Tuesday, October 21, 2014

Dropbox Wasn't Hacked... This Time!

   I'm sure that many of you have read the news about an apparent attack, and subsequent account breach at Dropbox this past week.  There have been conflicting reports flying around, but Dropbox's own blog points out what appears to be the truth... Dropbox wasn't hacked.


   The story is that apparently the attackers got user IDs and passwords from attacks on other applications.  They then tried these same credentials on a number of internet sites, including Dropbox.  You can read the Dropbox blog post here.

  This is a typical attack scenario, as I've discussed before.  Part of the value of stealing a password file from a site or organization is that people unfortunately reuse their IDs and passwords on other sites.  This is because it's difficult to remember all those passwords!  I won't go into that issue because I've covered it plenty of times in the past.

   In this case, like many others, the attackers simply try the IDs and passwords on other sites.  It's almost guaranteed that they will get some logins that work.  That is apparently what happened here.
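The replay of leaked credentials described above, seen from the defender's side: an added example (not code from the original post or from Dropbox) that scans a constructed login log for a single source trying many different accounts with mostly failed logins, then lists the accounts whose reused passwords let it in. The log format, field order, addresses and thresholds are all assumptions.

```python
# Added example (not from the original post): flag credential stuffing in an
# application's login log. Log format, thresholds and addresses are assumed.
from collections import defaultdict

# Constructed sample log, one attempt per line: <time> <source_ip> <user> <ok|fail>.
# 198.51.100.7 replays credentials stolen from another site against many accounts;
# two work because those users reused passwords. 203.0.113.9 is one user mistyping.
SAMPLE_LOG = """\
2014-10-14T02:00:01Z 198.51.100.7 alice fail
2014-10-14T02:00:02Z 198.51.100.7 bob fail
2014-10-14T02:00:02Z 198.51.100.7 carol ok
2014-10-14T02:00:03Z 198.51.100.7 dave fail
2014-10-14T02:00:03Z 198.51.100.7 erin fail
2014-10-14T02:00:04Z 198.51.100.7 frank fail
2014-10-14T02:00:04Z 198.51.100.7 grace ok
2014-10-14T02:00:05Z 198.51.100.7 heidi fail
2014-10-14T02:05:00Z 203.0.113.9 alice fail
2014-10-14T02:05:30Z 203.0.113.9 alice ok
"""

def parse_log(log):
    """Yield (source_ip, username, succeeded) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:          # skip blank or malformed lines
            _ts, ip, user, result = parts
            yield ip, user, result == "ok"

def find_stuffing_sources(log, min_accounts=5, max_success_ratio=0.5):
    """Return {ip: (distinct_users, attempts, successes)} for sources that tried
    many different usernames and mostly failed. A password brute force against one
    account looks different (few distinct users), so it is deliberately not matched."""
    users, attempts, successes = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, user, ok in parse_log(log):
        users[ip].add(user)
        attempts[ip] += 1
        successes[ip] += ok
    return {ip: (len(users[ip]), attempts[ip], successes[ip])
            for ip in attempts
            if len(users[ip]) >= min_accounts
            and successes[ip] / attempts[ip] <= max_success_ratio}

def accounts_to_reset(log, **thresholds):
    """Users who logged in successfully from a flagged source: the reused-password
    accounts that need a forced reset and a two-factor nudge."""
    flagged = find_stuffing_sources(log, **thresholds)
    return {user for ip, user, ok in parse_log(log) if ok and ip in flagged}
```

On the sample log this flags only 198.51.100.7 (8 distinct accounts, 2 successes) and names carol and grace as the accounts to reset; the single user who mistyped once is left alone.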

   So... Dropbox wasn't hacked... this time!  Of course, there have been a number of successful breaches of Dropbox in the past!

   More on that in a moment, but I want to make a quick editorial comment on the use of the term "hacked".

<soapbox>
Hacking, Hackers, Hacked... have all become misused words.  "Back in the day...", hacking was a good thing.  It's how we figured out how to make technology work before manuals and point-and-click.  These days, the term has become demonized.  A hacker is not a bad person... just a curious person.  There can be good hackers or malicious hackers.  So the term should be appropriately qualified.  And we should speak of attacks or breaches, not hacks of sites.
</soapbox>

   Back to the story... Dropbox was attacked and suffered breaches in both 2011 and 2012.  In the 2011 attack, a coding bug allowed anyone to connect to any user's files without logging in.  In the 2012 attack, similar to this most recent issue, password reuse contributed to a number of accounts being compromised, including the account of a Dropbox employee.  That employee did have access to accounts and contact info for many Dropbox users.

   There are three critical lessons to learn here:
  1. Don't reuse passwords!  I've covered this topic a number of times.  If you reuse your login credentials among sites, when one of those sets gets compromised... all of them are.  At home, you can make this all so much easier by using a password vault.
  2. Use 2-factor or 1-time passwords on any internet site that allows them.  Here are a few links with instructions.  Here's how to do it for Dropbox.
  3. At work, use only sanctioned file sharing methods.  If you share work information on a file-sharing site that has not specifically been sanctioned by your IT and Security groups, you are putting yourself, your organization and your customers' data at risk, as well as likely violating policy.  Check with your organization to see what is allowed.  In Dropbox's defense, they do offer enterprise contracts... but it's only the right choice if it meets your business requirements and your organization has such a contract!  First, figure out why you need to keep company information on the public internet... then decide what technology accomplishes that purpose!  Work with your IT and Security teams.

   We should all know that these attacks and breaches are an ongoing issue.  It's not a matter of if an organization will suffer a breach, but when, and how they will respond.  Things will get worse before they get better.  New security technologies are emerging, and those of us in the security field do try to make security usable.  But there will also be a trade-off in convenience.  There are other solutions that should be explored, for example taking steps to decrease the "value" of breached information, thereby decreasing the incentive to attack, while also using incentives for companies to adopt a more secure posture.  I'll talk about those in the future.

   Does your organization have a policy and solution around online file storage?  Do you store company information or data on unsanctioned internet sites?  Have you checked your Dropbox credentials lately?  Are you using a password vault at home?

1 comment:

  1. File sharing products like Dropbox, OneDrive and Google Drive are made for consumers, not for business. When you start using them for your company you will discover that you miss some features. Therefore my company uses Virtual data room services.