Last week's admission by Dropbox showed a fallibility in one of the most talked-about consumer products to impact the enterprise.
Dropbox's vice president of engineering Aditya Agarwal said that its investigation found that usernames and passwords, recently stolen from other websites, were used to sign in to a small number of Dropbox accounts.
Agarwal said: “A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again.”
It's an age-old story when it comes to password re-use. Garry Sidaway, global director of security strategy at Integralis, said that the breach highlights not only this issue, but also that sensitive corporate data is now beyond the corporate boundary.
He said: “[There is an] increasing demand to make our passwords more and more complex in an attempt to ensure that they are not easily guessed. Whilst the threat is against our corporate infrastructure, the initial target is you the employee.
“With the ever increasing obsession with sharing our lives and our thoughts, social engineering or more accurately social interaction (as it takes very little effort to gather a wealth of information about an individual), is the initial starting point of an attack. This information is then used to make the attack targeted and focused. Because of the increasing complexity it's easy to see why individuals use the same ‘complex’ password for multiple sites.”
Likewise, Grant Taylor, vice president of Europe at Cryptzone, said that this is a ‘wake-up-and-smell-the-coffee’ moment for IT security professionals, as it shows the need to also keep passwords separate for work and personal internet activities.
A recent study by Experian found that internet users in the UK have, on average, 26 different email accounts. Brian Spector, CEO of CertiVox, writing for IT Times said that if you can contrast a combination of the username and password then you have a good chance of scoring several of the others.
“As the Dropbox debacle appears to have shown, it only takes one of those compromised users to be ‘in the trade’ and using the same username and password for both professional and private purposes to create the perfect storm that can give hackers corporate-level access to something much, much bigger,” he said.
Sidaway said: “Whilst we may use a complex password for online data storage, using that same password to order flowers for our mum from a site we may use only once is not a good practice. Putting corporate emails and personal information in the cloud unencrypted is also not good practice and individuals need to be aware of this. Information, no matter where it is obtained can and will be used against you.”
If we are managing 26 username and password combinations, it is no surprise that this happened. I suspect that in most cases the username is simply an email address, so the password is the ongoing security issue; it can be resolved, but only if the application commits to both security and usability.
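One application-side control that addresses exactly the failure described in this article, a password already stolen from another site being accepted and then reused, is to refuse passwords that appear in known breach corpora at signup and password-change time, and to store what is accepted with a per-account salt so a dump of one service cannot be matched directly against another. The following is an added example written for this page; it is not Dropbox's code nor that of any vendor quoted above. The three "leaked" passwords and the corpus are constructed for the example, and the `range_lookup` function is an assumption standing in for a real k-anonymity range API (only a 5-character hash prefix leaves the client).

```python
"""Added example: reject breach-listed passwords and store accepted ones safely."""
import hashlib
import hmac
import os
from typing import Optional, Set, Tuple

# Constructed sample corpus: SHA-1 digests of passwords assumed to have appeared in
# earlier breaches. A real deployment would load millions of these from a breach
# corpus or query a range API; these three strings are made up for the example.
_CONSTRUCTED_LEAKED = ["password1", "letmein", "Summer2012"]
LEAKED_SHA1: Set[str] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _CONSTRUCTED_LEAKED
}

PREFIX_LEN = 5  # k-anonymity: only the first 5 hex chars of the hash are looked up


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def range_lookup(prefix: str, corpus: Set[str] = LEAKED_SHA1) -> Set[str]:
    """Assumed stand-in for a remote breach-corpus range query: given a prefix,
    return every matching hash suffix. The lookup service learns only the prefix,
    never the full hash or the password."""
    return {h[PREFIX_LEN:] for h in corpus if h.startswith(prefix)}


def is_known_compromised(password: str, corpus: Set[str] = LEAKED_SHA1) -> bool:
    """True if the password's full hash is in the corpus, matched client-side."""
    prefix, suffix = split_hash(password)
    return suffix in range_lookup(prefix, corpus)


def hash_for_storage(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-account random salt + PBKDF2-HMAC-SHA256. The same password reused on
    two services therefore yields unrelated stored values, so an offline dump of
    one service's database cannot be matched directly against another's."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, dk


def verify_stored(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison of a login attempt against the stored hash."""
    _, dk = hash_for_storage(password, salt)
    return hmac.compare_digest(dk, expected)


def register(password: str, min_length: int = 8) -> dict:
    """Signup / password-change gate: reject short or breach-listed passwords,
    otherwise return the salt and hash to persist (hex-encoded)."""
    if len(password) < min_length:
        return {"accepted": False, "reason": "too short"}
    if is_known_compromised(password):
        return {"accepted": False, "reason": "appears in a known breach corpus"}
    salt, dk = hash_for_storage(password)
    return {"accepted": True, "salt": salt.hex(), "hash": dk.hex()}


if __name__ == "__main__":
    for candidate in ["Summer2012", "correct horse battery staple"]:
        print(candidate, "->", register(candidate))
```

Note that this blocks the offline reuse path only. The Dropbox incident as described was an online one (valid credentials from another site typed into a login form), and against that the breach-corpus check helps only to the extent that the stolen password was already circulating in a public dump at the time the user chose it; the separate-passwords advice in the article still stands.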
As for Dropbox, its response was very genuine and its move to introduce security options will be welcomed by its users and more importantly, by security managers.