Is Dropbox safe for users?

I’m sure everyone has used Dropbox to upload important documents, and priceless photos that they would like to have access to anywhere, forever, right? Dropbox is a free, cloud based storage service that allows users to upload documents, photos, and videos using a computer, and share them using a tablet or mobile device. This file hosting service is used by over 175,000 people around the world including in some businesses. But what if I told you that your private files can be hacked?

About a year ago, Dropbox was hacked, which prompted the company to add extra security protection such as encryption and “two factor authentication” which were put in place as enhancements. Well, it seems as if that extra security protection that was added, wasn't as great as Dropbox thought it was.

Two security researchers named Przemyslaw Wegrzyn and Dhiru Kholia were able to zoom past Dropbox’s security features, access users files, then published a paper on how it was possible! Crazy right? First thing first, the researchers disabled the two protections that were put in place, then tried “reverse engineering” which allowed them to look at the programming code that Dropbox uses. Although the researchers shouldn't have been able to view the programming code, they were successful. The whole idea was to protect Dropbox and share with the company on how to be more secure.

Since the published paper, in April of 2014, Dropbox has tightened security and added multiple updates to “Dropbox for Business”, which will target businesses and IT professionals who will administer the service. But is it enough?

 This case is just another way to remind you that internet safety and security is very important. Be careful when using sensitive information on the web, and on different web applications. You will never know when your information may become compromised.

Dropbox is still the leader in cloud based storage service. 

To read the published article "Looking inside the (Drop) box", click here.

References:

http://www.businessinsider.com/researchers-prove-dropbox-can-be-hacked-2013-8

http://readwrite.com/2013/08/28/dropbox-hacked-reverse-engineered-client#awesm=~oBxuxQC3OafIvw

http://www.cmswire.com/d/dropbox-p001128

http://en.wikipedia.org/wiki/Dropbox_(storage_provider)

If you don't know what the heartbleed bug is, you need to start now!

The Internet’s Most Widespread Vulnerability

Remember when you were a little kid and you and your friends had your own secret code words and no one was able to tell what you were saying???  Now, imagine that someone had a secret decoder ring and was able to understand everything you were saying.  But this is the best part, you didn’t even know that a decoder ring existed for your imaginary language!  Oh, and this decoder ring has been available in every box of cereal on store shelves!

Now lets change some of the details of the story….

• Store Shelves = Internet
• Cereal Boxes = Websites/Webservices
• Secret Code = encryption
• Friend = Server
• Decoder = Heartbleed bug

How many boxes of cereal were on store shelves that came with a prize?  Imagine if 66% of them did.  That is a lot of decoder rings.

xkcd comics

From the Heartbleed homepage:

[The Heartbleed bug] compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content... As long as the vulnerable version of OpenSSL is in use it can be abused.  

So, when you are accessing a website and sending your information out and getting information back, all this 'computer talking' should be encrypted, and no one should have the key except for you and the server you are talking with.  And in some cases, this is probably true and hasn't changed.

But if the website you are using protects information using any version of OpenSSL released in the past 2 years (May 2012), than you probably should change your password...NOW!  

OpenSSL is used by the web servers Apache and nginx, it is used to protect "email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and wide variety of client side software."  This pretty much includes more than half the internet.  

Well, at least it was discovered by a researcher for Google and the security engineers at Codenomicon instead of a hacker, right???  At least everyone assumes, but there really is no way to tell for sure because Heartbleed is undetectable, untraceable. 

The only way to be safe now is to change your passwords.  If you have entered a password on any account that has been using the OpenSSL Versions issued in the past 2+ years, change it!  But not until you know that the site has installed a patch and issued new certificates.  If they haven’t, don’t try to access that account!  Any information passed between you and the server is still susceptible.   

For more information on the Heartbleed Bug, or to see if a site you use could be affected, check out these sources:

• Heartbleed.com

• Heartbleed Test: http://filippo.io/Heartbleed/

• Top 10000 Heartbleed List 

• Mashable's Heartbleed Hit List 

• Another Heartbleed Test site:  https://lastpass.com/heartbleed/

• Cnet's Top 100 

Resources:

www.heartbleed.com

http://mashable.com/2014/04/09/heartbleed-nightmare/

https://lastpass.com/heartbleed/

http://www.cnet.com/news/heartbleed-bug-what-you-need-to-know-faq/

Where do you go for information security?

If you are interested in more information on Web Application Security, be sure to check out our Resources page for direct links to some of the top informational sources.

There you will find links to the SANS Institute, as well as pertinent information and affiliated sources by them, the National Cybersecurity & Communications Integration Center, and the US Computer Emergency Readiness Team.

These sources provide valuable information on what threats exist, emerging threats, and how to protect your Web Application.