Dropbox popped

Michael Butash michael at butash.net
Tue Jul 31 21:08:50 MST 2012 

It's them, as a consumer organization, trying to walk the line around 
convenience.  Same as some organizations *still* do not enforce 
auto-password locks on workstations because some grumpy executive 
doesn't want to remember a password.  Blizzard eventually had to do 
dual-factor when warcrack accounts/items became profitable to sell, and 
others just to keep from becoming a scandal from lazy users.

I enforce mostly the same standards at home I would at work, but sadly 
naive companies treat their data just the opposite - not someone I would 
do business with.  No proprietary/pii data should live outside a 
firewall.  You'd think they'd at least hold employee accounts to a 
complexity standard, but that assumes they just didn't use the same pass 
everywhere and it got lifted externally.  This is common these days.

So yeah, dual-factor externally where possible.  And don't use mschap v2 
to send it (lots of enterprise wifi does).  ;)

http://erratasec.blogspot.com/2012/07/the-tldr-version-of-moxies-mschapv2.html

-mb


On 07/31/2012 08:48 PM, Mike Bydalek wrote:
> Just some random thoughts to expound on Michael's ...
>
> I get what you're saying, but I think limiting it to cloud storage
> isn't enough (or fair).  Having *any* NPI (non-public information)
> stored in any means *other* than being encrypted is just asking for
> trouble - Dropbox or at home.  You can have all your sensitive data on
> your computer at home until you get robbed and now someone has all
> your CC#s, bank login info, etc. (or lose your laptop).  I pretty much
> live by the rule of thumb saying, "Anyone can get access to this data.
>   How can I prevent them from using it?"
>
> To get back to Dropbox, the employee in question had a file of e-mail
> addresses.  Their account password was probably weak and someone
> guessed it.  This situation can happen under *any* web-based system
> that isn't using two-factor authentication (Gmail.com? Mint.com?
> etc.).  That's why when websites have really stupid password policies
> (ie. no more than 8 characters, no special characters, etc.) or don't
> have a system which locks the account after X failed attempts,
> auditing successful logins, etc., I have a really hard time believing
> they are taking security seriously.
>
> -Mike
>
> On Tue, Jul 31, 2012 at 7:59 PM, Michael Butash<michael at butash.net>  wrote:
>> http://arstechnica.com/security/2012/07/dropbox-confirms-it-got-hacked-will-offer-two-factor-authentication/
>>
>> So yeah, about not trusting cloud storage services...
>>
>> "At any rate, users may want to think about examining more secure
>> alternatives, encrypting their files, or simply not storing ultra-sensitive
>> information in Dropbox."
>>
>> An employee account was exploited for this, probably a password gotten via
>> some other exploited site, or cracked (weak pw policy).  Sad
>> proprietary/confidential data, let alone pii, was even publicly accessible
>> in any means.  Why I'll keep mine on my rfc1918 ip lan, thanks.
>>
>> -mb
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
>

More information about the PLUG-discuss mailing list