Tag Archives: dropbox

Evernote hacked, an early warning for the Cloud Storage storm coming?

In recent years I have written various articles warning of the risks related to the uncontrolled use of cloud storage solutions in the corporate world.

Evernote is a popular online note storage solution which is often used by mobile users. You could see it as a cut-down version of Dropbox, as it is more restrictive about what one can store online.

It got hacked a few days ago, as reported by The Verge. What was stolen includes usernames, email addresses and encrypted passwords. We don’t know what password algorithm they used or how hard/easy/feasible it is for the hackers to crack them, but the company behind Evernote now asks *all* its (millions of) users to reset their passwords.

This should really serve as a wake-up call to check what policies and controls are in place to prevent your users from transferring all sorts of corporate documents outside of your corporate security controls. If Evernote is used within your company, and those passwords were cracked, how different would it be from having those users losing unencrypted USB sticks or unencrypted laptops containing corporate documents? Not all users would have access to sensitive data, but those who do should certainly not be free to use any cloud storage solution they like without extra security controls.

With the increased popularity of and demand for BYOD and mobile devices, are you restricting your HR, VIP and Financial department users when it comes to syncing data in the cloud? Do you know what data is leaving your company to Dropbox? SkyDrive? Google Docs? … Evernote?
If you don’t, now would be a good time to find out… before a government data privacy agency asks you!

Boxcryptor, a great tool to secure your cloud storage solution.

I made my feelings very clear about the use of Dropbox in the enterprise in a previous post. I still believe Dropbox and similar cloud storage solutions such as Google Drive or SkyDrive are a time bomb waiting to go off for many companies who are busy securing their infrastructure but forget to look at the data leaving their premises through the back door, or who just do not appreciate how tablets and smartphones are driving their users’ behaviours and requirements.

There will be a lot of red faces if/when Dropbox and Co announce they have been hacked.

However, I have recently come across a great tool that can help reduce the impact of such a bad scenario. It is called Boxcryptor.

Boxcryptor creates an encrypted folder under your cloud storage directory (e.g. Dropbox) and allows files to be encrypted on the fly, making it much faster and more transparent than the solution I described before with TrueCrypt. The encryption keys are stored locally and only known to you. Their client runs on many different platforms: Mac, PC, iOS, Android.

Boxcryptor works very well, but it is important to note a difference in software behaviour between a Mac and a PC.

On a Mac, if you install Boxcryptor it will create an encrypted folder in your cloud storage directory.
It will also create a new “disk” which gives you direct access to that encrypted folder.

You then have a choice: you can either drop files onto this “disk” or into that encrypted folder in your cloud storage directory. Those 2 actions are the same and the files will be encrypted in both cases.

On a PC, if you install Boxcryptor it will create a folder in your cloud storage directory. Note that I did not say encrypted folder. It will also create a new “disk”.
The difference between the PC and Mac implementations of Boxcryptor is that, on a PC, files are only encrypted if you drop them onto your Boxcryptor disk. They will not be encrypted if you drop them into your cloud storage Boxcryptor folder directly. That folder and the Boxcryptor disk are not the same. Those 2 actions are therefore not the same.
This could be confusing, and a user may forget about that difference and copy sensitive files directly into his cloud storage Boxcryptor folder, thinking those files are going to be encrypted when they are not.
To be fair, there is a readme file in the Boxcryptor “encrypted” folder. But the chances are nobody will read it and, more importantly, anyone who does could forget about it.

My recommendation is to get used to copying files to the Boxcryptor disk only. That way, you are always sure they get encrypted (and that the software is running in the background!).

I have contacted the authors and they are aware of this behaviour difference. Although they did not commit to any release dates, they are apparently working on it.
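One way to catch files that were dropped straight into the cloud storage Boxcryptor folder on a PC and therefore synced unencrypted (an added example, not code from this post or from Boxcryptor). It assumes encrypted files look like random bytes; the folder path, the ignore list and the thresholds are hypothetical values to tune.

```python
import math
import os
import sys
from collections import Counter

# Well-known file signatures of formats users typically sync (not exhaustive).
MAGIC = {b"%PDF": "PDF", b"PK\x03\x04": "ZIP/Office", b"\xd0\xcf\x11\xe0": "legacy Office",
         b"\xff\xd8\xff": "JPEG", b"\x89PNG": "PNG"}
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
ENTROPY_MIN = 7.0      # assumed threshold in bits/byte; ciphertext sits close to 8.0
ENTROPY_SAMPLE = 4096  # below this size the entropy estimate is too noisy to use


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def plaintext_reason(head: bytes):
    """Return why a file sample looks unencrypted, or None if it looks like ciphertext."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return f"{kind} header"
    if head and sum(b in PRINTABLE for b in head) / len(head) > 0.9:
        return "printable text"
    if len(head) >= ENTROPY_SAMPLE and shannon_entropy(head) < ENTROPY_MIN:
        return "low entropy"
    return None


def scan(folder: str, ignore=()):
    """Walk `folder` and list (relative path, reason) for likely plaintext files."""
    findings = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            if name in ignore:  # e.g. the readme in the folder; name supplied by the caller
                continue
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                head = fh.read(65536)
            reason = plaintext_reason(head)
            if reason:
                findings.append((os.path.relpath(path, folder), reason))
    return sorted(findings)


if __name__ == "__main__":
    for rel, why in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"possibly unencrypted: {rel} ({why})")
```

Run it against the Boxcryptor folder inside the cloud storage directory, not against the Boxcryptor disk, which shows the decrypted view.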

New Dropbox Issues and a work around

More issues have been found with Dropbox. They were major issues, and the researchers worked with the vendor to fix them before going public.
Although they are now fixed, they highlight the time bomb Dropbox is for enterprise users: convenience of use and ignorance of the security risk mean that sensitive information from many different companies and user profiles is likely to end up stored centrally on Dropbox.

The 3 security issues discussed in this article were:
– Hash value spoofing to access other customers’ data
– Stealing the Dropbox host ID to access other customers’ data
– Potential replay attack when providing another customer’s data hash combined with any valid host ID (i.e. the attacker’s host ID) to get access to the corresponding data.

One key point made in the article is that all this happens in the cloud, therefore the victims and/or the victims’ networks would be blind to these attacks.

There is no denying that Dropbox is very convenient, but those repeated security issues really mean your data is at risk when hosted on their servers.

One solution, in this case, is encryption. I have listed a number of “on the fly” encryption solutions in a previous post. But none of those solutions really ticked all the boxes so far: they either do not support enough operating systems, are not open source, come from very young and unknown companies, etc.

I have also previously said that using TrueCrypt would defeat the main attraction of Dropbox: seamless, streamlined and constant backups.

However, right now I see it as one of the only solutions for securing Dropbox.

Why?
Because TrueCrypt is a well-established encryption solution you can trust. Of course, other encryption tools such as PGP and co could fit the bill too, but I like TrueCrypt because it is free and open source.

To use TrueCrypt with Dropbox without trading off too much performance for security, you would need to be more disciplined though…
In essence, you need to break down your data into chunks in different containers, so that the TrueCrypt disks are as small as possible and the chunks of data that are not likely to change do not get synced every time you update a document which is unrelated to that data.

What worked for me is the following:
– Store data you consider public in a public folder. You don’t have to share it with the world, but you need to assume it could be.

– Separate your other data, the potentially sensitive data, into folders
e.g.: Subject1, Subject2, Subject3

– Within your folders, create subfolders for data that is likely to change and for data that will not
e.g.: {Subject1_New, Subject1_Old} and {Subject2_New, Subject2_Old}, etc.

– Keep the Change/New folders small

– Break down the Nochange/Old folders into sizes of around 500Mb or 1Gb maximum

– Create a TrueCrypt disk for each of the folders (Old and New).

– Ideally you will have a different password for each of the TrueCrypt disks, but it depends on what process you use to remember those passwords!

– Store the public folder in Dropbox unencrypted

– Store all the TrueCrypt disks in Dropbox

Now, you will have access to your “public” data as before, but for any potentially sensitive data you will have to mount the TrueCrypt disk first. You will also have to unmount the disk before it can be synchronised back.

Because you have broken down your data into different chunks/encrypted disks, if you update or add a document in one of those disks it should not take long to synchronise back to Dropbox when you unmount it.
Also, the old/reference data which you are unlikely to change can be accessed by mounting those larger “old” disks without requiring a large and lengthy re-sync.

What you are introducing with the method described above is added security through a check in/check out process while leveraging performance by dividing your data into chunks.

More importantly, you are securing your data without relying on Dropbox security.
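The “break down the Old folders” step above, worked as a small planner (an added example, not part of the original post): it packs the files of one Old folder into as few size-capped TrueCrypt disks as it can and reports which disk has to be re-synchronised when a given file changes. The first-fit-decreasing strategy, the 5% headroom for filesystem overhead and the container naming are assumptions of this sketch.

```python
import os

MB = 1024 * 1024


def folder_sizes(folder: str) -> dict:
    """Map each file under `folder` (relative path) to its size in bytes."""
    sizes = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            sizes[os.path.relpath(path, folder)] = os.path.getsize(path)
    return sizes


def plan_containers(sizes: dict, cap: int, headroom: float = 0.05,
                    prefix: str = "Subject1_Old"):
    """First-fit decreasing: pack files into containers holding at most `cap` bytes.

    `headroom` reserves a fraction of each container for filesystem overhead
    (assumed 5%). A file larger than the usable space gets a container of its
    own, marked oversized, so it can be sized by hand.
    """
    usable = int(cap * (1 - headroom))
    containers = []
    # Largest files first; ties broken by name so the plan is reproducible.
    for path, size in sorted(sizes.items(), key=lambda kv: (-kv[1], kv[0])):
        target = None
        if size <= usable:
            target = next((c for c in containers
                           if not c["oversized"] and c["used"] + size <= usable), None)
        if target is None:
            target = {"name": f"{prefix}_{len(containers) + 1:02d}", "files": [],
                      "used": 0, "oversized": size > usable}
            containers.append(target)
        target["files"].append(path)
        target["used"] += size
    return containers


def resync_target(containers, changed_file: str):
    """Name and payload size of the disk to unmount and sync after a change."""
    for c in containers:
        if changed_file in c["files"]:
            return c["name"], c["used"]
    raise KeyError(changed_file)
```

Feed it `folder_sizes("Subject1_Old")` and a cap of your choosing, then create one TrueCrypt disk per planned container.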

Dropbox in the Enterprise

In the never-ending story of issues and concerns with Dropbox, there is an interesting article discussing the recent changes to the Terms and Conditions for using Dropbox:

TechRepublic Post

In a nutshell, Dropbox is trying to protect themselves regarding what they do and can do with your data hosted in their data centre. So it means granting Dropbox and those they work with “worldwide, non-exclusive, royalty-free, sub-licensable rights to use, copy, distribute, prepare derivative works” from your data.

The TechRepublic article stresses that it is already the case with sites such as Facebook. There is however a big difference. Facebook is mainly used for social content, personal “stuff” (to use Dropbox’s term). Dropbox is not only used for personal “stuff” but also for professional “stuff”.

It sounds as if Dropbox could now use any intellectual property stored on their servers. I am not sure many companies who have users syncing work-related documents would be very happy with sharing them with the world.

So, to add to the data leakage risks related to the previous security issues, there is a new data loss concern with Dropbox. Not only do they have the keys to your data, but you must agree they can use/reuse it how they see fit.

This raises the question of whether Dropbox is fit to be used at an enterprise level. From all the above, clearly not. If their claim of having 25 million users is true, then there is bound to be sensitive information on their servers. If hacker groups go after the likes of Dropbox, they would not target just one company; instead they would impact many.

Dropbox could just be the perfect modern Trojan horse: while companies are busy securing their perimeter, they could be losing control of their data being stored outside those defences.