Tuesday, March 31, 2015

Stop worrying about cloud data security - download Cloudifile!




Cloudifile is a smart cloud data automation and security tool.
Just a couple of clicks – and your data is protected and seamlessly integrated into your workflow.
Learn more details at www.cloudifile.com!

Monday, March 30, 2015

IBM discloses vulnerability in Dropbox's Android SDK

 

 

The flaw allegedly affects popular Android apps like Microsoft Office Mobile, but Dropbox maintains its scope is limited


Security researchers at IBM have found a vulnerability in Dropbox's Android SDK, versions 1.5.4 through 1.6.1, which allows attackers to connect applications on mobile devices to the Dropbox accounts they control.

IBM and Dropbox have been working together since December to verify and patch the vulnerability. But Dropbox remains adamant that the problem is of extremely limited scope and most Android users -- especially at this point -- are not vulnerable.

Rapid response

 

Originally discovered by IBM Security's X-Force Application Security Research Team, the vulnerability -- classified as CVE-2014-8889 -- allows an attacker to link an app that uses the vulnerable version of the SDK to a Dropbox account of their choosing. The user's own Dropbox account is not accessible through this vulnerability.

"This may allow the attacker to steal sensitive information and inject malicious data into apps," IBM's Roee Hay stated in a high-level overview of the issue provided in advance of its public announcement.
According to IBM, Dropbox responded very quickly when contacted. "This may have been the most rapid response from any vendor we disclosed a vulnerability to," said Erin Lehr, of External Communications and Media Relations at IBM Security, in a phone conversation. "Within four days, they had a patch."

That said, IBM agreed to give Dropbox at least 90 days to verify the vulnerability -- enough time for Dropbox to ensure that those using its SDK had patched their products.

While only a small percentage of all Android apps use the SDK -- 0.29 percent, according to research provided by AppBrain -- IBM claims the vulnerability is more common among some of the more popular Android applications and cited Microsoft Office Mobile as one example. Out of 41 apps it examined that used the Dropbox SDK, IBM claims 31 apps were vulnerable.

"The rest of the apps were vulnerable to a much simpler attack that has the same consequences but had been fixed by Dropbox in the 1.5.4 version of the SDK, which the apps' developers did not upgrade to," Hay said.

A closed window of opportunity

 

Dropbox, however, maintains that the scope of the vulnerability is extremely limited -- and far more so now that app developers have had time to patch their applications.

"There are no reports or evidence to indicate the vulnerability was ever used to access user data," said Devdatta Akhawe of Dropbox in a blog post about the issue.

Dropbox also insists that exploiting the vulnerability would not have been easy to do and would have required all of the following conditions be fulfilled:

  1. The victim would have to be using an application on Android with the affected version of the SDK.
  2. The victim would have to visit "a specially crafted malicious page with their Android Web browser targeting that app, or have a malicious app installed on their phone," said Akhawe.
  3. The Dropbox client for Android would have to not be installed on the device.

This last point is crucial for two reasons:

  1. The Dropbox client -- as opposed to apps developed with the vulnerable version of the SDK -- is itself not currently vulnerable.
  2. Once the client is installed, all interaction with Dropbox through third-party apps is conducted through the client, rather than via the functionality provided in the SDK.

Most Android malware infections stem not from vulnerabilities in the operating system itself, but from incautious users installing applications that do not come from the Google Play store, which is scanned regularly. That said, this vulnerability affected legitimate, fully vetted applications. Future vulnerabilities of the same ilk will require as much early warning and remediation as possible.

Serdar Yegulalp, Senior Writer

 

 

Monday, March 23, 2015

90 Percent of IT Pros Worry About Public Cloud Security 

 



One third of IT professionals surveyed said they've experienced more security breaches with the public cloud than with on-premise applications.


A recent Bitglass survey of more than 1,000 IT and IT security practitioners found that one third of respondents have suffered more security breaches with the public cloud than with on-premise applications.

According to the company's 2015 Cloud Security Report, fully 90 percent of respondents expressed concern over public cloud security.

Just 5 percent said they weren't concerned at all about security in the cloud.

Respondents' leading cloud security concerns are as follows: unauthorized access (63 percent), hijacking of accounts (61 percent), malicious insiders (43 percent), insecure interfaces/APIs (41 percent), and denial of service attacks (39 percent).

Key barriers to cloud adoption included general security concerns (45 percent), data loss and leakage risks (41 percent), loss of control (31 percent), and legal and regulatory compliance (29 percent).
(A recent BitSight survey found that 79 percent of IT security and risk management decision-makers said ensuring that business partners and third parties comply with their security requirements is a top priority over the next 12 months.)

Thirty-six percent of respondents said they believe even leading cloud applications like Salesforce and Office 365 are less secure than on-premise applications.

Still, 38 percent of enterprises store intellectual property in the cloud, 31 percent store customer data, 19 percent store sensitive financial data, and 8 percent store employee healthcare data in the cloud.
And 43 percent of respondents said employees are allowed to access personal storage services from the corporate network.

"Almost 80 percent of managers are concerned about personal cloud storage services operated by employees or visitors, and the risk they pose regarding data privacy and leakage," the report states.
A recent SailPoint survey of 1,000 enterprise employees found that those managers' concerns are justified -- 1 in 5 respondents to that survey said they had uploaded proprietary corporate data to a cloud app "with the specific intent of sharing it outside the company."

"The report confirms that the cloud is increasingly part of enterprises' IT plans, with some 72 percent of organizations saying they are either planning to implement or are actively implementing cloud environments," Bitglass CEO Nat Kausik said in a statement.

"At the same time, organizations are concluding that SaaS applications are less secure, slowing widespread adoption of these technologies," Kausik added.



 

Friday, March 20, 2015

Are you sure your cloud data is secure?

Don't worry about your cloud data security! Download Cloudifile for FREE right now!

Just a couple of clicks – and your data is protected and seamlessly integrated into your workflow.

Learn more at www.cloudifile.com

 

Thursday, March 19, 2015

Cloud trends survey: 9 out of 10 orgs concerned about public cloud security 

 


After surveying more than 1,000 cybersecurity professionals, a cloud trends study found that steady adoption of the cloud hasn't eased practitioners' security concerns. In fact, 9 out of 10 organizations were “moderately concerned” to “very concerned” about public cloud security, the report said.
Published Wednesday by Crowd Research Partners, the 32-page “Cloud Security Spotlight Report” (PDF) highlighted major drivers and risk factors associated with cloud adoption, as well as organizational attitudes about such trends. The study was conducted with cooperation from the Information Security Community on LinkedIn and cloud security providers, such as AlienVault, AlertLogic, Bitglass and Palerra, CRP said in a release.

In addition to 90 percent of organizations having concerns about public cloud security, the report ranked the top three cloud adoption barriers: general security concerns (45 percent), data loss and leakage risks (41 percent) and loss of control (31 percent).

As for the biggest security threats introduced by public cloud use, 63 percent of participants said that unauthorized access via “misuse of employee credentials and improper access controls” was a principal concern. Sixty-one percent of those polled said that hijacking of accounts, services or traffic was one of the biggest cloud security threats, while 43 percent voted “malicious insiders” as a top threat.

The occurrence garnering the smallest percentage of votes was natural disasters. Only seven percent of respondents said that Mother Nature was a top threat to cloud security.

Another major finding in the study was that, “despite SaaS providers' significant investments in security, 36 percent of respondents believe that major cloud apps such as Salesforce and Office 365 are less secure than on-premise applications,” the report said. “Only 12 percent believe these apps are more secure.”

The report also included a section on key ways to implement cloud security. Survey participants voted “consistent security across IT infrastructures” the most important factor (60 percent) for securing cloud environments, followed closely by continuous protection (58 percent).

Half of respondents said that setting and enforcing consistent cloud security policies was the “most popular method to close the cloud security gap,” the study said. The use of application programming interfaces (APIs) for reporting, auditing and alerting organizations of security events was ranked the second-most popular method (45 percent) among participants.


Tuesday, March 17, 2015

Gartner: CIOs need to focus on supporting mobile, context-aware services, analytics

 

A recent Gartner poll of 2,800 chief information officers globally reveals that public cloud is, in itself, a minimal focus among the wide range of deployment options they must consider to support the next generation of applications, services and devices. The firm said CIOs need to instead focus on supporting mobility and using analytics to improve operations.

According to the Gartner survey, nine per cent of CIOs today are not even considering cloud computing for software-as-a-service projects, a number that increases to 15 per cent for infrastructure-as-a-service projects.

“I&O leaders have been more protective of their existing infrastructure and, in many cases, have been the biggest obstacle to cloud-based solutions, often resorting to cloudwashing as an excuse to not seriously pursue a true cloud-based solution,” said Dave Russell, vice president and analyst at Gartner.
“Instead, I&O leaders should institute a ‘cloud-first’ consideration for every project on an application-by-application basis,” Russell said.

“Rather than ignoring the cloud outright, or only reluctantly considering it, evaluating all implementation models at the outset of a project can help save time and produce better results,” added Mike Chuba, research vice president at Gartner.

The firm said the results show enterprises are recognizing the need for advanced analytics to improve operations and enhance the IT department’s understanding of internal users, and the need to support more mobile workstyles, which both have infrastructure implications.

“The CIO survey responses indicate that mobile devices are now the primary or secondary interface for a significant number of IT investments. The survey also showed that 71 per cent of CIOs felt an increasing need for context-aware services. For I&O leaders, this means mobility must now be a top concern in system design,” the firm said.

“To support the changing analytics game, I&O leaders will need to lay an IT foundation for predictive analytics — an effort that is difficult but decreasing in cost thanks to parallel processing frameworks that can run analytics solutions.”


Learn more at www.businesscloudnews.com!


Monday, March 16, 2015

7 Things You Should Read About Cybersecurity


The President is talking about it. Your tech friends are talking about it. Seth Rogen and Sony joined Target, Home Depot and JP Morgan Chase on its list of victims. But you still only have a beginner’s sense of what cyber-security means. We are living in a digital world, and all the same bad stuff that happens in the offline world is moving online. That includes the threats we usually assign to our military or intelligence agencies. What’s it all mean? Below are some essential links to get you up to speed. But, to fully prepare, join us in person or by livestream when we host a Cybersecurity conference on Monday, February 23rd (you can RSVP here), followed by a conference on the Future of War Tuesday and Wednesday (RSVP for that here).

To prepare for the conference, here are 7 things you should read on cybersecurity.

An Exclusive Look Inside DARPA’s Plan to Visualize Cyberoperations by Sara Sorcher, The Christian Science Monitor
 The Pentagon’s advanced research wing plans to spend $125 million on Plan X, a virtual-reality system for US cyber warriors to see attacks coming over networks and more quickly fight against them.

How to Catch a Terrorist by Matthias Schwartz, The New Yorker
The N.S.A. claims it needs access to all our phone records. But is that the best way to catch a terrorist?

The future of war: Cyber is expanding the Clausewitzian spectrum of conflict by Tim Maurer, Foreign Policy
The development of more and more advanced cyber capabilities is expanding the way in which states carry out conflicts.

NATO Tries to Define Cyberwar by Rob Morgus, Real Clear World
As the number of cyber attacks increases, how are we able to define what is an act of cyber war, and what is not?

The Hackers of Oz by Anne-Marie Slaughter and Shane Harris, The Weekly Wonk
How do we win a war that can’t be seen? Anne-Marie Slaughter goes behind the cyber curtain and investigates the insides of the NSA in this podcast with Shane Harris.

The State, the Internet, and Cybersecurity by Peter W. Singer and Emanuel Pastreich, The Brookings Institution
Peter Singer discusses the dynamics of cyberspace and how governments should best conceptualize cyber threats, and suggests that cybersecurity’s greatest challenges are in threat identification and attribution.

A Red Cross for Cyberspace by Tim Maurer, TIME
Let’s start a conversation about whether and how a global cyber federation could make cyberspace a more resilient and humanitarian human creation.

 

Wednesday, March 11, 2015

And do you worry about your cloud data security?

If so, try Cloudifile, a cloud encryption tool that adds a proven security level to Dropbox, improving its simplicity and efficiency at the same time.
Learn more at www.cloudifile.com!


Tuesday, March 10, 2015

How to decipher cloud computing jargon


As IT becomes an integral part of each business function, it’s increasingly important for non-IT professionals to gain a top-level understanding of technical terms, in order to better execute their own responsibilities. If your business is considering moving to the cloud, one of the biggest challenges that you will face is your ability to understand all the terms that cloud vendors and “techies” throw around.
Below are some of the most commonly used cloud terms, starting with Amazon’s most popular Compute, Storage and Database offerings in the Cloud, followed by some other generic, but seemingly confusing terms. For those of us who don’t have a technical background, this list should help to get you started and give you a clearer understanding of cloud computing, so you’ll be ready for your next chat with IT.

 

VPC

VPC (Virtual Private Cloud) is used to logically separate your infrastructure, platform and applications in a secure virtual network that you define. It is your virtual apartment block in the cloud, which houses all of the bits and pieces relevant to your business. This may include personalised applications for your business like sales and inventory management systems, security software, additional EC2 instances, email hosting services and online storage.

 

VPN Connection

A VPN (Virtual Private Network) is the secure connection between a VPC and another network, like a home network, mobile computer/tablet or another office for your business. It does this by connecting your VPC over another network, like the internet, to other devices/networks. It ensures that everything in your VPC is available to all staff or relevant parties, at any time and in a secure manner.

 

Load Balancing

Load balancing is a system used to distribute website traffic across multiple instances. Rather than relying on one server, incoming requests are balanced across a range of servers. That way, your business isn’t relying on a single server, improving the performance and ensuring high availability of your site. You can think of it as balancing the weights on a set of scales until they are even, that is, if you only have two servers – most businesses will have more.

 

Auto Scaling

This is a process that configures your compute capacity (like the size, configuration or architecture) up or down, according to the conditions that have been defined. It can launch and terminate instances without manual intervention. Using this process, you can be sure that the number of EC2 instances that are being used will increase seamlessly in high traffic periods such as when your marketing team is running a busy marketing campaign. It will automatically decrease the required capacity again afterwards, ultimately ensuring there is no spend wastage.

 

CDN

A Content Delivery Network or Content Distribution Network is a large network of caching servers that are distributed across different geographies (in the same country or across multiple countries), taking your web content closer to the eyeballs that are digesting it. As the demand for uploading and downloading content to servers is increasing, cloud providers are now making your cloud available from a number of different servers in different locations, so that you and your content consumers experience increased performance and decreased latency.

 

Self-healing

As the name suggests, a self-healing device or system is one that has the ability to notice that it is not operating correctly and, without the need for human involvement, make the necessary changes to restore normal operating function. These intuitive systems have made IT servicing and maintenance increasingly cost-effective and have reduced service downtime for users.

 

Utility Computing/Billing

Cloud uses a pay-per-use model that allows cloud users to pick and choose what technologies, services, infrastructure and capacity they need, and pay for these on a needs basis. This improves on traditional IT models where you have to permanently maintain enough infrastructure to cope with occasional spikes in traffic. As a result of utility billing and the commoditisation of infrastructure in the cloud, smaller players are gaining greater access to computing power, online storage systems, and website hosting – services that were previously accessible only by industry goliaths.

I hope that helps! Are there any cloud terms out there that you still don’t understand?

By Mark Randall, chief customer officer of listed cloud services provider, Bulletproof.

Learn more at www.brw.com.au! 

 

Friday, March 6, 2015

Protect your private pics with Cloudifile! It's easy and FREE!

Simply select the folder with your pics, right-click it, and choose "Cloudify". All the pics in the folder will be securely encrypted and automatically sent to the cloud. In addition, newly created or copied pics will be automatically cloudified.

Learn more at www.cloudifile.com








Thursday, March 5, 2015

Hurry up! Download Cloudifile now - and get it for free forever!






Cloudifile is a powerful cloud encryption tool that adds a proven security level to Dropbox, improving its simplicity and efficiency at the same time.

How It Works

Cloudifile encrypts your data in all Dropbox-associated locations and organizes easy and transparent sharing of this data with other users.

All you have to do is select the data to protect, right-click it, and select Cloudify. Cloudifile performs the rest of the work for you:

1.  Encrypts the selected data locally.
2.  Automatically synchronizes the encrypted data with Dropbox.
3.  Puts a virtual decrypted copy of the data in its original location.
4.  Puts a virtual decrypted copy of the data on the virtual Cloudifile disk.

Learn more details at www.cloudifile.com!