Dropbox popped

Mike Bydalek mike.bydalek at gmail.com
Tue Jul 31 21:17:27 MST 2012


I'm going to play Devil's advocate here for a second.  Let's say it
*wasn't* Dropbox, but instead was an employee of Joe's Mail Flyers,
Inc.  In this case, the *same* thing would have happened, but we would
*still* blame Dropbox; "How dare you not secure our data!"  You hit
the nail right on the head by saying, "a consumer organization."  As
such, it is all about convenience.  When people (*especially* internal
Dropbox employees) start putting unencrypted NPI data out there, that
falls in the whole "You're doing it wrong!" bucket.

I agree with everything in your post except I'm not so sure about the
"no pii data should live outside a firewall."  While generally (for
network accessed data), yes, the reality is that it is not always
practical.  Products like IronKey and Full Disk Encryption (which the
FBI doesn't seem to have realized is out there ...) exist exactly for
this use case.

-Mike

On Tue, Jul 31, 2012 at 9:08 PM, Michael Butash <michael at butash.net> wrote:
> It's them, as a consumer organization, trying to walk the line around
> convenience.  Same as some organizations *still* do not enforce
> auto-password locks on workstations because some grumpy executive doesn't
> want to remember a password.  Blizzard eventually had to do dual-factor when
> warcrack accounts/items became profitable to sell, and others just to keep
> from becoming a scandal from lazy users.
>
> I enforce mostly the same standards at home I would at work, but sadly naive
> companies treat their data just the opposite - not someone I would do
> business with.  No proprietary/pii data should live outside a firewall.
> You'd think they'd at least hold employee accounts to a complexity standard,
> but that assumes they just didn't use the same pass everywhere and it got
> lifted externally.  This is common these days.
>
> So yeah, dual-factor externally where possible.  And don't use mschap v2 to
> send it (lots of enterprise wifi does).  ;)
>
> http://erratasec.blogspot.com/2012/07/the-tldr-version-of-moxies-mschapv2.html
>
> -mb
>
>
>
> On 07/31/2012 08:48 PM, Mike Bydalek wrote:
>>
>> Just some random thoughts to expound on Michael's ...
>>
>> I get what you're saying, but I think limiting it to cloud storage
>> isn't enough (or fair).  Having *any* NPI (non-public information)
>> stored in any means *other* than being encrypted is just asking for
>> trouble - Dropbox or at home.  You can have all your sensitive data on
>> your computer at home until you get robbed and now someone has all
>> your CC#s, bank login info, etc. (or lose your laptop).  I pretty much
>> live by the rule of thumb saying, "Anyone can get access to this data.
>> How can I prevent them from using it?"
>>
>> To get back to Dropbox, the employee in question had a file of e-mail
>> addresses.  Their account password was probably weak and someone
>> guessed it.  This situation can happen under *any* web-based system
>> that isn't using two-factor authentication (Gmail.com? Mint.com?
>> etc.).  That's why when websites have really stupid password policies
>> (i.e. no more than 8 characters, no special characters, etc.) or don't
>> have a system which locks the account after X failed attempts,
>> auditing successful logins, etc., I have a really hard time believing
>> they are taking security seriously.
>>
>> -Mike
>>
>> On Tue, Jul 31, 2012 at 7:59 PM, Michael Butash <michael at butash.net> wrote:
>>>
>>>
>>> http://arstechnica.com/security/2012/07/dropbox-confirms-it-got-hacked-will-offer-two-factor-authentication/
>>>
>>> So yeah, about not trusting cloud storage services...
>>>
>>> "At any rate, users may want to think about examining more secure
>>> alternatives, encrypting their files, or simply not storing
>>> ultra-sensitive information in Dropbox."
>>>
>>> An employee account was exploited for this, probably a password gotten
>>> via some other exploited site, or cracked (weak pw policy).  Sad
>>> proprietary/confidential data, let alone pii, was even publicly
>>> accessible in any means.  Why I'll keep mine on my rfc1918 ip lan, thanks.
>>>
>>> -mb
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
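One way to implement the two controls Mike's earlier message asks for (locking an account after X failed attempts, and auditing successful logins that follow a burst of failures), as an added example that is not part of this thread; the log line format, field names and sample entries are constructed assumptions:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not from the thread). Assumed line format:
# "<ISO timestamp> user=<name> ip=<addr> result=<ok|fail>"
SAMPLE_LOG = """\
2012-07-31T21:00:01 user=alice ip=198.51.100.7 result=fail
2012-07-31T21:00:03 user=alice ip=198.51.100.7 result=fail
2012-07-31T21:00:05 user=alice ip=198.51.100.7 result=fail
2012-07-31T21:00:06 user=alice ip=198.51.100.7 result=fail
2012-07-31T21:00:08 user=alice ip=198.51.100.7 result=fail
2012-07-31T21:00:09 user=alice ip=198.51.100.7 result=ok
2012-07-31T21:05:00 user=bob ip=203.0.113.9 result=fail
2012-07-31T21:30:00 user=bob ip=203.0.113.9 result=ok
"""


def parse_line(line):
    """Split one log line into a dict with a parsed 'ts' datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def audit(log_text, max_fail=5, window=timedelta(minutes=10)):
    """Return (locked, suspicious).

    locked:     accounts that hit max_fail failures inside `window` and
                should be locked (the "X failed attempts" policy).
    suspicious: successful logins that came right after such a burst,
                the "weak password finally guessed" pattern worth auditing.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    locked, suspicious = set(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        user, ts = rec["user"], rec["ts"]
        q = recent[user]
        while q and ts - q[0] > window:  # forget failures outside the window
            q.popleft()
        if rec["result"] == "fail":
            q.append(ts)
            if len(q) >= max_fail:
                locked.add(user)
        elif len(q) >= max_fail:
            # A live system would have rejected this; in after-the-fact log
            # review it is the event that most needs a human to look at it.
            suspicious.append((user, rec["ip"], ts.isoformat()))
    return locked, suspicious
```

Bob's single failure half an hour before a successful login falls outside the window and is not flagged; Alice's five rapid failures lock the account and mark the following success for review.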
