Guest Blog // Selected Security Content Provided By Sophos
Dark Reading, 8/2/2012 04:06 PM

Latest Black Eye For Dropbox Shines Spotlight On Larger Problem

Handing off your unencrypted data to a cloud storage service doesn't suddenly make it the service's problem if the data is compromised or lost. Responsibility runs in both directions.

With Dropbox's admission this week that usernames and passwords stolen from other websites were used to sign in to a "small number" of Dropbox accounts, the cloud storage company is fast becoming the poster child for the anti-cloud crowd, who maintain that the convenience of cloud storage is offset by its perceived lack of security.

This news follows the company's mid-July admission of fault when users noticed they were getting spam directed to email accounts they only use to access Dropbox.

In fact, in a blog post announcing the breach, Aditya Agarwal, the company's VP of Engineering, included the following admission: "A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again."

And yes, we've all been down this path before. As you may recall, a year ago Dropbox disclosed that all of its users' files were publicly accessible for nearly four hours due to a bug in the company's authentication mechanism. And, adding insult to injury, according to this article in Venture Beat in April, a security hole was discovered in Dropbox's iOS app that allowed anyone with physical access to a user's phone to copy that user's login credentials, because the app stored login information in unencrypted text files.

So that's that. Dropbox is to blame. Someone has supplied the obligatory mea maxima culpa, and we have yet another instance that proves cloud storage, while easy to use, just can't be made secure.

Well, lessons learned and time to move on to the next data breach, right? Not exactly.

Among the security cognoscenti, it's a given that you should always use a different password for every site, because repeating one password across multiple sites means a compromise of any one of them exposes all of the others.

Even Microsoft agrees.

Writing in a blog post following July's Yahoo breach that exposed 400,000 user details, Microsoft Account Group Manager Eric Doerr related the fact that people reuse passwords and login details across services from different providers. According to Doerr, around 20% of the logins found on lists of compromised credentials match those of Microsoft accounts, because consumers use the same login details across more than one service. (The lists Doerr alludes to are circulated by organizations and hackers in the wake of attacks on third-party service providers.)

"These attacks shine a spotlight on the core issue -- people reuse passwords between different websites," said Doerr. "That reuse means that if one set of logins is compromised, other accounts are at risk."

Even Dropbox's Agarwal acknowledges that the responsibility for data protection goes both ways: "At the same time, we strongly recommend you improve your online safety by setting a unique password for each website you use. Though it's easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk."

And although it might seem onerous to use unique passwords across multiple sites, there is a decided upside.

As Graham Cluley, senior technology consultant at Sophos, recently commented, "The Dropbox incident underlines the necessity of having different passwords for every website. As people pile more confidential information onto the web, hackers are being given a greater incentive to penetrate accounts. The frequency and severity of these data breaches is proving time and time again that users must make better efforts to protect themselves. If you are going to entrust sensitive data to Dropbox, my advice is that you should automatically encrypt it before sharing it with the service. That way anyone who raids your account won't be able to make sense of what you have stashed in the cloud anyway. Businesses are waking up to the need to use automatic and invisible encryption alongside their cloud storage -- protecting users who make use of services such as Dropbox."

Now don't get me wrong. I'm not willing to place blame exclusively in either camp for this latest Dropbox debacle. There's shared responsibility at work here: users who appreciate the risk they take when they store unencrypted data in the cloud and cloud services that have not yet implemented (as Dropbox promises) at least two-factor authentication to mitigate risk to their customer base. Without such accountabilities, this certainly won't be the last time we hear about customer data breached in B2C cloud storage services.
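The advice above, from Cluley's quote and the closing paragraph, is to encrypt sensitive data on your own device before it ever reaches the storage service, so that a stolen account password exposes only opaque blobs. The following is an added example, not code from Dropbox, Sophos, or the original post. It uses AES-256-GCM from Go's standard library with a key that stays on the client (in practice it would live in the OS keychain or be derived from a passphrase with a password-based KDF; here the key is simply generated and returned). The file name is bound as associated data so a blob cannot be quietly swapped with another one on the server. Function and constant names are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey generates a random 256-bit key for AES-256-GCM. The key never leaves
// the user's device; only the sealed blob is handed to the storage service.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM wraps the key in an AES-GCM AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key before upload. The file name is passed as
// associated data, so the blob is tied to that name. Output layout is
// nonce || ciphertext || tag, which is what the cloud service receives.
func Seal(key, plaintext []byte, name string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag after the nonce prefix.
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open decrypts a blob downloaded from the service. Any modification to the
// blob, or a mismatch between the stored name and the name used at Seal time,
// makes the GCM tag check fail and returns an error instead of plaintext.
func Open(key, blob []byte, name string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document standing in for a file bound for the cloud.
	doc := []byte("project plan: user email addresses attached")
	blob, err := Seal(key, doc, "plan.txt")
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded %d bytes; first bytes are the nonce, not the document\n", len(blob))

	back, err := Open(key, blob, "plan.txt")
	fmt.Printf("restored on device: %q (err=%v)\n", back, err)

	// Simulate a raided account: someone alters the stored blob by one bit.
	blob[len(blob)-1] ^= 0x01
	_, err = Open(key, blob, "plan.txt")
	fmt.Printf("tampered blob rejected: %v\n", err)
}
```

Every file gets a fresh random nonce, which is what makes reusing one long-lived key across many files safe under GCM; the error path matters as much as the happy path, since silently returning garbage on tamper would defeat the purpose.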

For more information on the benefits of encrypting cloud storage, download the Sophos whitepaper, "Fixing your Dropbox problem."

Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud computing and data center virtualization.

Comments
RichieB, User Rank: Apprentice, 8/3/2012 | 7:41:47 AM
re: Latest Black Eye For Dropbox Shines Spotlight On Larger Problem
I agree 100% with AnonymousMan. Security professionals should stop beating the "do not reuse passwords" drum. In my mind it is perfectly ok to reuse passwords for unimportant websites such as forums, webshops, etc. Do you really expect average users to use unique passwords for the dozens of websites they have accounts on? It is just not feasible. Who cares that compromising my forum account on site X gives an attacker access to my webshop account on site Y? (Webshops in my country do not use or store credit card details.)

Instead, tell users not to reuse passwords on important systems such as E-mail, E-banking, online file storage, home computer, etc.
AnonymousMan, User Rank: Moderator, 8/2/2012 | 9:55:53 PM
re: Latest Black Eye For Dropbox Shines Spotlight On Larger Problem
I keep hearing this same advice about having a different password for each website. That, at least by itself, cannot be the solution. You have to create a new set of credentials every time you sneeze on the Internet these days. Most humans just can't and won't create unique credentials each time. If it makes you feel better, keep suggesting that, but I would focus on other ways to solve the problem (e.g. I think we need MUCH better password management systems).