An incident first reported last month involving 68 million Dropbox users’ (a cloud service) stolen contact information shed light on cloud security – or, the presence or lack thereof. Even more disconcerting is the fact that the Dropbox hack initially took place in 2012, when LinkedIn was hacked, and a Dropbox employee’s login info was stolen from that site and used to gain access to the Dropbox corporate network. Why did it take fully four years between the unauthorized access to Dropbox users’ personally-identifiable information and Dropbox’s announcement of it? And, besides the fact of whatever went on in those four years – why aren’t corporate entities who purvey cloud software and storage as a service held as accountable as, say, healthcare covered entities under HIPAA regulations?
Case in point: After reports surfaced that a list of the stolen passwords had been dumped online, Dropbox was forced to launch a brand new investigation in relation to the 2012 attack. Independent security experts verified the leak, and so Dropbox prompted users affected by the hacking of their cloud-service site to change their login credentials. The site then published a blog in early September encouraging all users who hadn’t changed their passwords since the middle of 2012 to do so immediately.
This still begs the question: Why did it take them four years to learn of the breach and make a public announcement about it?
“We’re doing this purely as a preventive measure,” Dropbox’s Head of Trust & Security, Patrick Heim, wrote. “Based on our threat monitoring and the way we secure passwords, we don’t believe that any accounts have been improperly accessed.”
In Dropbox’s defense, they were at least demonstrating good user data security practices at the time of the hack by encrypting millions of passwords. It has also already begun the process of upgrading its encryption to a stronger hashing function called bcrypt. That likely means, according to experts, that it was very unlikely the hackers would have ever been able to decrypt an estimated 32 million of the passwords they had stolen.
It should go without saying that Dropbox users employ two-factor or multi-factor authentication, and never reuse the same password for other websites. A noteworthy point is that it was the inability (or refusal) of Dropbox staff to follow this advice that led to the security breach in the first place. Sure, it can be a pain to have to remember a cache of encrypted passwords, but doing it – either on an individual level or en masse – helps assure greater levels of security authentication, and fewer successful bad guys.
A Look at Cloud Service Trends
Microsoft just announced that they are investing $3 billion USD in cloud services in Europe, and have made cloud policy recommendations towards a “cloud-powered digital transformation of Europe”. These 78 public policy recommendations in 15 categories include visions of a “trusted global infrastructure” that utilizes more intelligent access and “enhancing security and privacy,” and making cloud technologies “more trusted, responsible, and inclusive,” according to a Market Watch report dated October 3.
In the great exodus to the cloud, many are overlooking basic safety and security procedures – not least of whom are the cloud service proprietors themselves. But, subscribers also need to be taking a closer look at cloud services and, perhaps, demanding more from their SaaS providers. The herd mentality won’t do us any favors in terms of better security in the cloud, so ask all the questions necessary of your cloud service provider – both they and you will be better for it.
Need Better Cloud Security?
If you have questions regarding better cloud security, Where To Start is a proven leader in providing IT consulting and cybersecurity in San Francisco. Contact one of our expert staff at firstname.lastname@example.org today, and we can help you with all of your IT security needs.