
New to this site

Posted: Sat Dec 01, 2012 8:03 am
by IsTheCloudSafe2USE
I am new to this site. I am here to do some research for my employer.
They are a law firm that wants to use the cloud to store and access their client information.
We are talking about ssNos, phone number, bank account info, CC nos, everything!
The product they are looking at is

I am very concerned that having client information on the cloud is not safe.
They claim their system can not be hacked. I would like feedback from
some experts, "Is there such a thing as a site that can not be hacked?"

From news reports, it would seem everything can be hacked.
Would you feel comfortable if your mother used an attorney that put her information on the cloud?

Thanks for any feedback

Re: New to this site

Posted: Sat Dec 01, 2012 9:14 am
by Amazingred
You may need to redefine what you consider "hacking". Most theft of sensitive data is going to occur from someone stealing the info off of the law firm's computer instead of some stupid hacker trying to hack the same information out of a company that specializes in protecting data. That being said... unhackable and publicly accessible will most likely never be in the same sentence truthfully. Unless all the users are computer professionals the odds go down even more. The less computer experience someone has, the more user friendly it has to be. Normally user friendly is synonymous with Security Flaw in these situations.

The service you mentioned uses 256-bit SSL encryption and they look acceptable from the little I read about them. Remember tho, I can almost guarantee that whatever setup your law firm has is nowhere near as secure as they are and that's where the customer data theft will occur if it happens. The reviews look solid so you should be okay.

Re: New to this site

Posted: Sat Dec 01, 2012 5:54 pm
by not_essence2
There will never be such a thing as a site that cannot be hacked.
However, even if the employees yell at you for half an hour on how every "computer guy" that comes in here says about it, you have to tell them to use long, long passwords that are either huge combinations of letters or just don't make sense (preferably an above-20 character one like mine), and just about everything we repeat to civilians but half of them don't listen to anyways.
If I'm correct on what you're thinking, you're not thinking about the case where a person inside the network is a saboteur, but a random person from outside of the network trying to get in. The most likely way is that they'll try to get in by getting into the employee's accounts, which is easy as many civilians don't care that much about security and thus are the most vulnerable.
They could dox your employees and Social Engineer them with a malicious link or attachment or Trojan, etc. as a client-side attack to get into their accounts, or they could just brute-force a password out. I don't see a MiTM attack having a chance unless the hacker is a seasoned one. Of course, if they are able to successfully dox an employee and brute-force or SE his password on another site they've found in the dox, there is a big possibility that the password gained will be the same password to their accounts.

Re: New to this site

Posted: Sat Dec 01, 2012 10:29 pm
by weekend hacker
It's no more or less safe than doing it all yourself. Things to remember when storing client information are your local laws on privacy (which may require you to be certified to be allowed to store this kind of information, or do reasonable effort to keep the information private).
The hosting you mentioned is SAS 70 Type II Certified. Which is supposed to mean they are secure enough to handle financial data (which is the highest form of data as far as I know, not including state secrets) and whatever security they have in place actually worked for at least 6 months (that's what the type II is). If I remember correctly banks and some other places that deal with financial data HAVE to have this certification.
The certificate of course doesn't protect them against things actually going wrong but when things do go wrong you could argue that you did everything in your power to prevent the data loss by using a SAS 70 certified hosting company. Chances are they also have more experience at this sort of thing and it's less likely that their servers will be rooted because an employee opened a funny link on Facebook.
I have no idea what law firms require or if the services provided by this company is a benefit. I assume your client already knows how to email and bill people for their time. But if they're wasting time on those tasks and can't work while on the road then this might actually be a good service.

As to your last question, nobody is ever comfortable using any type of attorney, no matter where they host their stuff.

Re: New to this site

Posted: Sun Dec 02, 2012 2:25 am
by Amazingred
Weekend....+1 for the breakdown and another +1 for the zinger...made me smile.

Re: New to this site

Posted: Tue Dec 04, 2012 10:10 am
by IsTheCloudSafe2USE
Thanks for your replies. You have made some good points.

I agree it seems no site is hack proof, based on news reports not on my experience or skill set. Our current system runs on our local network and is not exposed to the web, i.e. no browser access, except for folks possibly downloading something via email or browsing.

I agree if someone wanted to hack our firm's data, they probably will find a way to do so.

My biggest concern is that a site that hosts thousands of attorneys may be a more interesting target than going after one individual law office, unless that single law office was a hacker's specific target. By being on a group site, I am concerned, our client's data may be at a higher risk than being on a local network.

Another site they are considering is DropBox, to access documents remotely. Which was hacked back in July. It seems to have the same level of security as, which adds to my concerns.

Is a big red X, even if it is technically more secure, a more interesting target than a small x that is less secure?

Thanks again for your feedback.

Re: New to this site

Posted: Tue Dec 04, 2012 5:59 pm
by weekend hacker
It may be a more interesting target, but it would also be considered a much harder target. Hackers are still lazy, a lot of those with bad intentions don't even bother with anything that is considered big. Really guys, who here ever bothered to portscan the (protip: they'll block your connections after getting just a few ports on default settings)

IsTheCloudSafe2USE wrote: Our current system runs on our local network and is not exposed to the web, i.e. no browser access, except for folks possibly downloading something via email or browsing.

By my definition, your data is on the net. If it should be safe it should not be connected to any network connected to the internet. This means that all computers on the network that can contact it aren't connected to the net either, nor should there be a wireless access point on the same network. I understand that this is usually not effective in this day and age, that's why at the very least some very serious firewall settings should be set. (won't help though, I'll explain later)

The way a big site that uses the cloud buzzword usually works is the following:
-At the front line exposed to the internet are reverse proxy servers/load balancers. These have the ip's the users connect to, they'll then forward the connection to a server that isn't at max capacity.
-Those other servers are normally only available to those load balancers or some admins. Those servers will do all the logic required, running code, and in turn will connect to a database server(or cluster).
-The database is where your data actually lives. Again those servers aren't accessible to the net, and only to those servers.

So the places that have your data(the db/dbcluster) or the places that have the potential to access that data(those other servers, not the load balancers that users can see) are not connected directly to the net. And the local network that they are on doesn't have normal users who DO have access to the net, or who may have been infected at other points. The only entry point would be the load balancers, who very much limit where users can connect.
(note, these servers I described CAN be on the same machine though(by using VMs or jails), but from a network point of view are totally separate entities, and getting full access to one shouldn't mean full access to the other.)

The network you described is ripe for abuse. People are on there browsing, reading emails etc. There may even be laptops on there that go home on networks totally out of your control. Maybe even a poorly configured wifi router. You don't only run the risk of a targeted attack, but of accidental pwnage.
Imagine a random criminal hacker, infecting machines as usual for profit. Normally these guys run by the numbers, as in, why target 1 or 10 high value targets who may or may not have a vulnerability, when you can target 100000 people who may or may not be vulnerable. If 10% of those people are vuln, they'll have plenty of machines to scrape for useful data and use for other profitable schemes at their disposal(and often enough more people are targeted, it can take less effort than trying out 10 high value targets and the chance of success is dramatically greater).
These type of guys may already have access to some machines at your firm, but one of the downsides of working with this many machines is that you don't usually keep a close eye on them and maybe won't even bother to infect other machines they are connecting with or try to gather data in a manual way(although, almost all malware that has been news worthy DOES try to infect other machines on the network too).
If one of these guys cared to take a closer look at what he had at his disposal he may notice that he has access to all your client information if he wanted to (if he controls a machine that has access to this data, then he has access to this data). Luckily for you in most cases these guys don't care to look and are too busy reselling the access to the machines they have. Depending on your setup the client data has more or less chance of being accidentally discovered and used. (example: a network drive looks like a normal drive to Windows, malware that gathers cc info will look there just as it would look at other partitions on the machine)

So unless your network is locked tight, and all machines on there are super secure, all employees know how to avoid getting owned, updates are pushed as soon as they come out and a bunch of other factors, then I'd say a service like is better secured.
But again, there is no guarantee, they could make mistakes too. Or worse, they could be noobs posing as professionals to make lots of money.
And another important difference here is: if you make a mistake you may be liable (or whatever, you should know those terms better than me). If that certified company makes a mistake, it (and you!) can claim they did the best they could, after all, they have a certificate that proves it.

wow.. long text is long
TL;DR; your network doesn't sound secure to me, maybe more important than security is liability when things go wrong?
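
The tiered layout and the flat office network described in the post above can be compared mechanically. The following is an added example, not part of the original thread: a small Python model, with zone names and flow tables constructed for illustration, that reports which internet-facing zones can read the data directly and how many zones sit between the internet and the data.

```python
from collections import deque

# Constructed firewall flow tables: (source zone, destination zone) pairs
# that are permitted. Zone names are illustrative assumptions.
TIERED = {
    ("internet", "load_balancer"),
    ("load_balancer", "app_server"),
    ("app_server", "database"),
    ("admin", "app_server"),
}
FLAT_OFFICE = {
    ("workstation", "internet"),    # browsing and e-mail
    ("laptop", "internet"),
    ("workstation", "file_share"),  # mapped drive holding client data
    ("laptop", "file_share"),
    ("workstation", "laptop"), ("laptop", "workstation"),
}

def internet_facing(flows):
    """Zones that exchange traffic with the internet in either direction."""
    return {a if b == "internet" else b
            for a, b in flows if "internet" in (a, b)}

def direct_data_access(flows, data_zone):
    """Zones allowed to open a connection to the data store."""
    return {src for src, dst in flows if dst == data_zone}

def exposed_with_data(flows, data_zone):
    """Zones that both touch the internet and can read the data directly."""
    return internet_facing(flows) & direct_data_access(flows, data_zone)

def machines_before_data(flows, data_zone):
    """Fewest zones an intruder must control before the data is reachable."""
    readers = direct_data_access(flows, data_zone)
    queue = deque((z, 1) for z in sorted(internet_facing(flows)))
    seen = {z for z, _ in queue}
    while queue:
        zone, count = queue.popleft()
        if zone in readers:
            return count
        for src, dst in sorted(flows):
            if src == zone and dst not in seen and dst != "internet":
                seen.add(dst)
                queue.append((dst, count + 1))
    return None  # no permitted path from the internet to the data

if __name__ == "__main__":
    for flows, data in ((TIERED, "database"), (FLAT_OFFICE, "file_share")):
        print(sorted(exposed_with_data(flows, data)), machines_before_data(flows, data))
```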