Tuesday, October 21, 2014

Dropbox Wasn't Hacked... This Time!

   I'm sure that many of you have read the news about an apparent attack, and subsequent account breach at Dropbox this past week.  There have been conflicting reports flying around, but Dropbox's own blog points out what appears to be the truth... Dropbox wasn't hacked.

   The story is that apparently the attackers got user IDs and passwords from attacks on other applications.  They then tried these same credentials on a number of internet sites, including Dropbox.  You can read the Dropbox blog post here.

  This is a typical attack scenario, as I've discussed before.  Among the value of stealing a password file from a site or organization is that people unfortunately reuse their IDs and passwords on other sites.  This is because it's difficult to remember all those passwords!  I won't go into that issue because I've covered it plenty of times in the past.

   In this case, like many others, the attackers simply try the IDs and passwords on other sites.  It's almost guaranteed that they will get some logins that work.  That is apparently what happened here.

   So... Dropbox wasn't hacked... this time!  Of course, there have been a number of successful breaches of Dropbox in the past!

   More on that in a moment, but I want to make a quick editorial comment on the use of the term "hacked".

Tuesday, October 7, 2014

Celebrate Cyber-Style!

   It's time again to celebrate that wonderful US event... Happy Cyber Security Awareness month!  This event started in 2003 as a way to build awareness for online security and privacy and to encourage individuals, business and government.

   Over the past couple of posts I've focused on Identity Fraud (here and here).  We'll pause on that topic until next time.

   Today I give you...  The Top 10 Ways to Celebrate Cyber Security Month 2014!
  1. Change your password
  2. Yes, I know... I said in the past that just changing your password is not the effective measure.  That's true but with the frequency with which online sites get compromised, it's not a bad idea.  Even better - use really long passwords.  Remember, when it comes to passwords... size matters!

  3. Use a password vault
  4. A password vault is a program that encrypts and holds all your passwords.  I explain these in detail, and list some good products, in this post.

  5. Look before you click
  6. With most links to can "mouse over" the link.  That means you just move your mouse so it's on the link, but don't click yet!  Your browser will display the address to which the link will lead.  This displays at the bottom of the browser.  The actual link in the display should make sense and be the location you're expecting.  If not then... don't click!