Tuesday, September 2, 2014

It Could Happen to You

The recent, high-profile compromise of several celebrities’ iCloud personal photo archives (see Jennifer Lawrence naked photos spark fear of mass celebrity hacking) reminds us of the inherent vulnerability of all cloud storage. Popular media now asks whether Apple’s iCloud service is safe (see Is Apple's iCloud safe after leak of Jennifer Lawrence and other celebrities' nude photos), but the question should be even broader.

With massive consumer use of general file storage solutions like Dropbox, consumers should worry about compromise of these stores. The type of compromise that Jennifer Lawrence and other celebrities experienced could happen on any cloud storage provider — Dropbox, Box, Amazon Cloud Drive, Google Drive, Microsoft OneDrive, and, of course, iCloud.

As a first step, consumers must secure their access to cloud assets with strong, secure passwords which they change often. This minimizes the risk of an attacker directly accessing the consumer account using the consumer’s legitimate credentials, and ensures that an attack which compromises one account cannot spill over into other accounts.

However, mere password security is not enough as the celebrity iCloud compromise has shown. In this case, the compromise resulted from a flaw in Apple’s Find My iPhone feature, and did not require direct access to user credentials. In order to prevent this kind of compromise, consumers should use encryption to prevent access even when the attacker has possession of the data.

The tenets of cloud privacy protection argue for securing both the access to the data (credentials) and the data itself (encryption). This allows users to store and share data safely, securely, and without fear, in a world where they can’t trust anyone. Cloud data storage has revolutionized our ability to access data from anywhere, on any device, and it’s important not to let cyber criminals take that freedom from us.

Ohanae can help. Ohanae software, once installed on your mobile and computing devices, provides complete cloud privacy protection with three important features. First, passwords are managed, allowing every site to have a unique, complex password and facilitating password changes on a regular, short schedule. Second, data — both in transit to the cloud storage provider and at rest in their data centers — is encrypted. This encryption allows access only by you, on your registered devices! Finally, Ohanae provides secure file sharing. When you need to share data with others, all the protections of cloud privacy protection can move right along with the data. Ohanae does this all without storing any keys or passwords anywhere (locally or in the cloud) — ensuring that there is no single point of compromise which would reveal your data to prying eyes.

There’s nothing wrong with storing your sensitive data in the cloud — just make sure to use Cloud Privacy Protection to safeguard yourself!

Thursday, August 21, 2014

Ohanae Goes to College

The Whitehat Society, a special interest group dedicated to issues around cyber security at Singapore Management University, recently organized an Ohanae use case competition. Participation was fantastic, with numerous innovative entries submitted for the “Trust No One” essay competition. Lim Yi Shen and Lim Jun Yan claimed the top awards – each winning a Microsoft Surface 2, complete with a sleek keyboard and sleeve.


Meet the Winners

“I am a freelance designer and am working on various Kickstarter projects. Ohanae helps me in my work with its device-centric combined solution for both login and data protection that helps my team collaborate better. With Ohanae, I can conveniently keep using the wide range of cloud service providers, like Dropbox, Google Drive, OneDrive, and Box, without the fear of having my credentials, and hence data, compromised by malicious users. Ohanae also helps me protect my intellectual property rights against plagiarism by maintaining control of my files with information segregation done as simply as clicking to encrypt and decrypt.” – Lim Yi Sheng

“As a student, I use multiple devices like phone, laptop and tablet, and need to manage numerous accounts. Ohanae keeps my data out of reach from anybody but me, allowing me to fully utilize the convenience and flexibility of popular cloud service providers for personal and work-related storage. I realized Ohanae Cloud Privacy Protection’s simplicity and comprehensive coverage of local and cloud storage, on all major OSes, during my internship in a large scale company, as it struggled to protect its private corporate information. Indeed, in a world where you can trust no one, a thoughtful all-rounded defence by Ohanae is your best bet.” – Lim Jun Yan

Proactive BYOD

Throughout history, there are many examples of events that led to calamities. In hindsight, it’s often painfully obvious that they could have been predicted and prevented by proactive efforts. Bring-Your-Own-Device, often referred to by security officers as “bring your own disaster”, represents just such a sea change for enterprises. A new article in NetworkWorld discusses several surveys that show that BYOD is continuing unabated, and often, unapproved devices or apps are being actively hidden from hostile enterprise IT departments.

Organizational reaction to BYOD typically falls into one of three categories.

In some organizations, IT has mandated that there is no use of bring-your-own devices or apps. In a very small number — for instance, military or government intelligence agencies — the organization has the ability to completely control all incoming and outgoing network access and to prevent unauthorized devices from physically entering its facilities, and the mandate works. For the vast majority of companies with such a mandate, the controls are company policies, and enforcement depends on individual compliance. The TrackVia study finds that non-compliance with company guidelines is a significant problem, with almost 70% of younger workers admitting to it.

In other organizations, IT has recognized that mobile devices and apps are required to achieve peak employee performance, but has certified and approved only specific devices and tools. TrackVia’s study finds this hasn’t worked either, with 30 to 50% of employees in specific age groups reporting that they picked other devices or apps because the ones IT chose did not meet their needs.

CIOs in the last category understand that BYOD and BYOA use within their organization is inevitable, but struggle with the other harsh reality that by-and-large, employees just don’t care about security.

Clearly, employees drive organizations towards the third alternative, and organizational attempts to drive towards the first impact employee productivity and efficiency, and consume valuable IT funding and personnel resources.

Ohanae offers CIOs a better way to embrace the second and third choices. Ohanae’s Cloud Privacy Protection software suite allows enterprises to certify and support some third party applications and devices, or to be completely agnostic to apps and devices, against a secure backdrop. Ohanae software ensures that files are encrypted on devices and in the cloud, alleviating worries about data exposure on devices which are not certified, supported, or under management by an organization. Ohanae’s credential management system ensures that cloud based storage (and other cloud based apps) are accessed using secure, complex passwords that prevent account compromise and related data exposure. Ohanae’s secure file sharing allows users to collaboratively exchange data with industrial strength access mechanisms.

Ohanae Cloud Privacy Protection provides a safe environment for corporate data and credentials, and allows IT the time, freedom and safety to make the right choices for BYOD and BYOA that will keep IT users happy, productive and secure.

For more information, please see our videos: Cloud Compliance for Business and Cloud Compliance Policy.

Wednesday, August 6, 2014

Unique Passwords for Internet Accounts

With the widely publicized compromise of 1.2 billion user accounts from almost half a million different websites, one very popular question is what the average internet user can do to protect themselves.

The common recommendations are straightforward:
  • Use long, strong, and complex passwords
  • Use different passwords for every website
  • Change your passwords often, at least every six months
  • Avoid storing sensitive information (passwords, social security numbers, or other identity information) online

These are the same, proactive recommendations that have been made for several years in response to password and credential breaches. However, historically users have been lax. For instance, among users directly affected by a large password attack, one survey found more than 1/3 of those users did not change their password at all. In 2013, the passwords “123456”, “12345678”, “password”, “qwerty”, and “abc123” continued to be the five most common passwords, just as they were in 2012 (see 2013's report here), even after many large, significant, and well publicized password thefts.

The challenge for users continues to be that secure practices are difficult to do, impact their productivity, and make useful resources harder to access anytime, anywhere. Users continue to make the tradeoff towards speed, productivity, ease of use, and universality — even as the risks and costs dramatically increase.

Ohanae believes that total cloud privacy protection is the solution to this epidemic. Although traditional password management is part of cloud privacy protection, it is not enough alone. Cloud privacy protection must include security of the password manager itself, so that it does not become a single point of failure through which all passwords can be compromised. Cloud privacy protection must include authentication that goes beyond a simple password, preferably multi-factor authentication, to safeguard access to website credentials. Cloud privacy protection must safeguard data as well as credentials — enabling storage of sensitive, identity-related data without risk of trickle-down account compromises if that data is accessed without authorization.

The Ohanae suite for Cloud Privacy Protection implements a password management function called Ohanae 1-Tap. Ohanae 1-Tap does not store passwords anywhere (on your device, on Ohanae’s servers, or in the cloud). Passwords are generated dynamically only when they are used, from two authentication factors: the device and a passphrase.
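The store-nothing, two-factor generation described above, as an added illustration of the general technique; this is not Ohanae’s code and makes no claim about how its patent-pending implementation works. A device secret (constructed here; the “something you have”) and a passphrase (the “something you know”) are stretched into a master key, and each site’s password is recomputed from that key plus the site and account names whenever it is needed, with a rotation counter for scheduled changes. Nothing is written to disk. The names `master_key`, `site_password` and `DEVICE_SECRET` are the example’s own.

```python
import hashlib
import hmac
import string

# Constructed sample device secret ("something you have"). On a real device it
# is generated at enrolment, e.g. secrets.token_bytes(32), kept in the device
# keystore and never leaves the device.
DEVICE_SECRET = bytes.fromhex(
    "2f7c0d3a9e1b64f58c0a7d2e1b9f4c6d3e8a5b7c9d1e2f3a4b5c6d7e8f9a0b1c"
)

# 64-character alphabet: 6 bits per character, so masking a byte with 0x3F
# selects a character without modulo bias.
ALPHABET = string.ascii_letters + string.digits + "-_"
PBKDF2_ROUNDS = 100_000


def master_key(device_secret: bytes, passphrase: str) -> bytes:
    """Combine the two factors into a 256-bit key.

    The passphrase is stretched with PBKDF2, salted by the device secret, so an
    attacker who copies the device secret still has to guess the passphrase
    slowly, and one who learns the passphrase (phishing, shoulder surfing) gets
    nothing without the device. Neither factor is stored by this function.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), device_secret, PBKDF2_ROUNDS, dklen=32
    )


def has_all_classes(pw: str) -> bool:
    """Site complexity rules: lower, upper, digit and symbol must all appear."""
    return (
        any(c.islower() for c in pw)
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in "-_" for c in pw)
    )


def site_password(key: bytes, domain: str, username: str,
                  generation: int = 0, length: int = 20) -> str:
    """Derive the password for one account from the master key.

    The site and account names are bound into the derivation, so every site
    gets an unrelated password (a breach of one reveals nothing about another),
    and `generation` is a rotation counter: bumping it yields a fresh password
    for that site while the passphrase stays the same. The same inputs always
    recreate the same value, so nothing needs to be stored.
    """
    label = f"{domain.strip().lower()}\x00{username}\x00{generation}".encode("utf-8")
    attempt = 0
    while True:
        chars = []
        block_index = 0
        while len(chars) < length:
            block = hmac.new(
                key,
                label + attempt.to_bytes(4, "big") + block_index.to_bytes(4, "big"),
                hashlib.sha256,
            ).digest()
            chars.extend(ALPHABET[b & 0x3F] for b in block)
            block_index += 1
        pw = "".join(chars[:length])
        if has_all_classes(pw):
            return pw
        attempt += 1  # resample deterministically until the rules are met


if __name__ == "__main__":
    k = master_key(DEVICE_SECRET, "correct horse battery staple")
    print(site_password(k, "example.com", "alice"))
    print(site_password(k, "example.com", "alice", generation=1))  # rotated
```

The check a practitioner wants here is in the test of independence: the password for one domain tells you nothing about another, a wrong passphrase or a different device produces a different password, and rotating only the generation counter changes the password without touching the passphrase.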

Ohanae’s Cloud Privacy Protection encrypts files stored in cloud storage providers — at creation on your device, during transmission across the Internet, and once stored in the cloud storage provider. The data is protected by strong, multi-factor authentication to dynamically generate decryption keys only on use — industrial strength technology to keep sensitive information in your files from the prying eyes of cyber criminals.

Finally, Ohanae knows that users have the need to securely share data with other collaborators, and supports secure transmission and use.

With Ohanae, it’s easy to establish unique, strong, lengthy passwords for every website, change them as often as you’d like, and have those passwords available on every device you use — whether desktop, laptop, or mobile. You can feel secure storing sensitive files online, and sharing them with others. And, in the unlikely event of a compromise, you have the confidence that the breach is limited — to just a single website, or a single cloud storage provider.

We can defeat the cybercriminals of the world and make epic password theft a news story of the past, and complete Cloud Privacy Protection is the way to do it! To get started, download Ohanae from http://www.ohanae.com today!

Tuesday, July 29, 2014

Mobile, BYOD, and the Enterprise

The consumerization of the mobile and bring-your-own-device trends continues to gain exponential momentum in 2014. According to an infographic published this week in Information Week, 90% of employees use mobile phones at work, and 35% use personal tablets at work. Furthermore, employees use an average of 21 different apps at work. Although email remains the most used, document-centric apps, including file sharing, are now used by more than one in every five employees.

InfoWorld goes a step further in an article this week, calling on CIOs and business leaders to proactively embrace the two trends rather than just reacting to the inevitable employee uptake. InfoWorld cites potential benefits ranging from employee productivity to better communication and engagement with customers.

At Ohanae, we agree that comprehensive adoption of bring-your-own-device (and bring your own cloud services!) and mobile have significant advantages for the business. But, it’s important to adopt technologies that will protect the business against data loss, account compromise, and device theft or misuse.

Cloud Privacy Protection incorporates a suite of capabilities to allow BYOD, mobile, and user selected cloud-based file sync & share in a secure environment. Cloud Privacy Protection includes protection for data in transit to and at rest in the cloud file sync & share provider. It also includes secure file sharing between collaborators, regardless of the mechanism of sharing. Finally, it includes protection for user credentials — the credentials that provide access to raw storage of encrypted data.

With Ohanae’s suite of cloud privacy protection capabilities, enterprises can feel secure in embracing cloud storage, pervasive mobile use, and bring-your-own-device tablets and laptops.

Wednesday, July 23, 2014

Two Factor Authentication Strength

Recent articles have suggested that password strength in some situations is not important. For instance, a recent Network World article asserted that the weakest and most well known password “123456” could have a place in an overall password strategy.

Another area where weak passwords are sometimes advocated is in combination with a two factor authentication (2FA) scheme. Two factor authentication combines two different pieces of information in order to establish access for a user. Typically, the two pieces come from two of three categories: something the user knows, something the user has, and something the user is. In the most common, widely used schemes, the two factors are something the user knows (either a password or a PIN) and something the user has (a magnetic card, a secure token, or a specific device).

Adding a second factor certainly increases the security of a system. One could argue that you could decrease the first factor to offset that gain if the original system was secure enough. Taken to the extreme, if the second factor was stronger than the first, you could make the first trivially easy and still be better off. In that case, you would essentially be using a single factor system, just with the stronger factor.

These are the keys to determining how much relaxation of one factor you can accommodate by adding a second factor: how strong is the second factor, how resilient is the system, and how independent are the two factors? And how important is increasing the overall security of the system?

The classic two factor authentication system, a bank card and its associated PIN, works well. Both factors are strong. The card requires theft of a physical item to compromise it. The PIN (although only a 4-6 digit code) is usually strong because there is no automated way to attack it — it requires manually entering codes over and over at a banking machine. Furthermore, limits on the number of wrong entries in a time period prevent effective brute forcing of the PIN. Such systems are typically resilient because there are no attack modes beyond actual use of the card.

However, the card system can be compromised by poor choices. For instance, selecting a trivial PIN like 1234, 0000, or other easily determined information means that theft of the card is the only real attack required. Trivial PINs turn the two factor system into a one factor system, where possession of the card is the only barrier. Similarly, writing the PIN on the card, so that the two factors are no longer independent (by compromising the card, you gain the PIN), also negates the benefits of the two factor system.
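The attempt budget and trivial-PIN points above, as an added example that is not part of the original post and does not describe any particular bank’s system: `PinVerifier` refuses guessable PINs at enrolment and locks the card after three wrong entries within a 24-hour window (rejecting even the correct PIN until the window passes), and `brute_force_coverage` gives the fraction of the PIN space an attacker holding the card can exhaust under that policy. The weak-PIN list, the limits and the clock are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample of PINs too guessable to enrol; a real deployment would use
# a larger list built from observed PIN frequencies.
WEAK_PINS = {"0000", "1111", "1234", "4321", "1212", "2580", "0852", "2000", "1004"}


def is_trivial_pin(pin: str) -> bool:
    """Reject list members, repeated digits and straight runs such as 3456 / 7654."""
    if pin in WEAK_PINS or len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


class PinVerifier:
    """PIN check with lockout.

    After MAX_FAILURES wrong entries inside WINDOW seconds every entry, correct
    or not, is refused until the window has passed. The PIN space is tiny
    (10^4 to 10^6), so hashing alone cannot protect it; the attempt budget is
    what makes brute force impractical. `clock` is injectable so the lockout
    can be exercised without waiting a day.
    """
    MAX_FAILURES = 3
    WINDOW = 24 * 3600  # seconds

    def __init__(self, pin: str, clock=time.time):
        if not (pin.isdigit() and 4 <= len(pin) <= 6):
            raise ValueError("PIN must be 4-6 digits")
        if is_trivial_pin(pin):
            raise ValueError("trivial PIN rejected at enrolment")
        self._clock = clock
        self._salt = secrets.token_bytes(16)
        self._digest = self._hash(pin)
        self._failures = []  # timestamps of recent wrong entries

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), self._salt, 50_000)

    def locked(self) -> bool:
        now = self._clock()
        self._failures = [t for t in self._failures if now - t < self.WINDOW]
        return len(self._failures) >= self.MAX_FAILURES

    def verify(self, attempt: str) -> bool:
        if self.locked():
            return False  # budget exhausted: refuse without even checking
        if hmac.compare_digest(self._digest, self._hash(attempt)):
            self._failures.clear()
            return True
        self._failures.append(self._clock())
        return False


def brute_force_coverage(digits: int, max_failures: int,
                         window: float, horizon: float) -> float:
    """Fraction of the PIN space an attacker holding the card can try within
    `horizon` seconds: one batch of max_failures guesses per window, counting
    the batch at time zero."""
    batches = int(horizon // window) + 1
    return min(1.0, batches * max_failures / 10 ** digits)


if __name__ == "__main__":
    # With 3 tries per day, a month of guessing covers under 1% of a 4-digit space.
    print(brute_force_coverage(4, 3, 24 * 3600, 30 * 24 * 3600))
```

Two design points: the verifier checks the lockout before the hash comparison, so a locked card leaks no timing difference between right and wrong PINs, and `hmac.compare_digest` keeps the comparison itself constant-time.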

The final question is how important is increasing the overall security of the system. At Ohanae, we feel that passwords should always be strong, secure, and unique. If you need a password, then you want the best — whether it’s to secure less important websites, or as one piece of a multi-factor authentication scheme. Password compromise inevitably leads to information that can make secondary identity attacks easier and more successful. Your identity, accounts, and data integrity rest on preventing all attacks, and a weak password can be the proverbial weakest link that unravels the strongest chain of protection.

Ohanae’s cloud privacy protection solution gives users on all their devices the ability to quickly and easily use strong, secure, unique passwords on each website and application they use.

Monday, July 21, 2014

Password Manager Security

A recent CSO Online article summarized the findings of a UC Berkeley research team, which found that five browser-based password managers contained security flaws that could lead to the compromise of the login credentials they were protecting.

The research team’s work outlines an evaluation of password managers against their primary directive of ensuring that stored passwords are only accessed by the authorized user and the website that the password is for. Unfortunately, their evaluation found all five password managers contained flaws in their implementation.

In order to evaluate the password managers, the research team looked at five main attack vectors.
  1. The password manager must maintain the integrity of the master account and password, making it impossible for an attacker to impersonate a valid user and retrieve credentials.
  2. The password manager must securely store the list of credentials. The storage mechanism must ensure confidentiality, integrity, and availability of the database. In particular, attackers should not be able to learn, modify, or delete credentials.
  3. If the password manager provides sharing of credentials between users, then appropriate safeguards must be taken to maintain collaborator security.
  4. The password manager must not operate in a way which allows user fingerprinting to happen. This would allow multiple, coordinated attacker websites to deduce identity information based on information passed between the websites by the password manager.

At Ohanae, we believe that password security is a key piece of our overall cloud privacy protection offering. Below, we review some of the key vulnerabilities found and how they apply to Ohanae.

In the password managers surveyed, each provided a cloud based implementation that exposed the password store. In some implementations, the cloud-based password store was not encrypted, or data for the password store (usernames and passwords) were sent in the clear to the server in the cloud.

Ohanae does not store passwords in the cloud or on local devices. Other credential information (domain and username) is stored on the local device and passed through the cloud (for synchronization with other devices), but it is encrypted during transmission and while stored.

Passwords are generated on demand only on authorized devices by a user with the master passphrase. This provides two factor authentication on local devices, and ensures that there is no static store which can be attacked and decrypted.

Finally, the master passphrase is only used locally and never transmitted, even between devices of the same user — using Ohanae’s patent pending technology to ensure that sensitive passwords and passphrases are retained and used only on authorized end devices.

Many of the password managers surveyed used bookmarklet technology to allow web browsers on popular mobile computing platforms (iOS and Android) to directly retrieve credentials from their stores. Due to the untrusted execution environment of bookmarklets, they require special handling to ensure that only secure APIs are called.

Ohanae does not use bookmarklet technology. We use secure browser extensions where available (primarily on our PC and Mac implementations), and rely on user copy and paste for insecure environments (such as most mobile operating systems).

Furthermore, since we only provide username and password to login forms, we do not add any additional data to form submission which would allow any type of fingerprinting operation.

The researchers also mention the vulnerability of password managers to phishing attacks; in particular, attacker websites can open dialogs that ask for the password manager’s username and password. Since the Ohanae application does not run inside the browser, it is easy to differentiate an attacker prompt (in a web UI) from the valid client login prompt.

Finally, at the time of this writing, Ohanae software does not provide a mechanism for sharing passwords between users. However, this feature is part of our product vision and roadmap, and we’ll pay close attention to the UCB research team’s recommendations in this area.

Ohanae believes, as the research team states that “password managers provide tremendous security and usability benefits at minimal deployability costs”, and we appreciate the time and effort the research team has spent to analyze typical attack vectors and the current state of the password manager art.

Ohanae is committed to providing industrial strength security in all three parts of our complete cloud privacy protection offering: securing login credentials, securing data in motion and at rest in cloud storage providers, and securely and collaboratively sharing data.

Monday, June 9, 2014

Singapore IDA Recommends Complex, Secure Passwords

Last week’s news about unauthorized password resets in the SingPass system (see the story here) reinforced the main cautions around passwords. Jacqueline Poh, Managing Director of Singapore’s Infocomm Development Authority recommended that all individuals use strong complex passwords with a variety of characters, including letters and numbers. The IDA went on to recommend other security best practices, including clearing browser caches after use, and changing passwords on a regular basis.

Ohanae software helps protect passwords against compromise. Ohanae users may select long passwords with upper case letters, lower case letters, numbers, and special characters, which can be easily changed on a regular basis. Furthermore, Ohanae generates unique passwords for each site or application. Since Ohanae generates these passwords on use, they are never stored on any device, and users are spared the challenge of remembering many complex passwords. Finally, Ohanae implements browser cache and history clearing on laptop and desktop devices.

Ohanae’s Cloud Privacy Protection offering provides password security, but also provides secure encryption of files on device, in transit, and in the cloud as well as secure file sharing. This three-fold offering provides strong protection of both data and logins in the cloud, and is available now for Macintosh, Windows, Android and iOS.

Tuesday, June 3, 2014

Ohanae supports Reset The Net

On June 5, 2014, individuals and organizations around the world will rally to support Fight For Freedom’s “Reset the Net” initiative. This effort suggests that users adopt tools that provide end-to-end encryption as one mechanism to counter mass surveillance efforts by government agencies.

Government entities like the United States’ National Security Agency (NSA) cast a wide net in their surveillance efforts. As country and world citizens, we all benefit from the legitimate success of these agencies — when they counter criminal or terrorist elements that intend harm to us. However, it’s important to find the right tradeoff between privacy and protection — a challenging question that the framers of US Constitution wrestled with over 200 years ago when writing the Fourth Amendment. Fight for Freedom advocates end-to-end encryption as a mechanism to counter passive, widespread, un-targeted surveillance and preserve personal privacy, while allowing government agencies to continue the targeted surveillance of specific individuals or organizations that pose a threat to their citizens.

But, government agencies are not the only entities in the unprotected seas of the internet. Russian hacker Evgeniy Bogachev was identified Monday as the leader of a vast group of internet criminals that compromised hundreds of thousands of computers, leading to over $100 million in identified losses to date.

A recent United States federal lawsuit against a popular cloud and email provider asserted that email sent through the cloud provider’s servers had been scanned and indexed in order to provide targeted ads. Indeed, the privacy policies of all the major cloud providers usually contain language that allows the provider to “use” data uploaded to their services to generate derivative services.

The end-to-end encryption recommendations of Fight for Freedom’s Reset the Net are important because they help individuals and companies ensure that their data is ONLY used for approved purposes. They help us set a fair and reasonable bar for the tradeoff between privacy and legitimately beneficial services (in the case of government agencies and service providers). And they protect us, without compromise, against the dangerous, criminal elements that inhabit the Internet in abundance.

Ohanae is proud to support the Reset the Net initiative with Ohanae's cloud privacy protection software. Our software provides end-to-end encryption for data at rest locally, during transmission to cloud storage, and at rest in the cloud. It prevents unauthorized use by ANYONE except the owner at all points. Ohanae also provides secure file sharing for similar protection when you need to collaborate with others, and secure password management to protect against damaging account compromises.

Ohanae software is free for the first device, and available on iOS, Android, Windows, and Mac OS. Through referral bonuses, up to five complimentary years of premium service may be easily earned. Please navigate to http://www.ohanae.com to learn more about Ohanae and get started today!

Sunday, June 1, 2014

TrueCrypt - What Now?

TrueCrypt, a package that supported on-the-fly encryption of file data through encrypted virtual disks, partitions, and entire file systems, was discontinued by its anonymous development team on May 28, 2014.

TrueCrypt served a definite need in the marketplace, allowing sophisticated, security-minded users to encrypt data locally. By moving TrueCrypt containers onto cloud providers like Dropbox and Box, TrueCrypt’s protective capabilities could be extended to the cloud. Although the anonymous fashion in which it was developed prevented the standard certification that applies to most commercially developed software, a crowd-sourced effort to audit the software was in progress, and the encryption package had a public history of successfully withstanding attacks by sophisticated law enforcement agencies.

With its announcement, the TrueCrypt Foundation has suggested that equivalent filesystem encryption capabilities may be found natively in the operating systems for Windows (BitLocker) and MacOS (FileVault). However, these solutions do not fully replace the on-the-fly type encryption that TrueCrypt provided for users storing data off their local system, in the cloud.

For storage in the cloud, users can take advantage of Cloud Privacy Protection offerings. Ohanae Inc. is proud to offer previous TrueCrypt users an integrated solution for local storage and cloud based storage, with keys that are controlled (generated and used locally) by the end user. The Ohanae solution provides security for data at rest locally, in transit to cloud providers, and at rest in the cloud.

Migration from TrueCrypt to Ohanae is simple — with drag and drop or copy/paste functionality to move files from TrueCrypt containers into Ohanae Secure Drives. Ohanae pricing is attractive — with free use for single device users, and special referral bonuses to gain premium support for up to five years.

For further information, and to start securing your data locally and in the cloud with Ohanae, please refer to http://www.ohanae.com. For information on Ohanae’s referral program, please see http://www.ohanae.com/referral.

Wednesday, May 21, 2014

Password Compromises of Large User Repositories

Today’s breaking news of the theft of eBay’s password and customer database highlights the danger implicit in the favored target of cyber criminals: large corporate repositories with millions of consumer records.

The eBay compromise poses particular business problems for eBay. Some of the highest costs for businesses with data compromise and theft include loss of customer trust and remediation of possible, unauthorized transactions. With eBay’s quick and informative disclosures, and thorough transaction audit, these are challenges that primarily affect eBay.

However, for customers in a breached database, the effects can extend beyond these corporate problems. The customer information in the database is a gateway for criminals to additional data.

First, when passwords are contained in the compromised information, these passwords are often reused as credentials for other websites. A 2013 Ofcom study reported that 55% of users used a single password for the majority of web sites they accessed, only a slight improvement from 60% in 2011. When passwords are stolen, and combined with other identifying information in the same database (such as user IDs or email addresses), a breach of a single website like eBay can be extended to breaches of a much wider universe of websites for affected consumers.

Second, the compromise of passwords often leads to the critical problem that an attacker can appear to be an authorized user. This lets the attacker gain access to the resources protected by the password. In the case of eBay, this is a user’s auction activity, but it varies depending on the compromised website. For example, a similar breach to a file sync and share website would result in attackers gaining access to user data files stored in the cloud.

Cloud privacy protection requires protecting both login credentials and the data stored in the cloud. Securing login credentials with unique, strong passwords limits exposure to the single compromised website. Securing cloud based data adds a second level of protection, even when the login credentials are compromised, to prevent data loss.

Thursday, April 17, 2014

Heartbleed and Cloud Privacy Protection

Cloud Privacy Protection software is fundamentally about protecting your data and logins in the cloud. The recently disclosed Heartbleed SSL vulnerability affected hundreds of thousands of websites, allowing attackers to gain access to user passwords on those sites.

As web site providers have patched their servers, removing the Heartbleed vulnerability, affected users have been able to safely change their passwords. This prevents further use of a password if it was compromised.

How Cloud Privacy Protection Helps

Although Heartbleed was unique in its reach, bugs and vulnerabilities in authentication processes, worms, and viruses have a lengthy history. It’s reasonable to expect that further compromises will happen in the future. However, there are some steps that you can take to protect your private cloud data today.

A fully implemented Cloud Privacy Protection system shields against data loss, protects against widespread login loss, and eases remediation if an exposure does occur.

Protect the Data

First, data should be protected by keys and passwords that are distinct from user login credentials. This ensures that data at rest (stored in the cloud) and data in transit (while being sent to the cloud or to your local devices) cannot be accessed simply through compromise of your login credentials. By utilizing a zero knowledge system, file encryption keys are never transmitted to or stored on the cloud provider. This prevents file data from disclosure even if the cloud storage provider is fully compromised.
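The key separation and zero-knowledge properties described above, as an added example that is not Ohanae’s software and does not describe its internals: a master secret (constructed here) held only on the user’s devices is expanded into unrelated subkeys, one for the login credential sent to the provider and one per file; files are encrypted and authenticated on the device, and the provider receives only the login credential, the ciphertext, a nonce and a tag. Because the Python standard library has no AES, the cipher is an encrypt-then-MAC construction over an HMAC-SHA256 keystream standing in for AES-GCM; the function and label names are the example’s own.

```python
import hashlib
import hmac
import os

# Constructed sample master secret. In a real system it is generated on the
# user's device (e.g. os.urandom(32)) and exists only on enrolled devices.
MASTER_SECRET = bytes.fromhex(
    "9b3f1c6e2d8a4f7b5c0e1d2a3b4c5d6e7f8091a2b3c4d5e6f7a8b9c0d1e2f3a4"
)


def derive(master: bytes, label: bytes, length: int = 32) -> bytes:
    """HKDF-style labelled expansion: different labels give subkeys that reveal
    nothing about each other, so the login branch and the file branch are
    independent even though both come from one secret."""
    return hmac.new(master, label, hashlib.sha256).digest()[:length]


def login_credential(master: bytes) -> str:
    """The only secret the cloud provider ever sees: a login-branch value used
    as the account password. Leaking it (as Heartbleed could) exposes the
    account, not the file keys."""
    return derive(master, b"login:cloud-provider").hex()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block i = HMAC(key, nonce || i). Teaching stand-in
    # for AES-CTR; a nonce must never be reused with the same key.
    out = bytearray()
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def _file_keys(master: bytes, name: str):
    file_key = derive(master, b"file:" + name.encode("utf-8"))
    return derive(file_key, b"enc"), derive(file_key, b"mac")


def encrypt_file(master: bytes, name: str, plaintext: bytes) -> dict:
    """Encrypt-then-MAC on the device. The returned dict is exactly what gets
    uploaded; the file key is recomputed from the master secret when needed
    and is never part of the upload."""
    enc_key, mac_key = _file_keys(master, name)
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, name.encode("utf-8") + nonce + ciphertext,
                   hashlib.sha256).digest()
    return {"name": name, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def decrypt_file(master: bytes, blob: dict) -> bytes:
    """Check the tag before touching the ciphertext: a wrong key or a modified
    blob fails here instead of yielding garbage."""
    enc_key, mac_key = _file_keys(master, blob["name"])
    expected = hmac.new(mac_key, blob["name"].encode("utf-8") + blob["nonce"]
                        + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], stream))


def provider_view(master: bytes, blobs: list) -> dict:
    """Everything the cloud provider holds for this account. Nothing in it lets
    the provider, or anyone who breaches it, decrypt the files."""
    return {"login_password": login_credential(master), "files": blobs}


if __name__ == "__main__":
    blob = encrypt_file(MASTER_SECRET, "notes.txt", b"constructed file contents")
    print(provider_view(MASTER_SECRET, [blob]))
    print(decrypt_file(MASTER_SECRET, blob))
```

The check worth running is the Heartbleed scenario itself: take the login password out of the provider’s view, as an attacker who read it from server memory would, and try to use it as a decryption key. The tag check rejects it, exactly as it rejects a ciphertext the provider has altered.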

Limit the Exposure

Second, use individual passwords for each web site. This guarantees that a security compromise like Heartbleed, which allowed retrieval of user credentials on an affected website, is limited to only that website. If the same password is reused for multiple websites, then a successful breach of one can be turned into a breach of all.

Ease the Pain

Finally, using a Cloud Privacy Protection system, once the initial exposure has passed, reissue passwords – while keeping them strong and unique to each website. This ensures that potential future login breaches are prevented.

Ohanae Can Help

Ohanae’s flagship offering provides full cloud privacy protection in a zero knowledge, multi-factor local authentication system. Ohanae encrypts data files (for storage or sharing) using keys which are never transmitted to other servers. Additionally, Ohanae provides strong password management with unique passwords for each application and website. Access to these passwords is through Ohanae’s patent-pending, local, multi-factor authentication system.