Breach in the Cloud

Don’t blame your bad password choices on Dropbox


Uh oh…Dropbox is in the headlines again. Recently, account login credentials were obtained from third-party websites, and criminal hackers subsequently used those credentials to sign into an undisclosed number of the cloud-based file-sharing accounts. It just so happens that one of those accounts belonged to a Dropbox employee, and the criminal hackers were able to obtain an e-mail list of certain users.

Many are saying this event does not bode well for the service, given its history of security breaches — however, based on what I know about the situation, this is not a Dropbox problem, it’s a user problem! This breach could have happened to any website such as eBay, Amazon.com or ESPN.com; in fact, I’m confident this scenario happens all the time. Picking on Dropbox, and the cloud in general, is just fashionable these days.

Don’t get me wrong — I am no cloud fan boy — I have written extensively about cloud oversights and gotchas that can come back to haunt us if we choose to ignore them. As far as the breached Dropbox employee’s account that the criminals found with Dropbox user e-mails goes: so what?

This is exactly why we have computers and networks — to store and share information. But since the breach involved a cloud-based service, it must be a big problem. I don’t think so — every business stores its customer information this way, whether it is vulnerable or not. If we are going to pick on Dropbox, it should be to point out the general lack of policy enforcement, and the fact that their own employees do not use strong passphrases for their accounts.

Dropbox’s recommendation is comical. It wants its users to come up with a unique password for each individual website they interact with…yeah, right! I don’t do that, you don’t do it and nobody else does it either. We all probably have a thousand or more unique Web accounts — imagine having a unique password for each one; that’s obviously not going to work. I’m sure I still have a few weak passwords on websites that seemed innocuous at the time. Let’s face it, we have all used passwords like “123456” and “password” when the account isn’t vital (and sometimes when it is) — there’s a reason why those are the most popular passwords on the net.

But this is where the criminal hackers and their software thrive. Unless and until we look in the mirror and take responsibility for our own actions in and around security, these breaches will continue — whether on a cloud-based file system or on a major banking website.

Putting sensitive information in the cloud is one thing. Users are in denial when they assume that a weak password they reuse in numerous locations is going to keep things in check. Sadly, in the end, even the most elaborate security controls, no matter how well-designed and expensive, can all be negated by a single weak password.

What Dropbox is doing is putting the onus for security back on its users, where, in this case, it probably should be; however, the real problem is two-fold, and it involves both sides of the fence. The first is, of course, users who continue to choose weak passwords for their accounts; the second major problem lies with website and application administrators who do not regularly test for security flaws.

Perhaps the worst part of the Dropbox breach is that some of the competing cloud vendors are trying to capitalize on this incident, which is marketing nonsense that just ends up creating a negative buzz around the whole product. The bottom line from a security standpoint is that it comes back to all of us — when are we going to outgrow our poor passwords?


Kevin Beaver is an information security consultant with Atlanta-based Principle Logic LLC (www.principlelogic.com). With more than 23 years of experience, he specializes in performing security assessments revolving around minimizing information risks. He has authored/co-authored 10 books on information security including the newly-released Implementation Strategies for Fulfilling and Maintaining IT Compliance. He’s the creator of the Security On Wheels information security audio books and blog. Follow him on Twitter at @kevinbeaver.