VOLUME 21 | ISSUE 21 | 23 April 2013
Article of the Month | Around the World
How to secure your personal data in the cloud?
Chances are that a majority of the people reading this article use some type
of free cloud storage, whether it is Google Drive, Dropbox, SugarSync (my
favourites of course!) or any other service. Such cloud storage offerings are
especially beneficial for research students like me: we can store research
data there and work on it from our research centres, from home or while
attending a conference in some faraway land. Free cloud storage offerings can
be a lifesaver at a time when research funds are dwindling due to the grim
global economic outlook. However, all users of these cloud storage services
must consider one important problem – confidentiality of the files we upload.
Almost all of the cloud storage services provide some confidentiality
guarantees for user data, both during data transmission and storage. For
example, if you read the privacy policies of Dropbox and SugarSync, they claim
to encrypt all data in storage while using SSL to secure all data during
transfer. Despite these assurances, security breaches are not uncommon among
cloud storage providers, as is evident from the Dropbox security compromise
last year.
Therefore, an extra layer of security will always be handy, and that’s why we
should pre-encrypt all confidential information before uploading it to the
cloud. Besides, there are plenty of free tools that can be used for file
encryption, and finding them is just a matter of Googling the term. Out of the
tools I’ve tried so far, the one that got my nod is TrueCrypt. It has been
extensively reviewed through security research and practical applications. If
you are a bit paranoid about using the binaries, they provide you with a source
code version. Installing and using TrueCrypt is such a piece of cake that it
could be done by a little kid. Usually this involves installing the program,
creating an encrypted disk volume and saving your files in the volume you
created. There is also a good beginner’s tutorial on their website to get you
started.
Nevertheless, there are a few things you must be careful of when using
TrueCrypt to secure files in cloud storage. First of all, you must decide where
to place your data for encryption. This seems trivial, but if you place your
cloud synchronisation folder (e.g., your Dropbox folder) inside an encrypted
container, the synchronisation folder will be encrypted on your computer but
the files in the folder will be uploaded to the cloud unencrypted. Since we
certainly do not want this to happen, it is important to create the encrypted
containers within your cloud synchronisation folder so that these encrypted
containers get uploaded to the cloud storage. Second, you must decide on the
encryption and hashing algorithms to use. The choice will depend on how
sensitive your data is – if the confidentiality of your data is a matter of
life and death then select the strongest algorithms available, but you trade
off speed and computing resources for better security. TrueCrypt also provides
some details on the algorithms for you to make an informed decision. Third, you
must select a secure passphrase which is long enough and uses a combination of
alphanumeric and special characters. For additional protection you may also use
a keyfile. A strong passphrase is of paramount importance since strong ones
have proved very difficult to break while weak ones offer little security. If
you are unconvinced, just read this article on how the FBI failed to crack the
strong passphrase of a TrueCrypt container.
There is another practical consideration before using encrypted volumes with
cloud storage. If your encrypted volume is very large it will take ages for it
to synchronise with the cloud. Every time you make the slightest change to a
single file in the encrypted container the whole container has to be uploaded,
since your cloud synchronisation program only sees the container as a single
file. If you are lucky enough to have a super-fast DSL connection with an
unlimited data volume, you may use a larger encrypted container. On the other
hand, if your ISP provides you with a small, capped data volume and your
connection allows you to have a lunch break while it uploads a 50 MB file, you
need to spread your data into several encrypted containers of smaller size.
(After all, a person would hold only a limited amount of highly confidential
information unless they are doing something illegal or working for a spy
agency!) As a final note, I don’t intend this article to sound like a sales
pitch for TrueCrypt. In fact, you can use any file encryption utility to secure
your data if you are confident of the security it provides.
Hasala Peiris
PhD Research Student
Curtin University, Perth, Australia
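
An added example, not part of the original article: a small Python audit of a cloud synchronisation folder that flags files which do not look encrypted (plaintext sitting directly in the sync folder) and containers whose full re-upload would exceed a time budget. It assumes, as the article does, that any change re-uploads the whole container; the entropy threshold, file names, uplink speed and time budget are illustrative assumptions, and high entropy is only a heuristic because compressed files also score high.

```python
import math
import os
import tempfile

SAMPLE_BYTES = 64 * 1024   # bytes read from the start of each file
ENTROPY_THRESHOLD = 7.5    # bits per byte; assumed cut-off for "looks encrypted"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def upload_seconds(size_bytes: int, uplink_kbit_s: float) -> float:
    """Time to re-upload a whole container after any change inside it."""
    return size_bytes * 8 / (uplink_kbit_s * 1000)

def audit_sync_folder(root: str, uplink_kbit_s: float, max_seconds: float):
    """Return (plaintext-looking files, containers too slow to re-sync)."""
    plaintext, too_slow = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                sample = fh.read(SAMPLE_BYTES)
            if shannon_entropy(sample) < ENTROPY_THRESHOLD:
                plaintext.append(rel)      # would reach the provider unencrypted
            elif upload_seconds(os.path.getsize(path), uplink_kbit_s) > max_seconds:
                too_slow.append(rel)       # candidate for splitting into smaller containers
    return sorted(plaintext), sorted(too_slow)

def demo():
    """Constructed sample folder: one plaintext note, two random-filled stand-in containers."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"interview transcript, participant 7\n" * 200)
        for name, size in (("small.tc", 256 * 1024), ("big.tc", 4 * 1024 * 1024)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(os.urandom(size))
        # Assumed link: 512 kbit/s uplink, at most 30 s tolerated per re-upload
        return audit_sync_folder(root, uplink_kbit_s=512, max_seconds=30)

if __name__ == "__main__":
    print(demo())
```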

Fool Me Once?
'....When you’re lurking in the computer crime underground, it pays to watch your back and to keep your BS meter set to “maximum.” But when you’ve gained access to an elite black market section of a closely guarded crime forum to which very few have access, it’s easy to let your guard down......'

Phoenix Exploit Kit Author Arrested In Russia?
'....The creator of a popular crimeware package known as the Phoenix Exploit
Kit was arrested in his native Russia for distributing malicious software and
for illegally possessing multiple firearms, according to underground forum
posts from the malware author himself......'

Banks Hit Downtime Milestone In DDoS Attacks
'....In recent weeks, U.S. banks and financial services institutions have seen
their website downtime double, compared to just one year ago. That finding,
first reported by NBC News, comes via Keynote Systems, which maintains dummy
accounts with the country's top 15 banks, which it uses to monitor site uptime
and availability to customers by attempting to log into its accounts every
five minutes......'

Egyptian navy captures divers trying to cut undersea internet cables
'....A spokesman for the Egyptian military has reported that three scuba
divers have been arrested in the Mediterranean as they tried to cut a
submarine data cable owned by local telco Telecom Egypt......'

Six U.S. Air Force cyber capabilities designated "weapons"
'....The U.S. Air Force has designated six cyber tools as weapons, which
should help the programs compete for increasingly scarce dollars in the
Pentagon budget, an Air Force official said on Monday......'

Month in Brief
Facebook Incidents Reported to Sri Lanka CERT|CC in March 2013
[Charts; categories: Fake + Harassment, Hacked, Abuse, Other; gender-wise breakdown. Statistics - Sri Lanka CERT|CC]
Inbound Threats to Sri Lanka during March 2013
[Chart]

Alerts

Android AirDroid Flaw Can Lead to XSS, DoS Attacks
'....A cross-site scripting (XSS) vulnerability exists in the browser version
of AirDroid, a cloud management application for Google’s Android phones.
According to an alert from the US-Computer Emergency Readiness Team (US-CERT),
at the current time, there is no patch planned and there is no logical
workaround......'

ICS-CERT warns on utility web page info
'....Critical infrastructure providers should be careful about posting
industry event and business contact information on their Web pages because
that data has been used to customize “spear fishing” attacks aimed at the
larger critical infrastructure community, said the U.S. critical
infrastructure Cyber emergency team......'

Notice Board
Training and Awareness Programmes - April-May 2013

Date | Event | Venue
18th-19th April | Content Development for Learning Management System "e-Thaksalawa" | ICT Laboratory, ICT Branch, Ministry of Education.
3rd-4th May | Training on Web Development for newly recruited ICT graduate teachers under development of 1000 Secondary Schools Project | ICT Center, University of Kelaniya.
6th-10th May | Tamil Medium educational content development for Learning Management system "e-Thaksalawa" | Education Leadership Development center, Meepe.