Apr 29 '13
Tags: internet, cloud, security

Dropbox is a free service that more than 100 million of us worldwide have used at least once.  It’s a quick and handy tool for sharing files with friends and colleagues.  The real beauty of Dropbox, however, is that it is free if you don’t require more than 2 GB of storage.  So that’s the good news.

Over the past year or so, Dropbox has endured several embarrassing security blunders, including leaving all accounts accessible for over 4 hours with no password required.  More recently, a list of user account email addresses was compromised, and many of their users were spammed mercilessly as a result.  So far, these incidents have resulted in little more than light public ridicule.

A bigger vulnerability, however, was recently disclosed, and it should prompt some serious second thoughts about allowing employees to use this service.  Jacob Williams, a digital forensic scientist for CSR Group, found a weakness in Dropbox’s synchronization process that allowed him to deliver infected documents through the sync client, with the capability of compromising entire networks of sensitive files.  The propagation mechanism for this type of attack is the synchronization feature built into the Dropbox tool itself.

Williams makes it clear that he is only the messenger.  Others have no doubt already discovered this vulnerability and are using it to gain access to corporate data around the world.  His advice is to disallow the use of Dropbox or similar synchronizing tools.  Any successful remedy would also remove most of the reasons that people use Dropbox in the first place.

This news underscores what we at Promethius have been saying for years: allowing users to synchronize files outside the company’s security measures is a mistake.  Once those files leave your secure environment, they can’t be retrieved.  This vulnerability, of course, takes the threat to a new level, because it can compromise all computers and/or files on the entire network.  Our ncommand SHARE solution does allow document synchronization, but our recommendation is to allow it only under very controlled circumstances.  Keeping centralized control is very important in any collaboration situation.

If you have any concerns about your collaboration software, please give Promethius a call at 317-733-2388.