Security Review: Online Backup

By dannya at 7:51 pm on February 6, 2009 | 2 Comments

Every day there are more online backup options: Mozy.com, Xdrive, Adrive. This is a significant security concern that deserves more attention. These online backup solutions offer encrypted data transmission and strong firewalls. Although companies may say they are 100% secure, this is not a guarantee any organization can reasonably make. A system can never be completely secure; it can only be free of known exploits. Large companies commonly have their servers hacked and data stolen. This happens to companies as large as Comcast, Novell, Citibank, and Microsoft. Even if certain online backup solutions are 100% secure, this would not ensure that all others are or will be in the future. An attacker who gains access to an online backup server would have access to varied and immense data.

Assets & Security Goals:
–Online backups, once stored, should be separated from corporate external networks by multiple levels of protection.
–Companies should seriously consider whether it would be okay if their data leaked, and what would be the consequences for customers.

Adversaries and threats:
–Enemies: Any rival to a company or person who uses online backup.
–Experienced Adversaries: Hackers with unreleased exploits to access servers owned by Mozy and other backup solutions.

Potential weaknesses:
–A port scan of all online backup company servers would likely reveal a vulnerability somewhere.
–A dictionary attack could be conducted on Mozy log-ins.

Defenses:
–The provider should remove the data from network access once it is backed up.
–Do not use online backup if you require the data to be confidential or it could be used to the advantage of a rival.

Online backup will likely become more ubiquitous, as all emerging technologies do. When it becomes more prevalent, this issue will become a strong privacy concern.


2 Comments

  • 1

    Comment by John

    February 7, 2009 @ 3:59 am

    One way to protect yourself using online backup is to encrypt your data before it is uploaded. At http://www.MyOtherDrive.com, we use 128-bit AES encryption to encrypt your files on your machine, using your password, before they are transmitted to our site. That means that our system never sees your encryption password, and receives completely encrypted files. Used this way, your data is safe not only going across the Internet, but also safely stored on our disks. As you are aware, I am sure, banks use 128-bit SSL encryption for online banking. If a hacker were to somehow compromise our system, your encrypted files would be completely useless and unreadable to the attacker as they would not have your encryption password.

    To give you an idea of how strong 128-bit encryption is, the RC5 challenge enlisted a distributed network of over 30,000 computers to crack a 64-bit encrypted message. (http://www.distributed.net/rc5/). It took 1,757 days to break it. To put that in perspective to 128-bit encryption, it would have taken twice as long had it been 65-bit. 66-bit encryption would take 4 times as long. At that same rate of computers and processing, it would have taken 7,546,257,539,072 days to break 128-bit (over 20 billion years). And remember, that is a distributed attack using over 30,000 computers.

  • 2

    Comment by John DeRegnaucourt

    February 7, 2009 @ 8:34 am

    Make sure when you back up your data you are backing up the data with an encryption method and password that is only known by you. If you have to send your encryption password up to the server, then that means the company and its employees all could technically get at your data.

    If your data is backed up by an encryption method such as AES encryption where the encryption is done on the client, not on the server, your files are doubly safe.
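
The client-side encryption described in the two comments above, as an added example that is not part of the original post or comments and is not any provider's code. The comments specify only 128-bit AES keyed from the user's password; the function names, the blob layout, the scrypt key derivation and the GCM mode are assumptions.

```javascript
// Added example; function names and blob layout are hypothetical.
const crypto = require('node:crypto');

const KEY_LEN = 16; // 128-bit AES key, the size named in the comment
const SALT = 16, NONCE = 12, TAG = 16; // assumed layout: salt | nonce | tag | ciphertext

// Derive the key on the client. The password never leaves this machine;
// only the random salt travels with the encrypted file.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, KEY_LEN, { N: 16384, r: 8, p: 1 });
}

// Encrypt locally. The returned blob is everything the provider receives.
function sealForUpload(plaintext, password) {
  const salt = crypto.randomBytes(SALT);
  const nonce = crypto.randomBytes(NONCE); // fresh per file, never reused with a key
  const key = deriveKey(password, salt);
  const cipher = crypto.createCipheriv('aes-128-gcm', key, nonce, { authTagLength: TAG });
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), body]);
}

// Restore on the client. Throws if the password is wrong or the blob was altered.
function openAfterDownload(blob, password) {
  const salt = blob.subarray(0, SALT);
  const nonce = blob.subarray(SALT, SALT + NONCE);
  const tag = blob.subarray(SALT + NONCE, SALT + NONCE + TAG);
  const key = deriveKey(password, salt);
  const decipher = crypto.createDecipheriv('aes-128-gcm', key, nonce, { authTagLength: TAG });
  decipher.setAuthTag(tag);
  const body = blob.subarray(SALT + NONCE + TAG);
  return Buffer.concat([decipher.update(body), decipher.final()]);
}

// Returns the plaintext, or null when authentication fails.
function tryOpen(blob, password) {
  try { return openAfterDownload(blob, password); } catch (err) { return null; }
}

// Constructed sample data, not from the page.
const sample = Buffer.from('Q4 customer list: constructed sample record\n');
const stored = sealForUpload(sample, 'correct horse battery staple');
console.log('plaintext visible in stored blob:', stored.includes('customer'));
console.log('wrong password opens it:', tryOpen(stored, 'password123') !== null);
```

With this layout the provider stores only salt, nonce, tag and ciphertext, so the confidentiality of the backup rests entirely on the password. A guessable password can still be attacked offline by anyone holding the blob, which is why the key comes from scrypt rather than a bare hash.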
