Dropbox users: Reset your passwords

by
7th Aug 2012

The recent debate on AccountingWEB about the pros and cons of Dropbox for exchanging client documents took a worrying twist last week when the online storage service admitted it had been hacked.

The problem came to light after Dropbox investigated the rising incidence of spam to some of its users.

In a subsequent blog post, Dropbox said it had discovered that a stolen employee password had given hackers access to a Dropbox account containing a project document with user email addresses.

The developer said that only a small number of accounts had been affected and that it had contacted them to help protect their data. But the incident confirmed some of the warnings put forward by AccountingWEB members, who urged accountants not to entrust confidential documents to the consumer-oriented service.

“It’s great for granny's photos, not for business,” said AccountingWEB member Hansa in a typical comment.

Rival providers and security consultants lined up to kick Dropbox while it was down.

Grant Taylor, European vice president of Cryptzone, confirmed the Hansa view that people should not use Dropbox for many business purposes. “Compliance managers would be horrified to know that confidential data was being moved out of the organisation’s sphere of control. Free services by their very nature don’t have the features to facilitate corporate control and management,” he said.

Rob Sobers, technical manager at Varonis, criticized the Dropbox explanation that only a small number of usernames and passwords were compromised.

“They are assuming they know exactly which accounts were compromised,” he said.  “What about the accounts whose passwords might have been stolen but haven’t been breached (yet)?”

LinkedIn made a similar mistake a few months ago when it reset the passwords for accounts it believed to be affected, based on a published by the hackers themselves.

Sobers was concerned that a Dropbox employee was storing customer data in their own Dropbox account and wondered what other customer information was stored in Dropbox folders.

His advice to Dropbox users was to reset their passwords, even if Dropbox neglected to do it for them.

One of the alternative suppliers mentioned by members on our “Dropbox: What you need to know” article was SugarSync. Robb Henshaw, the company’s “communications Czar”, has been in London to promote the Cloud-based storage and synchronisation service at the Olympics.

He promised that a new product would be launched in the UK before the end of the year featuring enhanced interfaces and features requested by customers.

He also highlighted inherent weaknesses in free, consumer services such as Dropbox, Google Play and Yahoo.

“You simply have to be diligent about security practices,” he said. “We try to be more diligent than the others. We have regular third party security audits. Because SugarSync partners with global brands like Samsung and Lenovo, they also put us through their own security audits on a regular basis.”

SugarSync offers all users 5GB of AES 128-bit encrypted storage for free, with paid plans starting from $5/month for 30GB up to $80/month for 1TB.

“The bulk of our users are probably around the 60GB region,” Henshaw said.

Replies (5)

By louisVW4
08th Aug 2012 13:48

Secured Cloud Storage

The use of the Cloud to store content will go in one direction only ...UP! So, we have no choice but to put the necessary governance in place to manage that growth, or suffer from the inevitable hiccups we have seen recently.

For example, the use of Microsoft SharePoint is exploding, and is forecast to be the largest content repository solution in the next 2 years. It's already causing companies to run out of database resource requiring them to deploy additional servers, which compounds the problem. If it's there, it will be used! Also, we have seen the fiascos where staff at e.g. NHS Hospital Trusts copy confidential patient information to data sticks, which is about the most insecure way of working and rightly deserves the fines they have been given.

Consequently, companies are looking to exploit the Cloud to reduce their storage costs yet provide capacity on demand to support growth, securely handle larger and larger amounts of data and requests wherever staff work (and mobility is increasing rapidly), reduce complexity and management overheads, and provide a non-intrusive experience to the business user. A tall order!

Admittedly, I am talking here about larger companies, and maybe the likes of LinkedIn and Dropbox should take note of this.

I recommend you take a quick look at a new offering from software innovator, Stealth Software (www.stealth-soft.com), which I believe is game-changing technology. It does all the things above, and more.

It will reduce total cost of ownership by 30%-50% and deliver a return on investment within 12 months. Welcome news to hard pressed CFOs and IT management. What's more, it addresses the security issues by seamlessly encrypting data before it leaves SharePoint and leaves the metadata in the on-premise server, and offers built-in backup and content failover (the extent of my technical knowledge!). It has already been endorsed by Microsoft, who can actually sell the offering for Stealth Software, packaged up with a significant chunk of their Azure Cloud storage... at a very attractive price... for a limited time.

Of course, I have an interest in this because we represent Stealth in the UK, but it really is a game-changer, and we have put our reputation on the line to take it on when there are plenty of long established 'market leaders' out there we could have looked at.

I will be happy to discuss Stealth with anyone who's interested... no hard sell! [email protected]

 

 

 

Thanks (0)
By User deleted
09th Aug 2012 10:10

advertising - all the same ! .....

irrespective of whether it is 'hard sell' or not

what has it added to the specific Dropbox debate - nothing discernable

Thanks (0)
By louisVW4
10th Aug 2012 11:28

...what has it added to the Dropbox debate?

JC - Sorry you don't perceive any value in my contribution.

It may be advertising, but there are quite a few 'advertisers' in John's article, and I simply wanted to address the main concern everyone has with securely storing data in the Cloud; the main reason for the Dropbox debate. 

Stealth Software is the only solution of its kind which offers companies a cost-effective and secure approach to storing data in the Cloud.

As ex-Dropbox users, we share those concerns, and being a finance-oriented website, I had hoped saving money combined with security, would be of interest to readers, and give them something to suggest to their clients as being worth a look, if nothing else.

Thanks (0)
By daveforbes
10th Aug 2012 12:11

dropbox debate

I think the lesson to learn from this particular security scare is, don't use the same userids and passwords for multiple sites.

 

Without mentioning names, a different website lost a bunch of userids and passwords a few weeks back. Some enterprising individual realised that many drop box users would use the same userids and passwords for dropbox as for this other website and therefore gained access to various drop box accounts.

 

What compounded this is that one of these accounts belonged to a dropbox employee who had a big list of dropbox users email addresses.

 

Oops.

 

Thanks (1)
By Billbill100
17th Aug 2012 11:45

Cloud Security

The cloud is a GREAT development.  We like.

But as long as someone, somewhere, knows your password, then it can never be secure.

2 solutions:

1a) Never, ever share your password.  (But that's simply not possible, with Cloud servers, as it's part of the logon process.)

1b) Use a unique 20 digit alpha-numeric password for each site.  Such as MP*1a22#lLI0Mt174hq.......  (Good luck remembering that!)  And change it each month

1c) But never write down your password. 

1d) Nor use your house name/number, nor your nephew's name, nor your wife's birthdate backwards.... (All obvious, but how many people do that...?)  It's too easy for the 'Bad Guys' to trawl through all data linked with your presence on the web (registrations, posts, blogs, Likes, address details etc etc), and use those findings, to focus a brute force attack, to "guess" your password, all while they are drinking their first coffee of the morning...

So use a password that absolutely NO-ONE knows...

 

2) And/or: Make sure that you encrypt all data, before it goes to the cloud.  Using a private channel for your encryption Key (That NO-ONE can get to...).

Only then can the Cloud be safe.

Then 'enjoy' it...and all the benefits it brings.

 

 

Vested interest>  We currently provide exactly this solution, to judges, lawyers, accountants, military, and many other professionals across Europe and US.

Tell me (via Accounting Web?), if you want to know more.

 

 

 

Thanks (0)