Category Archives: Privacy

We Are Not Just Numbers!

“I’m not a number, I’m a free man,” said Number 6 in the series called “The Prisoner” (for the oldest amongst us). The series was broadcast in the Sixties but we have to admit that, still today, we are only numbers! And this will get worse in the coming years.

Personally, I’m not against being a number if controls are properly implemented. Numbers are easy to index, sort and search. Numbers are a good way to identify things or people but they can easily be spoofed. As Wikipedia says:

In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data (in this case the number) and thereby gaining an illegitimate advantage.

You Just Have Been Erased! Are You Sure?

This is a never-ending story! People will never realize that once data has been published online, it is a nightmare to try to remove it. Here is another example…

In parallel to this blog, I’m playing with another website called leakedin.com. The purpose is to educate people about the huge amount of data that can be posted on the Internet without their prior consent, by mistake or, worse, wittingly! The website compiles interesting data collected from paste websites using my tool pastemon. Everything is automated and some content can be grabbed just before being removed by the website maintainers (pastebin.com looks more and more aggressive on this point). I completely agree that some content might be offensive to some people. That’s why my website proposes an abuse page to report such content. When something is reported, the content is immediately removed. My goal is not to offend people! A few days ago I received this message:

From: xxxxx@xxxxx.xxx
Subject: please remove ASAP!

My Social Security # is on your website in 2 different locations. It originated on pastebin and has since been deleted from their website. Please remove both links from Leakedin.com.

http://www.leakedin.com/2012/05/04/xxxxxx


http://www.leakedin.com/2012/05/04/yyyyyy

Thanks,
xxxxxx xxxxx

A few hours later, the content was removed and I notified the person with a standard reply. Then, a second message came in:

From: xxxxx@xxxxx.xxx
Subject: Re: please remove ASAP!

Thanks for deleting 2 links with my SS# (see below) but I still see it when googling my name "xxxxx". Please help!!
Thank you,

LeakedIn » Blog Archive » Potential leak of data: US SSN
www.leakedin.com/2012/05/04/xxxxx/
May 4, 2012 - J 08213 xxxxx xxx xxxxx xxx xxxxx MS xxx xx/xx/xxxx xxx-xx-xxxx xx/xx/xxxx xxx-xx-xxxx xxxxx xxxxx xxx

LeakedIn » Blog Archive » Potential leak of data: US SSN
www.leakedin.com/2012/05/04/xxxxx/
May 4, 2012 - ... xxxx xxxx xxxx xx xxxxx xx/xx/xxxx xxx-xx-xxxx xxxxx xxxxx xxxxx xxxx xxxx xx xxxxx xx/xx/xxxx xxx-xx-xxxx ...

Ok, ok, how to answer in a comprehensive and polite way? We are not in a Hollywood movie: there is no way to roll back the past and forget what happened using a neuralizer! There is no “format” nor “delete” button on the Internet. I won’t say it’s impossible to get rid of all your private data. There are even companies which sell their services to build you a brand new, clean online profile (for lots of $$$).

This example was based on private data related to one person. Imagine what happens when a company loses thousands of records or publishes confidential data by accident. Such incidents occur every day. The correct title for this article should be “You just have been… indexed!“.

All Your Data Are Valuable!

A few weeks ago, a subsidiary of a major Belgian bank was hit by a blackmail attack. The attackers requested a large amount of money, threatening to reveal sensitive stolen data. I don’t know how this story ended: did the bank pay? Did the attackers really steal a large amount of data or were they just bluffing? Targets of such attacks always try to limit the impact by avoiding communication. This is in fact bad behavior and, hopefully, things will change when breach notification laws are in place in European countries.

Same story today! We learned via the Belgian press (article in Dutch) that another attack was conducted against a temporary employment (interim) agency. More information has been posted by another Belgian blogger. Reading his post, it looks like security was very poor (as usual, I would like to say!). The attackers leaked 10K records with names of job seekers, addresses, e-mails, national numbers and social security card numbers. As a proof, they released some records here.

You may be tempted to react like “That’s weird but it’s just another leaked database!” But the stolen data also contained comments made by the company’s employees about the job applicants. Examples (based on the sample data released)? “Nothing to catch. Always looks drunk. Unstable person.” or “Something wrong with it. Huge sweating and coughing. Drugs?“. If the complete database is released on the Internet, this could have huge impacts for multiple parties:

  • Are employees authorized to write down comments like this?
  • The same comments written by the employees could lead to discrimination. (Example: comments based on the body or physical appearance of the people)
  • Customers of the interim agency could be impacted too. Bad publicity! (Example: if they don’t want workers of a specific religion or skin color!)
  • The psychological impact on some job seekers. How would some react if they read the comments left about them? Some might be psychologically weak and have difficulties sustaining their situation as unemployed.

As you can see, problems are not only on the technical side. In my opinion this is the perfect example to remember that all your data are valuable. Often, the most critical data are found in military, financial or medical environments but, if you collect data about people (customers, partners, …), you must implement security measures to protect them in the right way!

What Are You Sharing with Dropbox?

Dropbox is a well-known online service which allows you to share files between computers. Even if, in the past few months, new competitors have entered the same market, Dropbox remains number one. While files are synchronized between Dropbox software clients, they also provide features to share files with third parties who don’t have a Dropbox account. How? By creating “links” to those files. It’s easy: in your Dropbox folder, select a file, right-click and select “Dropbox -> Get Link“. Your direct URL will look like this: “http://www.dropbox.com/s/wg0ih0qywujn77y/myfile.zip“. Then, share the URL with your peers, who just have to point their browser to it to access your file. Easy!

But if your files are available via HTTP(S), this means that anybody can access them. They just have to guess valid URLs. Guessing the 15-character strings is doable (brute force) but would waste a lot of time. Where can plenty of existing URLs be found? In search engines of course!

Ranking People Like Domains or IP Addresses?

Real-time event or network traffic analysis is interesting to track suspicious behaviors. And, if you add some external sources of information, you can increase even more the capability of detecting real events. Such ranking sources usually apply to IP addresses and domain names. There are plenty of online resources with huge lists of suspicious IP’s/domains (a good starting list is available here). You can of course create and maintain your own private lists. But can we implement the same ranking with “people” (humans)?

Show me your SSID’s, I’ll Tell Who You Are!

The idea of this article came from a colleague of mine. He wrote a first version of the script described below. I found it very useful and asked his permission to re-use it and to write this blog article. Thanks to him! In the meantime, during my research, I also found that a friend, Didier Stevens, published on his blog the same kind of script but for an AirPcap adapter. Mine uses any adapter capable of being switched to “monitor” mode.

All devices have Wi-Fi interfaces (laptops, tablets, mobile phones, consoles, etc) and their operating systems have features to easily manage the wireless networks you connect them to. When you connect for the first time to a new network, most users save the information for later use (or the system stores it for you without notification). This small database will be used later by the operating system to discover which known network(s) are available and automatically connect to them.

This database may contain a lot of interesting data. Some may reveal private information like your employer, your ISP, where you go to party, to eat, where you go on holidays or which security conference you attended. Why? Simply because networks are often configured with explicit names. Have a look at the screenshots below taken from a laptop running Ubuntu:

[Screenshot: Ubuntu Wifi-Settings]

[Screenshot: Network Configuration]

By default, when a new wireless network is configured, the “auto-connect” flag is enabled. This is the case on Ubuntu, MacOS and Windows 7. What does this mean? Each time you boot your computer or reconfigure your wireless card, the device will send “Probe Request” management frames over the air. This can be compared to a message like “Hey! Network xxx, are you there?“. Even if your network uses encryption, all those probes are sent in clear! In Wi-Fi technologies, there are several methods available to detect the available networks or SSIDs:

  • Beacon,
  • Probe Requests,
  • Probe Responses,
  • Association Requests,
  • Reassociation Requests

“Probe Requests” are very interesting to capture to detect the SSID’s already configured and used by people. To achieve this, we just need a BackTrack 5, a Wi-Fi network card that supports monitor mode and some tools. To collect “Probe Requests“, just use the following commands (replace <i> with the channel number):

  # iwconfig wlan0 mode monitor
  # iwconfig wlan0 channel <i>
  # tshark -i wlan0 subtype probereq

It’s easy but not very convenient! If you keep tshark running for a few hours, you could miss data. The purpose of the script is to automate this process and keep some statistics about the detected probe requests (client MAC addresses and SSID’s). It’s also important to scan all the available channels (1-14) to grab as many SSID’s as possible. This is called “channel hopping” and, to achieve this, the script starts a child process which changes the Wi-Fi channel every 5 seconds within an infinite loop. The script syntax is the following:

  Usage: ./hoover.pl --interface=wlan0 [--help] [--verbose] [--iwconfig-path=/sbin/iwconfig]
                    [--ifconfig-path=/sbin/ifconfig]
                    [--dumpfile=result.txt]
  Where:
  --interface     : Specify the wireless interface to use
  --help          : This help
  --verbose       : Verbose output to STDOUT
  --ifconfig-path : Path to your ifconfig binary
  --iwconfig-path : Path to your iwconfig binary
  --tshark-path   : Path to your tshark binary
  --dumpfile      : Save found SSID's/MAC addresses in a flat file (SIGUSR1)

It will dump all detected SSID’s to the console in a completely passive way. No packets are sent over the air from the scanning host! When you kill the script or wake it up via a SIGUSR1 signal, it will dump all detected SSID’s, MAC addresses, packet counts and the last time each was seen. The example below shows the result of one day of scanning in my neighborhood. 40 SSID’s detected in my area is not bad (I’m living in the countryside).

 !! Dumping detected networks:
 !! MAC Address          SSID                           Count      Last Seen
 !! -------------------- ------------------------------ ---------- -------------------
 !! 7E-62-89-9E-C4-E4    Billi-Wifi                             43 2012/01/10 22:15:36
 !! 07-46-6E-4F-61-4E    Réseau de ******                     2732 2012/01/11 16:28:09
 !! 6F-B6-11-2E-AF-74    LA HAGOULLE                             1 2012/01/11 16:17:08
 !! 8F-9F-B1-5B-73-C8    Go-Away-Lamerz                         85 2012/01/11 16:28:09
 !! 00-ED-E1-3A-A9-1C    wifi94                                  6 2012/01/10 18:25:27
 !! E1-28-7F-6A-C6-44    3cles                                   1 2012/01/11 16:17:08
 !! 4E-CD-8A-BD-1C-EB    NOW-X-54                               10 2012/01/10 20:08:02
 !! 0B-8C-A1-1C-BB-51    CRAPS                                5598 2012/01/11 16:28:09
 !! 91-4A-F0-42-A6-63    bbox2-****                              1 2012/01/11 10:48:49
 !! 0B-A7-51-ED-E1-FA    SpeedTouchD4288C                        2 2012/01/11 16:17:08
 !! C09-C2-23-89-2D-E9   ISFS                                    4 2012/01/10 18:12:25
 !! CE-7C-B6-58-39-D3    HAYEZ                                   1 2012/01/11 10:48:49
 !! 44-45-60-E6-61-1B    Guest                                   1 2012/01/11 16:17:08
 !! 0B-A7-51-ED-E1-FA    bbox2-****                              8 2012/01/11 16:15:11
 !! 09-C2-23-89-2D-E9    biblio                                  1 2012/01/11 10:48:49
 !! CE-7C-B6-58-39-D3    free-hotspot.com                        2 2012/01/11 16:17:08
 !! 37-F3-65-28-35-0C    123EURO                                 1 2012/01/11 16:17:08
 !! E4-8F-02-9B-E8-3C    FREE_DELIRIUM                           1 2012/01/11 10:48:49
 !! 6E-2C-81-CE-13-E3    bbox2-****                              4 2012/01/10 18:25:27
 !! E9-4A-D6-4F-72-0C    chateau_magique                         1 2012/01/11 16:19:07
 !! A4-B4-B3-FC-B0-75    WiFi_FD                                 1 2012/01/11 16:17:08
 !! E3-9E-A3-9F-A1-F7    TP-LINK_******                        519 2012/01/11 16:10:51
 !! DA-6C-E2-D8-D8-A7    bbox2-****                              6 2012/01/10 18:25:27
 !! 03-94-41-21-6C-C2    bbox2-****                              3 2012/01/10 18:25:27
 !! 27-E3-1F-61-5A-69    linksys-n                               1 2012/01/11 10:48:49
 !! 81-8A-48-1B-DF-20    Philips WiFi                            1 2012/01/11 10:48:49
 !! 55-C3-BE-F9-63-60    SpeedTouch******                        1 2012/01/11 16:17:08
 !! F0-3D-CC-D3-16-A4    blanmont                               27 2012/01/11 16:28:09
 !! 7A-19-39-BC-3B-A6    chouchou                                1 2012/01/11 10:48:49
 !! 7E-62-89-9E-C4-E4    belgacom                                1 2012/01/11 10:48:49
 !! 07-46-6E-4F-61-4E    Réseau UAH                              4 2012/01/10 18:25:27
 !! 6F-B6-11-2E-AF-74    dlink                                   5 2012/01/11 10:48:49
 !! 8F-9F-B1-5B-73-C8    sagem-****                              1 2012/01/11 16:17:08
 !! 00-ED-E1-3A-A9-1C    bbox2-****                              1 2012/01/11 10:48:49
 !! E1-28-7F-6A-C6-44    bbox2-****                              2 2012/01/11 10:48:49
 !! 4E-CD-8A-BD-1C-EB    QuickWiFi                               1 2012/01/11 16:17:08
 !! 91-4A-F0-42-A6-63    bbox2-****                              1 2012/01/11 16:17:08
 !! 81-8A-48-1B-DF-20    linksys                                14 2012/01/11 16:19:07
 !! 27-E3-1F-61-5A-69    WiFi_6E                                 1 2012/01/11 16:17:08
 !! 82-94-05-84-30-ED    Sitecom                                 1 2012/01/11 16:17:08
 !! Total unique SSID: 40

Note: the MAC addresses have been randomized using the MAC Address Generator.
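The statistics the script keeps (count and last-seen per client MAC and SSID) can be reproduced from a plain tshark capture. The following is an added example in Python, not the hoover.pl script from this post; it assumes tab-separated lines of epoch time, client MAC and probed SSID, as printed by `tshark -T fields -e frame.time_epoch -e wlan.sa -e wlan.ssid subtype probereq` (the SSID field name varies between tshark versions), and adds a per-client view that is handy for auditing what your own devices reveal.

```python
"""Aggregate captured Wi-Fi probe requests into per-client statistics.

Added example, not the hoover.pl script from this post. It consumes
tab-separated lines of <epoch time>, <client MAC>, <probed SSID> (assumption:
the output of tshark -T fields with frame.time_epoch, wlan.sa and wlan.ssid)
and keeps the same count / last-seen figures as the script's SIGUSR1 dump.
"""
from datetime import datetime, timezone

# Constructed sample capture (not real traffic). One client probes two
# networks over two days; the third line is a broadcast probe (empty SSID).
SAMPLE_CAPTURE = """\
1326233736\t7e:62:89:9e:c4:e4\tBilli-Wifi
1326233740\t7e:62:89:9e:c4:e4\tBilli-Wifi
1326233741\t7e:62:89:9e:c4:e4\t
1326233800\t0b:8c:a1:1c:bb:51\tCRAPS
1326299289\t7e:62:89:9e:c4:e4\tBilli-Wifi
1326299290\t7e:62:89:9e:c4:e4\tbelgacom
"""


def parse_line(line):
    """Return (epoch, MAC in AA-BB-.. form, ssid) or None for unusable lines."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != 3:
        return None
    ts, mac, ssid = parts
    if not ssid:  # broadcast probe: no network name is leaked
        return None
    try:
        return float(ts), mac.upper().replace(":", "-"), ssid
    except ValueError:
        return None


def aggregate(lines):
    """Map (mac, ssid) -> {"count", "last_seen"} over an iterable of lines."""
    stats = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, mac, ssid = rec
        entry = stats.setdefault((mac, ssid), {"count": 0, "last_seen": ts})
        entry["count"] += 1
        entry["last_seen"] = max(entry["last_seen"], ts)
    return stats


def unique_ssids(stats):
    """Number of distinct SSIDs seen, the script's "Total unique SSID" figure."""
    return len({ssid for _, ssid in stats})


def ssids_per_client(stats):
    """Map each client MAC to the sorted list of SSIDs it probed for: the view
    to use when auditing what your own devices reveal about where you connect."""
    clients = {}
    for mac, ssid in stats:
        clients.setdefault(mac, []).append(ssid)
    return {mac: sorted(ssids) for mac, ssids in clients.items()}


def format_dump(stats):
    """Render the statistics in the same layout as the script's dump."""
    lines = ["!! Dumping detected networks:",
             "!! %-20s %-30s %10s %s" % ("MAC Address", "SSID", "Count", "Last Seen")]
    for (mac, ssid), entry in sorted(stats.items(), key=lambda kv: -kv[1]["count"]):
        seen = datetime.fromtimestamp(entry["last_seen"], tz=timezone.utc)
        lines.append("!! %-20s %-30s %10d %s" % (mac, ssid, entry["count"],
                                                seen.strftime("%Y/%m/%d %H:%M:%S")))
    lines.append("!! Total unique SSID: %d" % unique_ssids(stats))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_dump(aggregate(SAMPLE_CAPTURE.splitlines())))
```

Feeding it a live capture is a matter of piping tshark's output into `aggregate(sys.stdin)`; the empty-SSID broadcast probes are skipped because they do not leak any network name.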

That’s all for the technical part. Now that you have a list of MAC addresses and SSID’s, what can you do with them? How can this script be useful from an attacker perspective?

First, use this as a “presence detection” mechanism. You can track the presence of people in a specific area. Being at home, I could detect when my neighbor is back home and uses his laptop. Same for companies: from outside, you could detect the presence of employees in the office. The more powerful your antenna, the farther away you will be able to detect activity. Then, the detected SSID’s could help you to learn a lot about your potential victim. The goal is to “put a face” on the MAC address. You can learn the type of device/ISP they use. You can learn about their habits (and later perform social engineering): hotel SSID’s, restaurant SSID’s, etc. Some people define SSID’s with personal data: pet names, street addresses, nicknames. Always interesting stuff… If you know that your victim booked a room in a specific hotel, it’s a step forward to asking him to click on a rogue document coming from this hotel. But that’s another story!

The script is available here.

Honeymail: Track Who’s Leaking Your E-mail Addresses

“E-mail”… What a wonderful online service! When I first connected to the Internet around 1994 (I’m feeling old writing this!), I was so excited to receive my first e-mail! Today, I’m very happy when I receive fewer than 50 e-mails per day! E-mail has been, for years, associated with spam. Still today, most of the SMTP traffic on the Internet is spam. Fighting spam became a real sport for most of us.

Today, most spam can be easily detected and blocked by filters. Being my own e-mail provider (I maintain my own domains, DNS & SMTP servers), regular spam has not been an issue for a while. Each week, at most two or three spam messages go undetected… I find this acceptable. Today, I’m most concerned by my privacy and how my personal information is managed by third parties.

How do I take care of this issue?

  • With my Gmail account, I’m using “email+source@domain.com” e-mail addresses. This helps the creation of filters based on the “+strings” you used. Alas, more and more online services do not allow a plus sign in e-mail addresses.
  • Using my own infrastructure, I’m using e-mail addresses like “source@nospam.rootshell.be“.

The goal of those techniques is to track who leaked or shared your e-mail addresses without your authorization. A few months ago, a new project was initiated by a friend, Tomasz Miklas. His project is called honeymail.net. The principle looks the same as my own solution but it does not require any infrastructure on your side and no registration at all. How does it work?

  • You visit a website which requires your e-mail address in a form.
  • Create a new alias and activate it. It’s as easy as sending an e-mail:
      From: xavier@private-email.com
      To: create@my.honeymail.net
      Subject: Suspicious website

    You will receive an e-mail with a link to activate your new alias.

  • Continue with your registration on the suspicious website and provide your honeymail.net address.
  • The first time you will receive a mail to this address, honeymail.net will create a link between the sender and your alias (a “one-2-one” link). Then the message will be delivered to your private address:
    Now, your alias is linked to the sender! If you receive an e-mail to your alias from another source, you’ll be warned.
  • To test, just send a new e-mail from another account:

To manage your aliases, simply send other e-mails. Aliases can be temporarily paused and resumed. This is useful to simply drop all e-mails sent to them. Another nice operation is the “reset“. It deletes the existing link with the source e-mail address. The website is clear and easy to use, have a look for more details!

At the moment, honeymail.net is still a proof of concept but it looks very promising. I recommend it if your privacy is a main concern!
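The two techniques above share one idea: an address that encodes its source, plus a rule that tells a legitimate sender from a leak. The following added example in Python (neither honeymail.net’s code nor the author’s mail setup) extracts the source tag from a plus-address or from a dedicated tracking subdomain (nospam.example.com and alias.example.net are assumed, constructed domains) and applies the honeymail-style “one-2-one” link with pause, resume and reset.

```python
"""Track who leaked an e-mail address with per-source aliases.

Added example; it is neither honeymail.net's code nor the author's mail
setup. It covers both techniques from this post: extracting the "source" tag
from a plus-address (user+source@domain) or from a dedicated tracking
subdomain (source@nospam.example.com, an assumed domain), and the
honeymail-style "one-2-one" link where the first sender writing to an alias
is bound to it and any later, different sender is reported as a leak.
"""
from email.utils import parseaddr
import re

PLUS_RE = re.compile(r"^([^+@]+)\+([^@]+)@([^@]+)$")
TRACKING_DOMAIN = "nospam.example.com"  # assumption: your own catch-all domain


def alias_source(address, tracking_domain=TRACKING_DOMAIN):
    """Return the source tag encoded in a tracking address, or None."""
    addr = parseaddr(address)[1].lower()
    m = PLUS_RE.match(addr)
    if m:
        return m.group(2)
    local, _, domain = addr.partition("@")
    if domain == tracking_domain and local:
        return local
    return None


class AliasTracker:
    """honeymail-style aliases: create, pause/resume, reset and deliver."""

    def __init__(self):
        self.links = {}      # alias -> sender bound on first use, or None
        self.paused = set()

    def create(self, alias):
        self.links.setdefault(alias.lower(), None)

    def pause(self, alias):
        self.paused.add(alias.lower())

    def resume(self, alias):
        self.paused.discard(alias.lower())

    def reset(self, alias):
        """Drop the link so the next sender becomes the new bound source."""
        self.links[alias.lower()] = None

    def handle(self, alias, sender):
        """Classify a message for `alias` from `sender`.

        Returns "unknown" (no such alias), "dropped" (alias paused),
        "linked" (first sender, now bound), "delivered" (bound sender)
        or "leak" (a different sender got hold of the alias)."""
        alias = alias.lower()
        sender = parseaddr(sender)[1].lower()
        if alias not in self.links:
            return "unknown"
        if alias in self.paused:
            return "dropped"
        bound = self.links[alias]
        if bound is None:
            self.links[alias] = sender
            return "linked"
        return "delivered" if sender == bound else "leak"


def leak_report(tracker, messages):
    """Run (alias, sender) pairs through the tracker and return the leaks
    as (alias, bound sender, leaking sender) tuples."""
    leaks = []
    for alias, sender in messages:
        if tracker.handle(alias, sender) == "leak":
            leaks.append((alias.lower(), tracker.links[alias.lower()],
                          parseaddr(sender)[1].lower()))
    return leaks


# Constructed sample: one alias registered on a shop, later used by a spammer.
SAMPLE_MESSAGES = [
    ("shop-2012@alias.example.net", "Shop <noreply@shop.example>"),
    ("shop-2012@alias.example.net", "noreply@shop.example"),
    ("shop-2012@alias.example.net", "Promo <promo@spammer.example>"),
]

if __name__ == "__main__":
    tracker = AliasTracker()
    tracker.create("shop-2012@alias.example.net")
    print(leak_report(tracker, SAMPLE_MESSAGES))
```

Binding on the full sender address is the strictest choice; a service whose newsletters rotate sender addresses would need the link to be made on the sender’s domain instead.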

Who’s Playing with my Data?

My privacy, your privacy are key requirements in our (online) life! Nobody enjoys seeing personal data used by unauthorized people. Let me tell you a story that happened to me today. I visited the website of a well-known vendor to grab some information about its products. When you’d like to access more information like a white paper, documentation or a live demo, you are often redirected to a very nice form asking for hundreds of personal details. That’s part of the game. Even if, personally, I hate this! Most of the time, I just press the “back” button of my browser or close the tab. After all, looking for some information does not mean that I’m ready to meet the vendor or to be hunted by their sales force! I respect sales people, they have to do a job that is not always easy but… DON’T BUG ME!

Back to today’s story. I really needed the precious documentation. Forced to follow the procedure, I filled in and submitted the online form. Of course, I never disclose my personal data. Usually I use those of the Privacy Commission in Brussels:

Jean Dupont
Commission for the Protection of Privacy
Rue Haute, 139
1000 Brussels, Belgium
+32 (0)2 213 85 40

And to protect my e-mail, I use guerrillamail.com which provides temporary e-mail addresses. Some vendors are nasty and refuse disposable e-mail addresses but it remains unusual (hopefully for us). Back in the GuerrillaMail interface, I received the confirmation but also a strange message (Note: the information has of course been anonymized):

  Undelivered mail
  From: postmaster@webagency.com, To: ucqczlqd@sharklasers.com, Date 2011-12-14 12:32:04
  An error was detected while processing the enclosed message.  A list of
  the affected recipient follows.   This list is in a special format that
  allows software like LISTSERV to automatically take action on incorrect
  addresses; you can safely ignore the numeric codes.

  --> Error description:
  Error-for:  johndoe@webagency.com
  Error-Code: 3
  Error-Text: Mailer server.webagency.com said:
              "550 5.1.1 <johndoe@webagency.com> User unknown; rejecting"
  Error-End:  One error reported.
  ------------------------------ Original message ------------------------------
  Received: from AspEmail (server.webagency.com) by server.webagency.com
  (LSMTP for Windows NT v1.1b) with SMTP id <0.00018EAA@server.webagency.com>;
  Wed, 14 Dec 2011 7:32:02 -0500
  From: <ucqczlqd@sharklasers.com>
  To: sales@vendor.com,johndoe@webagency.com
  Subject: VendorName - Request a Demo
  Date: Wed, 14 Dec 2011 07:32:02 -0500
  MIME-Version: 1.0

  The following information has been submitted:

  First Name:         Jean
  Last Name:          Dupont
  Company:            Commission for the Protection of Privacy
  Title:              N/A
  Email:              ucqczlqd@sharklasers.com

  Phone:              +32 (0)2 213 85 40
  State:              Brussels
  Country:            Belgium

  Comments:           Don't bug me!

  Referral Info:
  Refering URL:   http://www.vendor.com/
  Landing Page:   /a/very/long/path/to/more/vendor/information/index.asp

Of course, it was very tempting to google for the e-mail address which generated the non-delivery error message. I found the guy! He worked for “webagency.com” as a “Search Marketing Specialist” (just his title already scares me!) and left seven months ago. I’m wondering why this guy configured the script to send a copy of all visitor information to his mailbox. What can we learn from this story?

  • From a visitor’s point of view, don’t trust the website you’re visiting. Even if it belongs to a well-known or big player, information can be accessed by third parties. Most websites are developed and hosted outside the company (and outside its controls!)
  • From a company’s point of view, manage properly the departure of people. When someone leaves the company, a lot of organizations simply close the e-mail account. The right way is to redirect the mailbox to a manager or a direct colleague who will be able to process the new incoming mails. This way, the problem reported above would have been detected and fixed.
  • Implement code review and strong software development rules. If the data was sent to a second e-mail address for debugging purposes or during a test phase, why leave it active for months?
  • Depending on your business, this could have huge compliance impacts! (Note: sensitive information should never be sent via e-mail!)
  • Implement SoD (“Separation of Duties“) to ensure that tasks are properly handled. Developers cannot implement backdoors or add unexpected functions in their code.

Now, you will understand why you receive spam even if you manage your e-mail addresses properly! Stay safe!

Your Car Knows a Lot About You!

I got a new company car. W00t! After the basic welcome tour of the different options, I went deeper and reviewed the on-board computer configuration options. Today, modern cars integrate multimedia interfaces to manage information from several sources:

  • GPS coordinates (past as well as present)
  • Phone books synchronized from phones over Bluetooth/IR or cable
  • Address books also synchronized from phones or manually configured in the GPS (Your home, your office, …)
  • Audio data (your favorite music types or pod-casts may reveal interesting stuff about your personality or activities)

Unauthorized access to those data can definitely break your privacy. There are different types of threats. The software developed by the car manufacturers can be buggy (Do you remember the story of the Nissan LEAF?). It’s difficult to protect yourself against this. Patches or updates must be provided by the manufacturers and (often) installed by car dealers or official repair centers. Another threat is unprotected access to your private data: it can be accessed by engineers during maintenance or your car may be stolen. What about a replacement of the multimedia system with a brand new one? Such devices have more and more built-in storage based on hard drives or flash memory. Do they have a procedure to wipe them properly? The problem is the same with old drives still containing data and sold on eBay. The car can also be sold… with interesting content! In high-end cars, it’s not uncommon to have on-board Internet access via 3G. Your multimedia system becomes a real browser with… cookies, history, credentials. Lots of fun!

In my car, all this information is centrally managed via a MMI or “Multi Media Interface“. While browsing the options, I found this interesting one: “Data Encryption”.

[Screenshot: MMI Encryption Menu]

This option allows you to define a master password to encrypt your personal data stored in the system. Of course, I activated this option. It remains basic: you just have to enter a password. Good point, there is no limitation on the length and allowed characters:

[Screenshot: MMI Encryption Configuration]

Until now, the system has never asked me for my password again, even when I power-cycle the MMI. I suppose it prompts for the password after the system has been completely disconnected from its power source? I searched for technical information about this feature (which algorithm is used, how the key is stored) but I did not find anything relevant. If you have more details, please share.

Also, it looks like most Audi ECUs (“Engine Control Unit“) also implement encryption via a 1024-bit RSA key. This is known as an “anti-tuning” feature which prevents unauthorized modifications of the engine parameters.

Conclusion: Like mobile phones, cars are also computers and may contain sensitive data!

Should Dropbox & Co be Killed?

I’ve been a big fan of the Dropbox application for a while. Dropbox helps you synchronize your files within a personal repository located in the cloud. If you have multiple Dropbox clients configured, your files will be instantly synchronized between all your devices when they come online. I use it daily to exchange files between my iPhone, Macbook and Linux laptop. Any change performed in the monitored folder is immediately synchronized with the other devices. Easy but safe?

Dropbox recently changed its EULA (“End User License Agreement“) and this made a lot of people cringe. A few days ago, the following statements about the privacy of your uploaded files were removed from their website:

Nobody can see your private files in Dropbox unless you deliberately invite them or put them in your Public folder

Dropbox employees aren’t able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents).

Dropbox now announces:

“We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.”

For me, this means that people inside the Dropbox organization have tools to decrypt your files and access the content. I don’t synchronize critical files with my Dropbox account but, as you probably know, the malicious insider has become a major threat today. My privacy remains a big concern! Bad month for Dropbox: it looks like the Dropbox user authentication is insecure by design. So, I decided to look for a nice Dropbox alternative. Is it time to change? There are plenty of Dropbox-like services available but only one matched my principal requirements:

  • Respect of my privacy (encryption)
  • Multi-platform support (Linux, Windows, MacOS & iPhone)

The service which came first is Wuala (a European subsidiary of LaCie). The biggest advantage of Wuala is the encryption. It’s performed on the client side before the data is sent to the cloud. This means that Wuala cannot decrypt your data (except by using a brute-force attack against weak passwords ;-) ). As you encrypt data by yourself, more CPU usage is required and a risk of data loss exists if you lose your password! (You are the only one who knows it.) About the security of your data, Wuala allows its users to share some free disk space to store blocks of data from other users. By doing this, you can get extra storage capacity (they call this “trading“). Nice, but I’m not feeling comfortable with some pieces of my data stored on other computers not controlled by the “service provider“. What will happen if their encryption algorithm is broken? From a pure networking point of view, Wuala can be detected as a Peer-2-Peer application. I still prefer Dropbox which works below the radar (it uses HTTPS). Here is a small overview of pros & cons:

Dropbox
  Pro:
  • Uses HTTPS
  • Simple OS integration
  • Multiple platform support
  Con:
  • Server-side encryption
  • Closed-source software
  • The only way to increase the storage quota is $$$
  • Lack of configuration (delays, confirmations, …)

Wuala
  Pro:
  • Client-side encryption
  • Multiple platform support
  • Extra storage can be received by “trading”
  Con:
  • Less OS integration (requires extra packages like MacFuse)
  • Sync between multiple computers not available for free accounts
  • Closed-source software
  • Peer-2-Peer protocols (incoming connections – firewalls must be updated)

My conclusions? First, don’t forget the “security triangle“! The more features an application has, the more security concerns may arise. A good example is the deduplication mechanism used by Dropbox to reduce bandwidth and storage requirements. Second, always keep in mind that your files are sent to the cloud with all its known issues! Before using a synchronization service (or any other service offered in the cloud), perform a risk management exercise. What if your data were lost? What if they were disclosed? As always, awareness is mandatory. Users must be aware of the risks they take by using such services. Don’t kill services like Dropbox or Wuala immediately but use them in the right way!

If you really need to exchange sensitive data, there are solutions to increase their confidentiality and integrity:

  • Encrypt them by yourself! (GnuPG is your friend)
  • Create a TrueCrypt container in your Dropbox folder

About TrueCrypt containers, I don’t recommend using them “live”. It’s not easy to sync a big container even if both work with blocks. It seems that Dropbox will always transfer the complete file after every change.

Dropbox already communicated on this topic via their blog about those security issues.