Dropbox Accounts Exposed? Multi-factor Authentication and Encryption By Default

Introduction

The latest compromise of Dropbox accounts has nothing to do with a security breach at Dropbox. It stems from the hacks of other systems, where users have reused the same email address and password across a range of services. This kind of credential reuse is a particular problem in computer security, as users often have just a few passwords, and often use the same one for all of their logins. The originators of the hack claim to hold seven million compromised passwords, and were asking for Bitcoin donations to release the information but, as of yesterday, had managed to raise only 4 cents worth of funding. It is reckoned that, out of the 220 million Dropbox users, only around 3% of accounts (6,937,081) could be at risk from the latest release of passwords.

A similar thing happened to Dropbox in 2012, where usernames and passwords stolen from other sites were used to compromise a number of Dropbox accounts. Affected users found a folder such as:

16-Feb-12  03:15 PM    <DIR>          Your DropBox has been Hacked

which identified that a hacker had gained access to their Dropbox account. In 2011, too, Dropbox inadvertently pushed a code change to its own service that, for a period, allowed anyone to sign into any Dropbox account without knowing the correct password. These issues have caused many to move towards multi-factor authentication for Dropbox storage.

Multi-factor authentication

For most users there is only one sensible way to use Dropbox, and that is with multi-factor authentication enabled. In this way, obtaining someone's email address and password is not enough to get into their Dropbox account. In any multi-factor scheme, users are challenged with two or more of: "something you know" [such as a username and password], "something you have" [such as a smart card or a mobile phone], "something you are" [such as a fingerprint] and "somewhere you are" [such as your location]. Increasingly, systems are being designed to integrate these challenges, as usernames and passwords are becoming difficult for users to remember, and even when used correctly it is often possible for attackers to recover the original passwords from a stolen credential database (as was seen with the Adobe hack, which involved the compromise of over 150 million usernames and passwords). Often an out-of-band method is used for the second factor, such as sending a one-time code by SMS to the user's mobile phone, which is then entered into the web page. This is more robust, as an intruder must obtain both the password and access to the phone. One caveat: a code sent by SMS can be intercepted or redirected (for example through SIM-swap fraud), so a code generated on the phone itself by an authenticator app is generally the better choice.

Figure 1: Multi-factor authentication

Encrypting into the Cloud

Increasingly, users are turning to cloud-based systems such as Dropbox and SkyDrive to share files with other users. With storage allowances often greater than the disk space that corporations can offer, the cloud is now an excellent way to store and share files, but the provider, and anyone who compromises an account, can read whatever is uploaded in the clear. The answer is to encrypt on the client before the data leaves the machine. One of the best-known solutions is TrueCrypt, which is free and allows users to store files in an encrypted container that can itself be synced to the cloud (note that TrueCrypt's developers announced the end of its development in May 2014, so a maintained fork such as VeraCrypt is the practical choice going forward). For more information on disk encryption:

HBGary Federal

The HBGary Federal example is the best one in terms of how organisations need to understand their threat landscape, and of what happens when a single password is used for a range of accounts. It started when Aaron Barr, the CEO of HBGary Federal, announced that he would unmask some of the key people involved in Anonymous, and contacted a host of agencies, including the NSA and Interpol. Anonymous responded with a warning that he should not do this, as they would come after him. As HBGary was a leading security organisation, they thought they could cope with this and went ahead.

Anonymous then looked at the HBGary Federal content management system (CMS) and found that a simple request of the form:

http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27

gave them access to the complete database of usernames and hashed passwords for the site (the page parameters were vulnerable to SQL injection, as was widely reported at the time). As the passwords were hashed without a salt, it was an easy task to recover the original passwords from the hashes by lookup. Their targets, though, were Aaron Barr and Ted Vera (COO), each of whom used a weak password of six letters and two digits, a keyspace small enough to exhaust by brute force even without a wordlist.
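To make the salting point concrete, here is an added example (constructed data, not the real HBGary table, and SHA-256 rather than whatever hash the HBGary CMS used) that runs one wordlist against an unsalted and a salted credential table and counts the hash computations each takes. The names, passwords and salts in the sample are invented.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// user is one row of a leaked credential table; salt is nil in the unsalted scheme.
type user struct {
	name string
	salt []byte
	hash string
}

// hashUnsalted is the weak scheme: H(password), identical for every user who
// picks the same password, and crackable with a table computed once.
func hashUnsalted(pw string) string {
	sum := sha256.Sum256([]byte(pw))
	return hex.EncodeToString(sum[:])
}

// hashSalted mixes a per-user random salt into the hash: H(salt || password).
// (A slow KDF such as PBKDF2, bcrypt or scrypt is the further step; the salt
// alone is what defeats precomputation and hides password reuse.)
func hashSalted(salt []byte, pw string) string {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pw))
	return hex.EncodeToString(h.Sum(nil))
}

// newSalt is what a real registration path uses; the sample table below uses
// fixed salts only so that the example is reproducible.
func newSalt() []byte {
	s := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, s); err != nil {
		panic(err)
	}
	return s
}

// crackUnsalted hashes each candidate once and then looks every user up in
// the table: work grows with the wordlist, not with the number of users.
func crackUnsalted(users []user, words []string) (map[string]string, int) {
	table := make(map[string]string, len(words))
	work := 0
	for _, w := range words {
		table[hashUnsalted(w)] = w
		work++
	}
	found := map[string]string{}
	for _, u := range users {
		if pw, ok := table[u.hash]; ok {
			found[u.name] = pw
		}
	}
	return found, work
}

// crackSalted cannot share a table: every candidate is rehashed under each
// user's own salt, so work is wordlist size times number of users.
func crackSalted(users []user, words []string) (map[string]string, int) {
	found := map[string]string{}
	work := 0
	for _, u := range users {
		for _, w := range words {
			work++
			if hashSalted(u.salt, w) == u.hash {
				found[u.name] = w
				break
			}
		}
	}
	return found, work
}

// Constructed wordlist of "word + two digits" candidates a cracker tries first.
var wordlist = []string{"summer11", "london99", "secret12", "monkey77", "dragon42", "hbgary01"}

// sampleUsers builds a constructed table: two accounts sharing a guessable
// password and one with a strong password that is in no list.
func sampleUsers(salted bool) []user {
	creds := []struct{ name, pw, salt string }{
		{"aaron", "summer11", "salt-aaron-000001"},
		{"ted", "summer11", "salt-ted-00000002"},
		{"greg", "Tr0ub4dor&3-not-in-any-list", "salt-greg-0000003"},
	}
	var users []user
	for _, c := range creds {
		if salted {
			salt := []byte(c.salt)
			users = append(users, user{c.name, salt, hashSalted(salt, c.pw)})
		} else {
			users = append(users, user{c.name, nil, hashUnsalted(c.pw)})
		}
	}
	return users
}

func main() {
	found, work := crackUnsalted(sampleUsers(false), wordlist)
	fmt.Println("unsalted:", found, "hashes computed:", work)
	found, work = crackSalted(sampleUsers(true), wordlist)
	fmt.Println("salted:  ", found, "hashes computed:", work)
	fmt.Printf("a fresh random salt looks like: %x\n", newSalt())
}
```

Two things are visible in the output: in the unsalted table the two accounts that share a password have identical hashes, so the cracker learns the reuse before computing anything, and the precomputed table cracks both for the price of one pass over the wordlist. Salting forces a full pass per user and makes shared passwords indistinguishable; it does not, however, save a weak password from a direct dictionary attack, which is why a slow hash is the next step.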

Now that they had these login details, Anonymous moved on to other targets. Surely the two would not have used the same password for their other accounts? But when Anonymous tried, they could get into a whole range of accounts with the same password (including Twitter and Gmail). This gave them access to gigabytes of R&D information. Then they noticed that the administrator of the company's Google Apps email was Aaron, and through that account they gained access to the complete email system, which included the email system for the Dutch Police.

Figure 2: Access to email and a whole lot more.

Finally they went after the top security expert, Greg Hoglund, who owned HBGary. For this they sent an email from within the compromised Gmail account, appearing to come from a system administrator, asking for confirmation of a key system password, and the reply duly came back with it. Anonymous then went on to compromise his accounts. The lesson for many organisations is that a convincing email sent from an insider's real account is enough to defeat even a security expert, and that no system password should ever be confirmed by email. While HBGary Federal has since been closed down, because of the adverse publicity around the hack, the partner company (HBGary) has gone from strength to strength, with Greg making visionary presentations on computer security around the world.

Figure 3: Greg's compromise

Conclusions

For many who have seen the problems around public cloud-based storage, the only solution is multi-factor authentication, and the mobile phone is typically the device of choice for properly identifying the individual (especially through out-of-band authentication). Along with this, users also need to look towards encrypting their data before it goes into the cloud, as no remote storage can be completely free from malicious access. TrueCrypt, for example, allows users to encrypt data into the cloud, so that even if someone gets access to the stored data they will not be able to read it without the passphrase. So, for companies, the only way forward in using public cloud storage is to implement multi-factor authentication and, wherever possible, to encrypt on the client before data enters the public cloud.

Users are being advised to move toward multi-factor authentication, but that is only the first step on the road to encryption by default.
