The recent "life hack" of journalist Mat Honan has demonstrated the degree to which many technology-savvy consumers have tied together numerous online services, including Gmail, Twitter, Amazon, and Apple iCloud. Due to rampant password reuse, however, attackers have been able to take passwords used on one site, and reuse them to log into a person's account on another site. In the case of Dropbox, that means that any corporate secrets stored there could be easily accessed.
An example of such an exploit came to light this month, owing to a Dropbox employee having stored an unencrypted document on the service that contained Dropbox users' email addresses. An attacker logged into the Dropbox employee's account, using a password that the employee had reused on another--compromised--site, obtained a copy of the document, then used the email addresses to unleash a flood of spam at Dropbox users.
[ What will it take for cloud service providers to get serious about social engineering attack vectors? See Apple, Amazon Security Fails: Time For Change. ]
Given the threat of such attacks, any business with employees that use Dropbox should keep the following five information security essentials in mind:
1. Monitor Dropbox Use
Too many businesses today are turning a blind eye to employees' use of file-sharing services. Accordingly, the first step to getting a handle on the related security concerns is to begin paying attention. "Based on our conversations with business users and IT staff, there is a fair bit more 'Dropbox' and 'Box'-like use out there than many enterprise IT would like or know about," said IDC analyst Richard Villars via email.
What's the risk? "The more we transfer everything onto the Web, onto the cloud, the less we're going to have control over it," warned Apple co-founder Steve Wozniak at a recent event in Washington, reported Agence France-Presse.
2. Compare Cloud Service Security
But many current cloud users don't do their security homework. According to a recent survey of 4,000 business and IT managers recently conducted by Ponemon Institute, which was commissioned by security firm Thales, many business users distrust cloud security, but use the cloud anyway.
"Nearly two-thirds of those that move sensitive data to the cloud regard their service providers as being primarily responsible for protecting that data, even though a similar number have little or no knowledge about what measures their providers have put in place to protect data," according to a report written by Larry Ponemon, chairman of Ponemon Institute. Accordingly, businesses must evaluate whether the cloud services being used by their employees are safe for doing business, and if they're not, which add-ons--or entirely different services--should be used instead.
3. Beware Lackluster Security Cloud Service Practices
Are cloud providers serious about security? Consider that in the Dropbox password breach that came to light this month, the company only reset the passwords of users who were known to have been affected--because their usernames or other credentials had been seen in uploads hackers made to password-cracking forums. But security experts believe that attackers typically excise any passwords they've already cracked from such uploads, as well as edit out duplicates, and they've criticized such services for not resetting all users' passwords.
"LinkedIn made the same mistake a few months ago--they only reset the passwords for the accounts they believed to be affected," said Rob Sobers, technical manager at Varonis Systems, in a blog post. "What did they base this on? The list of hashes that were published by the hackers? Is it beyond the realm of possibility that the attackers might not have published the whole list? They're hackers!"
On the upside, however, in the wake of Dropbox's password breach, the company said that it would be introducing two-factor authentication, alerts whenever it detected odd user behavior, as well as audit logs of user access.