Incident response to Heartbleed (CVE-2014-0160)

09 Apr 2014 by Drew Fisher

As many of our security-conscious readers may already be aware, information was recently released about a vulnerability widely referred to as Heartbleed (CVE-2014-0160) in the OpenSSL toolkit, a cryptography library used by AeroFS and countless others across the Internet.

AeroFS has no reason to believe that the attack has been used to compromise the integrity or confidentiality of any of our services or of our users' data. Even so, due to the hard-to-detect nature of the attack, we're taking a very broad view of the potential impact and responding with maximal caution.

What is AeroFS doing in response?

AeroFS uses OpenSSL in many ways, and we've been working hard to make sure that our users' data and accounts are kept safe. Specifically:

  • We've been busily patching our servers. As of 2014-04-07 20:00 PDT, all of our servers have been updated to use a newer, protected version of OpenSSL.
  • We've been reissuing SSL keys and certificates for both our public *.aerofs.com servers and internal service credentials. As of 2014-04-09 10:00 PDT, all of our servers are using only newly-generated keys and certificates. Additionally, we've asked RapidSSL to revoke our old certificates, just to be on the safe side.
  • We've rebuilt and released a new version of the AeroFS Hybrid Cloud client with the fixed OpenSSL on 2014-04-08 15:10, which most of our users are already running. AeroFS 0.8.25 and 0.8.26 are both securely patched.
  • We've rebuilt and released a new version of the AeroFS Private Cloud appliance with the fixed OpenSSL.
  • We've forcibly reset browser sessions that were active prior to 2014-04-09 15:00 PDT.

What can you do?

AeroFS has no reason to believe that the attack has been used to compromise the integrity of any of our services or of our users' data. Even so, if you want to be extra careful, you can:

  • Make sure you update your AeroFS client to at least release version 0.8.25. AeroFS will update itself automatically, but you can do it manually too.
  • Reset your AeroFS password.
  • Double check your list of devices and shared folders for any unexpected devices or users in your shared folders.
  • If you are supremely paranoid, unlink and reinstall each of your devices.

Additionally, if you're a Private Cloud customer, or administer an AeroFS Private Cloud instance, you should:

  • Reset your Private Cloud password
  • Download and upgrade to the latest appliance (at least version 0.8.27) on your network. Be sure to take down any instances older than 0.8.27: these may still be vulnerable to Heartbleed.
  • Encourage your users to update their AeroFS clients and reset their AeroFS passwords.

If you have any questions about our security response, please email us at security@aerofs.com.

Reminder - New HIPAA Rules as of Sept, 2013

03 Apr 2014 by Yuri Sagalov

At AeroFS, a lot of our users and customers come from medical backgrounds -- doctors, hospitals, clinics, and other medical practitioners.

One of the most common questions we get asked is what to do about HIPAA compliance, specifically as it relates to personally identifiable information (PII) and HIPAA and they're often surprised to hear that new regulations that came into effect on September 23, 2013 mean that Software-as-a-Service (SaaS) vendors may now be directly subject to HIPAA rules.

As of September 23, 2013, any Business Associate is now directly responsible for complying with HIPAA's requirements for privacy and security of protected health information. Naturally, the next question is who is a "Business Associate"? A "Business Associate" is any party involved in the processing, storage or transmission of a patient's medical data, which includes many SaaS and Cloud providers.

This definition means that even if a third party simply transmits data and does not even store it, they are still subject to HIPAA regulations.

HIPAA Compliance is a tricky matter, and if you're reading this blog because you're wondering what sort of file sharing service will allow you to transmit/receive protected health information within your organization or team (or even to and from patients), we suggest adopting the AeroFS Private Cloud. Your organization will still be subject to HIPAA rules in its processing/handling of patient information, but at least you won't run into the issue of a SaaS provider prohibiting use of its service to share HIPAA protected information.

If you still have questions about HIPAA compliance, feel free to shoot us an email at support@aerofs.com

All the best,

Yuri & the AeroFS Team.

ps. In this particular blog post, I've been advised that I should leave a standard disclaimer -- this is not legal advice :)

Choosing the Private Cloud for secure file syncing

06 Mar 2014 by Ryan Lackey

Editor's Note: This is a guest post by Ryan Lackey (@octal)

One important security technique is ensuring all actions leave a record, and that that record is reviewed by multiple parties.

While preventing bad actions is always desirable, sometimes that’s difficult while meeting performance, reliability, cost, or other goals. A reliable record of malfeasance supports investigations after the fact, allows additional protections to be added to address specific threats, and is an inexpensive backstop for a variety of systems. Independent review of those records helps ensure the records are accurate and that improper activities are stopped.

This principle has been part of how humans deal with security for a very long time. Double-entry bookkeeping, invented in the late 13th century in Italy, is one of the first examples -- a clerk wouldn't be able to simply pay someone money without leaving a clear record for the owner to see. Audit and financial controls within a company are the modern business manifestation -- the employee who incurs the expense isn't the one to approve and pay the expense report. In retail, stores provide printed receipts to customers, both to prevent fraud by cashiers and for taxation authorities to prevent tax fraud by the stores. All of these systems are built around making it hard to hide the records of one's actions from independent review.

Consumerization of IT

A major trend in computing over the past decade has been the "consumerization of IT". In many ways this has been good -- a shift away from expensive, difficult to deploy, all-or-nothing systems toward smaller systems which can be selected, adopted, and maintained much closer to the end user. A general increase of performance and decrease in cost across all systems, a decreased level of training and increased ease of use, and rapid adoption of new technologies (mobile, tablets) are all contributing to an exciting time in the technology industry.

Unfortunately, one of the problems with the modern Software as a Service (SaaS) or public cloud model for applications is a weakening of this protection. Users have no visibility into back-end details of software running entirely on a provider's remote systems. While that software could be great when the contract is signed, it's possible for a company to weaken systems in a way invisible to the user -- perhaps to save money, or to add a new feature, or to comply with external pressure, or merely by mistake. Even more alarming, a rogue employee at a provider could subvert systems without the knowledge of the provider or the customer. Or, an outside attacker could subvert systems, and without a robust record-keeping infrastructure, make changes which are difficult to detect and which hurt both the customer and the reputation of the provider.

The Private Cloud

Boxed software, the predominant model in the past, largely addressed this problem by shipping discrete releases on a periodic schedule, to be run on the user's own infrastructure. This software, once it was handed over, could be reviewed by the buyer, sometimes including source code audits or third party security assessments and certifications. Most importantly, the publisher of the software couldn't readily substitute a new software update without leaving a record -- the binary application which would run on the client's own hardware. If a publisher included backdoors, major vulnerabilities, or other malware in their software packages, the user could see what had happened, and could either improve their pre-deployment security assessment process, or switch software vendors.

Running on the client's own infrastructure provided another protection. A smart deployment of packaged software included many interlocking layers of prevention, detection, and correction of improper behavior, both by software and by users. Firewalls could prevent sensitive systems from directly connecting to the outside world. External logging systems could create accurate records of the operation of systems, and independent systems could interoperate so the compromise of any one wouldn't be sufficient to leak data. Backup tools could allow protection from catastrophic failures, as well as a historical record of when system configurations changed. While any one of these controls may have been subverted, the combination could be made robust.

To resolve this conflict between the cost savings and feature advantages of the public cloud, and the security advantages of the old in-house IT model, we can try another model: the private cloud. Software for the private cloud is used in much the same way as public cloud software, but is designed to be deployed to physical infrastructure within the enterprise.

Private Cloud File Syncing

Private cloud file syncing and collaboration has many advantages over public cloud file sharing solutions (particularly around network performance and overall reliability), but from a security perspective, the private cloud is much more compatible with the kind of robust security architecture a smart enterprise would want guarding their critical data assets. By being hosted within the enterprise, on a private cloud, the existing firewall, IDS, logging, and other controls can protect the private cloud deployment. Private cloud auditing services provide a simple way for Security Information and Event Management (SIEM) and log analysis software to observe activities at the file level and protect critical data.

Private cloud deployments still offer the benefits of the consumerization of IT, being cheap and easy to deploy, easy to use, and supporting a variety of platforms, while having good intrinsic security and great compatibility with existing security controls.

Ryan Lackey is a computer security expert, conference speaker, and founder of several startups. He is interested in new models of cloud security, hardware tamper-response and trusted computing, and security for mobile users in hostile environments. He is currently CEO of CryptoSeal, Inc. in San Francisco, CA.

AeroFS Auditing and Content API Launch

11 Feb 2014 by Yuri Sagalov

The AeroFS Private Cloud is a great solution for businesses which suffer from unauthorized file syncing and collaboration usage due to the consumerization of IT. Today we're launching two new features for the AeroFS Private Cloud: The AeroFS Auditing Service, which allows IT to audit all usage within AeroFS in real-time, and the AeroFS API, which allows developers to build amazing new collaboration tools and products for the private cloud.

The AeroFS Auditing Service

Audit trails are the cornerstone of IT security, and although AeroFS has long supported them through features such as Sync History and "Recent Activities", today's feature launch centralizes this functionality through the AeroFS Auditing Service that logs most activities that happen within AeroFS:


  • Employee/Vendor accounts created/modified/deleted
  • File creations, modifications, deletions, as well as who performed them
  • New devices (whether corporate, or otherwise) that are added to your AeroFS Private Cloud
  • Sharing invitations with internal and external users, who performed them, and when
  • And so on.

The AeroFS Auditing Service provides a well-structured JSON feed that is timestamped with the exact time an event has happened. The Auditing Service integrates with Splunk, or your existing logging infrastructure out of the box.

Getting started with the AeroFS Auditing Service is easy, and you can learn more here

Content API

One of the most common requests we've heard from the technical community is the ability to build your own tools on top of the AeroFS Private Cloud ecosystem, and with today's Content API launch—you can!

The AeroFS Private Cloud now provides a RESTful Content API for content access and uses OAuth 2.0 for user authorization. The Content API allows developers to perform various operations on content stored in AeroFS:

  • List, create, move, and delete folders and files
  • Download metadata about files and folders(e.g. name, parent folder, last-modified, and so on)
  • Download content, and upload content

The get/upload content functionality allows developers to perform streaming uploads and downloads

We're firm believers in dog-fooding our own products, and the Content API is no exception. The AeroFS Content API is already in use by the AeroFS Private Cloud iOS Application.

The AeroFS developer documentation lives at https://www.aerofs.com/developers, and we encourage you to go through examples posted there.

You can sign up and start using the AeroFS Content API for internal development and experimentation today. However, before publication your application we ask that you contact us at api@aerofs.com.

We've also setup a mock Content API server at docs.apiary.io so you can begin experimenting immediately.

Finally, we encourage you to subscribe to our api-announce mailing list.

All the best,

Yuri & The AeroFS Team

An iOS Client for the AeroFS Private Cloud

22 Jan 2014 by Yuri Sagalov

As mobile continues to penetrate the Enterprise, BYOD is no longer simply a question mark, it is a reality. Not only do employees want access to their work data at home, they are now bringing in mobile devices like the iPhone and the iPad into the office.

Lacking a proper solution, these employees use (often in secret) public cloud file syncing and collaboration products which are undermining the ability of IT administrators to control the security and privacy of their corporate data. Worse, they are often violating compliance and regulatory requirements.

Last November we released the AeroFS Private Cloud. The AeroFS Private Cloud is an easy-to-configure file sync and share solution that lets corporations enable modern collaboration, while still keeping their data completely behind the corporate firewall.

Today we are releasing an important next step in the AeroFS Private Cloud ecosystem: The AeroFS Private Cloud iOS App.


AeroFS iOS app

The iOS App allows employees to access their corporate data, but unlike traditional cloud-based file syncing apps, the iOS app does not require data to be stored in the public cloud.

The iOS app is designed to address the growing BYOD movement within the Enterprise. It allows IT administrators to enable file syncing and collaboration on one of the most popular mobile platforms in the world without compromising their own data security and privacy policies.

Using the iOS App

Like the desktop AeroFS apps, the iOS app is designed to be easy to setup and use. Since the AeroFS iOS App is distributed through Apple's App store, it needs to easily be configured to talk to your organization's AeroFS Private Cloud.

However, instead of manually entering error-prone information such as hostnames, ports, and security certificates, we opted for the simple QR-code based approach shown below:


AeroFS iOS App Sign In Page AeroFS iOS App QR Code Page


This approach simplifies IT admin overheads by keeping the on-boarding flow for employees simple. Employees, in turn, get to experience the same "one-click" install process they've come to expect from the AeroFS Desktop apps, completely on their mobile platform.

Usage of the AeroFS iOS app is native and intuitive. The app displays the same folder hierarchy that you have on your own machine, allowing you to view and download whichever files you would like:


AeroFS iPad App screenshot


Questions? Comments? Shoot us an email at business@aerofs.com

All the best,

Yuri & The AeroFS Team