Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label cloud storage security. Show all posts
Technology
cloud storage security End-to-End Encryption Google Drive encryption Google Drive privacy Google Drive security Technology

Why Privacy-Conscious Users Should Think Twice Before Storing Sensitive Files on Google Drive

 

Google Drive has become an essential tool for millions of users worldwide. Whether it's storing contacts, backing up WhatsApp chats, or saving photos, videos, and important documents, the platform serves as a central hub for digital storage. Its deep integration with Google's ecosystem makes it a convenient choice for Android and Gmail users alike.

However, while Google Drive offers robust security against cyber threats, questions remain about whether it is the best place to store highly sensitive personal information. Documents such as passport scans, banking records, legal contracts, and tax returns may require an additional layer of protection beyond what the service provides by default.

From a security standpoint, Google Drive employs industry-standard safeguards. Data is encrypted while being transferred using TLS protocols, and files stored on Google's servers are protected with AES-128 encryption. Users can further strengthen account security through features like passkeys and two-factor authentication.

The key concern, however, lies in how the encryption system works. Unlike services that provide end-to-end encryption, Google retains control of the encryption keys used to access stored files. This means the company has the technical ability to decrypt and view user data when necessary.

"When you upload a file, Google encrypts it with a unique data encryption key, then encrypts that key with another key it controls, and stores both on its servers. To read the file, Google's systems unwrap the keys on the fly. With true end-to-end encryption, only your device holds the key, so even the service provider sees nothing but scrambled bytes. Google's setup doesn't meet that bar."

As a result, while hackers and unauthorized third parties face significant barriers in accessing files, Google itself can access stored content. Additionally, government agencies or courts may compel the company to share user data through legal processes because Google possesses the necessary decryption keys.

Another privacy consideration is automated content scanning. Google uses systems that review files for policy enforcement purposes, including identifying known illegal content and potential violations of its terms of service. Although the company states that Drive content is not used for advertising purposes, automated systems can sometimes generate false positives, potentially leading to account restrictions or suspensions.

Artificial intelligence is also expanding Google's access to stored data. As Gemini becomes more deeply integrated into Workspace products, it requires permission to analyze files in order to generate summaries and provide contextual assistance. While Google maintains that Drive files are not used to train its general AI models, some privacy advocates argue that increased AI integration broadens the potential exposure of personal information.

"This doesn't mean Google is malicious or will snoop on you. It means the threat model is different from what most people assume. You're not just trusting Google to fend off hackers; you're trusting it never to read, mishandle, or be compelled to share your data."

For users seeking stronger privacy protections, encrypting files before uploading them to Google Drive is often recommended. Applications such as Cryptomator allow users to create encrypted vaults on their devices, ensuring that files remain unreadable to Google. VeraCrypt is another option that enables users to create secure encrypted containers that can be synced to cloud storage services.

Those looking for built-in privacy protections may consider alternative platforms. Services such as Proton Drive, Tresorit, and Sync.com offer end-to-end encryption, ensuring that providers cannot access the contents of user files because they do not possess the decryption keys.

There are trade-offs, however. End-to-end encrypted files often cannot be searched by content, previewed in a browser, or edited collaboratively in the same way as standard cloud storage files. Additionally, users are solely responsible for managing recovery credentials, meaning forgotten passwords may result in permanent loss of access.

For particularly sensitive documents, some users may choose to avoid cloud storage altogether. External hard drives or self-hosted solutions such as Nextcloud can provide greater control over personal data while reducing dependence on third-party providers.

Despite these concerns, Google Drive remains a secure and practical solution for everyday storage needs, including photos, shared documents, and routine work files. The issue is less about security and more about privacy.

"The privacy story shifts when you start storing things that would hurt to lose to a stranger, a Google reviewer, or a court order. For those files, the answer isn't to abandon Drive but to stop treating it as a vault. Encrypt sensitive documents before you upload, or move them to a service that can't read them at all. The few minutes of friction are worth knowing that the most personal pieces of your life aren't sitting on a server with someone else's keys."

For privacy-focused users, the best approach may be to continue using Google Drive for convenience while reserving encrypted storage solutions for highly confidential files.

Read more »
Zero-click vulnerability
cloud storage security Data Breach malware infection network storage flaw Pwn2Own hack Ransomware attack Synology NAS Synology Photos app Synology QuickConnect Zero-click vulnerability

Zero-Click Vulnerability in Popular NAS Devices Exposes Millions to Cyber Attacks

 

A widely used device and application for storing documents, trusted by millions of users and businesses globally, has been found to have a vulnerability. A team of Dutch researchers revealed that this zero-click flaw could potentially compromise many systems worldwide.

This flaw, termed "zero-click" because it requires no user interaction to trigger, affects Synology's photo application, a default program on network-attached storage (NAS) devices from the Taiwanese company. Through this vulnerability, attackers could gain unauthorized access to these devices, allowing them to steal files, plant malicious code, or install ransomware, which could lock users out of their data.

The Synology Photos app comes pre-installed on Synology’s BeeStation storage devices and is also popular among users of their DiskStation models. These NAS devices enable users to expand storage via add-on components. Since 2019, Synology and other NAS brands have frequently been targeted by ransomware groups. Recently, DiskStation users have reported specific ransomware attacks. The vulnerability was uncovered by Rick de Jager, a security researcher with Midnight Blue in the Netherlands, during the Pwn2Own hacking event in Ireland. De Jager and his team identified hundreds of thousands of vulnerable Synology NAS devices online, although they warn that the real number of at-risk devices is likely in the millions.

The researchers, alongside the Pwn2Own organizers, alerted Synology about the flaw last week.

Network-attached storage systems are attractive targets for cybercriminals due to the large volumes of data they store. Many users connect their NAS directly to the internet or utilize Synology’s cloud storage for backup. Although security credentials can be required to access the devices, this specific zero-click flaw in the photo app doesn’t require authentication. Attackers can exploit it remotely over the internet, granting them root access to execute malicious code on the device.

The photo app allows users to organize images and provides attackers easy access whether the NAS is connected directly to the internet or via Synology’s QuickConnect, which offers remote access. Once an attacker compromises one cloud-connected Synology NAS, it becomes easier to identify others, thanks to how the system registers and assigns IDs.

The researchers found several cloud-connected Synology NAS devices linked to U.S. and French police departments, as well as numerous law firms in North America and France. Other compromised devices were used by logistics and oil companies in Australia and South Korea, along with maintenance firms in South Korea, Italy, and Canada, serving industries like energy, pharmaceuticals, and chemicals.

“These organizations store a range of critical data, including management documents and sensitive case files,” Wetzels said.

Beyond ransomware, the researchers warn of other threats, such as botnets, which infected devices could join to assist in hiding broader hacking operations. The Chinese Volt Typhoon group, for example, previously used compromised home and office routers to mask espionage activities.

Synology has not responded publicly to requests for comment, but on October 25, the company issued two security advisories marking the vulnerability as “critical.” Synology confirmed the discovery was made during the Pwn2Own contest and released patches for the flaw. However, without automatic updates on NAS devices, it is unclear how many users are aware of or have implemented the patch. Releasing the patch also increases the risk that attackers could reverse-engineer it to exploit the vulnerability.

While finding the vulnerability independently is challenging, “it’s not hard to connect the dots from the patch,” Meijer explained.
Read more »
Subscribe to: Posts (Atom)