Posted by Kalyani M. on Apr 17, 2014
In my last post, we examined the ins and outs of the HeartBleed security vulnerability in OpenSSL that has affected about half a million websites and client-side software. This bug being considered as one of the biggest threats the Internet has ever seen. Many popular websites like Yahoo, Flickr, NASA, and OKCupid are vulnerable to the HeartBleed bug. That means the information passing through these websites could also be targeted by cyber attacks, even though they are encrypted. The HeartBleed bug allows an attacker to get access to sensitive personal information like private keys, user keys, passwords, usernames, and credit card details. Security expert Bruce Schneier has termed HeartBleed as a “catastrophic” bug, and “on the scale of 1 to 10 gives it 11” in terms of severity.
There is a possibility that you are affected by this bug, either directly or indirectly. Unfortunately, with the nature of this threat, there is not a lot that you can do to protect yourself. It is the responsibility of the Internet companies to update their servers and develop patches to ensure protection. Besides issuing patches, the companies need to revoke their digital certificates and reissue them to maintain their authenticity. On their end, users can do some basic security checks to verify whether or not they are affected by Heartbleed. Here are certain things that you can do to protect your data from this critical bug:
These are some of the security practices that you need to follow for better security of your personal information from this critical bug. However, as I had mentioned earlier, Internet companies have the ultimate responsibility of mitigating this issue and come up with better security solutions as soon as possible
Protection against cyber attacks with SpiderOak: There is no denying the fact that Heartbleed is a major security vulnerability. However, strong security practices always make it difficult for intruders to access sensitive information. SpiderOak implements strong security controls to ensure protection of sensitive user data from cyber attacks. SpiderOak’s encryption is comprehensive — even with physical access to the storage servers, SpiderOak staff do not know the names of your files and folders. The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. Sign up for this product today.
Posted by Kalyani M. on Apr 15, 2014
A major security bug, “Heartbleed”, has been making major headlines recently. The security vulnerability has infiltrated many well-known websites, and affected millions of users. It was discovered in some versions of OpenSSL, utilized by thousands of websites. OpenSSL is an encryption technology that uses TLS/ to secure communication over the Internet, and protect sensitive user information like usernames, passwords, credit card numbers, and financial data. Therefore, the exploitation of this critical bug allows cyber criminals to gain access to personal details of millions of Internet users. More information makes an attacker stronger, and opens the door to many more intrusions.
The bug was identified by a group of security engineers at Codenomicon while they were working on improving the security features of the company’s security testing tools. Heartbleed could be considered as one of the biggest security threats in Web security, because it exposes the contents of a server’s memory, where most sensitive user data is stored. This vulnerability allows anyone on the Internet to read the memory of systems protected by vulnerable versions of OpenSSL. It can compromise the private keys used for encrypting communication and identifying trusted sources on the Internet. The most worrisome aspect of this news is that this vulnerability existed for two years and was not detected until recently.
OpenSSL handles a service of TLS called Heartbeat, an extension to TLS added in 2012. German programmer, Robin Seggelmann, introduced the new feature “Heartbeat” to OpenSSL. His intention was to improve some features of the encryption technology, and enable the“Heartbeat” feature for better security in OpenSSL, the software package used in nearly half of all web servers. Open SSL is used to protect Apache and nginx Web servers, email servers (SMTP, POP, and IMAP), chat servers, VPNs, and other client-side software. According to the research of security experts, a mere coding “oversight” led to a coding error that created the “Heartbleed” vulnerability. In an interview with The Guardian, Seggelmann said, “I am responsible for the error because I wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version.” Segglemann submitted the code on the New Years Eve 2011, which means OpenSSL used in Websites and other client-side software has contained this vulnerability since that time.
It has also been discovered that Juniper and Cisco routing gears also have this vulnerability that might allow the hackers to capture passwords or personal user data while passing over the Internet. The way HeartBleed works is very simple. The Heartbeat extension is used by two computers to make sure if the other is alive or not. The client sends its heartbeat to the server to check its status, and the server sends it back to the client to give an indication that it is listening. The packet simply contains random chunks of data and a note saying how much data it sent. The server receiving the data returns exactly the same amount to the client. If by chance either one of them is down and does not respond, the other will know by the heartbeat sync mechanism.
With Heartbleed, the attacker exploits this mechanism by lying about the amount of data it has sent to the server. For example, even if only one byte of data was sent, it will tell the server that it sent 64KB of data. In doing this, the server makes a note that it has to send 64KB of information to the client in order to establish communication. If the server does not have 64KB of data, then it fills the packet with any other information it has in its memory at that time. This means that anything in the memory, like encryption keys, user keys, passwords, usernames, emails, and business documents, can be compromised by an attacker. Sending more Heartbleed requests allows the attacker to fetch even more memory. The good news is that there is no evidence so far that the bug has been exploited by anyone. Also, the issue has been fixed in OpenSSL v1.0.1g. However, users will still need to take protective measures to ensure protection against Heartbleed vulnerability. In my next post, I will be discussing about different security measures that users can take to protect themselves against Heartbleed.
Protection against cyber attacks with SpiderOak: HeartBleed is a major security vulnerability, having the potential to be exploited by hackers to access a massive amount of user data. However, strong security practices always make it difficult for intruders to easily access sensitive information. SpiderOak implements strong security controls to ensure protection of sensitive user data from cyber attacks. SpiderOak’s encryption is comprehensive — even with physical access to the storage servers, SpiderOak staff do not know the names of your files and folders. The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. Sign up for this product today.
Posted by Kalyani M. on Mar 27, 2014
The recent major data breach at Target has been an eye-opener that showed how malware infected Point-Of-Sale (PoS) devices can be exploited to gather huge amounts of credit and debit card data. Malware attacks are on the rise these days. The reason why most of these attacks are successful is because most of the malware being used is new and unknown, and no defense mechanisms are in place to counter it. Another new form of malware, called Ploutus, is targeting ATM machines and allowing cyber criminals access cash. In order to install this malware, the hacker needs to be able to physically access the ATM machine. Therefore, in the majority of cases it is seen that standalone ATM machines, especially the ones in convenience stores, become victims of data breaches. The ATM machines in banks are usually more secure than standalone ATM machines, and have a heavy physical shield protecting them from unauthorized access.
Security vendor Symantec initially identified this new form of malware. They carried out research on a standalone ATM machine to determine exactly how the Ploutus malware works. The standalone machines allow hacker can access all parts of the machine with only minimal effort. The latest version of the malware allows the hacker to control the malware remotely via text messages. They must first set up a mobile phone within the ATM machine to connect and infect it with malware. To effectively connect with the ATM, the hackers use a method called USB tethering. Since the phone is connected to the ATM through a USB port, it continually draws power from the connection to keep the phone battery recharged. Once the phone is connected to the ATM, the hacker will send an SMS message to the phone attached to the ATM. The phone will detect the message, convert it into a network packet, and forward it to the ATM via USB cable.
According to Symantec, “the network packet monitor (NPM) is a module of the malware which acts as a packet sniffer, watching all network traffic going on in the ATM. As soon as the compromised ATM receives a valid TCP or UDP packet from the phone, the NPM will parse the packet, and search for the number “5449610000583686” at a specific offset within the packet in order to process the whole package of data. Once that specific number is detected, the NPM will read the next 16 digits and use them to construct a command line to run Ploutus”. The Ploutus malware has proven to be extremely effective for the cyber criminals to carry out fraudulent activities. It allows them to control the machine remotely and withdraw as much cash as they want.
The security researchers at Symantec believe the reason behind these kinds of attacks is the vulnerability in Windows XP operating system, which the majority of ATMs run on. This vulnerability is exploited by cyber criminals to install malware on ATM machines. Microsoft has already announced the risk of “zero day forever”. Once Windows XP retires, Microsoft will not be releasing any patches for upcoming security vulnerabilities, and as a result, these systems will only become more vulnerable to cyber attacks. Besides Ploutus, the Symantec security team has also found out several different forms of malware that target ATM machines for several other reasons. There are different kinds of sophisticated malware designed to carry out different types of attacks, like stealing PIN numbers or Man-in-the-Middle attacks.
These days, many ATM machines have better security features, like encrypting data on a hard disk, ensuring protection against malware installation. However, with older versions of ATM machines running on Windows XP, it is challenging to ensure protection against malware attacks. Still, a few things can be done to enhance the security on older version, such as upgrading to Windows 8, implementing full disk encryption for protection against tampering, and enhancing physical security by constantly monitoring the ATM machines using CCTV. By taking all these security measures into account, we can protect ATM machines from massive data breaches.
Shielding Private Data with SpiderOak
A great way to shield sensitive consumer and corporate data from any snooping eyes is through storing and syncing with a private cloud service provider. For enterprises looking for a truly private cloud service, SpiderOak Blue offers fully private “public” and onsite server deployment options for full flexibility. Choosing the right third party cloud service can be a challenge, as many services on the market have security gaps which leave private data vulnerable to third party attacks, malware, and legal snooping. But SpiderOak sets itself apart from the rest of the market by providing a fully private cloud service featuring all of the benefits of cloud storage along with 100% data anonymity.
SpiderOak protects sensitive enterprise data through 256-bit AES encryption so that sensitive files and passwords stay private. Authorized accounts can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices, as SpiderOak never hosts plaintext data. SpiderOak Blue’s private cloud services are available for enterprises on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, making this one of the only cross-platform solutions on the market. You can sign up for this product now
Posted by Kalyani M. on Mar 20, 2014
The PRISM revelations have made us more aware and proactive regarding maintaining our privacy in the electronic medium. The NSA has left no stone unturned to monitor and gather millions of user data. They have circumvented almost every security control on the Internet for bulk data collection. When it is not possible for them to break into the system, they provide legal notice to companies to access sensitive user information. In such a situation, how can we expect to maintain the security of our data? How can businesses retain the trust of their consumers that their data is safe from surveillance?
Recently, Edward Snowden spoke at the Southwest Interactive technology festival in Austin via satellite video, regarding the importance of encryption for data privacy. He said encryption works if it is implemented properly. This practice has time and again proved to be one of the most effective ways of protecting data. Snowden emphasized that encryption should not only be implemented by businesses, but active research and analysis should also be done on this security control at an academic level. The best method is end-to-end encryption. It ensures complete security of data against unauthorized access. However, often times it is seen that end-to-end encryption is not implemented in mainstream commercial products. Across the majority of the Internet, online companies are hesitant to implement end-to-end encryptions in their products.
The reason behind this is that if major Internet companies, like Google or Facebook, would implement strong encryption protocol like end-to-end encryption, then it will become extremely difficult for them to gather data about their users to utilize for targeted advertising and will conflict with their business model. They believe that adding more security controls to a product will negatively impact the user experience. The tools that are used these days to offer end-to-end online communications are not refined and not easy to use.
A recent report revealed that several top websites use hidden scripts to determine how long you hover over an ad, when you pause, or click on it. In doing this, they are able to determine your interests and send you promotions or advertisements according to these perceived interests. Facebook has recently announced its intent to monitor cursor movement of users to make improvements in its service. It will collect various pieces of information, such as how long you hover over a particular part of its website or whether your news feed is visible at a given moment on your mobile phone’s screen. They store all this captured information in a data analytics warehouse and make sure that you are getting targeted ads related to this information. The NSA takes advantage of these technologies used for targeted advertisement to carry out surveillance activities. It has been successful in breaking encryption standards, monitoring website cookies, and tapping into the data center links of well-known technology companies to collect user data.
After the PRISM revelations, many technology companies like Google, Yahoo, and Facebook announced new encryption protocols to encrypt user data in transit. The problem with these protocols is that they encrypt communications at the point of transport, and then the companies decrypt and re-encrypt it. On the other hand, end-to-end encryption encrypts your data on your systems. Therefore, it is difficult for intelligence gathering services to target individual computers and access user data. However, one of the drawbacks of implementing strong encryption protocols is that it is usually harder to use and not available for free. According to Snowden, “If you have to go to a command line, people aren’t going to use it. If you have to go three menus deep, people aren’t going to use it.” In order for end-to-end encryption to work effectively it has to be more user-friendly.
Besides implementing end-to-end encryption, companies should not store user data for an extended length of time. It is totally understood that at times companies need to collect user data for improving their services or adding some extra features to their application. However, if they make sure that the user data is not stored for unnecessarily long periods of time, then they can provide better security to their customers from surveillance programs.
Snowden also recommends some security tools to the Internet users for better security of their data on the Internet. You can use disk protection to protect data on hardware, implement browser security plugins, like NoScript and Ghostery, for web cookie tracking, and last, but not the least, utilize Tor to hide your identity while surfing the Internet.
Protect your personal data from NSA surveillance with SpiderOak: SpiderOak encrypts the files in your computer before uploading them to the server. As a result, you, and only you, have access to your unencrypted data. Even SpiderOak cannot read your data because the keys used for encryption only belong to you. It is impossible for someone to gain control of your data by hacking into SpiderOak. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. Sign up for this product today.
Posted by Kalyani M. on Mar 18, 2014
Cloud computing is attracting many enterprises because of its easy deployment, cost effectiveness, and flexibility. One of the major advantages of cloud computing is its disaster recovery approach. With this system, enterprises have a cost effective disaster recovery plan in place, and do not have to worry about deployment and maintenance of IT infrastructure or resources for disaster recovery. Cloud computing gives a completely different approach to disaster recovery. In this approach, the operating system, data and applications are integrated into a single software bundle or virtual server. This virtual server can be easily copied and backed up on an off-site data center within minutes. In comparison to the conventional disaster recovery approaches, this is extremely beneficial because it is hardware independent and therefore it is easy to transfer information from one data center to another without the burden of installing every component of the server. Cloud-based disaster recovery approach is extremely cost effective and dramatically reduces recovery time compared to traditional approaches.
Beyond easy deployment and cost effectiveness, there are a few other benefits of a cloud-based disaster recovery approach:
Given the benefits of cloud disaster recovery, it definitely looks like an attractive alternative for enterprises searching for reliable data storage and back up. Before implementing cloud disaster recovery, you do need to take several things into consideration. Like any traditional disaster recovery, there is no blueprint for cloud disaster recovery. Different organizations have different needs and priorities depending on the business they are in.
Additionally, one of the most important aspects that an enterprise needs to take into consideration is security. The cloud is vulnerable to many security attacks and breaches. Therefore, while moving to a cloud-based disaster recovery plan, enterprises should focus heavily on the security practices of cloud service provider.
According to John Morency, research vice president at research firm Gartner, Inc. in Stamford, Connecticut, “You still see with some major events, such as the lightning strike in Dublin [in 2011] that took out the cloud services, of Amazon and Microsoft, that there can be some temporary loss of service. The cloud shouldn’t be considered 100% foolproof. If organizations do need that 100% availability guaranteed they need to put some serious thought into what they need to develop for contingencies.” There are several aspects of security that the enterprises should take into account before moving to cloud disaster recovery: Determine how security data is transferred, stored and managed in the cloud. What access control mechanisms are in place? What security controls are used to protect data from unauthorized access? Apart from passwords, what extra layer of security is used to protect your data? Lastly, make sure that the cloud service provider complies with all the security rules and regulations required to maintain the privacy of data. With strong security practices and controls in place, the cloud disaster recovery approach is one of the most efficient and cost effective approaches for modern enterprises.
SpiderOak and Disaster Recovery
SpiderOak provides makes it easy to backup existing data and provides disaster recovery. It allows users to create and sync their local documents with a cloud version, which they can later access from any device. These systems even save revisions of documents so users can go back if they make a mistake and retrieve a previous version. SpiderOak Blue provides enterprises and large businesses with fully secure cloud storage, zero-knowledge, end-point device backup, remote syncing, and sharing. Essentially, it offers all of the convenience of the cloud, along with 100% data privacy. SpiderOak Blue is available with onsite deployment and private servers, or outsourced deployment through a private and secured public cloud server, so that enterprises can seamlessly tailor the service to fit their unique needs. Authentication is resolved via a virtual appliance that is positioned behind your firewall and is integrated with Active Directory/LDAP for a single sign-on. The service is compatible with Mac, Windows, and Linux, as well as iOS and Android, to provide comprehensive and mobile security for companies with a remote workforce. Sign up today to try SpiderOak.
Posted by Kalyani M. on Feb 20, 2014
Recently we have examined both the conveniences and concerns regarding cloud services, and the conversation is most likely far from over. National Security Agency surveillance has definitely raised concerns about privacy of user data in cloud services. Documents leaked by Edward Snowden indicate that the NSA has been collecting huge amounts of user data by cracking encryption technologies, using backdoor methods, and in some cases providing legal notice. As enterprises are using well-known cloud services like Amazon or Google, the PRISM revelations might lead to a negative impact on U.S. cloud storage companies, as the surveillance activities of the spy agency have taken a toll on the reputation of technology companies. People are becoming increasingly concerned about the privacy and security of their data stored in the cloud.
The NSA is basically devising all possible ways to break the security controls on the web to track and collect huge amounts of user data. The news about the NSA cracking encryption of common online security products and placing secret doors at the access points can further undermine the confidence of foreign businesses. The NSA has been successful in cracking the majority of the encryption codes on the Web, by using supercomputers, technical trickery, court orders, and behind-the-scenes persuasion. Apart from deciphering the encryption of online products, the NSA has devised programs to deliberately insert vulnerabilities in commercial products, so that they may collect more information by exploiting those vulnerabilities. The NSA asks these companies to deliberately make changes to their products in undetectable ways like leaking encryption keys, making random number generator less random, adding a common exponent to a public-key exchange protocol, and so on.
According to research done by the information technology and innovation foundation (IITIF), NSA surveillance may end up costing U.S. cloud service companies $22 billion through 2016. The prediction by IITIF assumes that the U.S. might lose about 10% of its cloud computing market to European and Asian competitors. The United States is considered a leader in cloud computing usage and innovation, but PRISM revelations might cause a shift away from leading data storage providers like Google, Yahoo, and IBM. Salesforce.com recently lost one of their major clients due to government surveillance activities. This is just one example showing the negative impact of surveillance on cloud services. In the future, if the government does not take a stand on reforming the surveillance programs, cloud service companies in this country might have to bear huge loss.
Taking all of the security concerns into consideration, many companies have requested the government to allow them to publish a transparent report of mass data collection requests made my the NSA. In order to gain the trust of their customers, it is extremely important for cloud service providers to be transparent regarding the storage and sharing of sensitive user information. The government needs to take action towards reforming the surveillance program, and allow companies to reveal more details about what data has been requested of them by the government. It also needs to establish international transparency to gain the trust of foreign customers.
Similarly, cloud service providers also need to implement strong security controls to ensure better safety of their customers from surveillance programs. It would be wide for them to construct strong encryption standards such as 256 bit-AES for better security. Encryption has time and again proved to be the most secure method for protecting data in the cloud. The keys used for encrypting sensitive customer data should be managed effectively by periodic key rotation and re-encryption of data with new keys. Employees should be not be given more access than what is needed to complete their tasks. Cloud storage companies should require strong passwords, longer keys, or complex hash algorithms to make it difficult for anyone to access user data.
I believe by implementing security measures and being transparent data usage, companies can gain the trust of their customers, and those who have been enjoying the benefits of U.S. cloud services might think twice before moving to alternate services. Under the light of NSA surveillance, cloud startups whose prime goal is to secure their customer data will see a huge growth in their business in the near future.
Protect your personal data from NSA surveillance with SpiderOak: SpiderOak encrypts the files in your computer before uploading them to the server. As a result, you, and only you, have access to your unencrypted data. Even SpiderOak cannot read your data because the keys used for encryption only belong to you. It is impossible for someone to gain control of your data by hacking into SpiderOak. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.
Posted by Kalyani M. on Feb 18, 2014
Cloud services are becoming increasingly popular these days, both among the public and business enterprises. While convenient, Cloud services can be extremely vulnerable to Denial of Service attacks (DoS). As more organizations are relying on cloud computing technology for their business operations, denial of service attacks, one of the most common forms of attack on the cloud, can prove extremely damaging. A DoS attack makes your network or machine unavailable to the intended users by flooding them with connection requests. Within the eighth annual Worldwide Infrastructure Security Report from security provider Arbor Networks, it was revealed how cloud services increase the risk of attacks. The report indicated: “94% of data center operators reported security attacks, 76% had suffered distributed denial of service (DDoS) attacks towards their customers, while just under half (43%) had partial or total infrastructure outages due to DDoS and yet only 14% of respondents had seen attacks targeting any form of cloud service.”
Posted by Kalyani M. on Feb 13, 2014
With healthcare data doubling every year, it can be extremely difficult for medical institutions to manage such a huge amount of information using traditional IT systems. This is one of the reasons why the healthcare industry is gradually moving towards the use of cloud services. A cloud storage system allows organizations to place data on a centralized electronic system that can be accessed anytime from anywhere. Cloud services can help the healthcare industry to access and manage health records effectively in order to provide better patient care. A properly implemented cloud storage system allows hospitals to process tasks effectively and quickly, without causing a drop in performance. Cloud computing has proven extremely beneficial and cost effective for patients and healthcare providers.
Posted by Kalyani M. on Feb 11, 2014
Cloud computing has become the driving force of today’s IT industry. More and more enterprises are moving towards this technology because of its flexibility, cost effectiveness, and easy deployment. According to the technology researchers at Gartner, the cloud services are expected to grow to $210 million by 2016. However, cloud computing is vulnerable to several security breaches and cyber attacks. The fact that the cloud hosts a tremendous amount of data makes them an attractive target for the cyber criminals. It is also extremely difficult to track or investigate cyber attacks on cloud services because of an ever changing set of users and data centers.
Posted by Kalyani M. on Feb 7, 2014
Security researchers have devised a unique method to trick the hackers trying to crack encrypted information. As you may know, encryption is one of the most effective methods of protecting data. However, it is seen that in many cases intruders are successful in getting into the system by trying different encryption-cracking methods. There are several sophisticated pieces of software that are capable of deciphering secure data. Keeping these security concerns in the forefront, two security researchers, Ari Juels and Thomas Ristenpart, from the University of Wisconsin Madison, have come up with a new encryption system called “Honey Encryption”.