If you don’t know me, you may think I spend all my time writing about security breaches. Believe me, I really would like to stop writing about them. I do hope organizations start paying attention. It just seems breaches are more pervasive. They are in the news more often, shared in social media regularly and part of casual conversations. Breaches are becoming so prevalent the news is more often background noise than a glaring headline. With that said, I really must make an exception and commend whoever was behind the Dropbox security spoof.
I say this not only for the creativity demonstrated in spoofing a breach, but also for taking cyber crime to a new level. By threatening to release password data in exchange for Bitcoins, these cyber thieves demonstrated a nice finishing twist to the typical breach by trying to swindle other fraudsters. Even more, they probably did not even commit a crime, because experts agree the data was stale and no evidence of a security breach was detected. At this point I must also stop and applaud the cyber thieves for their exploitation of third party apps and human behavior. Whoever masterminded the plan should write a book, perhaps consider selling the movie rights, or best yet, they could produce reality television.
They may be onto something… a new form of disruptive programming.
For those of you who require some background, let me fill you in on what happened. Forget any headlines you read, heard or viewed. Dropbox security was not compromised as announced on Dark Reading and elsewhere. Although nearly 7 million alleged Dropbox accounts were reported as compromised and some 400 accounts leaked on Pastebin.com as proof, the data did not come from Dropbox user credentials. Nonetheless, the cyber thieves continue to release data in exchange for Bitcoin donations, because someone obviously believes stale security data has currency.
“6,937,081 DROPBOX ACCOUNTS HACKED… As more BTC is donated, More pastebin pastes will appear.”
If this is a hoax, why should you care?
Password Reuse Is an Information Security Killer
Dropbox quickly confirmed it was not the source. Instead, the passwords were stolen from other third party Dropbox applications. These credentials were then used in attempts to log into Dropbox accounts. The hackers were betting that enough users reuse their passwords on systems like Dropbox to make the stolen credentials valuable. The lesson for information security leaders is that password reuse and weak passwords expose too much risk. Users often reuse the same password combinations across the Internet, social media and enterprise systems. The practice makes remembering passwords easier while putting enterprise security at greater risk. Fortunately in this case, the passwords hackers claimed were Dropbox credentials had already expired.
That’s not surprising when you consider the findings in “The Tangled Web of Password Reuse”, where research from the universities of Illinois, Indiana and Princeton found 43 to 51 percent of users reuse the same password across multiple sites. In reusing passwords, enterprise users create potentially significant risks to a company’s information security, because a single social media password may access multiple enterprise systems, applications, cloud services and SaaS platforms. Since user credentials are often obtained through a combination of sources, compromised passwords may actually work in numerous systems a user accesses.
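The pattern described above, leaked credentials replayed against another service, has a recognizable shape in login logs: one source trying many different accounts in a short window with mostly failures. The following detection routine is an added example (not code from the original post or from Dropbox); the log format, thresholds and log lines are constructed for illustration.

```python
"""Flag credential-stuffing patterns in web login logs (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, username, source IP, outcome.
SAMPLE_LOG = """\
2014-10-13T09:00:01 alice 203.0.113.7 FAIL
2014-10-13T09:00:02 bob 203.0.113.7 FAIL
2014-10-13T09:00:02 carol 203.0.113.7 SUCCESS
2014-10-13T09:00:03 dave 203.0.113.7 FAIL
2014-10-13T09:00:04 erin 203.0.113.7 FAIL
2014-10-13T09:00:05 frank 203.0.113.7 FAIL
2014-10-13T09:00:09 alice 198.51.100.2 FAIL
2014-10-13T09:00:15 alice 198.51.100.2 SUCCESS
2014-10-13T09:30:00 grace 203.0.113.7 FAIL
"""

def parse_line(line):
    ts, user, ip, outcome = line.split()
    return datetime.fromisoformat(ts), user, ip, outcome == "SUCCESS"

def flag_stuffing(log_text, window=timedelta(minutes=5), min_users=5, max_success_rate=0.5):
    """Return {ip: (distinct_users, attempts, successes)} for IPs that try many
    *different* accounts inside `window` with mostly failures: the shape of a
    leaked-credential replay, as opposed to one user fumbling their own password."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, ip, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        # sliding window over this IP's events ordered by time
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(users) >= min_users and successes / len(chunk) <= max_success_rate:
                flagged[ip] = (len(users), len(chunk), successes)
                break
    return flagged
```

In the sample, 203.0.113.7 is flagged after touching five accounts in four seconds with one success, while the legitimate user retrying their own password from 198.51.100.2 is not.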
To remove password reuse risks, an enterprise solution requires password policy, access management, and governance controls. The system must enable robust controls over every application, system and service a user accesses. It must offer flexibility to every employee, contractor, partner, customer and literally anyone who is part of your online and mobile ecosystems. The Dropbox spoof would not be so alarming except that the reuse of passwords makes all access to enterprise systems, applications and services potentially vulnerable.
Two-Factor Authentication Reduces Password Exposure
As a precaution, a Dropbox security notice urged customers to enable two-factor authentication, adding another layer of security. For example, a second factor of authentication could be to send a one-time password from the company to an employee’s mobile phone. This password would then be entered to complete login. In requiring your users to engage in an additional step such as SMS two-factor authentication, you add protection against password hacks. You also leverage your existing mobile and computer messaging systems, which means better security without added costs.
Keep in mind that this extra security obviously requires additional steps, equipment and technology, thereby adding complexity for users. To balance security against convenience, multiple options exist, from authentication questions to SMS, security tokens, voice recognition and biometrics. By providing options for multi-factor authentication you help remove barriers to users securely accessing enterprise systems, applications and services.
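The one-time password flow described above (issue a code, deliver it to the user's phone, require it to complete login) needs a few server-side properties to actually add protection: the code is random, expires quickly, is single use, and cannot be guessed by brute force. This is an added example, not Dropbox's or any vendor's code; the SMS gateway is simulated by recording the code, and the TTL and attempt limit are assumed values.

```python
"""Second-factor one-time code: issue, deliver (simulated), and verify (added example)."""
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300      # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 3            # assumed: retire the code after three wrong guesses

class OtpStore:
    """Holds pending one-time codes keyed by user. Codes are single use,
    expire after CODE_TTL_SECONDS, and are retired after MAX_ATTEMPTS."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # user -> [code, issued_at, attempts]
        self.sent = []           # constructed stand-in for the SMS gateway

    def issue(self, user):
        # 6-digit code from a CSPRNG; zfill keeps leading zeros
        code = str(secrets.randbelow(10**6)).zfill(6)
        self._pending[user] = [code, self._now(), 0]
        # A real deployment hands this to an SMS provider; here we only record it.
        self.sent.append((user, code))
        return code

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False                       # nothing pending or already consumed
        code, issued_at, attempts = entry
        if self._now() - issued_at > CODE_TTL_SECONDS or attempts >= MAX_ATTEMPTS:
            del self._pending[user]            # expired or exhausted: retire it
            return False
        entry[2] += 1
        # constant-time comparison avoids leaking how many digits matched
        if hmac.compare_digest(code, str(submitted)):
            del self._pending[user]            # single use: consume on success
            return True
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[user]            # too many wrong guesses: force re-issue
        return False
```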
This incident was not the only event causing customers to question Dropbox security. They came under fire earlier this month when Edward Snowden identified Dropbox along with Google and Facebook as “hostile to privacy”, because they hand over user data to the government. Stay tuned, safeguarding against snooping governments is certainly a topic worthy of another blog.
Get the Top 10 Identity Manager Migration Best Practices Workbook
Start your migration from legacy software with the Top 10 Identity Manager Migration Best Practices Workbook. Use this workbook to think through your information security risk before you transition to next generation identity manager software.