Dropbox popped
Derek Trotter
expat.arizonan at gmail.com
Tue Jul 31 21:16:11 MST 2012
It looks like a lot of corporate execs in this country are about as
bright as whoever in India is in charge of that country's power grid.
On 7/31/2012 21:08, Michael Butash wrote:
> It's them, as a consumer organization, trying to walk the line around
> convenience. Same as some organizations *still* do not enforce
> auto-password locks on workstations because some grumpy executive
> doesn't want to remember a password. Blizzard eventually had to do
> dual-factor when warcrack accounts/items became profitable to sell,
> and others just to keep from becoming a scandal from lazy users.
>
> I enforce mostly the same standards at home I would at work, but sadly
> naive companies treat their data just the opposite - not someone I
> would do business with. No proprietary/pii data should live outside a
> firewall. You'd think they'd at least hold employee accounts to a
> complexity standard, but that assumes they just didn't use the same
> pass everywhere and it got lifted externally. This is common these days.
>
> So yeah, dual-factor externally where possible. And don't use mschap
> v2 to send it (lots of enterprise wifi does). ;)
>
> http://erratasec.blogspot.com/2012/07/the-tldr-version-of-moxies-mschapv2.html
>
>
> -mb
>
>
> On 07/31/2012 08:48 PM, Mike Bydalek wrote:
>> Just some random thoughts to expound on Michael's ...
>>
>> I get what you're saying, but I think limiting it to cloud storage
>> isn't enough (or fair). Having *any* NPI (non-public information)
>> stored in any means *other* than being encrypted is just asking for
>> trouble - Dropbox or at home. You can have all your sensitive data on
>> your computer at home until you get robbed and now someone has all
>> your CC#s, bank login info, etc. (or lose your laptop). I pretty much
>> live by the rule of thumb saying, "Anyone can get access to this data.
>> How can I prevent them from using it?"
>>
>> To get back to Dropbox, the employee in question had a file of e-mail
>> addresses. Their account password was probably weak and someone
>> guessed it. This situation can happen under *any* web-based system
>> that isn't using two-factor authentication (Gmail.com? Mint.com?
>> etc.). That's why when websites have really stupid password policies
>> (ie. no more than 8 characters, no special characters, etc.) or don't
>> have a system which locks the account after X failed attempts,
>> auditing successful logins, etc., I have a really hard time believing
>> they are taking security seriously.
>>
>> -Mike
>>
>> On Tue, Jul 31, 2012 at 7:59 PM, Michael Butash<michael at butash.net>
>> wrote:
>>> http://arstechnica.com/security/2012/07/dropbox-confirms-it-got-hacked-will-offer-two-factor-authentication/
>>>
>>>
>>> So yeah, about not trusting cloud storage services...
>>>
>>> "At any rate, users may want to think about examining more secure
>>> alternatives, encrypting their files, or simply not storing
>>> ultra-sensitive
>>> information in Dropbox."
>>>
>>> An employee account was exploited for this, probably a password
>>> gotten via
>>> some other exploited site, or cracked (weak pw policy). Sad
>>> proprietary/confidential data, let alone pii, was even publicly
>>> accessible
>>> in any means. Why I'll keep mine on my rfc1918 ip lan, thanks.
>>>
>>> -mb
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>
>>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20120731/e326bce4/attachment.html>
More information about the PLUG-discuss
mailing list