The Last Watchdog

on Internet security by Byron Acohido

Dropbox breach leads to spam attack against storage service’s users

Posted on August 3, 2012

The intruders who obtained access to a Dropbox employee’s company account to steal customer data from the popular storage service very well could have used “Google hacking” techniques.

This breach was disclosed Tuesday, just as Stach & Liu released NotInMyBackYard Diggity, a free tool designed to crawl sites like Dropbox and reveal whether your personal data lies exposed.

Dropbox has acknowledged that a recent outbreak of spam promoting online gambling sites was likely the result of a Dropbox employee’s account being compromised.

The attackers evidently used passwords stolen from other websites to access a “small number” of Dropbox accounts, including that of an employee who happened to have a project file containing live customer data, Dropbox said.

Chiu

Observes Eric Chiu, cloud security expert and president & founder of HyTrust: “The datacenter is being transformed at a rapid pace — cloud, virtualization, converged infrastructure, BYOD, and mobile are all big shifts being driven by ROI, cost savings, and productivity business goals.

“However, at the same time, many of the other core elements such as security and compliance tools as well as processes have not changed to meet this new environment. Dropbox is a great example of an application that has infiltrated the enterprise, which can have serious security consequences since employees are hosting corporate confidential data without any enterprise security controls.

“With external and internal breaches happening daily, this is a perfect formula for major disasters to happen. The need for consistent configuration, and controls for access, management and visibility are critical.”

And Mark Bower, data protection expert and VP at Voltage Security, commented: “This proves again that walls around data do nothing to protect it. How many enterprises are putting sensitive corporate data into Dropbox? Probably close to zero if their CISOs and regulators have anything to do with it. This breach illustrates the risk: until the data is protected BEFORE it goes into Dropbox, it will never be ready for enterprise use.”

Bower outlines a couple of plausible scenarios for how the employee’s password might have made it into the hackers’ hands in the first place.

Bower

Says Bower: “Attackers have recently been going after badly protected passwords from third party sites; a common password across two sites, for example, can become a fast-track to a treasure trove of unprotected information.

“Another possibility is that targeted malware can steal credentials or perform another direct attack by exploiting vulnerable infrastructure and applications, bypassing traditional defenses. This has become a major issue for any internet-facing system, and cloud file sharing sites aren’t immune.”
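The password-reuse scenario Bower describes leaves a recognisable trace in a service’s own authentication logs: one source trying many different usernames with mostly failures and a few successes. The following script is an added example, not code from Dropbox, Voltage Security or the original post; it uses a constructed log format (`login user=… src=… result=OK|FAIL`) and sample lines with TEST-NET addresses, and flags sources that match that pattern so the accounts that did succeed can be forced to reset.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example, not any vendor's real format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source walks through six accounts with a single success,
# two others are ordinary users (one of them mistypes a password once).
SAMPLE_LOG = """
2012-07-31T10:15:02Z login user=alice src=203.0.113.7 result=FAIL
2012-07-31T10:15:03Z login user=bob src=203.0.113.7 result=FAIL
2012-07-31T10:15:03Z login user=alice src=198.51.100.20 result=OK
2012-07-31T10:15:04Z login user=carol src=203.0.113.7 result=FAIL
2012-07-31T10:15:05Z login user=dave src=203.0.113.7 result=OK
2012-07-31T10:15:06Z login user=bob src=198.51.100.21 result=FAIL
2012-07-31T10:15:06Z login user=erin src=203.0.113.7 result=FAIL
this line is malformed and must be skipped
2012-07-31T10:15:07Z login user=frank src=203.0.113.7 result=FAIL
2012-07-31T10:15:09Z login user=bob src=198.51.100.21 result=OK
2012-07-31T10:16:00Z login user=alice src=198.51.100.20 result=OK
""".strip().splitlines()


def parse(line: str):
    """Return the fields of one log line, or None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_stuffing_sources(lines, min_distinct_users: int = 5, max_success_ratio: float = 0.5):
    """Group attempts by source address and flag sources that tried many distinct
    accounts with a low success rate. Returns {src: summary}; 'accounts_at_risk'
    lists the usernames that source actually logged into."""
    per_src = defaultdict(lambda: {"users": set(), "ok": 0, "fail": 0, "hit": set()})
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        s = per_src[ev["src"]]
        s["users"].add(ev["user"])
        if ev["result"] == "OK":
            s["ok"] += 1
            s["hit"].add(ev["user"])
        else:
            s["fail"] += 1

    suspects = {}
    for src, s in per_src.items():
        total = s["ok"] + s["fail"]
        if len(s["users"]) >= min_distinct_users and s["ok"] / total <= max_success_ratio:
            suspects[src] = {
                "attempts": total,
                "distinct_users": len(s["users"]),
                "accounts_at_risk": sorted(s["hit"]),
            }
    return suspects


if __name__ == "__main__":
    for src, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(src, info)
```

A successful login from a flagged source is the important signal: the user’s password was valid, so the credential was leaked elsewhere and should be reset rather than merely blocked at that address.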

So could the bad guys have used Google hacking techniques to ferret out the password?

“It is possible,” Bower says. “The real problem is that there are myriad ways to gain access to sensitive information if the data itself is not protected. So, if a hacker finds a way to bypass an application, sniff unprotected traffic on a network, bypass a cloud from the back-end, or if there’s an insider in the cloud, then it’s game over.

“The only way to avoid this is to protect the data outside the cloud – encrypt it before it goes into it. Keep the cryptographic keys and live data independent of the cloud . . . Bottom line: NEVER allow sensitive information to be accessible in the cloud.”
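What “protect the data outside the cloud” looks like in practice is client-side encryption: the file is sealed on the user’s machine under a key the provider never receives, so a compromised account or an insider at the provider only yields opaque blobs. The script below is an added example, not code from Voltage Security, Dropbox or the original post. To stay within the Python standard library it uses HMAC-SHA256 as a pseudorandom function in counter mode plus an encrypt-then-MAC tag; a production client would use AES-GCM or ChaCha20-Poly1305 from a vetted library, but the structure (random nonce, keys held locally, integrity check before decryption) is the same. `CloudStore` is a stand-in for the storage service.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = hashlib.sha256().digest_size  # 32


def derive_keys(master_key: bytes) -> tuple[bytes, bytes]:
    """Split one locally held master key into separate encryption and MAC keys."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode: block i = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_for_cloud(master_key: bytes, plaintext: bytes) -> bytes:
    """Seal plaintext on the client: nonce || ciphertext || HMAC tag over both."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per object; never reuse with a key
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_from_cloud(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first (constant-time), then decrypt. Raises on tampering or wrong key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = derive_keys(master_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: blob modified or wrong key")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class CloudStore:
    """Stand-in for the storage provider: it stores and returns opaque blobs only."""

    def __init__(self):
        self._objects = {}

    def upload(self, name: str, blob: bytes) -> None:
        self._objects[name] = blob

    def download(self, name: str) -> bytes:
        return self._objects[name]

    def contains_plaintext(self, needle: bytes) -> bool:
        """What an attacker with the account, or an insider, could grep for."""
        return any(needle in b for b in self._objects.values())


def demo() -> tuple[bool, bool]:
    """Round-trip a constructed customer record; report (recovered intact, plaintext visible in cloud)."""
    master_key = secrets.token_bytes(32)  # generated and kept on the client, never uploaded
    cloud = CloudStore()
    record = b"customer: alice@example.invalid, card-last4: 1234"  # constructed sample data
    cloud.upload("customers.csv", encrypt_for_cloud(master_key, record))
    recovered = decrypt_from_cloud(master_key, cloud.download("customers.csv"))
    return recovered == record, cloud.contains_plaintext(b"alice@example.invalid")


if __name__ == "__main__":
    print(demo())  # (True, False): readable with the local key, opaque to the service
```

The tag is checked before any decryption so a modified blob is rejected outright, and because the master key is only ever derived and used locally, losing the key means losing the data, which is exactly the trade-off Bower describes when he says to keep keys and live data independent of the cloud.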

–Byron Acohido


Comments


  9. Superb article, mate, but how do I get your RSS feed? Please send us an e-mail with instructions.
