
After Dropbox Breach, Is It Safe to Use? (Snowden Would Say No)


Did Edward Snowden Actually Comment on the Dropbox Breach? No.

Almost as fast as every media source out there could jump on the “Yet Another Breach” bandwagon and report that Dropbox had been hacked, the company was denying it. So let’s play a little game of true or false to try to sort out fact from fiction:

Statement: Hackers were able to access logins and passwords of Dropbox users and then leaked 400 account passwords and usernames onto the site Pastebin.

True.

Statement: The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the Internet, including Dropbox.

True. (In fact, that is a direct quote from the Dropbox blog of October 13, 2014, in which they bluntly proclaim “Dropbox wasn’t hacked”.)

Statement: The post also threatened that 6.9 million further Dropbox account details had been obtained, including photos, videos and other files, which they were prepared to leak for Bitcoins.

True. What is unclear is whether or not they have any valid data. There have been a few more pastes of credentials, but they do not appear to be genuine. Also, Dropbox claims, “We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.”

Statement: Edward Snowden thinks we should stop using Dropbox because of the breach.

False. Okay, this was a trick question. Snowden does think we shouldn’t use Dropbox, BUT he stated that long before the “breach” made the news. Instead, he said that those who care about their privacy should “get rid of Dropbox” because he considers it “hostile to privacy,” saying it doesn’t support encryption. Again, Dropbox responded to his comments in a June 2014 post, stating, “All files sent and retrieved from Dropbox are encrypted while traveling between you and our servers,” as well as when they’re “at rest on our servers.”

For Snowden, who urges people to consider an alternative like SpiderOak, the difference is that SpiderOak encrypts the data while it’s still on your computer, as opposed to only encrypting it “in transit” and on the company’s servers. I have to agree that this is a more secure form of file storage, and so, as with everything cyber-security related, it is a matter of degrees.

Ask yourself three questions to determine what’s the right storage solution for you:

  1. Are the files you store in the cloud (e.g. Dropbox) ones that wouldn’t cause you to lose sleep if they were made public? If so, then Dropbox is a good solution. That said, you MUST enable two-factor authentication on the service to keep it as protected as possible.
  2. Are the files sensitive enough that you’d still like a cloud-based solution for convenience’s sake, but need more security? Then a service like SpiderOak might be right for you. There are many other options out there of varying security levels.
  3. If the files you store in the cloud (e.g., Dropbox) were to be hacked, would the damage be irreparable? If so, DON’T STORE THESE PARTICULAR FILES IN THE CLOUD! Instead, store them on servers that you own, control and constantly monitor. If the files are that confidential, disconnect the server they are stored on from the internet. Then again, that isn’t practical for most situations.

Final Statement: Password re-use is the real culprit in this supposed Dropbox breach.

TRUE, TRUE, TRUE! Remember, even if Dropbox wasn’t technically hacked, the final result is that user accounts have been compromised, and that is something we can’t continue to ignore. I can’t stress enough how important it is to use a strong password and even better, to use a strong password manager, like 1Password. And, as mentioned above, 2-Step Verification is a MUST for all but the most casual Dropbox users.
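Dropbox’s “measures in place to detect suspicious login activity” are not described in the post, so here is an added example (not Dropbox’s code) of the kind of check a defender runs over login events to tell credential stuffing with re-used passwords apart from an ordinary mistyped password. The log lines are constructed, and the 5-minute window and 5-account threshold are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a web app's login events (not real Dropbox logs):
# "timestamp source_ip username result"
SAMPLE_LOG = """\
2014-10-13T10:00:01 203.0.113.7 alice FAIL
2014-10-13T10:00:02 203.0.113.7 bob FAIL
2014-10-13T10:00:03 203.0.113.7 carol FAIL
2014-10-13T10:00:04 203.0.113.7 dave OK
2014-10-13T10:00:05 203.0.113.7 erin FAIL
2014-10-13T10:00:06 203.0.113.7 frank FAIL
2014-10-13T10:03:00 198.51.100.2 alice FAIL
2014-10-13T10:03:30 198.51.100.2 alice OK
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)

def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Return (suspicious_ips, accounts_to_reset).

    A brute-force attack hammers one account with many passwords; credential
    stuffing is the opposite pattern: one source tries many *different*
    usernames, each once or twice, because the attacker already holds
    username/password pairs leaked from some other site.  Any account that
    logged in successfully from such a source re-used its password and
    should be force-reset (which is what Dropbox says it does).
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    suspicious_ips, accounts_to_reset = set(), set()
    for ip, evs in by_ip.items():
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            failed_users = {u for _, u, r in in_window if r == "FAIL"}
            if len(failed_users) >= min_users:
                suspicious_ips.add(ip)
                accounts_to_reset |= {u for _, u, r in in_window if r == "OK"}
                break
    return suspicious_ips, accounts_to_reset
```

The second source in the sample (one user failing once, then succeeding) is the everyday typo and is left alone; only the source cycling through many accounts is flagged, and the one account it got into is queued for a reset.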

How is your organization using the cloud?

John Sileo delivers keynote speeches on cyber security, identity theft, internet privacy and social engineering. He specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly at 800.258.8076.

Dropbox a Crystal Ball of Cloud Computing Pros & Cons


Dropbox is a brilliant cloud-based service (i.e., your data stored on someone else’s server) that automatically backs up your files and simultaneously keeps the most current version on all of your computing devices (Mac and Windows, laptops, workstations, servers, tablets and smartphones). It is highly efficient for giving you access to everything from everywhere while maintaining an off-site backup copy of every version of every document.

And like anything with that much power, there are risks. Using this type of syncing and backup service without understanding the risks and rewards is like driving a Ducati motorcycle without peering into the crystal ball of accidents that take the lives of bikers every year. If you are going to ride the machine, know your limits.

This week, Dropbox appears to have altered their user agreement (without any notice to its users), making it a FAR LESS SECURE SERVICE. Initially, their privacy policy stated:

… all files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password. (Quoted from PCWorld)

Currently, the privacy policy says that Dropbox can access and view your encrypted data, and it might do so to share information with law enforcement. Why is that important? Because it means that the encryption keys that keep your files private are actually stored on Dropbox’s servers, not on your own computer. This puts the keys to your data (and every other Dropbox user’s) not only in the hands of Dropbox employees and law enforcement, but also within reach of any hacker who compromises those servers. When the encryption key is located on your own computer, at least the risk is spread across the whole network of Dropbox users instead of concentrated in one place.
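The two models this paragraph and the SpiderOak comparison in the previous post contrast (keys generated and held on the provider’s server versus keys that never leave your device) can be made concrete. This is an added illustration, not Dropbox’s or SpiderOak’s code; it uses an HMAC-based stream cipher from the Python standard library purely as a stand-in for AES-256, and the passphrase and file contents in the test are constructed.

```python
import hashlib, hmac, os

# Stand-in for AES-256 using only the standard library: HMAC-SHA256 run in
# counter mode as a keystream, with encrypt-then-MAC. Assumption: this is
# here to show WHERE the key lives; a real client would use AES-256-GCM.
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def derive_key(passphrase, salt):
    # Runs on the user's device; the passphrase is never sent to the provider.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, 32)

def provider_side_model(plaintext):
    # Model the post describes: the provider generates the key and keeps it
    # next to the ciphertext, so the provider (or anyone who gets in) holds both.
    key = os.urandom(32)
    return {"blob": encrypt(key, plaintext), "key": key}

def client_side_model(passphrase, plaintext):
    # SpiderOak-style model: the key is derived on the device; the provider
    # only ever receives ciphertext and the (non-secret) salt.
    salt = os.urandom(16)
    return {"blob": encrypt(derive_key(passphrase, salt), plaintext), "salt": salt}

def provider_read(stored):
    """What an insider, a subpoena or a server compromise can recover."""
    if "key" in stored:
        return decrypt(stored["key"], stored["blob"])
    return None  # ciphertext only: nothing on the server can open it

def user_read(stored, passphrase):
    return decrypt(derive_key(passphrase, stored["salt"]), stored["blob"])
```

Whoever can read the provider’s storage gets the plaintext in the first model and only an opaque blob in the second; the trade-off is that in the second model a forgotten passphrase means the provider cannot recover your files either.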

But there is an even bigger issue that this exposes about the world of cloud computing in general: anytime your data lives on a device that you don’t own, you lose a certain amount of control over what happens to it. Here is just a sampling of factors that can affect the privacy and confidentiality of your cloud-stored data:

  • The cloud service provider changes their Terms of Service (like Dropbox just did) to cover their legal bases, making your data less secure without your even being alerted. This happens almost every week with Facebook, which changes privacy terms constantly. When you log back into your account, you are automatically agreeing to the new Terms of Service (and probably not reading the tens of pages of legal jargon).
  • The provider is bought out by a new company (possibly one overseas) that has different standards for data security and sharing, or has its assets liquidated (the most valuable assets are generally information). You, by default, are now covered by those standards.
  • The security of your data is weak in the first place. Security costs money, and many smaller cloud providers haven’t invested enough in protecting that data, leaving the door wide open for savvy hackers. SalesForce.com might be well protected, but is the free backup service or contact manager that you use?
  • Your data exists in a more public domain than when it is stored on internal, private servers, meaning that it is subject to subpoena without your being notified! In other words, the government and law enforcement have access to it and you will never know they were snooping around. This isn’t a concern for most small businesses, but it is still a cautionary note.

So does this mean we should all shut down our Dropbox, Carbonite and iBackup accounts? No. Does this mean that corporations should not implement the highly scalable, dramatically efficient solutions provided by the cloud? No. It means that both individuals and businesses must educate themselves on the upsides and downsides of this shift in computing. They can begin the process by realizing that:

  1. Not all data is created equal and that some types of sensitive data should never be placed in someone else’s control. This is exactly why there are data classification systems (I subscribe to those used by the military and spy agencies: Public, Internal, Confidential and Top Secret).
  2. Not all cloud providers are created equal and you must understand the privacy policy, terms of service and track record of each one individually (just like you would choose a car with a better crash-test rating for your family).
  3. Anything of immense power comes with costs, and those costs must be calculated into the relative ROI of the equation. In other words, the answer here, like most complex things in life, exists in the gray area, not in a black-or-white, one-size-fits-all generalization.

John Sileo writes and speaks on Information Leadership, including identity theft prevention, data breach, social media risk and online reputation. His clients include the Department of Defense, Homeland Security, the Federal Reserve Bank, FDIC, FTC and hundreds of corporations of all sizes. Learn more about his motivational data security events.