08/14/2012 10:02 AM

5 Dropbox Security Warnings For Businesses

The recent Dropbox hack showed the risks of storing unencrypted, sensitive information on cloud services. Understand these security points.
What security secrets might an attacker unearth about your business on Dropbox?

The recent "life hack" of journalist Mat Honan has demonstrated the degree to which many technology-savvy consumers have tied together numerous online services, including Gmail, Twitter, Amazon, and Apple iCloud. Due to rampant password reuse, however, attackers have been able to take passwords used on one site, and reuse them to log into a person's account on another site. In the case of Dropbox, that means that any corporate secrets stored there could be easily accessed.

An example of such an exploit came to light this month, owing to a Dropbox employee having stored an unencrypted document on the service that contained Dropbox users' email addresses. An attacker logged into the Dropbox employee's account, using a password that the employee had reused on another--compromised--site, obtained a copy of the document, then used the email addresses to unleash a flood of spam at Dropbox users.

[ What will it take for cloud service providers to get serious about social engineering attack vectors? See Apple, Amazon Security Fails: Time For Change. ]

Given the threat of such attacks, any business with employees that use Dropbox should keep the following five information security essentials in mind:

1. Monitor Dropbox Use

Too many businesses today are turning a blind eye to employees' use of file-sharing services. Accordingly, the first step to getting a handle on the related security concerns is to begin paying attention. "Based on our conversations with business users and IT staff, there is a fair bit more 'Dropbox' and 'Box'-like use out there than many enterprise IT would like or know about," said IDC analyst Richard Villars via email.

What's the risk? "The more we transfer everything onto the Web, onto the cloud, the less we're going to have control over it," warned Apple co-founder Steve Wozniak at a recent event in Washington, reported Agence France-Presse.

2. Compare Cloud Service Security

But many current cloud users don't do their security homework. According to a recent survey of 4,000 business and IT managers recently conducted by Ponemon Institute, which was commissioned by security firm Thales, many business users distrust cloud security, but use the cloud anyway.

"Nearly two-thirds of those that move sensitive data to the cloud regard their service providers as being primarily responsible for protecting that data, even though a similar number have little or no knowledge about what measures their providers have put in place to protect data," according to a report written by Larry Ponemon, chairman of Ponemon Institute. Accordingly, businesses must evaluate whether the cloud services being used by their employees are safe for doing business, and if they're not, which add-ons--or entirely different services--should be used instead.

3. Beware Lackluster Cloud Service Security Practices

Are cloud providers serious about security? Consider that in the Dropbox password breach that came to light this month, the company only reset the passwords of users who were known to have been affected--because their usernames or other credentials had been seen in uploads hackers made to password-cracking forums. But security experts believe that attackers typically excise any passwords they've already cracked from such uploads, as well as edit out duplicates, and they've criticized such services for not resetting all users' passwords.

"LinkedIn made the same mistake a few months ago--they only reset the passwords for the accounts they believed to be affected," said Rob Sobers, technical manager at Varonis Systems, in a blog post. "What did they base this on? The list of hashes that were published by the hackers? Is it beyond the realm of possibility that the attackers might not have published the whole list? They're hackers!"

On the upside, however, in the wake of Dropbox's password breach, the company said that it would be introducing two-factor authentication, alerts whenever it detected odd user behavior, as well as audit logs of user access.


re: 5 Dropbox Security Warnings For Businesses

Especially for part 4 (and of course for other reasons), it is important to make sure the files uploaded to Dropbox or other cloud storage services are client-side encrypted. Because even if the files ever become available to the public, the public won't be able to decrypt and use them.
Our free tool cloudfogger ( ) provides that for all major cloud storage services.

Claudius from Cloudfogger

re: 5 Dropbox Security Warnings For Businesses

To be a proper business cloud service, security must be the fundamental building block in designing the product. Suggesting that you get that in the Dropbox for Teams product by simply adding a 3rd Party product like Okta for Active Directory integration, which adds further to the $800 cost, does not hold true. It provides authentication, but none of the important group policy functions used by IT departments.


re: 5 Dropbox Security Warnings For Businesses

There are other options to use with Dropbox or any cloud service, like secreteSync, to add an extra level of encryption. The above points are important; there are options to help protect what is placed in the storage.

re: 5 Dropbox Security Warnings For Businesses

The B2B file transfer solutions are usually branded under "Managed File Transfer".
There are a number of forums and groups that discuss these issues in depth. Take a look at the LinkedIn Managed File Transfer Group located here

There are many vendors that provide software solutions in this space, FileCatalyst is one of these vendors.

re: 5 Dropbox Security Warnings For Businesses

Another option is It also encrypts your content before it is synced to the cloud by Dropbox.

Unlike some of the other tools mentioned in these comments, Safebox doesn't require you to set up an account (disclaimer, I am on the Safebox development team).

Secure and control the files you share on Dropbox

I think that if you use Dropbox to store professional or personal files and you want to share them with other people, you need an extra tool to prevent unwanted information leakage.

I use Prot-On because I can decide who can access my documents and when, and track document use.

Pretty scary result with "LAN sync"

It's not only about data leak weaknesses, but also the way Dropbox works (bilaterally), that makes it a possible danger for our data.

This week I happened to see 5k files "vanish" after I launched Dropbox on both computer 2 (that had an older version of ~8GB documents) and the main computer.

After Dropbox on both computers said "up to date", I soon noticed some folders and documents were missing on computer 2. « That's strange! Well OK, since they're still on my main machine I'll sync them another way. » Then I realized the data had been deleted on computer 1 as well, GASP!

Run to, log in, and go to "Events": and amongst many events, read « You deleted 4973 files. » WTH? While on I opened a folder then another etc. (tells it to display the deleted files): each one had a random number of deleted folders and files.

I'm so glad I had a backup from that day! While technically possible, restoring from by myself would have been unrealistic with hundreds of folders to open and restore one after the other.

For the record, rsync from the backup says it all:

Number of files: 36,552 (reg: 34,701, dir: 1,573, link: 278)
Number of created files: 5,496 (reg: 5,040, dir: 427, link: 29)
Number of deleted files: 0

Meaning that 5,496 files were deleted on computer 1 in the Dropbox process.
Is it a bug in Dropbox's "LAN" feature? Or should I have done it another way? Meanwhile I'll never even think of Dropbox as a backup app (nor a real sync one).
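The comment above found the deletions only because a backup existed and rsync reported the difference. The following is an added example (not the commenter's or Dropbox's code) of the same check done deliberately: inventory a synced folder before and after a sync pass, diff the two inventories, and raise an alert when the sync removed more files than a user would plausibly delete. The threshold, the `build_manifest`/`compare_manifests`/`mass_deletion_alert` names and the sample inventories are all assumptions made for this example.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Assumption: a sync that removes more files than this is treated as suspicious.
MASS_DELETE_THRESHOLD = 100


def build_manifest(root: str) -> Dict[str, str]:
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks are counted separately by rsync; skip them here
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            manifest[os.path.relpath(full, root)] = h.hexdigest()
    return manifest


def compare_manifests(before: Dict[str, str], after: Dict[str, str]
                      ) -> Tuple[List[str], List[str], List[str]]:
    """Return (deleted, created, changed) relative paths between two inventories."""
    deleted = sorted(set(before) - set(after))
    created = sorted(set(after) - set(before))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return deleted, created, changed


def mass_deletion_alert(before: Dict[str, str], after: Dict[str, str],
                        threshold: int = MASS_DELETE_THRESHOLD) -> bool:
    """True when the sync removed more files than the threshold allows."""
    return len(compare_manifests(before, after)[0]) > threshold


# Constructed sample inventories (not real data): after the sync, two folders
# are gone, one file was edited and one new file appeared.
BEFORE = {f"docs/report{i}.txt": f"h{i}" for i in range(5)}
BEFORE.update({f"photos/img{i}.jpg": f"p{i}" for i in range(5)})
AFTER = {"docs/report0.txt": "h0", "docs/report1.txt": "h1-edited", "notes/new.md": "n0"}

if __name__ == "__main__":
    deleted, created, changed = compare_manifests(BEFORE, AFTER)
    print(f"deleted={len(deleted)} created={len(created)} changed={len(changed)}")
    if mass_deletion_alert(BEFORE, AFTER, threshold=5):
        print("ALERT: sync deleted more files than expected; restore from backup")
```

Against a real folder, call `build_manifest` on the synced directory before starting the client and again once it reports "up to date", then feed both results to `mass_deletion_alert`.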

Re: Pretty scary result with "LAN sync"

You might find this blog interesting... Do you use Dropbox or Box to backup your most important files and share them with your co-workers or friends? If so, you might just be sharing them with somebody else you've never even met - See more at: