Monday, October 24, 2016

Protecting your data at rest

Data In Transit – Data At Rest

I recently received this question from a user:

Especially given the new anti-privacy laws. Is there a way to encrypt your data to avoid it getting sold to the highest bidder? I already have everything on Google drive, for the most part. It makes it easy since I have so many computers where I do my work and I travel a lot, which increases the likelihood that I lose a laptop or tablet.

Here's my response:

First of all, congratulations on being aware of these issues.

Protecting data at rest is not a matter of one or two simple responses: 

On your computer you may have financial and medical records, password lists, personal emails, and a decade of browsing history. While legitimate internet communication shouldn’t expose static data, your disc drive is a prime target of malware. You have installed “set and forget” technical protection in the form of antimalware software and think you’re protected. Modern operating systems are largely hardened already, and user best practices are even more important. Once you click on a link, you’ve given whatever is attached to it permission to do whatever it might. Everyone who sits at the computer must develop the reflex to ask why they are opening an attachment or visiting a website, and what the risks are.

Now you can trust that your data are safe once you turn off the computer and lock the door to your office. But that computer is a laptop sitting on the seat next to you on the train or in the coffee shop. Maybe your data aren’t even on the computer but conveniently shared and available “in the cloud.” Either way, some stranger may be able to walk by and pick it up from you.  

How do you protect this?

The answer is that your files should be encrypted whenever they are not in use. Unlike your HTTPS communications, this encryption is something that you must take responsibility for. It’s a nuisance, but it means every time you open a project or share a document you must use a password and appropriate procedures.

Fortunately this need not require entering a unique password constantly. Probably most of the files you handle daily don’t really need to be strongly protected against snooping. Most pictures and emails, even if they’re not public, may not represent a significant privacy or financial risk.

For what does need to be protected, files can be encrypted either individually or in bulk. Modern office suites offer an option to password protect a document as you save it. Compression utilities (“zip”) also can encrypt the files as they’re stored. Their encryption methods are now solid, unlike the password option in Microsoft Office 2003 (.doc files rather than the current .docx format), which could be opened without difficulty if you used another brand of editor.

For larger quantities of files you can use an encryption system like VeraCrypt to create an encrypted virtual disc or even to encrypt your entire computer. If you choose the virtual disc option, it creates a single file that, when you open it, appears to the system like any other drive. When it’s closed, the contents appear as total gibberish to anyone without the key. The encrypted file can be stored or transmitted without fear of loss of your data. While it can be stored in a shared cloud, it must be synchronized manually as most systems won’t recognize when it has been changed.
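
The manual-synchronization caveat above, as an added example that is not part of the original post: VeraCrypt by default preserves a container's modification timestamp, and a container never changes size, so a sync tool that compares timestamp and size sees nothing to upload. This sketch instead compares a SHA-256 of the container with the value recorded at the last upload; the file names `vault.hc` and `vault.state.json` and all function names are hypothetical.

```python
import hashlib, json, os, tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash the container in chunks so a multi-gigabyte volume never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def record_upload(container, state_file):
    """Call after each manual upload: remember what the cloud copy looks like."""
    st = os.stat(container)
    state = {"sha256": sha256_file(container), "mtime_ns": st.st_mtime_ns, "size": st.st_size}
    Path(state_file).write_text(json.dumps(state))
    return state

def needs_upload(container, state_file):
    """Return (by_metadata, by_content): what a timestamp/size check sees vs. the truth."""
    state = json.loads(Path(state_file).read_text())
    st = os.stat(container)
    by_metadata = (st.st_mtime_ns, st.st_size) != (state["mtime_ns"], state["size"])
    by_content = sha256_file(container) != state["sha256"]
    return by_metadata, by_content

def demo():
    """Constructed stand-in for a container: a fixed-size file whose bytes change in place."""
    with tempfile.TemporaryDirectory() as d:
        vol, state = os.path.join(d, "vault.hc"), os.path.join(d, "vault.state.json")
        Path(vol).write_bytes(os.urandom(4096))
        record_upload(vol, state)
        before = needs_upload(vol, state)
        st = os.stat(vol)
        with open(vol, "r+b") as f:           # an edit inside the volume: size unchanged
            f.seek(1024)
            f.write(os.urandom(16))
        os.utime(vol, ns=(st.st_atime_ns, st.st_mtime_ns))  # timestamp preserved
        after = needs_upload(vol, state)
        return before, after

if __name__ == "__main__":
    print(demo())
```

Run `record_upload` right after copying the dismounted container to the cloud folder, and `needs_upload` before you leave a machine; the second element of its result is the one to trust.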

But you want universal access of your data in the cloud.
Again, weigh the nuisance factor of file or folder encryption against the value of its contents. Most “name-brand” cloud providers probably offer reasonable security by requiring a sign-in to your account. Hopefully they also encrypt your data while they are in transit. The bigger risk is when you give a collaborator access to modify a document that is synchronized back to your computer. In that case, you have given someone permission to put any file they want on your computer without your intervention. This could represent the ultimate phishing attack if you’re not alert to it.

What if someone doesn't have to break in to see your data?

If you synchronized individual files, the cloud provider has your data and all the metadata associated with them. Unless you've encrypted the individual files with a password, they also have access to that content. Maybe their terms of service promise they won't actually read the files, but how will they react if someone comes in claiming to be "with the government" and asks for your data? If their data center is in the same jurisdiction as you, they have to satisfy a subpoena, and they may respond to an unjustified request.

You can make your cloud storage secure from this loss by using the same practices you use for data on your own laptop. You would have to download and upload the files every time you use them to ensure the protection is always in force. Collaboration also would be problematic unless you were all working with the shared files in a homogeneous environment such as Microsoft Office365.

Hacked over Russian hackers?


Are you upset that Russian hackers – possibly operating under the influence of, or even directed by, their government – got into the Democratic Party’s email system?

I’m not.

I’m upset that anyone was able to get into the system as easily as they did.

Any high interest operation such as a major election is going to attract the attention of hackers trying to break in for any of a multitude of reasons. Just as Willie Sutton is going to rob banks, political adversaries or those seeking financial gain will take any advantage they can against their opponents.

It is the responsibility of the people with valuable information to protect it themselves. Once an organization reaches a certain size, level of notoriety or importance, or economic or political significance, it must take advantage of professional security experience. An individual who gets hacked may have some losses but won’t necessarily suffer serious economic or reputational disaster. A large business may be able to expend the resources to clean up after it has learned its lessons. But the entities in the middle, from a 10-person office to a national volunteer organization, could be damaged beyond recovery.

What should a high profile organization like a political party do?

If I were consulting them, the first thing I’d do is sequester the devices and accounts from everyone with a recognizable name. Then I would issue them devices that are known free of any malware and without the most attacked apps. These would route all online activity through the office via VPN where it is protected from interception and filtered. Similarly, their email and messaging will go through a single system with advanced safeguards and appropriate passwords. Finally, social networking will all be posted by public relations personnel. Although there can be accounts in the principals’ names and they may submit posts, these will be vetted and edited, if necessary.

Finally, everyone will attend a class in protecting themselves against attacks from phishing to ransomware and all the online lures. This is because a slip of the finger by anyone from the top dog to the intern – and even the IT staff – can open the entire organization to an attack.

Browsers churn disc drives

A researcher discovered that browsers might churn disc drives - to the extent of writing gigabytes of redundant data per day.

Steve Gibson, using Sysinternals tools, discovered that the Firefox web browser was rewriting a snapshot of its current contents to the default disc every 15 seconds. If you habitually leave your browser with many tabs open all the time, this could amount to a huge amount of data over the course of the day. Also, if you are leaving tabs open, it's writing the same data every time. (Gibson admits to keeping hundreds of tabs open.)

While writing unnecessary redundant data to the disc may have had a minor impact on overall computer performance a decade ago, this could seriously degrade the life of modern Solid State Drives.

All chip-based memory devices, from a $5 flash drive to the industrial-grade system storage in servers, can have information written to a given cell only a finite number of times before the reliability starts to deteriorate. Under normal use, the SSD that helps your laptop run cooler and have a longer battery life will probably outlive your desire for a faster computer or larger screen. But there is no need to put this extraordinary stress on the system and reduce its life by possibly as much as half.

SSDs are also appearing in higher-end consumer and business desktop computers or are being retrofitted by hobbyists. End-market devices marketed at a lower price point may be even more prone to early failure under this load. They might have a lower redundancy and not be able to survive as many write cycles as those sold for use in internet servers.

A similar issue of heavy disc usage also exists in Google's Chrome browser. Hopefully publicity will encourage the browser publishers to revise this procedure. Unfortunately, not being a security issue, it probably will not get a high priority for correction.

Gibson has determined a tweak to Firefox that allows the user to reduce the churn that is excerpted at Or listen to the podcast at (you can jump forward to about 1:05).

Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 3.0 US License. Permissions beyond the scope of this license may be available at