Data/Cyber/Cloud Security, Privacy, Website Security, Data Encryption, Malware/Viruses, Open Source Intelligence, Cyber Defence, Data Breaches

Contact Graeme

Journalists, students, potential clients or anyone else email.......
graeme@datasecurityexpert.co.uk

Something private to say?
PGP public key
No this is not a Punch and Judy article, its much more serious than that, its about guarding your data.

Last Saturday night (12th) I stumbled upon a company which offered "ultra secure" web hosting, vps, dedicated servers, hosted email and backup. So I sent them a email asking for more detailed information and securing policy details. In the meantime I thought there "ultra secure" backup option might be useful so I noticed they did a trial and signed up.

The strange thing was is that the login and signup page was http, i.e. not https and no encryption between me and them. So I signed up with a new password and also checked the source code and there was definitely no encryption. I installed the client backup agent and gave it a test folder to do.

It backed up swiftly and appears on the online portal. Great, all seems ok? Now time for some testing so I opened up Wireshark and could sniff the username/password, o/s, url, ips, file names, hard drive addresses - both for the website and backup agent. Shocking! I emailed the provider with what I found and no reply so far.

So the next time a company claims to have military grade security and encryption do not take their word for it! This is the problem with cloud service, you do not know how its controlled.

Capture of passwords, usernames, hard drive addresses, file names etc.


Login page which is non https and also gives more details than it should, i.e. admin login and manuals.


Screenshot showing the html post of the form is non https and the entire page is also.