Dropbox fiasco serves as reminder of cloud-storage insecurity

End-user ignorance is demonstrably more dangerous when let loose on public clouds. IT admins must educate users to approach cloud storage cautiously

From Dropbox and Google Drive to MediaFire and RapidShare, there's an abundance of services providing space in the cloud for people to park their files. These file-sharing services are superconvenient for users who want to easily store large files or share them with colleagues. But as the recent spam attacks against Dropbox users demonstrate, cloud-based file-sharing services represent a potential security challenge for cloud-wary IT admins -- who are already dealing with the security challenges brought on by the BYOD movement.

Specifically, this spam attack against Dropbox users (which could have been far worse) came as a direct result of a single end-user's ignorance (or naiveté, if you prefer) about basic password security -- possibly coupled with unclear or nonexistent data-security policies.

To better understand the challenges, first you need to understand what happened. A hacker got his or her hot little hands on stolen log-in credentials for one or more websites. It's not clear which sites, and it doesn't really matter here. What matters is that among the credentials were those belonging to an unnamed Dropbox employee. The hacker discovered that employee was using the same password for his or her Dropbox account as for the mystery site. Thus, the hacker was able to access the employee's Dropbox and found "a project document containing user email addresses," according to Dropbox's Aditya Agarwal.

Soon after, the owners of those email addresses found themselves receiving an abundance of spam messages directing them to gambling sites.

That may not sound too bad at first blush. So a few Dropbox users had to deal with some easy-to-ignore spam -- it's not as though their passwords got swiped and their data got stolen, right? But it easily could have been worse. Instead of sending Dropbox users unsolicited ads for a gambling website, the spammers could have crafted a convincing-looking phishing message to dupe users into divulging their Dropbox passwords, thus giving the bad guys access to whatever sensitive or valuable info others users might have stored in the cloud (such as, say, a document containing sensitive client contact information). Alternatively, the phishing message could include a link to a site meant to look like Dropbox but that infects a visitors' machine with malware.

End-user ignorance played a key role in all this. The Dropbox employee was reusing passwords among various sites, which is a big security no-no -- perhaps more so if you're using the same password for a work-related account as for a personal account. Imagine having only one key that opened your house, your car, your office door, your safe deposit box, your file cabinet, and so forth. Now imagine if a bad guy got a copy of that all-access key. You'd run the risk of losing a lot more valuables than you would if you had a different key for each lock. It's not a difficult concept to grasp in the real world -- but it can be in the cyber world.

Additionally, one wonders why the employee put a document containing sensitive customer data into his or her Dropbox as part of a project. Why not a document with fake email addresses? Or an encrypted version of the file? Was it even permitted under Dropbox's internal security policies? As my InfoWorld colleague Woody Leonard observed over a year ago in an article about a Dropbox security risk, "storing sensitive, unencrypted information in the cloud is foolish, no matter how you slice it."

Dropbox has said it will introduce some changes to its security practices and features to prevent this kind of thing from happening again. Per Agarwal, those changes are as follows:

  • Two-factor authentication, which will optionally require two proofs of identity, such as your password and a temporary code sent to your phone, when signing in (coming in a few weeks)
  • New automated mechanisms to help identify suspicious activity; Dropbox will continue to add more of these over time
  • A new page that lets users examine all active log-ins to their accounts
  • In some cases, Dropbox may require users to change their passwords (if, for example, they are commonly used or haven't been changed in a long time)

Those changes are all well and good, if not overdue, but had they been in place, would they have prevented the recent series of events from occurring? As history has demonstrated time and again, even the strongest security measures can be undone by end-user ignorance and poorly devised (or nonexistent) internal IT policies.

Just as IT admins may not like the fact that users are bringing their personal devices onto the corporate network, they may not like that users are relying on public cloud file-sharing services. But they need to deal with it one way or another, which might mean blocking access to such sites, creating clear policies as to which such services can be used and how, and educating users to approach cloud storage with caution.

This story, "Dropbox fiasco serves as reminder of cloud-storage insecurity," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Copyright © 2012 IDG Communications, Inc.