


   ISSUE 21

 23 April  2013

Article of the Month   Around the World

How to secure your personal data in the cloud?

    Chances are that a majority of the people reading this article use some type of free cloud storage, whether it is Google Drive, Dropbox, SugarSync (my favourites of course!) or any other service. Such cloud storage offerings are especially beneficial for research students like me: we can store research data there and work on it from our research centres, from home or while we attend a conference in some faraway land. Free cloud storage offerings can be a lifesaver at a time when research funds are dwindling due to the grim global economic outlook. However, all users of these cloud storage services must consider one important problem: the confidentiality of the files we upload. Almost all cloud storage services provide some confidentiality guarantees for user data, both during transmission and in storage. For example, if you read the privacy policies of Dropbox and SugarSync, they claim to encrypt all data in storage while using SSL to secure all data during transfer. Despite these assurances, security breaches are not uncommon among cloud storage providers, as is evident from the Dropbox security compromise last year.


Therefore, an extra layer of security will always be handy, and that's why we should pre-encrypt all confidential information before uploading it to the cloud. Besides, there are plenty of free tools that can be used for file encryption, and finding them is just a matter of Googling the term. Out of the tools I've tried so far, the one that got my nod is TrueCrypt. It has been extensively reviewed through security research and practical applications. If you are a bit paranoid about using the binaries, they also provide a source code version. Installing and using TrueCrypt is a piece of cake; it could be done by a little kid. Usually this involves installing the program, creating an encrypted disk volume and saving your files in the volume you created. There is also a good beginner's tutorial on their website to get you started.

Nevertheless, there are a few things you must be careful of when using TrueCrypt to secure files in cloud storage. First of all, you must decide where to place your data for encryption. This seems trivial, but if you place your cloud synchronisation folder (e.g., your Dropbox folder) inside an encrypted container, the synchronisation folder will be encrypted on your computer but the files in the folder will be uploaded to the cloud unencrypted. Since we certainly do not want this to happen, it is important to create the encrypted containers within your cloud synchronisation folder so that these encrypted containers get uploaded to the cloud storage. Second, you must decide on the encryption and hashing algorithms to use. The choice will depend on how sensitive your data is: if the confidentiality of your data is a matter of life and death then select the strongest algorithms available, but you trade off speed and computing resources for better security. TrueCrypt also provides some details on the algorithms so that you can make an informed decision. Third, you must select a secure passphrase which is long enough and uses a combination of alphanumeric and special characters. For additional protection you may also use a keyfile. A strong passphrase is of paramount importance, since strong passphrases have proved very difficult to break while weak ones offer little security. If you are unconvinced, just read this article on how the FBI failed to crack the strong passphrase of a TrueCrypt container.
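One way to check the first point above is to audit what actually sits in the synchronisation folder. This is an added example, not part of the original article: it relies on the fact that an encrypted container is indistinguishable from random data, so any file whose byte entropy falls well below 8 bits per byte is leaving the machine readable. The file names, the threshold and the sample size are assumptions.

```python
import math
import os
import tempfile
from collections import Counter

SAMPLE_BYTES = 64 * 1024   # assumption: the first 64 KiB is representative
MIN_ENTROPY = 7.9          # assumption: random data scores close to 8.0 bits/byte

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def audit_sync_folder(sync_root: str) -> dict:
    """Map every file under sync_root to 'looks-encrypted' or 'PLAINTEXT?'."""
    report = {}
    for folder, _dirs, files in os.walk(sync_root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                sample = fh.read(SAMPLE_BYTES)
            high = shannon_entropy(sample) >= MIN_ENTROPY
            report[os.path.relpath(path, sync_root)] = (
                "looks-encrypted" if high else "PLAINTEXT?")
    return report

def demo() -> dict:
    """Audit a constructed sync folder: one random 'container', one readable note."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "research.tc"), "wb") as fh:
            fh.write(os.urandom(256 * 1024))   # stands in for a real container
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("participant interview transcript\n" * 500)
        return audit_sync_folder(root)

if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:16} {path}")
```

High entropy is necessary but not sufficient: compressed archives and media files also score high, and very small files score low even when encrypted, so treat the output as a list of files to inspect.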

There is another practical consideration before using encrypted volumes with cloud storage. If your encrypted volume is very large it will take ages for it to synchronise with the cloud. Every time you make the slightest change to a single file in the encrypted container, the whole container has to be uploaded, since your cloud synchronisation program only sees the container as a single file. If you are lucky enough to have a super fast DSL connection with an unlimited data volume you may use a larger encrypted container. On the other hand, if your ISP provides you with a small, capped data volume and your connection allows you to have a lunch break while it uploads a 50 MB file, you need to spread your data into several encrypted containers of smaller size. (After all, a person would hold only a limited amount of highly confidential information unless they are doing something illegal or working for a spy agency!) As a final note, I don't intend this article to sound like a sales pitch for TrueCrypt. In fact, you can use any file encryption utility to secure your data if you are confident of the security it provides.
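The sizing trade-off described above can be worked out before any container is created. This added example (not part of the original article) derives the largest container that re-uploads in full within a time budget, then groups folders into containers of at most that size with first-fit-decreasing packing. The link speed, time budget and folder sizes are constructed, and file system overhead inside a container is ignored.

```python
# Constructed sample data: folder name -> size in MB.
SAMPLE_FOLDERS_MB = {"interviews": 40, "survey-raw": 30, "ethics-forms": 25,
                     "drafts": 15, "keys": 2}

def max_container_mb(upload_kbit_s: float, max_sync_minutes: float) -> float:
    """Largest container (MB) that re-uploads in full within the time budget."""
    mb_per_second = upload_kbit_s / 8 / 1000       # kbit/s -> MB/s, decimal units
    return mb_per_second * max_sync_minutes * 60

def plan_containers(folders_mb: dict, cap_mb: float) -> list:
    """First-fit-decreasing packing of folders into containers of at most cap_mb."""
    containers = []                                # each: {"used": MB, "folders": [...]}
    for name, size in sorted(folders_mb.items(), key=lambda kv: -kv[1]):
        if size > cap_mb:
            # A single folder larger than the cap can never meet the time budget.
            raise ValueError(f"{name} ({size} MB) exceeds the {cap_mb:.0f} MB cap")
        for c in containers:
            if c["used"] + size <= cap_mb:
                c["used"] += size
                c["folders"].append(name)
                break
        else:
            containers.append({"used": size, "folders": [name]})
    return containers

if __name__ == "__main__":
    cap = max_container_mb(upload_kbit_s=512, max_sync_minutes=15)
    print(f"container cap: {cap:.1f} MB")
    for i, c in enumerate(plan_containers(SAMPLE_FOLDERS_MB, cap), start=1):
        print(f"container {i}: {c['used']} MB  {', '.join(c['folders'])}")
```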

Hasala Peiris
PhD Research Student
Curtin University, Perth, Australia


















  Fool Me Once?

'....When you're lurking in the computer crime underground, it pays to watch your back and to keep your BS meter set to "maximum." But when you've gained access to an elite black market section of a closely guarded crime forum to which very few have access, it's easy to let your guard down......'

Phoenix Exploit Kit Author Arrested In Russia?

'....The creator of a popular crimeware package known as the Phoenix Exploit Kit was arrested in his native Russia for distributing malicious software and for illegally possessing multiple firearms, according to underground forum posts from the malware author himself......'

Banks Hit Downtime Milestone In DDoS Attacks

'....In recent weeks, U.S. banks and financial services institutions have seen their website downtime double, compared to just one year ago. That finding, first reported by NBC News, comes via Keynote Systems, which maintains dummy accounts with the country's top 15 banks, which it uses to monitor site uptime and availability to customers by attempting to log into its accounts every five minutes......'

Egyptian navy captures divers trying to cut undersea internet cables

'....A spokesman for the Egyptian military has reported that three scuba divers have been arrested in the Mediterranean as they tried to cut a submarine data cable owned by local telco Telecom Egypt......'

Six U.S. Air Force cyber capabilities designated "weapons"

'....The U.S. Air Force has designated six cyber tools as weapons, which should help the programs compete for increasingly scarce dollars in the Pentagon budget, an Air Force official said on Monday......'

Month in Brief

Facebook Incidents Reported to Sri Lanka CERT|CC in March 2013

[Chart not reproduced; surviving label: Fake + Harassment]

Statistics - Sri Lanka CERT|CC

Inbound Threats to Sri Lanka during March 2013


Android AirDroid Flaw Can Lead to XSS, DoS Attacks

'....A cross-site scripting (XSS) vulnerability exists in the browser version of AirDroid, a cloud management application for Google's Android phones. According to an alert from the US-Computer Emergency Readiness Team (US-CERT), at the current time, there is no patch planned and there is no logical workaround......'

ICS-CERT warns on utility web page info

'....Critical infrastructure providers should be careful about posting industry event and business contact information on their Web pages because that data has been used to customize "spear fishing" attacks aimed at the larger critical infrastructure community, said the U.S. critical infrastructure Cyber emergency team......'


Notice Board
  Training and Awareness Programmes - April-May 2013
Date | Event | Venue
- 18th-19th April | Content Development for Learning Management System "e-Thaksalawa" | ICT Laboratory, ICT Branch, Ministry of Education.
- 3rd-4th May | Training on Web Development for newly recruited ICT graduate teachers under development of 1000 Secondary Schools Project | ICT Center, University of Kelaniya.
- 6th-10th May | Tamil Medium educational content development for Learning Management system "e-Thaksalawa" | Education Leadership Development center, Meepe.
