You know the general public is suffering from security fatigue when something as big as the Dropbox breach appears in the news and, almost as quickly, disappears. In case you blinked: online magazine Vice.com broke the news last week that a database had surfaced containing over 60 million Dropbox.com user accounts (email addresses) and hashed passwords. Almost immediately afterwards, Dropbox itself emailed its users to say it was resetting the passwords of accounts that might have been affected by a 2012 breach. Breach notification site HaveIBeenPwned.com corroborated the reports: the database does contain valid email addresses and password hashes.
What this means for you:
Even though breach data may be years old, it can still be valuable, especially if the passwords were stored with a fast, easy-to-crack hash rather than encrypted in any real sense. In the Dropbox case, roughly half of the passwords were hashed with bcrypt, a deliberately slow algorithm that makes cracking at scale impractical, and the other half with salted SHA-1, which is weaker but still not trivial to crack. As proof of their continued value, databases from breaches as far back as 2012 and earlier are still actively traded and sold on the digital black market, and as cracking hardware gets faster and cheaper, even strongly hashed databases become progressively more exposed. If your account and password only showed up in the Dropbox.com breach, you can consider your password relatively safe for now (change it anyway, since you can't tell which half of the dump your hash landed in!), but if you used the same password elsewhere, and that account was exposed in another breach, like the LinkedIn.com breach that happened the same year, an attacker who cracks one copy has the key to both, and your security is considerably more compromised. Multiply that exposure for every other breach you were part of where you reused the password, and that doesn't even count the breaches that haven't been publicized yet!
Long story short: check HaveIBeenPwned.com, change your passwords, and don’t reuse passwords!
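To make the two points above concrete, here is a small worked example added for this post (it is not code from the original article or from Dropbox). It runs an offline dictionary attack against two constructed "dumps": one hashed with a single salted SHA-1, one with a deliberately slow hash. PBKDF2-HMAC-SHA256 stands in for bcrypt because bcrypt is not in Python's standard library, and the account records, salts and wordlist are invented for the demo. It also shows why reuse hurts: a password cracked once in the fast dump is immediately a valid credential for the same email in the other.

```python
"""Why the hash algorithm in a breach dump matters, and what password reuse costs.

Added example. PBKDF2-HMAC-SHA256 stands in for bcrypt (not in the standard
library); the 'dumps' and the wordlist below are constructed for the demo."""
import hashlib
import hmac
import time

WORDLIST = ["letmein", "dropbox2012", "Summer16!", "correct horse", "hunter2", "qwerty"]

# Constructed (email, salt, password) triples; a real dump contains only the hash.
DROPBOX_ACCOUNTS = [
    ("alice@example.com", b"\x01" * 8, "dropbox2012"),
    ("bob@example.com", b"\x02" * 8, "Summer16!"),
    ("carol@example.com", b"\x03" * 8, "n0t-in-any-wordlist-7Q"),
]
LINKEDIN_ACCOUNTS = [
    ("alice@example.com", b"\x0a" * 8, "dropbox2012"),  # same password reused
    ("bob@example.com", b"\x0b" * 8, "letmein"),        # different password
]


def salted_sha1(salt: bytes, password: str) -> str:
    """Fast hash: a single SHA-1 over salt+password. Cheap to verify, cheap to guess."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def slow_hash(salt: bytes, password: str, iterations: int = 20_000) -> str:
    """Deliberately slow hash: every guess costs the attacker 20,000 HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_dump(accounts, hasher):
    """Turn (email, salt, password) into the (email, salt, hash) records a breach leaks."""
    return [(email, salt, hasher(salt, pw)) for email, salt, pw in accounts]


def crack(dump, wordlist, hasher):
    """Offline dictionary attack: {email: password} for every hash the wordlist matches."""
    recovered = {}
    for email, salt, digest in dump:
        for guess in wordlist:
            if hmac.compare_digest(hasher(salt, guess), digest):
                recovered[email] = guess
                break
    return recovered


def guesses_per_second(hasher, seconds=0.2):
    """Rough attacker throughput on one CPU core; GPUs widen the gap further."""
    salt = b"\x00" * 8
    start = time.perf_counter()
    n = 0
    while time.perf_counter() - start < seconds:
        hasher(salt, WORDLIST[n % len(WORDLIST)])
        n += 1
    return n / (time.perf_counter() - start)


def reused_credentials(cracked_a, cracked_b):
    """Emails whose recovered password is identical in both cracked sets."""
    return sorted(e for e, pw in cracked_a.items() if cracked_b.get(e) == pw)


def demo():
    dropbox = crack(build_dump(DROPBOX_ACCOUNTS, slow_hash), WORDLIST, slow_hash)
    linkedin = crack(build_dump(LINKEDIN_ACCOUNTS, salted_sha1), WORDLIST, salted_sha1)
    return {
        "dropbox_cracked": dropbox,
        "linkedin_cracked": linkedin,
        "reused": reused_credentials(dropbox, linkedin),
        "fast_rate": guesses_per_second(salted_sha1),
        "slow_rate": guesses_per_second(slow_hash),
    }


if __name__ == "__main__":
    r = demo()
    print(f"SHA-1 guesses/s: {r['fast_rate']:.0f}   slow-hash guesses/s: {r['slow_rate']:.0f}")
    print("cracked in Dropbox dump:", r["dropbox_cracked"])
    print("same password in both dumps:", r["reused"])
```

Carol's password is not in the wordlist, so neither hash of it falls; the point of a slow hash is that the attacker pays the iteration cost for every guess against every account, which is what turns "eventually" into "not worth it" for the bcrypt half of a dump.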
I am increasingly encountering a dangerous misconception about data backups that could lead to some serious "facepalm" moments. On at least three separate occasions while discussing data backups, the person I was speaking with referred to Dropbox as their primary data backup platform. In case you are unfamiliar with Dropbox, it's a cloud-based platform that syncs files and folders between multiple computers while also keeping a copy of that data in the cloud. That cloud copy is what many people like to think of as their "offsite backup". It's true that if your local hard drive failed and you lost files Dropbox was syncing, you could retrieve a copy from one of your other machines or from the cloud. But what if you, or an employee with access to the shared Dropbox folder, accidentally deleted some important files? Dropbox doesn't know the deletion was a mistake; it just makes sure that change is reflected across every copy. What if you got hit with ransomware that encrypts your files, including the ones in your Dropbox folder? Dropbox will dutifully sync the encrypted versions everywhere, overwriting your "offsite backup" with ciphertext. Dropbox does keep a limited version history and can undelete recently removed files, but that window is short and the same for every file; it's a convenience for undoing yesterday's mistake, not a backup strategy.
Let me ‘splain:
Dropbox's strength lies in how easily it keeps a set of files and folders in sync across multiple machines and locations, and it does this through a simple rule: look at every endpoint (and the cloud) and make them all the same. That same strength is a glaring weakness when it comes to proper backup methodology. In a nutshell, a backup should track your data across time, at set intervals, so that you can go back to any one of those points and retrieve the data as it was at that moment. That matters in exactly the two situations above (and many others): mistakes were made, and the best course of action would be to go back to before they were made. Since we can't actually time travel, backups do the next best thing for our data. Even if a mistake isn't noticed for weeks, as long as your backup retains enough versions (its "version depth"), you can look back to an interval before the deletion or the encryption and retrieve the files. Just as important, a real backup is written somewhere your day-to-day machines and accounts cannot overwrite, so the same malware or the same fat-fingered delete cannot reach the copies you will need to recover from. That is not what Dropbox is built to do, and it probably shouldn't try; it isn't a backup platform. There are hundreds of viable backup solutions ranging in price and complexity, and many are as easy to set up as Dropbox. Don't stop short of a real backup solution just because you've got a copy of your files somewhere else. A good backup strategy takes some thought and discipline, but it pays huge dividends when mistakes or disaster strike.
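The difference between "make all these the same" and "keep track of my data across time" is easiest to see in code. The following is an example added for this post (not Dropbox's code and not a product recommendation): a toy point-in-time snapshot store next to a toy sync mirror. Each snapshot is a manifest of file path to content hash, and contents go into a content-addressed blob directory that is never modified in place, so the version from before a deletion or a ransomware overwrite survives. The directory layout, the "contract.txt"/"notes.txt" files and the simulated malware are all constructed for the demo.

```python
"""Point-in-time backup versus sync: a minimal snapshot store.

Added example, not part of the original post and not Dropbox's code. Each
snapshot is a manifest of file -> content hash; contents live in a
content-addressed blob directory that is never modified in place, so an old
version survives after the live copy is deleted or encrypted."""
import hashlib
import json
import os
import shutil
import tempfile
import time

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_snapshot(src_dir, store_dir):
    """Record every file under src_dir (store_dir must be outside it). Returns the snapshot id."""
    blobs, snaps = os.path.join(store_dir, "blobs"), os.path.join(store_dir, "snapshots")
    os.makedirs(blobs, exist_ok=True)
    os.makedirs(snaps, exist_ok=True)
    manifest = {}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            path = os.path.join(root, name)
            digest = _sha256(path)
            blob = os.path.join(blobs, digest)
            if not os.path.exists(blob):        # unchanged content is stored only once
                shutil.copyfile(path, blob)
            manifest[os.path.relpath(path, src_dir)] = digest
    snap_id = f"{len(os.listdir(snaps)) + 1:04d}"
    with open(os.path.join(snaps, snap_id + ".json"), "w") as f:
        json.dump({"taken": time.time(), "files": manifest}, f)
    return snap_id

def list_snapshots(store_dir):
    snaps = os.path.join(store_dir, "snapshots")
    return sorted(n[:-5] for n in os.listdir(snaps) if n.endswith(".json"))

def restore_file(store_dir, snap_id, rel_path, dest_path):
    """Write rel_path as it existed in snapshot snap_id to dest_path, verifying the hash."""
    with open(os.path.join(store_dir, "snapshots", snap_id + ".json")) as f:
        digest = json.load(f)["files"][rel_path]
    shutil.copyfile(os.path.join(store_dir, "blobs", digest), dest_path)
    if _sha256(dest_path) != digest:
        raise RuntimeError("restored file does not match the hash recorded at snapshot time")
    return dest_path

def sync_mirror(src_dir, mirror_dir):
    """What a sync client does: make the mirror identical to the source, deletions included."""
    if os.path.exists(mirror_dir):
        shutil.rmtree(mirror_dir)
    shutil.copytree(src_dir, mirror_dir)

def simulate_ransomware(path):
    """Overwrite a file in place with random bytes, as file-encrypting malware would."""
    with open(path, "wb") as f:
        f.write(os.urandom(64))

def demo():
    """The post's two scenarios in a temp dir: the mirror loses both files, the snapshot keeps them."""
    base = tempfile.mkdtemp()
    live, mirror, store = (os.path.join(base, d) for d in ("live", "mirror", "store"))
    os.makedirs(live)
    for name, text in (("contract.txt", "signed contract v1"), ("notes.txt", "meeting notes")):
        with open(os.path.join(live, name), "w") as f:
            f.write(text)
    first = take_snapshot(live, store)                       # Monday: all healthy
    sync_mirror(live, mirror)
    simulate_ransomware(os.path.join(live, "contract.txt"))  # Tuesday: malware encrypts one file
    os.remove(os.path.join(live, "notes.txt"))               # and someone deletes another
    sync_mirror(live, mirror)                                # sync propagates both faithfully
    take_snapshot(live, store)                               # the nightly snapshot still runs
    with open(os.path.join(mirror, "contract.txt"), "rb") as f:
        mirror_contract = f.read()
    recovered = {}
    for name in ("contract.txt", "notes.txt"):
        with open(restore_file(store, first, name, os.path.join(base, name + ".restored"))) as f:
            recovered[name] = f.read()
    return {
        "snapshots": list_snapshots(store),
        "mirror_has_notes": os.path.exists(os.path.join(mirror, "notes.txt")),
        "mirror_contract_intact": mirror_contract == b"signed contract v1",
        "recovered": recovered,
    }

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry over to any real backup tool: blobs are written once and never rewritten, so a later snapshot cannot damage an earlier one, and the store lives outside the synced folder, because a snapshot directory that Dropbox is also syncing would be overwritten or deleted right along with everything else.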
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
If you thought you had data breach fatigue, prepare to be exhausted this week:
- Hacker tries to scam Internet with fake Dropbox password database – Dropbox refutes the claim, noting the "proof of hack" provided consisted of known stolen passwords from other sources.
- Kmart Hacked – Undisclosed Quantity of Credit Card Numbers Stolen – Sears-owned retail outlet may have been a victim of the known point-of-sale malware "Backoff"; says no identity info was stolen, just credit and debit card numbers.
- Snapchat denies it was the source of potential racy photo leak – Third-party add-on app "SnapSaved" blamed for giving hackers an avenue to save pictures sent through Snapchat. SnapSaved admits to a security breach, but downplays claims that the hackers could produce a "searchable" database of photos.
- NATO Summit Gets Breached by Russian Hackers – Hackers whom security analysts believe to be Russian exploited a zero-day flaw in Windows through a spear-phishing campaign targeting Ukrainian government workers, leading to breaches of government servers and probably leaks of information from the Summit proceedings.
- Google Documents Flaw in SSL 3.0 Protocol – Google documents a serious flaw (dubbed POODLE) in the SSL 3.0 encryption protocol and announces it will remove SSL 3.0 support from Chrome. Though outdated, SSL 3.0 is still widely supported as a fallback when a newer protocol handshake fails, and an attacker in the middle can deliberately make the newer handshake fail to force that fallback.
- 850K Records Exposed in Oregon Employment Dept Website Breach – State-run website exposed personal information on hundreds of thousands of job seekers. No financial information was exposed, but the leaked data could lead to identity theft.
Though Apple has yet to comment, the mainstream press has been awash in reports that dozens of Hollywood celebrities had their iCloud accounts hacked over the Labor Day holiday weekend and, as you might have guessed, explicit images and videos have surfaced on the internet. News of the breach first appeared on the infamous website 4chan, where an unidentified individual offered to share the material in exchange for bitcoin donations. Representatives for some of the celebrities confirmed the material was genuine and threatened legal action against both the hackers and the various websites where the photos and videos started appearing. As of now, authorities are still trying to identify the party or parties responsible.
What this means for you:
Despite the numerous, very public incidents of famous people taking explicit photos of themselves and reaping the consequences (good or bad), everyone, famous or not, continues to overestimate the security of mobile devices and cloud platforms, and to forget that deleting a file on your smartphone does not necessarily destroy it: a copy may already have been uploaded. Both iOS and Android devices are designed to upload any photos or videos you take to their respective cloud storage platforms, ostensibly to back them up in case the device is lost and to make them easy to share over the internet. What most people don't realize is that the default on both platforms is to turn this on, and you have to pay attention during the very first device setup to disable it. If you quickly punch "OK" through that process, you can easily miss this very important setting.
As always, if you need to store information that must remain confidential, cloud storage (iCloud, Dropbox, OneDrive, Google Drive, etc.) is a high-risk option that should only be chosen with eyes wide open to the worst-case scenario. If you use it anyway, encrypt the data yourself before it leaves your device, so that a compromised account yields only ciphertext, and turn on two-factor authentication wherever the provider offers it. The terms of service for most of these platforms limit the provider's liability for this kind of breach, so even if your information leaks through no fault of your own (as may be the case in the hack above), it is highly unlikely you will be able to hold anyone accountable but yourself.
Malicious actors continue to use increasingly convincing email templates to fool victims into installing malware on their computers. Most recently, people have been falling for an email that appears to come from Dropbox.com, a very widely used cloud storage service. The email uses Dropbox artwork and is kept short and to the point: it warns the user that they need to change their password and provides a link (which, of course, leads to a compromised or attacker-controlled website). Adding to its apparent credibility, Dropbox has legitimately sent password-change warnings of exactly this form. Couple that with the fact that you very likely do have a Dropbox account, and the hook is set before you know it.
What this means for you:
Whenever you receive a warning like this, the safest way to act on it is to type the service's address into your browser yourself and never click the link in the email unless you are confident where it really leads. The visible text of a link can say anything; the real destination is in the underlying address. Most email clients, including web-based ones like Gmail and Yahoo Mail, show that real destination when you hover over a link (it may take a second or two, so be patient), because faking the visible text while sending you down a dark road to infection is trivial. Look closely at the domain as well: an attacker will happily register something that merely resembles dropbox.com. For more tips on spotting fake emails like this one, read my previous post, "Fake Emails are Getting Harder to Spot".
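The hover check above can be automated, which is what mail filters do behind the scenes. Here is an example added for this post (not code from the original article or from any mail provider) that pulls every link out of an HTML message and flags two things: visible text that looks like a web address but whose real target is a different host, and any link whose host is not the sender's real domain. The sample message, the `dropbox-security-check.example` host and the `203.0.113.9` address are constructed for the demo.

```python
"""Flag suspicious links in an HTML e-mail: visible text that looks like a URL
or domain but points elsewhere, and links whose host is not the sender's domain.

Added example; the sample message and hosts below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample styled after a fake Dropbox password warning.
SAMPLE_EMAIL = """
<html><body>
<p>We noticed unusual activity on your account. Please
<a href="http://dropbox-security-check.example/reset">reset your password</a>
at <a href="http://203.0.113.9/login">https://www.dropbox.com/reset</a>.</p>
<p>Questions? Visit <a href="https://www.dropbox.com/help">www.dropbox.com/help</a>.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def host_of(url_or_text):
    """Lowercase host of a URL, or of bare 'www.example.com/path' style text."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def same_site(host, trusted):
    return host == trusted or host.endswith("." + trusted)


def audit_links(html, trusted_domain):
    """Return one finding per link; 'suspicious' is True when any rule fires."""
    findings = []
    for href, text in extract_links(html):
        href_host = host_of(href)
        reasons = []
        # Rule 1: the text is dressed up as an address but the real host differs.
        looks_like_url = "." in text and " " not in text
        if looks_like_url and host_of(text) != href_host:
            reasons.append(f"text shows {host_of(text)!r} but href goes to {href_host!r}")
        # Rule 2: the real host is not the sender's domain (or a subdomain of it).
        if not same_site(href_host, trusted_domain):
            reasons.append(f"host {href_host!r} is not {trusted_domain!r}")
        findings.append({"href": href, "text": text, "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL, "dropbox.com"):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['text']!r} -> {f['href']}  {'; '.join(f['reasons'])}")
```

Rule 2 is the one that catches the lookalike domain, since `dropbox-security-check.example` is not `dropbox.com` or anything under it; rule 1 is the hover check itself, and it is what exposes the second link, whose text reads as a Dropbox address while the href goes to a bare IP address.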
Last week, on October 26, a number of popular "cloud-based" services suffered multi-hour interruptions. Among the outages was Google's App Engine, a platform used by thousands of other websites and internet services including one of my favorites, Passpack.com. Some of your favorites may have been affected as well: Dropbox, Tumblr and even YouTube. For many, this was a non-event, particularly those who operate within enterprise-hosted platforms or rely solely on their own desktops and local storage. C2 Technology relies heavily on cloud-based services, primarily Google products, for our core information systems, and I use Passpack to track the multitude of passwords I need to do my work. So when the outages hit on the 26th, I found myself unable to access the keys to my various digital kingdoms, and felt very much like someone locked out of their car, at the mercy of another person's timetable. In this particular case, Passpack.com wasn't even to blame: its own reliance on Google's App Engine hamstrung its ability to serve its customers, and the fine engineers at Google were themselves struggling with the outage. Everyone's brand took a hit, and yet there was no one any of us could blame for it, not even a hacktivist group looking to ruin someone's day for political currency.
What this means for you:
Very simply: "Never put all your eggs in one basket." This homily, however pastoral it sounds, very much applies to how you use technology, especially for your core business processes. As an illustration of how this goes wrong: I was using Passpack to store my Gmail password, which was complex and impossible to remember, and relying on a complex but easier-to-remember passphrase to get into Passpack and retrieve it whenever I needed it. When Passpack went down, so did my access to Gmail and all of my client contact information. The lesson: if you are going to store critical information online, have a plan for continuing to operate without access to it. Either keep a local copy (which brings its own risks, so protect it accordingly), or compartmentalize parts of your operations so that they aren't heavily dependent on a single service provider, or on the internet being available at all.
Image courtesy of “vichie81” / FreeDigitalPhotos.net