Tuesday, February 12, 2013

Dropbox and security?

A friend of mine tweeted about Sam Glover's article about Dropbox security, which I responded to with a tweet saying that "The technology behind dropbox is just fine. The weakness is people - convenience vs security."  Of course there are other views being presented as well, and as you can only fit so much of an argument in 140 characters, I thought this was worth some more in-depth discussion.

Firstly, let's define what we mean by "secure". In the context of Dropbox I'll define this to mean that no one gets access to files you store with Dropbox, other than the files you explicitly want them to have access to. Secondly, with a definition agreed, let's outline the threats to Dropbox security (note some of this is already covered in Sam Glover's article):

Threat 1: The Dropbox T&Cs allow Dropbox to access your data, or provide access to your data to the US government.

I'm going to ignore this threat, as I see it no differently to any other IT situation.  There is always someone somewhere who has "god access" to the system.  This applies to your on-site file share, your email (regardless of who is is managed by), and any other IT systems you use.

Threat 2: How secure is your Dropbox password?

People are lazy. I include myself in this, please don't take it as an accusation.  I have a bunch of different passwords, but for things that I don't consider critical, I have one password that I use over and over again.  This is not secure - if one of the sites I use that password for is hacked, and they happen to be foolish enough to be storing my password in an insecure way, then the hacker most likely will have my email address and my password.  They will then look at other sites (Facebook, Google, Microsoft (Live/Hotmail), Yahoo, Dropbox, LinkedIn, etc etc) - in many cases a user will have used the same password across many of them.

If you use the same password for Dropbox as you do for other systems, then you are relying not only on the security of Dropbox, but also the security of the other system.  If you are using Dropbox for sensitive information then I highly suggest you use a password for Dropbox that you don't use anywhere else.  Can't remember your password?  Simple - download the free KeyPass application (or similar) to store your passwords in.  Don't forget that this then becomes another risk, you need to ensure your passwords are safe, just because an application says they're safe, they may not be (I can vouch for KeyPass).

Note that any IT system will be exposed to this threat, however IT systems that can be accessed from the Internet (ie most cloud systems, or any system you host yourself but have decided to expose to the internet) are more vulnerable to this due to the ease with which a hacker can re-use a stolen password.

Threat 3: How secure is your email?

Moving on from the above, even if you do as I say and have a separate password, if your email is not secure, then neither is any system that has a "reset your password" link.  Dropbox, as with many other systems, allows you to reset your password via email.  If I can hack into your email, then I can simply go to Dropbox, click the reset password button, and voila, I now have access to your Dropbox account.  A well known IT journo Mat Honan was victim to this style of attack last year.

Threat 4: Do you share Dropbox files with other people?

Dropbox is great, you can easily upload a file and send a link to someone else so they can see that file - this gives you the option to tweet, email, facebook, or send the link through whichever channel you might want to  - very valuable given that some of these channels don't support attachments.  However, there's a downside to this.  There is the possibility that you might share more of your Dropbox account than intended, and in doing so give people access not only to the file you intended to share, but also to other files that you don't want to share.  If you think this is unlikely, pause to consider that a significant proportion of security vulnerabilities are not due to highly technical hacking technique, but instead due to a system administrator misconfiguring something.  If an IT professional can get it wrong, so can you.

Threat 5: Do you grant other applications access to your Dropbox account?

If you use an smartphone or tablet, the chances are that you have an application installed that has the ability to store or share content with Dropbox. This is great from a convenience point of view, but opens up more points at which someone can get access to your account.  If there's a bug in that application, or a malicious person has access to that application, the integration with Dropbox is suddenly not only convenient for you, but also for a hacker.

What should I do?

So, what is my advice? Unless you have a dedicated IT Security function, Dropbox will probably do you just fine, provided you follow some basic tips:

  1. Acknowledge that there is a system administrator somewhere who can look at your data.
  2. Use a unique strong password.  Don't write it down - instead use KeyPass or similar if you want to store it.
  3. Treat your email as a highly important secure system.  Use two-factor authentication if it is offered by your email provider (Google and Yahoo provide this, Microsoft do not)
  4. If you use Dropbox to share files, use a different account to do so, or make sure you know what you're doing.
  5. Be wary of applications that require access to your Dropbox account.
Finally - I'm sure that experienced Information Security Professionals could elaborate on the above, I don't consider myself to be all-knowing with regard to Information Security, but I think the above covers the key points.

No comments:

Post a Comment