This week I have been more out of the UK than in it as I attend the ISSE and Black Hat Europe conferences.
However, to the delight of this writer, there has been no shortage of security news to keep me hunched over my laptop. One such story surrounded the apparent leaking of usernames and passwords from the file-sharing website, and scourge of IT staff and privacy campaigners, Dropbox.
Many news websites and expert commentators claimed that the site had been hacked, and on the face of it that was a fair conclusion to draw. Dropbox disagreed, saying in a blog post that “recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe.”
It said that those leaked usernames and passwords were stolen from unrelated services, not Dropbox, and attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. “We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens,” it said. “Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services.”
It also said that another list of usernames and passwords had been posted online and, after checking them, it deemed that they were not associated with Dropbox accounts.
The advice, as ever, is not to use the same credentials across multiple websites and applications, and it seems that all is well at Dropbox. So why the hysteria? Tony Pepper, CEO of Egress, said that the incident highlights the insecurities of the cloud and the fact that user passwords can easily be sourced from other areas.
He said: “Usernames and passwords used to access services such as Dropbox are being targeted, and once hackers have access they can see everything. It is not just personal information that is at risk but commercially sensitive data as well.”
Pepper pointed out that as IT becomes increasingly consumerised, people are not only bringing their own devices to work, they are bringing their bad habits too, and given the frequency with which we are seeing data intercepted and stolen, it is just common sense to add extra layers of security. “Businesses should ensure that they can offer users secure alternatives, with built-in encryption and auditing, so that they can still use Dropbox-like services without compromising data security.”
Whether the leak came from within or, as in this case (and in the case of the Snapchat breach), from a third party, it highlights the problem that businesses have with such “consumerised” applications. Troy Gill, manager of security research at AppRiver, said: “Although it is not clear what particular third-party services are/were responsible for this breach, users should think twice when giving any third-party service permission to access data.”
Tim Erlin, director of security and risk at Tripwire, said that services like Dropbox provide a valuable service, but they also provide a back-channel file-sharing mechanism for business users when IT isn’t meeting their needs. “That means that uncontrolled, often forgotten, sensitive data is being stored outside of policy and corporate protections. If you don’t have visibility into who in your environment is using services like Dropbox, you are at risk,” he said.
It seems that the big problem here is the use of email addresses as the username, and the lack of adoption of two-factor authentication. Using the email address as the username means that a username and password pair stolen from one site can be replayed, unchanged, against every other site the victim uses. The latter is easy to add but, I would assume, not widely adopted by business; the former is something that the application itself needs to address.
Barry Scott, CTO EMEA at Centrify, told me in conversation that he would question how much information an application needs from you, and that there should be a level of authentication and a maximum number of login attempts before you are locked out, to prevent brute-force entry efforts.
He said: “Applications are beginning to do that, and one recommendation is to use SAML authentication and federated authentication, and they are making the effort, but we can only keep banging away at them on stuff like this. Users need to keep on at them to get the message home.
“There is an onus on the user and on the company, who need a password policy, but the onus is on the SaaS application to lock you out if you try to enter it more than five times. You cannot stop people using mobile devices, but they have got to have an easy way of authenticating, but because of history they don’t have the answer, so let’s mitigate while the passwords are still there.”
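The two controls discussed above, the suspicious-login detection Dropbox describes (one source replaying a stolen credential list against many accounts, with the few successes forcing a password reset) and the five-attempts lockout Scott argues for, as an added example in Python. This is not code from Dropbox, Centrify or anyone else quoted here; the log line format, the thresholds and the sample attempts are constructed for illustration.

```python
"""Credential-stuffing detection and per-account lockout over auth-log lines.

Added example, not code from Dropbox or any vendor quoted in the article. The
log format (timestamp, client IP, username, OK/FAIL), the thresholds and the
sample lines are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5          # lock after this many consecutive failures ("five times")
STUFFING_MIN_ACCOUNTS = 8      # a source trying at least this many distinct accounts...
STUFFING_MAX_SUCCESS_RATE = 0.25  # ...with at most this hit rate is replaying a stolen list

# Constructed sample log: one attempt per line, in time order.
SAMPLE_LOG = """\
2014-10-14T09:00:01 203.0.113.7 alice@example.com FAIL
2014-10-14T09:00:02 203.0.113.7 alice@example.com FAIL
2014-10-14T09:00:05 203.0.113.7 alice@example.com OK
2014-10-14T09:01:00 198.51.100.9 bob@example.com FAIL
2014-10-14T09:01:01 198.51.100.9 bob@example.com FAIL
2014-10-14T09:01:02 198.51.100.9 bob@example.com FAIL
2014-10-14T09:01:03 198.51.100.9 bob@example.com FAIL
2014-10-14T09:01:04 198.51.100.9 bob@example.com FAIL
2014-10-14T09:01:05 198.51.100.9 bob@example.com OK
2014-10-14T09:01:06 198.51.100.9 bob@example.com FAIL
2014-10-14T09:02:00 192.0.2.44 user01@example.com FAIL
2014-10-14T09:02:01 192.0.2.44 user02@example.com FAIL
2014-10-14T09:02:02 192.0.2.44 user03@example.com OK
2014-10-14T09:02:03 192.0.2.44 user04@example.com FAIL
2014-10-14T09:02:04 192.0.2.44 user05@example.com FAIL
2014-10-14T09:02:05 192.0.2.44 user06@example.com FAIL
2014-10-14T09:02:06 192.0.2.44 user07@example.com OK
2014-10-14T09:02:07 192.0.2.44 user08@example.com FAIL
2014-10-14T09:02:08 192.0.2.44 user09@example.com FAIL
2014-10-14T09:02:09 192.0.2.44 user10@example.com FAIL
"""


@dataclass
class Account:
    failures: int = 0    # consecutive failures since the last success
    locked: bool = False


@dataclass
class Source:
    users: set = field(default_factory=set)      # distinct accounts tried from this IP
    successes: set = field(default_factory=set)  # accounts it got into


def parse_line(line):
    """Split one log line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, result = line.split()
    return ts, ip, user.lower(), result == "OK"


def analyse(log_text):
    """Replay the log in order, applying lockout as the server would have."""
    accounts = defaultdict(Account)
    sources = defaultdict(Source)
    blocked = []  # (ts, ip, user) refused because the account was already locked
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, ok = parse_line(line)
        acct, src = accounts[user], sources[ip]
        src.users.add(user)
        if acct.locked:
            # Locked accounts reject even the correct password until reset.
            blocked.append((ts, ip, user))
            continue
        if ok:
            acct.failures = 0
            src.successes.add(user)
        else:
            acct.failures += 1
            if acct.failures >= LOCKOUT_THRESHOLD:
                acct.locked = True
    # Many distinct accounts from one IP with few hits: real users know their
    # own password, a stolen list mostly does not. The hits need a reset.
    stuffing = {}
    for ip, src in sources.items():
        if (len(src.users) >= STUFFING_MIN_ACCOUNTS
                and len(src.successes) / len(src.users) <= STUFFING_MAX_SUCCESS_RATE):
            stuffing[ip] = {"accounts_tried": len(src.users),
                            "compromised": sorted(src.successes)}
    reset_required = sorted({u for s in stuffing.values() for u in s["compromised"]})
    return {"locked": sorted(u for u, a in accounts.items() if a.locked),
            "blocked": blocked, "stuffing": stuffing, "reset_required": reset_required}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print("locked:", report["locked"], "| refused while locked:", len(report["blocked"]))
    for ip, info in report["stuffing"].items():
        print(f"stuffing from {ip}: {info['accounts_tried']} tried, got into {info['compromised']}")
    print("force password reset:", report["reset_required"])
```

Two points the sample is built to show: the brute-forcer on bob@example.com guesses the right password on its sixth attempt, but the account was locked on the fifth failure, so that attempt is refused; and the stuffing source is caught not by any single account failing repeatedly (each is tried once, so per-account lockout never fires) but by the spread of accounts from one IP and the low hit rate. The per-account counter alone would have missed it.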
I’ve been hearing suggestions that the industry may be suffering from “breach fatigue”, but what are the chances that another, bigger and worse breach is around the corner, and that the application at fault can blame it on another website? We’ve seen it this week, and we will likely see it again soon. The problem is with attribution and accepting responsibility; if that is done and we are able to sort the problems out, then fatigue will drain away and we can move forward in a more secure way.