Sunday, February 16, 2014

How secure is "Dropbox"?

Basic Overview and Awareness to Secure Your DropBox Account!

What's Dropbox?

Dropbox is a free and extremely easy-to-use tool for sharing files, photos, and videos, and syncing them among your devices. You can also use Dropbox to back up files and access them from other computers and devices (including smartphones and tablets), with dedicated apps for each device you own running Android, Mac Linux, Blackberry or iOS platform.

Dropbox is especially good for backing up your files online, although the biggest barriers to this are the size of your backups. You get 2GB free with Dropbox, or you can choose 100GB, 200GB, or 500GB with a monthly fee. There are also business plans that start at 1TB for five users. You’ll just have to make sure that the files you want backed up live in the Dropbox folder.

Dropbox also has the ability to share files with others. And, if your computer melts down, you can restore all your files from the Dropbox website.

Is Dropbox "Safe" to use?

The move on hosted services like Dropbox storage site raises questions about what cloud users can and should do to keep their information and data secure and compliant.

Cloud security drew attention in 2012 with Dropbox’s admission that usernames and passwords stolen from other websites had been used to sign into a small number of its accounts.

A Dropbox employee had used the same password for all his accounts, including his work account with access to sensitive data. When that password was stolen elsewhere, the attacker discovered that it could be used against Dropbox.

This was a powerful reminder that users should rely on different passwords for each secure site and service.

Also, VentureBeat reported that the Dropbox iOS app was storing user login credentials in unencrypted text files—where they would be visible to anyone who had physical access to the phone.

What Encryption does Dropbox use?

Dropbox claims:
At Dropbox, the security of your data is our highest priority. We have a dedicated security team using the best tools and engineering practices available to build and maintain Dropbox, and you can rest assured that we’ve implemented multiple levels of security to protect and back up your files. You can also take advantage of two-step verification, a login authentication feature which you can enable to add another layer of security to your account.
When it comes to encryption methods Dropbox use, they state that:

  • Dropbox uses modern encryption methods to both transfer and store your data.
  • Secure Sockets Layer (SSL) and AES-256 bit encryption.
  • Dropbox website and client software are constantly being hardened to enhance security and protect against attacks.
  • Two-step verification is available for an extra layer of security at login. You can choose to receive security codes by text message or via any Time-Based One-Time Password (TOTP) apps, such as those listed here.
  • Public files are only viewable by people who have a link to the file(s).
Dropbox uses Amazon’s Simple Storage Service (S3) for storage, which has a robust security policy of its own. You can find more information on Amazon’s data security from the S3 site or, read more about how Dropbox and Amazon securely stores data.

How to Secure your Dropbox account?

Popular cloud storage service Dropbox, had a history of security problems, ranging from compromised accounts to allowing access to every Dropbox account without requiring password.

When and if you decide to use cloud services like Dropbox, the following three basic steps can help you protect your data:

  • Apply web-based policies using URL filtering, controlling access to public cloud storage websites and preventing users from browsing to sites you’ve declared off-limits.
  • Use application controls to block or allow particular applications, either for the entire company or for specific group.
  • Automatically encrypt files before they are uploaded to the cloud from any managed endpoint. An encryption solution allows users to choose their preferred cloud storage services, because the files are always encrypted and the keys are always your own. And because encryption takes place on the client before any data is synchronised, you have full control of the safety of your data.You won’t have to worry if the security of your cloud storage provider is breached. Central keys give authorized users or groups access to files and keep these files encrypted for everyone else . Should your web key go missing for some reason—maybe the user simply forgot the password—the security officer inside the enterprise would have access to the keys in order to make sure the correct people have access to that file.
How to secure your Dropbox account?
  • Enable Two-Step Verification - With two-step verification enabled, you’ll have to enter both your password and a security code from your mobile phone whenever you sign into the Dropbox website or add a new device to your account. Even if someone else knows your Dropbox password, they won’t be able to log In without the time-sensitive code from your phone.
  • Unlink devices you don’t use and view web sessions.
  • Get email notifications - Ensure email notifications are enabled so you’ll receive emails when new devices and apps connect to your account.
  • Manage linked Applications – Third-party apps often require full access to your Dropbox account, and the app retains access even if you stop using it. If the app itself is compromised or starts behaving maliciously in the future, it will be able to do damage.
  • Don’t reuse your passwords – You should use a unique password for your Dropbox account, one that you haven’t used for any other services.
  • Encrypt your Dropbox files – To protect yourself and ensure your sensitive files remain secure, you can encrypt the files you store in your Dropbox account. To access the encrypted files, you’ll need to know the encryption password – anyone without the encryption key will only see random, jumbled nonsense data.

Saturday, February 15, 2014

Four "Basic" Ways To Protect Company Data

Breach at Target appears to have started with a malware-infected email!

Target Corp. and other large retailers have made the news due to data breaches, but businesses of all sizes need to make sure they have up-to-date policies and procedures to protect private data.

The breaches at Target highlight how important it is for organizations to know how secure their networks are?

Here are four measures businesses should take to ensure their data stays private.
  • One obvious way is to make sure your business' security software is up to date and working "to make sure you don't leave holes in your technology.
  • Do you have policies and procedures in place for how employees interact with the business' server and network? Such measures include making sure employees have strong passwords for their computers and other devices, keeping their machines updated with the latest anti-virus protection and providing them with general awareness on things to watch out for, such as phishing messages (scams that ask people to give out personal information or prompt a person to click on a link that will infect their computer with malware).
  • Make sure that employees have safeguards on the personal devices they use to connect to the company's network.
  • Don't forget security measures for paper records.

Saturday, February 8, 2014

The Internet of Things

"The Internet of Things" is now finding its way into mainstream conversation!

Once a term used mostly by MIT professors and those steeped in the privacy and security field, "The Internet of Things" is now finding its way into mainstream conversation. Loosely defined as the practice of equipping all objects and people in the world with wirelessly connected, identifying, computing devices, the term represents what could be a hugely transformational way of life.  

At one time, "The Internet of Things" probably sounded like science fiction; but today, it's becoming very real. Here are a few examples of where you can literally see, hear and almost feel this phenomenon occurring in some very ordinary places:
  • TRENDnet marketed its SecurView video cameras as "secure." In fact, the cameras had faulty software that allowed anyone with the cameras' Internet addresses to hear and see what the cameras were capturing. In fact, more than 700 were hacked, creating live-streams of private locations and private moments online for the world to hear and see.      
  • Google possesses possibly more data about consumers' online activities than any other organization (Facebook, Microsoft, IBM would probably be close behind.). Now it seems, the Internet giant is on track to know as much about your offline behavior. The company recently purchased Nest, which makes "smart" thermostats and smoke/fire alarms that track indoor-activity data. They have stated they plan to create many more of these types of smart gadgets. How much personal information will Nest share with Google, and how will that information be used?
  • A range of smart-home and smart-car technology allows consumers the ability to control access and features of their houses and vehicles. But who else might gain the same level of control? And what will happen when "smart" cars and appliances can function on their own without human intervention? As this Guardian article contends, they will certainly be tempting to hackers.

Sunday, February 2, 2014

Cybersecurity in the age of "Surveillance"

How to assure that your network and its data are being guarded by a trusted partner?

The collection of information generated from the online activities of citizens, by both private and public interests, has become so widespread and pervasive that it has prompted several social commentators to label today’s digital-defined culture as “The Surveillance Age.”

The fact that nearly every sovereign state with the means is conducting high-tech surveillance programs, a practice that is considered by most to be integral to national security and ensuring the safety of the state and its citizens. For many observers, the most disconcerting component of the recently exposed data-collection activities of the National Security Agency was tied to multiple U.S. companies may have cooperated in the surveillance activities.

The possibility that trusted businesses could be leaving digital backdoors through which sensitive information could slip has cast a chill across both consumer and professional market sectors. This issue is not for us to speculate here; however, given the interest it has attracted, it would be valuable to share some fundamental information about mobile security, as well as some guidance to assure that your network and its data are being guarded by a trusted partner.

A key element of security is encryption technology, which is critical to protecting the confidentiality and integrity of a digital transaction between two endpoints, such as a mobile device and a corporate server located behind a firewall. Providing an integrated approach to mobile security, in which data is encrypted while at rest (stored on a digital device) or in transit, is the best protection against the loss of data or a security breach that could impact the profitability, competitiveness, or reputation of an organization. Strong encryption guards against data integrity compromises in these environments, which are typically treated by network engineers or mobile security experts as hostile and untrustworthy

It’s important to note that encryption technologies differ significantly in the degrees of protection they offer. To gain a deeper understanding of encryption requires an introduction to a few esoteric cryptography terms. One of those terms is entropy, which plays a significant role in determining the effectiveness of a modern encryption system. At a very high level, entropy is a measure of how much randomness you have. Simply put, the more entropy you have the more effective your encryption can be. Consider the differences between seeking a needle in a haystack and looking for one hidden in an acre’s worth of haystacks. The procedures are essentially the same; it’s the level of difficulty and complexity that differs substantially between the two scenarios. 

Any discussion related to digital intrusion or surveillance has to include spyware, which is a form of malware. Businesses or organizations using mobile devices that have open development platforms are especially susceptible to attempts to exploit users through spyware. It is also a favorite tool of cyber criminals, who are increasingly targeting mobile devices as access points into the confidential data of organizations for purposes that range from nuisance to nefarious. 

Disguised within a consumer application, malware can be used to gain access to personal information, for anything from marketing to identity theft to compromising corporate data. This real and growing threat requires security solutions that properly safeguard the privacy of governments, enterprise workers, and individual users.

The fact that the number and utility of mobile devices will only increase means that the boundaries of the modern organization are being stretched to include hundreds or even thousands of mobile end points possessing access to the most precious assets, such as intellectual property and other sensitive information.

Security in this environment cannot be an afterthought. It must be built in at every layer -- hardware, software, and network infrastructure -- to ensure end-to-end protection. With the stakes so high in “The Surveillance Age,” it’s imperative that you demand "confidentiality & integrity" commitment from every partner you trust with your information.