Categories: SecurityWorkspace

The DropBox Hack That Wasn’t

Dropbox is a widely used cloud-based storage platform that is now the target of security researcher scrutiny, as user data privacy is being called into question. A pair of researchers at the USENIX security conference in August released a white paper in which they describe methods for attacking Dropbox and obtaining user data. While the merit of the actual research is debatable, it raises questions about what enterprises should be doing to protect the integrity and security of data in the cloud.

While Dropbox is aware of the research, it isn’t treating it as a security risk that demands immediate attention. A Dropbox spokesperson noted in an email to eWEEK that Dropbox appreciates the contributions of security researchers and everyone who helps keep Dropbox safe. That said, Dropbox does not currently hold the view that the research presented at the USENIX conference presents a vulnerability in the Dropbox client.

Not such a big risk?

“In the case outlined there, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board,” the spokesperson said.

Although Dropbox is not raising the alarm bells about cloud storage security, others are. Willy Leichter, senior director at CipherCloud, told eWEEK that the problems with the cloud storage security model go beyond the bugs found in Dropbox’s authentication method.

“Cloud-based file sharing sites bypass most corporate security, but businesses still need to be able to inspect information leaving their networks and prevent loss of sensitive or regulated data to unauthorized outsiders,” Leichter said.

Steven Sprague, CEO of Wave Systems, told eWEEK that in his view, the fundamental problem is that Dropbox can read all of the files, for all of the customers.

“The fact that they are stored encrypted is of no value if the keys are owned by Dropbox,” Sprague said.

Geoff Webb, director of Solution Strategy at NetIQ, agrees that ownership of the encryption keys is a key consideration. Webb told eWEEK that one of the big fallacies that users make is assuming that simply because companies like Dropbox encrypt their data, that it’s somehow perfectly safe.

Who has your keys?

“So while you may be assured that data you upload to Dropbox is encrypted, you can’t be sure of who has access to the keys themselves, and if the keys are compromised, the encrypted data is no longer protected,” Webb said.

The challenge for Dropbox and indeed for anyone trying to provide a secure online cloud service is that ease of use and security are often antithetical. Matt Richards, vice president of products at open-source cloud storage vendor ownCloud, told eWEEK that it’s important to remember that security is relative: The most secure system is one that no one can access. In his opinion, that is the opposite of the Dropbox experience, which is all about ease of use.

“The question for us is more; is this model secure enough for what you want to do with it?” Richards said. “In other words, can you trust sensitive corporate data to a service designed for consumers? Pictures of that trip to Amsterdam are very different than your draft earnings statements, sales forecasts, product roadmaps or financial spreadsheets.”

Best Practices

So, what should enterprise users be doing to properly protect data in the cloud? Enterprises need to be able to protect sensitive or regulated information before it leaves the organisation, CipherCloud’s Leichter said. In his view, security models need to move beyond just securing Secure Sockets Layer (SSL) tunnels or relying on application vendor security promises to proactively preventing certain types of data from leaving the organization and/or encrypting sensitive data before it goes to the cloud.

Wave Systems’ Sprague recommends the use of independent encryption and independent provisioning of encryption keys.

“This way, the content uploaded to Dropbox can’t be read by the provider,” Sprague said.

Not coincidentally, Wave Systems enables its customers to encrypt data uploaded to the cloud through a product called scrambls. Sprague explained that to hack the scrambls system, an attacker must have access to both systems. This provides protection from internal and external attacks at either Dropbox or scrambls.

Fundamentally when it comes to putting data in the cloud, control is the key.

“Don’t put sensitive information in a cloud you don’t own and don’t control,” ownCloud’s Richards suggests. “In practice, the need for privacy/security has to be balanced with the need for access.”

The ability to integrate a cloud storage solution with existing security practices is also key to success. The ownCloud approach leverages an open-source project that can be installed on-premises or remotely, and integrated with existing IT policies and procedures.

“When you configure ownCloud, you can choose your primary storage location, add secondary storage location(s), and make those as safe as your existing enterprise storage because you control it,” Richards said.

The ownCloud storage locations could include Amazon’s S3 storage, Google or even Dropbox.

In the final analysis when it comes to cloud-based storage, Dropbox or otherwise, it’s important for enterprises to understand the risks and the limitations.

“Like most cloud services, the assumption they should make is that the user is still responsible for security,” NetIQ’s Webb said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

What do you know about Internet security? Find out with our quiz!

Originally published on eWeek.

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

View Comments

  • Guys, check out the cloud storage service Copy. It is excellent and cheaper than Dropbox. Copy is the new Dropbox now. I use both currently, but Copy offers you more space for free than Dropbox. Both are good and both come with the desktop client to sync your files to their cloud servers. Check it out and use this link to sign up for Copy to get 20GB free instead of the regular 15GB

    https://copy.com?r=DFygGq

Recent Posts

Reddit Introduces AI Search Tool

AI-powered Reddit Answers allows users to access information based on Reddit posts, in move to…

10 hours ago

Former OpenAI Researcher Raises $40m For AI Voice Start-Up

Former co-developer of voice mode for OpenAI's ChatGPT launches WaveForms AI to make AI voice…

11 hours ago

OpenAI Releases Sora Video-Generation Tool

OpenAI releases Sora AI video-generation tool to ChatGPT Plus and Pro subscription users amidst concern…

11 hours ago

Tesla To Use Human Back-Up Drivers For Cybercab Fleet

Tesla to initially use human back-up controllers for company-owned robotaxi fleet at launch next year,…

12 hours ago

China Opens Nvidia Antitrust Probe After US Sanctions

Chinese government opens antitrust probe into Nvidia's $7bn acquisition of Mellanox, in move seen as…

12 hours ago

Google Announces Quantum Chip Error ‘Breakthrough’

Google Willow quantum chip makes significant improvements in error correction, moving quantum computing closer to…

13 hours ago