May 14

What's the worst that could happen?

Spear phishing has been in the news quite a bit lately; it seems that just about all of the recent high-profile hacks began with someone clicking on a link or opening a document.  Here's a data point which seems to corroborate the innate sense of trust that leads people to do really stupid things.  According to an entry in Bruce Schneier's blog, in Istanbul, police dressed up as doctors and knocking on doors unannounced were able to persuade 86% of subjects to take a pill.  And this is after a rash of crimes in which people who were not police did exactly the same thing, using powerful sedatives to disable victims and ransack their homes.  My belief in knowledge of human psychology as the most powerful hacking tool remains strong.  Or maybe there is something in the water in Istanbul…

(Embedded video: They Might Be Giants – Istanbul (Not Constantinople), from They Might Be Giants on Vimeo.)

May 02

Cloud storage provider Dropbox provides a good example of the security issues that individuals and companies face when entrusting sensitive data to the cloud.  Over the past few weeks, Dropbox has made the news twice regarding its security, and we all know that making the news is generally not a good thing when it comes to security.

Dropbox's first issue came up in early April, when a security researcher named Derek Newton discovered a significant weakness in the service's authentication mechanism.  One of the primary benefits of Dropbox is that it allows the user to set up synchronized file systems across multiple devices.  When files are added to, modified on or deleted from any Dropbox-enabled computer, iPhone, iPad or other device, the changes are automatically replicated to all of the other devices associated with the user's account.  This is a really useful feature for many people.  In order for this file synchronization to work properly, you need to install a piece of software on each device used to access your account.  Newton found that the Windows Dropbox client stores the information needed to access the Dropbox server in a configuration file which contains a "host ID" used to authenticate to Dropbox.  Because that host ID is not tied to the machine it was issued to, it is effectively a bearer credential: simply by copying the file to another computer with the Dropbox software installed on it, an attacker would have full read/write access to the files in the Dropbox account, with no password required.

This opens up a whole range of possibilities for attackers.  For instance, it would be possible to write malware which specifically looks for the Dropbox configuration file and sends it back to the attacker.  Once an attacker has the configuration file, they would have continued access to the compromised Dropbox account even after the malware was removed from the user's computer, since cleaning the machine does nothing to invalidate the copied host ID.  To close the door on the attacker, the user would have to remove their own computer from the list of devices allowed to access their Dropbox account (which invalidates the host ID) and then reinstall the software to obtain a new one.

As of today, the vulnerability still exists… Dropbox plans to roll out a software update which would make the configuration file useless on a second machine, but has not provided a timeline for remediation.  I would recommend not using Dropbox until such a fix is made.
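To make the distinction concrete, here is a small simulation of the two designs discussed above: a sync client whose stored host ID is the entire credential, beside one whose credential is derived from a secret held on the machine and proven to the server with a challenge-response, so that a copied configuration file is useless elsewhere.  This is an added example written for this post; it is not Dropbox's code, and every name in it (SyncServer, Machine, link_bearer, auth_bound, steal_config) is a hypothetical stand-in rather than anything in the real client.

```python
import hashlib
import hmac
import secrets

# Constructed model of the weakness described above. Not Dropbox's code;
# the classes and method names are hypothetical.


class Machine:
    """A host running the sync client.

    machine_secret stands in for something bound to this particular install
    (e.g. a key held in the OS credential store) that is never written to the
    config file. config is what the client writes to disk.
    """

    def __init__(self, name):
        self.name = name
        self.machine_secret = secrets.token_bytes(32)
        self.config = {}


class SyncServer:
    def __init__(self):
        self.bearer_hosts = {}  # host_id -> account        (design A)
        self.bound_hosts = {}   # host_id -> (account, key) (design B)

    # ---- Design A: the host ID in the config file is the whole credential ----
    def link_bearer(self, machine, account):
        host_id = secrets.token_hex(16)
        self.bearer_hosts[host_id] = account
        machine.config = {"host_id": host_id}

    def auth_bearer(self, machine):
        # Whoever presents the host ID is the account owner.
        return self.bearer_hosts.get(machine.config.get("host_id"))

    # ---- Design B: host ID alone is useless; a per-machine key must be proven ----
    @staticmethod
    def _device_key(machine, host_id):
        # Derived on the client from a secret that is not in the config file.
        return hmac.new(machine.machine_secret, host_id.encode(), hashlib.sha256).digest()

    def link_bound(self, machine, account):
        host_id = secrets.token_hex(16)
        self.bound_hosts[host_id] = (account, self._device_key(machine, host_id))
        machine.config = {"host_id": host_id}  # same on-disk contents as design A

    def auth_bound(self, machine):
        host_id = machine.config.get("host_id")
        entry = self.bound_hosts.get(host_id)
        if entry is None:
            return None
        account, registered_key = entry
        challenge = secrets.token_bytes(32)
        # Client proves possession of the device key without transmitting it.
        proof = hmac.new(self._device_key(machine, host_id), challenge, hashlib.sha256).digest()
        expected = hmac.new(registered_key, challenge, hashlib.sha256).digest()
        return account if hmac.compare_digest(proof, expected) else None

    def unlink(self, host_id):
        # What the user does when removing a device from the account.
        self.bearer_hosts.pop(host_id, None)
        self.bound_hosts.pop(host_id, None)


def steal_config(victim, attacker):
    """What the hypothetical malware does: copy the config file to another box."""
    attacker.config = dict(victim.config)


def demo():
    server = SyncServer()
    victim, attacker = Machine("victim-laptop"), Machine("attacker-box")

    server.link_bearer(victim, "alice")
    steal_config(victim, attacker)
    bearer_result = server.auth_bearer(attacker)  # "alice": the stolen file works

    server.link_bound(victim, "alice")
    steal_config(victim, attacker)
    bound_result = server.auth_bound(attacker)    # None: wrong machine secret
    owner_result = server.auth_bound(victim)      # "alice": legitimate machine still works

    server.unlink(victim.config["host_id"])
    after_unlink = server.auth_bound(victim)      # None: host ID revoked
    return bearer_result, bound_result, owner_result, after_unlink


if __name__ == "__main__":
    print(demo())
```

Note the limit of design B: malware running on the victim's machine can still drive the real client (or read the machine secret), so binding the credential only defeats the copy-the-file attack and the lingering access after cleanup, not a live compromise.  Unlinking the device on the server side remains the one step that actually revokes a host ID, under either design.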

Dropbox also made the news for a change in its terms of service.  The original terms of service assured users that, since their files were stored in encrypted form on the Dropbox servers, Dropbox employees could not peek into their data.  Well, it turns out that this is not exactly the case.  A "limited number" of Dropbox employees do, in fact, have the ability to decrypt user files in order to comply with law enforcement requests for data in connection with an investigation.  Now, I understand that Dropbox wants to be a good corporate citizen, but there is a significant distinction between "our employees can't read your data" and "only some of our employees can read your data."  I applaud Dropbox for making its terms of service clearer (and more accurate), but this incident (and the reaction from Dropbox users) is an example of one of the major problems facing users and organizations when they make the decision to move their data to the cloud.

The problem is twofold: customers don't know the right questions to ask, and vendors just don't seem to understand that users require security for their cloud data, even if they cannot exactly describe what security measures they are looking for.  A recent Ponemon survey on cloud computing providers' views of the security of their services showed that among survey respondents (who we can assume are amongst the more security-aware providers), vendors had the least confidence regarding some important security features of their services, such as:

  • Their ability to authenticate users before granting access
  • Their ability to prevent or curtail external attacks
  • Their ability to encrypt sensitive or confidential information assets whenever feasible
  • Their ability to determine the root cause of cyber attacks

It is clear to me that many individuals and businesses are rushing in to take advantage of the cost advantages and convenience of cloud computing without knowing how safe or unsafe their information is while it rests in the cloud.  The efforts of organizations like the Cloud Security Alliance to develop baseline language, best practices and assessment tools are a step in the right direction, but the road to cloud security is still foggy and treacherous.

Apr 12

Each Tuesday morning, the New York Metro InfraGard Members Alliance runs an excellent live webcast on all sorts of security topics from 9 AM to Noon NYC time.  On any given week, tuning in to IGtv will provide you with information on subjects ranging from information security to physical security to counter-terrorism.  I am a regular contributor to the program, talking about hacks and attacks.  This morning, I spoke about the recent Epsilon data breach as well as some tools for checking out potential malware; the video below is about 18 minutes long.

Links mentioned in this talk:

VirusTotal

Wepawet

PDF Examiner

Comodo Instant Malware Analysis

Cuckoo

Sandboxie

You can see more videos from IGtv on YouTube.
