, SpiderOak ensures that business files, folder names, filenames, and passwords cannot be read or accessed by SpiderOak or its employees, so labels and artists can rest easy knowing no one has access to their treasured tracks.

As for two-factor authentication, this is similar to the process used with some banking and financial services that require a PIN or correct answer to a secret question as an extra precautionary measure. For SpiderOak, this means submitting a private code through SMS in addition to the encrypted password to log in. Once successfully logged in, users store and share data with 100 percent privacy, as SpiderOak has “zero-knowledge” of uploaded data and plaintext encryption keys.

This way, only approved artists and producers can access tracks and works in progress, to ensure that nothing leaks without the approval of the artist and label. Through protecting their tracks with private storage, artists can secure record sales without having to worry about competing with an early leak. SpiderOak’s services are available with Windows, Mac, and Linux desktop environments, along with Android and iOS mobile platforms.


Privacy & The Right to Know Act

Posted by on May 28, 2013

It seems like just about every day, the news headlines give businesses and users more reasons to protect their sensitive information. From massive data breaches by hackers to data mining from social media sites like Facebook, the world of digital data storage has moved so quickly that standard privacy measures haven’t been able to catch up. But as the public grows more and more aware of the raging battle over net privacy, the call for legal protections for sensitive individual information has grown louder than ever. Through legislation like SOPA, PIPA, and CISPA, consumers have learned of the pressing need for privacy in the face of spying and user data exchanges by big corporations and even the U.S. government.

Activism Director Rainey Reitman of the EFF

Photo courtesy of info.abril.com.br

Users are learning that their data has been collected and often sold to companies without their knowledge, marking an era of legal exploitation. But a new bill is being considered in California that could help change this dangerous precedent. Known as the “Right to Know Act of 2013”, AB 1291 would give California consumers unprecedented privacy rights and industry transparency by requiring companies to disclose any data they collect and share on individual users. If passed, companies would have to provide a free report on such data mining and exchanges by customer request within 30 days. While the law currently narrowly defines “customers” as California residents, the state is a national leader in privacy legislation, so if passed it could create a ripple effect throughout the country.

According to Activism Director Rainey Reitman of the Electronic Frontier Foundation, “Under current California law, customers can contact companies and ask for an accounting of disclosures for direct marketing purposes – basically, a list of what companies got your personal data for them to send you junk mail, spam, or call you on the phone – and general facts about what types of data were disclosed…The new proposal brings California’s outdated transparency law into the digital age, making it possible for California consumers to request an accounting of all ways their personal information is being trafficked – including with online advertisers, data brokers and third-party apps.” This legislation captures growing public discontent with the current anarchic state of the market, with 69 percent of respondents to a recent national poll in favor of such transparency laws. But even in the face of wide consumer demand, companies have already pressured lawmakers to weaken the bill.

Recently, a letter signed by 15 important companies and industry groups demanded that the Right to Know Act’s author, Assemblywoman Bonnie Lowenthal, D-Long Beach, pull the bill citing concerns over unnecessary strain on the industry as well as the potential torrent of lawsuits. Most unnerving of all, among the signatures was TechAmerica, a trade group representing major industry leaders like Microsoft, Google, and Facebook. According to attorney Nicole Ozer of the ACLU, “A lot of companies don’t want consumers to know what’s happening to their personal information…Companies are collecting and sharing this information with third parties.”

Assemblywoman Bonnie Lowenthal, D-Long Beach

Photo courtesy of venturebeat.wordpress.com

Sadly, the industry pressure has worked for the short term. This month, Bonnie Lowenthal decided to stall the Right to Know Act of 2013 until an undetermined time next year. TechAmerica has loudly lobbied against the California Right to Know Act, claiming that it “rests on mistaken assumptions about how the internet works.” This condescending attack on consumer rights was rebutted by the ACLU, which highlighted the alarming data exchanges of private consumer information. But privacy activists and users of all sorts can still look ahead to taking up the fight again in 2014, as Lowenthal remains confident that AB 1291 will pass, awarding Californians the same protections already in place in 27 EU countries with similar laws (where companies like Google and Facebook have already been in compliance).

TechAmerica has led the fight against the Right to Know Act

Image courtesy of afptechknow.org

But until that moment comes, users can still protect their private data without relying on the government or the good graces of private industry. Many are already aware that Facebook apps mine sensitive data from user profiles, including religious, sexual, and political preferences. And a whole industry of data collection rests on information pulled from social media and mobile devices. Users can start by making sure they don’t disclose to social media sites any sensitive information that they don’t want sold to other companies for advertising purposes. After that, individuals and businesses can protect themselves by storing any sensitive data exclusively in a private cloud.

Protecting Yourself In the Meantime

Many cloud services market themselves as “secure” solutions with standard data encryption as well as hashed and salted passwords. But these are just the first line of defense against security breaches and still leave sensitive data vulnerable to third-party attacks (there are even whole sites dedicated to showing people how to crack hashed and salted passwords). For true user privacy, only anonymous cloud storage and sharing services like SpiderOak provide all the benefits of the cloud while protecting against hacking and security breaches.

Users store and share sensitive files with 100 percent privacy, as SpiderOak has “zero-knowledge” of consumer data and plaintext encryption keys. This means that the company and its employees don’t have access to user passwords. Instead, the data encryption key for individual passwords is exclusively stored on each user’s computer. This way, every bit of consumer data, right down to the password is kept fully anonymous.


Managing the Risks of Cloud Computing

Posted by on May 27, 2013

In a recent study surveying 1,300 American and U.K. companies, 88 percent of respondents claimed their small business saved money through employing cloud services. And it seems that the push to the cloud will soon spread so wide that cloud services will become standard for most businesses around the globe in just a matter of years. Currently, 53 percent of small businesses, with staff between five and 50 people, now employ some type of cloud service.

Small business and the cloud

Image courtesy of sadasystems.com

Clouds can help businesses gain a competitive edge, save money, and turn profits through a wide variety of ways. For retailers, cloud services offer the potential to securely store big data to better serve their customers. And for companies used to buying and maintaining their own servers, clouds can cut hardware costs by hosting data on virtual servers. Even industry leaders like Microsoft and Google have seen the benefits of cloud services, offering their own products to businesses and managing to take away large shares of the market. But while businesses shift IT costs from hardware, software, and staff to cloud services, glaring gaps in security continue to threaten wide sectors of industry.

Though savings are the primary driving force behind the push to the cloud, there are other factors to consider as well, including smoother workflow and employee mobility. However, security remains an imminent threat with cloud data storage services, especially those that only use the basic safeguard of hashing and salting passwords. In a recent survey of IT decision makers that have not yet made the switch to cloud services for their businesses, 57 percent were hesitant out of security concerns and 29 percent cited privacy issues. But with proper IT policies like data encryption, HR teams and IT managers can help secure their sensitive information, while truly private cloud storage services can provide peace of mind through added security measures like data and password anonymity.

Cloud adoption

Image courtesy of Isaca.org

While cloud computing has revolutionized the market, to fully take advantage of the benefits of cloud storage, businesses must secure their data from attack. Because as much as cloud computing is convenient and cost-effective, entire brands can go under with just one security breach! From ruined reputations to consumer lawsuits, the costs of hacking necessitate a guaranteed safeguard from attack.

Hackers have exploited user data through selling the information to other companies and have even resorted to extortion as recent news headlines show. But as David Linthicum, senior vice president for Cloud Technology Partners, put it, “We have studies that come out that say that [the] cloud is insecure, and others that say that it’s more secure. I think it’s somewhere in the middle – it’s as insecure as you make it.” In an era in which businesses can’t rely on the goodwill of private industry or the protections of the government, IT managers must take their own initiative on securing their companies’ most sensitive data.

Cloud risks

Image courtesy of CopperBridge Media

After doing the work of encrypting data in house, it’s important to choose a cloud service that provides complete privacy and anonymity. Many cloud services offer “secure” storage with standard data encryption as well as hashed and salted passwords. But hashing and salting is just the bare minimum and only a first line of defense against security breaches. Hashing and salting still leaves sensitive company and user data vulnerable to third-party attacks, and there are entire sites dedicated to showing people how to crack hashed and salted passwords using the same encryption. For true user privacy, only anonymous cloud storage and sharing services like SpiderOak provide all the convenience and savings of the cloud while protecting against hacking and security breaches.

SpiderOak is a cloud service that offers data backup, storage, and syncing services. It differentiates itself from the crowded cloud market by offering full privacy and anonymity. Through 256-bit AES encryption and two-factor password authentication, SpiderOak ensures that business files, folder names, filenames, and passwords cannot be read or accessed by SpiderOak or its employees.

As for two-factor authentication, this is similar to the process used with some banking and financial services that require a PIN or correct answer to a secret question as an extra precautionary measure. For SpiderOak, this means submitting a private code through SMS in addition to the encrypted password to log in. Once successfully logged in, users store and share data with 100 percent privacy, as SpiderOak has “zero-knowledge” of uploaded data and plaintext encryption keys. This means that the company and its employees don’t have access to user passwords. Instead, the data encryption key for individual passwords is exclusively stored on each user’s computer. This way, every bit of consumer data, right down to the password is kept fully anonymous. SpiderOak’s services are available with Windows, Mac, and Linux desktop environments, along with Android and iOS mobile platforms.


Raising the Bar: Common Gaps in Cloud Security

Posted by on May 26, 2013

Cloud storage and sharing services have revolutionized the business world, offering convenient data storage and syncing for mobile workers. Cloud services have saved companies the massive costs of servers and a bigger staff, but without proper risk management, a company’s entire reputation could be shattered with a single security breach. The imminent threat of third-party attack, data mining, and even legal snooping through laws like CISPA has kept some businesses far from the cloud out of fear of hacking. But truly secure cloud solutions are out there, and at EMC World 2013, Tom Roloff, the senior vice president of EMC’s Global Services, predicted that most businesses will have made the switch to the cloud within five years, due to security becoming the major differentiator between cloud services.

Close the security gaps in your cloud!

Image courtesy of smeadvisor.com

As it stands, companies that currently employ cloud storage and sharing services are for the most part ignorant about the true risks of data breach and of how the services they rely on purport to protect their information. According to a recent NetIQ survey of IT executives, over half of the surveyed executives believe that merely storing data on a cloud is an increase in overall data security in itself. But 70 percent of the executives did indicate concerns over potential risks to their company’s sensitive data, while 45 percent aren’t confident in the security programs already put in place by their cloud providers.

Business & Cloud Computing

Image courtesy of cloudfluence.com

As companies trust more of their sensitive information to third-party cloud service providers, some executives and managers have actively searched for data security solutions from servers to end users. Almost half of surveyed IT executives stated that they don’t have current control of their data on the cloud and less than half train end users on secure cloud access procedures and policies.

Common challenges of the cloud

Image courtesy of soatothecloud.com

Many IT managers trying to navigate the world of cloud storage, sharing, and syncing procedures feel like they are drowning in a sea of cloud concerns. From the dangers of mobile data access to the threat of hacking, businesses must scramble to stay one step ahead of the game. According to a recent study, 89 percent of global information security professionals don’t fully understand how security solutions apply to the cloud, and 78 percent don’t have a proper grasp of good cloud security protocols. With daily headlines of major companies and even governmental institutions getting hacked it’s shocking to see just how wide of a security gap this massive move to the cloud has left open. In just one security breach, hackers can steal sensitive user data while permanently damaging a brand’s reputation. According to Steve Pate of Computerworld, the threat of cloud breaches isn’t going away any time soon, “whether they are hackers looking for data, or accidental misconfiguration, which we recently saw with Amazon’s cloud storage where over 126 billions (yes, billion) files were unintentionally exposed. Organizations simply have to take data privacy more seriously.”

For companies, IT managers, and even individual users looking for truly secure cloud solutions, navigating the world of data security can be confusing and complicated. But as the recent breach in Amazon’s cloud storage shows, no one is exempt from the threat of attack, from small startups to the biggest players. Two ways to secure sensitive data while employing a cloud storage service are through self-encryption and finding a cloud provider that offers true privacy.

Self-encryption means taking the initiative to protect your sensitive data from the very start. Anytime a company has access to sensitive data, that data should be encrypted before leaving the company’s network to be stored on a third party cloud. By using a cloud-security gateway, companies have control of their data throughout the beginning stages of the cloud storage process. Encrypting data on company networks also protects against internal hacking and data mining, while ensuring that the convenience of mobile data access maintains a smooth workflow. This simple precaution is enough to protect sensitive data when coupled with a cloud storage service that provides full privacy and anonymity to its users.

As companies search for such services, Infrastructure as a Service (IaaS) has become the fastest growing sector in the cloud world, with projected annual growth rates above 40 percent through 2016. There are a wide range of cloud services to choose from, so some businesses might get lost trying to find the right solution for their needs.

Privacy Over Security

Most cloud services offer “secure” solutions through data encryption as well as hashed and salted passwords. But these popular standard security procedures still leave sensitive data vulnerable to third-party attacks. To truly enjoy total privacy for your business needs, an anonymous cloud storage and sharing service like SpiderOak provides all the convenience and savings of the cloud while protecting against hacking and security breaches.

Users store and share sensitive files with 100 percent privacy, as SpiderOak has “zero-knowledge” of consumer data and plaintext encryption keys. This means that the company and its employees never even have access to your password. Instead, the data encryption key for individual passwords is exclusively stored on each user’s computer. This way, every bit of consumer information, right down to the password is kept fully anonymous.


Hashed and Salted but Still Not Safe: Protected Password Storage

Posted by on May 24, 2013

In April 2013, the popular website LivingSocial was attacked, revealing sensitive consumer information held on the company’s servers. In an email sent by the company to users, LivingSocial acknowledged, “The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords – technically ‘hashed’ and ‘salted’ password.” To further calm customer fears, they added, “We never store passwords in plain text.” While reassuring on the surface, relying on salted and hashed passwords really doesn’t provide the protections that many companies claim.

Hashing and salting is a basic security standard

Image Courtesy of ReadWrite.com

50 million LivingSocial passwords were stolen due to inadequate security measures. The company hashed passwords with “SHA1 using a random 40 byte salt”. This means that LivingSocial’s system encrypted customer passwords through a popular algorithm, transforming plaintext passwords into unique strings of data called a “hash”. Then, to further jumble the encrypted password, the system adds a random mess of characters called a “salt”, which makes the password longer and more complex. The problem with this common method of password “protection” is that SHA1 is too popular and weak, especially for a company with as large a consumer database as LivingSocial.

Password hashing

Image courtesy of Filosophy.com

This watered-down security measure is simple to exploit. One way hackers could have taken advantage of the breach in LivingSocial’s system is by brute-forcing the password hashes in the company’s database. This involves cycling through the characters in each letterset using a hashing algorithm like MD5, until the attackers crack a user’s encrypted password.

To make this process faster, as in the case of the 50 million hacked passwords, attackers use rainbow tables to analyze the data. Rainbow tables contain all possible passwords, so shorter and less complex passwords are the first and easiest ones to crack. While salting and hashing have become the standard method of password encryption, all this really does is make the password longer and more complex. This means that hackers can still crack user passwords, especially when weak algorithms like SHA1 are relied on. The complexity of encrypted passwords just makes the cracking process longer.
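As an added illustration that is not part of the original post, the script below builds a LivingSocial-style record (one SHA-1 pass over a random 40-byte salt combined with the password; the exact concatenation order is assumed) next to a PBKDF2-HMAC-SHA256 record, and shows what the salt does buy (one precomputed table cannot be reused across users) and what it does not (each guess against a stolen record stays as cheap as one SHA-1, so only a deliberately slow hash raises the attacker’s per-guess cost). The iteration count is an assumed work factor, not a figure from the post.

```python
"""Hashed and salted, but with a fast hash: an added illustration of the
mechanism the post describes, using only the Python standard library."""
import hashlib
import hmac
import os
import time

SALT_LEN = 40                 # the post quotes a "random 40 byte salt"
PBKDF2_ITERATIONS = 200_000   # assumed work factor for the slow alternative


def sha1_salted(password: str, salt: bytes) -> bytes:
    """Fast hash: a single SHA-1 over salt || password (assumed construction)."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def pbkdf2_sha256(password: str, salt: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Slow hash: PBKDF2 repeats HMAC-SHA256 `iterations` times per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations)


def make_record(password: str, hash_fn) -> dict:
    """What a server stores for one user: a fresh random salt plus the digest.
    The salt is stored in the clear, so whoever steals the table has it too."""
    salt = os.urandom(SALT_LEN)
    return {"salt": salt, "digest": hash_fn(password, salt)}


def verify(record: dict, candidate: str, hash_fn) -> bool:
    """Recompute with the stored salt; compare in constant time so the check
    itself leaks no timing signal about how many bytes matched."""
    return hmac.compare_digest(record["digest"],
                               hash_fn(candidate, record["salt"]))


def salt_defeats_precomputation(password: str, hash_fn=sha1_salted) -> bool:
    """Two users with the same password get different digests, so a single
    precomputed (rainbow) table of password -> digest is useless across users."""
    a = make_record(password, hash_fn)
    b = make_record(password, hash_fn)
    return a["digest"] != b["digest"]


def per_guess_cost(hash_fn, samples: int) -> float:
    """Seconds one candidate guess costs someone who already holds the salt."""
    salt = os.urandom(SALT_LEN)
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"guess{i}", salt)          # constructed candidate guesses
    return (time.perf_counter() - start) / samples


def slowdown_factor() -> float:
    """How many times more expensive each guess becomes with PBKDF2 than with
    one SHA-1. The salt does not change this ratio; the work factor does."""
    fast = per_guess_cost(sha1_salted, 20_000)
    slow = per_guess_cost(pbkdf2_sha256, 3)
    return slow / fast


if __name__ == "__main__":
    rec = make_record("correct horse", sha1_salted)
    print("stored record verifies:", verify(rec, "correct horse", sha1_salted))
    print("salt blocks shared precomputed tables:",
          salt_defeats_precomputation("password123"))
    print(f"PBKDF2 makes each guess ~{slowdown_factor():,.0f}x more expensive")
```

Run it once and the printed ratio is the whole argument: a 40-byte salt forces per-user work, but with SHA-1 that work is microseconds per guess.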

Brute forcing

Image courtesy of Filosophy.com

This recent security breach is just one example of a chronic failure in the market to address privacy concerns and adequately protect sensitive user data. Just last year, user credentials from companies like eHarmony, Yahoo, and Formspring were hacked due to gaping security vulnerabilities. Through such examples it is obvious that merely going with the standard route of encrypting passwords by hashing and salting just doesn’t cut it. Recently, the note-taking service Evernote was also breached, revealing sensitive data on 50 million users. With just the instances of LivingSocial and Evernote, over 100 million users have had their personal information seized and exploited in the past year. And a cursory glance at the daily news reveals just how widespread issues of cyber security have become.

50 million Evernote passwords were hacked

Image courtesy of PCGerms.

Consumers who long took their online privacy for granted have woken up to the fact that they can’t rely on anyone but themselves to proactively keep their data safe. As a result, a drastic shift in the market is in store as users continue to reward companies that take extra precautionary measures to protect their information. As just about every sector of industry makes the switch to cloud storage and sharing for the sake of cost and convenience, protecting your privacy from attack and exploitation has become more important than ever.

Some simple steps to better encrypt your password can help complicate the cracking process in the event of a breach. One way to help bolster the standard encryption process of hashing and salting is by making a complicated password longer than twelve characters using as many random symbols as possible. When hashed and salted, this extra-complicated password will take much longer to crack, hopefully frustrating potential attackers to the point of moving on to a less difficult encryption.

But even complicated encrypted passwords won’t do much to keep you truly safe. Think of it like putting a simple lock on your car: it’s a standard precautionary measure, but it won’t do much to thwart a truly skilled thief. And in this day and age, just about any hacker with enough time and initiative can take advantage of the security gaps left by only using hashed and salted password encryption. And once a user’s encrypted password hash is cracked, attackers can try to break into other accounts held on other websites, exploiting the common fact that many users still use the same password for multiple sites and services.

True Privacy

Most popular “secure” cloud services are still vulnerable to third party attacks. To truly experience privacy for your individual or business needs, an anonymous cloud storage and sharing service like SpiderOak provides all the benefits of the cloud while protecting against hacking and security breaches.

Users can store and sync sensitive files with 100% privacy, as SpiderOak has “zero-knowledge” of consumer data given the company cannot access the plaintext encryption keys. This means that you and only you have access to your password as SpiderOak employees can never see your plaintext encryption keys (or password). Instead, this data encryption key (or password) is exclusively stored on each user’s computer. This way, every bit of consumer information, right down to the password, is kept private and anonymous.

BYOD & Plaintext Password Storage

Posted by on May 23, 2013

Most businesses have already made the switch to the cloud to capitalize on the efficiency and convenience cloud computing provides. But with news of rampant hacking successfully targeting everyone from major sectors of private industry to governmental agencies, online data storage and file sharing has brought up a whole new world of security concerns. Companies that have Bring Your Own Device (BYOD) policies in place for the sake of convenience and workflow must navigate around the dangers of password hacking and threats from third party attacks via mobile devices. Such devices, like phones and tablets, utilize apps that can scan and seize data like addresses. And users that connect to company email servers with mobile devices could even jeopardize the entire network if infected with malware, halting production and stalling profits.

The U.S. Army Corps of Engineers’ National Inventory of Dams was breached

Photo courtesy of the Department of Interior.

As more and more businesses realize the vulnerabilities of BYOD policies, many have turned to “secure” cloud storage and sharing services to enjoy the benefits of the cloud while minimizing the risk of attack. But the standard password protections of yesteryear no longer hold water against today’s sophisticated hacker. Recently, the hosting service Linode was hacked. In the security breach, hackers accessed user credit card information and passwords held on the company’s database. The company issued a statement attempting to reassure users that their information was safe because sensitive data was secured with both public and private key encryption. But for company services like Linode Shell and Lish, some passwords were stored on the database in plaintext. These services allowed users unlimited access to server consoles even in the case of a network outage, which raises the question of why user passwords were ever hosted in plain text with such dangerously privileged server access.

A Systemic Problem

It wasn’t too long ago that the hacker group LulzSec became a household name through the very public breach of SonyPictures.com. With just one simple SQL injection attack, the group was able to access the private information of over a million individual users. Everything from passwords to email addresses and birthdates was compromised as SonyPictures.com took no measures to properly secure such sensitive data, practically leaving private user information up for grabs by storing it all in plaintext.

Users were outraged and from the consumer blowback, it seemed that data storage services around the world would finally take data security and user privacy seriously. Unfortunately, such hacks are now so commonplace they hardly even make the news anymore. From the continued and common practice of storing sensitive information in plaintext to weak password encryption services that give the illusion of safety, many popular companies continue to be the worst offenders.

In 2012, Yahoo quietly suffered an attack on one of its sub-domains. By simply exploiting an insecure URL, hackers were able to seize over 400,000 user passwords from Yahoo’s Contributor Network. Most revealing of all, the sensitive files weren’t even encrypted. Instead, this industry leader chose to dangerously store user information in plaintext.

LinkedIn

Image courtesy of ABCNews.com

But even when storage services take precautions to secure their users’ data, these attempts can often be halfhearted, still leaving information that should be completely private wide open to attack. The professional networking service LinkedIn was another recent victim of a password breach, with over six million hashed passwords leaked. Essentially, hashing helps secure passwords by converting them into a jumble of encrypted characters. While taking this first step in security, LinkedIn failed to take the second common measure of salting the hashed passwords. Salting helps to randomize the hashed passwords by including an extra string of characters, making the salted and hashed password even harder to crack.
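The difference between LinkedIn’s unsalted hashes and the salted-but-fast SHA1 scheme from the LivingSocial post above (with its brute forcing and rainbow tables), shown in working Python as an added example that is not code from any of the companies named. The candidate password list and the 40-byte salt are constructed, and PBKDF2 is brought in to show what a deliberately slow, salted scheme changes for a defender.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Iterable, Optional, Tuple

# Constructed candidate list for illustration; real breaches are attacked with far larger lists.
CANDIDATE_PASSWORDS = ["123456", "password", "letmein", "qwerty", "Tr0ub4dor&3"]


def sha1_unsalted(password: str) -> str:
    """Bare SHA-1 digest, the unsalted scheme the article attributes to LinkedIn."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """Random per-user salt plus SHA-1, the scheme the article attributes to LivingSocial."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def pbkdf2_record(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Salted and deliberately slow: every guess costs `iterations` HMAC-SHA-256 rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify_pbkdf2(password: str, salt: bytes, record: str, iterations: int = 200_000) -> bool:
    """Constant-time comparison of a login attempt against the stored record."""
    return hmac.compare_digest(pbkdf2_record(password, salt, iterations), record)


def build_lookup_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Digest -> password table computed once and reusable against every unsalted hash
    in a dump. A rainbow table is a space-compressed version of this same idea."""
    return {sha1_unsalted(p): p for p in candidates}


def lookup_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Unsalted hash: a single dictionary lookup recovers the password, no hashing needed."""
    return table.get(stored_hash)


def guess_salted(stored_hash: str, salt: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Salted hash: the precomputed table is useless, but a weak password still falls to
    hashing each candidate with that user's salt; with SHA-1 each attempt is microseconds."""
    for p in candidates:
        if hmac.compare_digest(sha1_salted(p, salt), stored_hash):
            return p
    return None


def shared_password_visible(password: str) -> Tuple[bool, bool]:
    """Two users with the same password: returns (unsalted digests equal, salted digests equal).
    Equal unsalted digests let one cracked record be reused for every duplicate in the dump."""
    unsalted_equal = sha1_unsalted(password) == sha1_unsalted(password)
    salted_equal = sha1_salted(password, os.urandom(40)) == sha1_salted(password, os.urandom(40))
    return unsalted_equal, salted_equal


def seconds_per_guess(func, *args, repeats: int = 20) -> float:
    """Rough wall-clock cost of one hashing attempt under the given scheme."""
    start = time.perf_counter()
    for _ in range(repeats):
        func(*args)
    return (time.perf_counter() - start) / repeats


if __name__ == "__main__":
    salt = os.urandom(40)  # the "random 40 byte salt" the LivingSocial post quotes
    table = build_lookup_table(CANDIDATE_PASSWORDS)
    print("unsalted lookup:", lookup_unsalted(sha1_unsalted("password"), table))
    print("salted guess   :", guess_salted(sha1_salted("password", salt), salt, CANDIDATE_PASSWORDS))
    print("same pw visible (unsalted, salted):", shared_password_visible("letmein"))
    fast = seconds_per_guess(sha1_salted, "password", salt)
    slow = seconds_per_guess(pbkdf2_record, "password", salt, repeats=3)
    print(f"SHA-1 guess {fast:.2e}s, PBKDF2 guess {slow:.2e}s, ratio ~{slow / fast:,.0f}x")
```

The salt removes the shared lookup table and the duplicate-password leak, but only the slow derivation changes the per-guess cost that decides how far a weak password survives.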

Salting and hashing

Image courtesy of QuickHeal.com

Though salting and hashing are not completely secure by any means, the failure of many big companies to even undertake such basic precautionary measures just goes to show how widespread this problem has become. As PayPal chief information security officer Michael Barrett put it, “Password hacking is now the work for script kiddies.” Even the U.S. Army has had trouble securing their databases from attack, as shown by a recent breach on the U.S. Army Corps of Engineers’ National Inventory of Dams.

Secure Solutions

In the wake of the cloud computing revolution, a new group of cloud storage services have emerged, marketing themselves as secure solutions to third party threats. But popular services like Dropbox have lately come under fire for the fact that employees have access to private and unencrypted user data. And even with encrypted data, the encryption keys could always be accessed through savvy hacking or even legislation like CISPA.

For users and businesses looking for a truly private storage solution, a zero-knowledge service provider like SpiderOak offers the convenience of the cloud while ensuring complete user privacy and anonymity. True zero-knowledge storage means that the company and its employees never have access to your password and plaintext encryption keys. Instead, the data encryption key is stored exclusively on the user’s computer, so that sensitive consumer information stays completely private.

Clearing Up the Cloud: Privacy vs. Security

Posted by on May 22, 2013

For businesses and individual users that need more storage than most, cloud storage and sharing solutions have revolutionized the world of data management. Hosting sensitive files on a hard drive is dangerous because it leaves data open to attack and even loss in the case of a power outage or system failure.

So instead of taking up space with expensive onsite servers, many are opting for the convenience of cloud storage, in which data “floats” in an online network. While this newer and increasingly popular method of data storage and management is easier on the budget and company workflow, cloud services have also become prime targets for hacking. Early in 2013, the cloud service Evernote suffered an attack on its servers. The consequence of this single breach of security is that user names, private email accounts, and even individual passwords were accessed, threatening the security of users as well as diminishing public confidence in the company.

Stuart McClure, former chief technology officer of McAfee

Photo courtesy of Flickr.com

According to some data security experts like Stuart McClure, former chief technology officer of McAfee, finding a truly secure cloud storage service can often be like “picking a dog with the least fleas.” But even cautious business owners and web-savvy users have made the shift to the cloud in droves despite security concerns to save money that would otherwise be spent on expensive servers and a bigger staff.

PaaS Market Forecast

Image courtesy of Gartner.com

The convenience of the cloud makes up for lack of resources and funding, ultimately generating a massive amount of savings for most midsize businesses and firms looking to cut costs on hardware, software, upgrades, and staff. But all of these added benefits don’t make up for the devastating consequences a security breach could leave on a company, and those that have already made the switch to cloud storage are now scrambling to find secure solutions to the threat of attack. As cloud computing is predicted to grow by close to 20 percent this year, the cloud security market is filling in vulnerabilities left by this revolution in the market, with projections that cloud security services will make up about 10 percent of the IT security market within two years.

Cloud computing & IT spending

Image courtesy of SoftwareStrategiesBlog.com

While the threat of attack remains a very real possibility, with proper security measures, no one should be dissuaded from taking their business to the future that is cloud computing. For one, cloud storage allows companies to tap the resources of workers all around the world for real-time collaboration and increased productivity. And for anyone that’s ever experienced the nerve-shattering frustration of having a company server attacked or even just offline for a few hours, switching from easily compromised onsite servers to cloud storage saves both time and money. Ultimately, finding a secure cloud service is much cheaper and more convenient than the alternative of hiring a bigger staff and maintaining onsite storage.

What About Security?

While the pros definitely outweigh the cons in making the switch to the cloud, all that convenience and money saved means nothing if your sensitive data is hacked. Storing company data or private information like financial and health records on a cloud means that those cloud servers could still be hacked unless the service is somehow anonymous and fully private.

The issue of cloud security is complicated and many users and businesses that have made the switch unfortunately don’t take the time to research the stark differences between the varieties of cloud solutions on the market. Many cloud providers understand the vulnerabilities of their services and offer encrypted passwords as a line of defense against third party attacks. But this common response still leaves gaps that invite dangerous security breaches.

Most of these “secure” cloud services are still quite vulnerable, with reports of services being hacked almost on a daily basis, from Yahoo emails to LivingSocial. An encrypted password is just a slight complication for a savvy attacker, and will do little to protect your private data from the eyes of anyone with enough drive and skill to seize it. What compounds the problem is the convenient but dangerous and popular company policy of Bring Your Own Device.

Bring Your Own Device policies allow workers to utilize their own devices to access the company cloud. Common cloud storage services like Dropbox and Evernote, can leave sensitive corporate information vulnerable to breach by third party attacks. But with a fully anonymous and private cloud storage system, users and companies can take full advantage of the benefits of cloud computing and Bring Your Own Device policies without having to worry about the major threat of hacking.

Privacy vs. Security

Though “secure” clouds are still vulnerable to data mining and attack, a truly private cloud storage and sync service like SpiderOak can provide all the convenience and cost savings while guaranteeing protection from third party attacks and security breaches.

Users can store and synchronize sensitive files without having to worry about cyber spying, hacking, or even data mining from the company itself, as SpiderOak has “zero-knowledge” of your data stored on its servers as it never has access to your password in plaintext. This means that the company is technically incapable of reading your information, making this fully private and anonymous storage and sync service a stark contrast to vulnerable “secure” clouds.

Keeping Your Photos Safe From Hacking & Extortion

Posted by on May 21, 2013

The digital age has given people convenient ways to store and share their photographs with loved ones all around the world. But with online photo storage come new risks, as shown by the seemingly endless scandals circling politicians and celebrities from hacked photos. The powerful and famous aren’t the only ones that fall victim to online attacks, and as recent news shows, everyone should secure their photographs from potential attack. Private photos have become a prime hacking target for everyone from snooping journalists and disgruntled workers to extortionists and blackmailers.

Unfinished paintings by George W. Bush.

Photo courtesy of Salon.com

Recently, hacked Bush family emails revealed a collection of paintings by George W. Bush, showing just what the former president had been doing with his time since occupying the White House. While this is one of the lighter sides of recent hacking news, it just goes to show that standard email photo storage isn’t safe or secure for anyone, not even former presidents.

George W. and George H.W. Bush

Photo courtesy of LATimes.com

A growing concern is the increase of the crime known as “sextortion”, in which predators hack into private email accounts in order to extort victims through any sensitive photographs or videos. In April, two men were sentenced in California for threatening professional poker players with extortion through photographs stolen from the players’ email accounts. That same month, another man was accused of the attempted extortion of 14 different women through supposedly compromising photos retrieved from their hacked emails. And in Palestine, women face a new threat in the form of online blackmail. Many Palestinian women are discouraged from even posting or hosting photographs online, knowing that people could easily access their email accounts to retrieve photos, which have been successful tools for blackmail in the hands of hackers.

Yahoo was hacked in 2012

Photo courtesy of CSMonitor.com

From everyday parents that want to keep pictures of their children offline, to users in volatile regions of the world that have to worry about the daily threat of blackmail, safely storing private photographs has become a new standard in basic personal online security. There are countless online photo storage companies to choose from that offer supposedly “secure” services, but simply having a password (even if it’s encrypted), isn’t a guarantee against having your private photos turned public. The only way to ensure that your private photos stay private, is to opt for a fully anonymous storage and sharing service like SpiderOak.

Protecting Your Photos

Through SpiderOak, users can conveniently store their photos online without having to worry about attacks or monitoring. This truly private storage and sync service is 100% anonymous, meaning that no one, not even the company’s own employees, can access the plaintext data uploaded to its servers.

Here’s how to use SpiderOak’s private cloud storage system to safely protect your photographs:

Step 1: Download SpiderOak through the website and install the application.

Step 2: When the application launches, click the ‘Advanced’ button and then find the ‘Category’ box in the left window pane.

To select ‘Pictures’ simply check the box or – to select specific folders under the Picture category – click on the word ‘Pictures’. This will bring up the computer folder where you saved your photos. Next, find and select the digital evidence of your college exploits, awkward yearbook pics, and any other photos you want to keep private and click Save.

Step 3: If you want to secure more than 2 GB of those all-important pictures, you can click on the ‘Buy More Space’ button and choose the plan and pricing level that’s right for you. Unless you’re a small business or a professional photographer, chances are that the lowest level plan ($10 per month for 100 GB) will fit your storage needs.

Step 4: After the upload is finished, your photos will be fully private and secure on SpiderOak’s server, anonymously stored forever. And you’ll be able to finally relax, knowing that the only proof of that terrible Halloween costume from last year is truly for your eyes only.

Syncing Your Photos With SpiderOak

For professional photographers on the go and social media shutterbugs, a convenient option for keeping your photos with you wherever you might go is to take advantage of syncing with SpiderOak. This service’s Sync function keeps a user’s synchronized folders up to date and in real-time across a wide range of devices. Here’s how:

Step 1: Find and select the Sync tab. If this is your first time syncing with SpiderOak you won’t see any syncs listed yet. Next, find and click the ‘New’ button. This will open up the Sync Wizard, which will guide you through the rest of the syncing process.

Step 2: Choose a name for the Sync and be sure to make it unique as you can keep multiple Syncs going at once with SpiderOak. This means that you can keep your business documents, financial files, and whatever else you like syncing and up to date across your devices while your photos seamlessly upload to SpiderOak’s anonymous storage system.

Step 3: Select the photo folders you want to keep current and in sync across your computers and click ‘Save’.

Now your photos will benefit from privacy, accessibility and complete anonymity from anyone but yourself. For professional photographers, this revolutionizes the industry, in which the threat of hacked photographs could ruin careers, while Instagram addicts can keep their most treasured memories safe and current across all their devices through syncing with SpiderOak. And for most online users, this anonymous and fully secure storage system means the return of true privacy in an age of rampant hacking and potential extortion.

CISPA & A New Era in Legal Cyber Spying

Posted by on May 20, 2013

CISPA, or the Cyber Intelligence Sharing and Protection Act, is a bill that sets a dangerous precedent for the ongoing erosion of online privacy. Presented as an urgent solution to the threat of hacking and cyber attacks, this controversial piece of legislation’s most recent rewrite is still full of loopholes that throw personal privacy out the window.

CISPA

Image courtesy of CopyPress.com

Under its current wording, CISPA would open the door to warrantless governmental monitoring of your online activity. The private sector would be able to legally search and seize sensitive user information including emails, health records, search history, and even banking information. In this broad violation of American cyber privacy, employers in the United States could even require employees to disclose their social media passwords.

CISPA bill text

Image courtesy of tropicsofmeta.wordpress.com

CISPA’s legal standing is still shaky, but having passed the US House of Representatives, privacy advocates are up in arms in an ongoing battle to protect sensitive data from prying eyes. The problem with the proposed legislation is that the federal government and businesses could freely share user data without having to ever deal with the normal legal process of acquiring a warrant. This loophole around anti-trust and classification laws would leave your private and sensitive data open to hacking and data mining from other third parties, as there are no rules requiring companies to delete or secure financial or health records before sharing them with the feds.

CISPA co-author Rep. Mike Rogers (R-Mich.).

Photo courtesy of Mashable.com

If signed into law, American citizens, normally accustomed to due process, would have their private records and information open to data mining, spying, and quasi-legal investigations. This new violation of privacy would undermine centuries of precedent of guaranteed security against warrantless search and seizures. For some reason, while a physical file would require a warrant to obtain, some companies and sectors of the government don’t seem to think that online files should be awarded the same security.

Senator Jay Rockefeller (D-W. Va.).

Photo courtesy of Politico.com

Luckily for you and your data, advocates for online privacy have gained enough public attention and support to sway the Senate. And according to recent news, the Senate may not have enough votes to take up the House-passed piece of legislation, with vocal critics like Senator Jay Rockefeller (D-W. Va.), chairman of the Senate Committee on Commerce, Science, and Transportation, coming out against the bill’s lack of privacy protections. And even President Obama has lately reiterated his 2012 claim that he would issue a presidential veto, should CISPA ever come to his desk.

Fighting Back With the Right to Know Act

But don’t rest too easy just yet, as CISPA’s advocates in both the government and private sector are sure to come back in no time with the next iteration of legalized privacy violations. Instead of passively waiting for the next fight for online privacy and due process in the digital era, groups like the ACLU of Northern California and the Electronic Frontier Foundation have been joined by privacy advocates to help pass the Right to Know Act (AB 1291). This proposed bill would grant the public access to any personal data that companies store on them or share with others. If passed, California residents would be able to request their user files, as well as a list of any other companies with which their user data was shared. Regardless of whether or not a company was online or offline, this transparency bill would grant unprecedented citizen access to information on how their user data is being stored and trafficked.

So even if a bill like CISPA passed, under the proposed protections of the Right to Know Act, Californians could keep one step ahead with knowledge of which companies indulge in shady data mining and sharing. With awareness of which companies systematically violate user privacy by exploiting their data for profit, online users can make more informed consumer decisions. And with the knowledge that users will be watching their every move, companies will be much less likely to engage in the rampant storing and selling of supposedly private consumer data that sadly marks the current state of the market.

Protecting Your Data in the Meantime

As privacy advocates and informed consumers keep watch on the latest developments regarding CISPA and the California Right to Know Act, you can still keep your files and private data safe from the eyes of legal snoops. Instead of waiting for legislation and governmental protections, make the switch to an encrypted cloud storage and sharing service like SpiderOak to keep your sensitive files, documents, and photos truly safe from any prying eyes.

Currently, even without CISPA, private companies like Google openly engage in the mining and selling of user data and the outdated Electronic Communications Privacy Act of 1986 allows governmental agencies to read your email without a signed warrant. The only way to get around this loophole in online privacy is to proactively protect your sensitive files, from emails to financial documents and health records.

Most cloud storage and sharing services only protect users with encrypted passwords, which are still vulnerable to savvy hackers. And of course, governmental agencies from the Department of Defense to the IRS are still able to request user data without a warrant. But with SpiderOak, users can store and share sensitive files without ever worrying about cyber spying from hackers, companies, or even the government.

SpiderOak’s server has “zero-knowledge” of your data, which means that only users have readable access to their files, making this service private and anonymous. No one but the user has access to their password, so even if requested by the government to hand over your files or retrieve your password, the company wouldn’t even be able to.