DigitalSafe Security, Technical Features and Privacy

Privacy

DigitalSafe fully complies with:

  • the Swiss Federal Act on Data Protection (FADP),
  • the Freedom of Information and Protection of Privacy Act (FOIPPA),
  • the Personal Information Protection and Electronic Documents Act (PIPEDA),
  • the Health Insurance Portability and Accountability Act (HIPAA),
  • the Payment Card Industry Data Security Standard (PCI DSS).
  • All data is stored in Switzerland!
  • Swiss security and confidentiality standards are 100% guaranteed!

Technical features

System support

DigitalSafe supports any operating system and software capable of running the following browsers:

  • Internet Explorer 7 or later
  • Firefox 3 or later
  • Safari 4 or later
  • Chrome 4 or later

These version floors date the page: browsers this old cannot negotiate TLS 1.2, so confirm the current requirements before relying on them.

Supported operating systems (32-bit and 64-bit) include, but are not limited to:

  • Windows XP
  • Windows Vista
  • Windows 7
  • Mac OS X
  • Linux
  • FreeBSD

Data center infrastructure

The PCI DSS-validated hardware architecture includes:

  • Round-the-clock monitoring of all servers, devices and the network environment by a third party
  • Fully redundant web servers with failover
  • Fully redundant database servers with failover
  • Failover network connections
  • Per-person access control for all equipment
  • Motion-detecting cameras
  • Fully automated internal backup system for fast recovery after a large-scale failure
  • Environmentally friendly, highly robust data center equipment: the Swiss data center runs entirely on green technology
  • Background checks on all staff (including executives)
  • All data is kept in a Tier 3 data center in Switzerland.
  • The data center holds ISO 9001:2000 certification from SGS (a quality-management standard, not an information-security one such as ISO 27001)
  • Our data center fully complies with the security standards of the SFB (Swiss Federal Banking) commission
  • 99.999% service level agreement
  • Swiss security and confidentiality standards are fully guaranteed!

Encryption

At DigitalSafe all data, including user authentication data, is transmitted over the internet and stored on our servers in encrypted form.

All connections to our servers, for every user, are protected by SSL/TLS with 2048-bit RSA certificate keys. (The 2048 bits refer to the server certificate's RSA key; the session data itself is encrypted with a symmetric cipher such as AES that TLS negotiates for each connection.)

Passwords

Passwords are hashed with the bcrypt algorithm (a one-way hash, not reversible encryption: the password itself is never stored). Locking the account after a preset number of failed logins stops anyone from guessing a password online. Because bcrypt carries a configurable work factor that makes each hash deliberately slow, rapid guessing against a stolen hash is impractical as well.
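The lockout and slow-hash combination described above, as an added example that is not DigitalSafe's code. It uses PBKDF2-HMAC-SHA256 from Ruby's bundled OpenSSL in place of bcrypt (which needs a third-party gem), since both make every guess cost a tunable amount of CPU; the Account class, the five-attempt limit, the iteration count and the sample passwords are all assumptions made for illustration.

```ruby
require "openssl"
require "securerandom"

# Added example (not DigitalSafe's code). PBKDF2-HMAC-SHA256 from Ruby's bundled
# OpenSSL stands in for bcrypt, which needs the third-party bcrypt gem; both
# charge a tunable amount of CPU per guess. WORK_FACTOR and MAX_FAILURES are
# assumed values, not figures from the page.
WORK_FACTOR  = 100_000 # PBKDF2 iterations; raise as hardware gets faster
MAX_FAILURES = 5       # failed logins before the account locks

class Account
  attr_reader :failures

  def initialize(password)
    @salt = SecureRandom.random_bytes(16) # per-user salt: same password, different hash
    @hash = Account.slow_hash(password, @salt)
    @failures = 0
  end

  def self.slow_hash(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: WORK_FACTOR,
                             length: 32, hash: "sha256")
  end

  # Compares every byte regardless of where the first mismatch is, so response
  # time does not reveal how much of a candidate hash was right.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def locked?
    @failures >= MAX_FAILURES
  end

  # Returns :ok, :bad_password or :locked. The lock is checked before the
  # password, so a locked account refuses even the right password.
  def login(password)
    return :locked if locked?
    candidate = Account.slow_hash(password, @salt)
    unless Account.constant_time_equal?(candidate, @hash)
      @failures += 1
      return :bad_password
    end
    @failures = 0
    :ok
  end
end

# What one offline guess costs an attacker who has stolen the hash and salt:
# the work factor, not the lockout, is the only defence at that point.
def seconds_per_guess
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  Account.slow_hash("guess", "0" * 16)
  Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0
end

if __FILE__ == $PROGRAM_NAME
  acct = Account.new("correct horse battery")
  puts acct.login("correct horse battery") # ok
  6.times { puts acct.login("hunter2") }   # bad_password five times, then locked
  puts acct.login("correct horse battery") # locked: right password, locked account
  puts format("%.3f s per guess at %d iterations", seconds_per_guess, WORK_FACTOR)
end
```

Two different attackers are addressed here: the online guesser is stopped by the lockout, while the offline attacker who already holds the hash and salt is slowed only by the work factor, which seconds_per_guess measures on the machine that runs it. Raise the iteration count (or bcrypt's cost parameter) as hardware improves, and treat the in-memory failure counter as a placeholder for one persisted with the account.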

When the session times out while no one is using the computer, the system returns to the login page.

Notes

Notes are encrypted in the system with AES-256, and the encryption key is kept on a separate server that is not reachable from the internet.

To provide the highest level of privacy and security, users can choose whether their password is used to encrypt their data. If it is, the data cannot be decrypted without knowing the password, and even DigitalSafe staff cannot decrypt it.

However, this also means the password cannot be recovered: if it is lost, the data is permanently inaccessible.
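One way to build what the two paragraphs above describe, as an added example rather than DigitalSafe's own code: each note is sealed with AES-256-GCM under its own random data key, and that data key is wrapped either under a master key (standing in for the key held on the separate server) or, when the user opts in, under a key derived from the user's password. The page names only AES-256; GCM, the envelope layout, the PBKDF2 derivation, the iteration count, the Note structure and the sample note are assumptions made here.

```ruby
require "openssl"
require "securerandom"

# Added example (not DigitalSafe's code) of the arrangement the page describes:
# each note is sealed with AES-256-GCM under its own random data key, and that
# data key is wrapped either under the server's master key or, when the user
# opts in, under a key derived from the user's password. GCM, the envelope
# layout and ITERATIONS are assumptions; the page only names AES-256.
ITERATIONS = 100_000

Note = Struct.new(:ciphertext, :wrapped_key, :kdf_salt, :password_bound)

def gcm(key, mode)
  c = OpenSSL::Cipher.new("aes-256-gcm")
  mode == :encrypt ? c.encrypt : c.decrypt
  c.key = key
  c
end

# Blob layout: 12-byte IV || 16-byte GCM tag || ciphertext.
def seal(key, plaintext)
  c = gcm(key, :encrypt)
  iv = c.random_iv
  body = c.update(plaintext) + c.final
  iv + c.auth_tag + body
end

# Raises OpenSSL::Cipher::CipherError on a wrong key or any tampering.
def open_sealed(key, blob)
  raise OpenSSL::Cipher::CipherError, "blob too short" if blob.bytesize < 29
  c = gcm(key, :decrypt)
  c.iv = blob[0, 12]
  c.auth_tag = blob[12, 16]
  c.update(blob[28..-1]) + c.final
end

def derive_key(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                           length: 32, hash: "sha256")
end

# master_key models the key kept on the separate, non-internet-facing server:
# in production the wrap/unwrap under it would happen there, not on the web tier.
def encrypt_note(text, master_key, password: nil)
  data_key = SecureRandom.random_bytes(32)
  note = Note.new(seal(data_key, text), nil, nil, !password.nil?)
  if password
    # A salt of its own: reusing the login salt would let whoever steals the
    # password table derive this key as well.
    note.kdf_salt = SecureRandom.random_bytes(16)
    note.wrapped_key = seal(derive_key(password, note.kdf_salt), data_key)
  else
    note.wrapped_key = seal(master_key, data_key)
  end
  note
end

# Returns the plaintext, or nil when the data key cannot be unwrapped: wrong
# master key, wrong or missing password, or a modified blob. For a
# password-bound note the master key alone is useless, which is exactly why
# a forgotten password means the note is gone for good.
def decrypt_note(note, master_key, password: nil)
  if note.password_bound
    return nil if password.nil?
    kek = derive_key(password, note.kdf_salt)
  else
    kek = master_key
  end
  data_key = open_sealed(kek, note.wrapped_key)
  open_sealed(data_key, note.ciphertext).force_encoding(Encoding::UTF_8)
rescue OpenSSL::Cipher::CipherError
  nil
end

if __FILE__ == $PROGRAM_NAME
  master = SecureRandom.random_bytes(32)
  plain = "Safe combination: 12-34-56"          # constructed sample note
  server_note = encrypt_note(plain, master)
  bound_note  = encrypt_note(plain, master, password: "correct horse battery")
  p decrypt_note(server_note, master)                                   # readable with the master key
  p decrypt_note(bound_note, master)                                    # nil: master key is not enough
  p decrypt_note(bound_note, master, password: "correct horse battery") # readable
  p decrypt_note(bound_note, master, password: "forgotten")             # nil: lost password, lost note
end
```

The two nil results are the page's caveat in code: decrypt_note fails for a password-bound note when only the master key is available, which is the property that keeps staff out, and it fails just the same when the password is wrong or forgotten, which is why there is no recovery path. The derived key gets its own salt rather than reusing the login hash; using the login hash as the key would hand the notes to anyone who copies the password table.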

Physical security

DigitalSafe's secure personal-notes application stores data in the highest-quality data center in Switzerland, a country known for rigorous quality control and standards. DigitalSafe has the physical space needed to house its servers and keep them running 24 hours a day, seven days a week, even during power outages or major natural disasters.

These high-quality facilities are designed to our requirements and feature raised floors, HVAC climate-control systems with separate cooling zones, and reinforced racks. They provide the highest level of physical security and are equipped with advanced smoke detection and fire suppression, motion sensors, secure 24/7 access, closed-circuit cameras and intrusion alarms.

Network security

In line with the Payment Card Industry Data Security Standard (PCI DSS), our network infrastructure is monitored 24 hours a day, seven days a week by a third party that scans services and applications for vulnerabilities. In addition, we carry out an annual multi-day internal audit covering every aspect of the system, from software development to hardware deployment and from staff policies to password management. DigitalSafe meets more than 200 criteria to keep compliance at the highest level.

Commitment to the Open Web Application Security Project

DigitalSafe is developed according to the Open Web Application Security Project (OWASP) guidelines, and all developers are trained in OWASP practices. As PCI DSS requires, DigitalSafe's developers address all of the OWASP Top 10 vulnerabilities.

No USA PATRIOT Act Storage

DigitalSafe prides itself on storing your information in a politically and economically stable and neutral country, Switzerland. Switzerland is not subject to the USA PATRIOT Act. This keeps your information out of reach of competitors, agencies and other parties with their own motives who would pry into your privacy and take your data without your knowledge.

We have compiled a small list of website links and sample texts in order to inform you of what the USA PATRIOT Act is. DigitalSafe has no servers based in the USA. ALL our servers are based in Switzerland where we run our Swiss online backup digital vaults platform.

USA PATRIOT Act – how it impacts business:

(All the information posted is taken from various sources. The links are provided for each section.)

http://en.wikipedia.org/wiki/USA_PATRIOT_Act

The USA PATRIOT Act (commonly known as the “Patriot Act”) is an Act of the U.S. Congress and signed into law by President George W. Bush on October 26, 2001. The title of the Act is a contrived acronym, which stands for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001.

The Act dramatically reduced restrictions on law enforcement agencies’ ability to search telephone, e-mail communications, medical, financial, and other records; eased restrictions on foreign intelligence gathering within the United States; expanded the Secretary of the Treasury’s authority to regulate financial transactions, particularly those involving foreign individuals and entities; and broadened the discretion of law enforcement and immigration authorities in detaining and deporting immigrants suspected of terrorism-related acts. The act also expanded the definition of terrorism to include domestic terrorism, thus enlarging the number of activities to which the USA PATRIOT Act’s expanded law enforcement powers could be applied.

http://en.wikipedia.org/wiki/USA_PATRIOT_Act

Title II: Surveillance procedures

Main article: USA PATRIOT Act, Title II

Title II is titled “Enhanced Surveillance Procedures”, and covers all aspects of the surveillance of suspected terrorists, those suspected of engaging in computer fraud or abuse, and agents of a foreign power who are engaged in clandestine activities. It primarily made amendments to FISA, and the ECPA, and many of the most controversial aspects of the USA PATRIOT Act reside in this title. In particular, the title allows government agencies to gather “foreign intelligence information” from both U.S. and non-U.S. citizens, and changed FISA to make gaining foreign intelligence information the significant purpose of FISA-based surveillance, where previously it had been the primary purpose.[37] The change in definition was meant to remove a legal “wall” between criminal investigations and surveillance for the purposes of gathering foreign intelligence, which hampered investigations when criminal and foreign surveillance overlapped.[38] However, that this wall even existed was found by the Federal Surveillance Court of Review to have actually been a long-held misinterpretation by government agencies. Also removed was the statutory requirement that the government prove a surveillance target under FISA is a non-U.S. citizen and agent of a foreign power, though it did require that any investigations must not be undertaken on citizens who are carrying out activities protected by the First Amendment.[39] The title also expanded the duration of FISA physical search and surveillance orders,[40] and gave authorities the ability to share information gathered before a federal grand jury with other agencies.[41]
The scope and availability of wiretapping and surveillance orders were expanded under Title II. Wiretaps were expanded to include addressing and routing information to allow surveillance of packet switched networks[42] — the Electronic Privacy Information Center (EPIC) objected to this, arguing that it does not take into account email or web addresses, which often contain content in the address information.[43] The Act allowed any district court judge in the United States to issue such surveillance orders[42] and search warrants for terrorism investigations.[44] Search warrants were also expanded, with the Act amending Title III of the Stored Communications Access Act to allow the FBI to gain access to stored voicemail through a search warrant, rather than through the more stringent wiretap laws.[45]

Various provisions allowed for the disclosure of electronic communications to law enforcement agencies. Those who operate or own a “protected computer” can give permission for authorities to intercept communications carried out on the machine, thus bypassing the requirements of the Wiretap statute.[46] The definition of a “protected computer” is defined in 18 U.S.C. § 1030(e)(2) and broadly encompasses those computers used in interstate or foreign commerce or communication, including ones located outside the United States. The law governing obligatory and voluntary disclosure of customer communications by cable companies was altered to allow agencies to demand such communications under U.S.C. Title 18 provisions relating to the disclosure of electronic communications (chapter 119), pen registers and trap and trace devices (chapter 206) and stored communications (121), though it excluded the disclosure of cable subscriber viewing habits.[47] Subpoenas issued to Internet Service Providers were expanded to include not only “the name, address, local and long distance telephone toll billing records, telephone number or other subscriber number or identity, and length of service of a subscriber” but also session times and durations, types of services used, communication device address information (e.g. IP addresses), payment method and bank account and credit card numbers.[48] Communication providers are also allowed to disclose customer records or communications if they suspect there is a danger to “life and limb”.[49]

Title II established three very controversial provisions: “sneak and peek” warrants, roving wiretaps and the ability of the FBI to gain access to documents that reveal the patterns of U.S. citizens. The so-called “sneak and peek” law allowed for delayed notification of the execution of search warrants. The period before which the FBI must notify the recipients of the order was unspecified in the Act — the FBI field manual says that it is a “flexible standard”[50] — and it may be extended at the court’s discretion.[51] These sneak and peek provisions were struck down by judge Ann Aiken on September 26, 2007 after a Portland attorney, Brandon Mayfield was wrongly jailed because of the searches. The court found the searches to violate the provision that prohibits unreasonable searches in the Fourth Amendment to the U.S. Constitution.[52][53]

Roving wiretaps are wiretap orders that do not need to specify all common carriers and third parties in a surveillance court order. These are seen as important by the Department of Justice because they believe that terrorists can exploit wiretap orders by rapidly changing locations and communication devices such as cell phones,[54] while opponents see it as violating the particularity clause of the Fourth Amendment.[55][56] Another highly controversial provision is one that allows the FBI to make an order “requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution.”[57] Though it was not targeted directly at libraries, the American Library Association (ALA), in particular, opposed this provision. In a resolution passed on June 29, 2005 they stated that “Section 215 of the USA PATRIOT Act allows the government to secretly request and obtain library records for large numbers of individuals without any reason to believe they are involved in illegal activity.”[58] However, the ALA’s stance did not go without criticism. One prominent critic of the ALA’s stance was the Manhattan Institute’s Heather Mac Donald, who argued in an article for the New York City Journal that “[t]he furor over section 215 is a case study in Patriot Act fear-mongering.”[59]
The title also covers a number of other miscellaneous provisions, including the expansion of the number of FISC judges from seven to eleven (three of which must reside within 20 miles (32 km) of the District of Columbia),[60] trade sanctions against North Korea and Taliban-controlled Afghanistan [61] and the employment of translators by the FBI.[62]

http://w2.eff.org/patriot/

General information on the Act

Here are some excerpts from websites explaining the USA PATRIOT Act, and also information on the Act being renewed in 2010 by President Obama:

http://www.slate.com/id/2087984/

Section 215 modifies the rules on records searches. Post-Patriot Act, third-party holders of your financial, library, travel, video rental, phone, medical, church, synagogue, and mosque records can be searched without your knowledge or consent, providing the government says it’s trying to protect against terrorism.

Would you know if Section 215 had been used on you? Nope. The person made to turn over the records is gagged and cannot disclose the search to anyone.

Section 218 (FISA, the Foreign Intelligence Surveillance Act): What it does: Secret searches can now be authorized by a secret court without public knowledge or Department of Justice accountability, so long as the government can allege there is any foreign intelligence basis for the search.

Would you know if Section 218 had been used on you? Only if you were later prosecuted using information gathered pursuant to a FISA warrant. Then you’d have the opportunity to try to suppress that evidence in a regular court proceeding.

Section 213: Section 213 is another extremely controversial part of the Patriot Act, engendering protest from across the political spectrum. By allowing the state to rummage first and let you know later (sometimes much later), the act upends the traditional requirement that the state advise you in advance that you are being searched.

What it does: “Sneak and Peek” warrants extend sneak-and-peek authority from FISA searches to any criminal search. This allows for secret searches of your home and property without prior notice.

Section 206: Section 206 authorizes roving wiretaps: taps specific to no single phone or computer but to every phone or computer the target may use. It doesn’t get as much attention as it should. If the government decides to tap a computer at the UCLA library, every communication by every user can theoretically be intercepted.

What it does: Expands FISA to permit surveillance of any communications made to or by an intelligence target without specifying the particular phone line or computer to be monitored.

Section 505: This section authorizes the attorney general or a delegate to compel holders of your personal records to turn them over to the government, simply by writing a “national security” letter. Section 505 has garnered a lot less national attention than Section 215—the library records section of the act—which may be why it is invoked a lot more often.

What it does: Section 505 authorizes the use of what’s essentially an administrative subpoena of personal records. The subpoenas require no probable cause or judicial oversight.

The law before and how it changed: Before Patriot, these letters could only be issued against individuals who were reasonably suspected of espionage. But Patriot loosened the standard by allowing the letters to be used against anyone, including U.S. citizens, even if they themselves are not suspected of espionage or criminal activity. These letters may now be issued independently by FBI field offices, rather than by senior officials. And unlike Section 215 warrants, they are not subject to even perfunctory judicial review or oversight.

The records that can be obtained through the letters under Patriot include telephone logs, e-mail logs, certain financial and bank records, and credit reports, on the assertion that such information would be “relevant” to an ongoing terrorism investigation. They cannot be used in ordinary criminal investigations. Unlike 215, no court order—not even a rubber-stamped order—is required. Those forced to turn over records are gagged from disclosing the demand.

Would you know if Section 505 had been used on you: Not unless some action was brought against you based on the information produced.

Here are a few links that have information on the new and revised (and extended) USA PATRIOT Act, signed recently by President Obama.

http://w2.eff.org/patriot/20020925_patriot_act.php

(A pasted copy of the actual USA PATRIOT Act on this site)

http://tastethecloud.com/content/patriot-act-and-martial-law

This section is of particular relevance to businesses:

Expands surveillance powers to grant easier government access to bank accounts, home computers, telephones, and credit card accounts based upon subpoenas issued by the Department of Justice. The entities subpoenaed to obtain information about you could not refuse to provide the information (an expansion of current powers under Patriot I). Evidence obtained that would link a person to terrorism or terrorist groups (as defined by the State Department) would not be disclosed except to a court (individuals would have no right to know why they were charged) and pretrial detentions would be mandatory. You would have little possibility of defending the charges.

http://www.eff.org/deeplinks/2010/02/epic-fail-congress-usa-patriot-act-renewed-without

(This explains how the PATRIOT Act can be used to access business files)

http://en.wikipedia.org/wiki/Controversial_invocations_of_the_USA_PATRIOT_Act

(Explains the dangers of USA PATRIOT Act)