Perimeter
Guest Blog // Selected Security Content Provided By Sophos
What's This?
8/2/2012
04:06 PM
Dark Reading
Dark Reading
Security Insights
Connect Directly
RSS
E-Mail
50%
50%

Latest Black Eye For Dropbox Shines Spotlight On Larger Problem

Handing off your unencrypted data to a cloud storage service doesn't suddenly make it the service's problem if the data is compromised or lost. Responsibility runs in both directions

With Dropbox's admission this week that usernames and passwords, stolen from other websites, were used to sign in to a "small number" of Dropbox accounts, it's becoming clear the cloud storage company is becoming the poster child for the anti-cloud crowd who maintain the convenience of cloud storage is offset by its perceived lack of security.

This news follows the company's mid-July admission of fault when users noticed they were getting spam directed to email accounts they only use to access Dropbox.

In fact, in a blog post announcing the breach, Aditya Agarwalm, the company’s VP of Engineering, included the following admission: "A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again."

And yes, we've all been down this path before. As you may recall, a year ago Dropbox disclosed that all of its users' files were publicly accessible for nearly four hours due to a bug in the company's authentication mechanism. And, adding insult to injury, according to this article in Venture Beat in April, a security hole was discovered in Dropbox's iOS app, which allowed anyone with physical access to a user's phone could copy that user's login credentials -- because it stored user login information in unencrypted text files.

So that's that. Dropbox is to blame. Someone has supplied the obligatory maxima mea culpa and we have yet another instance that proves cloud storage, while easy to use, just can’t be made secure.

Well, lessons learned and time to move on to the next data breach, right? Not exactly.

Among the security cognoscenti, it's a given that you should always vary your password from site to site and the effect of repeating it across multiple sites opens it to compromise.

Even Microsoft agrees.

Writing in a blog post following July’s Yahoo breach that exposed 400,000 user details, Microsoft Account Group Manager Eric Doerr related the fact that people reuse passwords and login details across service from different providers. According to Doerr, around 20% of the logins found on lists of compromised credentials match those of Microsoft accounts due to consumers using the same login details across more than one service. Note: the lists Doerr alludes to are circulated by organizations and hackers in the wake of attacks on third-party service providers.

"These attacks shine a spotlight on the core issue -- people reuse passwords between different websites," said Doer, "That reuse means that if one set of logins is compromised, other accounts are at risk."

Even Dropbox's Agarwalm acknowledges that the responsibility for data protection goes both ways, "At the same time, we strongly recommend you improve your online safety by setting a unique password for each website you use. Though it's easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk."

And although it might seem onerous to use unique passwords for multiple sites, there is decided upside.

As Graham Cluley, senior technology consultant at Sophos recently commented, "The Dropbox incident underlines the necessity of having different passwords for every website. As people pile more confidential information onto the web, hackers are being given a greater incentive to penetrate accounts. The frequency and severity of these data breaches is proving time and time again that users must make better efforts to protect themselves. If you are going to entrust sensitive data to Dropbox, my advice is that you should automatically encrypt it before sharing it with the service. That way anyone who raids your account won't be able to make sense of what you have stashed in the cloud anyway. Businesses are waking up to the need to use automatic and invisible encryption alongside their cloud storage -- protecting users who make use of services such as Dropbox."

Now don't get me wrong. I'm not willing to place blame exclusively in either camp for this latest Dropbox debacle. There's shared responsibility at work here: users who appreciate the risk they take when they store unencrypted data in the cloud and cloud services that have not yet implemented (as Dropbox promises) at least two-factor authentication to mitigate risk to their customer base. Without such accountabilities, this certainly won't be the last time we hear about customer data breached in B2C cloud storage services.

For more information on the benefits of encrypting cloud storage, download the Sophos whitepaper, Fixing your Dropbox problem

Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud computing and data center virtualization.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RichieB
50%
50%
RichieB,
User Rank: Apprentice
8/3/2012 | 7:41:47 AM
re: Latest Black Eye For Dropbox Shines Spotlight On Larger Problem
I agree 100% with AnonymousMan. Security professionals should stop beating the "do not reuse passwords" drum. In my mind it is perfectly ok to reuse passwords for unimportant websites such as forums, webshops, etc. Do you really expect average users to use unique passwords for the dozens of websites they have accounts on? It is just not feasible. Who cares that compromising my forum account on site X gives an attacker access to my webshop account on site Y? (Webshops in my country do not use or store credit card details.)

Instead, tell users to not to reuse passwords on important systems such as E-mail, E-banking, online file storage, home computer, etc.
AnonymousMan
100%
0%
AnonymousMan,
User Rank: Moderator
8/2/2012 | 9:55:53 PM
re: Latest Black Eye For Dropbox Shines Spotlight On Larger Problem
I keep hearing this same advice about having a different password for each website.-á That, at least by itself, cannot be the solution. You have to create a new set of credentials every time you sneeze on the Internet these days.-á Most humans just can't and won't create unique credentials each time.-á If it makes you feel better, keep suggesting that, but I would focus on other ways to solve the problem (e.g. I think we need MUCH better password management systems).
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.