Risk
8/1/2012
10:47 AM
Connect Directly
RSS
E-Mail
50%
50%

Dropbox Admits Hack, Adds More Security Features

Flood of email spam blamed on attacker grabbing an internal document containing users' email addresses.

Dropbox Tuesday confirmed that its users have been experiencing a spam onslaught, and pointed the finger at any unlikely source: an internal employee.

"Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts," said Aditya Agarwal, VP of engineering at Dropbox, Tuesday in a blog post.

The Dropbox spam investigation began two weeks ago, after users began reporting spam attacks against email addresses that they used only for the service.

[ Security officials are using data analysis tools to combat cybercrime at the London Olympics. Read about it here: Olympics Tap Big Data To Enhance Security. ]

But many of the spam attacks were ultimately traced to a password-reuse problem that existed within Dropbox itself. "A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses," said Agarwal. "We believe this improper access is what led to the spam. We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again." Those controls will include a page that lets users review the login history related to their account, mechanisms for identifying suspicious activity, as well as two-factor authentication.

But do those fixes--and related explanations--go far enough? "For me, there are a few really concerning elements to this news and the way it was handled. A Dropbox engineer was using live customer information in a 'project document' --why? Shouldn't they be using dummy data?" said Rik Ferguson, director of security research and communication at Trend Micro, in a blog post. "This document was accessible, it seems, because the Dropbox employee was reusing their corporate password on other Web services which were compromised. It is not specified which services they refer to, but again, why?" Ferguson also criticized Dropbox's use of email--without first publicizing the breach--to inform affected users that their password may have been compromised, and for including "reset your password" links in those emails, thus making them virtually indistinguishable from the spam and phishing attacks that currently flood people's in-boxes. "This practice goes against the years of advice that we have given, warning users not to click links in unsolicited mails, especially those requesting that you visit a website to enter any kind of credentials," he said.

What could Dropbox have done better? "Instead of [sending] a password reset link, they should direct users to browse to the corporate homepage and follow the information there."

As the Dropbox breach illustrates, password reuse continues to be a prevalent security challenge. It works like this: Attackers breach a website such as LinkedIn or eHarmony, steal usernames--or emails--plus passwords, then use those to try and log into other services. Should such log-ins be successful, attackers harvest personal data, contact lists, try an "urgent request from a friend" scam, or use the compromised account to launch large volumes of spam emails.

The easiest way to stop password-reuse attacks is to stop reusing passwords. But according to an online password survey of 250 people recently conducted by software vendor mSeven Software, 76% of users rely solely on their memory--versus writing passwords down, entering them in a computer file, or using a password manager. In addition, 48% of respondents said they maintain just four passwords--or fewer--for any website they use that requires a password, even though 75% of people said they use at least 10 sites that require passwords.

In other words, most people don't seem to bother varying their passwords across different websites. As a result, when attackers obtain one password, they can use it to unlock that person's account on numerous other websites. "The Dropbox incident underlines the necessity of having different passwords for every website," said Graham Cluley, senior technology consultant at Sophos, via email. "As people pile more confidential information onto the Web, hackers are being given a greater incentive to penetrate accounts. The frequency and severity of these data breaches is proving time and time again that users must make better efforts to protect themselves."

Of course, even without password reuse, no cloud service is impenetrable. "If you are going to entrust sensitive data to Dropbox, my advice is that you should automatically encrypt it before sharing it with the service," Cluley said. "That way anyone who raids your account won't be able to make sense of what you have stashed in the cloud anyway."

Your networks may be under attack as you read this, but unless your security personnel are analyzing logs and leveraging common tools that are well known to your network operations teams, you may not find out until it is too late. In our What's Going On?: Monitor Networks To Thwart Intrusions report, we explain how your security and network teams can cooperate and use common tools to detect threats before your databases are compromised. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
NMORRIS926
50%
50%
NMORRIS926,
User Rank: Apprentice
8/1/2012 | 7:00:53 PM
re: Dropbox Admits Hack, Adds More Security Features
After last yearG«÷s embarrassing data breaches, Dropbox promised to implement additional safeguards G«£to prevent this from happening again.G«• Whoops, it just happened again.

here are my thoughtsG«™
http://jacksonshaw.blogspot.ca...

Read more at http://macdailynews.com/2012/0...
cruiz
50%
50%
cruiz,
User Rank: Apprentice
8/2/2012 | 9:39:37 AM
re: Dropbox Admits Hack, Adds More Security Features
Well sorry but I've had enough with Drpbox.. I decided changing of online backup solution. Surfing the net I found something called "Bajoo" and read everything about what they do. I'm really interested cause they have, like, everything! encryption, secret pass phrase, etc... I'm considering it.
AustinAnalyst
50%
50%
AustinAnalyst,
User Rank: Apprentice
8/2/2012 | 2:54:57 PM
re: Dropbox Admits Hack, Adds More Security Features
What methods/software are available to encrypt data at the PC level ? How would we recover the encryption for all the encrypted files stored on the cloud in the event of a PC crash & rebuild ??
edyang73
100%
0%
edyang73,
User Rank: Apprentice
5/24/2014 | 11:41:00 PM
Fine for personal pictures
Dropbox is fine for casual things such as personal pictures, but not senstive business or customer data. For that I use CertainSafe, the only file sharing service with MicroTokenization, which breaks a file up and encrypts the pieces. Almost unhackable.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the ďsecurity connectedĒ approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5242
Published: 2014-10-21
Directory traversal vulnerability in functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parameter in a get_template action.

CVE-2012-5243
Published: 2014-10-21
functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to read arbitrary database information via a crafted request.

CVE-2012-5702
Published: 2014-10-21
Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) callback parameter in a color_selector action, (2) field parameter in a date_format action, or (3) company_name parameter in an addedit action to i...

CVE-2013-7406
Published: 2014-10-21
SQL injection vulnerability in the MRBS module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-4514
Published: 2014-10-21
Cross-site scripting (XSS) vulnerability in includes/api_tenpay/inc.tenpay_notify.php in the Alipay plugin 3.6.0 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via vectors related to the getDebugInfo function.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.