Security Now 349

From The Official TWiT Wiki

Security Now 349: Cloud Storage Solutions

Security Now! #349 -- 04/19/12 Cloud Solutions

(Sarah Lane / iPad Today / Deadly Harvest)

Security News: (via @SteveStyffe) @SGgrc Have you seen this? Google abandons plans to reduce SSL handshake latency. http://arstechnica.com/business/news/2012/04/google-abandons-noble-experiment-to-make-ssl-less-painful.ars


Apple: About Java for OS X Lion 2012-003 http://support.apple.com/kb/HT5242 "This Java security update removes the most common variants of the Flashback malware. This update also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application. If the Java web plug-in detects that no applets have been run for an extended period of time it will again disable Java applets." Java for OS X Lion 2012-003 delivers Java SE 6 version 1.6.0_31 and supersedes all previous versions of Java for OS X Lion. This update is recommended for all Mac users with Java installed.


Dropbox Tech Blog: zxcvbn: realistic password strength estimation
  • http://tech.dropbox.com/?p=165
  • http://dl.dropbox.com/u/209/zxcvbn/test/index.html


Errata: (@robertdwalker) @SGgrc OS X 10.7 did significantly improve ASLR. And, 10.8 improves it even further. You misstated that on SN. http://en.wikipedia.org/wiki/Address_space_layout_randomization#Mac_OS_X


Twitterverse:

(@TechJeeper - Code Dean in Lansing, Michigan) @SGgrc "False Start's sad demise..." Wasn't this what provided a major advantage for SPDY? http://arstechnica.com/business/news/2012/04/google-abandons-noble-experiment-to-make-ssl-less-painful.ars http://www.imperialviolet.org/2012/04/11/falsestart.html

(@SimonZerafa) @SGgrc Is your installed JavaVM buggy and exploitable? :-) -> http://isjavaexploitable.com

(@SimonZerafa) @SGgrc If you didn't go looking for it, don't install it; if you installed it, keep it updated; if you don't need it, uninstall it.

(@enekob - Eneko Bilbao, Australia) @SGgrc re iOS encryption: Took your advice, upgraded to alphanum PIN. When changed does it re-encrypt the file system? Was very fast if so?!


SpinRite - Ben Stool

Cloud Solutions

Bitcasa: http://community.bitcasa.com/bitcasa/topics/the_biggest_problem_bitcasa_is_not_safe


BoxCryptor:

Primarily Windows - Android - iOS; Mac/Linux: compatible with the open-source EncFS, which can mount BoxCryptor folders.
Dropbox integration: "Encrypt your files the quick and easy way. Each file is encrypted individually in real-time and stored in a folder of your choice, e.g. your Dropbox folder."
Encrypted Filesystem (EncFS) implementation: encrypts files, not low-level blocks.
Some metadata leakage:
  • Number of files
  • Rounded-up filename lengths
"Select the source directory which stores the encrypted data" / "Select the drive letter of BoxCryptor"
Licensed per-user per-platform / unlimited instances within license / one-time fee:
  • Windows: $0 up to 2GB storage & 1 drive mapping; $40 Unlimited Personal, any storage and # of drives; $100 Unlimited Business
  • Android: $0 free up to 2GB; $6 Unlimited Personal; $9 Unlimited Business
  • iOS: VERY limited FREE version; in-app purchase to unlock


Box.net:

www.box.com
Pricing (max file size / storage):
  • Personal Plan (1 user): $0: 25MB / 5GB; $10/mo: 1GB / 25GB; $20/mo: 1GB / 50GB
  • Business Plan: $15/mo: 2GB / 1TB


Carbonite:

$59/year per computer - Unlimited ($5/mo)
Win/Mac/iOS/Android/Blackberry (advanced features are currently Windows only)
PIE? From their FAQ: "Can Carbonite employees see my backed up files? Access to your backed up files is protected by your encryption key which is kept strictly confidential. Unless you choose to manage your own encryption key (see below), a limited number of Carbonite employees are able to access backed up files in order to assist with data recovery if needed. However, they will do so only after obtaining your consent. If you are subject to industry regulations that require no one outside your organization have access to your backed up files (e.g. HIPAA regulations), Carbonite provides you with the option to manage the sole copy of your encryption key. If you choose this option, features such as Anytime Anywhere Access will be unavailable to you. Also, note that if you lose the sole copy of your encryption key, there will be no way for Carbonite to restore your backed up files. For these reasons, Carbonite recommends, and the majority of our customers choose, to have Carbonite manage their encryption keys."


CompletelyPrivateFiles:

Encryption for Box.net
Pricing:
  • $0: up to 5MB file size
  • $30/yr: up to 15MB
  • $50/yr: up to 25MB
  • $80/yr: up to 50MB


CrashPlan:

Win - Mac - Linux - Solaris; iOS - Android - Windows Phone mobile (mobile apps are free)
http://www.crashplan.com/
"How is CrashPlan different from other online backup services? Unlike ordinary online backup, CrashPlan lets you back up to other destinations in addition to online. You can back up to your other computers, external hard drives and to computers that belong to friends and family for free. If you want to back up online too, purchase a CrashPlan+ subscription for home use. To back up your business data to the cloud, check out CrashPlan PRO or CrashPlan PROe."
Pricing:
  • $0: 0GB - backup to local, attached, or other people's machines
  • CrashPlan+: $2.50/mo. down to $1.50/mo. (4-year) - 1 computer - 10GB
  • CrashPlan+ Unlimited: $5.00/mo. down to $3.00/mo. (4-year) - 1 computer - unlimited
  • CrashPlan+ Family Unlimited: $12.00/mo. down to $6.00/mo. (4-year) - 2-10 computers - unlimited
Seeded Backup: they SHIP a drive with return shipping prepaid: $125.
"Get it back Faster": they SHIP a drive with your backed-up files: $125.
Security:
  • Free plan is 128-bit Blowfish
  • Plus plans are 448-bit Blowfish (slow key schedule is good!)
  • FULL (optional) TNO-level security using a "Private Password" to decrypt the encrypted encryption key.
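The "Private Password decrypts the encrypted encryption key" arrangement above (the same TNO model the Jungle Disk and SpiderOak notes refer to) looks like this in code, as an added example that is not CrashPlan's or any vendor's code. The PBKDF2-HMAC-SHA256 derivation, the AES-256-GCM wrap and the salt | nonce | tag | ciphertext blob layout are assumptions, since the notes name no algorithm.

```ruby
require "openssl"
require "securerandom"

# Constructed parameters for this illustration; the episode names no algorithm,
# so PBKDF2-HMAC-SHA256 and AES-256-GCM are assumptions, not CrashPlan's design.
PBKDF2_ITERATIONS = 200_000
WRAP_LABEL = "example-wrapped-data-key-v1" # GCM associated data: binds the blob's purpose

# Derive a 256-bit key-encryption key (KEK) from the user's private password.
# The KEK lives only in client memory; the random salt may be stored with the blob.
def kek_from_password(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                           length: 32, hash: "sha256")
end

# Wrap the random data key (the key that actually encrypts the backups) under
# the KEK. The returned blob (salt | nonce | tag | ciphertext, 76 bytes for a
# 32-byte key) is all the provider ever holds.
def wrap_key(data_key, password)
  salt  = SecureRandom.random_bytes(16)
  nonce = SecureRandom.random_bytes(12)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = kek_from_password(password, salt)
  cipher.iv = nonce
  cipher.auth_data = WRAP_LABEL
  ciphertext = cipher.update(data_key) + cipher.final
  salt + nonce + cipher.auth_tag + ciphertext
end

# Unwrap on the client. Returns the data key, or nil when the password is wrong
# or the blob was altered: both surface as a failed GCM tag check.
def unwrap_key(blob, password)
  salt, nonce, tag, ciphertext = blob[0, 16], blob[16, 12], blob[28, 16], blob[44..]
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = kek_from_password(password, salt)
  cipher.iv = nonce
  cipher.auth_tag = tag
  cipher.auth_data = WRAP_LABEL
  cipher.update(ciphertext) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# Demo: what a provider stores is `blob`; only the password holder recovers the key.
if __FILE__ == $PROGRAM_NAME
  data_key = SecureRandom.random_bytes(32)
  blob = wrap_key(data_key, "correct horse battery staple")
  puts unwrap_key(blob, "correct horse battery staple") == data_key # true
  puts unwrap_key(blob, "wrong guess").nil?                         # true
end
```

Losing the password means losing the data key for good, which is exactly the trade-off the Carbonite FAQ above warns about for customer-managed keys.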


Cubby:

https://www.cubby.com/
Windows / Mac desktop app / Android & iOS
Drag/drop folders onto the app and they are in your cubby. Dropbox-ish clone.
Cross-computer sharing / unlimited P2P cross-computer syncing
Cross-friends sharing: "Make any folder a cubby right where it is and it's accessible everywhere."
Cubby keeps unlimited versions of friend-shared files.
"My Cubby Folder" in the cloud, 5GB free.
(c) LogMeIn
NO mention of security/encryption/privacy


Digital Bucket:

Uses Amazon S3 cloud storage
No TNO option
Pricing:
  • Individual: $99/yr. 50GB
  • Professional: $30/mo. 100GB + 3 sub-accounts
  • Small Business: $125/mo. 500GB + 10 sub-accounts


Dropbox:

Pricing:
  • $0: 2GB
  • $10/mo. or $100/yr: 50GB
  • $20/mo. or $200/yr: 100GB (Amazon is $15/mo. for 100GB)
Security: "Compliance with Laws and Law Enforcement" - "As set forth in our privacy policy, and in compliance with United States law, Dropbox cooperates with United States law enforcement when it receives valid legal process, which may require Dropbox to provide the contents of your private Dropbox. In these cases, Dropbox will remove Dropbox's encryption from the files before providing them to law enforcement."


Google Drive:

Rumors: Announcement next week. drive.google.com resolves. Free 5 Gig


Jungle Disk:

Win/Mac/Linux/iOS/USB
Rackspace or Amazon S3 back end:
  • Rackspace: pay ONLY for storage ($0.15 / GB / month); free transit / free requests
  • Amazon S3: also $0.15 / GB / month
Web access to cloud files
PIE? Optional PIE key management. FULL TNO-level security.
Other: public sharing of specific files: a web URL, with date expiration, can be shared. Max 5 GB and 50 downloads.


HiDrive (by Strato):

https://www.free-hidrive.com/product.html
iOS, Android, Win Mobile 7
Pricing:
  • $0: 5GB
  • $13 for 3 mo.: 100GB
  • $39 for 3 mo.: 500GB
ISO 27001 certification???


LiveDrive:

Windows / Mac / iOS / Android
"Resellers - sell online backup and more! Sell our full range of online backup, storage and sync products to your customers. Custom brand everything, manage it all from the web. Sell unlimited backup accounts from just $59.95 per month - instant setup!"
"Completely Safe and Secure"
Pricing:
  • $8/mo. "Backup": no storage limit; additional computers $1.45/mo.
  • $16/mo. "Briefcase": 2TB, Win/Mac sync, share with friends & family
  • $25/mo. "Pro Suite": 5TB, 30 previous versions, restore deleted files, stream music
Add NAS backup for $7.95/mo.
Purchase for one year, get two months free.


Porticor:

"Enterprise" oriented
Standard/Medium Edition: $162/mo.
Free: up to 3 disks and 2GB/disk
"Register for Free Evaluation" :(


SecretSync:

Client-side (PIE) encryption add-on for Dropbox
Pricing:
  • $0: up to 2GB encryption folder
  • $40/yr: up to 20GB encrypted
  • $60/yr: 1TB


SkyDrive - Microsoft:

Win / iOS / Windows Phone / Windows 8 Metro-style
Free 25GB storage, 2GB per file
SDK available for apps running on Win, iOS, Android
No apparent focus upon cloud security and TNO


SpiderOak:

Win - Mac - Linux - iOS - Android
FULL TNO-level security / "Zero-Knowledge" privacy
Strongly fault tolerant
Pricing:
  • $0: 2GB
  • $10/mo or $100/yr: 100 GB (cheaper than Amazon or Rackspace at 66GB)
SpiderOak Features:
  • Backup, Sync, Share, Access & Storage
  • Multi Platform Support - Mac, Windows, Linux Compatible
  • 100% Zero-knowledge Privacy
  • Add any number of computers at NO additional cost
  • Storage & time saving De-Duplication
  • Perpetual Deleted File & Historical Version Storage
  • 10-15 Times Faster than traditional backup solutions
  • Wholly Fault-Tolerant Design
ALSO...
  • Securely synchronize folders across multiple computers and operating systems using our free online sync
  • Discreetly share selected folders with friends, family, colleagues, and clients.
  • Share folders instantly in web ShareRooms w/ RSS
Efficient Versioning: "SpiderOak keeps historical versions of every file. This is an extremely important safety feature in a backup application. Consider this scenario: You accidentally save over your thesis paper with a different document. The easy solution is just go to your backup software and retrieve the old version, except what if you don't notice for a few days? If your backup software doesn't keep historical versions, it will save the new (wrong!) version of your thesis into your next backup, making recovery impossible.

SpiderOak's historical versions are space efficient. Even though your historical versions are encrypted and only stored on the server, SpiderOak detects the similarity between those historical versions and your new versions - only saving the parts that actually changed."
HORRIBLE iTunes Store Reviews
SpiderOak Promo Code: "Spring"


SugarSync:

"SugarSync is a free service that enables you to access, sync and share your files across all your computers and devices. We enable you to backup, sync and share all of your documents, photos, music and movies so that you can access them from your PC, Mac, iPhone, iPad, Android, BlackBerry, or any other device."
Win / Mac / iOS / Blackberry / Android / Symbian / Kindle Fire / Web / Outlook plug-in
Their comparison chart: https://www.sugarsync.com/sync_comparison.html
Pricing:
  • $0: 5GB account
  • $5/mo or $50/yr: 30GB
  • $10/mo or $100/yr: 60GB
  • $15/mo or $150/yr: 100GB
  • $25/mo or $250/yr: 250GB
  • $40/mo or $400/yr: 500GB (better than Amazon or Rackspace)
Backup ANY folder / versioning and restore
DOES NOT look like they support TNO-level security.


Tarsnap:

No Windows except through Cygwin; no mobile
BSD, Linux, OS X, Solaris
Twice the price of Amazon.


ZeroBin:

Encrypted Pastebin http://sebsauvage.net/paste/

Sponsors

Netflix
