How to encrypt a file in the cloud. A way to conveniently encrypt data in the cloud (in-house). Installing and working with BoxCryptor

Dropbox users save a million files every 5 minutes. In total, 25 million people use the service. However, the creators do not guarantee the integrity of your data, and the authentication system has already failed.

Background

On the nineteenth of June, Dropbox held a kind of “open day”. For 4 hours, anyone could log into someone else's account using an arbitrary password. The creators of the service might not have even noticed the problem if information about the vulnerability had not been published by an independent security researcher (pastebin.com/yBKwDY6T). This is not the first sensitive story lately concerning the security of the files that users all over the world so willingly entrust to Dropbox cloud storage.

Here it should be recalled that from the very beginning of the service’s existence, the developers assured users that they took a responsible approach to data security. Thus, during synchronization, all files are transferred exclusively over a secure SSL connection and are stored on the server in encrypted form (AES-256). By recently changing the terms of use, the same people made it clear that they only restrict their employees' access to files, and that if the need arises, including at the request of law enforcement agencies, Dropbox will certainly provide access to any user's account. Such is the encryption.

I’m not paranoid and, in general, I have nothing to hide, but I absolutely don’t want to open my personal files to anyone. In addition, I have never been happy with the fact that the data sits in clear text on every computer that is synchronized with my Dropbox account. It's time to fix this whole mess.

Raising EncFS

To be fair, it should be said that the service has an official wiki (wiki.dropbox.com), which provides specific tips on security tuning. The ironclad truth is that data must be encrypted on the local machine, and transferred to the cloud in encrypted form. In particular, it is proposed to place a TrueCrypt or FreeOTFE container in a Dropbox folder and store all confidential documents inside it. The method is effective - no doubt about it: even if the account is compromised, the attacker will not be able to decrypt the data. And everything would be fine, if not for one “but”. With this approach, you can forget about rational file synchronization: when you change any document, the entire crypto container will be synchronized, no matter what its size (for example, 1 GB). In addition, in this case, an important Dropbox option is lost, which allows you to roll back any changes and return to an arbitrary version of the file.

Fortunately, a more elegant solution is proposed in the same wiki - use file-by-file encryption, that is, apply cryptography to each file separately. EncFS, a virtual cryptographic file system, is ideal for this. When mounting EncFS, the source directory (the original directory with encrypted files, which can be located in Dropbox) and the mount point are specified. After mounting, each file in the mount point directory corresponds to a specific file from the encrypted directory. Thus, you work with files in clear text, and EncFS transparently places their encrypted versions inside Dropbox. Because each file is individually encrypted, Dropbox can sync changes incrementally for each file. This is a very good technology that has been used under Linux for a long time and is based on the FUSE (Filesystem in Userspace) technology, which allows programmers to create virtual file systems. Despite its roots, it can now be successfully used both under Mac OS X and Windows. Let's start with the last one.

Windows

After an unpleasant story with the Dropbox authorization system, enterprising German guys quickly released the BoxCryptor utility (www.boxcryptor.com), which creates a virtual cryptographic disk in the system. Every file placed on it is automatically encrypted using the AES-256 standard.

Physically, the encrypted data is placed in an arbitrary directory, for example, in a Dropbox folder, while on the virtual disk it is in clear form and can be easily accessed from any application. The developers acted very wisely and did not reinvent the wheel, but simply implemented the basic features of EncFS for use under Windows. And although BoxCryptor does not yet support all the capabilities of the technology, it is quite enough for reliable data protection.

After installation, the application automatically detects the folder used by Dropbox and offers to place a directory with encrypted files in it. To encrypt data, you need to come up with a passphrase and select a letter for the drive on which the files will be available in clear text. If you do not want the data to be readable in clear text without your knowledge, you can choose not to save the password and instead enter it every time you mount the disk. By checking the box next to “Advanced Mode”, you get access to some fine-tuning options of BoxCryptor. This may be necessary in particular if you need Dropbox’s ability to roll back to a previous version of a file.

The fact is that BoxCryptor by default encrypts file names, turning them into gobbledygook, thereby interfering with the versioning system implemented in Dropbox. Therefore, if you need this feature, then file name encryption will have to be disabled.

From now on you should see the BoxCryptor directory inside your Dropbox, and a virtual disk should appear in the system (mine is X:). Now you have a folder in Dropbox where you can store confidential files. It is important to remember two rules here. First, never save files directly to the BoxCryptor directory: this is the place where the data is stored in encrypted form (and synchronized with the cloud in the same form). Therefore, you need to work with documents through that same virtual disk. And secondly, never delete the encfs6.xml file from the BoxCryptor folder. It contains information important to EncFS, which is necessary in order to decrypt the data. In the free version of the program, you can create a logical partition with a volume of no more than two gigabytes, that is, exactly the same size as Dropbox provides by default. In case you are not satisfied with this limitation and do not want to pay money, there is an open implementation of EncFS for Windows - encfs4win (gitorious.org/encfs4win). Of course, there are no restrictions in it.

It is based, as in the case of BoxCryptor, on the Dokan library (dokandev.net), which is an analogue of FUSE for Windows and is necessary for mounting third-party file systems on the system.

Linux

Many Linux distributions have everything you need to use EncFS built in by default, but this doesn't always make things easy. It is important to use the latest development version (>= 1.7), which has fixed a number of bugs. And many distributions, unfortunately, ship with an older release (usually 1.6). This, for example, applies to Ubuntu 10.10, which is installed on one of my laptops. There is no big problem here. You just need to install the new version of EncFS and, for ease of working with it, the Cryptkeeper GUI utility:

sudo apt-get install encfs cryptkeeper

After the installation is complete, we can launch Cryptkeeper through the menu “Applications - System Tools - Cryptkeeper” and import the encrypted directory:

  1. In the notification area, select “Cryptkeeper - Import EncFS folder”.
  2. Next, we indicate the directory where the encrypted files are located (that is, the BoxCryptor folder).
  3. And we determine the desired mount point through which we can access the data in clear form.

After this, an item will appear in the Cryptkeeper menu for quickly mounting an EncFS volume: for example, “Cryptkeeper > /home/step/Documents/Safe”. After entering the password, the volume we need with the decrypted files will appear in the system. You could also do without any GUI utilities by simply mounting the EncFS volume in the console:

encfs ~/Dropbox/BoxCryptor/ ~/BoxCryptor

The first parameter specifies the location of the encrypted volume, and the second specifies the mount point for the clear files.

Mac OS X

Installing EncFS under Mac OS X is perhaps the most difficult to implement due to the need to install additional tools. But it still won’t take much time, and the installed tools will still come in handy in your work more than once. The main catch here is that all the distributed EncFS binaries for MacOS are hopelessly outdated, so we will have to compile everything manually.

The procedure here is as follows:

1. To immediately have a compiler and the other tools needed to build EncFS, it is best to install the Xcode development kit (developer.apple.com). The free version 3 is ideal.

2. Next you will need MacFUSE (code.google.com/p/macfuse), a version of the FUSE project ported to Mac OS X, which EncFS in turn relies on. Just run the downloaded MacFUSE.pkg, and the installer will do everything itself.

3. Install the Homebrew package manager:

ruby -e "$(curl -fsSL https://raw.github.com/gist/323731)"

4. Now we can download the EncFS sources and assemble them on our computer. Homebrew will do everything for us, loading all the necessary dependencies (it’s not for nothing that we installed it):

brew install encfs

5. That's it - EncFS is in the system! You can go to the terminal and mount the BoxCryptor directory (most often this is ~/Dropbox/BoxCryptor) to the folder where the files will be available in clear form (say, ~/BoxCryptor):

encfs ~/Dropbox/BoxCryptor ~/BoxCryptor

The excellent GUI utility MacFusion (www.macfusionapp.org) with the connected plugin for EncFS support (thenakedman.wordpress.com/encfs) will save you from working in the console.
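The two rules from the Windows section (keep encfs6.xml, never work directly in the encrypted directory) and the `encfs <encrypted dir> <mount point>` commands above can be checked before mounting. The shell functions below are an added example, not part of the original article or of EncFS; the function names and return codes are assumptions made for illustration, and the demo tree is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: pre-mount checks for an EncFS volume whose ciphertext
# lives in a synced folder (article layout: ~/Dropbox/BoxCryptor -> ~/BoxCryptor).

# Physical absolute path of an existing directory; fails if it does not exist.
abs_dir() {
    [ -n "$1" ] && [ -d "$1" ] && ( cd -- "$1" >/dev/null && pwd -P )
}

# Succeeds if path $1 equals directory $2 or lies below it.
is_inside() {
    case "$1/" in
        "$2"/*) return 0 ;;
    esac
    return 1
}

# Human-readable text for the (hypothetical) return codes used below.
explain_layout_error() {
    case "$1" in
        0) echo "layout ok" ;;
        2) echo "ciphertext directory not found" ;;
        3) echo "no EncFS config file in the ciphertext directory" ;;
        4) echo "ciphertext directory is not inside the synced folder" ;;
        5) echo "mount point does not exist" ;;
        6) echo "mount point is inside the synced folder: plaintext would be visible to the sync client" ;;
        7) echo "mount point is not empty: existing files would be hidden by the mount" ;;
        *) echo "unknown error $1" ;;
    esac
}

# check_encfs_layout CIPHER_DIR MOUNT_POINT SYNC_ROOT
check_encfs_layout() {
    cl_cipher=$(abs_dir "$1") || return 2
    # EncFS stores its settings in .encfs6.xml; the article names the file encfs6.xml.
    [ -f "$cl_cipher/.encfs6.xml" ] || [ -f "$cl_cipher/encfs6.xml" ] || return 3
    cl_sync=$(abs_dir "$3") || return 4
    is_inside "$cl_cipher" "$cl_sync" || return 4
    cl_mount=$(abs_dir "$2") || return 5
    # The clear-text view must stay outside the folder that is uploaded.
    if is_inside "$cl_mount" "$cl_sync"; then return 6; fi
    [ -z "$(ls -A "$cl_mount")" ] || return 7
    return 0
}

# Run the checks and call encfs only when the layout is sane.
mount_encfs_checked() {
    me_rc=0
    check_encfs_layout "$1" "$2" "$3" || me_rc=$?
    if [ "$me_rc" -ne 0 ]; then
        echo "refusing to mount: $(explain_layout_error "$me_rc")" >&2
        return "$me_rc"
    fi
    encfs "$1" "$2"
}

# Constructed demo: a good mount point and one placed inside the synced folder.
# encfs itself is never invoked here.
demo_layout_checks() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/Dropbox/BoxCryptor" "$d/BoxCryptor"
    : > "$d/Dropbox/BoxCryptor/.encfs6.xml"
    for mp in "$d/BoxCryptor" "$d/Dropbox/BoxCryptor"; do
        rc=0
        check_encfs_layout "$d/Dropbox/BoxCryptor" "$mp" "$d/Dropbox" || rc=$?
        echo "mount point ${mp#"$d"/}: $(explain_layout_error "$rc")"
    done
    rm -rf "$d"
}
demo_layout_checks
```

Typical use is `mount_encfs_checked ~/Dropbox/BoxCryptor ~/BoxCryptor ~/Dropbox`, which falls through to the plain `encfs` call only when every check passes.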

Choosing an alternative

BoxCryptor and EncFS are, in principle, not the only developments that offer an additional layer of encryption on top of Dropbox. Similar functionality (with AES-256 encryption) is also offered by SecretSync (getsecretsync.com/ss). Versions for Windows and Linux are now available on the project's official website, and a release for OS X is promised in the very near future. True, the client was written in Java, and with all due respect to this programming language, I really don’t like any desktop applications implemented with its help.

So we can say that BoxCryptor was lucky :). Let's now try to look at the problem from the other side. Since the service itself does not fulfill the duties that we expect from it, then maybe we can simply change it to something else? The task, whatever one may say, is not unique - there are a number of projects that offer file synchronization between different computers and devices, but with a much greater emphasis on data security.

One of the most sensational of them is Wuala (www.wuala.com), which is positioned by its creators as a “secure online storage.” The service has been developing aggressively lately and offers almost all the same features that Dropbox has. Clients are already available for Windows, Linux, Mac, as well as iPhone and Android.

Wuala uses RSA-2048 for authentication and AES-128 for file encryption. Security is also added by the service's distributed approach to resource storage. The fact is that the service is based on technology that reduces server costs by using idle resources. When a new file is added to the storage, it is encrypted and split into a large number of fragments. Guess where these fragments are located? In the cloud and... on other users' computers. Yes, yes, the service offers users a program for “trading” their capacities. Everything is fair: if a user shares part of his disk with the Wuala network, he gets additional space in the cloud (this requires that the computer be turned on for at least 4 hours a day).

Thus, the hard disks of Wuala users make up a distributed network, which the service uses to improve file download speeds and accessibility and to reduce its costs. Error correction algorithms and extensive redundancy are used to ensure that data is never lost. At the start, the user is allocated 1 GB for free, but he can upgrade his account through the referral program, attracting other people (just like in Dropbox), as well as by “selling” his disk space. To be honest, I have not yet decided to completely switch to Wuala.

There are a few little things that are currently preventing me from doing this. I have several shared folders in my Dropbox folder, which we actively use with other employees to collaborate on documents. This means that everyone will have to switch to Wuala.

The mobile phone application, although it provides access to files in the cloud, is still very limited in capabilities. And the interface for accessing files through the browser is implemented through a laggy Java applet. Therefore, the Dropbox+BoxCryptor combination is my choice for the moment. Everything works, everything is familiar, everything is safe - in short, I like it.

Access to encrypted files via the web

When using BoxCryptor, you will no longer be able to view protected files via the web. More precisely, they can be downloaded, but only in encrypted form. The Portable version of BoxCryptor can help out here by decrypting files downloaded from the cloud. True, if you have not disabled file name encryption, then finding the necessary documents can be oh so difficult. Keep this in mind. In general, the Portable version of BoxCryptor is intended for use in situations where the user has limited rights in the system. By the way, it gets along well with Dropbox’s portable build - DropboxPortableAHK (dropportable.ho.am).

Chronicle of Dropbox failures

April 7 - researcher Derek Newton shared some details about Dropbox authorization on his blog (bit.ly/dropbox_fail). It turned out that the program stores all the authentication information in the config.db file. It is located in %APPDATA%\Dropbox and is a SQLite database.

Among its many fields, one - host_id - is the most interesting. It is determined by the client after the first authorization and does not change over time. And here’s the catch: its value is in no way tied to the system. By copying config.db to another machine, an attacker can easily gain access to someone else’s account data. Without notifying the user! Moreover, even if the user changes his login and password, nothing changes - the host_id still remains valid. Currently the ID is tied to a specific device and can be revoked via the web interface.

April 19 - Dropbox changes its user agreement, directly stating that, if necessary, it can decrypt user files and provide them for investigation under US laws.

April 26 - an open project, Dropship, appears on GitHub (github.com/driverdan/dropship); it allows you to quickly get any file that exists in the Dropbox cloud into your own account. All that is needed is to know its hash. The author, Wladimir van der Laan, was immediately contacted by the service’s chief technical officer and politely asked to remove the source code. Users of the program responded by creating numerous mirrors of the project on GitHub and on Dropbox itself. Within a short time, they also received a request from a Dropbox representative to immediately delete the project files.

June 19 - a release with a serious vulnerability in the authorization system was rolled out to the service. As a result, any user could log into someone else's account without knowing the password. Dropbox's justification is that during the time it took to fix the vulnerability, less than 1% of users logged in.

Good day, dear readers of the site. I think many people have wondered about the security of cloud data storages; many people also store confidential personal data in them, and no one wants this information to get to third parties, even by accident. Data encryption can help with this.

But encrypting every file separately is a rather long task, and it makes no sense to upload a crypto-protected container to the storage and update it in its entirety every time, even with minimal changes to the files inside. The Cryptomator application can help solve this issue.

Cryptomator is an application for encrypting data sent to cloud storage, i.e. encryption occurs not on the server with the data, but on your computer. This approach has its pros and cons:

Pros:

  • There is no need to authorize the application in the cloud storage.
  • Higher speed of the file encryption/decryption process, because it depends only on the performance of your system and the program itself.
  • There is no need to send data to cloud storage.
  • The program is completely free and is an Open Source project. Anyone can explore the code on GitHub.

Cons:

  • You need a cloud service client to synchronize data, or access via WebDAV (more on this below).

Installing Cryptomator

In Ubuntu, Mint, ElementaryOS, installation occurs from the PPA repository. Enter the following commands into the terminal:

sudo add-apt-repository ppa:sebastian-stenzel/cryptomator
sudo apt-get update
sudo apt-get install cryptomator

Or you can download the deb package from the developer's website.

In Fedora, OpenSUSE, CentOS and other distributions that use .rpm packages, Cryptomator is installed by downloading the RPM package for 32-bit or 64-bit systems from the official website. Cryptomator is also available in the AUR repository.

As you can see, installing the program does not require much effort.

How to use Cryptomator

We launch the application and see a simple control window:

As you can see in the image, I have already created one crypto storage.

Press the "+" button in the lower left corner; a file manager opens, where you need to select the storage location (I recommend a folder that is automatically synchronized with the cloud service) and the name of the encrypted file.

Then enter the password to access the crypto storage.

And press "Create storage", after which you will be asked to re-enter your password to unlock the completed vault.

It is where you need to copy data for encryption; for example, I copied the .rpm package of the application itself. The program window will display a graph with the encryption/decryption process, a red and green line for the encryption and decryption process, respectively.

After the encryption process is complete, click "Lock storage". After which you can synchronize the data with the cloud service. After encryption, the files take on a similar appearance.

This folder contains a file named "masterkey.cryptomator"; it is used to decrypt the storage when adding a finished storage (item 1).

Conclusion

As shown above, installing, configuring and using the program does not require skills and knowledge beyond the basic ones, and every beginner who wants to protect their data can work with it. Unfortunately, the interface and functionality of the Cryptomator application for Linux systems are much poorer than for Windows and MacOS; we can only hope that the developer will address this.


Dear community!

But we should start with an overview of the current situation.

There are clouds in which you can store a lot of different information. Sometimes for free. It's seductive. Many services are literally fighting to give you as many gigabytes and features as possible. However, you need to understand that free cheese only comes in a mousetrap. The danger lies in the fact that you hand your files over for storage to a stranger whose intentions toward you are unknown. And the danger of a file as an information object is that a copy can be made of it without you ever knowing. Files can also be analyzed for various purposes. In general, a lot of things.

Those who adhere to the point of view “I have nothing to hide, let them look” need not read further. Continue to enjoy the recent iCloud photo leaks, removal of unlicensed content from the cloud, etc. Those who care about the confidentiality of their personal lives, and who find it unpleasant to be spied on through the keyhole and to have Big Brother's hand in their personal affairs - read on.

You can use the clouds. But you need to do it right. The solution here is data encryption. However, you need to understand that not all encryption is equal. Many services shout that they have the best encryption algorithms. But these same services are modestly silent about the fact that they themselves can access your data at any time. Therefore, the most correct option is to encrypt/decrypt data on YOUR side. Thus, the cloud always deals only with encrypted content. At the same time, the encryption client and the cloud service should not have the same owner. The ideal case is an open source encryption client.

So what do we have with this approach:

1. The owner of the cloud never has access to the contents of your files. No way.
2. All nodes in the chain of your traffic do not have access to your data. This is, for example, the owner of a wifi point in a cafe, a provider, the owner of trunk lines, network administrators at your work, etc.

This is cool.

1. You have extra worries about ensuring encryption/decryption, and an extra load on your computer.

To each their own as to which matters more. But let's agree that:

1. The cloud is not a corporate tool for you. Although there may be options here in the form of distributing the password to colleagues.
2. The cloud is a personal data storage for you.

Current state of affairs

1. At the moment, no service provides the content encryption model described above. It’s understandable: it’s not profitable for them.
2. After googling, I was surprised to find that no one is particularly concerned about this problem. Perhaps the same story is repeating itself with clouds as with social networks umpteen years ago, when people, without thinking, posted everything about themselves online: who had what relationship with whom, where they served and worked. A gift to all intelligence agencies and scammers.

Current options for solving the problem of ensuring the security of your own files in the cloud:

1. Encryption provided by the cloud owner. Protects only from other users, but not from the cloud owner.
2. Storing files in the cloud in password-protected archives or encrypted containers (such as TrueCrypt). It is inconvenient to use, because in order to make a small change or just download a file, you need to download/upload the entire container, which is often not fast if it is big.
3. VPN only protects the communication channel, but not the cloud content.
4. The BoxCryptor program. It can encrypt files sent to and downloaded from the cloud. But its operating mechanism is inconvenient. Your local computer must hold a synchronized copy of all the cloud data. You work with the data in this copy, and the program uploads it to the cloud in encrypted form. In short, it synchronizes. Inconvenient.

What do we want?

We want to have a flash drive with us, we insert it into any of our (or not our) computers with an Internet connection, and launch a certain program from it. A virtual disk appears in our system, by going into it (some using Explorer, some Total Commander) we will be taken to our account in the cloud. We see our files and do what we need with them. And then we turn everything off and leave. But if we log into our account without launching this magical program, then we (or an attacker, an admin-sniffer, a cloud owner, etc.) will see a bunch of garbage - both in the file names and in their contents.

An alternative is to install this program permanently on all your computers and forget about its existence and the need to run it periodically. This method will work with all types of clouds that support the WebDAV standard and allow you to store simply arbitrary files that meet file system standards.

After googling, I found only 2 options for solving the encryption issue almost in the form in which I need.

1. WebDav plugin for Total Commander. It adds a cloud account to Total Commander, and the account becomes visible as a disk to which you can copy files. However, it does not yet support encryption. My attempts to persuade the author, Ghisler, to include encryption in it and become the first to solve this problem were unsuccessful.
2. The CarotDAV program, which has already been written about on this site. It can encrypt files and names individually. And everything would be fine, but it has an explorer interface, which is inconvenient.

And now, in fact, the reason why I am writing this long post has happened.

Actually, the program is easy, everything works as it should. But most importantly, now you can be sure that your files in the cloud belong only to you - while maintaining an easy and convenient way to access them.

I invite everyone who is interested and who needs such a program to join the testing.

Cloud storage services are very popular because they make our files and documents more accessible. But how can we enhance their privacy and security?

1. Use cloud settings

Cloud storage providers offer separate settings to ensure the confidentiality of user data. Using these configurations will certainly improve your overall security posture. Your first step towards protecting your cloud data should be protecting the account itself. To start, use a strong password for your online storage accounts. Then activate ‘two-step verification’. For a broader understanding, two-step verification and two-factor authentication are ways to protect a service's login process. For this purpose, the user's mobile phone is used as the second requirement for logging into the service. The user has to enter a special security code along with their username and password when logging into the website. This security code is delivered to the user by SMS to a pre-specified mobile phone. The code is automatically generated and sent every time you try to log in. So even if your username and password are compromised, you still have the mobile phone in your hands. This way, hackers will not be able to access your cloud storage, since they will not have the security code that is sent to your mobile phone.

In the same way, cloud storage offers several options for file sharing. Review these options before sharing files with others. For example, you can make a file publicly available, which means that everyone has access to it. There are also other options for restricting these permissions. You can set the access parameters so that only a person who has a link to the file, along with read permission, can access it. Some services offer to protect files in the cloud with passwords, so that those who want to access the files must enter a password. Find out more about your account settings so that you can skillfully use such tools to protect privacy and improve security settings.

2. Encrypt files locally

There is a huge number of encryption tools on the Internet. Choose only reliable apps to encrypt your files locally before sending them to the cloud. This means that the encryption/decryption key for cloud files will be exclusively yours. Therefore, if a third party suddenly gets hold of your files, they will not be able to view them, since only you hold the decryption key. Some of these encryption tools are: AES Crypt, MEO Encryption Software, etc.

Personally, I used the AES Crypt encryption software on my Windows PC. The program is very easy to use and works quite quickly. AES Crypt supports 256-bit encryption. The free program is available at this official link. This little program takes a few seconds to download. You will receive a Zip archive from the site. After extracting the archive, you will find the ‘AesCrypt’ folder, which contains the software installer. After installing the AES Crypt program, you will see a special option in the context menu, with which you can quickly use the application.

In the Windows operating system, AES Crypt shortcuts are missing from the desktop and the Start menu. You need to use the tool directly from the context menu, or use the command line. How to use the latter is described on the application's website.

The application can only encrypt compressed/archived folders. This requirement does not apply to single files. To encrypt a file, right-click on the file and select the ‘AES Crypt’ option from the context menu. Provide a decryption password and click on the ‘OK’ button.

The encryption process starts instantly. Take into account that you must remember the decryption password to decrypt/unlock the file. If you forget the password, you won't be able to gain access to the file.

If you want to decrypt your file, double-click on it (or right-click and select the ‘AES Decrypt’ option from the context menu).

After this, a miniature window will appear containing a field for entering a password.

In this field you must enter the password specifically for this file, and then click on the ‘OK’ button. This way you will decrypt your file and be able to open it.

3. Use special tools to encrypt cloud data

There are dedicated tools for encrypting data stored on cloud services such as Google Drive, OneDrive, Dropbox, etc. These third-party applications allow you to encrypt files locally, that is, before they are synchronized with cloud storage. This saves you the time of encrypting and uploading each file separately to the cloud. Some of these tools are: Boxcryptor, Cloudfogger, etc. A tool such as Boxcryptor creates a special folder on your computer, which is connected to the local cloud storage folder (for example, Dropbox) on the same device. So, if you are using Boxcryptor for Dropbox, for example, you just need to move the files to the Boxcryptor folder. The application encrypts the files and sends them to the Dropbox folder for further synchronization with the server. Ultimately, encrypted files end up on Dropbox. If any of these files need editing, do so in the Boxcryptor folder. In this case, the edited file will be synchronized automatically. That's all!

I hope this article has helped you improve the privacy and security of your cloud data. Stay with us and you will get even more interesting and advanced tips. Thank you for your attention.

Data residing on your hard drive, USB flash drive, and external media is best encrypted using VeraCrypt. The program is based on the well-known TrueCrypt tool, but also offers more features than the previous version.

A TrueCrypt successor called VeraCrypt will completely encrypt your drive

To use external storage media, encrypted containers are created for data on disks. These containers consist of a single file that only opens its contents with VeraCrypt and the correct password.

To create a container, select the “Create an encrypted file container” option from the VeraCrypt main menu and follow the program’s instructions. The hard drive installed in your PC should be encrypted completely, including the Windows system.

This has the decisive advantage that even with physical access to your system, attackers will not be able to change your Windows password and gain access to your data. To do this in VeraCrypt, select the option “Encrypt the system partition or entire system drive”.

Mobile device protection

To avoid having to enter a complex password every time in iOS, use the Touch ID fingerprint sensor on iPhone 5s, 6/Plus, 6s/6s Plus and SE smartphones

To protect your data on devices running Android and iOS, you will have to encrypt the system. Apple already does this as standard. Even the FBI can't break their code. This was clearly demonstrated by the recent case in which the authorities tried to examine a terrorist's iPhone.

According to experts, the agents could not break the code; they simply recovered it by brute force. To prevent such interference without much difficulty, use a complex password for access instead of a four-digit number.

To do this, go to “Settings | Touch ID and password | Change Password” and then click “Password Options”. Here select “Custom code (letters + numbers)”. Even the FBI with its capabilities would take decades to crack such a password.

Android devices are not encrypted out of the box. You will have to resolve this issue manually

All intelligence agencies can do is read the saved backup copy of the password in iCloud. Therefore, our advice is this: only create local backups via iTunes.

And only you will have access to them. You can get rid of existing backups in the cloud by deleting everything saved under “Settings | iCloud | Storage | Manage | Backups” via “Remove copy” from Apple servers.

To enable encryption on Android, select “Settings | Security” and then “Encrypt phone”. But be careful: just like with iOS, your data will be lost if you forget your passcode!

Encrypting data in the cloud

If your data is in cloud storage, for example, Dropbox or the GMX center, third parties may be able to access it. You can protect these accounts with Boxcryptor. It encrypts the contents of Dropbox and other services using its own code.


Boxcryptor will protect your data in all major cloud services

To access your data, you will need the Boxcryptor program and app on all your devices. The tool integrates into the system and conveniently encrypts or decrypts data in the background. In addition, the manufacturer states that it does not hold the encryption keys. If you forget your password, you will lose your data.