So, we all heard about that iCloud leak last week. Over one hundred high-profile, celebrity accounts were hacked and their personal photos were leaked. What is perhaps most frustrating is how easily the whole thing could’ve been avoided.
Apple has stated that there were no known security vulnerabilities and no signs of a breach of their systems. After 40 hours of investigation, it was concluded that the hackers targeted individual accounts, guessing passwords until they eventually hit the jackpot.
We can’t stress enough how important it is to use strong passwords (mixed upper case and lower case, include numbers and punctuation, no pets names, etc) and change these regularly. Don’t use a password that you’ve already used in the last 12 months, and don’t use the same password on more than one site.
But, even with the most secure password, if a hacker finds their way in to a cloud storage service like Dropbox or iCloud, they can gain access to your data. Most consumer cloud products don’t encrypt your stored data, or when they do the encryption is not particularly strong.
BuddyBackup is different. We take your privacy very seriously. All of your data is encrypted locally before it even reaches your Buddy’s computer – this means nobody, not even your Buddy, can access your files. If your Buddy’s computer was hacked, your data would be completely unreadable. The full list of encryption we use can be found below.
A copy of your encryption key is kept on the BuddyBackup server. This is so that when you recover a lost account, the keys can be securely sent to you to enable you to recover your files. But these keys are encrypted on your password so that not even members of the BuddyBackup team can access them.
A copy of your password may also be saved securely on our server so that if you forget it, we can send you a reminder. For maximum security though, you can choose to disable this feature and permanently remove your password from the BuddyBackup server.
Integrity and authentication checking is done at all stages of backup and recovery to protect against accidental or malicious corruption of data. In particular we aim to ensure:
- A Buddy cannot send your encrypted data to someone other than you
- A Buddy cannot maliciously send you tampered backups when you are restoring data
- You know the files you receive are really from your Buddies, and no one else.
The technical stuff
- AES – 256 keys for file data. Certified by the US NSA for use with classified information. Separate AES keys for file contents and file names.
- RSA – 2048 Public Keys for authentication – the same technology used by SSL on websites
- SSL (TLS) encryption between client and BuddyBackup servers
- Salsa20 stream cipher used for buddy – buddy communication (note this is in addition to the AES – 256 encryption of files).
Author: Cassie Holmes, BuddyBackup