CBR rounds up the reaction to the news of Dropbox's security blunder, where the reuse of a password by an employee resulted in attackers gaining access to customer email addresses.
Claudio Guarnieri, Security Researcher at Rapid7
It looks like a very straightforward breach. Dropbox has always been an appetising target as it was one of the first services to bring cloud storages to a broad audience in an easy-to-use fashion.
When it comes to breaches into storage services like this, it's always interesting to understand the reasons behind the attacks: Dropbox's synchronisation capability made it very popular in the corporate world with R&D and development teams using it a lot for sharing data, which could be particularly valuable for a dedicated attacker.
In this case, it seems like the end goal was simply getting access to a large set of email addresses in order to distribute spam, which makes the case somewhat less interesting, but still another lesson to learn for the guys at Dropbox.
Graham Cluley, senior technology consultant at Sophos
The Dropbox incident underlines the necessity of having different passwords for every website. As people pile more confidential information onto the web, hackers are being given a greater incentive to penetrate accounts. The frequency and severity of these data breaches is proving time and time again that users must make better efforts to protect themselves.
If you are going to entrust sensitive data to Dropbox, my advice is that you should automatically encrypt it before sharing it with the service. That way anyone who raids your account won't be able to make sense of what you have stashed in the cloud anyway. Businesses are waking up to the need to use automatic and invisible encryption alongside their cloud storage - protecting users who make use of services such as Dropbox.
David Gildeh, Director of Cloud Services at Alfresco Software
There has always been a concern about cloud security in the enterprise space and there always will be, but I don't think it will slow down the momentum of enterprises adopting cloud services.
Dropbox is very much a consumer service without many of the security controls that enterprise services offer. There are a lot more assurances vendors in the enterprise file-sharing space can give in helping organizations secure their data. This is a good lesson on the importance of using enterprise-proven solutions when it comes to the security of your organisation's content.
Users should not use the same password across all sites on the Internet because they have no idea how secure they are.
Hackers know that users are lazy and will exploit this on popular services once they get emails and passwords from a compromised site.
Enterprises can prevent some of these issues by implementing tougher password control such as two-factor authentication and SAML SSO to connect their existing security infrastructure to cloud services they use. With SAML SSO they can ensure they provide a consistent security policy across all their applications regardless of where they're hosted.
Grant Taylor, European Vice President at Cryptzone
Most governance experts - ourselves included - will tell you to use different passwords for different systems, but this case is one of those `wake-up-and-smell-the-coffee' moments for IT security professionals, as it shows the need to also keep passwords separate for work and personal internet activities.
We would go further and argue that people should not be using Dropbox for many business purposes. CISOs and compliance managers would be horrified to know that confidential data was being moved out of the organisation's sphere of control. Free services by their very nature don't have the features to facilitate corporate control and management.
Rob Sobers, technical manager at Varonis
Given their poor track record when it comes to security, I was floored by this statement [that Dropbox will be resetting the passwords to the accounts it believes to have been compromised].
They are assuming they know exactly which accounts were compromised. What about the accounts whose passwords might have been stolen but haven't been breached (yet)?
LinkedIn made the same mistake a few months ago -- they only reset the passwords for the accounts they believed to be affected. What did they base this on? The list of hashes that were published BY THE HACKERS? Is it beyond the realm of possibility that the attacks might not have published the whole list? They're HACKERS!
Another unsettling thing is that apparently a Dropbox employee was storing customer data in their own Dropbox account. That blew my mind.
Mike Byrnes at Entrust
Cloud based solutions like DropBox present new areas of vulnerability for corporations, and therefore it is crucial that companies adopt solutions to help strengthen identity based security for cloud applications.
Not only does this help secure access and mitigate the impact when user ID's & passwords are stolen, but because the user's existing corporate ID to access the cloud is extended, the end-user experience is simplified by reducing the need to maintain separate credentials to access cloud applications.