Customers of cloud-based file storing-and-sharing company Dropbox should check on the data they’ve entrusted to the service, following the company’s admission that it messed up its access controls for several hours.
(Updated: please see footnote below.)
Unlike the majority of data breaches we’ve reported on lately – where usernames and passwords were stolen, allowing attackers and miscreants to access other people’s accounts illegally – Dropbox’s “hack” was of a more embarrassing sort.
Apparently, Dropbox published a code update which inadvertently removed the need to authenticate. So you could log in to other people’s accounts without knowing their passwords at all. (Dropbox isn’t alone in having made this sort of mistake. Facebook did something similar last year, leading to Mark Zuckerberg’s own fan page being hacked.)
Ouch.
One popular use of services like Dropbox is to get around the restrictions many companies put on emailing around large files. If I’m working at home and have a huge spreadsheet which I know my IT manager won’t let through the email gateway, I can just upload it to Dropbox and share the resulting web link with my colleagues.
In theory, the risk of this should be no worse that me copying the file to a USB key and letting my colleagues copy it from there. (In fact, if you’re not careful with USB keys, they may pose a larger risk than sharing web links, since the USB key may contain other files – such as malware – besides the spreadsheet you just saved on it.)
But the safety of a web link allowing you to share a file “through the cloud” depends very strongly on who’s able to access that link. If anyone can download it, you run the risk of data leakage. And if anyone can access and modify it, you run the risk of something much worse.
Dropbox can also automatically synchronise your own files between all your various devices, such as your desktop PC, your Mac laptop and your smartphone.
In the company’s own promotional video, an intrepid adventurer named Josh uses Dropbox to share and to synchronise detailed information between his numerous devices for his forthcoming safari in Africa.
That means that unauthorised access to your Dropbox data could give cybercrooks an enormous amount of information about your life, your plans and your identity. And unauthorised modification of your Dropbox data could propagate incorrect information throughout your digital world.
Dropbox did well to fix the problem within four hours, and to admit this openly on its blog.
But the “eternal beta” flavour of many cloud services – where updates and improvements are rolled out regularly and frequently to suit the service provider rather than its users – is an often-underestimated risk.
By the way, one way to improve the safety of web-based file sharing is to encrypt the files you share before you upload them. Only someone with the password will be able to decrypt those files. And if you don’t have the password, you won’t be able to alter their content, either.
If you’re interested, Sophos has a free tool for Windows users that you can use to encrypt and compress sensitive information. You can use it for free both commercially and personally.
* Download now (direct download, no registration, Windows only)
Footnote. As alert Twitterer Andy Durdin points out, you can readily see if someone else has changed your Dropbox files. But you can’t see if someone else has been snooping through your data.
Dropbox suggests on its blog that less than 1% of accounts were accessed during the unprotected period, and that it will contact those users in case the access was unauthorised.
If your account was accessed, be sure to ask Dropbox for a detailed log of what happened so you can find out what got stolen as well as what got changed. Unauthorised access and unauthorised modification are both bad for your digital well-being.
Is there a Mac version of the encryption software available or coming?
The best free, open, and multi-platform encryption solution is Truecrypt. Perfect if you're a Mac, or Linux, or Windows, or Android user 🙂
Paul,
As Sophos' free tool is Windows only, I'd be interested to hear your recommendations for similar applications for Mac users.
I've read a plethora of reviews of the various Mac solutions available, but I'm curious if you and/or the Sophos team have some personal favorites that you would be willing to share?
Cheers!
bswins
For a quick option, although the UI is a little techie, Mac users can use the built-in "Disk Utility" (under Utilities in the Applications folder) to create an encrypted container that you can put files in.
Instructions here on Apple's website: http://support.apple.com/kb/ht1578
Only catch is that you'll only be able to decrypt those files on a Mac.
well i found this (http://www.sophos.com/en-us/products/free-tools/sophos-free-encryption.aspx) but its a pain to download. I used the Windows version and I like it (it seems way easier to use than TrueCrypt). It'd be nice to have a Mac version as well.
If you click on either of the "Download now" links in the article, there's no pain at all in downloading – the URI takes you directly to the executable. (No registration form. You don't even have to give us a made-up email address.)
I think the "Beta" moniker is a wonderful tactic. It allows you to point to it whenever an issue arises. The fact that people trust important data to a 3rd party without really considering the ramifications is disturbing. But they do, and they do it often. And to be fair, I'm in that category as well.
While cloud technology is growing by leaps and bounds and the adopters of it are increasing exponentially, shouldn't we stop for a minute and just think about it? There is a rather interesting thing about clouds; they can obfuscate.
"Beta" is a sensible warning label and any user downloading such software would be better off learning exactly what it means and making an informed choice whether to use such appropriately labelled software. That said, "beta" software should have strict standards of quality control (no bugs currently known about at the time of release) and certain software should never really be released to the wider public in beta testing (such as those that manage sensitive or mission critical data).
Is there a IOS version ? Nice feature of DropBox is that I can get to my files from iPhone or iPad.
Apparently one can not use dropbox with Sophos anyway. Sophos blocks dropbox installation.
I don't believe we block the installation of DropBox by default. Speak to your network administrator – it is probably they who have configured Sophos to block installation of Dropbox.
Not sure about Microsoft Office, but I use Libre Office and it is possible to encrypt your files with a password (I think the same is true for OpenOffice/ApacheOffice).
That way you won’t have to bother with the extra layer of a disk encryption program such as TrueCrypt (which I use when the program doesn’t offer encryption).