Tom Olzak

Posts Tagged ‘Truecrypt’

Should you run away from Dropbox?

In Access Controls, Cloud Computing, Computers and Internet, Data Security, Piracy Legislation, Privacy, Risk Management, Security Management on June 21, 2011 at 15:26

For a long time, I’ve recommended Dropbox to colleagues, friends, and family.  However, recent revelations and events made me look for a more secure and less risky solution.

First we learn that any employee at Dropbox has access to our data. According to the Dropbox site,

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.

The problem I had with this was the lack of communication to customers that this was the case.  Many of us understood that NOBODY could access our data.  Well, no problem.  I simply used TrueCrypt to encrypt sensitive data.  This was inconvenient and caused some performance issues.

As a regular listener of Security Now, I decided to try the highly recommended Carbonite.  Not only does it back up all my data, but all my Office files and PDFs are available via my iPad and iPhone.  In addition, nobody can access my files but me…  Finally, the cost is pretty low: $59 per year for unlimited storage.

After testing Carbonite, I wasn’t yet ready to drop Dropbox.  However, today I read that they left all files available to the public for four hours yesterday.  (sigh).  I guess it was too much to expect a great cloud file repository to actually be secure, too.

Are they kidding?

In Data Security on March 24, 2009 at 12:19

Working through my ‘pile’ of unread RSS feed postings, I found one that piqued my interest.  It was entitled, Best Encryption Utilities: Protect Files, Email, and ostensibly provided a list of encryption utility downloads.  What I found was not only disappointing, but sad.

The link is to a PC World download list which appears to simply be a come-on for purchasing product (shown below).  OK, maybe I was expecting too much from PC World, like actually listing good, free encryption software (e.g., TrueCrypt and AxCrypt).  Oh, well.

Disappointment


Which cryptographic algorithms to use and those to avoid

In Data Security, Encryption, Risk Management on March 18, 2009 at 11:35

Researchers at Fortify Software have written a Crypto Manifesto, in which they make algorithm recommendations for:

  • Cryptographic hashes
  • Encryption and encoding
  • Symmetric and public keys
  • Pseudo-random number generators

The table below summarizes the manifesto’s assertions; details about why a certain algorithm falls into the use or not-use column are included in the Fortify document.
 

recommended_encryption_methods

Anti-Forensics: Challenges for the Forensics Investigator

In Forensics on March 13, 2009 at 19:24

A Paul Henry video from 2006 in which he discusses encryption, steganography, disk wiping, and other techniques used to thwart forensic methods.

(Video is a little rough, but the information is valuable.)
