UPDATED 08:02 EST / JANUARY 30 2013

NEWS

How Do I Keep My Data Safe Using a Cyberlocker Like Mega?

Kim Dotcom’s Mega recently launched as the spiritual successor to the now extinct Megaupload. It contains a lot of interesting security features, including what looks like some impressive encryption; however, in spite of its much-trumpeted security, it seems to be riddled with flaws and this may well give pause to anyone who wants to use it as a secure cyberlocker.

The suggestions below on how to keep yourself safe using a cyberlocker will hopefully provide an understanding of the first level of safety using and cloud service, not just Mega. However, in light of Mega’s flaws, I will be using that to highlight the what-and-why of each point.

Encrypt thyself

Never trust a lock that isn’t yours.

If you’re going to store anything even mildly sensitive in the cloud or on a cyberlocker service consider putting it in an encrypted container first starting from your side of the transaction. That means that you encrypt it and decrypt it on your secure space before sending it into the cloud.

You can choose to do this to individual files on a case-by-case basis or even produce a multi-megabyte encrypted safe file to store them in when you exchange them with the cyberlocker service. However you do it, the first-best-way to store anything in the cloud securely is to use your own lock. Mega and other cyberlockers might flaunt their security and encryption and other measures to help protect your information.

For most consumers the standard encryption products on the market will do to give them a sufficient edge on any cyberlocker to secure their information. I wholeheartedly suggest looking into GPG and TrueCrypt. For the fairly savvy GPG is an excellent resource but it’s not very user friendly; for those looking for an out-of-the-box solution that functions well, TrueCrypt is the way to go.

As always: Encrypt thyself or suffer the consequences.

Secure communication of passwords, keys

One of the first things that security researchers have discovered about Mega is that while they use some pretty hefty encryption, the communication of the keys involved in that encryption appears to be a little bit shifty. In fact, some of the elements of the keys are e-mailed to users insecurely which means that when receiving the first password or a new password things could get problematic.

You may want to use a secure e-mail service such as Hushmail.com to sign up for services such as Mega and receive password changes.

In this section I’d admonish readers to use strong passwords, but the security conscious reading this already do that, so the problem becomes keeping them safe. By using a secure e-mail service to interact with a cyberlocker like Mega it will help reduce the chances of a man-in-the-middle (MITM) attack where another individual might obtain information needed to guess or crack your password.

A stronger password will always help even in the case of an MITM attack with Megaupload when you change or receive a password because the attacker still must guess or crack it even from the hash sent.

Use a secure browser

Mega exists as an in-browser cyberlocker service that does most of its interaction via Javascript, this means that the browser is privy to a great deal of information passing through it.

To stay fully secure you will want to use a browser well known for security features, not currently suffering from any zero-day exploits, and perhaps even totally clean (i.e. no plugins running.) Currently, one excellent suggestion might be to run Google Chrome in Incognito mode—if set up correctly, this will disable most (if not all) plugins and it will not leave a record of the interaction with Mega. Chrome is already a fairly solid browser and consumer available.

On the free-but-designed-secure browser front there’s products such as Comodo Dragon.

For the more paranoid, other browsers exist that enable much greater security such as the sandboxed Firefox version available on the IronKey S250 USB drive or using a Check Point Abra USB key.

No more link exchange and sharing

Also, you may not ever want to exchange links to the content that you post on Mega. While the cyberlocker service does allow you to generate a link other people can use, there are distinct security issues with sharing that link that might allow 3rd parties access to more than just what the link provides. If you want a cyberlocker account for sharing items make a separate account for secure information from your sharable information (perhaps even on a different cyberlocker.)

This is one of the spaces in which Mega’s much-trumpeted encryption and partial-anonymity may break down.

The service is designed to help protect the internal data from external viewing (and even from employees knowing what’s stored there) but once a link to that data is shared externally it’s opened up to 3rd parties seeing it. This puts a crack in the security wall that cannot be closed and as a result, it means using it opens up lots of avenues of attack against your secure data.

Mega also wants to encourage people to share from the cyberlocker, so they make it as easy as possible, as always this means that they will tend to do so in the least secure way possible. If at all, avoid sharing via Mega if you want to keep all your other information protected.

Don’t store anything incriminating on a cyberlocker

If you’re reading this because you want to know how to prevent your personal information from being accessed by bad guys if you store it on a cyberlocker, then everything above will probably aid you in greatly increasing your security—however, if what you want is to be an anonymous distributor of pirated warez perhaps most of this will help a little.

For the rest of the world this last point is a simple social “think about what you’re using.”

If you have something that you believe is incriminating, super sensitive, or otherwise not-fit-for-a-cyberlocker don’t put it there.

Security is a question of risks and often those risks are balanced with convenience. Cyberlockers are an extremely convenient method for keeping and moving information through the cloud, but it’s also an extremely insecure way to do so due to the convenience. Mega has done a good job of adding several layers of security along with that convenience but in the end expedience will tend to weaken security (sometimes fatally.)

If you have something extremely sensitive or incriminating you’re probably better off keeping it on a USB key, putting it in a safe, or otherwise not transmitting it over the Internet or putting it in the cloud in the first place.


A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU