Saturday, June 4, 2011

Dropbox Drops the Ball on Security?

by David Scott,

Uh oh – a report regarding Dropbox and security has me, and many others, concerned. I use Dropbox for personal as well as business purposes.

First, for the uninitiated: Dropbox is a handy, free service that lets users share files quickly and efficiently. In fact it’s almost too easy. Think of it as storage in The Cloud plus synchronization of content between authorized parties.

In most cases, one simply opens Dropbox by double-clicking its icon, and it opens in an Explorer window. On the left is your computer’s directory tree, with the Dropbox folder expanded. On the right are the folders and files within Dropbox.

Sharing is simple and straightforward – drag-and-drop a file into one of Dropbox’s subfolders, and every person in the share network for that folder has access to that file within seconds. You can also copy-and-paste files.

As in any endeavor, security reigns supreme. In the course of my own consulting, I have to advise clients who are working on sensitive material under what is known as an Obligation of Confidentiality; thus the potential for exposures – breaches – simply cannot be tolerated.

So, where does the problem lie? According to Christopher Soghoian, security researcher, University of Indiana Ph.D., and former Federal Trade Commission researcher, Dropbox has actively deceived users about its level of encryption. According to Mr. Soghoian, Dropbox does encrypt all files; however, because Dropbox does the encrypting, it also stores the keys used for both encrypting and decrypting. By holding those keys, Dropbox, and by extension its employees, has the ability and means to decrypt files. Because insiders can reverse the encryption, this marks a violation of industry best practice.

Soghoian writes that the company is not being forthright about this liability; if all of this is true, it represents a misrepresentation of Dropbox’s service, given the diminished security posture.

Mr. Soghoian also writes, "Dropbox has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data. Dropbox's customers face an increased risk of data breach and identity theft because their data is not encrypted."

Whether or not it is true, it is clearly Soghoian’s opinion that Dropbox has violated Section 5 of the Federal Trade Commission Act through deception.

There is a “workaround” of sorts for any potential Dropbox encryption liabilities: encrypt your files yourself, prior to the “drop.” However, be aware that other users who are authorized to share those files must have the means to decrypt them on their own devices, whether PC, Mac, or mobile.
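The “encrypt before you drop” workaround, as an added example that is not part of the original post and not Dropbox’s own code: in Go, the file is sealed with AES-256-GCM under a key the user generates and keeps outside the synced folder, so the provider only ever holds ciphertext and an insider with server-side keys gains nothing. Whoever you share the folder with must receive that key over some channel other than Dropbox itself. The function names, the sample file name and contents, and the demo key are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256; other lengths are rejected
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // authenticated encryption: any tampering is detected on Open
}

// Seal encrypts file contents before they go into the synced folder. The file name
// is bound as associated data, so a blob cannot be quietly renamed to stand in for
// another file. Output layout: nonce || ciphertext+tag.
func Seal(key []byte, name string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce for every file
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open is what a recipient who was given the key out of band runs after sync;
// without the key (the provider's position) it yields only an authentication error.
func Open(key []byte, name string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("blob is %d bytes, too short to hold a nonce", len(blob))
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], []byte(name))
}

func main() {
	key := []byte("constructed-demo-key-32-bytes!!!") // real key: crypto/rand, kept off the synced folder
	blob, _ := Seal(key, "contract.docx", []byte("constructed sample contents"))
	_, err := Open(make([]byte, 32), "contract.docx", blob) // provider's view: no key
	fmt.Printf("%d-byte blob synced; decrypt without the key: %v\n", len(blob), err)
}
```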

Stay safe out there.

NP: You Go to my Head, Art Pepper -
