Results 1 to 10 of 10

Thread: Cloud storage page

  1. #1
    Senior Member
    Join Date
    May 2006
    Location
    Central NJ
    Posts
    2,547
    Blog Entries
    1

    Cloud storage page

    How secure is cloud file storage?

  2. #2
    If you upload unencrypted content to a provider without 2FA, TLS etc it's not particularly secure. It all depending on your storage needs (backup / data sharing) and if it's for home or commercial use.

    There are a number of cloud storage options varying from consumer-friendly free solutions such as Dropbox, G-Drive, One-drive through to business systems that even the NSA could not crack for example Sync.com for storage and Carbonite for backup.

    Sync.com’s biggest lure is its security (AES-256). The company provides users with free zero-knowledge encryption. That means, unlike Dropbox employees, Sync.com employees can’t read your content and the company can’t hand over readable copies to fulfil legal requests. It also means that the Sync.com doesn’t store copies of your password or encryption keys. So, in the event of a hack like that which hit Dropbox in 2012, there would be no passwords to steal, hashed or not.

  3. #3
    Senior Member
    Join Date
    Apr 2018
    Location
    AZ
    Posts
    219
    Quote Originally Posted by Random View Post
    How secure is cloud file storage?
    A lot depends on how you expect to use that storage as well as the nature of the "content" you're placing there.

    If you expect to use it for a "backup" service (formal or informal) where your goal is to have additional storage as well as the "resilience" of a remote store (i.e., in case your house burns down!), then you can pretty much use any service if you discipline yourself to (securely) encrypt your content before uploading.

    OTOH, if you want to be able to treat it as an "extra disk drive" that you access often, then you'd not want to be bothered with the additional step(s) of having to encrypt/decrypt each time you access the content. (N.B. This also applies if you want to use it as a means of distributing content to others -- they would have to buy into the encrypt/decrypt process).

    You also need to consider the nature of the threat(s) to your data and the resources they may bring to bear to gain access to it. I.e., will you be targeted or just (unfortunately) caught up in a general attack?

    Consider that there are several places where your data is vulnerable to theft:
    • sitting in the cloud
    • in transit to/from the cloud
    • sitting on your local PC


    In the cloud, your concern is theft of your credentials (someone gaining access to your cloud account because your account was compromised, often on YOUR end) as well as large-scale attacks on the cloud service provider (your data just gets caught up in a broader sweep of the provider's store).

    In transit, the choice of protocols can impact the chances of the data being captured by eavesdropping your connection. Protocols that encrypt the content prior to transfer harden that connection against adversaries.

    Sitting on your local PC is likely the most vulnerable place for loss/compromise. Likely, it sits "in plaintext form" so anyone (anything) that has compromised your computer can freely view (and alter!) that data. And, as that computer needs to be "exposed" (to The Internet), it means you are always susceptible to an attack to infect your machine -- even if the data isn't still (or YET!) present there to be harvested!

    For the ultimate in security, you would encrypt the data on a machine that isn't "exposed" (never been connected to The Internet and, thus, not compromised). Then, SneakerNet (any wired/wireless connection would be two-way and provide an opportunity for that "not exposed" machine to be compromised) the encrypted files to a machine that has Internet access (whether it has been compromised or not) and transfer to/from the cloud, there.

  4. #4
    Senior Member alan's Avatar
    Join Date
    Jul 2001
    Location
    Baltimore, MD
    Posts
    6,717
    How does one encrypt data to be sent to the cloud?

    Thank you.

    How did I make my text so dark?



    Alan

    Proofread carefully to see if you any words out.

  5. #5
    Windows 10 comes with BitLocker. I think TrueCrypt is still available. Another option is Carbonite for online backup/storage.

    The following is from the Carbonite website:
    Before your files are sent to our servers, they are encrypted on your computer. Once encrypted, they are sent via secure connection to the Carbonite servers. Carbonite does not make duplicates of files on your system and does not store any information on your computer. The only files Carbonite keeps on your computer are the files which run the backup program.
    https://support.carbonite.com/articl...e-Backup-Works
    The test of success is not what you do when you are on top. Success is how high you bounce when you hit the bottom
    --General George Patton

    Complex problems need to be solved collectively.
    ––Paul Nussbaum
    usc87.blogspot.com

  6. #6
    Senior Member
    Join Date
    Apr 2018
    Location
    AZ
    Posts
    219
    Quote Originally Posted by PN View Post
    Windows 10 comes with BitLocker. I think TrueCrypt is still available. Another option is Carbonite for online backup/storage.

    The following is from the Carbonite website:

    https://support.carbonite.com/articl...e-Backup-Works
    That doesn't protect your data if the machine that you're using to encrypt on its way to the cloud has been compromised. And, if an adversary (malware) sees the Carbonite software on your computer, it knows exactly what it wants to target!

    If, instead, you encrypt your files on a "secured" machine (i.e., one that hasn't been exposed to the outside world) and then SneakerNet the files over to an "exposed" (internet connected) machine, the files are not visible in their unencrypted form. Nor are any of the keystrokes that you used to encrypt them (passphrases, etc.)

    You can use free tools -- like 7zip -- to bundle groups of files together (into an "archive"), compress them and encrypt them (AES-256 is supported by 7zip). If you give the archive a non-descript name -- like Archive123.7z -- then you aren't even leaking any information as to the likely contents of that archive.

    (E.g., encrypting "MyPlanToOverthrowTheGovernment.doc" as "MyPlanToOverthrowTheGovernment.7z" probably doesn't hide the "information" that you really want/need to be hiding! )

    But, as I said, upthread, this requires extra steps to store and retrieve the data (you wouldn't want to DEcrypt the file on that "exposed" machine, either!)

  7. #7
    Automation, you are super geeky! I am fairly certain that most of our members do not have their machines or any computer air gapped. For off-site storage, I have hard drives that are stored at my Mom's home. I have a friend that puts her hard drives (no longer using) in a safety deposit box. That's one way to keep your precious data safe.

    Overall, good stuff!
    The test of success is not what you do when you are on top. Success is how high you bounce when you hit the bottom
    --General George Patton

    Complex problems need to be solved collectively.
    ––Paul Nussbaum
    usc87.blogspot.com

  8. #8
    Senior Member
    Join Date
    Apr 2018
    Location
    AZ
    Posts
    219
    Quote Originally Posted by PN View Post
    Automation, you are super geeky! I am fairly certain that most of our members do not have their machines or any computer air gapped. For off-site storage, I have hard drives that are stored at my Mom's home. I have a friend that puts her hard drives (no longer using) in a safety deposit box. That's one way to keep your precious data safe.

    Overall, good stuff!
    I suspect many (most?) folks have a spare computer/laptop that they aren't using. Do a clean install of your favorite OS -- so you know the machine is not compromised. Then, just never let it talk to the outside world (or run any programs brought ONTO it from the outside world -- unless from trusted sources).

    I "save" old laptops. I think I now have 7 of them. When I do my taxes, I do them on one of those computers -- knowing that there is no way that data can ever find its way onto The Internet. Its a small price to pay -- i.e., not being able to read email WHILE doing my taxes (<shrug> big deal!). But, the same issue that prevents me from interacting with the outside world also prevents the outside world from interacting with me (or my data!).

    Note that, regardless of how you STORE the data, unless you periodically VERIFY that it is still accessible (hasn't suffered bit rot), you really have no way of knowing if it is still "intact"! (like folks who religiously do backups -- but have never actually tried to RESTORE one!)

    I don't advocate folks go to the lengths that I do to protect their data. Rather, I hope to educate as to how many ways your data can be "compromised" -- despite your THINKING that you've been doing all the right things. Do you really care if those vacation photos stored in the cloud are seen by uninvited eyes? I'm sure you'd rather they weren't -- but, it's not likely to have significant consequences (for you), if they are. OTOH, financial data, medical records, identity data are too easily abused!

    A colleague once chided me for not engaging in on-line commerce. His "explanation" to tout the security of that was "with 128 bit encryption, there's no way anyone is going to see your transaction!" His smile turned to one of dismay when I countered: "Unless your machine has already been compromised and the data is leaking out BEFORE it enters the encrypted tunnel!"

    Ooops! Guess he hadn't considered that possibility.

    Its similar to how you would go about "securing" your home. You have to think about it as a THIEF/burglar would, not as a (naive) homeowner.

    A new neighbor came knocking on our door a few months after moving in. They had locked themselves out of the house. Being Sunday, he couldn't get a locksmith to come out (until AFTER the ballgame was over! ). Having his infant in a stroller, accompanied by his wife, they weren't keen on sitting out in the summer heat all that time. So, he opted to see if I could help.

    Of course, an easy way in would be to break a window -- no doubt a thief might consider that worth the risk of someone hearing the breaking glass. I figured my neighbor wouldn't be too keen on having to replace the window glass as a price of getting inside. So, I looked for a less costly approach.

    Walked back to my house to fetch a screwdriver. Removed ONE screw that secured the center stile for his sliding kitchen window. Removed the stile (which took the window lock with it!). Slid the window open and asked him if HE wanted to climb in -- or if he wanted ME to do so? (great way to start a friendship! )

    Reinstalled the stile and the house was good as new!

    Unless you actively think about how your efforts can be subverted, any sense of security is likely to prove to be a disappointment! First step on that path is education...

  9. #9
    This thread begs of anti virus information. I know you do not like windows. Can we set that aside for the time being? Is it possible, do you have the expertise to rate the anti virus programs for those of us who do use win7 or 10?
    I have had periodic paralysis all my life. I lost my ability to walk in 2011 beginning with a spinal block, which was used for a hip fracture caused by periodic paralysis.

  10. #10
    Senior Member
    Join Date
    Apr 2018
    Location
    AZ
    Posts
    219
    Quote Originally Posted by nonoise View Post
    This thread begs of anti virus information. I know you do not like windows. Can we set that aside for the time being? Is it possible, do you have the expertise to rate the anti virus programs for those of us who do use win7 or 10?
    [I can't tell who this comment is directed at. As it immediately follows MY comment, I will assume me.]

    I don't know why you'd assume I "do not like Windows". I rely on it for much of my computing needs. Many of the apps that I use are only available on Windows. Though, admittedly, if there were more choices in the "operating system universe", Windows would hardly be my first! <shrug>

    Unfortunately, I can't help wrt AV programs. I don't run one on any of my computers. They will always be a step behind the "bad guys" -- an exploit has to be released into the wild before the AV guys can figure out how to detect and isolate it. So, I (personally) wouldn't consider them to be "perfect" protection; I would still have to exercise care in the sorts of places I visit and things that I do, on-line, in order to "keep myself safe".

    So, I simply exercise care in the sorts of places I visit and things that I do, on-line, and "keep myself safe" by those practices -- without the need of an AV product! No pron sites, no on-line gaming, no warez, no blind opening of email attachments, no "free" applications, etc.

    This has managed to keep us "infection free" for decades.

    Having said all that, any time I "update" any of the "exposed" (Internet connected) computers, I pull the disk drive and set it aside for a few months. I replace it with a "clean" copy of the disk as it existed when I initially installed Windows -- updated (offline!) with the most recent Windows "monthly rollup". If I end up replacing the entire machine (upgrading hardware), then the "new" machine ends up with a virgin Windows installation (with updates).

    After a few months, I connect the "removed" disk to a computer and download (using the "new" computer) a copy of one of the free/time-limited AV products (most recently AVG). I run a complete scan on the "removed" disk to see if I may have been compromised while that disk was installed in the original computer.

    Note that this does nothing to protect me as any "infections" would have already taken hold on that computer prior to my removing the disk! But, I don't expect to SEE any infections so this is just to confirm that my "computing practices" have, in fact, been robust enough to "keep me safe".

    If I ever see signs of infection, I will have to rethink my practices. But, regardless, the only "data" that I will have placed at risk are:
    • my address book (because malware can easily find those email addresses on your computer)
    • the contents of (all!) my emails
    • possibly every web site that I've visited
    • usernames and passwords for every "forum" I visit -- along with everything I've ever posted, there


    But, because this computer is never used for anything "worthwhile", nothing of importance (bookkeeping, taxes, birthdates, SSNs, physical addresses, medical records, etc.) ever has a chance to be stolen or corrupted. This also means I never have to "backup" this computer -- anything on it is, by definition, disposable!

    We keep another laptop that we use JUST for ecommerce. It has no email capabilities (so no temptation to open the email attachments that we are sent from those ecommerce vendors!). We never "visit" any web sites (other than our financial institutions and eBay/amazon). Never view any youtube videos. Etc.

    And, it is powered off unless we are actually in the process of conducting an ecommerce transaction (so, an adversary has only limited opportunities to get AT it).

    Again, I don't expect folks to adopt similar practices. OTOH, I routinely am asked (by friends/colleagues/neighbors) to "fix" their computers after they've been infected with some form of malware or ransomware. And, they are connected to the same Internet that we are! The difference being how they use it vs. how we use it.

    [A bit of free advice: never let friends know you can "fix" computers. Ages ago, the admonition was never to let friends know you could fix TVs! Same problem: you'll always be fixing something for someone! ]

    [[I really can't recommend, enough, the idea of using a sacrificial machine for your email/WWW stuff and doing all the "important" stuff -- even if it is just playing video games! -- on a separate, air-gapped (i.e., not connected to The Internet) machine. Even if that/those machines have to be updated periodically (I believe W10 requires this? Dunno as I only run W7 which allows me to decide if I want to allow updates at all -- and when!), having control over when those updates CAN be applied is a real win. E.g., if the sacrificial machine gets an update and things go to hell, then that's probably a big hint that you may NOT want to apply that update to the machines that are MORE IMPORTANT to you -- until you understand what went wrong with the update on the sacrificial machine!]]

Similar Threads

  1. Voice software; page up, page down issues
    By Carl R in forum Announcements & Feedback
    Replies: 3
    Last Post: 07-04-2005, 06:38 PM
  2. the cloud cushion
    By Lizbv in forum Care
    Replies: 2
    Last Post: 07-23-2002, 05:13 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •