Wednesday, April 9, 2014

TeamDrive and the Heartbleed OpenSSL bug - Is my Data Secure?

In case you have not heard about it yet, a rather nasty security vulnerability in the Open Source cryptographic library OpenSSL has been discovered. Dubbed "Heartbleed", it can result in unwanted information disclosure on both ends of a communication channel that is encrypted with SSL/TLS (for more details, check the dedicated web site about this issue at http://heartbleed.com/).

How does this affect TeamDrive and your data?

The TeamDrive Client uses cryptographic functions provided by OpenSSL to perform local AES-256 encryption of your data before it is transmitted to a TeamDrive Server. Because the data has already been encrypted locally, the TeamDrive Client-Server communication does not establish an additional secure communication channel via SSL/TLS - this reduces the overhead and makes it easier to propagate data through proxy servers. Therefore we're not affected by this vulnerability here, as it only affects secure communication channels established via SSL/TLS.

However, there are two scenarios in which the TeamDrive Client establishes SSL connections:

  • If you need to access TeamDrive Spaces hosted on an SSL-enabled WebDAV server
  • If you publish versions of a file on a TeamDrive Host Server that has SSL enabled for publishing (this requires a TeamDrive Professional Client license). Publishing via SSL is currently not enabled on the host servers of our public TeamDrive cloud, but may be enabled on TeamDrive Host Servers that you manage on your own premises.

In both cases, the client will establish an SSL connection to the server, thus making it potentially vulnerable to this particular bug if the server has been taken over by a malicious user. However, the server itself would have to be compromised beforehand and modified in such a way that it can be used to exploit this vulnerability. Simply running a server with an affected OpenSSL library does not automatically lead to any information disclosure here, but may provide a potential attack vector for gaining access to the server.

The TeamDrive Client's version of OpenSSL depends on the client version and platform. With the exception of Mac OS X and Windows, our Clients have been built against a bundled version of OpenSSL, which is currently at version 1.0.1 for the latest builds. We'll be releasing updated clients shortly to fix this bug.
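As an added example (not TeamDrive's code), the following Python script classifies an OpenSSL version banner against the releases affected by Heartbleed, which is the triage an administrator of a self-hosted WebDAV or Host Server, or of a client with a bundled 1.0.1 library, would want to run first. The sample banners are constructed; the caveat in the comments about distribution-backported fixes is why a hit means "check the vendor advisory" rather than "confirmed vulnerable".

```python
"""Classify `openssl version` banners against the Heartbleed-affected range.

Added example, not TeamDrive code. Heartbleed (CVE-2014-0160) affects
OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1. 1.0.1g shipped the fix, and
the 1.0.0 and 0.9.8 branches never contained the affected heartbeat code.
"""
import re
import subprocess

# Constructed sample banners in the format printed by `openssl version`.
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.0k 5 Feb 2013",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
]

# major.minor.fix, optional patch letter(s), optional "-betaN" pre-release tag.
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def parse_banner(banner):
    """Return (major, minor, fix, letter, pre) or None if the banner is unparseable."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, pre = m.groups()
    return int(major), int(minor), int(fix), letter, pre


def is_heartbleed_range(banner):
    """True when the version string falls inside the known-affected range.

    Caveat: several distributions backported the fix without bumping the
    version letter (the banner still reads 1.0.1e, for example), so a True
    result means 'verify against the vendor advisory', not 'vulnerable'.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        raise ValueError("unrecognised OpenSSL banner: %r" % banner)
    major, minor, fix, letter, pre = parsed
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g is fixed.
        return letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta contained the bug.
        return pre == "beta1"
    return False


def local_openssl_banner():
    """Banner of the openssl binary on PATH, or None if none is installed."""
    try:
        return subprocess.check_output(["openssl", "version"]).decode().strip()
    except (OSError, subprocess.CalledProcessError):
        return None


def report(banners):
    """Map each banner to its classification so callers can act on the result."""
    return {banner: is_heartbleed_range(banner) for banner in banners}


if __name__ == "__main__":
    for banner, flagged in report(SAMPLE_BANNERS).items():
        verdict = "CHECK ADVISORY" if flagged else "not in affected range"
        print("%-34s %s" % (banner, verdict))
    local = local_openssl_banner()
    if local is not None:
        print("%-34s %s" % (local, is_heartbleed_range(local)))
```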

By Lenz Grimmer

Tuesday, January 7, 2014

TeamDrive receives Amazon Partner Network Advanced Technology Partner Status

by Volker Oboda, CEO TeamDrive


We are proud to announce that TeamDrive Systems received the status of Amazon Partner Network Advanced Technology Partner.


The entire TeamDrive team has worked hard to build and refine our secure and industry leading sync and share solution and this designation is an important milestone that reinforces our past and present achievements.

We also want to thank our numerous customers and users and are grateful for your continuing support. Your input helped us shape and improve TeamDrive and made this possible.


For all those who have not used TeamDrive yet:
TeamDrive is a collaboration software and service to sync your files easily and securely with 256-bit AES end-to-end encryption using the TeamDrive cloud or your own server.


Download TeamDrive today and check out our web site for more information.


Tuesday, October 29, 2013

The Intelligence Agencies Have Betrayed and Sold Us Out!

How should companies behave in the future?

by Volker Oboda, CEO TeamDrive

Not a day goes by without Edward Snowden informing us of new horror scenarios. For a long time now this has not only been about PRISM, Tempora or XKeyscore. It is about the arbitrariness of intelligence agencies deciding at their own discretion what they may and may not do. Each of us must therefore now ask how to deal in future with this threat, which does not come from supposedly malicious hackers but from the very institutions that were given the mandate to protect us.


Companies Are Forced to Act


Besides companies, public authorities and other organizations that work with particularly sensitive and personal data, every one of us possesses critical information that is worth protecting. In light of the current espionage debate, but also due to attacks in both private and business environments, the threat is steadily increasing. In the corporate environment in particular, data deserve the highest level of protection.

Mobile devices and applications have become indispensable in our mobile society and in the constantly changing way employees, business partners and customers work and communicate. The challenge is to protect this communication in the interest of all involved, under all circumstances. Sensitive information and company data have no business being in the hands of unauthorized third parties and intelligence agencies. Such access must be prevented. Naturally, this also applies to creating, editing and sharing with trusted persons.

Concepts such as "Bring Your Own Device" (BYOD) have created a new dimension of protection needs in companies, which poses a particular challenge for every organization seeking to protect business-critical data and intellectual property as well as possible. In addition, uncontrolled IT sprawl (shadow IT) through Dropbox and other, mostly private, cloud solutions aggravates this situation. This leads to an immense threat to information security in companies, from which malicious hackers and intelligence agencies profit alike. Nevertheless, employees must be able to keep working with the same convenient technologies and solutions. But in a secure way.


Control Alone Is Not Enough, SSL Is Insecure


Professional skeptics are gaining the upper hand again through the current discussions and advise turning one's back on the cloud and strengthening activities in one's own IT infrastructure. Control is an important topic. Whoever operates systems and data under their own supervision has more control over the processes and a better overview of where which information is located. What these discussions tend to underestimate, however, is that we live in a global world and, as written above, rely on mobile devices and applications to conduct our daily business.

Employees must therefore still be able to move freely with their devices, data and information, even though control is supposed to remain in the hands of the company's own IT department. An important step that every company, but especially every provider of IT services, should have taken into account years ago is encryption. It is nothing short of an admission of failure that providers suddenly begin to harden their systems cryptographically and even sell this to their customers as added value. Security is not added value. Security is a central component of every product, and not just since Edward Snowden. And that includes encryption.


SSL Encryption Is Insecure


One thing, however, must not be forgotten at this point. The NSA and GCHQ have subverted several encryption technologies used on the Internet, among them SSL [1]. This means that all providers relying exclusively on SSL encryption must be classified as insecure. Only the AES 256-bit encryption standard is still considered secure. Estimates indicate that the technical means to crack AES 256-bit encryption will not exist until 2018 [2]. The time required also depends partly on the strength of the chosen password. Security experts recommend a password length of at least 20 characters combining lowercase and uppercase letters, numbers and special characters.



End-to-End Encryption Is Unavoidable

Despite all promises, encryption is useless if the provider holds the key that gives it access to the encrypted data. For this reason there is no way around it: only the user may hold the private key, the data must be encrypted on the user's local system and then transferred via encrypted communication to the provider's servers, where it is likewise stored encrypted. At no time may the provider have the ability to recover the private key and gain access to the data.

New Age Disruption analyst René Büst sees it the same way [3]. He considers the debate about control over data important, but points out that sooner or later communication inevitably goes external and that strong end-to-end encryption is indispensable for that. Büst therefore recommends looking for the following security and encryption characteristics:

  • Advanced Encryption Standard – AES 256 for encrypting the data.
  • Diffie-Hellman and RSA 3072 for the key exchange.
  • Message Digest 5/6 – MD5/MD6 for the hash functionality.

Büst further makes clear that the importance of end-to-end encrypting the entire communication must keep increasing. This means that the entire process a user goes through with the solution is encrypted continuously from beginning to end. This includes, among other things:

  • User registration
  • Login
  • Data transfer (sending/receiving)
  • Transfer of the key pairs (public/private key)
  • The storage location on the server
  • The storage location on the local device
  • The session while a document is being edited


How Companies Should Act

The interplay of trust and security is becoming ever more important. However, a provider only builds trust if it opens up and grants its customers technical insight. Many IT providers lack this openness, which is why they are rightly criticized. Companies must therefore find a provider that has no secrets and talks readily with its customers. What else should companies pay attention to besides building trust:

  • Regain control over your data and systems.
  • Build trust within your organization and with your provider. This can arise from a good relationship but also from contracts.
  • Consider a hybrid scenario to support your employees in their mobile activities as well.
  • Your employees, customers and partners should continue to be able to access data and information securely(!).


What you should take into account under all circumstances is end-to-end encryption of the complete communication and the avoidance of media breaks at which the encryption is interrupted. Also identify secure encryption methods and take them into account in your choice of provider.


[1] http://www.spiegel.de/politik/ausland/nsa-und-britischer-geheimdienst-knacken-systematisch-verschluesselung-a-920710.html
[2] http://nsa.gov1.info/utah-data-center/
[3] http://clouduser.de/analysen/wie-schutzen-unternehmen-ihre-daten-gegen-die-uberwachung-in-der-cloud-20173

Intelligence Agencies Sold Us Down the River

How should enterprises proceed in the future?

By Volker Oboda, CEO TeamDrive

With every passing day we hear more and more horror stories stemming from the eye-opening information we received thanks to Edward Snowden’s leaks. The stories have long since stopped being only about PRISM, Tempora or XKeyscore; lately they have revolved around the arbitrariness of the intelligence agencies and their decision to act at their own discretion in terms of what to do, what not to do and what to allow. Each and every one of us needs to ask ourselves, “How can we deal with a threat like this? Not one coming from an alleged malicious hacker, but, instead, a threat coming from those agencies whose sole mission is to protect us and our privacy.”


Enterprises Forced to Act


Besides government offices and agencies, enterprises, and any and all other organizations that work with particularly sensitive and personal data, each and every one of us possesses information we deem critical and worth protecting. In the face of the current debates on espionage, but also of attacks on data in both personal and business environments, the overall threat continues to rise, and, of course, data in business environments are particularly worth protecting at a maximum level.

Today’s mobile society is constantly changing and improving the way we work and communicate with one another. At this point it is almost hard to imagine business partners, coworkers and customers alike communicating without mobile devices and mobile applications. The overarching challenge here consists of how to successfully secure the communication in everyone's interest and at any price. Sensitive information and business critical data have no place in the hands of unauthorized third parties, intelligence agencies or, for that matter, even random standard users. It is necessary to prevent unwanted access no matter who the unauthorized person is. Naturally, this also applies to the creating, editing and sharing of data with a trusted third party.

Concepts like “Bring Your Own Device” (BYOD) have led to a new dimension of, and need for, privacy protection within the enterprise, and have confronted organizations with new and existing challenges in securing business critical data and intellectual property. In addition, the uncontrolled growth of IT security holes (shadow IT) due to Dropbox, and other preferred personal cloud solutions, causes this situation to be even more nerve-wracking.

This, in turn, leads to an increased threat to an enterprise’s ability to securely protect its critical information and data while at the same time creating a beneficial situation for both malicious hackers and intelligence agencies alike. Nevertheless, employees should continue to work with the same comfortable technology and solutions, but in a more secure manner.


Control Alone is Not Good Enough. SSL is Insecure


Professional skeptics have once again gained the upper hand, due to the current security debates, and advise users to turn their backs on the cloud and, instead, strengthen their own IT infrastructures. Control is an important issue. Enterprises that operate and supervise their own data and systems have more, if not total, control over the processes that take place and they also have a better overview of where their data is located. However, these debates underestimate just how much of a global world we are living in and how much we rely on mobile devices and applications to run our daily business.

This means employees still need to be able to move about freely with their devices, data and information, while control lies in the hands of the enterprise’s IT department. An important factor each enterprise, and in particular each vendor of IT services, should have considered years ago is encryption. It is evidence of incapacity that suddenly, out of nowhere, vendors started to harden their systems cryptographically and sell this as an added value to their customers! Security is not an added value! Security is a central component of each product, and this expectation existed long before the events surrounding Edward Snowden. That includes encryption.


SSL Encryption is Insecure


Here is something that should not be forgotten. The NSA and GCHQ infiltrated some of the best known encryption technologies used to secure common Internet data transfers, among them SSL [1]. This means all vendors exclusively using SSL as an encryption standard should now be classified as insecure. Only the AES 256-bit encryption standard is still considered secure. According to estimates, the technological capabilities to crack AES 256-bit encryption will not exist until 2018 [2]. The time required also partially depends on the strength of the password. Security experts recommend choosing a password length of at least 20 characters and using a combination of upper and lowercase letters, numbers and special characters.



End-to-End Encryption is Inevitable

Despite all assurances, encryption is useless if the vendor owns the key that allows access to the encrypted data. For this reason there is no way around the fact that the user should exclusively own the private key, the data is encrypted in the user’s local file system and is, afterwards, transferred via an encrypted communication channel to the vendor’s servers where it is also stored in its encrypted form. On no account should the vendor have the capability to restore the private key in order to access the data.

New Age Disruption analyst René Büst sees it the same way [3]. He thinks that who has control over the data is an important topic, but calls attention to the fact that sooner or later external communication will be necessary and that hardened end-to-end encryption is then inevitable. Büst recommends paying attention to the following security and encryption characteristics:

  • Advanced Encryption Standard – AES 256 to encrypt the data.
  • Diffie-Hellman and RSA 3072 for the key exchange.

In addition, Büst makes it clear that the importance of end-to-end encrypting the entire communication must continue to grow. This implies that the entire process a user passes through with the solution is encrypted from beginning to end. This includes:

  • The user registration process
  • Logging in
  • The transfer of data (sending/receiving)
  • The transfer of key pairs (public/private key)
  • The storage location on the server
  • The storage location on the local device
  • The session while a document is being edited


How Enterprises Should Act

The interplay of trust and security is becoming more important. However, a vendor only gains the trust of its users if it opens up and gives them transparent technical insight. This type of voluntary transparency cannot be found with many IT vendors, which is why these vendors are justifiably criticized. For this reason, enterprises need to find a vendor that has no secrets and is eager to communicate with its customers. Besides building trust, enterprises should also consider:

  • Regaining control over your data and systems.
  • Building trust within your organization and with your vendor. This can be established with either a good relationship or with contracts.
  • Considering a hybrid scenario to support your employees while they are mobile.
  • Continuing to offer employees, customers and partners the opportunity to securely access their data and information.

What should by all means be considered is the end-to-end encryption of the entire communication and the avoidance of media breaks at which the encryption is interrupted. Moreover, identify secure encryption methods and take these methods into account during vendor selection.


[1] http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security/print
[2] http://nsa.gov1.info/utah-data-center/
[3] http://clouduser.de/en/analysen/how-to-protect-a-companies-data-from-surveillance-in-the-cloud-20234

Thursday, September 5, 2013

TeamDrive SecureOffice: Seamless and secure document processing for smartphones and tablets

René Büst, Principal Analyst and Senior Advisor covering cloud computing, business technology and collaboration published an insightful report about TeamDrive SecureOffice which was just released a few days ago.

TeamDrive SecureOffice is a collaborative product between the data security experts at TeamDrive and the mobile office provider Picsel combining one of the most secure tried-and-true ways to sync and share files "TeamDrive 3" with one of the most downloaded mobile office solutions "Smart Office 2".






You can find out more about TeamDrive SecureOffice right here.

Here are some interesting excerpts:

"A sandbox provides seamless security on the device

Based on sandbox technology, shared documents never leave the secure environment provided by the application. Complete end-to-end encryption is initiated when employees send and receive files via mobile devices."

"For large companies, government agencies and any other organization working with particularly sensitive data, it is crucial to adapt to the mobile habits of employees and to respond to these habits with appropriate solutions. A first look at the Android version of the app displays how the seamless workflow of Picsel’s Smart Office for mobile devices in conjunction with TeamDrive’s cloud-based sync and encryption technology for business can help to achieve this goal."


You can read the whole article right here on clouduser.de.



Monday, July 15, 2013

So, where do we go from here? The protection of our privacy must be a priority!

Tensions have somewhat subsided since the recent news about PRISM and Tempora rocked the globe. So, what’s next? Where do we go from here? Is this somewhat relaxed state truly a relaxed state? Or is it just the calm before the storm?

As we delve deeper into the labyrinth of data we find out there is a surprisingly large interest in corporate data, an interest level far greater than many would have ever imagined. But tell me, are we really surprised? Are we truly that naïve? Truth be told, at some point we all had that burning sensation in our stomachs; we all had that feeling that in some form or fashion we were being ‘observed’. Well, now it’s official! Yep! Right there in black and white! But what does this mean for us and our privacy? Should we throw away all we have worked for, trash years worth of technological developments and head back to the drawing board? I would think not.

The show must go on; the sprockets and the wheels must keep turning. In hindsight we can see where we went wrong; we can see where we put a false sense of hope and security for our privacy in the hands of wrong people; we can see where we did not take the time to be more aware and to better inform ourselves as to how our privacy is actually being protected. Let’s not make the same mistake twice. “Fool me once, shame on you; fool me twice, shame on me.”



We like to share everything.

The ease and practicality of sharing data and information with one another is steadily increasing. The main cause of this is that we, as people, like, and sometimes need, to communicate with each other. On the one hand, we are simply social beings. On the other hand, we need our communicative skills in the world of business to promote the exchange of ideas, information, developments and solutions, and to find ways of implementing all of these in a timely and efficient manner. This, in turn, leads to mountains and mountains of data that other parties presumably have an interest in and to which, as we have now found out, they are casually given access. At this point, “We like to share everything”, as described on www.dropboxpartners.com, is as much of a punch line as it is an advertising slogan, especially when it is written in the terms of use that data will be released to security agencies. As written by the Guardian, “The NSA document indicates that it is planning to add Dropbox as a PRISM provider”. On top of that, why should users feel safe and feel as if their privacy is protected when their data will supposedly be stored in an encrypted form by a provider who, incidentally, has the keys to decrypt it? So whose data is it really when you don’t even have the keys to access your ‘own’ data? The provider owning the keys to your data interferes with your right to access the data at will.

Control is good. Integrated encryption is even better.

Given the current state of our digital privacy, one could also say that an end user who relies only on an ‘encryption at rest’* approach is betting on the wrong horse. Eventually, the data will leave its storage location and be transmitted in an unencrypted form and without further security measures. Can you say, ‘disaster waiting to happen’? For this very reason, all end users, companies and private users alike, trust and confidently rely on 100% end-to-end encryption. 100% end-to-end encryption provides the level of security needed to allow end users to communicate and easily and confidently share private data with whomever they choose. This has been confirmed by the results of a recent survey. However, the truth of the matter is that not one single US-based provider can meet this requirement. At the moment, Wuala, from Switzerland, and TeamDrive are the only companies able to provide this high level of security.

But, what does end-to-end encryption mean exactly? As the name states, the data are encrypted before leaving the user’s device**. This means that the data are transmitted to the server in an encrypted format and also reside on the server in an encrypted format. While the data are being transmitted back to the user’s device they remain in their encrypted state. The data are encrypted during their entire time away from the user’s device. Once the data returns to the user’s device it can only be accessed if the proper encryption keys are available and these reside with the user. Yes. The user is the only person with access keys to their data. There is no master key maintained by the service provider which means there is no way for them to decrypt the user’s data and allow access to them.

Legal jurisdiction and trust are key factors

What the above-mentioned survey also reveals is that the location in which the data are stored is of high importance. 92% of voters agree Europe is the safest and most trustworthy region worldwide to store data. America tallies up a measly 2% of the votes and weighs in behind Africa which managed to receive 4% of the votes.

With all that said, it is probably pretty clear which vendor is the only one that should come into question today. Right?

* The data is stored physically encrypted.
** With third party tools the data can also be stored in an encrypted form on the user’s device. The best way to ensure 100% security is to encrypt your data locally as well.

Saturday, March 16, 2013

“Sync & Share” - Business Continuity Management (BCM) Solution with TeamDrive


Another example of the secure sync & share technology from TeamDrive in use was demonstrated by our reseller partner "No Limit IT-Services" at the CeBIT show in Hannover, Germany earlier this month. "No Limit IT-Services" presented a secure and cost-efficient solution for the IT Contingency Plan (IT-Notfallplanung 2.0).

Detlef Schmuck, COO of TeamDrive and Thomas Stueber, Sales Director of Nolimit IT-Services at CeBIT 2013 in Hannover, Germany

TeamDrive makes it possible to replicate contingency plans, and other documentation regarding risk factors, so that they are readily available offline in emergency situations. More than ever, a company’s ability to act is determined by the constant availability of its data. The IT Contingency Plan, also a part of Business Continuity Management (BCM), gains more and more relevance and importance in today’s business world. Utilizing appropriate safety strategies should therefore be a standard action. On the basis of synchronization, NoLimit IT has developed various IT Contingency Plan solutions. The secure and reliable “Sync & Share” solution from TeamDrive offers the advantage that the data are automatically encrypted, using AES 256-bit encryption, before being uploaded. All this is done without the user having to worry or press any extra buttons. This ensures that no unencrypted data leaves the machine and that the data cannot, under any circumstances, be accessed by unauthorized persons. The synchronized and encrypted data are always available to you at any of your favorite workstations and even available for use offline.