DROPBOX HACK – WHY YOU SHOULD CARE ?


DropBox is flying as a company.  More and more of us are entrusting our data to their servers in the Cloud.    I am one of those.  The service is great, it works and it works from multiple devices. 

However there is just one thing.  It is not secure.  Read about their latest breach here. (http://www.zdnet.com/dropbox-gets-hacked-again-7000001928/)  and also here (http://gigaom.com/cloud/dropbox-yes-we-were-hacked/)

I have been going on about passwords and their manifest weakness for months here and in other media.   DropBox have come back to their customers saying that they promise to do more – better passwords – better security …..blah blah blah.

So what kind of solution should they use?

Well first of all they have millions of customers.  So whatever they go for is going to have to be easy to deploy and should not require the distribution of some kind of hard token OTP generator a la all of the ‘big’ names  (some of whom of have already been hacked).    So the solution should be scalable and easy to use as they should not have to embark upon a user-training program.  If so they will lose half their customers and the rest will be resentful every time they use it.  As I am whenever I use my bank’s product ( a OTP hardware token ).

As important as usability is the fact that the product should work – it should be secure.    No point in building a fence around your property if it has gaping holes in it.    It should not require the ‘metaphoric’  use of hiding the keys under the mat – i.e. a shared secret – password ;-) ( security by obscurity ) but rather should incorporate a logic and a flow that makes it hard to break ( security by design).

Last and by no means least the product should be affordable i.e. for DropBox.   They have clearly not budgeted for this – hence the homegrown user name / password solution used to date.    So the solution should require minimal upfront investment and incorporate the best of a utility model and / or an annual per user license fee.     

Now there is a solution that fits the bill.   Live Ensure  leverages the smartphones that most DropBox users have.   DropBox customers will just have to download an App onto their phones and then go to the DropBox site when they login the next time and register their devices once off.  Thereafter it is as simple as waving a phone in front of the computer screen.  It really is that simple.  What do DropBox have to lose?   They can have it up and running within a day by downloading and integrating the Live Ensure API into their login form.     It is a simple mashup integration.

If you are a DropBox customer and you are concerned about the security of your data – write to them and ask them why they are not using Live Ensure.   And if they don’t do something about it then move to someone who takes you seriously.


Comments

Post a Comment

Popular posts from this blog

The End of Passwords

Finally it seems … the penny has dropped.   Passwords are a poor substitute for real online security.   There is more and more ‘chatter’ about it.    Robin Henry writing in the Sunday Times on New Years Day talks of the end of ‘password hell’ invoking solutions in the pipeline from the Web Gods – Apple and Google.  The talk is of new biometric solutions such as facial and hand movement recognition.  Even IBM is talking this way.  ( http://www.forbes.com/sites/thestreet/2011/12/20/ibms-tech-predictions-for-the-next-5-years/ )  I agree with the notion that passwords are a dying breed but not that biometrics will become vogue.   They are fraught with problems of their own such as reliability, accuracy and the need for referencing of data-bases ( fail !) .    Why are passwords defunct?   Basically they are difficult to remember and they are easy to steal.    The solutions needed are those that require no cognitive load for the user ( the most unreliable participant in this enterprise
Read more

WIKILEAKS - the fuss?

Why all the fuss ? Why the ‘outrage’ at this ‘threat to national security’ ?   Are we really worried that nuclear war is going to break out because of these ‘dirty’ secrets getting out.  As if the North Koreans are going to up the ante any more than their mock charge of last week because of the abuse and scorn heaped upon them by US Diplomats.  ? !    Come on. To me the irony of this bluster is that it is (largely) from the right wing establishment in the US - calling it treason!     Any party that parades a half wit like Palin as a presidential hopeful hardly holds any moral high ground when it comes to protecting the USA.   Her appointment as the ‘leader of the free World’ will be enough to send any level headed American ( let alone any one of their Allies ) into a panicky tailspin at the thought of what she may stumble into ( by accident or design) . So how did these documents get out there?   Poor security.  Plain and simple.   If the US is so worried about this incident su
Read more

HSBC EMBRACES OLD TECHNOLOGY IN ITS BATTLE AGAINST HACKERS

 If you live in the UK and are somehow involved in the business world and exposed to media you could not help but have noticed the extensive advertising campaign that HSBC has been running on its new (sic) ‘security device’ for online banking - Secure Key.    ( I was tempted to refer to them as  ‘ large UK bank’  - but it is so obvious who it is – no point in pretending. ) A lot of money has been thrown at this campaign – I would guess millions.  ( http://www.youtube.com/watch?v=Jx0Z5CiQMIw )   Full page spreads in large circulation newspapers cost big bucks not to mention prime time TV slots.   So here you have the worlds largest retail bank splashing millions on advertising and even more on a ‘cool’ little device that looks like a mini-calculator  - but basically a technology that has been around for about a decade.   This will be rolled out to 4m retail customers worldwide at a reported cost of up to £50 per pop! ( http://www.bankingtech.com/bankingtech/article.do?articleid=200002
Read more