Your questions answered by security specialists. Our expert this issue is cloud-storage expert Bill Carey of Siber Systems
Q: Why don’t many cloud-storage providers offer two-factor authentication?
A: There’s a constant battle between security and convenience. Greater security often means less convenience for the person using it, and most consumers typically go for convenience over security, so companies typically design products with that in mind. That’s why I believe most storage providers don’t enforce two-factor authentication (which requires two ways of proving who you are). Few users will stick around if they have to carry around a USB, or buy equipment just to access one service. However, storage companies should offer users the option to use multifactor authentication if they want to. That way, no one’s being strong-armed into a situation that’s too inconvenient or too insecure for his or her taste.
Q: Is there anything you shouldn’t upload to the cloud?
A: Users should take some responsibility for their data security. It’s especially wise to use strong, unique passwords for each of their sites, particularly those that store personal information. However, it’s not users that caused recent security breaches, but hackers who bypass the security measures companies have put into place, which isn’t something users can control. Bearing this in mind, I don’t think it’s currently a great idea to store very personal information in cloud-storage sites if you have other safekeeping options. Should your information be compromised at these data-storage companies, you can at least minimise the damage by choosing not to store very personal information with them.
Q: I’ve heard that cloud servers are based in the desert or in warehouses. Is this true, and how well protected are they?
A: While I don’t have firsthand knowledge of actual locations, I’d imagine that each of the major storage providers is hosted in secure facilities and has all the proper controls in place. However, the physical location of the servers shouldn’t be a major security concern, as that hasn’t been a factor in any recent high-profile security breaches.
DECODED | Security jargon explained
Crypto-ransomware
You might have heard of ransomware, which is malicious software that locks users out of their PC until they have paid money to the criminals running it. Crypto-ransomware is the latest form of this threat. It locks you out of files saved on your PC (photos, videos, music and so on) by encrypting them. In September, Sophos spotted crypto-ransomware that searches for specific types of file, encrypts them, and then renames them in an unreadable file. You’re then told to email the criminals so your files can be unlocked.
SECURITY ALERT!
Facebook video attack via Twitter
Beware of direct messages on Twitter that appear to come from a friend, saying you’ve been captured in a Facebook video. According to Sophos, clicking the link in the message brings up an alert urging you to install a YouTube update. If you do, it will infect your PC with a Trojan. If you fear you have been hacked, contact Twitter using this form: bit.ly/form302.
bit.ly/sophos302
YouTube hoax videos
Security experts at Bitdefender have spotted thousands of fake YouTube videos that claim to show how to hack software, hardware and games. Clicking links in these videos takes you to pages asking you to fill in surveys, or suggesting apps to download. You should ignore both requests, then email YouTube the details of the hoax video: security@youtube.com.
bit.ly/bd302
Gmail iPad prize scam
Watch out for emails claiming to be from Gmail, saying you’ve won an iPad in a “one-time promotional event”. Hoax-Slayer’s experts say that if you follow the email’s instructions by typing the URL ‘GmailReward.com’ into your browser, you’ll be taken to a page asking for your mobile number. If you give it, you’ll be subscribed to an expensive premium-rate line.
bit.ly/gmail302
Fake emails from Microsoft
If you receive an email from privacy@microsoft.com titled ‘Microsoft Windows Update’, don’t click the link it contains. It will take you to a fake Microsoft website that says your PC is at risk. You’ll be asked to sign in using Gmail, Yahoo Mail, Windows Live or AOL. If you do, your username and password will be used by criminals to access your personal accounts. Read Microsoft’s security pages for more phishing scams to avoid.
bit.ly/msoft302