Posted on August 3, 2012
Dropbox has acknowledged that a recent outbreak of spam promoting online gambling sites was likely the result of a Dropbox employee’s account being compromised.
The attackers evidently used passwords stolen from other websites to access a “small number” of Dropbox accounts, including that of an employee who happened to have a project file containing live customer data, Dropbox said.
Observes Eric Chiu, cloud security expert and president & founder of HyTrust: “The datacenter is being transformed at a rapid pace — cloud, virtualization, converged infrastructure, BYOD, and mobile are all big shifts being driven by ROI, cost savings, and productivity business goals.
“However, at the same time, many of the other core elements such as security and compliance tools as well as processes have not changed to meet this new environment. Dropbox is a great example of an application that has infiltrated the enterprise, which can have serious security consequences since employees are hosting corporate confidential data without any enterprise security controls.
“With external and internal breaches happening daily, this is a perfect formula for major disasters to happen. The need for consistent configuration, and controls for access, management and visibility are critical.”
And Mark Bower, data protection expert and VP at Voltage Security, commented: “This proves again that walls around data do nothing to protect it. How many enterprises are putting sensitive corporate data into Dropbox? Probably close to zero if their CISOs and regulators have anything to do with it. This breach illustrates the risk: until the data is protected BEFORE it goes into Dropbox, it will never be ready for enterprise use.”
Bower outlines a couple of plausible scenarios for how the employee’s password might have made it into the hacker’s hands in the first place.
Says Bower: “Attackers have recently been going after badly protected passwords from third party sites; a common password across two sites, for example, can become a fast-track to a treasure trove of unprotected information.
“Another possibility is that targeted malware can steal credentials or perform another direct attack by exploiting vulnerable infrastructure and applications, bypassing traditional defenses. This has become a major issue for any internet-facing system, and cloud file sharing sites aren’t immune.”
So could the bad guys have used Google hacking techniques to ferret out the password?
“It is possible,” Bower says. “The real problem is that there are myriad ways to gain access to sensitive information if the data itself is not protected. So, if a hacker finds a way to bypass an application, sniff unprotected traffic on a network, bypass a cloud from the back-end, or if there’s an insider in the cloud, then it’s game over.
“The only way to avoid this is to protect the data outside the cloud – encrypt it before it goes into it. Keep the cryptographic keys and live data independent of the cloud . . . Bottom line: NEVER allow sensitive information to be accessible in the cloud.”
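As an added illustration of Bower’s “encrypt it before it goes into it” advice, the following Go program is example code written for this page, not code from Dropbox, Voltage Security or HyTrust. It encrypts a record on the client with AES-256-GCM, keeps the key locally, and hands only the resulting envelope to a stand-in for the file-sync service, so that a copy of the stored object obtained through a compromised account yields ciphertext alone and fails to decrypt if it is tampered with, moved to another path, or opened with the wrong key. The `fakeCloud` map, the object path and the sample customer record are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"log"
)

// Envelope is the only thing the storage provider ever receives: a random
// nonce plus AES-GCM ciphertext (which carries its authentication tag).
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewDataKey generates a random 256-bit key on the client. In practice it
// would live in a local keystore or HSM; it is never uploaded.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key before upload. aad (here the object
// path) is authenticated but not encrypted, so a ciphertext copied to a
// different path fails to decrypt.
func Seal(key, plaintext, aad []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open decrypts an Envelope fetched from storage. Any change to the nonce,
// ciphertext or aad, or the wrong key, returns an error instead of data.
func Open(key []byte, env Envelope, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
}

// fakeCloud stands in for the file-sync service (assumption): it stores
// whatever bytes it is given and has no access to the key.
type fakeCloud map[string]Envelope

func main() {
	key, err := NewDataKey()
	if err != nil {
		log.Fatal(err)
	}
	cloud := fakeCloud{}
	path := "projects/customer-export.csv"
	// Constructed sample record standing in for "live customer data".
	plaintext := []byte("id,email\n1,alice@example.com\n")

	env, err := Seal(key, plaintext, []byte(path))
	if err != nil {
		log.Fatal(err)
	}
	cloud[path] = env // all that a compromised account can read

	fmt.Printf("stored %d bytes of ciphertext; key never left the client\n", len(env.Ciphertext))

	got, err := Open(key, cloud[path], []byte(path))
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("decrypted locally: %q\n", got)

	// A tampered stored object is rejected rather than silently returned.
	tampered := cloud[path]
	tampered.Ciphertext = append([]byte{}, tampered.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	if _, err := Open(key, tampered, []byte(path)); err != nil {
		fmt.Println("tampered object rejected:", err)
	}
}
```

The point of binding the object path as additional authenticated data is that an attacker who can read and write the storage cannot shuffle ciphertexts between paths unnoticed; the key itself, and therefore the plaintext, stays outside the provider exactly as Bower recommends.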