






The aforementioned Dropbox is just one EFSS public cloud vendor that, having accumulated
end users on a “freemium” basis, is attempting to gain traction in the enterprise segment. With
recent breaches as proof, Dropbox and other cloud-based file sharing tools, including Google
Drive and Box, have some security issues to overcome before becoming truly enterprise-ready.


Here are just a few examples that highlight these concerns:

• In 2011, Dropbox disclosed that all of its users’ files were publicly accessible for almost
four hours. As VentureBeat reporter Sean Ludwig noted, this snafu underscored the
security risks of cloud services. When all of your files are stored on another company’s
servers, can you trust that company to keep your data safe?
• In August 2012, Dropbox announced that some usernames and passwords were stolen
from other websites and their accounts were accessed. Since this security breach came
on the heels of Dropbox’s snafu just three months earlier, it led many to question whether
the cloud is secure enough for the enterprise. Karsten Strauss at Forbes stated in his
article on the security breach that, “This type of central intel hub – these server facilities
and their contents – may require more than tweaked third-party security software to
assure safety.”
• This past May – just one month after Dropbox released its enterprise-facing product,
Dropbox for Business – the BBC announced that users of some cloud-based file
storage services such as Dropbox and Box could be at risk of inadvertently leaking their
own files as a result of a sharing function that creates a public link. Intralinks uncovered
the problem when it found links to documents including bank statements and mortgage
applications during routine use of Google’s AdWords and Analytics services.
• In May 2014, Google announced a security hole in Google Drive where clicking
hyperlinks within a document sent referrer data to a website, meaning the owners of the
site could see the document's URL. Even though the issue was fixed quickly, a weak
spot remains because anyone who has or guesses a private link can still access it.
• Dropbox has also been battling an ongoing malware problem – black hats have
discovered how to use Dropbox’s features to spread malware, particularly the kind that
holds your files hostage until you pay a fee. Dropbox tests for viruses and malware using
a variety of different anti-virus and anti-malware programs, but Slashgear reported on
June 23 that these abuses of Dropbox’s services are still happening.
• And most recently, an anonymous Pastebin user claimed to have hacked 7,000,000
Dropbox accounts and posted several hundred username-password pairs as proof of the
claim. Dropbox issued a confusing statement in which they said they had “not been
hacked,” but that the credentials were stolen from third-party services and used to
attempt to gain access to Dropbox. Dropbox then went on to say they had “previously
detected these attacks and the vast majority of the passwords posted have been expired
for some time now.” So, apparently they were not hacked. But they were attacked, and
they fended off the “vast majority” of those attacks “some time” ago. But it’s not yet clear
what we should call the not-vast minority of attacks that were not thwarted.


Still not ready for enterprise prime time

Dropbox recently took steps to improve matters by announcing Dropbox for Business API,
which connects Dropbox for Business with a variety of third-party enterprise tools that can

5 Cyber Warnings E-Magazine – December 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
