More DropBox Security Issues

Most of you know that I've documented before how insecure DropBox is and how I don't think anyone should use it. Those links are here and here. The problem is not simply that your data is insecure, it is that their management does not seem to consider security important and fails the simplest criterion for any security review. The software is so bad, it simply could not have been reviewed by anyone who had any idea how to do security. If they do not know anything about security, and connect you to the Internet with software that they do not review for security issues, then they will have more than their share of problems. Add to that the fact they are a large target, thus tempting to hackers, and you have a recipe for disaster.

Some people tell me that they just don't put anything that needs to be private on Dropbox, to which I reply, "But you install their software on YOUR computer and connect with it to the Internet". Sometimes I get through to people and sometimes not. After all, it is easy.

So, it didn't surprise me when they had yet another security breach in late July that caused the loss of clients' email addresses, resulting in an onslaught of new spam to those people. The security company Sophos branded their latest breach "a mixture of poor practice both inside and outside the organization". Which is what you would expect from a company that has a zero priority for security even while holding the data for 50 million clients and connecting 250 million devices to the Internet.

Here is what seems to have happened:

A Dropbox employee stored an unencrypted document on the service that contained Dropbox users' email addresses. An attacker logged into the Dropbox employee's account, using his password. The hacker got the password from the employee's hacked Linked-In account. He then obtained a copy of the document, and used the email addresses to unleash a flood of spam to Dropbox users.

The employee made at least 3 mistakes. He re-used a password. The password was no good to start with, because if it had been any good, then it wouldn't have been cracked. The LinkedIn break-in got password and email address hashes, which would only have been decrypted if the password was weak. So he had a weak LinkedIn password which he reused for DropBox. The third mistake was storing important information in Dropbox.

So, why would the employee violate a basic rule of not re-using passwords? Why would he store client email addresses in plain text on the website? The answer obviously is that this is what you get when you do not prioritize security. My issue with Dropbox, is that they run their company in such a way that these issues were expected.

Date: October 2012

This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.

Keeping clients' computers safe and profitable for over 30 years

Home Forms About Current Newsletter subscribe Search All Articles Browse by Category Security Internet Mobile Business Hardware Fun		More DropBox Security Issues Most of you know that I've documented before how insecure DropBox is and how I don't think anyone should use it. Those links are here and here. The problem is not simply that your data is insecure, it is that their management does not seem to consider security important and fails the simplest criterion for any security review. The software is so bad, it simply could not have been reviewed by anyone who had any idea how to do security. If they do not know anything about security, and connect you to the Internet with software that they do not review for security issues, then they will have more than their share of problems. Add to that the fact they are a large target, thus tempting to hackers, and you have a recipe for disaster. Some people tell me that they just don't put anything that needs to be private on Dropbox, to which I reply, "But you install their software on YOUR computer and connect with it to the Internet". Sometimes I get through to people and sometimes not. After all, it is easy. So, it didn't surprise me when they had yet another security breach in late July that caused the loss of clients' email addresses, resulting in an onslaught of new spam to those people. The security company Sophos branded their latest breach "a mixture of poor practice both inside and outside the organization". Which is what you would expect from a company that has a zero priority for security even while holding the data for 50 million clients and connecting 250 million devices to the Internet. Here is what seems to have happened: A Dropbox employee stored an unencrypted document on the service that contained Dropbox users' email addresses. An attacker logged into the Dropbox employee's account, using his password. The hacker got the password from the employee's hacked Linked-In account. He then obtained a copy of the document, and used the email addresses to unleash a flood of spam to Dropbox users. The employee made at least 3 mistakes. He re-used a password. The password was no good to start with, because if it had been any good, then it wouldn't have been cracked. The LinkedIn break-in got password and email address hashes, which would only have been decrypted if the password was weak. So he had a weak LinkedIn password which he reused for DropBox. The third mistake was storing important information in Dropbox. So, why would the employee violate a basic rule of not re-using passwords? Why would he store client email addresses in plain text on the website? The answer obviously is that this is what you get when you do not prioritize security. My issue with Dropbox, is that they run their company in such a way that these issues were expected. Date: October 2012 This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
		I attempt to provide reliable information, but make no warranty as to the accuracy or safety of these articles. I disclaim all legal responsibility for what following these instructions may do. Follow my advice at your own risk