Dropbox security breach: expert reaction

02 August 2012

CBR rounds up the reaction to the news of Dropbox's security blunder, in which an employee's reuse of a password let attackers gain access to customer email addresses.

Claudio Guarnieri, Security Researcher at Rapid7
It looks like a very straightforward breach. Dropbox has always been an appetising target as it was one of the first services to bring cloud storage to a broad audience in an easy-to-use fashion.

When it comes to breaches into storage services like this, it's always interesting to understand the reasons behind the attacks: Dropbox's synchronisation capability made it very popular in the corporate world with R&D and development teams using it a lot for sharing data, which could be particularly valuable for a dedicated attacker.

In this case, it seems like the end goal was simply getting access to a large set of email addresses in order to distribute spam, which makes the case somewhat less interesting, but still another lesson to learn for the guys at Dropbox.

Graham Cluley, senior technology consultant at Sophos
The Dropbox incident underlines the necessity of having different passwords for every website. As people pile more confidential information onto the web, hackers are being given a greater incentive to penetrate accounts. The frequency and severity of these data breaches is proving time and time again that users must make better efforts to protect themselves.

If you are going to entrust sensitive data to Dropbox, my advice is that you should automatically encrypt it before sharing it with the service. That way anyone who raids your account won't be able to make sense of what you have stashed in the cloud anyway. Businesses are waking up to the need to use automatic and invisible encryption alongside their cloud storage - protecting users who make use of services such as Dropbox.

David Gildeh, Director of Cloud Services at Alfresco Software
There has always been a concern about cloud security in the enterprise space and there always will be, but I don't think it will slow down the momentum of enterprises adopting cloud services.

Dropbox is very much a consumer service without many of the security controls that enterprise services offer. There are a lot more assurances vendors in the enterprise file-sharing space can give in helping organisations secure their data. This is a good lesson on the importance of using enterprise-proven solutions when it comes to the security of your organisation's content.

Users should not use the same password across all sites on the Internet because they have no idea how secure they are.

Hackers know that users are lazy and will exploit this on popular services once they get emails and passwords from a compromised site.

Enterprises can prevent some of these issues by implementing tougher password control such as two-factor authentication and SAML SSO to connect their existing security infrastructure to cloud services they use. With SAML SSO they can ensure they provide a consistent security policy across all their applications regardless of where they're hosted.

Grant Taylor, European Vice President at Cryptzone
Most governance experts - ourselves included - will tell you to use different passwords for different systems, but this case is one of those 'wake-up-and-smell-the-coffee' moments for IT security professionals, as it shows the need to also keep passwords separate for work and personal internet activities.

We would go further and argue that people should not be using Dropbox for many business purposes. CISOs and compliance managers would be horrified to know that confidential data was being moved out of the organisation's sphere of control. Free services by their very nature don't have the features to facilitate corporate control and management.

Rob Sobers, technical manager at Varonis
Given their poor track record when it comes to security, I was floored by this statement [that Dropbox will be resetting the passwords to the accounts it believes to have been compromised].

They are assuming they know exactly which accounts were compromised. What about the accounts whose passwords might have been stolen but haven't been breached (yet)?

LinkedIn made the same mistake a few months ago -- they only reset the passwords for the accounts they believed to be affected. What did they base this on? The list of hashes that were published BY THE HACKERS? Is it beyond the realm of possibility that the attackers might not have published the whole list? They're HACKERS!

Another unsettling thing is that apparently a Dropbox employee was storing customer data in their own Dropbox account. That blew my mind.

Mike Byrnes at Entrust
Cloud-based solutions like Dropbox present new areas of vulnerability for corporations, and therefore it is crucial that companies adopt solutions to help strengthen identity-based security for cloud applications.

Not only does this help secure access and mitigate the impact when user IDs and passwords are stolen, but because the user's existing corporate ID to access the cloud is extended, the end-user experience is simplified by reducing the need to maintain separate credentials to access cloud applications.
