
Evernote hacked, an early warning for the Cloud Storage storm coming?

In recent years I have written various articles warning of the risk related to the uncontrolled use of cloud storage solutions in the corporate world.

Evernote is a popular online note storage solution which is often used by mobile users. You could see it as a cut-down version of Dropbox, as it is more restrictive about what one can store online.

It got hacked a few days ago, as reported by The Verge. What was stolen includes usernames, email addresses and encrypted passwords. We don’t know what password algorithm they used or how hard/easy/feasible it is for the hackers to crack them, but the company behind Evernote is now asking *all* of its (millions of) users to reset their passwords.

This should really serve as a wake-up call to check what policies and controls are in place to prevent your users from transferring all sorts of corporate documents outside of your corporate security controls. If Evernote is used within your company, and those passwords were cracked, how different would it be from having those users losing unencrypted USB sticks or unencrypted laptops containing corporate documents? Not all users would have access to sensitive data, but those who do should certainly not be free to use any cloud storage solution they like without extra security controls.

With the increased popularity of, and demand for, BYOD and mobile devices, are you restricting your HR, VIP and Financial department users when it comes to syncing data in the cloud? Do you know what data is leaving your company to Dropbox? Skydrive? GoogleDoc? … Evernote?
If you don’t, now would be a good time to find out… before a government data privacy agency asks you!

Boxcryptor, a great tool to secure your cloud storage solution.

I made my feelings very clear about the use of Dropbox in the enterprise in a previous post. I still believe Dropbox and other similar cloud storage solutions such as Google Drive or SkyDrive are a timebomb waiting to happen for many companies who are busy securing their infrastructure but forget to look at the data leaving their premises through the back door, or who simply do not appreciate how tablets and smartphones are driving their users’ behaviours and requirements.

There will be a lot of red faces if/when Dropbox and Co announce they have been hacked.

However, I have recently come across a great tool that can help reduce the impact of such a bad scenario. It is called Boxcryptor.

Boxcryptor creates an encrypted folder under your cloud storage directory (e.g. Dropbox) and allows files to be encrypted on the fly, making it much faster and more transparent than the solution I described before with TrueCrypt. The encryption keys are stored locally and only known to you. Their client runs on many different platforms: Mac, PC, iOS and Android.

Boxcryptor works very well, but it is important to note a difference in software behaviour between a Mac and a PC.

On a Mac, if you install Boxcryptor it will create an encrypted folder in your cloud storage directory.
It will also create a new “disk” which gives you direct access to that encrypted folder.

You then have a choice: you can either drop files onto this “disk” or into that encrypted folder in your cloud storage directory. Those two actions are the same, and the files will be encrypted in both cases.

On a PC, if you install Boxcryptor it will create a folder in your cloud storage directory. Note that I did not say encrypted folder. It will also create a new “disk”.
The difference between the PC and Mac implementations of Boxcryptor is that, on a PC, files are only encrypted if you drop them into your Boxcryptor disk. They will not be encrypted if you drop them directly into the Boxcryptor folder in your cloud storage directory. That folder and the Boxcryptor disk are not the same, so those two actions are not the same either.
This could be confusing: a user may forget about that difference and copy sensitive files directly into the Boxcryptor folder in his cloud storage directory, thinking those files are going to be encrypted when they are not.
To be fair, there is a readme file in the Boxcryptor “encrypted” folder. But the chances are that nobody will read it or, more importantly, that users could forget about it.

My recommendation is to get used to copying files to the Boxcryptor disk only. That way, you are always sure they get encrypted (and that the software is running in the background!).
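
One way to audit for the PC behaviour described above, as an added example that is not from the original post or from Boxcryptor: it walks the synced folder and flags files that still look like plaintext. The signature list, the 7.0 bits/byte entropy cut-off, the sample file names and all function names are assumptions of this example, and it does not parse Boxcryptor's own file format.

```python
import hashlib
import math
import tempfile
from pathlib import Path

# Well-known leading bytes of common document formats.
MAGIC = {b"%PDF": "PDF", b"PK\x03\x04": "ZIP/OOXML", b"\xd0\xcf\x11\xe0": "OLE2 Office",
         b"\x89PNG": "PNG", b"\xff\xd8\xff": "JPEG"}
ENTROPY_FLOOR = 7.0   # assumed cut-off in bits/byte; ciphertext sits close to 8
MIN_SAMPLE = 4096     # the entropy of a smaller sample is too noisy to judge

def entropy(data):
    """Shannon entropy of a non-empty byte string, in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in map(data.count, set(data)))

def plaintext_reason(path, sample=65536):
    """Return why the file looks unencrypted, or None if it looks like ciphertext."""
    with open(path, "rb") as fh:
        head = fh.read(sample)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind + " header"
    try:
        head.decode("utf-8")   # random-looking bytes practically never decode cleanly
    except UnicodeDecodeError:
        low = len(head) >= MIN_SAMPLE and entropy(head) < ENTROPY_FLOOR
        return "low entropy" if low else None
    return "readable text" if head else None

def scan(root):
    """List (relative path, reason) for every suspect file under the synced folder."""
    files = (p for p in sorted(Path(root).rglob("*")) if p.is_file())
    found = ((p, plaintext_reason(p)) for p in files)
    return [(p.relative_to(root).as_posix(), why) for p, why in found if why]

def demo():
    """Constructed sample: one ciphertext-like blob, two files dropped in unencrypted."""
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
    files = {"vault.bin": blob, "payroll.pdf": b"%PDF-1.4\n...", "readme.txt": b"Constructed text.\n"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in files.items():
            Path(root, name).write_bytes(data)
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

The readme file that ships in the folder will always be reported, since it is plaintext by design. High-entropy formats without a listed signature, such as other compressed media, pass unnoticed, so a clean result is not proof that everything is encrypted.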

I have contacted the authors and they are aware of this difference in behaviour. Although they did not commit to any release dates, they are apparently working on it.