Showing posts from April, 2011

Dropbox Is Not Secure - Steps To Mitigate Security Risks

Security consultant Derek Newton has discovered a security vulnerability in Dropbox, a cloud-based file sharing and syncing service that is popular amongst lawyers. The flaw allows anyone with access to the Dropbox client's files (in particular, "config.db") to gain perpetual and irrevocable access to the files stored in that Dropbox account. In other words, an attacker can sync an unauthorized computer to the account, and the owner has no way to stop it. A disgruntled employee can typically have his access revoked by changing the password, but with Dropbox a password change does not revoke access obtained this way. This article will discuss how to mitigate the security risks associated with Dropbox.

An initial note: as I have discussed before, Dropbox is not secure in any environment that requires multiple users. In fact, I would claim that it is inherently insecure in that setting. There is no way to create user accounts with different access permissions. In contrast, a file server allows the creation of classes, so only lawyers and staff worki…