Carbonite Can Decrypt Your Data

October 2, 2009 – 11:01 AM

Yes, your data is encrypted before it gets sent up to their servers for storage (via an SSL connection), but Carbonite keeps a copy of the decryption key on their servers in case they need to decrypt it for various reasons. It’s stated in their Privacy Policy so it’s not a huge secret, but I wanted to make sure that everybody knows that backing up your data with Carbonite is not as private as you may think. Here’s the section of the Privacy policy that reveals this:

Carbonite encrypts the files that we process before they leave your computer. Carbonite uses SSL or similar Transmission Encryption technology before sending your files to our data centers. Your encrypted backup files transmitted to our servers are stored in facilities with access restricted to authorized personnel only. Carbonite does not encrypt the file names or file type information.

By Using the Carbonite Product that permits you to download your backed up files to any computer that has a connection to the Internet you understand that Carbonite will be decrypting these files before they leave Carbonite’s servers and that once decrypted these files can be reviewed by anyone who may be able to access them.

Carbonite will not decrypt your files unless i) it reasonably believes that it must do so to troubleshoot problems with the Carbonite Products or Services or ii) it reasonably believes it must do so in order to comply with a law, subpoena, warrant, order, or a certification requirement, such as the requirements of 18 U.S.C. § 2703.

However, if you elect to Use Carbonite Products or Services that permit you to access Backup Data from an Internet enabled computer other than by using Carbonite Software on your registered computer, then your Backup Data will be decrypted by Carbonite in its data center and sent to you in a decrypted form via public infrastructure. Your election to use such products or services may make the contents of these files accessible to individuals or entities other than you and those you intend. By using such products and services, you knowingly accept this risk.

Carbonite might still be the best choice for some users for an easy backup solution, but just understand the risks. I never count out disgruntled, or just plain curious, employees that have full access to all of your files.

Mozilla Tests More Secure Firefox

October 1, 2009 – 5:06 PM

Mozilla on Wednesday posted preview builds of its Firefox browser with security enhancements designed to mitigate the risk of certain Web attacks.

In a blog post, Brandon Sterne, security program manager for Mozilla, asks security researchers and server administrators to help test the changes by downloading a build appropriate for their operating system.

The preview versions of Firefox implement a specification called Content Security Policy (CSP), which is designed to protect against cross site scripting (XSS) attacks.

CSP originally also addressed cross site request forgery (CSRF) attacks, but the anti-CSRF measures have been moved into a separate security specification called the Origin Header proposal.

XSS and CSRF attacks have been used for data theft, Web site defacement, and malware distribution. They’re typically made possible by Web application coding errors.
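As an added illustration of what CSP actually buys a site (this is example code, not part of the article or of Mozilla's implementation), the function below parses a policy header and reports the script-source settings that would still let an injected script run. It assumes the later standardised Content-Security-Policy directive syntax rather than the 2009 preview-build syntax, and the sample headers are constructed.

```python
# Evaluate whether a CSP header blocks injected (inline or attacker-hosted)
# scripts. Syntax assumed: standardised CSP directive lists, not the 2009
# Firefox preview syntax. Sample headers are constructed for illustration.

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def script_sources(policy: dict):
    """script-src governs scripts; default-src is the fallback if absent."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def csp_weaknesses(header: str) -> list:
    """Return the reasons this policy does not stop reflected XSS."""
    sources = script_sources(parse_csp(header))
    if sources is None:
        return ["no script-src or default-src: scripts unrestricted"]
    lowered = [s.lower() for s in sources]
    problems = []
    # Browsers ignore 'unsafe-inline' once a nonce or hash source is present,
    # so only flag it when it is really in effect.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
        for s in lowered)
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        problems.append("'unsafe-inline' lets injected <script> run")
    if "*" in lowered:
        problems.append("wildcard script source allows attacker-hosted scripts")
    if any(s.startswith("data:") for s in lowered):
        problems.append("data: scheme allows script injection via data: URLs")
    return problems


# Constructed sample headers: one that defeats the point of CSP, one that does not.
WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' *"
STRONG = "default-src 'none'; script-src 'self' https://static.example.net; img-src 'self'"
```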

Source:
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=220300750&cid=RSSfeed_IWK_All

Trend Micro RootkitBuster

October 1, 2009 – 4:00 PM

Most security software programs that are available these days provide protection against rootkits as well. There are, on the other hand, a few security programs that deal solely with rootkits. One of them is Trend Micro’s RootkitBuster, which has just been released in a new version that adds the ability to detect rootkits that hook the NT function “IofCompleteRequest”.

The portable software program is a rootkit scanner that scans for hidden files, registry entries, processes, drivers, and Master Boot Record (MBR) rootkits. The minimalistic interface makes program usage simple and straightforward. Users can either click directly on the scan button to perform a system scan for all forms of rootkits that can be detected by Trend Micro RootkitBuster or deselect some of the forms first before starting the scan.

Hidden objects will be displayed in the scan results in the program interface during the scan. It is possible to view the log file as well, which contains additional information that is not displayed in the program itself. The difficult part begins here. Users need to distinguish between harmless and dangerous files. Not every file that is listed in the program or log file is dangerous in nature. The best way to find out is to look at the suspicious file first and perform a search on the Internet afterwards.

Source:
http://www.ghacks.net/2009/10/01/trend-micro-rootkitbuster/

Or Download:
http://www.trendmicro.com/download/rbuster.asp

SSL trick certificate published

September 30, 2009 – 3:41 PM

On the Noisebridge hacker mailing list, security specialist Jacob Appelbaum has published an SSL certificate and pertinent private key that together allow web servers to avoid triggering an alert in vulnerable browsers – irrespective of the domain for which the certificate is submitted. Phishers, for example, could use the certificate to disguise their servers as legitimate banking servers – which would only be detectable by subjecting the certificate to closer scrutiny.

For his trick, Appelbaum modified the certificate according to the method demonstrated by Moxie Marlinspike at the Black Hat conference, entering a zero character (\0) in the name field (CN, Common Name).

Unlike Marlinspike, however, Appelbaum didn’t place the zero between a target domain name and Marlinspike’s thoughtcrime.org domain. Instead, he entered *\00thoughtcrime.noisebridge.net, effectively creating a wild card certificate for arbitrary domain names:

CN = *\00thoughtcrime.noisebridge.net
OU = Moxie Marlinspike Fan Club
O = Noisebridge
L = San Francisco
ST = California
C = US
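The added example below (not from the article, and not code from any of the people named in it) shows why the certificate above fools a vulnerable client and how a length-aware check catches it: a consumer that treats the Common Name as a C string stops at the first NUL and sees a bare "*", while a strict matcher rejects any name containing a NUL outright. The CN bytes are constructed from the value printed above; a real check would read the CN and subjectAltName entries from a parsed X.509 certificate.

```python
# Vulnerable versus hardened hostname matching against a certificate CN.
# PUBLISHED_CN is constructed from the CN shown in the article.
import fnmatch

PUBLISHED_CN = b"*\x00thoughtcrime.noisebridge.net"


def naive_match(cn: bytes, host: str) -> bool:
    """Vulnerable behaviour: a C-string consumer stops at the first NUL,
    so the name collapses to whatever precedes the zero byte."""
    truncated = cn.split(b"\x00", 1)[0].decode("ascii", "replace")
    return fnmatch.fnmatchcase(host.lower(), truncated.lower())


def strict_match(cn: bytes, host: str) -> bool:
    """Length-aware check: refuse embedded NULs and restrict wildcards
    to a single left-most label (no bare '*', no base-domain match)."""
    if b"\x00" in cn:
        return False  # no legitimate hostname contains a NUL byte
    name = cn.decode("ascii").lower()
    host = host.lower()
    if name.startswith("*."):
        return host.count(".") == name.count(".") and host.endswith(name[1:])
    return name == host


def certificate_warnings(cn: bytes) -> list:
    """Reasons a defender should refuse or closely inspect this certificate."""
    warnings = []
    if b"\x00" in cn:
        warnings.append("embedded NUL in CN: name truncation attack")
    if cn.split(b"\x00", 1)[0] in (b"*", b""):
        warnings.append("effective name is a bare wildcard: matches any host")
    return warnings
```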

Source:
http://www.h-online.com/security/SSL-trick-certificate-published–/news/114361

New Microsoft Antivirus Tool Arrives Today

September 29, 2009 – 10:18 AM

Microsoft Security Essentials, the company’s new anti-malware software, will be available Tuesday, according to Bob Muglia, the president of Microsoft’s server and tools division.

The release of the software, which was code-named Morro, has been rumored for days, but Muglia on Monday confirmed that the free software would be available for download Tuesday.

“The combination of Windows Firewall and Security Essentials provides you with pretty complete coverage,” Muglia says.

Security Essentials is a malware scanning engine and is targeted at consumers running Windows. It shares technology with Microsoft’s Forefront Client Security, an enterprise desktop tool that can be centrally managed. Essentials provides only detection and removal of malware and lacks central management capabilities, however.

Source:
http://www.pcworld.com/article/172787/microsoft_free_antivirus.html?tk=rss_news