Storage forum: Cloud storage and sharing, is it secure?

thumb drives can be lost and or damage. You would be crazy to send it in the mail, even if you could "trace" it.
Better to encrypt it and put the data in the a Google drive.

Nope, not in my opinion....

Frances, I am sorry to hear about your mother. I went through this myself 2 years ago and it is never easy.

As far as your question about security. Unfortunately, nothing is really totally secure and it really comes down to a combination of probability, levels of security, the degree of inconvenience you find acceptable and whether or not the data is even worth protecting in the first place.

PROBABILITY - The question of probability is always interesting. What is the probability or likelihood that someone would want to target your data in the first place and how much effort will they be willing to put forth to get it? If you are celebrity like Lindsay Lohan, work for the CIA, the CEO of a major corporation or your computer holds the missile launch codes at NORAD, then I guess you might be considered a target worth pursuing and no level of security can be enough. But for most of us, we don't really have much that would be worth a concentrated effort to obtain our data. So that pretty much leaves you with protecting yourself against general virus, malware and phishing attacks that are trying to steal your identity and/or attempting to get your bank or credit card information or simply attempting to swindle you out of some money.

WHAT TO PROTECT - Individual users have different security needs than companies. Unlike a company, an individual typically has far less to protect and has the ability to determine what data is worth protecting and what is not. So for the most part, you will want to pay particular attention to critical data such as bank account information, username and password files and Social Security numbers and not worry too much about your photos and music files. I suppose you might not want that naked photo of yourself to get out but that is probably about it.
EMAIL IS NOT SECURE
I hate to burst your bubble, but using regular email to send sensitive, unprotected information back and forth between your family members is probably the least secure method of them all. And if any of your family members have AOL, Yahoo, Gmail or any other free email account, you can probably bet that someone already has some of your data. Every time you get a junk email that appears to be from someone you know , but isn't, typically indicates that their email account has been compromised and someone has access to not only their address book but all of the mail in their account. I receive 3 to 4 calls per week from users that have had their email accounts hacked. I you plan to continue using regular email, at the very least, I would suggest that you password protect your sensitive Word and Excel files before sending them as an attachment to an email. Microsoft Word and Excel have built-in password protection, that will encrypt your file so that it can only be opened by someone with the correct password. NOTE: Versions of Office Word and Excel prior to 2007 are not true encryption and are not secure. You could also use other forms of encryption such as TrueCrypt but why not use something you all already have.

There are many alternatives to choose from to accomplish your goal of sharing documents with your family and here are just a few:

Cloud Storage - Dropbox, Box.com,Synclicity, Google Drive, SkyDrive, SpiderOak, Cubby, iCloud and dozens of others. Personally, I find DropBox to be one of the easiest and most useful of them all even though it may not be the most secure.
Personal Cloud - You can setup your own personal Cloud storage that you can give access to all of your family members. This involves purchasing a small NAS (Network Attached Storage) Device and connecting it to your home router. You then copy all the files that you want to share with your family to this device, setup sharing, permissions, passwords and wola you have your own cloud. You can kill 2 birds with one stone and also use it to back up all your computers in the house and then just share a single folder over the internet with family members. NAS devices are available from Buffalo, Western Digital, Synology and many others for as little as $200. Here are just a few Examples:

http://www.buffalotech.com/products/network-storage/home-and-small-office-nas/linkstation-live-1

http://www.synology.com/products/product.php?product_name=DS112j&lang=us

http://www.wdc.com/en/products/network/networkstorage/

Secure Email - There are many secure email services out there that will encrypt your email before it is sent but this can be a bit of a pain to use. If you are using Outlook 2007 or newer to compose email then you can use the built-in encryption system to send encrypted emails. Only users with the encryption key setup on their system can read the messages.

USPS - You could always put all the information on a DVD, Flash Drive or Memory Card and send it around to all your family members via the US Mail. But you would want to encrypt the data just in case the mail gets lost.
Remote Desktop - Another option would be to give your family members remote access to your computer directly using Windows Remote Desktop or some other service such as LogMeIn or GoToMyPc and they could then gain access to the files they need. Not my favorite option... I am not sure I would want my brothers and sisters poking around my computer.

My Recommendation:

I have given you several options here but my personal recommendation (I am sure many of the paranoid users will probably disagree) would be as follows:

1. Setup a single, Free 2GB DropBox account (you can purchase more storage if you need it) with a good, strong password at www.dropbox.com.

2. Sort through the documents that need to be shared and password protect the ones that have sensitive data in them using Microsoft Word 2007 or newer. To do this:
a. Open each document with Word and then select SAVE AS
b. Select WORD DOCUMENT
c. Leave the file name the same and click on the word "Tools" near the bottom of the open window
d. Select GENERAL OPTIONS and Enter a password in the "Password to Open" box. If you don't want anyone to be able edit or change these documents, you could add a second password in the "Password to Modify" section.
e. Click on "OK" to save and close.
f. Now your document is encrypted and will require the password to open.
NOTE: If you don't have that many files then just go ahead and password protect all the files. If you have a huge number of files then just protect the ones that contain sensitive data.

3. Next, Copy all the files and folders that you want to share to the DropBox folder on your computer.
Give the account information and password to each of your family members (OVER THE TELEPHONE, NOT BY EMAIL) and have them setup a Dropbox account on each of their computers using the exact same account info and password. Also give them the password to open the documents.
You are now done. Any documents that you or any of your family members add to or edit in the DropBox folder will appear in everyone else's own DropBox folder on each and every computer that has DropBox installed on with this same account information. You can also access this data from any Internet connected computer by simply logging into DropBox.com as well as from smart phones and tablets. One other benefit is you can send others, such as accountants and lawyers links to these documents if they need them too.
NOTE: If you want to use DropBox for other personal usage or if you or some family members already have a DropBox account, you can also setup individual DropBox accounts on each family members computer using their own individual account information and then just share a single folder within your DropBox with the rest of the members.

Dana
Wayland Computer

As I mentioned above , I recommend using Password protection for sensitive documents which is a form of encryption in all version of office starting with 2007. Password protection in Office 97, 2000 and 2003 is NOT encryption and therefore not safe.

This is directly from Microsoft documentation:

"In the Encrypt Document dialog box, in the Password box, type a password, and then click OK.

You can type up to 255 characters. By default, this feature uses AES 128-bit advanced encryption. Encryption is a standard method used to help make your file more secure."
Therefore, if you encrypt the document or spreadsheet with office 2007 or newer before saving it to DropBox or any other cloud storage provider and use a GOOD password, I would consider this safe for most people.
My Personal opinion... Again nothing is 100% and this is far more secure than what he is currently doing which was simply sending unprotected documents within emails.
Dana

Much of what Dana said is factual and on-target. There are a few things though that seem a little out of alignment with the reality.

First off, the "Probability" factor. While it is extreemly unlikely that any individual person would be "targeted" as Dana indicated, what is left out is that hackers rarely, if ever, target individuals - they target environments. In today's world of rampant identiy theft, personal data misuse and even unintentional data leakage from companies, it is imporant for each person which uses a computer to have a very basic understanding of the digital age in which we live.

We hear all the time about various government agencies or institutions or even large corporations being hacked. Either by individuals, a losley held together group (such as Ananoymous) and now even governments getting into the act of hacking high-value targets. Even the US has been accused of doing this type of activity. So, while individuals are NOT targeted, the environments where there data is stored are.

This leaves it to, what can the hackers hope to gain? Plenty. Simple programs can scan huge amounts of data looking for potentially benificial information (SSN, CCRD, Bank Balances, etc.) Even if the data does not pan out to be a bank balance, there may be bank routing numbers and bank account numbers embedded in the content, and since major institutions are listed along with routing numbers (needed to transfer funds from one bank to another), finding such a number embedded in the data allows a not-so-savey programmer to peg and pull surrounding information for a "closer" look. This after never looking directly at an individuals information. Why should they? There are millions of pieces of information in the file they've stolen.

My job is data security through the analysis of human behavior. Not the technical stuff. Yet, I find that most individuals are blase about protecting their own information. The simple statement of "Hey, I'm one of millions. What are the odds of me geting hit by a hacker?" This is the real thought that needs to be considered. Keep in mind though, that while you may only have $100 to your name, along with a million others, $100 times a million adds up quickly. With the programs, very simple ones I might add, are prolific in the digital world where we live, they are effective - once the information is obtained.

Email Security - As Dana indicated, email simply is NOT secure. There is so much information that can be gleaned from a simple email that it boggles the mind. How many little old ladies think to send their friend who lives across the country a reciepe for chicken soup, only to start receiving porn spam a couple of months later. Where do you think they get this information? She never even went to such a web site, never even thought that kind of stuff was out there.

It is not all doom-n-gloom though. For those that really want to protect their conversations and still share their information, in particullarly the type of situation this family has mentioned, there are a number of ways. As Dana indicated, it all depends on what level of inconvenienc you're willing to put up with. Some options offer good security while minimizing the "inconvenience"; while still others take the opposit side of the road (weak security with a facade of high inconvience covering up the week security).

In today's busy world, and depending on your pocket book, there are some fairly low cost; low inconvenience approaches. One of the best I've seen for safeguarding the sharing of information are what is called VPN tunneling. Several products on the market allow one computer to be setup as the storehouse, and others to access that computer through VPN (or Virtual Private Networking). It doesn't rely on sources outside of your own computers, while allowing you to share information in a fairly simple way. Everything from documents saved (scanned?) as .PDFs to Excel files containing a list of financial transactions, to Quicken books files that are used to track expenses and revenue.

Usually a VPN is a simple installation which establishes the primary (or other systems) with an encrypted link (up to 256bit AES is most common) to different computers that only yourself and those you designate can access. As to email, this is a bit more expensive, yet doable...

Many services offer the ability to send a document for temporary storage, and for those you want to access the document, automatically sends a notice that the information is now available. In the notice is a link to a secured connection where the information may be downloaded. Yes, this service usually has a fee, but since the data is temporary (if anything is now a-days) it offeres a way to provide confidential information for a term needed by what ever requires the this level of security.

The bottom line - each person must take responsibility for their own information. They must make the decision based on what they have to lose, how it could affect them, and what level their busy lives will be impacted by their decision to protect their own information.

The CLOUD is NOT SECURE. If you can access it, so can others. Forget about security. EVERYTHING can be hacked. Never put financial info online for others to access it. NEVER, NEVER, NEVER. You'll forget about the convenience long before you'll forget about a robbed bank account or 401K. And this doesn't even include the makers of the software in your computer, or on-line programs. What do I mean?

Try this test. Open WORD. Count how long it takes to open. Now close it. Disable your internet connections, both wirelessly and hard line. Now open up Word again. Count how long it takes. Now close it. Count how long it takes. Why does it take so long? Read a programs safety and security policies. Read real well. The only way to fully secure your data is NEVER be online. Everything else is a risk. Some risks are worth it, like secure online banking. Others are not. To me, CLOUD storage is not. What happens IF? If your ISP is down and..... If the internet is under a viral attack and.....

Still not convinced. A friend of mine is one of the leading developers and pioneers of cloud computing and storage. Yet she tells me, it has many issues that have yet to be addressed. I store everything on removable hard drives. Most people don't need more than one or two 1GB drives. I have more than a dozen. They swap in and out like a USB drive.

I just wanted to thank all of those who signed-up for nCrypted Cloud. This was my first CNet discussion post. I was genuinely just trying to help Frances and relate my personal experience and story. This is a very long discussion thread with many different opinions regarding cloud storage, so I was not sure anyone would even read my post. I have been completely humbled and blown away by the response.

Thank you,
Nick

Special thanks to JLowy and his dad.

You bring up an excellent point we did already consider.

When you install nCrypted Cloud on top of Dropbox (our first supported provider, more coming), we enable end users to configure folder based privacy policies. When you set a folder to Make Private or Share Securely, that tell us to first go through that directory and all existing sub-directories and encrypt the existing data. It also tells is to from now on, encrypt all future data destined for the folder (ie drag and drop, cut/copy/paste through explorer or finder, Save or Save As though apps etc) and to your point never have non encrypted in that folder, so to your point, unencrypted data never syncs to the cloud going forward. Now this is for existing data before we got installed. Once we are install, simply create a empty folder, set the policy of choice, and everything you put in will start in the encrypted state with no exposure.

Now for data that was already in the cloud before a user configured their privacy folder, our best practices suggestion is that they at least attempt to manually purge the revision history. But even if they don't, the free version of Dropbox will purge version history in 30 days automatically.

So thank you for your feedback. This is a real differentiator between our solution and others. Honestly most users never consider this important and critical subtlety you point out, and it took much effort for us to implement our solution so it's seamless, while making sure we do not expose you data unencrypted.

but I do have to wonder. You register on the same day as the above person who represent ncryptedcloud, you go on to plug ncryptedcloud with a post directly below him... hmmm you know I have raise an eyebrow, surely you just didn't happen to find this discussion thread in this small Internet world....

I'm all for everyone in this community to help one another out in a time of need, but if the intent is for you to advertise or shameless shill the product ncryptedcloud then I really don't appreciate it! One other reason I have my suspicious about your post is in the way you carefully type out the company's name being consciously aware of using lower and uppercase letters for ecryptedcloud. Most of the time, when people post and mention a company they could careless about how a brand is spelled out, but in your case, most reps or staff know how much it means from business perspective on how their brand is typed up in public. Maybe I'm wrong, but I always type 'CNET' with capitals because it is our brand and that the way everyone who works here types it in a public space or email.

If I have mistaken about your post and I truly hope I have, then I apologize.

I'm just looking out for our members to make sure that they are getting advise from a genuine customer/user, rather then a representative who just trying make their product look good with a biased claim.

So I hope you understand where I'm coming from.

Respectfully,
-Lee
CNET Community

nCryptCloud apparently changes the file extension to n".zip" when it encrypts a file, and the application usurps the zip extension for iits own use, over-riding Winzip and PKzip.
I got this information from the company's support pages, which I read before trying it.
That is a *remarkably* stupid and lazy piece of programming if it is indeed true. Tens of millions of computers worldwide are set up to see "*,zip" files as compressed archives used by Winzip and PKzip. Any other program using that extension is unbelievably daft. It's like insisting on renaming your output files "*.bmp" or "*.jpg" or even "*.doc".
Any company producing software with that massive a flaw in it is not one I would trust. Ever. Even if the flaw was caused merely by lack of forethought and was fixed as soon as someone pointed out how nuts it was.
I wold like to ask the programmer(s) : Why didn't you just use the extension "*.NCC" or something equally obscure?

Of course, if the support page is wrong, I most heartily apologise for everything I've said and I hope someone from the company will reply to the question on it.
https://ncryptedcloud.zendesk.com/entries/23169508-How-Can-I-Continue-Using-WinZip-
or find it through https://ncryptedcloud.zendesk.com/home
H.

And my apologies if I was disrespectful.I am sure your kind and thoughtful reply will re-assure many people.
H.

Sorry to hear about your Mom.

My situation: I am helping my Folks "Age in Place". I am the Executor and working as their Power of Attorney. We have a regular Attorney and an Elder Law Attorney. [and the rest of the Professionals, like a Certified Geriatric Care Manager to name one]. Mom is in late stages of Alzheimer's. She has fallen and been in Skilled Nursing from that and later due to a serious infection. Dad had a Stroke 15 months ago and has some minimal memory and congnitive issues. But both are living at home. I only have one sibling to deal with.

I deal with all aspects financial, making appointments, social calendar, driving, cleaning, cooking and more. I am male.

Years ago they had all of their Documents in place for these eventualities. Over the years they were updated as needed. I have all the Hard Copies and the POA's are in multiples. Any copy made is dated and noted as a copy. Original Hard Copies are in a Safe Deposit Box as well as with the Attorney/s. Some folks want to see the original and then make their copy.

We also have updated POLST/s on the Fridge.

All communication with Professionals is via e-mail, in person and phone. Notes are put in a physical files. E-mails are in folders.

Since I am right in the middle of this venture, I personally would not trust the "Cloud", w/o obtaining Professional advice from an Elder Law Attorney and CPA.

Obtained a great deal of information form this book I read a few years back: "The Alzheimer's advisor: a caregiver's guide to dealing with the tough legal and practical issues" by James, Vaughn E. AMACOM - American Management Association, c2009.

But that is my opinion and $.02.

Good Luck!

Why worry with cloud storage at all? Keep an encrypted copy of the data on a memory s stick or your phone (remember, encrypted and locked) and don't put anything in the cloud. This will aso give you multiple copies of important data.

As one of the posters below, the key to determining what to do is:

1. Evaluate the data

If the data has social security numbers, names, addresses, bank account information, ANYONE with this can get in and drain your account. So, imagine that someone steals the information. Ask yourself what could happen.

2. Google Docs and Dropbox have both been hacked (passwords compromised and information accessed/stolen) in the past.

3. What about employees? Can they see your data? What if the employee is in some poor, third-world country?

4. What does the cloud company say about your data and what they can do with it?

In the case of the terms of service, many public cloud (including those mentioned) at one point in time said they "own" your data. Not really legal (copyright) so now they do NOT own anything but YOU have to give them a right to do anything they want with your data (read TOS). They also say they scan all data coming in. Just because they encrypt your data doesn't mean they can't decrypt it and give it to advertisers or even publically display it.

So, while hacking is an excellent point, the cloud provider can do whatever they wish without resorting to that.

Frances - I am very sorry to hear of your situation. You are not alone... Those of us that have to deal with this type of situation understand and pray for you...

Most of what Dana said is factual and on-target. There are a few things though that seem a little out of alignment with the reality.

First off, the "Probability" factor. While it is extremely unlikely that any individual person would be "targeted" as Dana indicated, what is left out is that hackers rarely, if ever, target individuals - they target environments. In today's world of rampant identity theft, personal data misuse and even unintentional data leakage from companies, it is important for each person which uses a computer to have a very basic understanding of the digital age in which we live.

We hear all the time about various government agencies or institutions or even large corporations being hacked. Either by individuals, a loosely held together group (such as Anonymous) and now even governments getting into the act of hacking high-value targets. Even the US has been accused of doing this type of activity. So, while individuals are NOT targeted, the environments where there data is stored are.

This leaves it to, what can the hackers hope to gain? Plenty. Simple programs can scan huge amounts of data looking for potentially beneficial information (SSN, CCRD, Bank Balances, etc.) Even if the data does not pan out to be a bank balance, there may be bank routing numbers and bank account numbers embedded in the content, and since major institutions are listed along with routing numbers (needed to transfer funds from one bank to another), finding such a number embedded in the data allows a not-so-savvy programmer to peg and pull surrounding information for a "closer" look. This after never looking directly at an individual's information. Why should they? There are millions of pieces of information in the file they've stolen.

My job is data security through the analysis of human behavior. Not the technical stuff. Yet, I find that most individuals are blase about protecting their own information. The simple statement of "Hey, I'm one of millions. What are the odds of me getting hit by a hacker?" This is the real thought that needs to be considered. Keep in mind though, that while you may only have $100 to your name, along with a million others, $100 times a million adds up quickly. With the programs, very simple ones I might add, are prolific in the digital world where we live, they are effective - once the information is obtained.

Email Security - As Dana indicated, email simply is NOT secure. There is so much information that can be gleaned from a simple email that it boggles the mind. How many little old ladies think to send their friend who lives across the country a recipe for chicken soup, only to start receiving porn spam a couple of months later. Where do you think they get this information? She never even went to such a web site, never even thought that kind of stuff was out there.

It is not all doom-n-gloom though. For those that really want to protect their conversations and still share their information, in particularly the type of situation this family has mentioned, there are a number of ways. As Dana indicated, it all depends on what level of inconvenience you're willing to put up with. Some options offer good security while minimizing the "inconvenience"; while still others take the opposite side of the road (weak security with a facade of high inconvenience covering up the week security).

In today's busy world, and depending on your pocket book, there are some fairly low cost; low inconvenience approaches. One of the best I've seen for safeguarding the sharing of information are what is called VPN tunneling. Several products on the market allow one computer to be setup as the storehouse, and others to access that computer through VPN (or Virtual Private Networking). It doesn't rely on sources outside of your own computers, while allowing you to share information in a fairly simple way. Everything from documents saved (scanned?) as .PDFs to Excel files containing a list of financial transactions, to Quicken books files that are used to track expenses and revenue.

Usually a VPN is a simple installation which establishes the primary (or other systems) with an encrypted link (up to 256bit AES is most common) to different computers that only yourself and those you designate can access. As to email, this is a bit more expensive, yet doable...

Many services offer the ability to send a document for temporary storage, and for those you want to access the document, automatically sends a notice that the information is now available. In the notice is a link to a secured connection where the information may be downloaded. Yes, this service usually has a fee, but since the data is temporary (if anything is now a-days) it offers a way to provide confidential information for a term needed by whatever requires this level of security.

The bottom line - each person must take responsibility for their own information. They must make the decision based on what they have to lose, how it could affect them, and what level their busy lives will be impacted by their decision to protect their own information.

My recommendation; if the information you place in the "cloud" will not lead to your information being obtained that could potentially harm you or ruin you financially - go for it. For all other information that you hold sacred, hang on to it and NEVER put it in a "cloud". Remember, that data has to be stored somewhere; not floating around outside of this physical plane of existence; and the more a company houses, the greater the threat to the data stored there...not just a single individuals - but millions...