And the moral of this story is, keep your CC#s, password lists, etc. in a password-protected spreadsheet on an encrypted thumb drive physically hidden, with a spare in the safe deposit box. And don't back up your collection of Japanese tentacle porn to the cloud.
________________________________
From: Mike Bydalek <mike.bydalek@gmail.com>
To: michael@butash.net; Main PLUG discussion list <plug-discuss@lists.plug.phoenix.az.us>
Sent: Tuesday, July 31, 2012 8:48 PM
Subject: Re: Dropbox popped
Just some random thoughts to expound on Michael's ...
I get what you're saying, but I think limiting it to cloud storage
isn't enough (or fair). Having *any* NPI (non-public information)
stored in any means *other* than being encrypted is just asking for
trouble - Dropbox or at home. You can have all your sensitive data on
your computer at home until you get robbed and now someone has all
your CC#s, bank login info, etc. (or lose your laptop). I pretty much
live by the rule of thumb saying, "Anyone can get access to this data.
How can I prevent them from using it?"
To get back to Dropbox, the employee in question had a file of e-mail
addresses. Their account password was probably weak and someone
guessed it. This situation can happen under *any* web-based system
that isn't using two-factor authentication (Gmail.com? Mint.com?
etc.). That's why when websites have really stupid password policies
(i.e. no more than 8 characters, no special characters, etc.) or don't
have a system which locks the account after X failed attempts,
auditing successful logins, etc., I have a really hard time believing
they are taking security seriously.
-Mike
On Tue, Jul 31, 2012 at 7:59 PM, Michael Butash <michael@butash.net> wrote:
> http://arstechnica.com/security/2012/07/dropbox-confirms-it-got-hacked-will-offer-two-factor-authentication/
>
> So yeah, about not trusting cloud storage services...
>
> "At any rate, users may want to think about examining more secure
> alternatives, encrypting their files, or simply not storing ultra-sensitive
> information in Dropbox."
>
> An employee account was exploited for this, probably a password gotten via
> some other exploited site, or cracked (weak pw policy). Sad
> proprietary/confidential data, let alone pii, was even publicly accessible
> in any means. Why I'll keep mine on my rfc1918 ip lan, thanks.
>
> -mb
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss