Dark Reading is part of the Informa Tech Division of Informa PLC


Dropbox Admits Hack, Adds More Security Features

Flood of email spam blamed on attacker grabbing an internal document containing users' email addresses.

Dropbox on Tuesday confirmed that its users have been experiencing a spam onslaught, and pointed the finger at an unlikely source: an internal employee.

"Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts," said Aditya Agarwal, VP of engineering at Dropbox, Tuesday in a blog post.

The Dropbox spam investigation began two weeks ago, after users began reporting spam attacks against email addresses that they used only for the service.


But many of the spam attacks were ultimately traced to a password-reuse problem that existed within Dropbox itself. "A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses," said Agarwal. "We believe this improper access is what led to the spam. We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again." Those controls will include a page that lets users review the login history related to their account, mechanisms for identifying suspicious activity, as well as two-factor authentication.
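Two-factor authentication of the kind Dropbox announced is usually a time-based one-time code (RFC 6238). The following is an added example, not Dropbox's code, showing how a server verifies such a code in Go using only the standard library: the shared secret and the expected values come from the RFC's own appendix B test vectors, the 30-second step and the one-step skew window are assumptions made here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
)

// totpCode computes an RFC 6238 time-based one-time code (HMAC-SHA1 variant)
// for a raw shared secret at the given Unix time. step is the time step in
// seconds (30 in the RFC), digits the code length (6 or 8).
func totpCode(secret []byte, unixTime int64, step int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	// Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last
	// byte selects a 4-byte window; the window's top bit is masked off.
	offset := h[len(h)-1] & 0x0f
	bin := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, bin%uint32(math.Pow10(digits)))
}

// verifyTOTP accepts a submitted 6-digit code if it matches the current
// 30-second step or one step either side (tolerating modest clock skew).
// The comparison is constant-time so response timing does not leak the
// expected code.
func verifyTOTP(secret []byte, submitted string, unixTime int64) bool {
	for skew := int64(-1); skew <= 1; skew++ {
		expected := totpCode(secret, unixTime+skew*30, 30, 6)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 appendix B test secret
	fmt.Println(totpCode(secret, 59, 30, 8))  // RFC 6238 vector: 94287082
	fmt.Println(verifyTOTP(secret, "081804", 1111111109))
}
```

A production verifier adds two things this sketch omits: it records the last step for which a code was accepted and refuses to accept that step again (a stolen code is only good once), and it rate-limits attempts so the six-digit space cannot be walked through.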

But do those fixes--and related explanations--go far enough? "For me, there are a few really concerning elements to this news and the way it was handled. A Dropbox engineer was using live customer information in a 'project document' --why? Shouldn't they be using dummy data?" said Rik Ferguson, director of security research and communication at Trend Micro, in a blog post. "This document was accessible, it seems, because the Dropbox employee was reusing their corporate password on other Web services which were compromised. It is not specified which services they refer to, but again, why?" Ferguson also criticized Dropbox's use of email--without first publicizing the breach--to inform affected users that their password may have been compromised, and for including "reset your password" links in those emails, thus making them virtually indistinguishable from the spam and phishing attacks that currently flood people's inboxes. "This practice goes against the years of advice that we have given, warning users not to click links in unsolicited mails, especially those requesting that you visit a website to enter any kind of credentials," he said.

What could Dropbox have done better? "Instead of [sending] a password reset link, they should direct users to browse to the corporate homepage and follow the information there."

As the Dropbox breach illustrates, password reuse continues to be a prevalent security challenge. It works like this: Attackers breach a website such as LinkedIn or eHarmony, steal usernames--or emails--plus passwords, then use those to try to log into other services. Should such log-ins be successful, attackers harvest personal data, contact lists, try an "urgent request from a friend" scam, or use the compromised account to launch large volumes of spam emails.
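From the defender's side, a replay of leaked credentials has a recognisable shape in the sign-in log: one source tries many distinct accounts and almost all of the attempts fail. The following is an added example, not Dropbox's code, that sweeps a constructed sign-in log in Go and reports sources matching that shape together with the accounts that were successfully opened, which is the list of users to contact. The log format, IP addresses, account names and thresholds are all made up for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sign-in log for the example: timestamp, source IP, account, outcome.
// 203.0.113.7 walks a leaked credential list across many accounts; the other
// two sources are ordinary users (one of them mistypes a password once).
const sampleLog = `2012-07-17T10:00:01Z 203.0.113.7 alice@example.com FAIL
2012-07-17T10:00:02Z 203.0.113.7 bob@example.com FAIL
2012-07-17T10:00:03Z 203.0.113.7 carol@example.com OK
2012-07-17T10:00:04Z 203.0.113.7 dan@example.com FAIL
2012-07-17T10:00:05Z 203.0.113.7 erin@example.com FAIL
2012-07-17T10:00:06Z 203.0.113.7 frank@example.com FAIL
2012-07-17T10:00:07Z 203.0.113.7 grace@example.com FAIL
2012-07-17T10:00:08Z 203.0.113.7 heidi@example.com FAIL
2012-07-17T10:01:10Z 198.51.100.5 alice@example.com FAIL
2012-07-17T10:01:25Z 198.51.100.5 alice@example.com OK
2012-07-17T10:02:00Z 198.51.100.9 dan@example.com OK`

type sourceStats struct {
	accounts  map[string]bool
	failures  int
	successes []string // accounts signed into from this source
}

// Finding describes one source whose pattern looks like a credential-stuffing run.
type Finding struct {
	IP        string
	Attempts  int
	Accounts  int      // distinct accounts tried
	Successes []string // accounts that were opened; their owners need notifying
}

// detectStuffing flags sources that tried at least minAccounts distinct
// accounts with a success rate no higher than maxSuccessRate. A real user
// touches one or two accounts; a leaked-list replay touches many and mostly fails.
func detectStuffing(log string, minAccounts int, maxSuccessRate float64) []Finding {
	stats := map[string]*sourceStats{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 4 {
			continue // skip malformed lines rather than abort the sweep
		}
		ip, account, outcome := f[1], f[2], f[3]
		s, ok := stats[ip]
		if !ok {
			s = &sourceStats{accounts: map[string]bool{}}
			stats[ip] = s
		}
		s.accounts[account] = true
		if outcome == "OK" {
			s.successes = append(s.successes, account)
		} else {
			s.failures++
		}
	}
	var out []Finding
	for ip, s := range stats {
		attempts := s.failures + len(s.successes)
		rate := float64(len(s.successes)) / float64(attempts)
		if len(s.accounts) >= minAccounts && rate <= maxSuccessRate {
			out = append(out, Finding{IP: ip, Attempts: attempts, Accounts: len(s.accounts), Successes: s.successes})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].IP < out[j].IP })
	return out
}

func main() {
	for _, f := range detectStuffing(sampleLog, 5, 0.25) {
		fmt.Printf("%s: %d attempts over %d accounts, opened %v\n", f.IP, f.Attempts, f.Accounts, f.Successes)
	}
}
```

The thresholds are the tuning knobs: a shared corporate NAT address legitimately signs into many accounts but with a high success rate, which is why the rule requires both a wide spread of accounts and a low success rate before it fires.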

The easiest way to stop password-reuse attacks is to stop reusing passwords. But according to an online password survey of 250 people recently conducted by software vendor mSeven Software, 76% of users rely solely on their memory--versus writing passwords down, entering them in a computer file, or using a password manager. In addition, 48% of respondents said they maintain just four passwords--or fewer--for any website they use that requires a password, even though 75% of people said they use at least 10 sites that require passwords.

In other words, most people don't seem to bother varying their passwords across different websites. As a result, when attackers obtain one password, they can use it to unlock that person's account on numerous other websites. "The Dropbox incident underlines the necessity of having different passwords for every website," said Graham Cluley, senior technology consultant at Sophos, via email. "As people pile more confidential information onto the Web, hackers are being given a greater incentive to penetrate accounts. The frequency and severity of these data breaches is proving time and time again that users must make better efforts to protect themselves."

Of course, even without password reuse, no cloud service is impenetrable. "If you are going to entrust sensitive data to Dropbox, my advice is that you should automatically encrypt it before sharing it with the service," Cluley said. "That way anyone who raids your account won't be able to make sense of what you have stashed in the cloud anyway."
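Cluley's advice amounts to treating the sync folder as untrusted storage: encrypt on the PC, hand only ciphertext to the service, and keep the key elsewhere. The following is an added example, not code from Dropbox or any of the products quoted in this article, showing that pattern in Go with the standard library's AES-256-GCM: each file gets a fresh random nonce, and the file name is bound as associated data so an attacker who can read or rearrange the account's contents cannot swap one blob for another unnoticed. The sample file name and contents are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey returns a random 256-bit AES key. The key must live outside the
// synced folder and be backed up separately; without it the ciphertext is
// unrecoverable, which is the point.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// sealFile encrypts plaintext with AES-256-GCM before it is handed to the
// sync client. A fresh random nonce is prepended to the output, and the file
// name is bound as associated data so a blob cannot be moved into another
// file's slot without the tag check failing.
func sealFile(key []byte, name string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag after the nonce in one buffer.
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// openFile reverses sealFile. Any change to the blob, the key or the file
// name makes the authentication tag fail, so the caller gets an error rather
// than silently corrupted plaintext.
func openFile(key []byte, name string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, []byte(name))
}

func main() {
	key, _ := newKey()
	blob, _ := sealFile(key, "customer-list.xlsx", []byte("constructed sample contents"))
	pt, err := openFile(key, "customer-list.xlsx", blob)
	fmt.Println(string(pt), err)
}
```

The operational cost is key management: the key is typically derived from a strong passphrase or kept in a password manager, and the recovery plan after a machine rebuild is to restore that key, not the sync client. File names still leak through the service, so anything sensitive in a name needs the same treatment.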


Comments
edyang73, User Rank: Apprentice, 5/24/2014 | 11:41:00 PM
Fine for personal pictures
Dropbox is fine for casual things such as personal pictures, but not sensitive business or customer data. For that I use CertainSafe, the only file sharing service with MicroTokenization, which breaks a file up and encrypts the pieces. Almost unhackable.
AustinAnalyst, User Rank: Apprentice, 8/2/2012 | 2:54:57 PM
re: Dropbox Admits Hack, Adds More Security Features
What methods/software are available to encrypt data at the PC level? How would we recover the encryption for all the encrypted files stored on the cloud in the event of a PC crash & rebuild?
cruiz, User Rank: Apprentice, 8/2/2012 | 9:39:37 AM
re: Dropbox Admits Hack, Adds More Security Features
Well sorry but I've had enough with Dropbox. I decided to change online backup solution. Surfing the net I found something called "Bajoo" and read everything about what they do. I'm really interested cause they have, like, everything! Encryption, secret pass phrase, etc. I'm considering it.
NMORRIS926, User Rank: Apprentice, 8/1/2012 | 7:00:53 PM
re: Dropbox Admits Hack, Adds More Security Features
After last year's embarrassing data breaches, Dropbox promised to implement additional safeguards "to prevent this from happening again." Whoops, it just happened again.

Here are my thoughts...
http://jacksonshaw.blogspot.ca...

Read more at http://macdailynews.com/2012/0...