Is Dropbox authentication insecure by design? How and why users should secure Dropbox data
A Dropbox security bug that allowed users to log in to the system without using any password has led to a serious debate on whether the data stored in Dropbox is secure even when authentication goes through a proper password.
How Dropbox works: Dropbox syncs files across systems and devices that you own, automatically, with the support of the Dropbox client installed on each system that you wish to include in this synchronization. The client runs constantly, looking for new changes locally in your designated Dropbox folder and/or in the cloud, and syncs as required.
Security issue: Dropbox uses a host key system, so your password is not stored anywhere on your system. The key is your authentication details. If the key is compromised, you can easily remove that particular host/key from your account, which revokes its access. So a third party who gains access to your Host ID has complete access to your Dropbox until you remove the host from the list of linked devices via the Dropbox web interface.
Derek Newton, Security expert, says: Relatively simple targeted malware could be designed with the specific purpose of exfiltrating the Dropbox config.db files to interested parties who then could use the host_id to retrieve files, infect files, etc.
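An added example, not from the original article or from Dropbox: since the host_id in config.db acts as the credential, this POSIX-only audit reports whether other local accounts could read or replace such a file. The function name is hypothetical, the path is supplied by the caller, and the demo runs on a constructed stand-in file.

```python
import os
import stat
import tempfile


def audit_credential_file(path):
    """Return findings for a file that holds a bearer credential (POSIX only)."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink; audit the real file it points to"]
    if st.st_uid != os.getuid():
        findings.append("owned by uid %d, not the current user" % st.st_uid)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("mode %04o lets other local accounts read it" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("mode %04o lets other local accounts modify it" % mode)
    # A parent directory open to group/other can expose or allow swapping the file.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if stat.S_IMODE(parent.st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("parent directory is accessible to other accounts")
    return findings


def demo():
    """Audit a constructed stand-in for config.db before and after tightening."""
    workdir = tempfile.mkdtemp()          # mkdtemp creates the directory as 0700
    path = os.path.join(workdir, "config.db")
    with open(path, "w") as fh:
        fh.write("constructed placeholder, not a real host_id\n")
    os.chmod(path, 0o644)                 # readable by every local account
    before = audit_credential_file(path)
    os.chmod(path, 0o600)                 # owner only
    after = audit_credential_file(path)
    os.remove(path)
    os.rmdir(workdir)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("0644:", before)
    print("0600:", after)
```

Tight permissions only keep other local accounts out; software running as your own user can still read the file, so unlinking a suspect host remains the way to revoke access.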
Why are you ever sending sensitive data (that needs encrypted) off to an outside provider unencrypted? I don't care whether they promise to encrypt it or not. I don't care about contract terms. Why are you ever trusting data you don't want disclosed to them in a form where they can disclose it and you'll only find out about it after the fact? Because that's the situation: someone can go to them with the legal paperwork and get the data and never need to be in contact with you at all. The first time you'll get any contact will be if the outside provider or whoever requested the data notifies you. I'd be encrypting the data on my end before sending it up. That way I don't have to trust the provider, the only thing they can provide to anyone is the encrypted data and whoever gets it will have to come to me (or crack my encryption, and I'm going to pick one that's as hard to crack as possible) if they want it decrypted, observed a user in a discussion board after the authentication bug was reported by Dropbox.
How to secure data: Instead of believing in your data host and their authentication, be proactive and create an encrypted volume in your Dropbox folder with FreeOTFE or TrueCrypt, and store there the data you want to keep secret.
Mac OS X: You can also create an encrypted Disk Image (.dmg) using Disk Utility (normally found in /Applications/Utilities). Alternatively, you may encrypt your entire home directory using FileVault (System Preferences -> Security -> FileVault).
Dropbox automatically connects to your account, which means anyone who can access your user profile (on the OS) is able to access your Dropbox files. They can also access your web interface, so although they cannot lock you out of your own account (Dropbox's password reset needs the current password, which is not compromised), they can inflict significant damage by deleting and purging important files.
The only secure way to prevent this is to encrypt your entire hard drive using something like FreeOTFE or TrueCrypt. However, these guidelines should be sufficient to protect your computer in your temporary absence:
- Disable automatic user login on your computer
- Set up a strong password for your user account (test your password strength using PasswordMeter)
- Make your computer prompt for the user password after waking from screen-savers, sleep, or hibernation
Windows Vista: Instead of setting a strong password which is a pain to remember, it may be more convenient to set a satisfactory password with an account lockout policy. This will, for example, allow 3 incorrect attempts before denying all login attempts for 15 minutes (12 tries per hour), rendering it virtually impossible for any human to guess the password during your temporary absence.
To do this, run secpol.msc (Start --> Run) then navigate to Security Settings > Account Policies > Account Lockout Policy. Account lockout threshold is the number of incorrect attempts to allow before locking the user. Account lockout duration is the amount of time to maintain the lockout, and Reset account lockout counter after should be the same as Account lockout duration, unless you want some rather interesting effects.
Vista Home Basic and Premium don't have this feature: Enable account lockout in Vista Home Basic and Premium
Ubuntu Linux: Tutorial to secure Dropbox
Be diligent about removing old systems from your list of authorized systems within Dropbox. Also, monitor the Last Activity time listed on the My Computers list within Dropbox. If you see a system checking in that shouldn't be, unlink it immediately, Derek Newton, security expert, says.
Sources: wiki.dropbox.com, dereknewton.com
© Copyright IBTimes 2024. All rights reserved.