8 November 2014
The report ‘Research shows enterprises leaking shadow data to the cloud’ by Rob Wright is absolutely worth reading:
‘A new study by cloud security startup Elastica shows that enterprise employees are unknowingly leaking sensitive data through cloud apps and services.’
The results from a review of about 100 million files from approximately 100 different companies are really alarming:
‘185 files on average are shadow data — data that is uploaded to cloud services such as Dropbox or Google Drive — which has been broadly shared without approval via cloud services with either the entire enterprise or people outside of the company. Worse, 20% of those broadly shared files contain compliance data, with 56% of that compliance data being personally identifiable information such as social security numbers, 29% being personal health information, and 15% being payment card information.’
But the assumption that employees share sensitive information unknowingly is, in my opinion, unrealistic. Employees use Dropbox or Skydrive to simplify their daily work!
Although BYOD has been a hot topic for years now, most businesses are not yet aware of the problem. Even if a company has not started a BYOD program, or has deliberately opted against a BYOD program, the existing policies have to be updated and communicated to all employees. If the company has decided against a BYOD program, it is very important to communicate the reasons for this decision to all employees.
IT groups must implement appropriate measures to support the business strategy regarding BYOD, e.g. block Dropbox or Skydrive and provide effective, easy-to-use means of communicating with external partners.
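As an added illustration of what the study's "broadly shared files containing compliance data" look like from the defender's side (this is example code written for this post, not Elastica's tooling), the following scans a constructed batch of cloud-app sharing records, keeps only the unapproved shares that reach the whole company or outsiders, and flags the PII, PHI and payment-card patterns the study counts. The record format, the domain corp.example and the pattern lists are assumptions for the example.

```python
import re

# Constructed sample of cloud-app sharing records (hypothetical audit format, not real data).
SAMPLE_SHARES = [
    {"file": "q3_payroll.xlsx", "shared_with": ["anyone-with-link"], "approved": False,
     "content": "Employee SSN 123-45-6789 salary 82000"},
    {"file": "notes.txt", "shared_with": ["carol@corp.example"], "approved": False,
     "content": "lunch at noon"},
    {"file": "invoice.pdf", "shared_with": ["partner@vendor.example"], "approved": True,
     "content": "Card 4111 1111 1111 1111 exp 12/26"},
    {"file": "patients.csv", "shared_with": ["friend@gmail.example"], "approved": False,
     "content": "MRN 00482 diagnosis hypertension"},
]

INTERNAL_DOMAIN = "corp.example"                       # assumed company domain
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")          # US social security number layout
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")         # candidate card number, separators allowed
PHI_TERMS = ("diagnosis", "mrn", "patient")            # crude health-record indicators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def is_broadly_shared(record: dict) -> bool:
    """Shared with the whole enterprise (link sharing) or with anyone outside the company domain."""
    return any(t == "anyone-with-link" or not t.endswith("@" + INTERNAL_DOMAIN)
               for t in record["shared_with"])

def classify_content(text: str) -> set:
    """Return the compliance-data categories found in the file content."""
    kinds = set()
    if SSN_RE.search(text):
        kinds.add("PII")
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            kinds.add("PCI")
    if any(term in text.lower() for term in PHI_TERMS):
        kinds.add("PHI")
    return kinds

def find_shadow_data(records: list) -> list:
    """Unapproved, broadly shared files together with the compliance data they expose."""
    return [(r["file"], sorted(classify_content(r["content"])))
            for r in records if not r["approved"] and is_broadly_shared(r)]
```

Approved shares (the vendor invoice) are skipped as sanctioned, so the output lists only the two unapproved external shares and what they leak.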
Enjoy the colors … to find some peace of mind for reading the white paper.
[Photo: Evening Colors, 49°35’48.1″N 6°37’05.8″E]
16 October 2014
I heard the news Tuesday evening at 10 o’clock: “Dropbox hacked. About 7 million usernames and passwords stolen.” I could hardly believe it. My first thought was: Why only 7 million credentials? Dropbox has 200+ million users. Why should someone be satisfied with 7 million credentials if he could have 200 million? Something seems to be very wrong with this story. Moreover, the quality of the data is very bad. Please check the Pastebin site for a sample.
And then the recantation: Dropbox announced that there was no data breach. “‘These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks, and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well,’ a Dropbox spokesman said in an email to Reuters.” For details see Hundreds of alleged Dropbox passwords leaked.
Since the media interest is nearly zero today, the story is certainly true.
What really annoys me is how sloppily user credentials are treated by the ‘other services’. Data and log-in credentials were stolen from third-party apps, which are actually supposed to simplify daily life with Dropbox. For more details see the great report Snapchat And Dropbox Breaches Are Really Third-Party-App Breaches by Elise Hu from 14 October 2014.
Unfortunately these apps increase the complexity of our life and gadgets. Each app comes with its known and unknown vulnerabilities, which could be used by an attacker to get access to our private data. But the worst is yet to come: you are surrounded by friends with buggy gadgets, which will have an impact even on your life once hijacked by an attacker.
To put it concisely: the more apps you use, the greater your attack surface becomes and the higher the danger of a data breach.
How to solve this problem? Simplify! Focus on the really important apps and uninstall the others. Activate TFA and use strong passwords. And tell your friends to decrease their attack surface as well.