As individuals or organizations, we often need to transfer files securely over the Internet to another person or organization. In this post we look at the common ways of doing this and examine each file transfer method from a security point of view.

Sending a file over the Internet can also be considered a kind of file sharing. File sharing is the public or private sharing of data on a network (or the Internet) with separate levels of access. In other words, whenever you move one or more files from your local computer to another device or a remote location, you are sharing files.

The most common ways to transfer (or share) files over the Internet are:

  • Email
  • FTP, FTPS and SFTP
  • Cloud Services
  • Peer-to-Peer Networks

Some of the risks of file sharing include:

  1. Downloading a file that contains malware
  2. Downloading an illegal, copyrighted file
  3. Using a file sharing app that asks you to disable or turn off the firewall
  4. Accidentally placing sensitive files in a public file hosting location

Some general advice:

  • Pick a service that offers end-to-end encryption.
  • Always double-check permission settings.
  • Run audits on your files to see who is accessing them.
  • Delete files that are no longer needed.

Securing file transfer over the Internet has two goals:

  1. The provider of the file sharing service should not be able to read the content of the file.
  2. Attackers should not be able to access the file or its content.

Note that transport encryption (TLS between you and the service) only helps with the second goal. The first goal is met only when the file is encrypted before it leaves your device, with a key the provider does not have; that is what the "end-to-end encryption" in the advice above means.

Before continuing, it helps to know that data is commonly divided into two categories:

  • Data at rest (static data): data saved on servers, desktops, laptops, etc.
  • Data in motion (dynamic or in-transit data): data travelling over a network or the Internet.

Source:  varonis.com  and  pandasecurity.com

 

 

FTP, FTPS, SFTP 

File Transfer Protocol (FTP) was one of the first methods invented for moving data across networks, and it remains widely used today thanks to its reliability and efficiency. FTP is a practical option for large files, unusual file types, or legacy data. FileZilla and WinSCP are examples of FTP clients. FTP uses two connections to send data. Authentication data (usernames and passwords) is exchanged on a command channel. Data files are sent on a separate data channel that is established after authentication is complete.

But FTP is not secure: the protocol has no option for encrypting either channel, so usernames, passwords and file contents all cross the network in cleartext, where anyone on the path can read or modify them. From the heart of this old protocol, two more secure protocols emerged:

  • FTP Secure or FTP-SSL (FTPS)
  • SSH File Transfer Protocol (SFTP), also called Secure FTP

Both keep FTP's basic concepts (log in, list directories, upload and download) but add strong security. They are not the same protocol, though: FTPS is FTP with SSL/TLS added, while SFTP is a separate protocol that runs over SSH and does not interoperate with FTP or FTPS.

Source: coviantsoftware.com

 

FTPS 

FTPS adds SSL/TLS encryption to FTP. Like FTP, it uses two connections:

  • Command channel
  • Data channel

In explicit mode you choose which connections to protect: the command channel is upgraded with the AUTH TLS command, and the data channel is separately set to protected (PROT P) or clear (PROT C). Check both: a session that logs in over TLS but transfers with PROT C still sends file contents in cleartext.

FTPS protects data only in transit, not at rest: once the file lands on the server it is stored however the server stores it, readable by the server operator. So if the content is sensitive, encrypt the file itself before sending it through FTPS.

FTPS uses public key cryptography: the FTPS server presents an X.509 certificate, which should be signed by a certificate authority the client trusts, and the client must actually validate it (a client configured to accept any certificate gets no protection against a man-in-the-middle). A client/server FTPS implementation runs in one of two modes:

  • Implicit mode: the server requires TLS from the first byte of the connection, without giving the client a choice; no negotiation takes place. Implicit FTPS uses port 990 for the control channel and 989 for the data channel.
  • Explicit mode: the standard mode, sometimes called FTPES. The client connects to the normal FTP port (21) and must explicitly request a secure connection with AUTH TLS, after which the two sides “step up” to a mutually agreed encryption method. The control channel and the data channel step up separately (the data channel with PROT P), so data can be encrypted when encryption is required without paying the overhead when it is not. The server should reject USER and PASS until AUTH TLS has completed; otherwise a misconfigured client can still send credentials in the clear.
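The step-up sequence in explicit mode is exactly where real deployments go wrong: a client that sends USER/PASS before AUTH TLS, or that never issues PROT P, leaks credentials or file contents even though “FTPS” is switched on. The following is an added example (not code from the original post or from any FTPS product) that replays the client side of a control-channel transcript and flags both mistakes. The “C:”/“S:” transcript format and the session contents are constructed for this example; the FTP commands themselves (AUTH TLS, PBSZ, PROT P, CCC) are the standard ones.

```python
"""Audit an FTP/FTPS control-channel transcript for cleartext exposure.

Added example, not code from the original post. It walks the client
commands of a constructed session transcript ("C:" lines; "S:" server
replies are ignored) and reports credentials sent before AUTH TLS and
transfers made while the data channel was still clear (PROT C).
"""
from dataclasses import dataclass, field

# Commands that open a data connection, so they carry file content or
# directory listings over the data channel.
DATA_COMMANDS = {"RETR", "STOR", "STOU", "APPE", "LIST", "NLST", "MLSD"}


@dataclass
class Finding:
    line_no: int
    command: str
    problem: str


@dataclass
class AuditResult:
    tls_control: bool = False   # AUTH TLS/SSL in effect on the command channel
    tls_data: bool = False      # PROT P in effect on the data channel
    findings: list = field(default_factory=list)


def audit_transcript(transcript: str, implicit: bool = False) -> AuditResult:
    """Replay the client commands in order and record exposure.

    implicit=True models implicit FTPS (ports 990/989), where both
    channels are TLS-wrapped before the first command, so no AUTH TLS
    appears in the transcript.
    """
    result = AuditResult(tls_control=implicit, tls_data=implicit)
    for line_no, raw in enumerate(transcript.splitlines(), start=1):
        line = raw.strip()
        if not line.startswith("C:"):
            continue
        parts = line[2:].split(None, 1)
        if not parts:
            continue
        cmd = parts[0].upper()
        arg = parts[1].strip().upper() if len(parts) > 1 else ""
        if cmd == "AUTH" and arg in ("TLS", "SSL"):
            result.tls_control = True
        elif cmd == "PROT":
            # PROT P protects the data channel; PROT C (the default after
            # AUTH TLS) leaves it in the clear.
            result.tls_data = arg == "P"
        elif cmd == "CCC":
            # Clear Command Channel: later commands go back to plaintext.
            result.tls_control = False
        elif cmd in ("USER", "PASS") and not result.tls_control:
            result.findings.append(
                Finding(line_no, cmd, "credentials sent before AUTH TLS"))
        elif cmd in DATA_COMMANDS and not result.tls_data:
            result.findings.append(
                Finding(line_no, cmd, "transfer on unprotected data channel (no PROT P)"))
    return result


# Constructed transcripts. BAD_SESSION logs in first and only then steps
# up, and never issues PROT P; GOOD_SESSION is the correct order.
BAD_SESSION = """\
C: USER alice
S: 331 Password required for alice
C: PASS hunter2
S: 230 User logged in
C: AUTH TLS
S: 234 AUTH TLS successful
C: PBSZ 0
S: 200 PBSZ=0
C: RETR report.pdf
S: 150 Opening BINARY mode data connection
"""

GOOD_SESSION = """\
C: AUTH TLS
S: 234 AUTH TLS successful
C: PBSZ 0
S: 200 PBSZ=0
C: PROT P
S: 200 Protection set to Private
C: USER alice
S: 331 Password required for alice
C: PASS hunter2
S: 230 User logged in
C: RETR report.pdf
S: 150 Opening BINARY mode data connection
"""

if __name__ == "__main__":
    for name, text in (("bad", BAD_SESSION), ("good", GOOD_SESSION)):
        res = audit_transcript(text)
        print(f"{name}: {len(res.findings)} finding(s)")
        for f in res.findings:
            print(f"  line {f.line_no}: {f.command}: {f.problem}")
```

The same check can be run against a real session by feeding it the client commands extracted from a packet capture. On the bad session the findings are the two credential commands and the RETR; on the good session there are none. PROT C is the default after AUTH TLS, so a client that simply forgets PROT P transfers in the clear without any error.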

FTPS uses a combination of symmetric algorithms for bulk encryption (AES today; the older DES and 3DES should be disabled) and asymmetric algorithms for key exchange and authentication (RSA or DSA, and in modern configurations ECDSA), and it uses X.509 certificates for authentication. The actual algorithms are negotiated by TLS, so the server's TLS configuration determines how strong a session really is.

In summary, this protocol has the following features:

  • Widely known and used
  • Requires a secondary data channel, which complicates firewalls and NAT: once the control channel is encrypted, a firewall can no longer read the PORT/PASV exchange to open the data port
  • Does not have a uniform directory listing format
  • FTP and SSL/TLS support is built into many internet communications frameworks
  • Not all FTP servers support SSL/TLS
  • Provides services for server-to-server file transfer
  • SSL/TLS has good authentication mechanisms
  • Does not define a standard for file name character sets (encodings)

Source:  blog.ipswitch.com

 

SFTP 

SFTP uses only one connection and encrypts both the authentication information and the files being transferred. It can traverse the file system on the remote system (list, rename, delete, change permissions) as well as transfer files. SFTP runs over the SSH protocol, which authenticates the server by its host key and the user by password or key, and establishes the secure connection.

It is recommended that you create an SSH key pair and place your public key on every system you need to access. This is more secure than passwords and saves time in the long run. Protect the private key with a passphrase, keep it off shared machines, and on the server restrict what the key may do (for example, an SFTP-only account should not be able to open a shell).
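Keys only help if the server side is managed. The following added example (not from the original post) audits an OpenSSH authorized_keys file for an SFTP-only account: it decodes each key's wire format to get the type and size, and checks that the key carries the restrict and command= options that keep it from opening a shell. The sample keys are constructed with the encoders in the file (zero-filled and small-number key material), so they have the right format but are not usable keys; the thresholds and option checks are this example's own policy, not OpenSSH defaults.

```python
"""Audit an OpenSSH authorized_keys file for an SFTP-only account.

Added example, not from the original post. Parses each line (options,
key type, base64 blob, comment), decodes the blob for the key type and
size, and flags weak keys and keys that grant more than SFTP. The
sample keys are constructed below: correct wire format, not real keys.
"""
import base64
import struct


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n: int) -> bytes:
    # One spare byte guarantees a leading 0x00, so the value is positive.
    return _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

def _read_string(blob: bytes, off: int):
    (length,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + length], off + 4 + length

def key_strength(blob_b64: str):
    """Decode the wire blob; return (key type, key size in bits)."""
    blob = base64.b64decode(blob_b64)
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode()
    if ktype == "ssh-rsa":                       # fields: e, n
        _e, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        return ktype, int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-ed25519":                   # one 32-byte public key
        pk, _ = _read_string(blob, off)
        return ktype, len(pk) * 8
    if ktype.startswith("ecdsa-sha2-nistp"):     # curve name, e.g. nistp256
        curve, _ = _read_string(blob, off)
        return ktype, int(curve.decode()[5:])
    return ktype, 0                              # ssh-dss and unknown types

def _split(text: str, on_space: bool, max_fields=None):
    """Split on spaces (or commas) that are outside double quotes."""
    fields, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        sep = ch.isspace() if on_space else ch == ","
        if sep and not quoted and (max_fields is None or len(fields) < max_fields):
            if cur:
                fields.append("".join(cur))
                cur = []
            continue
        cur.append(ch)
    if cur:
        fields.append("".join(cur))
    return fields

def parse_line(line: str):
    """Return (options list, key type, blob, comment) for one line."""
    tokens = _split(line, True, 3)
    if tokens[0].startswith(("ssh-", "ecdsa-", "sk-")):   # no options field
        options, ktype, blob = "", tokens[0], tokens[1]
        comment = " ".join(tokens[2:])
    else:
        options, ktype, blob = tokens[0], tokens[1], tokens[2]
        comment = tokens[3] if len(tokens) > 3 else ""
    return _split(options, False), ktype, blob, comment.strip()

def audit_authorized_keys(text: str, min_rsa_bits: int = 2048) -> dict:
    """Map each key's comment to its list of problems (empty list = OK)."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        options, ktype, blob, comment = parse_line(line)
        _decoded, bits = key_strength(blob)
        problems = []
        if ktype == "ssh-dss":
            problems.append("ssh-dss is deprecated (off by default since OpenSSH 7.0)")
        elif ktype == "ssh-rsa" and bits < min_rsa_bits:
            problems.append(f"RSA modulus is only {bits} bits")
        names = {o.split("=", 1)[0] for o in options}
        if "restrict" not in names:
            problems.append("missing 'restrict': pty and forwarding stay enabled")
        if "command" not in names:
            problems.append("no forced command: the key also grants a shell")
        report[comment] = problems
    return report

def _blob(ktype: str, *fields: bytes) -> str:
    return base64.b64encode(_ssh_string(ktype.encode()) + b"".join(fields)).decode()

# Constructed key material (placeholder numbers and zero bytes), not real keys.
RSA_1024_BLOB = _blob("ssh-rsa", _ssh_mpint(65537), _ssh_mpint((1 << 1023) | 1))
ED25519_BLOB = _blob("ssh-ed25519", _ssh_string(bytes(32)))
DSS_BLOB = _blob("ssh-dss", _ssh_mpint(23), _ssh_mpint(11), _ssh_mpint(2), _ssh_mpint(4))

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file",
    f"ssh-rsa {RSA_1024_BLOB} legacy-batch@example",
    f'restrict,command="internal-sftp",from="10.0.0.0/8" ssh-ed25519 {ED25519_BLOB} partner-upload@example',
    f"ssh-dss {DSS_BLOB} old-vendor@example",
])
```

ssh-keygen -l -f prints the same type and size for a single key; the point of decoding the blob yourself is that the check can run over every account on a fleet. Adding from="..." to pin the client's source addresses, as the partner-upload key does, is a further restriction the example treats as optional.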

In summary, this protocol has the following features:

  • Strictly defines most aspects of its operations.
  • Uses only one connection.
  • Offers file manipulation, file locking and more functionality beyond plain transfer.
  • The connection is always secured.
  • No built-in SSH/SFTP support in the VCL and .NET frameworks.
  • The directory listing is uniform and machine-readable.
  • Uses SSH host keys rather than certificates; keys are harder to manage and validate, since there is no certificate authority and the client must verify or pin the host key fingerprint itself.
  • No server-to-server copy or recursive directory removal operations.
  • Sometimes leads to compatibility problems between software from different vendors.


Source:  help.relativity.com  and  digitalocean.com

 

 

Sending File by E-mail

Many people and organizations use email to transfer files over the Internet. Email is suitable for transferring small files, and it is useful when we want to send a written explanation about the file or files to the recipient.

The procedure is simply to create a regular email (recipient address, subject, text) and then attach the file that needs to be sent.

There are three forms of email service:

Private email service: any organization can run a dedicated email system within its own network. This has many uses and benefits for organizations, but is not the subject of this post.

Private email service published on the Internet: this is really an extension of the previous type. It is the same private email service, but because it is reachable from the Internet it can exchange mail with other private and public email services. Many organizations prefer a dedicated email service over public ones (such as Google or Outlook) for communicating with other organizations and individuals. The advantages and disadvantages of this strategy, and how to implement such a service, are not the subject of this post.

Public email service: we are all familiar with these. Providers such as Google, Yahoo and others, where most of us have at least one account and send email through the public service.

In terms of file transfer security, it doesn't matter which type of email service we use; what matters is whether we can send and receive email securely. Keep in mind that TLS between mail servers is negotiated hop by hop and is usually opportunistic, and that every mail server on the path, including your own provider, can read an unencrypted attachment. So the most important step for secure email is to encrypt the message itself end to end (for example with S/MIME or OpenPGP), or to encrypt the file before attaching it. We have provided detailed training on email encryption in a separate post.

 

 

Cloud Storage 

With a cloud file sharing service, one user uploads their data to a central repository and other users download the files to their own devices. All data is hosted by a third-party provider, although users can specify what permission levels to put on the files.

Cloud storage is a model of data storage in which data is stored on remote servers and accessed and managed via the Internet. It is maintained and supported by a cloud storage provider, and the user's data is available at any time. Cloud storage systems share the following characteristics:

  • The cloud storage provider is fully responsible for the back-end support and maintenance of the application.
  • The user gets direct, self-service access to cloud-based resources and built-in services without involving the provider.
  • Cloud-based resources can be accessed over the Internet at any time.
  • One cloud environment can be shared by multiple users; this is called the multi-tenant model.

Cloud storage services like Dropbox, OneDrive, Box, iCloud and Google Drive are good for storing files, photos and videos from your laptop to one centralized location – the cloud.

To use these services, a person must create an account. Creating an account is usually free, and most cloud storage providers also give each user some storage for free, for example 10 GB.

After you upload the file to the cloud storage, you can:

  1. Generate a download link for the file and give it to the person who should have access to it.
  2. Attach the file to an email and send it to the recipient.

Either way, you need to set access permissions for other people, such as read-only, read/write or full access. Be careful with links that work for “anyone with the link”: such a link is effectively public, since it can be forwarded and ends up in browser histories and logs. Where the service allows it, share with named accounts instead, or set an expiry date and a password on the link.

There are many cloud storage providers. Here are some criteria to consider when choosing one:

  • Limitations: identify any limits or restrictions the provider has on the number of files shared or the total amount of data stored.
  • Price: how much the service costs upfront and monthly or yearly.
  • Free space: does the provider give you any free space?
  • Security: research how your data is stored and what is done to protect it: whether it is encrypted in transit and at rest, who holds the encryption keys (the provider, or only you), and whether two-step verification is available.
  • Compatibility: find out which devices and operating systems are supported for file transfers.

Source:  varonis.com  and  techopedia.com

Here are some of the cloud storage providers:

 

Dropbox 

Dropbox seeks to provide a single place for individual users and organizations to store all of their important data. Syncing is a big focus of Dropbox, as it has native applications for mobile devices and allows you to take your files on the go.

File sharing with Dropbox is quick and simple. By just sharing a link, you can send anything – from photos and videos to zipped folders and large files – with anyone.


Dropbox has two plans for individuals:

  • Plus
  • Professional

and two plans for teams and organizations:

  • Standard
  • Advanced


Recipients do not need a Dropbox account to open a shared link, and you can share links and files from anywhere, using your phone, tablet or computer. A good cloud storage service should provide mobile apps (iOS, Android and Windows Phone) as well as desktop and web versions, and Dropbox has them all.

Dropbox is great for small and medium-sized businesses that do not require advanced features, and also for users looking to back up critical data.

Finally, Dropbox gives 2 GB of space to every free account.

Now for security:

  1. Dropbox files at rest are encrypted using 256-bit Advanced Encryption Standard (AES).
  2. Dropbox supports two-step verification.
  3. Shared files are viewable only by people who have the link, so the link itself is the secret: anyone it is forwarded to can open the file.
  4. Dropbox applications and infrastructure are regularly hardened to enhance security and protect against attacks.
  5. Dropbox uses SSL/TLS to protect data in transit between Dropbox apps and Dropbox servers.

Note that Dropbox, not the user, holds the keys for the at-rest encryption, so this is not end-to-end encryption: it protects against theft of the stored data, not against the provider itself (goal 1 above). If that matters, encrypt the file before uploading it.

Source: dropbox.com

 

Google Drive 

Google was one of the first companies to bring document collaboration to the cloud, with the Google Docs suite of browser-based tools that is now part of Google Drive.

If you have a Google account, you can share links and files from anywhere, using your phone, tablet or computer. With Google Drive you can share your files with any email address.

Google Drive provides a set of sharing permissions for files and folders that you set when sharing them.

Google Drive has mobile apps (iOS, Android and Windows Phone), a desktop version and a web version.

You also can make files available offline so you can view them when your phone or tablet loses service.

Google Drive is great for people who already have a Gmail account, and for small organizations that don't want to worry about local storage.

Google Drive gives 15 GB to every new user.

On security: connections to Google Drive are encrypted with TLS (what the source still calls SSL), the same protocol used for Gmail and other Google services.

The files you add to your Google Drive app or folder are stored on servers in secure data centers. Your data stored with Google is encrypted during transfer from your computer — and while it sits on Google Drive servers.

Google recommends using two-step verification on Google Drive accounts to add an extra layer of protection, and it says to always fully log out of your account when using shared or public computers.

Google Drive includes Google Docs, an online software suite for creating and collaborating on documents, spreadsheets and presentations. Google imposes a very high level of security on these online applications.

Google designs the security of its infrastructure in layers that build on one another, from the physical security of the data centers to the protections in its hardware and software. This is the concept of defense in depth.

Furthermore, Google claims it never gives any government entity, U.S. or otherwise, “backdoor” access to user data. As with Dropbox, Google holds the keys for the encryption of stored files, so it is not end-to-end by default; encrypt files yourself before uploading if the provider must not be able to read them.

Source: nytimes.com

 

iCloud Drive 

Apple has steadily been releasing improvements to its iCloud suite of online software. New Mac computers and iOS devices now come with iCloud Drive already installed so that files can be synced automatically.

You can keep files and folders up to date across all of your devices with iCloud Drive.

iCloud Drive is great for users who use Apple products at home and at work.

Advantages of iCloud Drive include freeing up storage space on the local disk and integration with iMessage and other Apple services.

iCloud Drive also has some disadvantages:

  • Limited integration with Windows.
  • Limited business support.

iCloud Drive gives 5 GB of free space to every new user. Is that an advantage or a disadvantage?

iCloud Drive has a web version that works in common browsers, and an app for Windows PCs and Macs.

You can store any type of file in iCloud Drive, as long as it’s 50GB or less in size and you don’t exceed your iCloud storage limit.

iCloud Drive has four plans:

  • 5 GB Storage: Free
  • 50 GB
  • 200 GB
  • 2 TB

Apple states that iCloud employs strict policies to protect your information and uses privacy-preserving technologies such as end-to-end encryption for some categories of data. End-to-end encrypted data can be accessed only by you, and only on devices where you are signed in to iCloud; no one else, not even Apple, can access it. That data is protected with a key derived from information unique to your device, combined with your device passcode, which only you know.

Read Apple's documentation carefully, though: in the standard configuration the end-to-end category covers specific kinds of data (passwords and Health data, for example), not ordinary iCloud Drive files. For iCloud Drive itself Apple lists a minimum of 128-bit AES encryption, both at rest and in transit, with keys that Apple holds; end-to-end protection of Drive files requires the optional Advanced Data Protection setting on newer systems. So, as with the other providers, encrypt sensitive files yourself if Apple must not be able to read them.

End-to-end encryption requires that two-factor authentication be turned on for your Apple ID. Keeping your software up to date and using two-factor authentication are the most important things you can do to maintain the security of your devices and data.

Source: support.apple.com

 

Microsoft OneDrive 

OneDrive has become an integral part of the Windows operating system. Individual users can back up their data and create shared folders across an organization.

OneDrive is great for businesses that use PCs with Windows, also for individuals with an Outlook email account.

OneDrive has granular permission settings and it is also usable with Office.

OneDrive has mobile apps (iOS, Android and Windows Phone), a desktop version and a web version.

Almost all Microsoft 365 plans include OneDrive (usually 1 TB per user). OneDrive is also available in a 100 GB plan, and it gives 5 GB of free space to every new user.

However, OneDrive also has disadvantages:

  • Integration on macOS is weaker than on Windows.
  • Upload and download speeds can be slow.

To stay secure, Microsoft recommends that OneDrive users do the following:

  1. Create a strong password for the Microsoft account.
  2. Add security info to the Microsoft account (an alternate email address, a security question and answer, or a phone number) so that if the user forgets the password or the account is hacked, Microsoft can use this information to verify the user and return the account or allow a password reset.
  3. Use two-factor verification, which protects the account by requiring an extra security code whenever the user signs in on a device that isn't trusted. The second factor can be a phone call, a text message or an app.
  4. Enable encryption on mobile devices: a user of the OneDrive mobile app should enable device encryption on iOS or Android.
  5. Subscribe to Microsoft 365 for advanced protection from viruses and cybercrime, and for ways to recover files after a malicious attack.

Microsoft also describes how it secures both the transfer of files to OneDrive and their storage there:

One common customer concern is that Microsoft engineers might have access to customer files. Microsoft states that its engineers manage OneDrive through a Windows PowerShell console that requires two-factor authentication, and that none of them has standing access to the service. When engineers need access, they must request it; eligibility is checked, and if access is approved, it is granted only for a limited time.

Microsoft also works to prevent personal data breaches. As a result, its engineers do not have access to the service unless it is explicitly granted in response to a specific incident that requires elevation of access. Whenever access is granted, it follows the principle of least privilege: the permission granted for a request allows only the minimal set of actions required to service that request. The “Access to Customer Data” role is distinct from the roles more commonly used to administer the service and is scrutinized most heavily before approval.

OneDrive and Microsoft 365 are equipped with real-time security monitoring systems. These systems raise alerts on attempts to illicitly access customer data or to illicitly transfer data out of the Microsoft service.

To secure data in transit, Microsoft does not allow authenticated connections over HTTP but redirects them to HTTPS, using TLS encryption.

For data at rest, Microsoft applies several types of protection:

  • Each file is encrypted at rest with a unique AES-256 key.
  • OneDrive servers are isolated from the Microsoft corporate network.
  • Only a limited number of essential personnel can gain access to the datacenters.
  • If OneDrive detects ransomware or another malicious attack, it immediately alerts the Microsoft 365 subscriber.
  • Intrusion detection (IDS) alerts monitor anomalous activity.
  • Firewalls limit traffic into the environment from unauthorized locations.
  • Virus scanning on download for known threats.
  • There are on-premises security officers, motion sensors and video surveillance.
  • To prevent unauthorized access to accounts, OneDrive monitors for and blocks suspicious sign-in attempts.
  • A Microsoft 365 subscriber can easily recover files to a point in time before they were affected, up to 30 days after the attack, and can restore the entire OneDrive up to 30 days after a malicious attack or other data loss such as file corruption or accidental deletes and edits.

As with the other providers, the per-file AES keys are managed by Microsoft, so from the user's point of view this is not end-to-end encryption.

Source: support.microsoft.com

 

Box 

Box is great for large companies that need to manage huge data systems across the globe because it integrates well with enterprise security systems and it allows for workflow configuration.

Box has four general plans:

  • Individual
  • Business
  • Enterprise
  • Platform

Box gives 10 GB of free space to each user.

Box has mobile apps for iOS, BlackBerry and Android, desktop versions for Windows and Mac, and a web version.

On the security side:

  • Box provides granular user permissions, with seven user-friendly sharing roles, and supports role-based access control.
  • Box can create a secure folder for users in which everything placed inside is automatically encrypted.
  • Through a third-party integration (CipherCloud), a customer's Box account can be scanned continuously for protected health information (PHI).
  • Box encrypts data in transit and at rest.

 

Aside from the cloud services we have looked at, there are countless other file hosting providers. Here are just a few:

https://rapidgator.net/

https://nitroflare.com/

http://uploaded.net/

 

 

Peer to Peer (P2P) 

The purpose of P2P file transfer is to remove the need for a central server that hosts the data. Instead, individual clients connect to a distributed network of peers and complete the file transfers over their own network connections. P2P is very popular; it is well suited to sharing files with a small group of people and to files that are unavailable in public repositories.

Explaining how these networks work in full would be extremely long, so it is better to read the survey article (from arxiv.org) first.

P2P networks also present privacy and identity issues. A peer's data stream may be compromised by fellow peers who help relay it. In P2P networks that distribute resources of dubious legality, once a peer's identity is compromised, further attacks, whether physical or legal, can be directed at that specific target.

One approach to attacking a P2P network is to inject useless data (poison) into the system: an attacker inserts large numbers of useless lookup key-value pairs into the index.

Poisoning can also be used as fodder for DDoS attacks, in two ways: index poisoning or route table poisoning.

  • In index poisoning, fake records are inserted into the index pointing to a target IP address and port number. When a peer searches for a resource, it receives bogus location information from the poisoned index, either from a central directory or from another peer, and tries to connect to the target.
  • In route table poisoning, the attacker exploits the fact that almost every P2P client maintains some routing state about the peers it is connected to. By advertising the target's address as a peer, the attacker gets many clients to add it to their routing tables. As a result, the target receives a flood of connection requests, which it will likely reject, but the flood itself is the attack.
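To make the index-poisoning mechanism concrete, here is an added example (not from the original post or the cited survey) that simulates a small index, an attacker flooding it with records that point at a victim, and two client strategies: a naive one that contacts every record and trusts the first reply, and a hardened one that deduplicates endpoints, caps connection attempts and verifies downloaded data against the content hash. All peers, addresses and the file are constructed in-process; nothing touches the network.

```python
"""Index poisoning in a toy P2P lookup, with a naive and a hardened client.

Added example, not from the original post or the cited paper. Index,
peers and attacker are all simulated in-process.
"""
import hashlib
from collections import Counter


def content_key(data: bytes) -> str:
    """Content-addressed key: a client can check what it downloads against it."""
    return hashlib.sha256(data).hexdigest()


class Index:
    """Lookup index mapping key -> [(ip, port), ...]. Anyone may publish and
    nothing is verified, which is exactly what index poisoning abuses."""

    def __init__(self):
        self.records = {}

    def publish(self, key, ip, port):
        self.records.setdefault(key, []).append((ip, port))

    def lookup(self, key):
        return list(self.records.get(key, []))


def poison(index, key, victim, count):
    """Attacker: flood the index with records that all point at the victim."""
    for _ in range(count):
        index.publish(key, *victim)


def naive_fetch(index, key, peers):
    """Contact every record in order and accept the first reply unverified.
    Returns (data or None, connection attempts per endpoint)."""
    attempts = Counter()
    for endpoint in index.lookup(key):
        attempts[endpoint] += 1
        data = peers.get(endpoint)        # None models a refused connection
        if data is not None:
            return data, attempts
    return None, attempts


def hardened_fetch(index, key, peers, max_attempts=8):
    """Deduplicate endpoints, cap attempts, and accept only data whose hash
    matches the key; every bogus record costs at most one attempt."""
    attempts = Counter()
    seen = []
    for endpoint in index.lookup(key):
        if endpoint not in seen:
            seen.append(endpoint)
    for endpoint in seen[:max_attempts]:
        attempts[endpoint] += 1
        data = peers.get(endpoint)
        if data is not None and content_key(data) == key:
            return data, attempts
    return None, attempts


# Constructed scenario: one honest peer, one peer serving garbage, and a
# victim that runs no P2P service at all (a web server, say).
FILE = b"quarterly-report-v3"
KEY = content_key(FILE)
HONEST = ("10.1.1.5", 6881)
LIAR = ("198.51.100.7", 6881)
VICTIM = ("203.0.113.9", 80)
PEERS = {HONEST: FILE, LIAR: b"not the file"}     # VICTIM absent: refuses


def build_poisoned_index(bogus_records=500):
    index = Index()
    poison(index, KEY, VICTIM, bogus_records)      # attacker publishes first
    index.publish(KEY, *LIAR)
    index.publish(KEY, *HONEST)
    return index


def compare(bogus_records=500):
    """Return (naive got the real file, naive hits on victim,
               hardened got the real file, hardened hits on victim)."""
    index = build_poisoned_index(bogus_records)
    n_data, n_att = naive_fetch(index, KEY, PEERS)
    h_data, h_att = hardened_fetch(index, KEY, PEERS)
    return n_data == FILE, n_att[VICTIM], h_data == FILE, h_att[VICTIM]


if __name__ == "__main__":
    print(compare())
```

The hardened client hits the victim once instead of 500 times and rejects the garbage because its hash does not match the key, while the naive client both floods the victim and accepts the wrong file. The cost is the attempt cap: if the only honest peer sits beyond it, the fetch fails instead of trying forever, so a real client combines the cap with querying additional peers or index sources.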

The basis of security in these networks is to make it difficult or impossible to identify the network traffic as P2P traffic. If a node can also make its own traffic unrecognizable, that is a very important step.

So there are two approaches to securing P2P networks:

  • Encrypting P2P traffic: with the connection stream encrypted, P2P traffic becomes much harder to detect and therefore to attack, block or throttle. Clients typically use only a 60-80-bit cipher for this, which obfuscates the stream enough that it is not detectable without a large performance hit. Note that such a key size is far too small for confidentiality: this obfuscation hides which protocol you are using from a middlebox, it does not keep the file contents secret from a determined observer.
  • Anonymizing the peers: by anonymizing peers, the P2P network can protect the identity of nodes and users, something encryption alone cannot ensure. Using encryption together with anonymous P2P would give possibly the most secure P2P experience available today.

Source: varonis.com  and  cse.wustl.edu

 

———————————

Sources:

varonis.com

blog.ipswitch.com

techopedia.com

nytimes.com

cse.wustl.edu

dropbox.com

support.apple.com

pandasecurity.com