Even the Most Secure Cloud Storage May Not Be So Secure, Study Finds

[A Guy]

Some cloud storage providers who hope to be on the leading edge of cloud security adopt a "zero-knowledge" policy in which vendors say it is impossible for customer data to be snooped on. But a recent study by computer scientists at Johns Hopkins University is questioning just how secure those zero knowledge tactics are.

Zero knowledge cloud services usually work by storing customer data in an encrypted fashion and only giving customers the keys to unencrypt it, rather than the vendor having access to those keys. But the researchers found that if data is shared within a cloud service, those keys could be vulnerable to an attack allowing vendors to peer into customer data if they wanted to. The study casts doubt over these zero-knowledge clouds and reinforces advice from experts that end users should be fully aware of how vendors handle their data.

Zero knowledge cloud vendors examined by the researchers - in this case Spider Oak, Wuala and Tresorit - typically use a method where data is encrypted when it is stored in the cloud and only unencrypted when the user downloads it again from the cloud. This model is secure. But, the researchers warn that if data is shared in the cloud, meaning that it is sent via the cloud service without the user downloading it on to their system, then vendors have an opportunity to view it. "Whenever data is shared with another recipient through the cloud storage service, the providers are able to access their customers' files and other data," lead author Duane Wilson, a doctoral student in the Information Security Institute at the Department of Computer Science at Johns Hopkins University, was quoted as saying in a review of the report. View the full PDF of the report here.

Source

A Guy

 

[UsernameIssues]

Most of the online storage solutions that I've seen only store one copy of a file. Thousands of users might be paying to store the same file, but only one copy (not counting the vendor's backup copies) is stored in the cloud. To do that, the vendor must know/use the encryption key.

It is fine to say that it would be more secure if each user had/used a unique key, but each user might end up paying more.

 

[lehnerus2000]

Unavoidable.
If you give your data to someone else you run the risk of them reading it.

 

[Layback Bear]

It is simple to me.
1. Only put your data with someone else if that is the only option you have.
2. Cloud usage is growing very fast and Cloud security isn't keep up.
3. Only you will treat your data with the proper security and tender loving care.
4. If #1 applies to you get another option.

 

[UsernameIssues]

Unavoidable.
If you give your data to someone else you run the risk of them reading it.

But you can make is very hard for them to do so. Nested truecrypt volumes are pretty hard to crack. It would be simpler/quicker to just infect your computer and steal the passwords.

It is simple to me.
1. Only put your data with someone else if that is the only option you have.
2. Cloud usage is growing very fast and Cloud security isn't keep up.
3. Only you will treat your data with the proper security and tender loving care.
4. If #1 applies to you get another option.

Is your data safe from an event like fire/flood?

 

[Layback Bear]

If one want to protect from fire and flood it can be done.
You could choose a fire proof and water proof containers for hard drives.
I read a lot more about things being hacked that I do about floods and fires destroying data.

 

[UsernameIssues]

It would be interesting to compare the data loss numbers for hacked vs. fire/flood for private (non-business) data...
...if only such data was available.

 

[exitPr0gram]

Some cloud storage providers who hope to be on the leading edge of cloud security adopt a "zero-knowledge" policy in which vendors say it is impossible for customer data to be snooped on. But a recent study by computer scientists at Johns Hopkins University is questioning just how secure those zero knowledge tactics are.

Zero knowledge cloud services usually work by storing customer data in an encrypted fashion and only giving customers the keys to unencrypt it, rather than the vendor having access to those keys. But the researchers found that if data is shared within a cloud service, those keys could be vulnerable to an attack allowing vendors to peer into customer data if they wanted to. The study casts doubt over these zero-knowledge clouds and reinforces advice from experts that end users should be fully aware of how vendors handle their data.

Zero knowledge cloud vendors examined by the researchers - in this case Spider Oak, Wuala and Tresorit - typically use a method where data is encrypted when it is stored in the cloud and only unencrypted when the user downloads it again from the cloud. This model is secure. But, the researchers warn that if data is shared in the cloud, meaning that it is sent via the cloud service without the user downloading it on to their system, then vendors have an opportunity to view it. "Whenever data is shared with another recipient through the cloud storage service, the providers are able to access their customers' files and other data," lead author Duane Wilson, a doctoral student in the Information Security Institute at the Department of Computer Science at Johns Hopkins University, was quoted as saying in a review of the report. View the full PDF of the report here.

Source

A Guy

I use Dropbox and have quite a bit of space on it for free (87GB to be precise) obtained from referrals, etc. and i would like to ask you if Dropbox is worthy of security in terms of storing things that you would not want compromised.

Dropbox has a site somewhat explaining their security here

Are the ones that you mentioned (Spider Oak, Wuala and Tresorit) better than Dropbox in a sense of encryption methods? Being that this cloud storage there is no way to be 100% secure, correct me if i'm wrong.

I'm looking for just decent encryption at the cheapest cost (If not free, even). Something that would make it worth transferring my data to another storage service and losing my 87GB

 

[A Guy]

Well...

Dropbox drops the security notification ball, again

But then again, are they any different? I think you'd be well served to find out the best ways to secure your current info

6 Ways To Secure Your Dropbox Account

How To Add a Second Layer of Encryption to Dropbox

Another question is how much of that data is actually a liability to you if it was seen? Account info, tax info, etc. Does it all need to be uber secure, or could you go to extra steps to just secure that data that could harm you?

A Guy

 

[exitPr0gram]

Well...

Dropbox drops the security notification ball, again

But then again, are they any different? I think you'd be well served to find out the best ways to secure your current info

6 Ways To Secure Your Dropbox Account

How To Add a Second Layer of Encryption to Dropbox

Another question is how much of that data is actually a liability to you if it was seen? Account info, tax info, etc. Does it all need to be uber secure, or could you go to extra steps to just secure that data that could harm you?

A Guy

I've actually ran across and browsed all of the articles that you've mentioned, but i appreciate you taking the time to look in to it for me.

And no, there is only 1 or 2 things that i wouldn't want people to see on my Dropbox and even those aren't major.

I was really wanting to figure out if the Cloud Storage services you recommended previously were a better way to go in terms of security, or reliability, as I've had an error occur recently with the Windows Dropbox application and lost some data.

 

[exitPr0gram]

Well...

Dropbox drops the security notification ball, again

But then again, are they any different? I think you'd be well served to find out the best ways to secure your current info

6 Ways To Secure Your Dropbox Account

How To Add a Second Layer of Encryption to Dropbox

Another question is how much of that data is actually a liability to you if it was seen? Account info, tax info, etc. Does it all need to be uber secure, or could you go to extra steps to just secure that data that could harm you?

A Guy

Do you use the Truecrypt feature to help secure your Dropbox? Sounds secure enough to, at least, meet the level of encryption that other cloud services provide so no switching (or paying) would be necessary which would also end up causing me to lose my accumulated 80GB's

 

[A Guy]

I posted the article, not suggesting anything I don't use dropbox. If you have no vital files there, stick with what you have. Wanting to be secure is great, but you need to look at your needs as well. You don't put a Popsicle stick in a safety deposit box

A Guy

 

[Layback Bear]

I posted the article, not suggesting anything I don't use dropbox. If you have no vital files there, stick with what you have. Wanting to be secure is great, but you need to look at your needs as well. You don't put a Popsicle stick in a safety deposit box

A Guy

 

[exitPr0gram]

Some cloud storage providers who hope to be on the leading edge of cloud security adopt a "zero-knowledge" policy in which vendors say it is impossible for customer data to be snooped on. But a recent study by computer scientists at Johns Hopkins University is questioning just how secure those zero knowledge tactics are.

Zero knowledge cloud services usually work by storing customer data in an encrypted fashion and only giving customers the keys to unencrypt it, rather than the vendor having access to those keys. But the researchers found that if data is shared within a cloud service, those keys could be vulnerable to an attack allowing vendors to peer into customer data if they wanted to. The study casts doubt over these zero-knowledge clouds and reinforces advice from experts that end users should be fully aware of how vendors handle their data.

Zero knowledge cloud vendors examined by the researchers - in this case Spider Oak, Wuala and Tresorit - typically use a method where data is encrypted when it is stored in the cloud and only unencrypted when the user downloads it again from the cloud. This model is secure. But, the researchers warn that if data is shared in the cloud, meaning that it is sent via the cloud service without the user downloading it on to their system, then vendors have an opportunity to view it. "Whenever data is shared with another recipient through the cloud storage service, the providers are able to access their customers' files and other data," lead author Duane Wilson, a doctoral student in the Information Security Institute at the Department of Computer Science at Johns Hopkins University, was quoted as saying in a review of the report. View the full PDF of the report here.

Source

A Guy

OK so call me stupid but... i'm still trying to determine if your saying you only go with a certain Cloud Storage service or if you use other means of backing up your data.. I'm trying my hardest not to be hard headed here.

Also, in the bold text that you mentioned above... this is what i meant by saying:

" Do you use the Truecrypt feature to help secure your Dropbox? Sounds secure enough to, at least, meet the level of encryption that other cloud services provide so no switching (or paying) would be necessary which would also end up causing me to lose my accumulated 80GB's "

So if you do use Cloud Storage would you agree, or disagree, that using Truecrypt adds similar protection as compared to others you would pay for? The type of Encryption that Truecrypt offers is extremely similar to what your statement said on what was secure.

If i am correct, then Dropbox + Truecrypt would be the way to go.

Thanks in advance for responding

 

[A Guy]

That is a news article. I did not write that article. I posted it here for everyone. I am not suggesting anything. I DO NOT use dropbox myself. I think you are making too much of it. You say you have nothing that personal on dropbox, therefore, it's level of security likely is sufficient for you. You only can make that decision. Adding your own encryption to dropbox would seem more then sufficient to me. A Guy

 

[exitPr0gram]

That is a news article. I did not write that article. I posted it here for everyone. I am not suggesting anything. I DO NOT use dropbox myself. I think you are making too much of it. You say you have nothing that personal on dropbox, therefore, it's level of security likely is sufficient for you. You only can make that decision. Adding your own encryption to dropbox would seem more then sufficient to me. A Guy

Sounds like that combo is better than most as far as security vs price. Which is all i was really trying to figure out.

Thanks for your input!

 

[A Guy]

You have all that space. It's likely secure enough. Encrypt the small amount of data you wouldn't want falling into someones hands, and feel safe

A Guy