Dropbox Is Not Secure - Steps To Mitigate Security Risks

Security consultant Derek Newton has discovered a security vulnerability in Dropbox, a cloud-based file sharing and syncing service that is popular amongst lawyers. The security flaw allows any user with access to the Dropbox files (in particular, "config.db") to get perpetual and irrevocable access to the files stored on Dropbox. In other words, a hacker can sync an unauthorized computer to the Dropbox account, and there is no way to stop him. A disgruntled employee can typically have his access revoked by changing the password, but this would not work with Dropbox. This article will discuss how to mitigate the security risks associated with Dropbox.

An initial note: as I have discussed before, Dropbox is not secure in any environment that requires multiple users. In fact, I would claim that it is inherently insecure. There is no way to generate user accounts with different access permissions. In contrast, a file server allows the creation of classes, so only lawyers and staff working on a matter can access the related files. Furthermore, Dropbox does not perform client-side encryption. Dropbox receives the files in plain text, then encrypts the files on its servers. A security flaw on Dropbox's end would release all of the files to the hacker. A file server can encrypt the files transparently and require passwords to access the files. Thus, I recommend that anyone with the wherewithal to do so set up and secure their own file server. A reliable small office network-attached storage (NAS) server can be had for less than $500.

Furthermore, the reaction from Dropbox is pretty galling. They simply do not see this as a security flaw. Basically, they contend that anytime a user has access to the files, all expectations of privacy go out the window. That is unsatisfactory because the Dropbox flaw allows a user to maintain access to the files even after his access to the computer is revoked and his passwords are changed. This directly contradicts the reasonable expectations of any user: once the password is changed and access to the work computer is denied, the logical conclusion is that any new files are not accessible to that disavowed user. If this is not the case, then this "feature" of Dropbox can only be considered a security flaw.

To mitigate the risks associated with this flaw, set up an encrypted TrueCrypt volume in Dropbox. The encryption used in TrueCrypt is block-level, which means that only the changed part of the volume file would need updating. This keeps the sync time of the TrueCrypt file low. Should the need arise, the password to the TrueCrypt volume can be changed quite easily, thus depriving the malicious user of continued access to the files. However, a malicious user can simply change the password in advance, thus locking out all other users. In the end, the best way to store files is to set up a file server. There just isn't a convenient cloud solution that does live syncing without security concerns.
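
The point about block-level encryption keeping sync time low can be shown with a small model. This is an added example, not code from this article, TrueCrypt, or Dropbox: it encrypts a volume sector by sector with a toy HMAC-based keystream (a stand-in for TrueCrypt's real cipher mode, not safe for actual use) and counts how many fixed-size sync chunks differ after a small edit. The sector size, chunk size, key, and function names are assumptions chosen for the demonstration.

```python
import hashlib
import hmac

SECTOR = 512        # bytes per encrypted sector (assumed for this demo)
SYNC_CHUNK = 4096   # bytes per sync chunk (constructed value, not Dropbox's)


def _keystream(key: bytes, sector_no: int, length: int) -> bytes:
    """Toy keystream bound to one sector number; illustrates locality only."""
    out, counter = b"", 0
    while len(out) < length:
        msg = sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_volume(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt every sector independently of its neighbours."""
    if len(plaintext) % SECTOR:
        raise ValueError("volume size must be a multiple of the sector size")
    out = bytearray()
    for off in range(0, len(plaintext), SECTOR):
        ks = _keystream(key, off // SECTOR, SECTOR)
        out += bytes(p ^ k for p, k in zip(plaintext[off:off + SECTOR], ks))
    return bytes(out)


def chunk_hashes(blob: bytes) -> list:
    """Hash each sync chunk, as a delta-syncing client would before uploading."""
    return [hashlib.sha256(blob[i:i + SYNC_CHUNK]).digest()
            for i in range(0, len(blob), SYNC_CHUNK)]


def changed_chunks(old: bytes, new: bytes) -> list:
    """Indexes of the chunks that differ and would need re-uploading."""
    pairs = zip(chunk_hashes(old), chunk_hashes(new))
    return [i for i, (a, b) in enumerate(pairs) if a != b]


def demo():
    key = hashlib.sha256(b"constructed demo key").digest()
    plain = bytearray(64 * 1024)                     # constructed 64 KiB volume
    before = encrypt_volume(key, bytes(plain))
    plain[10_000:10_020] = b"edited client memo.."   # 20-byte edit in one sector
    after = encrypt_volume(key, bytes(plain))
    return changed_chunks(before, after), len(chunk_hashes(after))
```

Calling `demo()` shows that a 20-byte edit inside the volume changes one of the 16 sync chunks, which is why only a small part of the container file has to be re-uploaded.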
