October 2013 - Page 2 of 3 - The Privacy Post


Metasploit’s DNS Registrar Hacked Via Fax

Posted on Oct 17, 2013


Image from http://www.theguardian.com/


Metasploit is a penetration-testing framework used by computer and network security professionals worldwide to test corporate systems and determine whether known vulnerabilities have been fixed. Recently its website was hijacked by a group of pro-Palestinian hackers, who managed the takeover by simply sending a fax. The four-person group, known as the KDMS Team, came to prominence a few weeks earlier when it hijacked the websites of the popular messaging service WhatsApp and the antivirus company AVG.

This time the hackers tricked Metasploit’s DNS registrar, Register.com, by faxing a request to change the IP addresses associated with the Rapid7 and Metasploit domains. As a result, visitors to the homepages of these sites were redirected to a politically charged message. The domains pointed to a page containing a message from the KDMS Team, reading in part:

Image from http://www.theguardian.com/


This kind of attack is called a DNS redirect “which involves an attacker changing the records which tell web browsers what server lies behind any given web address”. According to HD Moore, chief research officer at security company Rapid7, the website was “hijacked through a spoofed change request FAXED to Register.com. Hacking like its 1964.”

Image from http://www.ibtimes.co.uk/


Immediately after the attack, Rapid7 asked the registrar to block all changes to its domains unless they were authorized by phone. The company is also considering top-level domain (TLD) registry locks to prevent unauthorized changes at the registrar. “These locks introduce hurdles for normal changes to our infrastructure and so we were still in the planning stages. In hindsight, we should have taken action sooner,” said Moore.

The attackers did not compromise the servers running these websites, and the redirect was fixed within an hour. But the attack had the potential to cause serious damage by sending users to a spoofed site asking for personal details such as Social Security and credit card numbers.

The KDMS group carried out similar attacks on the websites of WhatsApp, AVG and Avira, performing a DNS redirect by sending a fake password reset request. Those firms were registered with a different registrar, Network Solutions. Besides Rapid7 and Metasploit, two other companies registered with Register.com, Bitdefender and ESET, also fell prey to the KDMS Team’s DNS redirect attack.

These are some of the steps that businesses can take to protect themselves from similar attacks:

  • Train employees to recognize phishing attacks: One of the things that led to this attack was the registrar’s response to the attacker’s fake fax request, which changed the IP addresses of Metasploit and Rapid7. Employees need to be trained to tell a fake request from a legitimate one. If they find any request suspicious, they should call the requestor directly and ask about it.
  • Implement registry locks for better security: As Moore pointed out, all the victims of these attacks lacked registry locks on their domains. “A registry lock is a status code applied to a web domain name that is designed to prevent incidental or unauthorized changes – including modifications, transfers or deletion of domain names and alterations to domain contact details – without first authenticating to the top-level domain operator.”
  • Monitor DNS settings: Lastly, businesses should regularly monitor the DNS settings of their business-critical domains, checking for changes to registration information and to the IP addresses the domains resolve to. This lets a business spot a security breach quickly and take suitable measures immediately to remediate it.
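As an added illustration of the last two steps (this is example code written for this post, not tooling from Rapid7, Metasploit or Register.com), the Python script below keeps a baseline of the A records an operator expects for each domain and reports any drift, and it checks WHOIS output for the EPP status codes that a registry lock sets on a domain (serverUpdateProhibited, serverTransferProhibited, serverDeleteProhibited are the real ICANN codes). The domain names, addresses and WHOIS excerpt are constructed sample data so the script runs offline; `resolve_live` is the only function that touches the network, and it is what you would swap in for the sample observation on a scheduled run.

```python
"""Baseline-and-diff monitoring for DNS resolution and registrar lock status.

Added example for this post; not Rapid7's or Register.com's tooling. The
baseline, the "observed" records and the WHOIS text below are constructed
sample data so the script runs offline; `resolve_live` is the only function
that touches the network.
"""
import socket
from typing import Dict, List, Set

# Constructed baseline: the A records the operator expects for each domain.
# Addresses come from the RFC 5737 documentation ranges, not real hosts.
BASELINE: Dict[str, Set[str]] = {
    "example-corp.test": {"192.0.2.10", "192.0.2.11"},
    "tools.example-corp.test": {"192.0.2.20"},
}

# EPP status codes a registry lock sets on a domain. A domain missing any of
# these can be updated, transferred or deleted without the out-of-band
# authentication with the TLD operator that the post describes.
EXPECTED_LOCKS = {
    "serverUpdateProhibited",
    "serverTransferProhibited",
    "serverDeleteProhibited",
}


def resolve_live(domain: str) -> Set[str]:
    """Resolve a domain's IPv4 addresses with the system resolver (network)."""
    _, _, addrs = socket.gethostbyname_ex(domain)
    return set(addrs)


def dns_drift(baseline: Dict[str, Set[str]],
              observed: Dict[str, Set[str]]) -> List[str]:
    """Return one alert line per domain whose observed A records differ from
    the baseline. A domain with no observation is reported too, because a
    resolution failure on a critical domain is itself worth a look."""
    alerts = []
    for domain, expected in sorted(baseline.items()):
        seen = observed.get(domain)
        if seen is None:
            alerts.append(f"{domain}: no observation")
            continue
        added = seen - expected
        removed = expected - seen
        if added or removed:
            alerts.append(
                f"{domain}: unexpected {sorted(added)} missing {sorted(removed)}"
            )
    return alerts


def parse_whois_status(whois_text: str) -> Set[str]:
    """Pull EPP status codes out of 'Domain Status:' lines in WHOIS output.
    Registries print the code followed by an ICANN URL; keep only the code."""
    statuses = set()
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "domain status" and value.strip():
            statuses.add(value.split()[0])
    return statuses


def missing_locks(whois_text: str) -> Set[str]:
    """Lock statuses the domain should carry but does not."""
    return EXPECTED_LOCKS - parse_whois_status(whois_text)


# Constructed observation: the second domain now resolves to an address that
# is not in the baseline, the way a hijacked record would; the first is fine.
OBSERVED_SAMPLE = {
    "example-corp.test": {"192.0.2.10", "192.0.2.11"},
    "tools.example-corp.test": {"198.51.100.7"},
}

# Constructed WHOIS excerpt for a domain carrying only a registrar-side
# (client*) lock and no registry lock.
WHOIS_SAMPLE = """\
Domain Name: EXAMPLE-CORP.TEST
Registrar: Example Registrar, Inc. (constructed)
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.EXAMPLE-CORP.TEST
"""

if __name__ == "__main__":
    for alert in dns_drift(BASELINE, OBSERVED_SAMPLE):
        print("DNS DRIFT:", alert)
    for lock in sorted(missing_locks(WHOIS_SAMPLE)):
        print("NO REGISTRY LOCK:", lock)
```

On a real deployment the observation dictionary would be built with `resolve_live` from more than one vantage point, since a poisoned local resolver and a changed authoritative record look the same from a single host; the diff logic is identical either way.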


SpiderOak Blue for Enterprises:

Finding a truly secure third-party cloud service can be a challenge, as many services on the market have security gaps that leave private data vulnerable to third-party attacks. One cloud storage and sync service that sets itself apart is SpiderOak Blue. This service provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.

SpiderOak Blue protects sensitive enterprise data through two-factor password authentication and 256-bit AES encryption so that files and passwords stay private as unreadable blocks of data. Two-factor authentication is just like the process used by some financial services that require a PIN as an extra precaution along with a password in order to log in. With SpiderOak, enterprises that choose to use two-factor authentication must submit a private code through text along with their unique encrypted password. Authorized accounts can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices (SpiderOak never hosts any plaintext data). SpiderOak Blue’s cross-platform private cloud services are available for enterprises on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices.


Russian Government Installs Olympic Surveillance

Posted on Oct 16, 2013

Image from http://www.thelogofactory.com


The Russian government is planning to install extensive surveillance to keep tabs on the athletes and spectators attending the Winter Olympic Games in Sochi. It has taken every measure to ensure that no communication by spectators or athletes goes unmonitored during the event. According to research by two investigative Russian journalists, Andrei Soldatov and Irina Borogan, the Russian authorities have made excellent arrangements in terms of communications support, including 4G coverage and free Wi-Fi throughout the city of Sochi. But Internet, telephone and other communications providers have to build their networks so that the Russian security service, the FSB, can access and monitor all the traffic using Sorm, Russia’s system for intercepting phone and Internet communications.

The reports suggest that the FSB has been upgrading the Sorm systems across Russia with the extra traffic during the games in mind. By law, all Internet and telecom providers have to install Sorm boxes, and once they are installed the FSB can access data without even notifying the service providers. Along with Sorm, the Russian security service is also planning to install “deep packet inspection” technology that will allow intelligence agencies to filter users by particular keywords. This controversial technology will be installed across Russia’s networks and is required to be compatible with the Sorm system for network monitoring and data analysis. “There is an element of meta-data gathering, but Russian security services are not so interested in meta-data. This is about content,” Soldatov told The Telegraph, citing an “information security concept” document laying out these measures. “The idea seems to be to make communications in Sochi totally transparent for the Russian authorities. For example you can use the keyword Navalny, and work out which people in a particular region are using the word Navalny,” says Soldatov, referring to Alexei Navalny, Russia’s best-known opposition politician. “Then, those people can be tracked further.”

A diagram of the Sorm surveillance system. Image from http://www.wired.com

The US State Department’s Bureau of Diplomatic Security has also warned those travelling to Russia this year for the Olympics to take precautions with communications and devices. The brochure sent out by the State Department warns business travelers not to share trade secrets, negotiating positions or other sensitive information during the games, as that information might be taken and shared with competitors, counterparts, and/or Russian regulatory and legal entities.

While this kind of intensive surveillance and monitoring poses risks to the privacy of people attending the Games, the Russian government claims to be taking such strict security measures for the protection of Sochi against terrorist attacks. Sochi neighbours Russia’s turbulent North Caucasus, where federal forces are fighting long-running separatist insurgencies, both Islamist and secular. Doku Umarov, a rebel leader who has claimed responsibility for a number of suicide bombings in Moscow in recent years, has called on his followers to attack the games.

Although the Russian surveillance program for the Olympics may sound similar to the PRISM program, there are differences between the two. In the US and Western Europe, a law enforcement agency needs a court warrant before it can require a network operator or Internet service provider to intercept communication channels and provide the requested information. In Russia, the FSB also needs an eavesdropping warrant, but it is not obliged to show it to anyone. Telecom and Internet providers have to pay for the Sorm equipment and its installation but have no access to the surveillance boxes. The FSB therefore does not have to contact the service providers at all; an officer instead calls on the security controller at FSB headquarters, which is connected to the Sorm device on the ISP’s network.

The Guardian quoted Ron Deibert, a professor at the University of Toronto and director of Citizen Lab, which co-operated with the Sochi research, as calling the Winter Games SORM upgrades “PRISM on steroids”. The difference in the two countries’ surveillance infrastructures can be found where the communications providers’ rights intersect with the government’s pre-emptive power to force its will upon them, he said: “The scope and scale of Russian surveillance are similar to the disclosures about the US programme but there are subtle differences to the regulations… We know from Snowden’s disclosures that many of the checks were weak or sidestepped in the US, but in the Russian system permanent access for Sorm is a requirement of building the infrastructure.”

Data privacy with SpiderOak

Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access.

Interested in SpiderOak Products?

SpiderOak carved its niche as the top choice for those most concerned with privacy.

The engineering goal was simple: devise a plan where users’ files, filenames, file types, folders, and any other personal information are never exposed to anyone for any reason (even under government subpoena). This describes SpiderOak’s ‘zero-knowledge’ privacy environment.

SpiderOak offers products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Hive keeps all your files in sync across your computer and mobile devices. Here the end user owns the data and is the only one with the keys to unlock and look at plaintext data. You can sign up for this product at

SpiderOak Blue works seamlessly in your enterprise environment. To resolve authentication it deploys a virtual appliance that resides behind your firewall and integrates with Active Directory / LDAP for single sign-on. SpiderOak Blue is compatible with Mac, Windows, Linux, iOS and Android platforms. It is now available through a limited release. We have been working with several large enterprises through the beta period and will continue towards general release. If you’re curious about the product, please send an email to blueinfo@spideroak.com and we will get back to you soon.


Google’s new policy poses privacy risks

Posted on Oct 15, 2013

Image from http://www.jeffbullas.com/


Google recently announced that it is modifying its Terms of Service. Under the new policy, Google will include users’ names and profile pictures in product endorsements in its advertisements. The change takes effect on Nov 11.

The endorsements will come from people who have signed up for Google+ accounts; Google+ currently has 390 million active users per month. Under the new policy, if a user above the age of 18 endorses something on Google properties by giving it a +1, commenting on it or following it, his or her name and photo can show up in Google ads. The policy does not apply to users under the age of 18. For example, “if you search for “Italian restaurants,” you might see an ad for a nearby restaurant along with your friend’s favorable review. Or, in Google Play, you might see that another friend has +1’d a new song or album”. Explaining the changes, the company said, “We want to give you — and your friends and connections — the most useful information. Recommendations from people you know can really help.” This information will only be shown to the people you have chosen to share the content with (friends, family or others). However, people who do not use Google+ may be able to see endorsements based on public content.

Google has introduced a setting called “Shared Endorsements” that gives you control over the use of your name and photo in endorsements. You can opt out of the ads by turning off the Shared Endorsements setting. This opt-out applies only to use in ads; your photo and profile name can still be used in other Google services such as Google Play.

Image from http://www.insidefacebook.com


Google seems to be following in the footsteps of Facebook, which made a similar announcement in the past. Under Facebook’s “Sponsored Stories” feature, users’ faces and names show up in ads for the products they have clicked “like” on. But unlike Google, Facebook does not let users opt out. The feature was extremely unpopular with Facebook users and drew severe backlash from security experts. It also resulted in a class action lawsuit, which claimed that the company changed its privacy settings without notifying users. Facebook paid $20 million to settle the lawsuit and has proposed to clarify how user names and photos will be used in ads as part of implementing the change. However, the implementation of the new policy is still pending and has been sent to the Federal Trade Commission for further review. The FTC is reviewing Facebook’s new policy to determine whether the change violates the company’s 2011 privacy settlement with the federal government. That agreement required Facebook to give adequate notice of changes in privacy policies and to make sure users aren’t misled about how their data is going to be used.

Google’s new move has also led to protests by Google+ users. According to a report on CNET, some Google+ users have changed their profile pictures to that of Google executive chairman Eric Schmidt, so that Schmidt’s face would show up alongside any endorsements pulled from their accounts.

Image from http://news.cnet.com/


The privacy concerns about Google’s new policy have also prompted Sen. Ed Markey (D-Mass.) to send a letter asking the Federal Trade Commission to evaluate Google’s policy of including user names and photos in advertisements. “Without users’ explicit permission, Google should not take consumer posts and turn them into product endorsements,” Markey said in a statement. He has asked the FTC to review the policy and determine whether it violates an earlier privacy agreement between Google and the FTC. Google has not commented on Markey’s letter.



SpiderOak on Opposing NSA Surveillance

Posted on Oct 14, 2013

Image from http://www.cato.org


Last week, the Cato Institute organized a day-long conference on the NSA surveillance disclosures and data privacy protection. The conference, titled “NSA Surveillance: What we know; what to do about it”, brought together members of the government, privacy advocates, lawyers, journalists, and technology and security experts. Senator Ron Wyden (D-OR), Rep. Justin Amash (R-MI) and Rep. F. James Sensenbrenner (R-WI) were the keynote speakers of the day. SpiderOak’s David Dahl was a member of the technology panel. Discussions covered the reporting challenges, legal issues, technology and business dimensions, and potential reforms related to NSA surveillance.

Image from http://www.cato.org


In his morning keynote speech, Senator Ron Wyden said that the details of the PRISM revelations should be made clear to the general public. Wyden said he expected a tough legislative battle against the “defenders of the status quo”, whose arguments, he said, had “Alice in Wonderland flavors” that left the public with a distorted view of the NSA’s activities and the effectiveness of oversight. Supporting a comprehensive surveillance reform bill, he went through the reform ideas put together by members of Congress since the latest revelations by the former NSA contractor Edward Snowden:

  • Ending the collection of the telephone records of law-abiding American citizens.
  • Reforming the FISA court that oversees the agency’s foreign intelligence programs.
  • Allowing private companies to disclose the requests the NSA makes for mass digital data collection and their responses to government requests.
  • Closing the loopholes and backdoors that allow the NSA to collect user data without a warrant.

He said that members of Congress are trying to take the best ideas on these important issues and synthesize them into a comprehensive reform agenda.

The afternoon technology panel featured key members of the technology field, including Karen Reilly of the Tor Project, Jim Burrows of Silent Circle, David Dahl of SpiderOak, Matt Blaze of the University of Pennsylvania and the American Civil Liberties Union’s Christopher Soghoian. The panel discussed how the NSA collects mass digital information by tapping into telephone call records, accessing the Internet traffic of major Internet companies, and discouraging the use of strong encryption standards for secure communication.

Image from http://www.cato.org


The question raised was: under these circumstances, where the government prevents companies from disclosing the exact statistics of surveillance requests and will continue to snoop on user data in the name of national security, what security controls or technologies are on the market to protect our data? In response, David Dahl said that SpiderOak has no keys or plaintext data that it could hand over to the government; all the data stored on SpiderOak’s servers is encrypted. “All our data is literally garbage,” he said. “With our text and phone we have nothing to give” the government. SpiderOak’s encryption holds even against someone with physical access to the storage servers. Christopher Soghoian argued that people choose services like SpiderOak and Silent Circle over Dropbox and Skype because of the extra level of security they provide to their customers. If these companies comply with the government’s PRISM program, they lose the confidence of their user base and their reputation is damaged; if they do not comply, they face the risk of being shut down. “This growing economic sphere is under threat,” Soghoian said. The U.S. is “a global leader, we should do everything to grow this market, but instead the Department of Justice and the NSA squashes them before they are big enough to fight for themselves.”

The panel also agreed that there is no secure email service in place today, and improvements need to be made in that regard. A suggestion was made to use WebRTC for secure peer-to-peer communication.



How The Cloud Impacts Developing Economies

Posted on Oct 11, 2013

Image from http://blog.cloudbees.com/


Cloud computing has been the new trend in the technology market for the last few years. With its advent, it has become possible for individuals and organizations to access data and computing resources from anywhere at any time. Many industries and businesses in developed countries are embracing the technology for its flexibility, effectiveness and speed.

While much has been said about the impact of cloud computing in developed economies, less attention has been given to its impact in developing economies. There is huge growth potential for cloud computing in developing economies, for a number of reasons. It can be extremely beneficial to developing nations by reducing the cost of investment in information and communication technology (ICT) infrastructure. Companies can boost their businesses by getting access to the best business applications and infrastructure at negligible cost. The result is more job creation, improved government services, and better competitiveness in the global market.

In order to enjoy the benefits of cloud computing there should be an effective and efficient flow of information between the cloud service provider and the customer. This cannot be achieved without three key technical capabilities:

  • First and foremost, the availability of high-speed communication services (broadband). Although some cloud-supported applications can be delivered over narrowband networks, the real benefits of cloud services come with high-speed Internet.
  • Unrestricted flow of information between the cloud service provider and the customer.
  • Cloud data centers can operate effectively only if they can be located and operated on the basis of efficiency considerations. This way they can provide effective service to customers at any time and from anywhere.

Image from http://www.cheki.com.ng/

The market for cloud computing is gradually growing in countries like India, China, Brazil, South Africa and Vietnam. An African used-car classifieds service, Cheki, has built a huge market (covering Kenya, Nigeria, Malawi, Rwanda and Ethiopia) with most users accessing the site from $70 Android smartphones. Similarly, a recent study found that a 45-person firm in Mexico saw a 3% reduction in fixed costs when it switched to cloud services, with a significant growth in job openings as a result. Besides the examples above, there are other areas where cloud computing has proved beneficial for developing nations. Universities and colleges are using cloud services to conduct innovative research, analyze data, and provide virtual computing lab facilities to their students. Another major application of the cloud is in healthcare services: “India’s ICICI Bank’s insurance arm has used Zoho’s Web-based applications to develop services such as personalized insurance for patients with diabetes. The company adjusts premiums based on how well policy-holders stick to a fitness plan.”

The table below shows cloud computing application areas in developing countries:

Image from http://libres.uncg.edu


There is no doubt that cloud services offer many benefits to developing nations, but there are also concerns about data privacy and security, specifically about unauthorized access to information stored in cloud services for malicious purposes.

  • One of the biggest fears in using cloud computing is data loss or illegal access to data. Small businesses that trust cloud services with their valuable data can suffer severe losses if any of the service provider’s datacenter servers is hacked or sensitive information is exposed accidentally. Such incidents badly harm the reputation of the companies involved.
  • Unlike in developing nations, there are standardized rules and regulations (e.g., ISO 27002, Safe Harbor, ITIL, and COBIT) for cloud service providers operating in countries like the US, Canada or the European Union. The service provider needs to comply with all of them in order to serve its customers. Unfortunately, in developing countries these regulations are not yet widely adhered to by software companies.
  • There is always a risk of consumer data being accessed by the service providers, used for targeted ads, or shared with third parties. The provider needs to assure customers that their data will not be used for any unintended purpose.
  • Another security issue with the use of the cloud is identity theft. Consumers need to verify the identity of cloud service providers using reliable verification mechanisms before using their service.

SpiderOak Blue for Enterprises:

Finding a truly secure third party cloud service can be a challenge, as many services on the market have security gaps that leave private data vulnerable to third party attacks. One cloud storage and sync service that sets itself apart is SpiderOak Blue. This service provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.

SpiderOak Blue protects sensitive enterprise data through two-factor authentication and 256-bit AES encryption, so that files and passwords stay private as unreadable blocks of data. Two-factor authentication is just like the process used by some financial services that require a PIN as an extra precaution along with a password in order to log in. With SpiderOak, enterprises that choose to use two-factor authentication must submit a private code received by text message along with their unique encrypted password. Authorized accounts can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. All plaintext encryption keys are stored exclusively on approved devices (SpiderOak never hosts any plaintext data). SpiderOak Blue’s cross-platform private cloud services are available for enterprises on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices.


Privacy Issues For Schools Using The Cloud

Posted by on Oct 10, 2013

 

Image from http://www.wired.com

More and more schools are opting to embrace cloud services for storing students’ data, as they are cost effective, easy to use and provide streamlined services. Schools are encouraging students to use commercial cloud services for sending emails, storing and sharing documents, and for other educational purposes. By outsourcing email and data storage services, school districts are saving a lot of money previously spent on servers, hardware, software and technical support. However, schools’ use of cloud services poses significant risks to students’ privacy.

The major risk in using cloud services is that the personal information collected by cloud service providers can be used for user profiling and online behavioral advertising. According to a survey report released by SafeGov.org, students are effectively forced to use commercial cloud services, as they do not have the opportunity to grant or withhold their consent. For example, suppose you are a student using a school-provided email service and, without logging out of your email account, you browse the web to research a school project. Without your consent, the service provider collects and stores your search history and the contents of your email, and later you might even see pop-up ads related to your web search. This is just one example; there are several other instances where sensitive data like field trip pictures, parent-teacher email exchanges, social security numbers and so on can be accessed by cloud computing vendors. The problem is growing as more schools embrace BYOD (bring your own device) policies.

Schools and government customers of Google Apps are encouraged to add ad-based Google services such as Search or YouTube to Google Apps for educational purposes. As a result, students are driven from an ad-free to an ad-supported environment. On the other hand, Microsoft’s Bing for Schools is an ad-free, no-cost version of its Bing search engine that can be used in public and private schools across the U.S.

Image from http://www.bing.com/

While the use of cloud services helps schools save thousands of dollars, the data security and privacy risks presented by these services cannot be ignored. The survey report by SafeGov.org says “there are a number of areas where advertising-oriented cloud services may jeopardize the privacy of data subjects in schools, even when ad-serving is nominally disabled. Threats to student online privacy occasioned by the use of such services in the school environment include the following:

  • Lack of privacy policies suitable for schools: By failing to adopt privacy policies specifically crafted to the needs of schools, cloud providers may deliberately or inadvertently force schools to accept policies or terms of service that authorise user profiling and online behavioural advertising.
  • Blurred mechanisms for user consent: Some cloud privacy policies, even though based on contractual relationships between cloud providers and schools, stipulate that individual data subjects (students) are also bound by these policies, even when these subjects have not had the opportunity to grant or withhold their consent.
  • Potential for commercial data mining: When school cloud services derive from ad-supported consumer services that rely on powerful user profiling and tracking algorithms, it may be technically difficult for the cloud provider to turn off these functions even when ads are not being served.
  • User interfaces that don’t separate ad-free and ad-based services: By failing to create interfaces that distinguish clearly between ad-based and ad-free services, cloud providers may lure school children into moving unwittingly from ad-free services intended for school use (such as email or online collaboration) to consumer ad-driven services that engage in highly intrusive processing of personal information (such as online video, social networking or even basic search).
  • Contracts that don’t guarantee ad-free services: By using ambiguously worded contracts and including the option to serve ads in their services, some cloud providers leave the door open to future imposition of online advertising as a condition for allowing schools to continue receiving cloud services for free.”

Image from m2.files.wordpress.com

SafeGov has also sought support from European Data Protection Authorities to implement rules for both cloud service providers and schools. Under these rules or codes of conduct, targeted advertising in schools and the processing or secondary use of data for advertising purposes should be banned. The contract between a school and its service provider should state clearly that student data will not be used for data mining or advertising purposes.

Keeping all these things in mind, schools should make sure they understand how their data will be stored and managed by the service provider before moving to cloud services. They should demand assurance from the service provider that the information it collects will not be used for data mining or targeted advertising, or sold to third parties.

Secure sensitive student data with SpiderOak

Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access.

 

Interested in SpiderOak Products?

SpiderOak carved its niche as the top choice for those most concerned with privacy.

The engineering goal was simple – devise a plan where users’ files, filenames, file types, folders, and/or any other personal information are never exposed to anyone for any reason (even under government subpoena). This describes SpiderOak’s ‘zero-knowledge’ privacy environment. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Hive keeps all your files in sync across your computer and mobile devices. Here the end-user owns the data and is the only one with the keys to unlock and view plaintext data. You can sign up for this product now. SpiderOak Blue works seamlessly in your enterprise environment. For authentication, it deploys a virtual appliance that resides behind your firewall and integrates with Active Directory / LDAP for single sign-on. SpiderOak Blue is compatible with Mac, Windows, Linux, iOS and Android platforms. SpiderOak Blue is now available through a limited release. We have been working with several large enterprises through the beta period and will continue towards general release. If you’re curious about the product, please send an email to blueinfo@spideroak.com and we will get back to you soon.

 


Encryption under the light of PRISM revelations

Posted by on Oct 9, 2013

 

Image from http://www.infosecurity-magazine.com

With the incredible growth in technology these days, the Internet is now used for a number of important functions such as shopping, managing our bank accounts, paying bills and socializing. While the Internet makes our lives easy and comfortable, it brings a lot of security risks with it. The exposure of so much personal information like credit card details, social security numbers, or bank account information on the Internet makes us extremely vulnerable to cyber attacks. Most of us rely on a very simple and straightforward security control called “encryption” to maintain the integrity and confidentiality of our data across the Internet. Encryption is a method of securing your data or message by scrambling it into a form that can only be read by someone who has the appropriate key to unscramble it. This is an age-old technique often used to prevent unauthorized users from reading your data. But is this a fool-proof method of data protection in light of the PRISM revelations? It seems that the NSA has several ways to crack this extremely popular and widely-used security control.

The biggest and best-funded spy agency, the NSA, spends billions of dollars every year to circumvent most of the encryption or digital scrambling technologies used to protect sensitive data like trade secrets, medical records, secured email messages, Internet chats and even phone calls. “For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies,” said a 2010 memo describing a briefing about N.S.A. accomplishments for employees of its British counterpart, Government Communications Headquarters, or GCHQ. “Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.”

The NSA primarily collects information by monitoring network and communication channels. It has sophisticated tools and technologies to automatically monitor and analyze network traffic. The NSA has been successful in cracking the majority of the encryption codes on the Web by using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age. It can easily break poorly-implemented and outdated encryption technologies, and sadly there’s a lot of bad cryptography out there.

Image from http://downtrend.com

As per recent reports, the NSA has been defeating many encryption standards by working closely with security vendors to understand and exploit security vulnerabilities in their products. Basically, the NSA asks these companies to deliberately make changes to their products in undetectable ways, such as leaking encryption keys, making a random number generator less random, adding a common exponent to a public-key exchange protocol, and so on. Many well-known, high-profile companies, like Microsoft, share information regarding vulnerabilities in their software with the US government before releasing security updates to the public. So, if you are using Microsoft software products like Windows, Office or Skype, it is possible for the NSA to compromise your system and penetrate encrypted communications with very little effort.

Here is an interesting story about information sharing by Skype (which is considered the most secure medium of communication) with the US government.

Image from http://www.inflexwetrust.com

“Skype, the Internet-based calling service, began its own secret program, Project Chess, to explore the legal and technical issues in making Skype calls readily available to intelligence agencies and law enforcement officials, according to people briefed on the program who asked not to be named to avoid trouble with the intelligence agencies. One of the documents about the PRISM made public by Mr. Snowden says Skype joined Prism on Feb. 6, 2011”.

The obvious question that comes to mind is how we can keep our data safe from the prying eyes of the NSA. As per Edward Snowden, “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.” By “endpoint security” he means the security of the computers on either end of the communication. The security of the endpoint systems is more critical than the security of the message in transit.

Security technologist Bruce Schneier recommends the following steps to secure your data despite the NSA’s encryption cracking:

1) Hide in the network: Implement hidden services such as Tor to anonymize yourself.

2) Encrypt your communications. Use TLS. Use IPsec. Again, while it’s true that the NSA targets encrypted connections – and it may have explicit exploits against these protocols – you’re much better protected than if you communicate in the clear.

3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA – so it probably isn’t. Use a computer that has never been connected to the Internet before for encrypting and decrypting personal files or documents.

4) Be suspicious of commercial encryption software, especially from large vendors. Most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.

5) Try to use public-domain encryption that has to be compatible with other implementations. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.

 

True Privacy with SpiderOak

At SpiderOak, we protect sensitive user data using 256-bit AES encryption so that files and passwords remain secure. SpiderOak encrypts the files on your computer before uploading them to the server. As a result, you and only you have access to your unencrypted data. Even SpiderOak cannot read your data, because the keys used for encryption belong only to you. It is impossible for someone to gain control of your data by hacking into SpiderOak. SpiderOak’s encryption is comprehensive — even with physical access to the storage servers, SpiderOak staff cannot know even the names of your files and folders. On the server side, all that SpiderOak staff can see are sequentially numbered containers of encrypted data. In this way, we are not capable of betraying our customers. The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. SpiderOak generates a key from your password using the key derivation/strengthening algorithm PBKDF2 (with SHA-256), with a minimum of 16384 rounds and 32 bytes of random data (“salt”). This key is then used to encrypt/decrypt a series of strong encryption keys that in turn encrypt/decrypt your data. So, a user who knows her password can generate the outer-level encryption key using PBKDF2 and the salt, then decipher the outer-level keys, and be on the way to decrypting her data. Without knowledge of the password, however, the data is unreadable. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected.

SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.

 

 


Adobe data breach affects 2.9 million customers

Posted by on Oct 8, 2013

Image from www.adobe.com

Adobe Systems has become the latest victim of a massive data breach. The breach exposed the personal information of millions of customers and the source code of well-known Adobe products like Adobe Acrobat, ColdFusion and others. Last Thursday, Adobe confirmed that the attackers accessed the data of about 2.9 million users. The customer information that was accessed included names, encrypted credit card and debit card numbers, expiration dates, and other information related to customer orders. However, decrypted debit and credit card numbers were not removed from the system.

Adobe has been attracting the attention of a lot of cyber criminals lately because of the widespread use of many of its products. The firm confirmed that it has been receiving “sophisticated attacks” on its network, involving illegal access to customer data and the source code of numerous Adobe products. Journalist Brian Krebs and Alex Holden of Hold Security discovered the data leak about a week ago. As per Krebs, “they became aware of the data leak when they discovered a 40 GB source code trove stashed on a server used by the same cyber criminals believed to have hacked into major data aggregators earlier this year, including LexisNexis, Dun & Bradstreet and Kroll.” The hacking team’s server contained huge repositories of compiled and uncompiled source code for ColdFusion and Adobe Acrobat.

A screen shot of purloined source code stolen from Adobe, shared with the company by KrebsOnSec

After that discovery, KrebsOnSecurity informed Adobe about the attack, providing several screenshots showing Adobe source code on the hackers’ server. Adobe confirmed that it is aware of the attack and has been investigating a broad-ranging breach of its network since Sept 17th, 2013. Adobe’s Chief Security Officer, Brad Arkin, said that the information shared by KrebsOnSecurity “helped steer their investigation in a new direction.”

ColdFusion source code repository found on the hackers’ server.

In this case, the risk of identity theft or fraud seems to be low because the compromised personal data was encrypted. However, it is still not clear what kind of encryption or security Adobe used on the stolen data. The biggest threat in this breach is the leak of the source code of Adobe products. This information could lead to spear phishing attacks: an attacker can use it to fool users by recommending, in an email, that they download a software update, which may look real because of the accurate product details it contains.

In response to the breach, Adobe has taken certain steps to maintain the security of customer data:

  • Adobe is resetting customer passwords to prevent unauthorized access to Adobe IDs. It is sending email notifications to the affected users, which include many Revel and Creative Cloud account holders, asking them to change their passwords. Users are also advised to change their passwords on any other website where they used the same user name and password.
  • Customers whose credit or debit card information was accessed will receive an email notification explaining how to protect themselves against potential misuse of their personal information. “Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a one-year complimentary credit monitoring membership where available”.
  • Adobe has also notified the banks that process customer payments for it, so that they can work with payment card companies and card-issuing banks to help protect user data.
  • Adobe has also contacted federal law enforcement and is assisting in their investigation.

So, as an Adobe customer, if you think your data is compromised or if you have received any notification from Adobe about it, make sure you follow the instructions given by Adobe in the notification email. Also be very careful when downloading any software updates from Adobe, as the compromised source code raises the risk of phishing attacks. Ensure that the update comes from a legitimate site by checking that it is served over HTTPS (SSL/TLS) and that the browser shows the corresponding security indicator.

Protect your personal data with SpiderOak

Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access.

Interested in SpiderOak Products?

SpiderOak carved its niche as the top choice for those most concerned with privacy.

The engineering goal was simple – devise a plan where users’ files, filenames, file types, folders, and/or any other personal information are never exposed to anyone for any reason (even under government subpoena). This describes SpiderOak’s ‘zero-knowledge’ privacy environment.
SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Hive keeps all your files in sync across your computer and mobile devices. Here the end-user owns the data and is the only one with the keys to unlock and view plaintext data. You can sign up for this product now. SpiderOak Blue works seamlessly in your enterprise environment. For authentication, it deploys a virtual appliance that resides behind your firewall and integrates with Active Directory / LDAP for single sign-on. SpiderOak Blue is compatible with Mac, Windows, Linux, iOS and Android platforms. SpiderOak Blue is now available through a limited release. We have been working with several large enterprises through the beta period and will continue towards general release. If you’re curious about the product, please send an email to blueinfo@spideroak.com and we will get back to you soon.


US Government Denies Tech Companies’ Request for NSA Transparency

Posted by on Oct 7, 2013

 

Image from http://www.theguardian.com

In a previous post, I discussed how high-profile tech companies like Google, Facebook, Yahoo and LinkedIn are teaming up against the NSA’s request for mass collection of digital data, and seeking the court’s permission to report the exact number of user data requests made by the NSA. In response to the requests made by the tech giants, the US government has filed a court brief opposing the release of surveillance request details. The government said that allowing the companies to release such detailed information “would be invaluable to our adversaries,” providing a clear picture of where the government’s surveillance efforts are directed and how its surveillance activities change over time.

The tech companies often receive surveillance requests from the NSA with a gag order, which makes it illegal for them to disclose any information about the government’s request to their customers or anybody else. As per these companies, “the gag order violates First Amendment as it interferes with the public’s right to get truthful information about a matter of public debate and service provider’s right to publish such information.” They want to publish a transparency report to correct inaccuracies in the news and to assure customers that only a tiny fraction of their accounts are subject to legal orders.

According to the government, however, releasing such information would harm national security interests and allow the adversaries to shift communication platforms to avoid surveillance. The government also dismissed the tech companies’ argument of violation of the First Amendment, saying the information they want to disclose is classified and not covered by the Amendment.

 

Image from http://gizmodo.com/

Here are some of the responses of the tech firms regarding the government’s decision:

Google said in a statement: “We’re disappointed that the Department of Justice opposed our petition for greater transparency around FISA requests for user information. We also believe more openness in the process is necessary since no one can fully see what the government has presented to the court.”

And Microsoft: “We will continue to press for additional transparency, which is critical to understanding the facts and having an informed debate about the right balance between personal privacy and national security.”

Under these circumstances, where the government is preventing companies from disclosing the exact statistics of surveillance requests and will continue to snoop on user data in the name of national security, how can we make sure that our data remains protected? So far it has been seen that it is difficult for the NSA to break into properly implemented encryption technologies. The NSA has managed to penetrate some systems with poorly implemented and outdated encryption, but getting into properly encrypted systems still remains difficult. Security researchers suggest that implementing strong encryption standards like AES (Advanced Encryption Standard) can help protect your data from programs like PRISM. AES is the strongest encryption algorithm to date, and is extremely difficult to break.

True Privacy with SpiderOak

Image from https://spideroak.com/

At SpiderOak, we protect sensitive user data using 256-bit AES encryption so that files and passwords remain secure. SpiderOak encrypts the files on your computer before uploading them to the server. As a result, you and only you have access to your unencrypted data. Even SpiderOak cannot read your data, because the keys used for encryption belong only to you. It is impossible for someone to gain control of your data by hacking into SpiderOak. SpiderOak’s encryption is comprehensive — even with physical access to the storage servers, SpiderOak staff cannot know even the names of your files and folders. On the server side, all that SpiderOak staff can see are sequentially numbered containers of encrypted data. In this way, we are not capable of betraying our customers.

The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. SpiderOak generates a key from your password using the key derivation/strengthening algorithm PBKDF2 (with SHA-256), with a minimum of 16384 rounds and 32 bytes of random data (“salt”). This key is then used to encrypt/decrypt a series of strong encryption keys that in turn encrypt/decrypt your data. So, a user who knows her password can generate the outer-level encryption key using PBKDF2 and the salt, then decipher the outer-level keys, and be on the way to decrypting her data. Without knowledge of the password, however, the data is unreadable. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access.

 

Interested in SpiderOak Products?

SpiderOak carved its niche as the top choice for those most concerned with privacy. The engineering goal was simple – devise a plan where users’ files, filenames, file types, folders, and/or any other personal information are never exposed to anyone for any reason (even under government subpoena). This describes SpiderOak’s ‘zero-knowledge’ privacy environment.

SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Hive keeps all your files in sync across your computer and mobile devices. Here the end-user owns the data and is the only one with the keys to unlock and view plaintext data. You can sign up for this product now. SpiderOak Blue works seamlessly in your enterprise environment. For authentication, it deploys a virtual appliance that resides behind your firewall and integrates with Active Directory / LDAP for single sign-on. SpiderOak Blue is compatible with Mac, Windows, Linux, iOS and Android platforms. SpiderOak Blue is now available through a limited release. We have been working with several large enterprises through the beta period and will continue towards general release. If you’re curious about the product, please


Is your password secure in the cloud?

Posted by on Oct 4, 2013

 

Make your password secure

Image from somecards.com

Many of us use the same password over and over again for our email, bank accounts, and social networking sites, and we tend to pick very simple ones because they are easy to remember: a first name, a child's or spouse's name, the first letters on the keyboard, "123456" and so on. Such passwords are guessed and cracked in seconds. A weak password gives an intruder easy access to your accounts and the data behind them. Passwords are like locks designed to keep your data safe, and most of the time a strong lock keeps your personal things away from the bad guys. Whenever there is a security breach we tend to blame the security practices of the organization or the storage service, but the truth is that we, the end users, are often the weakest link in the chain.

In this age of cloud computing you can store your personal data (photos or documents) on servers run by third parties and reach it from anywhere. Think about it: if you can reach your data so easily from anywhere, can an attacker do the same? Quite possibly. Cloud services are attractive targets precisely because they authenticate users with passwords and are reachable from anywhere on the Internet.

We have seen many security breaches involving high-profile Internet and cloud applications. After studying these breaches, researchers have usually concluded that weak passwords were a major factor, exposing millions of users' data and damaging the reputations of well-known organizations. When you choose a simple, guessable password, it does not matter how well the service stores and hashes it: the attacker will recover it almost immediately. Besides the user, the Internet or cloud vendor shares responsibility for steering users toward strong passwords (at least 8 characters long, mixing letters, numbers and special characters, and not on lists of commonly used passwords). Sadly, most online services still accept short, simple passwords. That means an attacker can take over many user accounts with online password guessing alone, without ever compromising the application or getting hold of the password hashes.
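The two responsibilities described above, the user's choice of password and the vendor's enforcement, can be seen together in this added example, which is not from the original post or any named vendor. It checks a candidate password against a length and character-class rule and a blocklist, then runs an online guessing attack through a throttled login endpoint that never exposes the hash. The blocklist is a constructed ten-entry stand-in for a real leaked-password list; the account class, its lockout threshold and the PBKDF2 work factor are assumptions.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a leaked-password list (real lists run to millions of entries).
COMMON_PASSWORDS = [
    "123456", "password", "qwerty", "abc123", "letmein",
    "iloveyou", "admin", "welcome", "monkey", "dragon",
]


def policy_problems(password: str, blocklist=COMMON_PASSWORDS) -> list:
    """Return the reasons a password should be rejected (empty list = acceptable).
    Rules: at least 8 characters, at least three character classes, not on the blocklist."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        problems.append("fewer than three character classes")
    if password.lower() in blocklist:
        problems.append("appears in the common-password list")
    return problems


class Account:
    """Server side: salted PBKDF2 hash plus a per-account failure counter.
    After MAX_FAILURES wrong guesses the account locks (assumed policy)."""
    MAX_FAILURES = 10
    ROUNDS = 10000  # assumed work factor

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.hash = self._hash(password)
        self.failures = 0
        self.locked = False

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), self.salt, self.ROUNDS)

    def login(self, attempt: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(self.hash, self._hash(attempt)):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True
        return False


def online_guess(account: Account, candidates) -> tuple:
    """Attacker view: no hash, no salt, just the login endpoint.
    Returns (recovered_password_or_None, guesses_spent)."""
    spent = 0
    for candidate in candidates:
        spent += 1
        if account.login(candidate):
            return candidate, spent
        if account.locked:
            break
    return None, spent
```

A password on the common list falls within the lockout budget even though the attacker never sees a hash, which is the point of the paragraph above; a password that is not on the list survives, but only because the lockout stops the attack. Lockout has its own cost (an attacker can lock legitimate users out on purpose), which is why real services combine it with rate limiting and CAPTCHAs rather than relying on it alone.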

Password

Image from http://www.teachthought.com

 

The National Security Agency (NSA) has been in the news lately for invading the privacy of US citizens by collecting massive amounts of digital data. A recent report states that the NSA has also asked Internet providers and websites to hand over user passwords. As CNET put it, “the passwords would enable federal agencies to peruse confidential correspondence or even impersonate the user”. The NSA has asked companies such as AOL, Facebook, Verizon and Yahoo for user passwords, and these companies have turned the demand down, saying it would compromise the privacy and confidentiality of their customers. Along with the passwords, the NSA has also asked for encryption keys and salts (the random data mixed into each password before it is hashed, so that identical passwords produce different hashes and precomputed cracking tables cannot be reused). It is still unclear whether the NSA is targeting specific individuals or conducting mass collection. Either way, it poses a major risk to the privacy and security of our data on the Internet.

How can you protect your passwords in the cloud?

  • Use long and complex passwords (at least 8 characters, and longer is better, mixing letters, numbers and special characters). The two common cracking methods are the brute-force attack, which tries every possible combination, and the dictionary attack, which tries lists of words and previously leaked passwords; a short password falls to the first and a common one to the second.
  • Do not reuse a password across services. Use a different password for every account, at the very least for email, banking and social media, so that one breach stays one breach: if you use the same password everywhere and a single site leaks it, the attacker can log in to all the others.
  • Change a password promptly whenever the service holding it reports a breach or you suspect it has been exposed. Rotating passwords every few weeks or months is still widely recommended, but it only helps if each new password is genuinely new rather than a predictable variant of the old one.
  • If you do not trust yourself to invent strong, hard-to-crack passwords, use a password manager to generate them and keep them in an encrypted vault protected by one strong master password. Well-rated password managers at the time of writing include 1Password, LastPass, Clipperz and RoboForm.

 

Password

Image from https://agilebits.com/

 

  • Never log in to important accounts over plain HTTP or FTP. Both protocols send the username and password in cleartext, so anyone on the network path running a protocol analyzer such as Wireshark can read them straight out of the captured packets; nothing needs to be cracked. Use HTTPS and SFTP instead, which carry the same exchange inside an encrypted channel.
  • Avoid letting the browser (IE, Chrome or Safari) remember your passwords. Saved passwords are stored on disk in a form the browser can reverse, so anyone who can run code in your logged-in user session, including malware, can dump them with a simple script; a password manager with a separately locked vault is the safer option.

SpiderOak keeps your data safe

Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files, and the keys that protect them, stay private. Authorized accounts and devices can store and sync sensitive data with complete privacy, because the service has “zero knowledge” of user passwords or plaintext data: the encryption keys exist in plaintext only on the user's approved devices, and SpiderOak's servers hold nothing but ciphertext. This way, even if programs like the NSA's PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak's cross-platform private cloud services are available for Windows, Mac, and Linux, along with Android and iOS mobile devices, allowing for full flexibility and mobile access.
