Tag Archives: security

Protecting Medical Records in a New Era of Health Insurance

Courtesy of Greg Harbaugh/Feature Photo Service

With the healthcare system undergoing numerous changes, it’s important to make sure medical data is secure.

Enterprises have scrambled to stay ahead of new regulations brought about by the Affordable Care Act, otherwise known as ObamaCare. The healthcare industry, however, is the most directly impacted by the law, as healthcare providers and insurance companies must prepare for an influx of new patients and a more widely insured populace. But as the insurance pool broadens, risk will be compounded as medical records and sensitive data become a brighter target for hacking and leaks. The best way to protect medical data in this new era of mandatory health insurance is through secure cloud storage and sync services that offer 100% data privacy and user anonymity. Anything less than full data privacy and security for medical records could result in damaged brands, exploited information, and increasingly costly HIPAA fines.


Digital Currency Concerns: Bitcoin Security in the Cloud


Bitcoin digital currency has been the focus of some attacks, but will it still gain traction among large enterprises?
Image Courtesy of Flickr User anatanacoins

For tech-savvy early adopters and enterprises seeking to stay ahead of technological innovations, Bitcoin has been presented as if it were a digital gold mine. This decentralized digital currency works through value transfers that are not yet regulated by any country, corporation, or bank. Bitcoin isn’t backed up by solid assets, so value tends to fluctuate with user investment, jumping from $150USD to $1,000USD in just a matter of months. While many enterprises have stayed away from Bitcoin use or investment until the legal issues are all cleared up, those that want to stay ahead of the curve can still take advantage of the currency while keeping their assets safe through private key storage and sync with a secure cloud service.


Generational Risk: Millennials & Data Security

IT, Finance, & The Threat to Data Safety.
Image Source: Softchoice

Millennials are typically seen as the go-to generation for all things tech-related. So it may come as a big surprise that recent surveys indicate that lax generational views toward data security could jeopardize the safety of your enterprise’s data. This flies in the face of the recent trend of reverse mentoring, in which younger workers share their tech habits with older workers. When it comes to bad habits, such practices could cause entire organizations to adopt unsafe data storage and syncing techniques, leaving sensitive corporate information open to attack or leakage.

The best way to protect such data is through strong internal systems and the adoption of secure storage and sync services. A recent survey put out by Softchoice is changing the way enterprises view their Millennial workers. According to the research, 28.5% of 20-somethings have their passwords kept in plain sight. This is in comparison with 10.8% of Baby Boomers. So it’s clear that the common wisdom that younger generations are inherently more data-secure falls flat on its face. The survey also found that the lack of secure password storage went hand in hand with syncing sensitive files to unprotected devices for the convenience of working from home. As Millennials are more likely than other generations to push for mobile or work-from-home options, companies need to find secure solutions to handle this trend without putting their data at risk.


Responsibly Bringing a new Cryptography Product to Market

Post Snowden, technologists have rushed a variety of “liberation tech” projects to market, making boastful claims about their cryptographic capabilities to ensure the privacy of their customers. These goals are noble but the results have sometimes been embarrassing.

We’re building a new crypto product ourselves: a high-level secure-by-default framework developers can use to build end-to-end cryptographic applications without writing crypto.

Here’s what we required:

  1. To be independently verifiable it must be open source
  2. Have a spec
  3. Have a threat model
  4. Have clear, well documented code
  5. Be audited by security professionals with a crypto background

In this post I’ll share how we’re going about #5. We’re committed to development in the open, including security review.

The first audit we could schedule was with 3 researchers from the Least Authority team. Among other reasons we chose them because they have deep experience building verifiable storage systems. For anyone in that market, Tahoe-LAFS is a must read.

Auditing is both expensive and hard to schedule, with leading organizations booked months in advance.  The best teams are not limited by their ability to sell their services but rather by their ability to hire and fulfill that work. Consequently there’s very little downward pressure on their rates.

To get the most from a security audit, it’s best to go in with the cleanest code possible. It’s like brushing your teeth before you visit the dentist. It’s impolite and ineffective to ask someone to puzzle over the subtleties of code you haven’t clarified [1].

We focused this first audit narrowly on a bare bones single-user (no collaboration or multi-user sharing) demo application built with the Crypton framework. Our goal was good coverage of the framework’s core fundamentals: account creation, authentication, and single-user data storage.

Unfortunately, at the time we could schedule the audit to begin, there were three issues that the Crypton team knew about but hadn’t had a chance to fix or even document. The auditors independently discovered two of those three issues, with a lead to the third issue (less severe) tagged [UNRESOLVED] in their report. Additionally they found three other serious issues unknown to the team. Overall, some of the best money we’ve ever spent!

Since the purpose of this post is to give clear expectations, I think it’s important to share real numbers, and I cleared this with Least Authority.

Zooko explained, “We gave SpiderOak a small discount on our normal price, and moreover we pushed back our other projects in order to get the work done for you first. We did these two things because we wanted to form a relationship with SpiderOak since you provide end-to-end-encrypted storage, and we wanted to support Crypton because it is end-to-end-encrypted and is fully Free and Open-Source Software.”

Our bill was $30,000, or about $5k/researcher per week.

We have a second audit with the nice folks at Leviathan Security, covering the multi-user features of Crypton, and we’ll share that report when it’s complete. In the meantime, here’s the report (rst, pdf) from the first audit by Least Authority.

Here are some of the resulting GitHub issues and pull requests to resolve the findings: Issues B, C, D, and E.

The resolution for Issue A involves a switch to SRP based authentication. This was part of the longer term roadmap as it provides several additional benefits, but proved to be a nontrivial undertaking and that effort is still ongoing. Some attention is given to this implementation in the next audit by Leviathan Security.

Update: Zooko at Least Authority just published an article discussing their motivation for accepting the project.

Update 2: The originally published version of this post erroneously linked to a non-final draft of the report from Least Authority. That link is corrected, and the final audit report should say “Version 1, 2013-12-20” at the top.

NOTES:


[1] Zooko shared a story about an experiment that was conducted by Ping Yee in 2007. The results of the experiment illustrate auditing challenges.

In short, several very skilled security auditors examined a small Python program — about 100 lines of code — into which three bugs had been inserted by the authors. There was an “easy,” “medium,” and “hard” backdoor. There were three or four teams of auditors.

1. One auditor found the “easy” and the “medium” ones in about 70 minutes, and then spent the rest of the day failing to find any other bugs.

2. One team of two auditors found the “easy” bug in about five hours, and spent the rest of the day failing to find any other bugs.

3. One auditor found the “easy” bug in about four hours, and then stopped.

4. One auditor either found no bugs or else was on a team with the third auditor — the report is unclear.

See Chapter 7 of Yee’s report for these details.

I should emphasize that I personally consider these people to be extremely skilled. One possible conclusion that could be drawn from this experience is that a skilled backdoor-writer can defeat skilled auditors. This hypothesis holds that only accidental bugs can be reliably detected by auditors, not deliberately hidden bugs.

Anyway, as far as I understand the bugs you folks left in were accidental bugs that you then deliberately didn’t-fix, rather than bugs that you intentionally made hard-to-spot.

Tomorrow is ‘The Day We Fight Back’ against mass surveillance

In Matt Damon’s AMA on Reddit last week, he was asked:

Hey Matt, your amazing monologue about the NSA in Good Will Hunting is probably more relevant today than it was when the film was first released. How did you come up with that scene, and are you at all surprised by the revelations on the NSA from the information released by Snowden? 

Here is the clip from Good Will Hunting:

Matt’s reply:

“Well, the first thing to that monologue is it’s safe to say that is the hardest that Ben and I have ever laughed while writing something. We were in our old house in Hollywood, in the basement of this house writing this thing and we were literally in tears because this monologue kept building on itself. We wrote it in one night and kept performing it back and forth, and pissing ourselves laughing.

You know, I was unaware, as I think everyone was, that they had that capacity. Snowden is literally changing policy. These are conversations we have to have about our security, and civil liberties, and we have to decide what we are willing to accept, and he’s provided a huge service kickstarting that debate…”

If you haven’t yet heard, tomorrow brings one of those conversations about our security, civil liberties, and what we’re willing to accept: it’s called The Day We Fight Back.


“Together we will push back against powers that seek to observe, collect, and analyze our every digital action. Together, we will make it clear that such behavior is not compatible with democratic governance. Together, if we persist, we will win this fight.”

HOW YOU CAN PARTICIPATE:

WHAT HAPPENS ON FEBRUARY 11th:

In the U.S.: Thousands of websites will host banners urging people to call and email Congress. Ask legislators to oppose the FISA Improvements Act, support the USA Freedom Act, and enact protections for non-Americans.

Outside the U.S.: Visitors will be asked to urge appropriate targets to institute privacy protections.

Global events: Events are planned in cities worldwide, including in San Francisco, Los Angeles, Chicago, Copenhagen, Stockholm and more. Find an event near you.

Add the banner to your site now: Grab the banner code on thedaywefightback.org. They’ve built special plugins for WordPress and CloudFlare users and also have a special version of the banner that pushes people to call over email.

Will you join us? 

Calming the Biggest Cloud Fears

Small businesses have been stuck in a security limbo over the past few months. News of the NSA’s PRISM program has frustrated consumers and has complicated the international market. Widespread cloud fears and worries of government surveillance programs, as well as the prevalence of state-sanctioned hacking have prompted many businesses to cancel contracts and forgo the cloud altogether. But security fears shouldn’t keep you or your business from capitalizing on all that the cloud has to offer. With a secure cloud service that offers zero-knowledge storage, data privacy, strong encryption, and user anonymity, SMBs can leverage the cloud without worrying about dealing with the headache of a breach or leak.

SMBs in the Cloud

Consumer fallout following revelations of the National Security Agency’s PRISM program is set to cost U.S. cloud service providers up to 20% of the foreign cloud market for a potential combined loss of $35 billion. The Information Technology & Innovation Foundation (ITIF) recently put out a report that claims that lack of consumer trust could derail the American cloud for the long term. According to the report’s author Daniel Castro, “If U.S. companies lose market share in the short term, it will have long-term implications on their competitive advantage in this new industry. Rival countries have noted this opportunity and will try to exploit it.” And a report by the Cloud Security Alliance revealed that 10% of respondents cancelled contracts with U.S. cloud providers following news of the PRISM program leak.

Cloud Fears

Another survey of executive-level managers shows that 49% of respondents believe that the cloud will positively benefit their business but have been hesitant to adopt the technology due to security fears. According to cloud engineering specialist Ryan Stenhouse, the cloud actually can be more secure than what many businesses are currently using. Stenhouse says, “If anything, you have more control over what you’re deploying on, since you have no fixed allocation of resources – you use as much or as little as you need and that leads to savings. The biggest security concerns are around access to your data on your VM, you should carefully investigate the controls providers have in place to secure your environment. Big providers such as Amazon and Rackspace make this information available and are accredited to the highest industry standards.”

Sam Visner

Still, businesses should be wary of exactly which providers they trust with their sensitive data as companies offer a wide range of security protections, from the virtually nonexistent to the practically uncrackable. Vice president and general manager of Cybersecurity Sam Visner says, “Data protection is a particularly important concern. Organizations need to ensure that their cybersecurity policies and protections cover information assurance — particularly as they seek to unlock the value of information and big data and use it to make high-value decisions regarding customer strategy, public policy and national security. The survey shows we still have some way to go to allay these types of cybersecurity concerns.” One of the biggest blocks to adoption is lack of understanding of how to proactively protect data. According to Visner, “Information technology professionals in general, and CIOs in particular, need to be informed about the controls necessary to protect their operations and the providers’ approach to meeting those controls. Those contemplating the acquisition of cloud services should look carefully at how security certification or attestation is being performed, and who is performing it.” For SMBs looking for strong security protections, zero-knowledge data policies are essential. This way, only your company has access to your sensitive data.

SpiderOak for Small Businesses

For most SMBs, finding a truly protected third party cloud service can be a challenge as many “secure” services on the market have security gaps that leave data and private company info wide open to third party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides businesses with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that data, files, and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, SMBs can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and enabling a secure mobile workforce.

The Rise of State Sanctioned Hacking

Businesses that compete on the global market have to contend with a wide range of security threats. Hackers could steal intellectual property, disrupt production, and attack digital assets for ideological motives as well as for personal profit. Internal leaks from cloud providers and disgruntled employees could dip into profits by revealing company secrets and leaking projects before their marketed release date. But the latest threat to business security comes from the rise of state sanctioned hacking. Whether under the banner of citizen espionage programs or large-scale coordinated attacks on political enemies and dissidents, instances of state-backed hackers are increasing each year. One of the best ways that companies can proactively protect their data is through exclusive storage and syncing with a secure cloud service that offers data privacy and user anonymity.

Courtesy of privacyinternational.org

Hacking Team

In 2001 a hacking program called Ettercap enabled the proliferation of spying, remote device control, and password cracking technology. Billed as a “comprehensive suite for man-in-the-middle attacks” this open source free program was intended as a security test mechanism for networks. But the program’s abilities quickly caught on in the hacking community. The Milan police department caught wind of the program and soon contacted its Italian developers, Alberto Ornaghi and Marco Velleri, to help them track the Skype calls of suspects. This became the catalyst for the start of the Milan-based hacking company called Hacking Team. This organization boasts 40 employees and offers commercial hacking programs to international law enforcement agencies. One troubling program developed by Hacking Team is Da Vinci. This citizen espionage program allows law enforcement to access more data than the controversial PRISM program conducted by the U.S. National Security Agency. Through Da Vinci, governments can access suspect phone conversations, Skype calls, webcams, computer microphones, and emails.

Courtesy of cisco.com

How Ettercap Works

Such broad trespasses of citizen digital rights come under the auspices of the “war on terror”. Unfortunately, these programs are mostly used to threaten and harass dissidents and political opponents. Back in July, the political dissident Ahmed Mansoor was attacked through malware while in Dubai. Governmental sources are suspected, which points to ramped-up efforts to control political opposition in light of the Arab Spring. The Moroccan activist Hisham Almiraat sought help from the Electronic Frontier Foundation to confirm a coordinated malware attack on journalists. According to Almiraat, “After the Arab revolutions happened, those governments have maybe realized they have to harness the power of the Internet and use those tools to try to scare activists, or try to spy on them and follow their steps.” The attack was traced back to Hacking Team software and resulted in a seven-month-long jail sentence for Ahmed Mansoor.

Ahmed Mansoor

The impression such examples give is that these programs are just part and parcel of living under oppressive regimes. But such state-backed hacking efforts are also prevalent in democracies like the United States. In an attempt to convict suspected child pornographer Eric Eoin Marques, the FBI admitted to hacking into the Tor network, which has been widely criticized for hosting exploitative content on its Freedom Hosting servers. Whether or not state-backed hacking is being used to put away dangerous criminals or to gain a tighter grip on citizen communications, international businesses should be aware of the threat of such governmental security breaches. Know that regardless of what governments claim publicly, recent leaks like Snowden’s revelation of the PRISM program show the huge discrepancy between what the government admits to doing and what they actually do in private.

Securing Data Online With SpiderOak

For most users, finding a truly protected third party cloud service can be a challenge as many “secure” services on the market have security gaps that leave data and private company info wide open to third party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that data, files, and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, users can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and enabling safe mobile access.

Secure Banking & the Cloud

The banking world has set out some of the tightest online security measures for secure banking transactions on the web. But as hosts of private customer knowledge, account numbers, and assets, online banking services are prime targets for hacking, leaks, and attacks. One of the best ways for banks to secure their information is to remap their services using the private development framework Crypton while exclusively storing and syncing sensitive data to a secure cloud service provider.

Courtesy of dailymail.co.uk

Santander

Recently a Santander bank branch in London was the victim of a sophisticated cyber-attack worthy of the silver screen. London police in conjunction with PCeU, Scotland Yard’s e-crime unit, detained twelve men on suspicion of conspiring to steal data and money from the bank. One of the suspects allegedly posed as a maintenance engineer and was able to install a keyboard video mouse device (iKVM) to a branch computer, which enabled the group to seize the desktop contents of the device through the bank’s network. According to PCeU Detective Inspector Mark Raymond, “This was a sophisticated plot that could have led to the loss of a very large amount of money from the bank, and is the most significant case of this kind that we have come across.”

Courtesy of techweekeurope.co.uk

KVM Switch

Santander responded through a spokesman, who assured customers that their assets were still safe. According to the bank’s statement, “Santander was aware of the possibility of the attack connected to the arrests. The attempt to fit the device to the computer in the Surrey Quays branch was allegedly undertaken by a bogus maintenance engineer pretending to be from a third party. It failed and no money was ever at risk. No member of Santander staff was involved in this attempted fraud. We are pleased that we have been able, through the robustness of our systems, to prevent the fraud and help the police gather the evidence they needed to make the arrests.” But according to Dr. Eerke Boiten from the University of Kent, the failed plot should be cause for concern for all banks as it shows a ramped-up level of criminal sophistication. Boiten says that the iKVM “captures all the information that goes to the screen, keyboard and mouse. If you manage to get it installed inside the computer, it gives you a way of contacting the device through a remote computer. This is what people use for controlling a big server remotely. You basically can control a computer inside that bank branch. With one such device you can do as much damage as an individual teller can, within the bank. This is not just one guy trying to install this thing and see if he can get through to the Internet.” The foiled attempt at digital theft shows that thieves are willing to exploit any and all weaknesses in security, whether physical or digital.

Courtesy of cs.kent.ac.uk

Dr. Eerke Boiten

This case of attempted theft has caused a wave of concern to ripple through the tech security world. According to senior security researcher at Kaspersky Lab David Emm, “Like many other hacking attempts, the game plan of the hackers in this case was to be able to get information on transactional and customer data held on the computers within the bank to use for financial advantage. This attempt should remind organizations that a holistic approach needs to be taken toward security. It’s not just the IT security methods that need to be scrutinized, but the people within the organization as well.” Banks should make sure that all employees are brought up to date on security protocols and that no unauthorized personnel are allowed near branch devices.

As McAfee CTO Raj Samani says, “These arrests prove that the ease with which anybody can conduct what is described as a very significant and audacious cyber-enabled offence requires limited technical knowledge and [a] questionable moral compass. Simply plugging in a physical device that can be [acquired] from any number of legitimate outlets demonstrates that the bar required to be a ‘cyber-criminal’ is probably at its lowest level.” The fact that banks and security experts can’t agree on the level of sophistication that this foiled plot poses should worry customers that expect strong security measures for their assets. Through creating completely private infrastructures on Crypton and uploading sensitive information to a private cloud, banks can ensure that data is kept safe, even when accessed remotely from approved users.

Keeping Customer Data Safe With SpiderOak

For most banks, finding a truly protected third party cloud service can be a challenge as many “secure” services on the market have security gaps that leave data and private company info wide open to third party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides banks with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users can tailor the service to fit their needs.

SpiderOak protects sensitive customer data with 256-bit AES encryption so that data, files, and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, banks can rest easy knowing that their customer data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and enabling a secure mobile workforce.

How to Reduce Your Risk in the Cloud

Small businesses have been somewhat hesitant to switch to cloud service providers, especially after the NSA PRISM program leaks. International backlash threatens many U.S. cloud services, as users are suspicious of governmental citizen espionage. But there are ways for businesses to still leverage all of the cloud’s benefits while securing their data from legal snoops. From better practices onsite to exclusive storage through a secure cloud service, there are plenty of options for SMBs to protect themselves from all sides.

Courtesy of risk.net

Cloud Warning

Some businesses are already aware of cloud services that protect user data through strong encryption and zero-knowledge policies, but many still don’t know how to protect data onsite. Encryption should begin at home through Virtual Private Network (VPN) and TLS (HTTPS) tunnels. By proactively protecting data before it reaches your secure cloud provider, you can ensure that you have all of your bases covered. Don’t let government overreach scare you away from capitalizing on the cloud. With a service that offers data privacy and user anonymity, you can reach the right combination of convenience and security.

Courtesy of online-backup.choosewhat.com

Data Encryption

Aside from employing a secure cloud and encrypting onsite, there are other ways to help keep your data safe while using the cloud. Gretchen Marx is the manager of cloud security strategy at IBM and recently offered The Guardian six key steps to protecting your data while using a secure cloud:

1. Know who’s accessing what
People within your organization who are privileged users – such as database administrators and employees with access to highly valuable intellectual property – should receive a higher level of scrutiny, receive training on securely handling data, and stronger access control.

2. Limit data access based on user context
Change the level of access to data in the cloud depending on where the user is and what device they are using. For example, a doctor at the hospital during regular working hours may have full access to patient records. When she’s using her mobile phone from the neighborhood coffee shop, she has to go through additional sign-on steps and has more limited access to the data.

3. Take a risk-based approach to securing assets used in the cloud
Identify databases with highly sensitive or valuable data and provide extra protection, encryption and monitoring around them.

4. Extend security to the device
Ensure that corporate data is isolated from personal data on the mobile device. Install a patch management agent on the device so that it is always running the latest level of software. Scan mobile applications to check for vulnerabilities.

5. Add intelligence to network protection
The network still needs to be protected – never more so than in the cloud. Network protection devices need to have the ability to provide extra control with analytics and insight into which users are accessing what content and applications.

6. Build in the ability to see through the cloud
Security devices, such as those validating user IDs and passwords, capture security data to create the audit trail needed for regulatory compliance and forensic investigation. The trick is to find meaningful signals about a potential attack or security risk in the sea of data points.
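The doctor scenario from step 2, written out as a context-aware access decision. This is an added example, not code from the article, IBM or SpiderOak; the network range, working hours, role names and record fields are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed, constructed policy inputs (not from the article).
TRUSTED_NETWORKS = [ip_network("10.20.0.0/16")]    # hospital on-site range
WORK_START, WORK_END = time(8, 0), time(18, 0)     # regular working hours
RECORD_ROLES = {"doctor"}                          # roles allowed to read records
LIMITED_FIELDS = {"patient_id", "name", "allergies"}


@dataclass(frozen=True)
class Context:
    role: str
    source_ip: str
    managed_device: bool
    when: datetime
    mfa_passed: bool = False


@dataclass(frozen=True)
class Decision:
    level: str   # "full", "limited", "step_up" or "deny"
    reason: str


def on_trusted_network(source_ip: str) -> bool:
    """Fail closed: an unparsable address is treated as off-site."""
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def in_working_hours(when: datetime) -> bool:
    """Monday to Friday, between WORK_START and WORK_END."""
    return when.weekday() < 5 and WORK_START <= when.time() < WORK_END


def decide(ctx: Context) -> Decision:
    """Map who, where, when and which device to an access level."""
    if ctx.role not in RECORD_ROLES:
        return Decision("deny", "role may not read patient records")
    if (on_trusted_network(ctx.source_ip) and ctx.managed_device
            and in_working_hours(ctx.when)):
        return Decision("full", "on-site, managed device, working hours")
    # Any weaker context needs the additional sign-on step first.
    if not ctx.mfa_passed:
        return Decision("step_up", "additional sign-on required")
    return Decision("limited", "off-site or off-hours session after step-up")


def filter_record(record: dict, decision: Decision) -> dict:
    """Return only the fields the decision allows the session to see."""
    if decision.level == "full":
        return dict(record)
    if decision.level == "limited":
        return {k: v for k, v in record.items() if k in LIMITED_FIELDS}
    return {}


if __name__ == "__main__":
    # Constructed sample record and sessions.
    record = {"patient_id": 17, "name": "A. Sample", "allergies": "penicillin",
              "diagnosis": "constructed", "insurance_no": "constructed"}
    wednesday = datetime(2024, 3, 6, 10, 30)
    sessions = [
        Context("doctor", "10.20.4.9", True, wednesday),
        Context("doctor", "203.0.113.7", False, wednesday),
        Context("doctor", "203.0.113.7", False, wednesday, mfa_passed=True),
    ]
    for ctx in sessions:
        d = decide(ctx)
        print(d.level, sorted(filter_record(record, d)))
```

Logging each `Decision` with its reason also yields the audit trail that step 6 asks for.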

Following the six steps laid out above will go a long way in keeping your company’s data safe. Another way that privacy advocates are fighting for your security is in the world of development. Crypton is an open source software project that offers a way for developers to make encrypted cloud-based developments in a collaborative and mobile-enabled environment. According to the Crypton website, “To our knowledge there is no other existing framework that handles all the encryption, database storage and private user-to-user communication needed to build a zero knowledge cloud application.” The company behind this effort to encourage secure app development is SpiderOak, a leader in secure cloud solutions.

Courtesy of irec.executiveboard.com

Security Concerns

Securing Data With SpiderOak

For most SMBs, finding a truly protected third-party cloud service can be a challenge, as many “secure” services on the market have security gaps that leave data and private company info wide open to third-party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides businesses with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that data, files, and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, SMBs can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and enabling a secure mobile workforce.

Google Claims It Has a Right to Your Email

Millions of online users rely on Google Gmail for personal and business correspondence. But despite passionate consumer backlash against privacy-breaching policies by companies like Facebook and organizations like the NSA, Google is claiming in court that it has a right to the contents of your emails. This outrageous declaration has prompted consumer rights groups to fight back, and governmental organizations are even considering banning Gmail for official correspondence. As lawmakers and privacy advocates champion digital privacy rights, one way to protect your data in the meantime is to store and sync sensitive files exclusively with a secure cloud service provider. A good provider will offer data privacy, user anonymity, and zero-knowledge policies so that only you have access to the contents of your data.

Google Privacy

The group that filed the lawsuit against Google is Consumer Watchdog. The organization asserts that Gmail users do not reasonably expect that the company will search the contents of their emails. Director John Simpson recently told ABC News that Google “actually read and data-mine the content of the messages. They’re using my content for whatever purposes they want to do with it.” He hopes that the lawsuit might encourage Google to seek a profit through other means like “ads that aren’t based on reading your email. Or they could just stop reading emails. There are a number of commercial services that are more amenable to privacy concerns.” Other privacy experts are less certain of the legality of Google’s policy but still caution against it, as the company claims they are protected in part by the fact that they use computers and not people to scan the contents of emails. According to Lorrie Cranor, director of the privacy engineering master’s program at Carnegie Mellon University, “The issue isn’t whether it’s a machine or human reading emails, but what could happen as a result of having your email read…There is a difference between user expectations and business practices. Just because every business may do it doesn’t mean that users know the things that are actually done. Ideally, the best choice is to give people the option to opt out.”

How Gmail Uses Emails for Ads

 

What does Google have to say about all of this? Essentially, they claim you have no privacy rights over your email. In their filing for a dismissal of the class-action lawsuit, Google wrote, “Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use Web-based email today cannot be surprised if their communications are processed…Indeed, a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” The idea is that because users put their content on Gmail, the company has a right to mine it for advertising purposes. The same idea was put forth by Facebook and shot down in the courts, so it’s likely that this won’t hold up for long. Still, the company’s aggressive stance is frustrating to say the least. Google attorney Whitty Somvichian says that “Users, while they’re using their Google Gmail account, have given Google the ability to use the emails they send and receive for providing that service…They have not assumed the risk that Google will disclose their information and they fully retain the right to delete their emails.” Instead of waiting around for this company to protect your data, store anything sensitive exclusively with a secure cloud service like SpiderOak.

 

Backlash Against Google

Securing Your Emails With SpiderOak

For most users, finding a truly protected third-party cloud service can be a challenge, as many “secure” services on the market have security gaps that leave emails and private data wide open to third-party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that emails, files, and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access.