RESET Forums (homeservershow.com)

Dropbox


awraynor

The internet is quite busy with talk about Dropbox's latest security mistake. Their new terms of service don't seem to help either. Anyone leaving them, have an opinion or alternative?


For me this is part of the reason I don't trust any of "the cloud" with storage of my sensitive data if I can help it. We have more and more companies trying to sell the company I work for some cloud based service. While there is a place for it and we may use it for some purposes, we are a LONG way away from trusting it for any day-to-day critical business functions or storage of our data.


As for Dropbox, for what I use it for, I will continue to use it.


I have data in my Dropbox that is more sensitive than I should have there. Going to remove it and formulate a plan from there. I like having the continuous access to it, but that isn't worth it being utilized without my permission.


Guest no-control

Assuming this is the config file exploit we're talking about. This isn't a simple flaw to exploit. If they are able to gain access to these files, I'm pretty sure they already had access to everything else. In my circles this isn't a Dropbox issue, this is a client-side security issue. Simply encrypting files would go a long way to deter exposing your "important" data. Storing unencrypted copies of your tax and financials on your server isn't too smart either, much less in the cloud. Do you leave your car unlocked with the windows rolled down in long term parking?

For me this is part of the reason I don't trust any of "the cloud" with storage of my sensitive data if I can help it. We have more and more companies trying to sell the company I work for some cloud based service. While there is a place for it and we may use it for some purposes, we are a LONG way away from trusting it for any day-to-day critical business functions or storage of our data.

As you are an accountant I find this funny... Where is all of your money stored, in the cloud or in your mattress? ;)


As you are an accountant I find this funny... Where is all of your money stored, in the cloud or in your mattress? ;)

So, as an accountant, let me give you my thoughts on this. First, you are thinking about it wrong. Money and data in the "cloud" are in many ways not comparable. Back when it looked like the banking industry would collapse, I looked at multiple ways to protect my company's cash assets. One method was a type of CD that would be spread across multiple banks, with none having more than the $100k the FDIC insured at the time. This works fine for small amounts of cash, but doesn't scale up as nicely as we wanted. The FDIC eventually provided coverage up to $50 million in a non-interest bearing disbursement account. So I stopped all overnight investment sweeps into the money markets (they were not earning anything anyway) and we tracked our individual deposit accounts daily, drafting them into the master account any time their balance approached $250k (raised from the $100k by the FDIC). Eventually the banks were bailed out and we never lost a cent. In addition, while we have all sorts of ACH filters, blocks and positive pay protecting our accounts, sometimes a fraudulent charge will get through. We discover these through the recon process, and in my 20+ years with the company we have NEVER paid even 1 cent of these charges. The bank has always reimbursed them.

So while our cash has Federal support behind it, that same level of protection is not available for our data. I have companies approach me on almost a weekly basis trying to get us to do some cloud based crap, from things like outsourced A/P services to fully hosted IT solutions. While some of them are interesting, they ALL add risk. In the case of the A/P solution, the added risk is that this company will remain in business, its systems will not be compromised, its workforce will not be disrupted by unions or natural disasters, and more.

As for our data, as with any company, there is some data you never want leaked. I produce detailed financial forecasts, cash flows and other very sensitive data. Plus we have detailed location data and expansion data we would never want let out. So, can the "cloud" protect these assets the same way the "cloud" protects our cash? NO! The two are not comparable!


@awraynor - I think the solution is to encrypt data before it hits the cloud, as no-control says. Not as convenient, but definitely more secure.


Assuming this is the config file exploit we're talking about. This isn't a simple flaw to exploit. If they are able to gain access to these files, I'm pretty sure they already had access to everything else. In my circles this isn't a Dropbox issue, this is a client-side security issue. Simply encrypting files would go a long way to deter exposing your "important" data. Storing unencrypted copies of your tax and financials on your server isn't too smart either, much less in the cloud. Do you leave your car unlocked with the windows rolled down in long term parking?

Hmm. Not quite sure I agree with the analogy, and I'm more concerned with the "mistake" that allowed unfettered access without the proper password for four hours until the message board exploded and they became aware. How would you put into public use an UPDATE that wasn't first confirmed through testing when your sole purpose in life is storing people's data? Unacceptable.

Regarding the analogy, I'm not storing my data in my open share to everyone on my unencrypted wireless network. That would be more akin to your comment, i.e. available for any unscrupulous person to come along, although I should be able to have faith in the goodness of man (hah). Storing it on Dropbox, while certainly not military grade safe, should allow for the same level of security, if not more, than storing it on your home server, especially given Dropbox's statement on their commitment to security.

Bottom line: I can forgive some exploit driven errors, as they may not be publicly known at time of install. But allowing anyone access without the correct password is simple incompetence.


I am in agreement with timekills. If it is my free 2GB, well, I get what I pay for. However, I pay $10 a month and I expect my data to be reasonably secure. It's not like Anonymous or LulzSec went after them, they literally left the door wide open.

I tried SugarSync before, but it just didn't execute on its features very well.


Guest no-control

@GA while I made a loose analogy, it was in response to your loose statement of "any cloud", not to debate the obvious differences between the two. You're arguing a point that was meant in jest, hence the emoticon, as I thought it was a funny point. As per usual for this site, I should have prefaced that I was making a "funny", or not even posted at all. :rolleyes:

@TK are we talking about the same sec flaw? I was speaking of the config file exploit, not an update that left no requirements for authentication. Link pls?

Continuing on the point I was trying to make: if the data is so sensitive then it shouldn't be sitting on a perimeter server (i.e. cloud), this is common sense. The point is, look at it for what it is and use reasonable BMPs to protect the data. If you're going to store "sensitive" data on the cloud, be it Dropbox, your own server, or whatever, then you should take the proper precautions. Placing critical and sensitive company data (as you suggest) on a $10/mo Dropbox account in the clear (no encryption) is stupid.

When I look at services like Dropbox, I think consumer level file/folder sync. A convenience application for regular people to store and/or share files between machines, including those not necessarily under your control, like friends and family. It's not a backup repository for your password list, tax returns, corporate data, the colonel's recipe of 11 herbs and spices or the recipe for Coca-Cola. To me it's still a client side issue. You shouldn't store your sensitive data in the clear on Dropbox. And if an encrypted file sitting on a consumer grade cloud storage service is still too sketchy for you, don't use it.

The easiest way to "hack" is still social engineering. This includes exploiting just basic human error, like leaving the front door wide open. I hate to say it, but I will: most of your "sensitive" data is already in the cloud on someone's server somewhere, and while most institutions would like to think they are secure, they are not impenetrable. There are much better ways of accessing sensitive content: SSL VPN, VNC over SSH, etc. are much better ways to access "sensitive" data.

So again, my point was you need to take responsibility on the client side as well as understand the level of security a service is providing AND what the ramifications are if it failed.


So, as an accountant, let me give you my thoughts on this. First, you are thinking about it wrong. Money and data in the "cloud" are in many ways not comparable. Back when it looked like the banking industry would collapse, I looked at multiple ways to protect my company's cash assets. One method was a type of CD that would be spread across multiple banks, with none having more than the $100k the FDIC insured at the time. This works fine for small amounts of cash, but doesn't scale up as nicely as we wanted. The FDIC eventually provided coverage up to $50 million in a non-interest bearing disbursement account. So I stopped all overnight investment sweeps into the money markets (they were not earning anything anyway) and we tracked our individual deposit accounts daily, drafting them into the master account any time their balance approached $250k (raised from the $100k by the FDIC). Eventually the banks were bailed out and we never lost a cent. In addition, while we have all sorts of ACH filters, blocks and positive pay protecting our accounts, sometimes a fraudulent charge will get through. We discover these through the recon process, and in my 20+ years with the company we have NEVER paid even 1 cent of these charges. The bank has always reimbursed them.

So while our cash has Federal support behind it, that same level of protection is not available for our data. I have companies approach me on almost a weekly basis trying to get us to do some cloud based crap, from things like outsourced A/P services to fully hosted IT solutions. While some of them are interesting, they ALL add risk. In the case of the A/P solution, the added risk is that this company will remain in business, its systems will not be compromised, its workforce will not be disrupted by unions or natural disasters, and more.

As for our data, as with any company, there is some data you never want leaked. I produce detailed financial forecasts, cash flows and other very sensitive data. Plus we have detailed location data and expansion data we would never want let out. So, can the "cloud" protect these assets the same way the "cloud" protects our cash? NO! The two are not comparable!

I agree with No Control that critical data will never be in a Dropbox account, but what about payroll processing with ADP? And procurement data in an Ariba implementation? For critical functions, I always ask for a SAS70 from the provider, which generally ends the conversation with all but the biggest providers. If you can't give me a SAS70 report, you can't have my data.

The Dropbox incident really drives home the importance of good general controls environments for business data. The rise of having employees bring their own hardware will only increase the need to secure business data that is increasingly outside our controlled datacenters. If you store critical business data unencrypted on a cloud service, you are asking for trouble. And if you outsource a critical business function without positive assurance around basic general controls, you deserve to lose your gig when something goes wrong.
