Risk
8/1/2012
10:47 AM
Connect Directly
RSS
E-Mail
50%
50%

Dropbox Admits Hack, Adds More Security Features

Flood of email spam blamed on attacker grabbing an internal document containing users' email addresses.

Dropbox Tuesday confirmed that its users have been experiencing a spam onslaught, and pointed the finger at any unlikely source: an internal employee.

"Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts," said Aditya Agarwal, VP of engineering at Dropbox, Tuesday in a blog post.

The Dropbox spam investigation began two weeks ago, after users began reporting spam attacks against email addresses that they used only for the service.

[ Security officials are using data analysis tools to combat cybercrime at the London Olympics. Read about it here: Olympics Tap Big Data To Enhance Security. ]

But many of the spam attacks were ultimately traced to a password-reuse problem that existed within Dropbox itself. "A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses," said Agarwal. "We believe this improper access is what led to the spam. We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again." Those controls will include a page that lets users review the login history related to their account, mechanisms for identifying suspicious activity, as well as two-factor authentication.

But do those fixes--and related explanations--go far enough? "For me, there are a few really concerning elements to this news and the way it was handled. A Dropbox engineer was using live customer information in a 'project document' --why? Shouldn't they be using dummy data?" said Rik Ferguson, director of security research and communication at Trend Micro, in a blog post. "This document was accessible, it seems, because the Dropbox employee was reusing their corporate password on other Web services which were compromised. It is not specified which services they refer to, but again, why?" Ferguson also criticized Dropbox's use of email--without first publicizing the breach--to inform affected users that their password may have been compromised, and for including "reset your password" links in those emails, thus making them virtually indistinguishable from the spam and phishing attacks that currently flood people's in-boxes. "This practice goes against the years of advice that we have given, warning users not to click links in unsolicited mails, especially those requesting that you visit a website to enter any kind of credentials," he said.

What could Dropbox have done better? "Instead of [sending] a password reset link, they should direct users to browse to the corporate homepage and follow the information there."

As the Dropbox breach illustrates, password reuse continues to be a prevalent security challenge. It works like this: Attackers breach a website such as LinkedIn or eHarmony, steal usernames--or emails--plus passwords, then use those to try and log into other services. Should such log-ins be successful, attackers harvest personal data, contact lists, try an "urgent request from a friend" scam, or use the compromised account to launch large volumes of spam emails.

The easiest way to stop password-reuse attacks is to stop reusing passwords. But according to an online password survey of 250 people recently conducted by software vendor mSeven Software, 76% of users rely solely on their memory--versus writing passwords down, entering them in a computer file, or using a password manager. In addition, 48% of respondents said they maintain just four passwords--or fewer--for any website they use that requires a password, even though 75% of people said they use at least 10 sites that require passwords.

In other words, most people don't seem to bother varying their passwords across different websites. As a result, when attackers obtain one password, they can use it to unlock that person's account on numerous other websites. "The Dropbox incident underlines the necessity of having different passwords for every website," said Graham Cluley, senior technology consultant at Sophos, via email. "As people pile more confidential information onto the Web, hackers are being given a greater incentive to penetrate accounts. The frequency and severity of these data breaches is proving time and time again that users must make better efforts to protect themselves."

Of course, even without password reuse, no cloud service is impenetrable. "If you are going to entrust sensitive data to Dropbox, my advice is that you should automatically encrypt it before sharing it with the service," Cluley said. "That way anyone who raids your account won't be able to make sense of what you have stashed in the cloud anyway."

Your networks may be under attack as you read this, but unless your security personnel are analyzing logs and leveraging common tools that are well known to your network operations teams, you may not find out until it is too late. In our What's Going On?: Monitor Networks To Thwart Intrusions report, we explain how your security and network teams can cooperate and use common tools to detect threats before your databases are compromised. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
edyang73
100%
0%
edyang73,
User Rank: Apprentice
5/24/2014 | 11:41:00 PM
Fine for personal pictures
Dropbox is fine for casual things such as personal pictures, but not senstive business or customer data. For that I use CertainSafe, the only file sharing service with MicroTokenization, which breaks a file up and encrypts the pieces. Almost unhackable.
AustinAnalyst
50%
50%
AustinAnalyst,
User Rank: Apprentice
8/2/2012 | 2:54:57 PM
re: Dropbox Admits Hack, Adds More Security Features
What methods/software are available to encrypt data at the PC level ? How would we recover the encryption for all the encrypted files stored on the cloud in the event of a PC crash & rebuild ??
cruiz
50%
50%
cruiz,
User Rank: Apprentice
8/2/2012 | 9:39:37 AM
re: Dropbox Admits Hack, Adds More Security Features
Well sorry but I've had enough with Drpbox.. I decided changing of online backup solution. Surfing the net I found something called "Bajoo" and read everything about what they do. I'm really interested cause they have, like, everything! encryption, secret pass phrase, etc... I'm considering it.
NMORRIS926
50%
50%
NMORRIS926,
User Rank: Apprentice
8/1/2012 | 7:00:53 PM
re: Dropbox Admits Hack, Adds More Security Features
After last yearG«÷s embarrassing data breaches, Dropbox promised to implement additional safeguards G«£to prevent this from happening again.G«• Whoops, it just happened again.

here are my thoughtsG«™
http://jacksonshaw.blogspot.ca...

Read more at http://macdailynews.com/2012/0...
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1544
Published: 2014-07-23
Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger cer...

CVE-2014-1547
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1548
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1549
Published: 2014-07-23
The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer function in Mozilla Firefox before 31.0 and Thunderbird before 31.0 does not properly allocate Web Audio buffer memory, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and applica...

CVE-2014-1550
Published: 2014-07-23
Use-after-free vulnerability in the MediaInputPort class in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging incorrect Web Audio control-message ordering.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.