Most IT users are familiar with antivirus software and spyware. What is often overlooked is the security of the data they transmit and store online, trusting the default technologies or the security of the companies that provide these services.
Any time we use a public Wi-Fi connection or connect to a local area network (LAN), everyone else using that access point or LAN can spy on our traffic and monitor whatever we send through it. Many websites implement encrypted Secure HTTP (HTTPS) only at the login stage; once authentication has been completed, data such as cookies flows unencrypted over the network. The most famous exploit that arose from this was as recent as 2010, when a Firefox extension called Firesheep allowed users to intercept unencrypted cookies from Facebook and Twitter, allowing third parties to hijack the session. Site-wide HTTPS was only made mandatory on Facebook in October 2012. Even when HTTPS is properly implemented, bugs such as the recent Heartbleed vulnerability allowed an attacker to read a target's credentials, password or session ID.
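As an added example that is not part of the original post, the following Go program audits the headers a site returns after login for exactly the weakness Firesheep exploited: a session cookie without the Secure flag, and no HSTS header forcing site-wide HTTPS. The header values and the `session_id` cookie name are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Finding is one way a logged-in session could be exposed on a shared network.
type Finding struct{ Cookie, Issue string }
// AuditSessionCookies takes the response headers a site sends after login and reports
// session cookies a browser would still transmit in the clear on http:// requests, and
// whether the site forces HTTPS with HSTS. sessionNames (cookie names carrying the
// session) is an assumption supplied by the caller, not a fixed standard.
func AuditSessionCookies(h http.Header, sessionNames []string) []Finding {
	isSession := map[string]bool{}
	for _, n := range sessionNames {
		isSession[strings.ToLower(n)] = true
	}
	var out []Finding
	for _, c := range (&http.Response{Header: h}).Cookies() { // net/http parses the flags
		if !isSession[strings.ToLower(c.Name)] {
			continue
		}
		if !c.Secure {
			out = append(out, Finding{c.Name, "no Secure flag: sent unencrypted on any http:// request"})
		}
		if !c.HttpOnly {
			out = append(out, Finding{c.Name, "no HttpOnly flag: readable by script running on the page"})
		}
	}
	if h.Get("Strict-Transport-Security") == "" {
		out = append(out, Finding{"-", "no HSTS header: browsers will still follow plain http:// links"})
	}
	return out
}

func main() {
	// Constructed headers modelled on a 2010-style site: HTTPS at login only.
	weak := http.Header{}
	weak.Add("Set-Cookie", "session_id=abc123; Path=/; HttpOnly")
	for _, f := range AuditSessionCookies(weak, []string{"session_id"}) {
		fmt.Printf("%s: %s\n", f.Cookie, f.Issue)
	}
	// Hardened form: site-wide HTTPS enforced by HSTS and a Secure, HttpOnly cookie.
	strong := http.Header{}
	strong.Add("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")
	strong.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
	fmt.Println("findings after hardening:", len(AuditSessionCookies(strong, []string{"session_id"})))
}
```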
More worryingly, mobile wireless networks aren't as secure as once thought either. Just yesterday it was revealed that the British spy agency GCHQ, together with the NSA, hacked into the internal networks of Gemalto, the largest manufacturer of SIM cards in the world. Gemalto produces 2 billion SIM cards yearly for telco providers such as AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The breach allowed the agencies to spy on billions of users around the world as easily as tuning into an FM radio broadcast, without the need for any search warrants.
Many instant messaging services such as WhatsApp, Snapchat and Viber, although encrypted while in transit, have questionable encryption mechanisms, and almost all of these companies hold the private keys needed to unlock that encryption. One particularly bad offender is WhatsApp, which from 2009 to 2012 implemented no encryption for its messages, and even when it did, used a painfully rudimentary scheme that built the password from your phone's IMEI.
For computers, a VPN encrypts all traffic between the computer and the VPN provider, preventing interception on the local network and at the ISP layer and offering another layer of security in the event that a site doesn't implement proper encryption or is affected by a security vulnerability. I2P and Tor are other options, but they probably require more technical knowledge to set up, and Tor at least presents its own security concerns. They are also generally much slower than a VPN.
Securing phones is a bit trickier, as they have two different channels, one for voice and one for data, and different tools are required to secure each. For the data channel a VPN works, but for voice and SMS, users can protect themselves with freely available apps like TextSecure, RedPhone and Signal that encrypt those communications.
For IM services, head over to the EFF's Secure Messaging Scorecard for a review of popular instant messaging services, and compare and pick a messenger with a privacy focus. I personally use Telegram's secret chat function, which combines ease of use with decent security, although there are arguably more cryptographically secure IMs out there.
Dropbox, OneDrive, Box, Google Drive and Apple's iCloud are now ubiquitous parts of our lives, allowing us to bring our files anywhere we need to go. We often entrust a lot of our information to such services, with many people storing documents, password databases and other sensitive files and relying on the company to do the work of figuring out the security. They often claim to use high-level encryption and best security practices. However, reality shows that even the largest cloud storage providers can be subject to hacks or hiccups that compromise your files' security.
In 2011, Dropbox introduced a bug that allowed some users to log into accounts even without the right password. The bug took 4 hours to fix, and in that time affected users' accounts were left wide open. In late 2014, Apple's iCloud did not have brute-force protection, which allowed hackers to expose private intimate photos of celebrities. Dropbox, Box and Google Drive have also each had some form of hyperlink vulnerability allowing third parties to potentially see your files. OneDrive for Business was caught silently inserting a uniquely identifiable code into files stored with it, making it potentially possible to match a file to a company or a specific user's account.
These are but a handful of the security issues plaguing cloud services, and they are only the known ones.
For the end user who wants to continue relying on the conveniences of cloud storage, I would recommend creating encrypted containers within your cloud storage. TrueCrypt used to be the leader here and is still widely used despite its mysterious halt in development, but there are alternatives available such as VeraCrypt which add further security. By keeping your data in an encrypted container saved in your regular cloud storage such as Dropbox, your data remains safe should there be any breach of security at your cloud provider, because the provider only ever holds data it cannot decrypt.
Another option for businesses is to consider the use of private dedicated clouds. Compared to public cloud solutions like Dropbox, where access and data control are in the hands of third parties, private clouds allow complete control over all programs and storage, but that means you have to ensure your in-house team is up to the task of securing your data. For example, SingleHop provides an excellent dedicated private cloud service.
Too often we put too much trust in large corporations that manage, store and transmit our data. With data breaches becoming commonplace, it makes sense to take security into our own hands and build multiple layers of protection. Thankfully, as seen above, there are plenty of freely available tools that can enhance your data security both in the cloud and in transit.