More Dropbox Security Issues

Most of you know that I've documented before how insecure Dropbox is and why I don't think anyone should use it. Those links are here and here. The problem is not simply that your data is insecure; it is that their management does not seem to consider security important and fails the simplest criterion for any security review. The software is so bad that it simply could not have been reviewed by anyone who had any idea how to do security. If they know nothing about security and connect you to the Internet with software they do not review for security issues, then they will have more than their share of problems. Add the fact that they are a large target, and thus tempting to hackers, and you have a recipe for disaster.

Some people tell me that they just don't put anything that needs to be private on Dropbox, to which I reply, "But you install their software on YOUR computer and connect it to the Internet." Sometimes I get through to people and sometimes not. After all, it is easy to use.

So it did not surprise me when they had yet another security breach in late July that exposed clients' email addresses, resulting in an onslaught of new spam to those people. The security company Sophos branded the latest breach "a mixture of poor practice both inside and outside the organization", which is what you would expect from a company that gives security zero priority even while holding the data of 50 million clients and connecting 250 million devices to the Internet.

Here is what seems to have happened:

A Dropbox employee stored an unencrypted document on the service that contained Dropbox users' email addresses. An attacker logged into the employee's Dropbox account using his password, which had been obtained from the employee's compromised LinkedIn account. He then took a copy of the document and used the email addresses to unleash a flood of spam on Dropbox users.

The employee made at least three mistakes. He reused a password. The password was no good to start with, because if it had been any good it would not have been cracked: the LinkedIn break-in yielded password hashes and email addresses, and a hash can only be cracked in reasonable time if the password behind it is weak. So he had a weak LinkedIn password that he reused for Dropbox. The third mistake was storing important information in Dropbox.
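Two of the three mistakes above (a weak password, and reusing it) are things a service can catch at registration and limit in storage. The example below is added here and is not code from Dropbox, LinkedIn or the author; it screens a candidate password against a constructed denylist of hashes from a "leaked dump" (assumed to be unsalted SHA-1, a format chosen purely for illustration), and shows the storage side: a per-user salt with a slow hash so that a stolen hash table cannot be matched against a precomputed corpus, and so that two users with the same password do not share a stored hash. The wordlist, hashes and iteration count are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a breach wordlist. Real dumps hold millions of
# entries; these are illustration values only.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein",
                    "dropbox2012", "linkedin"]

def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password, the (assumed) format of the leaked dump."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Denylist as a defender would build it from a published dump: hashes only,
# so the plaintexts never need to sit next to the registration code.
LEAKED_HASHES = {sha1_hex(p) for p in COMMON_PASSWORDS}

def is_in_breach_corpus(password: str) -> bool:
    """True if this password's unsalted hash appears in the leaked set.

    This is exactly the work an attacker does in reverse: hash each guess
    and look for it in the dump. A weak password is found in one lookup."""
    return sha1_hex(password) in LEAKED_HASHES

def screen_password(password: str, min_length: int = 12) -> list:
    """Return the reasons a candidate password should be rejected."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if is_in_breach_corpus(password):
        problems.append("appears in a known breach corpus")
    return problems

# Iteration count is a constructed sample value; pick it for your hardware.
PBKDF2_ITERATIONS = 200_000

def store_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> tuple:
    """Per-user random salt plus a slow KDF. Returns (salt, digest) to store."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute with the stored salt; constant-time compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations)
    return hmac.compare_digest(candidate, digest)

def same_password_same_stored_hash(password: str) -> bool:
    """With per-user salts, two users choosing the same password get
    different stored digests, so a dump does not reveal shared passwords."""
    _, d1 = store_password(password)
    _, d2 = store_password(password)
    return d1 == d2

if __name__ == "__main__":
    for pw in ["dropbox2012", "correct horse battery staple"]:
        print(pw, "->", screen_password(pw) or "accepted")
    salt, digest = store_password("correct horse battery staple")
    print("verify:", verify_password("correct horse battery staple", salt, digest))
    print("same stored hash for same password:",
          same_password_same_stored_hash("password"))
```

The screening step is the registration-time control that would have rejected a password already sitting in a public dump; the salted slow hash is the storage-side control that makes a stolen table expensive to crack and removes the one-lookup shortcut the attacker had against the unsalted set.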

So why would the employee violate a basic rule of not reusing passwords? Why would he store client email addresses in plain text on the service? The answer, obviously, is that this is what you get when you do not prioritize security. My issue with Dropbox is that they run the company in a way that makes these incidents expected.

Date: October 2012

This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
