Tag Archives: encryption

Supporting Reset the Net & Free Software for End-to-End Encryption

SpiderOak Supports Reset the Net and free software for end-to-end-encryption June 5Today, June 5, just a year after one of the most significant leaks in U.S. history by Edward Snowden, SpiderOak joins Reset the Net and hundreds of thousands of others to protect our privacy and freedom from government mass surveillance.

Our CEO, Ethan Oberman, had this to say about Snowden and the campaign:

The Snowden revelations not only raised the level of awareness around privacy but also intrinsically changed the way people think about their online presence. It is wonderful that there is more awareness around this issue and even more wonderful to see the advancements that companies have made in the past year, especially around data encryption. The Reset the Net campaign will help drive the dialogue forward, leading to a future in which we are able to set new, higher standards for privacy. We are proud to support this campaign and honored to participate in the worldwide movement toward a more free and secure Internet.

Here are some ways to better protect yourself against mass surveillance…

SUPER-EASY ENCRYPTION TOOLS:

These free tools let you talk, chat, and text with privacy.

  • Adium & Pidgin for private (OTR) chat over Gtalk, Facebook, Yahoo, MSN, XMPP / Duck Duck Go and others
  • Textsecure and Redphone for Android and iPhone (we hope), for private SMS and voice calls
  • HTTPS Everywhere for browsers
  • GPGtools and Enigmail (as a bonus for more sophisticated users)
  • TOR (as a bonus for sophisticated users or those with anonymity needs)

(One important note on the inclusion of Pidgin, Adium, and OTR: if you believe you may be the specific target of surveillance, these aren’t the tools for you. Pidgin has had a large number of remotely exploitable vulnerabilities recently, and auditors looking at the code believe there are likely to be many more. Still, these tools are effective against passive mass surveillance, and they’re unusually easy to use.)

THIS OFFER EXPIRED ON JULY 6, 2014.

5 FREE GBS
  • If you’re already a SpiderOak user (free or paid), get your additional 5GBs by sending an email toerin[at]spideroak.com with the subject ‘Reset the Net 5GB’. You MUST include your username in the message. (I will collect usernames and apply your 5GB in July, no later than July 11). 
  • If you don’t have a SpiderOak account, sign up for a new SpiderOak account and enter the promo code resetthenet. You should have 5 free GBs! If you have any issues, send us a note at support@spideroak.com.
TO GET 33% OFF
  • If you’re a completely new SpiderOak user, sign up for a new SpiderOak account and after you download the client, choose ‘BUY MORE SPACE.’ Then choose ‘UPGRADE PLAN’ and select the plan you want. Enter the promo code resetthenet for your 33% off! Enjoy.
INSTRUCTIONS FOR EXISTING USERS:
  1. In the client choose ‘BUY MORE SPACE’, or in the web login, go to your Account page and select “Upgrade Plan”
  2. Choose YEARLY and type in promotional code resetthenet
  3. Finally, select “Next” and “Submit Order”
  4. Congrats! Enjoy your 33% off.

*If you already have a paid account, you will have to complete this payment process. However, your account will pro-rate. PayPal users will need to cancel their existing subscription and create a new one.

DEVELOPERS

We need you to build privacy into your apps! It’s the only way to make privacy scale. Check out Crypton. It’s the first application framework that provides a foundation for building ‘Zero-Knowledge’ cloud products. It allows developers to provide customers a truly private storage and collaboration environment with no access to unencrypted customer data, without having to rely on 3rd party security layers or post development hacks.

Finally, we encourage you to watch this video to learn more about Reset the Net. Support the movement on social media by sharing calls for greater privacy and security under the campaign hashtag #ResetTheNet.

No Knowing November

No matter where you consume the news, there is no escaping the revelations continually coming out of PRISM and MUSCULAR and their impact around the globe. At its root, it uncovered a dangerous problem – privacy online is indeed threatened at every level.

Since its inception in 2007, SpiderOak has been focused on preserving our users’ privacy through the implementation of ‘Zero-Knowledge’ technologies – the privacy-first orientation that ensures the server never knows what data it is storing. How is this accomplished? By never storing the encryption keys and therefore never having plaintext access to the data. Ultimately, this is the only way to give ownership and control back to the user and – thus – ensure privacy throughout the process.

Back in January – when everyone was talking about the importance of security – we had the foresight to call 2013 the Year of Privacy. As we have seen, security only solves half of the problem. When a company retains the keys to the data, it also maintains the ability to access it. The access can then be used in a number of damaging ways as has been exposed back in June.

SpiderOak, Zero Knowledge, Privacy, No

Help us make this month NO KNOWING NOVEMBER by sharing this critical message on privacy through ‘No Knowing!’

WANT TO SHARE?

  • Promote privacy through #NoKnowing
  • Use any of our ‘No Knowing’ images

NSA & The Rise of Cryptography

You might think that the NSA would back off of their rampant citizen spying programs after the enormous international backlash against the PRISM program. Unfortunately, it doesn’t seem that assuaging public rage is on the NSA’s docket. Recent revelations published by the Guardian indicated that the NSA and UK’s GCHQ have continued to broaden digital espionage programs. Privacy advocates are fighting back through legislation, but the best way to protect your digital rights in the meantime is to exclusively upload to a secure cloud provider that offers both data privacy and user anonymity.

NSA & Cryptography Image from fcw.com

According to files published by the Guardian, the NSA spends over $200 million annually on a programs which seeks to “covertly influence” technology product designs. Additionally, the NSA has allegedly been involved in a decade-long program that enabled Internet cable taps. Over in the UK, a GCHQ team is developing a way to crack the encryption efforts of Facebook, Google, Yahoo, and Hotmail. In a leaked GCHQ document from 2010, the joint intent to crack encrypted data was made public. The document states, “For the past decade, NSA has lead [sic] an aggressive, multi-pronged effort to break widely used Internet encryption technologies. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.” This has troubled both privacy advocates and libertarians that feel their digital rights are being infringed. According to Bruce Schneier, Harvard fellow at the Berkman Center for Internet and Society, “Cryptography forms the basis for trust online. By deliberately undermining online security in a short-sighted effort to eavesdrop, the NSA is undermining the very fabric of the internet.”

Bruce Schneier photo from Wired.com

Cryptography researcher Matthew D. Green of Johns Hopkins University agrees that attempting to build and implement such backdoor spying programs is dangerous. According to Green, “The risk is that when you build a back door into systems, you’re not the only one to exploit it. Those back doors could work against U.S. communications, too.” Other countries and spies could use these programs against our own national interest, especially given that the Snowden and Manning Leaks show that the government doesn’t quite have a good handle on its sensitive data. As law professor James Grimmelmann says, “Start from the point that if the NSA had competent security, Snowden wouldn’t have been able to do a tenth of what he did. You give sysadmins privileges on specific subsystems they administer. And you do not give them write access to the logs of their own activity. The NSA should be grateful that Snowden got there first, and not the Chinese.”

Other privacy advocates and cryptographers feel disheartened, as all of this just seems like a regurgitation of the same played out debates over the NSA Clipper Chip encryption back door program proposed in the 1990s. Cryptographer and SSL protocol designer, Paul Kocher, expressed his frustration with the current debacle. In regards to the NSA’s attempts at creating an encryption backdoor, he said, “And they went and did it anyway, without telling anyone. The intelligence community has worried about ‘going dark’ forever, but today they are conducting instant, total invasion of privacy with limited effort. This is the golden age of spying.”

Snowden’s NSA Cryptology Leak from Wired.com

This should send anyone who is scared toward proper encryption and secure cloud services. For as Edward Snowden recently asserted, “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.” Along with proper encryption and exclusive storage and syncing with a secure cloud service, Bruce Schneier offered the Guardian five simple steps to stay secure despite NSA surveillance programs:

1) Hide in the network.

2) Encrypt your communications.

3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA – so it probably isn’t.

4) Be suspicious of commercial encryption software, especially from large vendors.

5) Try to use public-domain encryption that has to be compatible with other implementations.

Staying Safe With SpiderOak

For most users, finding a truly protected third party cloud service can be a challenge as many “secure” services on the market have security gaps that leave data and private info wide open to third party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that photos, files, and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access.

How SpiderOak Shields You From PRISM

Cloud companies have been scrambling to provide consumers with guaranteed protections from hacking and legal snoops after the public fallout occurring as a result of the NSA’s PRISM program leak. As governmental organizations like the NSA continue to snoop on citizens, cloud services like SpiderOak continue to up the ante in privacy protections and data security. SpiderOak shields users from PRISM through strong encryption and the fact that only users host encryption keys. The company also recently rolled out a plan to accept bitcoin and continues to update its celebrated Crypton privacy framework.

SpiderOak & Prism

Recently, reports on intelligence budgets show that governmental agencies are ramping up efforts on citizen spying. Roughly $11 billion is allocated to the Consolidated Cryptologic Program, which Director of National Intelligence James Clapper says is part of an exploration “in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit Internet traffic.” The details of the program are still confidential, which has caused much justified paranoia in the online community. Google Cloud Storage is just one company that is trying to fight back against lack of public confidence following the PRISM leaks. With a 128-bit Advanced Encryption Standard (AES) and encrypted keys, the company seeks to win back consumer trust. Unfortunately, this doesn’t go far enough.

128-bit encryption is relatively weak when more secure companies like SpiderOak can offer 256-bit encryption. Furthermore, the company keeps a master encryption key that is supposedly rotated. According to Google, “We provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and we frequently push back when the requests appear to be fishing expeditions or don’t follow the correct process. When we are required to comply with these requests, we deliver it to the authorities. No government has the ability to pull data directly from our servers or network.” But this explanation falls flat on its face when considering the fact that a simple subpoena would allow the government to access files using Google’s master key. With SpiderOak, users hold their keys so that the company can’t access your data even if it was asked to by the law.

Wikipedia Security Measures

 

Another company fighting back against privacy breaches is Wikipedia. The free research site promises to protect user privacy through HTTPS security protocols. According to a statement, the company “believes strongly in protecting the privacy of its readers and editors. Recent leaks of the NSA’s XKeyscore program have prompted our community members to push for the use of HTTPS by default for the Wikimedia projects.” While this is a promising step in the right direction, it’s just one example of a company proactively doing the right thing by protecting user privacy.

SpiderOak CEO Ethan Oberman

Another way to protect privacy online is through the use of the secure digital currency, bitcoin. Very few cloud companies accept bitcoin, which makes SpiderOak’s recent efforts to allow for bitcoin payment all the more revolutionary. According to SpiderOak spokesman Daniel Larsson, “The potentially anonymous and proof-centric nature of cryptographic currencies certainly ties into our overall messaging. Based on all of the above, it seems rather natural to at least start experimenting with cryptocurrencies as a form of payment. The choice of bitcoin was easy as it is the most widely adopted cryptocurrency and is also the only one directly exchangeable for fiat (USD), should we decide that we want to move towards larger scale acceptance.” While the bitcoin program is just in its initial pilot stages, security concerns are sure to push consumers towards the private currency.

One of SpiderOak’s strongest selling points is in its privacy platform. The company’s Crypton framework allows for private storage, sync, and development. CEO Ethan Oberman says, “Previously, privacy could only live in the belly of a downloaded client which limits adoption and creates obstacles — especially as the world shifts toward the web. Now armed with a way to push privacy further into the web than previously possible, the Crypton framework can serve as a necessary cornerstone in the development and continued advancement of this new privacy platform.”

How to Guard Your Privacy & Shield Your Identity With SpiderOak

For most users, finding a truly protected third party cloud service can be a challenge as many “secure” services on the market have security gaps that leave data wide open to third party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides colleges with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak Blue is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access.

Risk Free BYOD: Keeping Convenience & Security

If you haven’t yet heard of BYOD, you soon will. The growing policy trend is transforming work culture around the world and will likely become the next standard for workplace technology. BYOD stands for Bring Your Own Device, meaning that offices with this policy allow or require employees to conduct official work on their personal devices such as laptops, tablets, and smartphones. Enabling BYOD has allowed enterprises and businesses to appeal to top-tier candidates while establishing a more flexible office culture. However, BYOD policies don’t come without their risks, as unsecured devices could become sources of hacking, malware, and leaks. But with a private third party cloud service, companies can permit employees to use their own devices without having to sacrifice data security.

BYOD Policies & the Cloud

Image courtesy of business.bt.com

According to a survey of CIOs conducted by Gartner about 40% of enterprises will stop providing devices to employees by 2016. Instead, almost half of major enterprises will rely on BYOD policies to conduct business. The technology behind this rapidly growing trend is secure cloud storage. According to CTO and founder of iSpaces, Dermot Doherty, cloud computing creates “the framework from which BYOD can function. It also eases the burden from IT departments to find proper devices for their employees, manage service plans, and maintain the latest software and hardware upgrades.” Furthermore, Doherty asserts that cloud storage offers “a safe and manageable storage place for company information that is not stored on any particular device, but merely accessible from it.” But in order to capitalize on the benefits of Bring Your Own Device policies, “Companies need to change their current hardware security policies to accommodate BYOD, while utilizing the latest cloud-based services to manage their information,” says Doherty.

Employees & BYOD

Image courtesy of baselinemag.com

BYOD policies are also transforming the world of higher education. A recent survey of higher education CIOs shows that about a quarter of respondents already have BYOD policies in place at their college. Such policies also enable work from home positions and a more mobile workforce. With the cloud and BYOD, some businesses can do away with traditional office spaces altogether, interacting over the Internet and phone when needed. Through this new trend, companies can also tap the skills and resources of workers from all over the world, letting enterprises competitively shop for the best skills at the best price. To many modern workers time and comfort are just as important as salary and benefits. Ultimately, those businesses that can offer the greatest flexibility will be able to keep employee morale high, resulting in greater personal investment and more productivity.

When considering rolling out new BYOD policies, it’s important to secure sensitive company data exclusively on a private cloud. Otherwise, corrupted employee devices could spread malware throughout company infrastructure. Disgruntled employees and hackers can take advantage of loose BYOD policies to wreak havoc on company data and infrastructure. But instead of holding onto ancient office policies forbidding private devices, enterprises and businesses should seek out cloud services that offer user anonymity and strong data encryption. That way, even in this case of a security breach, sensitive company data would be protected. And don’t allow employees to upload company data to any other clouds, as many free public cloud services are highly vulnerable to data mining and hacking. IT departments should insist on universal cloud standards as a security measure in any BYOD policy.

BYOD Today

Image courtesy of tuinnovates.com

BYOD in the Private Cloud

For many enterprises, finding a truly protected third party cloud service can be a challenge as many “secure” services on the market have security gaps that leave private corporate and consumer data wide open to third party attacks and even governmental spying, in the light of the ongoing NSA PRISM scandal. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides enterprises with fully private cloud storage and sync, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak Blue is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server.

SpiderOak protects sensitive enterprise data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, consumers can rest easy knowing that their data is truly protected and brands can gain diehard customer loyalty by publically securing consumer information. SpiderOak Blue’s cross-platform private cloud services are available for enterprises on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full BYOD flexibility.

Lock it Up: Security Onsite & in the Cloud

After the fallout of the NSA PRISM scandal, companies have flocked to encryption services in droves. But many major enterprises still hesitate to fully protect their data. A recent Kaspersky Lab and B2B International survey of over 5,000 senior IT managers found that 35% of participating companies don’t properly encrypt data onsite, leaving massive gaps that expose sensitive consumer and corporate data to a security breach. Leaks, corporate espionage, and governmental snooping can permanently damage a brand, so companies looking to leverage technology in their favor stay ahead of the competition by encrypting sensitive data and utilizing private third party cloud services for storage and sync.

Onsite Encryption

Image provided by macobserver.com

Encryption technology has come a long way. In 1995, A U.S. intelligence official reported that “The ability of just about everybody to encrypt their messages is rapidly outrunning our ability to decode them.” Now, the National Security Agency has developed ways to tap into central servers to mine for mega data on consumers under the guise of security protocols in the war on terror. In the controversial PRISM program, the NSA has seized, stored, and analyzed big data on millions of consumers. But consumers and enterprises that trust their data to a truly private cloud service can have peace of mind knowing that even in the case of a subpoena or governmental snooping through PRISM, all that U.S. spies would be able to see are unreadable blocks of data. This is because encryption goes hand in hand with encryption keys, which are the catalyst for decoding encrypted blocks of data. According to the Princeton University computer scientist Ed Felten, “A key is supposed to be associated closely with a person, which means you want a person to be involved in creating their own key, and in verifying the keys of people they communicate with.” Many cloud services host plaintext data as well as encryption keys, which means that the company has access to information that some consumers and enterprises might think are private. So it’s important to choose a third party cloud service that doesn’t store plaintext and that uses peer-to-peer encryption with keys exclusively stored on approved user devices or servers so that the company doesn’t even have a copy.

PRISM Program

Image courtesy of idownloadblog.com

According to the Electronic Frontier Foundation’s Seth Schoen, the NSA scandal should be of concern to all users and enterprises. Some might not see any problem with governmental access to such mega data like IP addresses and phone logs, but even such seemingly innocuous information could be used to exploit and even blackmail citizens, consumers, and enterprises. And according to Justin Johnson of Late Labs, the PRISM controversy “is an important reminder that what we share online and communicate to others via technology can, and sometimes will, be seen by people that we didn’t intend to see it.” Both enterprises and consumers must be proactive in securing their sensitive data, for as John Simpson, Director of the Privacy Project at Consumer Watchdog, says, “These tech companies, and the government, know more and more about people’s private lives.”

Aaron Swartz, co-creator of Strongbox

Photo courtesy of ProgressiveVoices.com

Such a climate has sent a wave of paranoia through the web community as enterprises scramble to right truly private solutions in an attempt to win loyalty through positioning themselves as liberty and privacy advocates. One such attempt can be found in The New Yorker’s Strongbox. In an age when reporters have to worry about being monitored and whistleblowers can’t be assured of protections, Strongbox allows people to post tips and stories with a general amount of anonymity. The private uploading service operates like a private cloud and was developed on the open-source code DeadDrop by Kevin Poulsen and Aaron Swartz. Such steps show a high market demand for services that offer true data privacy and user anonymity.

Protecting Corporate and Consumer Privacy

But finding a truly protected third party cloud service can be a challenge as many third party cloud services on the market have vulnerabilities that leave private corporate and consumer data wide open to third party attacks and even governmental spying. One cloud storage and sync company that sets itself apart from the rest of the market is SpiderOak for general users and SpiderOak Blue for enterprises. This service provides users and enterprises with fully private cloud storage and sync, featuring all of the benefits of the cloud along with 100% data privacy, so even in the case of a PRISM breach all the NSA would seize is unreadable blocks of data.

SpiderOak protects user and enterprise data through two-factor password authentication and 256-bit AES encryption so that all files and passwords stay private. Authorized accounts can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data whatsoever. This way, even if the PRISM program is allowed to continue, consumers and enterprises can relax knowing that their data and brand is fully protected. SpiderOak’s cross-platform private cloud services are available for users and enterprises on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices.

Screen Shot 2013-06-17 at 5.28.13 PM

Securing Your Mail From Site to Site

Many of you know how to secure your email between your mail client and your computer. But if you run your own mail server, did you know you can secure email between servers? Many servers support TLS encryption for outgoing connections, which will protect your mail between your server and the next one. For my favorite mail server, Postfix, add this to your main.cf:

smtp_tls_security_level = may

This will enable “opportunistic” TLS for outbound connections, meaning it will use encryption if the remote server supports it, otherwise it will transmit it unencrypted. If you’re really paranoid and don’t want to talk to servers that don’t support encryption, you can change may to verify or secure to ensure that the remote end uses encryption.

To ensure that your server listens for TLS requests, add this:

smtpd_tls_security_level = may
smtpd_tls_cert_file = ...
smtpd_tls_key_file = ...

Note the small difference between smtp_... and smtpd_. The cert and key parameters configure your SSL certificate. You can also use encrypt here instead of may to force encryption for clients, but this isn’t recommended for a public Internet server.

By default, if Exim is compiled with TLS support, it will attempt TLS for outbound connections. If you want it to accept TLS, though, you’ll have to set:

tls_advertise_hosts = *
tls_certificate = ...
tls_privatekey = ...

It’s important to note that even with these configurations, you can’t guarantee that your mail is completely encrypted in transit, since your mail could be transmitted between several servers. It also doesn’t prevent eavesdropping on the servers themselves. If you want to ensure that only the recipient can read your mail, you should use something like PGP.

I’ll leave other mail servers as an exercise to the reader. Feel free to post further configuration or notes in the comments!

Security, Privacy & Encryption 101 Roundup

As you know, privacy and security is not something we take lightly. In our efforts to help educate our fellow humans on their importance and the role they play in our lives on and offline, we’ve compiled the below list of recent news, resources and tips.

[For the past few weeks we’ve focused on encryption. If you missed them: Just Because It’s Encrypted Doesn’t Mean It’s Private and Encryption 101.]

If you would like to share links or resources we’ve missed, we encourage you to do so below.

May Highlight

Education

News & Information

Breaches

Tools

Interesting Reads

Comics

Tips

  • Don’t send sensitive information over the Internet before checking a website’s security
  • Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net)
  • Install and maintain anti-virus software, firewalls, and email filters to reduce suspicious traffic
  • Don’t use passwords that are based on personal information that can be easily accessed or guessed
  • Use both lowercase and capital letters in your passwords
  • Use different passwords on different systems
  • Do business with credible companies
  • Do not use your primary email address in online submissions
  • Devote one credit card to online purchases
  • Encrypting data is a good way to protect sensitive information. It ensures that the data can only be read by the person who is authorized to have access to it
  • Use two-factor authentication if available (coming soon to SpiderOak)
  • Back up all of your data on a regular basis

Just Because It’s Encrypted Doesn’t Mean It’s Private

Now that you’ve got a handle on what encryption is and what it can do, it’s important to understand what it can’t do.

Encryption is a tool, and like any tool, it can be used improperly or ineffectively. It may sound a bit strange for us at SpiderOak to disclaim the benefits of encryption, but I hope to show that while encryption is necessary for privacy, it’s not always sufficient.

One prime example of the utility of encryption is HTTPS. By wrapping encryption around regular HTTP, engineers have created a powerful tool for securing content both delivered to you and provided by you. But HTTPS only protects content while it’s in transit. HTTPS will protect your credit card numbers as they travel over the internet to a merchant, but once they arrive on the other end, they’re no longer encrypted and it’s up to the merchant and credit card providers to protect them. Credit card providers and banks have developed PCI DSS regulations to tightly specify the security of credit card processing, but as the frequency of credit card breaches demonstrates, these regulations aren’t sufficient to guarantee privacy.

Another great cryptographic tool is Full Disk Encryption. Whether built-in to your computer hardware or provided by software like TrueCrypt, FDE protects the contents of your hard drive by encrypting every last bit. Anyone who steals your hard drive will find it completely unreadable. But while you’re using the drive, it is readable. While you have your computer on and the drive unlocked, any malicious piece of software running on your computer will find all of your data fully readable. FDE is a valuable tool, but it can only guarantee privacy while the disk isn’t in use.

Privacy is a complex problem that requires attention to many details, one of which is encryption. We’ve tried our best to provide you with the best privacy possible for your important data. If you’re interested in more details about how we protect your privacy, please read our Engineering page. And feel free to ask us about it, we’re always willing to brag!

Hashed and Salted but Still Not Safe: Protected Password Storage

In April 2013, the popular website LivingSocial was attacked, revealing sensitive consumer information held on the company’s servers. In an email sent by the company to users, LivingSocial acknowledged, “The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords – technically ‘hashed’ and ‘salted’ password.” To further calm customer fears, they added, “We never store passwords in plain text.” While, reassuring on the surface, relying on salted and hashed passwords really doesn’t provide the protections that many companies claim.

Hashing and salting is a basic security standard

Image Courtesy of ReadWrite.com

50 million LivingSocial passwords were stolen, due to inadequate security measures. The company hashed passwords with “SHA1 using a random 40 byte salt”.  This means that LivingSocial’s system encrypted customer passwords through a popular algorithm, transforming plaintext passwords into unique strings of data called a “hash”. Then, to further jumble the encrypted password, the system adds a random mess of characters called a “salt”, which makes the password longer and more complex. The problem with this common method of password “protection” is that the SHA1 is too popular and weak, especially for a company with as large of a consumer database as LivingSocial.

Password hashing

Image courtesy of Filosophy.com

This watered down security measure is simple to exploit. One way hackers could have taken advantage of the breach in LivingSocial’s system is by bruteforcing the password hashed in the company’s database. This involves cycling through characters in each letterset using a hashing algorithm like MD5, until the attackers crack a user’s encrypted password.

To make this process faster, like in the case of the 50 million hacked passwords, attackers use rainbow tables to analyze the data. Rainbow tables contain all possible passwords, so shorter and less complex passwords are the first and easiest ones to crack. While salting and hashing have become the standard method of password encryption, all this really does is make the password longer and more complex. This means that hackers can still crack user passwords, especially when weak algorithms like SHA1 are relied on. The complexity of encrypted passwords just makes the cracking process longer.

Brute forcing

Image courtesy of Filosophy.com

This recent security breach is just one example of a chronic failure in the market to address privacy concerns and adequately protect sensitive user data. Just last year, user credentials from companies like eHarmony, Yahoo, and Formspring were hacked due to gaping security vulnerabilities. Through such examples it is obvious that merely going with the standard route of encrypting passwords by hashing and salting just doesn’t cut it. Recently, the note taking service Evernote was also breached, revealing sensitive data on 50 million users. With just the instances of LivingSocial and Evernote, over 100 millions users have had their personal information seized and exploited in the past year. And a cursory glance at the daily news reveals just how widespread issues of cyber security have become.

50 million Evernote passwords were hacked

Image courtesy of PCGerms.

Consumers that have since taken their online privacy for granted have woken up to the fact that they can’t rely on anyone but themselves to proactively keep their data safe. As a result, a drastic shift in the market is in store as users continue to reward companies that take extra precautionary measures to protect their information. As just about every sector of industry makes the switch to cloud storage and sharing for the sake of cost and convenience, protecting your privacy from attack and exploitation has become more important than ever.

Some simple steps to better encrypt your password can help complicate the cracking process in the event of a breach. One way to help bolster the standard encryption process of hashing and salting is by making a complicated password longer than twelve characters using as many random symbols as possible. When hashed and salted, this extra-complicated password will take much longer to crack, hopefully frustrating potential attackers to the point of moving on to a less difficult encryption.

But even complicated encrypted passwords won’t do much to keep you truly safe. Think of it like putting a simple lock on your car, it’s a stand precautionary measure, but it won’t do much to thwart a truly skilled thief. And in this day and age, just about any hacker with enough time and initiative can take advantage of the security gaps left by only using hashed and salted password encryption. And once a user’s encrypted password hash is cracked, attackers can try to break into other accounts held on other websites, exploiting the common fact that many users still use the same password for multiple sites and services.

True Privacy

Most popular “secure” cloud services are still vulnerable to third party attacks. To truly experience privacy for your individual or business needs, an anonymous cloud storage and sharing service like SpiderOak provides all the benefits of the cloud while protecting against hacking and security breaches.

Users can store and sync sensitive files with 100% privacy, as SpiderOak has “zero-knowledge” of consumer data given the company cannot access the plaintext encryption keys. This means that you and only you have access to your password as SpiderOak employees can never see your plaintext encryption keys (or password). Instead, this data encryption key (or password) is exclusively stored on each user’s computer. This way, every bit of consumer information, right down to the password, is kept private and anonymous.