Dropbox update

by Mark Rowe

If you signed up for the file sharing cloud service Dropbox before mid-2012 and reused your password elsewhere, you should change it, says Dropbox. The cloud storage company recommends what it calls strong, unique passwords, and two-step verification. The firm also asks users to be alert to spam or phishing, because email addresses were included in the now exposed password data. Separately, it has been reported that cloud-based access product company OneLogin has been breached.

Comments

Tony Sweeney, Cyber Security Director for the KCS Group Europe, said: “The news of 68 million Dropbox passwords being leaked online is not a shock; after all, the breach occurred in 2012 when LinkedIn and MySpace were also hacked. It is safe to assume any online accounts held since 2012 are at risk and ALL passwords should be changed. Realistically, no accounts are safe from being compromised.

“One way to make accounts more secure is by enabling two-factor authentication, such as a code being sent via text to your mobile device in addition to entering your password. However, the secret here is not to wait until you are told your details have been breached but instead be prepared that a breach could happen at any time. It needs to be recognised that normal cyber defences are not enough; it’s about being proactive, rather than simply reactive. Testing the security of the whole business – from the perimeter all the way through to employee awareness training – coupled with the advance warning provided by constant monitoring, saves crucial time, protects reputation and gives the CISO a better night’s sleep.”

Nigel Hawthorn, chief European spokesperson at Skyhigh Networks, a cloud access security broker, argues that a data breach at Dropbox, or any other file sharing service, is a huge threat to businesses. He says: “While some companies respond to data breaches with denial, it’s good to see Dropbox being proactive and advising users to update their passwords. Compromised accounts not only represent a threat to consumers, but employees are increasingly using personal accounts at work too; leaving sensitive business data vulnerable. Individuals reuse the same passwords for convenience but, as more corporate information is migrated to the cloud, it’s incredibly difficult for organisations to monitor and control the risk posed without the right measures in place.

“Businesses must be aware of all cloud services in use across the enterprise. This enables them to respond to news stories such as this, analysing how it may impact them and mitigating the risk to data by forcing password changes or halting traffic completely. They should set policies regarding the handling of corporate data and define a sanctioned cloud services list. By including options for all the common reasons for use, such as collaboration, file conversion and project management, employees can be encouraged to use only approved applications over riskier alternatives. By combining cloud monitoring technology with existing identity and access management controls, firms can more easily identify and act when accounts have been compromised.”

David Mount, director, security solutions consulting EMEA, at IT access product company Micro Focus, said: “The news that the 2012 Dropbox breach revealed millions of passwords as well as usernames is a cause for significant concern for businesses as well as consumers, and not simply because it’s common practice for employees to store sensitive business data in personal Dropbox accounts.

“An additional danger for businesses is posed by users who signed up for Dropbox for work purposes using their work credentials because in that event, these credentials are now available on the open market. Organisations practising good password hygiene should be safe because users will have been forced to change their passwords since then, but not every business will have these sorts of processes in place. This means that some organisations will now be at risk as these compromised credentials could be used to access their systems.

“To help guard against this threat, it’s good practice for all businesses to monitor for anomalous activity to make sure it’s appropriate – enforcing the principle of least privilege. This is key to controlling how users are accessing data, especially for any accounts with privileged access.

“With this visibility into data access, organisations need to evaluate the risk of access attempts in real time and based on contextual factors such as device, location and normal usage patterns. The use of multi-factor authentication to augment passwords ensures that users are always who they say they are, limiting the risk of an individual successfully masquerading as an employee. Finally, those businesses able to monitor user activity to spot issues quickly must then act quickly to take remedial action with absolutely no delay. This will help to limit any damage.

“Following the 2012 attack, Dropbox did change its password hashing mechanisms to bcrypt from SHA-1, so whilst the password hashes might be available, it could be argued that they’re reasonably safe as the encryption has not been cracked. This can’t be said for every system. Employees may also do this on cloud services that have less robust standards than Dropbox, so ensuring businesses and employees follow these best practices is vital in limiting damage and protecting corporate data.”

Justin Harvey, chief security officer at Fidelis Cybersecurity, said: “Dropbox and OneLogin users likely woke up to disturbing news this morning following these latest breaches, not least because the cloud-based storage service is used to store and access sensitive data, documents and personal photos. The likelihood that sensitive information such as this – and potentially confidential corporate data – could be in someone else’s hands is extremely concerning.

“Dropbox users should immediately change their passwords, and ensure that if the same username and password combination is used for other sites and services, these are changed too. Indeed, it’s not uncommon for hackers to use stolen username and password combinations to push out phishing scams and further exploit their victims, for example by gaining a foothold in the corporate network, and moving laterally to harness powerful access controls and steal valuable data. For OneLogin users, the breach is more complicated as it’s unknown what text may have been accessed. Additionally, both Dropbox and OneLogin support the recommended use of multi-factor authentication; every user should be enabling this on as many websites as possible.

“Above all, it’s clear that no company is immune from a data breach and with cloud-based third party applications being targeted, the scope for damage is vast. This is exactly why the security industry is moving to a detection versus protection standpoint, where it’s just as important to identify and expel an attacker as it is to protect the corporate network. With many companies likely affected by these latest breaches, they need to take note of this shift and build their defences accordingly.”

Ross Brewer, VP and MD of EMEA at LogRhythm, said: “Data breaches, both old and new, are continuing to dominate our headlines. Hackers were able to view OneLogin notes in clear text for over two months before the breach was identified, while it has taken four years for the repercussions of the Dropbox breach to resurface. Although the cloud storage company did admit the data breach had taken place back in 2012, it’s clear that the scope and scale of the breach was unknown, with them only now prompting users to change their password.

“The biggest concern in both of these cases is not that either company was breached – unfortunately, hackers’ tactics are becoming more and more sophisticated and breaches are almost inevitable. The main problem is that the breaches were able to go undetected. Fortunately, in Dropbox’s case, the passwords were suitably encrypted, so the data should be of limited value to hackers. However, this isn’t always the case, and it only takes one hacker to get their hands on a set of unprotected log-in details dumped on the web for a company to find themselves the victim of a breach – as OneLogin has now found.

“Businesses are wising up to the fact that hackers will get in, but they need to make sure they have the right tools in place to stop them before any damage has been done. Businesses need to shift their investments to full network monitoring and response capabilities so that they can identify breaches the moment they happen. Indeed, security intelligence and rapid detection is key to preventing large gaps between breach and detection, such as these. With the EU GDPR’s breach notification window pending, businesses are under growing pressure to spot and disclose a breach the moment it happens, and this can only be done with a deep understanding of network activity.”

© 2024 Professional Security Magazine. All rights reserved.