Dropbox Password Breach Highlights Cloud Security Weaknesses

By Wayne Rash | Posted 2012-08-03
NEWS ANALYSIS: While cloud service providers try to ensure their offerings are reasonably secure, they usually fall short of this basic requirement. Their greatest weakness is a failure to anticipate how users will defeat the security they have built.

The now well-publicized Dropbox security breach was the result of two things that Dropbox could have foreseen and could have prevented. The first was failing to anticipate user misconduct, and the second was failing to take steps that would keep the site secure even when its users weren’t. This was exacerbated by Dropbox employee practices that should never have been allowed and by lax management oversight.

In other words, Dropbox created the perfect storm when it comes to security. For me, the whole thing took on a sense of déjà vu. A few days before the Dropbox breach was disclosed, I’d been chairing a panel at the NetEvents Americas Press and Analyst Summit in Miami. The topic of that panel was specifically the security challenges facing mobile users of cloud applications and services, and a significant part of the discussion concerned exactly the sort of weakness that the Dropbox breach revealed.

The list of problems with Dropbox was hardly surprising, since the same list applies to other providers of public cloud services. First, security depended solely on a user name and password to gain access to a person’s files. Second, Dropbox apparently had no oversight of employee practices, including the use of live customer data in development. Third, it’s fairly clear that Dropbox had not provided adequate training in basic security practices, such as never reusing passwords across services.

Because of these shortcomings, the Dropbox breach was not a matter of if it would happen, but rather when. In this case, the only thing we know to have happened is that a number of Dropbox users received spam for gambling sites. As far as we know, only the customer email addresses stored in the Dropbox employee’s breached storage area were compromised.

Dropbox has now promised to clean up its act. The company will begin offering two-factor authentication, a way to spot suspicious activity, and a means for users to examine the login activity on their own accounts. The company is also asking for password changes on some accounts. If you’re a Dropbox user, you should at the very minimum change your password to one that is both very strong and unique to Dropbox, and don’t wait for the company to tell you to do it.

Unfortunately, the Dropbox breach has implications that stretch far beyond Dropbox. Most public cloud services have similar weaknesses because they, too, rely only on a user name and password to protect the data. Once those credentials become known, whether through reuse on a breached site or otherwise, the contents of a user’s cloud storage area are open for the taking.

Wayne Rash Wayne Rash is a Senior Analyst for eWEEK Labs and runs the magazine's Washington Bureau. Prior to joining eWEEK as a Senior Writer on wireless technology, he was a Senior Contributing Editor and previously a Senior Analyst in the InfoWorld Test Center. He was also a reviewer for Federal Computer Week and Information Security Magazine. Previously, he ran the reviews and events departments at CMP's InternetWeek.

He is a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine. He is a regular contributor to Plane & Pilot Magazine and The Washington Post.
Comments for "Dropbox Password Breach Highlights Cloud Security Weaknesses"

  • Cloud_Surfer August 06, 2012 3:11 pm

    Even if it is late, it's nice to see that leading companies in their respective verticals are giving users a better balance between security and user experience by implementing 2FA, which allows us to telesign into our accounts. I know some will claim this makes things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your files are secure. I'm hoping that more companies start to offer this awesome functionality. This should be a prerequisite for any system that wants to promote itself as being secure....

  • ScottChampine August 03, 2012 4:49 pm

    A more appropriate caption for this article would be "Dropbox Password Breach Highlights Non-Compliant Cloud Security Weaknesses." After all, a properly executed GRC strategy could very well have averted this unfortunate event. Compliant cloud providers delivering well-executed GRC strategies should not be lumped into the large group of cloud providers that fail to execute appropriately. ...

  • Fred Luchetti August 03, 2012 3:06 pm

    This is the very reason why at Jumpto we got the security right FIRST. Jumpto has been out for over a year with near-flawless operation as we take our security protocols out for a spin. Our suite of products took a back seat to the security system because we want this done right the first time. There is no second chance for critical failures like this. This problem that Dropbox has had underscores our thinking that public clouds are a bad idea. At Jumpto, when a user creates an account they are actually creating a private, anonymous and encrypted cloud. Our users go from an Internet of over 2 billion to an Internet of ONE. Sure, they can then drop down and browse just like everyone else, but when the Internet looks back on them all it sees is the faceless cloud. They can also secure their kids with the most aggressive protocols for the protection of children online anywhere. But the real power of Jumpto is the VCN, the Virtual Cloud Network. This is where each of our users will be able to connect to any other Jumpto user BY CHOICE. You choose who is in your Internet and who you connect with. The power of the Internet is now under your control with Jumpto. Use this link to check it out for a 250MB bonus: http://jumpto.com/i/eWcG ...
