Posts

After Dropbox Breach, Is It Safe to Use? (Snowden Would Say No)


Did Edward Snowden Actually Comment on the Dropbox Breach? No.

Almost as fast as every media source out there could jump on the “Yet Another Breach” bandwagon and report that Dropbox had been hacked, the company was denying it. So let’s play a little game of true or false to try to sort out fact from fiction:

Statement: Hackers were able to access logins and passwords of Dropbox users and then leaked 400 account passwords and usernames on to the site Pastebin.

True.

Statement: The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the Internet, including Dropbox.

True. (In fact that is a direct quote from the Dropbox blog of October 13, 2014 in which they bluntly proclaim “Dropbox wasn’t hacked”.)

Statement: The post also threatened that 6.9 million further Dropbox account details had been obtained, including photos, videos and other files, which they were prepared to leak for Bitcoins.

True. What is unclear is whether or not they have any valid data. There have been a few more pastes of credentials, but they do not appear to be genuine. Also, Dropbox claims, “We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.”

Statement: Edward Snowden thinks we should stop using Dropbox because of the breach.

False. Okay, this was a trick question. Snowden does think we shouldn’t use Dropbox, BUT he stated that long before the “breach” made the news. Instead, he said that those who care about their privacy should “get rid of Dropbox” because he considers it “hostile to privacy,” saying it doesn’t support encryption. Again, Dropbox responded to his comments in a June 2014 post, stating, “All files sent and retrieved from Dropbox are encrypted while traveling between you and our servers,” as well as when they’re “at rest on our servers.”

For Snowden, who urges people to consider an alternative like SpiderOak, the difference is that SpiderOak encrypts the data while it’s still on your computer, as opposed to only encrypting it “in transit” and on the company’s servers. I have to agree that this is a more secure form of file storage, and so, as with everything cyber-security related, it is a matter of degrees.
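To make that "matter of degrees" concrete, here is an added example (written for this page, not code from the post, Dropbox or SpiderOak) that models the three designs just described: encryption only in transit, encryption at rest with the provider holding the key, and client-side encryption where the provider never sees the key. The toy cipher (HMAC-SHA256 in counter mode plus an HMAC tag), the `Provider` class, the design names and the file name are all constructed for the example; TLS is assumed rather than modelled. The question the code answers is what someone who logs in with stolen credentials, or who walks off with the provider's whole backend, gets to read.

```python
import hashlib
import hmac
import os

# Constructed, simplified authenticated stream cipher: HMAC-SHA256 in counter
# mode for the keystream, a second HMAC for integrity. It exists only to keep
# this example dependency-free; real clients use AES-GCM or similar.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

class Provider:
    """Hypothetical storage provider. It stores whatever the client uploads;
    if it encrypts at rest, it necessarily also holds the key it uses."""
    def __init__(self, encrypts_at_rest: bool):
        self.at_rest_key = os.urandom(32) if encrypts_at_rest else None
        self.store = {}

    def put(self, name: str, data: bytes) -> None:
        self.store[name] = encrypt(self.at_rest_key, data) if self.at_rest_key else data

    def get(self, name: str) -> bytes:
        blob = self.store[name]
        return decrypt(self.at_rest_key, blob) if self.at_rest_key else blob

DESIGNS = ("transit_only", "provider_at_rest", "client_side")

def upload(design: str, plaintext: bytes):
    """Return (provider, client_key). Only client_side encrypts before upload."""
    provider = Provider(encrypts_at_rest=(design == "provider_at_rest"))
    client_key = os.urandom(32) if design == "client_side" else None
    data = encrypt(client_key, plaintext) if client_key else plaintext
    provider.put("notes.txt", data)
    return provider, client_key

def owner_can_read(design: str, plaintext: bytes) -> bool:
    """The legitimate owner, who holds the client key when there is one."""
    provider, client_key = upload(design, plaintext)
    data = provider.get("notes.txt")
    if client_key:
        data = decrypt(client_key, data)
    return data == plaintext

def compromise_reveals_plaintext(design: str, plaintext: bytes) -> bool:
    """Someone with the account credentials, or with the provider's whole
    backend including its keys, fetches the file through the provider's own
    path. Only the client-side design leaves them with ciphertext."""
    provider, _client_key = upload(design, plaintext)
    return provider.get("notes.txt") == plaintext

if __name__ == "__main__":
    sample = b"constructed sample document"
    for design in DESIGNS:
        print(f"{design:17} owner reads: {owner_can_read(design, sample)}  "
              f"compromise reads: {compromise_reveals_plaintext(design, sample)}")
```

The point the table makes is the one in the paragraph above: encryption in transit and at rest protects against eavesdroppers and against someone stealing raw disks, but a stolen password (the actual mechanism in the Dropbox story) walks in through the provider's front door, where the provider decrypts on the user's behalf. Only the design in which the key never leaves the client survives that.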

Ask yourself three questions to determine what’s the right storage solution for you:

  1. Are the files you store in the cloud (e.g. Dropbox) ones that wouldn’t cause you to lose sleep if they were made public? If so, then Dropbox is a good solution. That said, you MUST enable two-factor authentication on the service to keep it as protected as possible.
  2. Are the files sensitive enough that you’d still like a cloud-based solution for convenience sake, but need more security? Then a service like SpiderOak might be right for you. There are many other options out there of varying security levels.
  3. If the files you store in the cloud (e.g., Dropbox) were to be hacked, would the damage be irreparable? If so, DON’T STORE THESE PARTICULAR FILES IN THE CLOUD! Instead, store them on servers that you own, control and constantly monitor. If the files are that confidential, disconnect the server they are stored on from the internet. Then again, that isn’t practical for most situations.

Final Statement: Password re-use is the real culprit in this supposed Dropbox breach.

TRUE, TRUE, TRUE! Remember, even if Dropbox wasn’t technically hacked, the final result is that user accounts have been compromised, and that is something we can’t continue to ignore. I can’t stress enough how important it is to use a strong password and even better, to use a strong password manager, like 1Password. And, as mentioned above, 2-Step Verification is a MUST for all but the most casual Dropbox users.
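What the "suspicious login activity" detection Dropbox describes looks like in practice, as an added example written for this page (not Dropbox's own code and not from the post): one source replaying credentials stolen elsewhere tries many different usernames in a short window, most of them fail, and any that succeed are exactly the re-used passwords that should be force-reset. The log format, the addresses, the usernames and the thresholds are constructed for the example; a single user mistyping their own password from one address is deliberately included and is not flagged.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-audit lines (format, addresses and names invented here).
# 203.0.113.7 walks a stolen credential list across seven accounts in ten
# seconds; 198.51.100.20 is one user mistyping once and then succeeding.
SAMPLE_LOG = """\
2014-10-13T22:00:01Z ip=203.0.113.7 user=alice result=fail
2014-10-13T22:00:03Z ip=203.0.113.7 user=bob result=fail
2014-10-13T22:00:04Z ip=203.0.113.7 user=carol result=ok
2014-10-13T22:00:06Z ip=203.0.113.7 user=dave result=fail
2014-10-13T22:00:08Z ip=203.0.113.7 user=erin result=fail
2014-10-13T22:00:09Z ip=203.0.113.7 user=frank result=ok
2014-10-13T22:00:11Z ip=203.0.113.7 user=grace result=fail
2014-10-13T22:05:00Z ip=198.51.100.20 user=alice result=fail
2014-10-13T22:05:30Z ip=198.51.100.20 user=alice result=ok
2014-10-13T22:10:00Z ip=192.0.2.9 user=bob result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

def parse_log(text: str) -> list:
    """Parse audit lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "ok",
        })
    return events

def find_credential_stuffing(events: list, window=timedelta(minutes=10),
                             min_distinct_users=5, min_fail_ratio=0.5) -> dict:
    """Return {ip: [accounts that logged in successfully from a flagged source]}.
    A source is flagged when, inside one sliding window, it attempted at least
    min_distinct_users different accounts and most of those attempts failed."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            distinct_users = {e["user"] for e in span}
            fail_ratio = sum(not e["ok"] for e in span) / len(span)
            if len(distinct_users) >= min_distinct_users and fail_ratio >= min_fail_ratio:
                hits = {e["user"] for e in span if e["ok"]}
                flagged[ip] = sorted(set(flagged.get(ip, [])) | hits)
    return flagged

def accounts_to_reset(log_text: str) -> list:
    """Accounts whose password must be force-reset: every successful login
    from a source showing the stuffing pattern is a re-used password."""
    flagged = find_credential_stuffing(parse_log(log_text))
    return sorted({u for users in flagged.values() for u in users})

if __name__ == "__main__":
    for ip, users in find_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: credential-stuffing pattern, reset {', '.join(users) or 'nothing'}")
    print("force reset:", accounts_to_reset(SAMPLE_LOG))
```

The thresholds are the part a real deployment tunes: a shared office NAT will legitimately show several users behind one address, so the failure ratio matters as much as the user count, and two-step verification is what keeps a "hit" from turning into an account takeover while the reset is pending.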

How is your organization using the cloud?

John Sileo delivers keynote speeches on cyber security, identity theft, internet privacy and social engineering. He specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly at 800.258.8076.

Keeping Grounded When the Surveillance Accusations Start to Fly


I’m in the business of encouraging people to keep their guard up. I’m always telling people to watch for signs of something that doesn’t feel quite right, take precautionary measures, and stay informed. But even I have to question the tactics some are recommending when it comes to reacting to the NSA PRISM surveillance program leaked by Edward Snowden. In a previous post on this topic, I said it isn’t a black or white argument, but some people are asking you to make it one.

Best-selling author, technology expert and Columbia Law School professor, Tim Wu, has said that web users have a responsibility to quit Internet companies like Google, Facebook, Apple, Yahoo and Skype if it is indeed verified that they have been collaborating with the NSA.  In fact, Wu bluntly proclaimed, “Quit Facebook and use another search engine. It’s simple.  It’s nice to keep in touch with your friends. But I think if you find out if it’s true that these companies are involved in these surveillance programs you should just quit.”  Wu acknowledged that there is still much to learn about this program and admitted it was no surprise that PRISM exists, saying, “When you have enormous concentrations of data in a few hands, spying becomes very easy.”

Of course, the companies in question vehemently deny such complicit cooperation. Google CEO Larry Page stated, “any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.” Facebook CEO Mark Zuckerberg said reports of Facebook’s involvement are “outrageous,” adding “Facebook is not and has never been part of any program to give the U.S. or any other government direct access to our servers.” Yahoo’s Ron Bell stated, “The notion that Yahoo! gives any federal agency vast or unfettered access to our users’ records is categorically false.” Similar statements were issued by spokespersons for Apple, Microsoft and others accused of complying.

To add fuel to the fire of this debate, top US intelligence officials have stepped forth with their own comments.  US Director of National Intelligence James Clapper asserts the National Security Agency’s PRISM program is “not an undisclosed collection or data mining program” but instead “an internal government computer system used to facilitate the government’s statutorily authorized collection of foreign intelligence information.”

In addition, claims that the sweeping surveillance programs have prevented multiple attacks keep swelling.  Immediately following the leak, House Intelligence Committee Chairman Mike Rogers cited one attack that he said was thwarted by the program, but would not give specifics.  Since that time, however, there have been dozens of reports of foiled terrorist attempts, from a plot to bomb the New York Stock Exchange to an attack against the New York subway system, that were prevented because of the surveillance.  Army Gen. Keith Alexander, director of the National Security Agency, said more than 50 attacks have been averted.  Alexander also stated that Snowden’s leaks have caused “irreversible and significant damage to this nation” and undermined the U.S. relationship with allies.

No doubt, the debate over the propriety, as well as the effect, of Snowden’s actions will rage on for some time.  There will be others who recommend and take drastic actions, such as quitting the Internet giants, for fear of their safety and/or privacy.  The key is to keep cool, find the facts and then NOT forget. The biggest risk is that our discomfort will be forgotten in a week when the next big topic arises. You can take the reasonable steps of doing your research, acting in calculated moderation and following through on what YOU feel is important.

John Sileo is a keynote speaker and CEO of The Sileo Group, a privacy think tank that trains organizations to harness the power of their digital footprint. Sileo’s clients include the Pentagon, Visa, Homeland Security and businesses looking to protect the information that makes them profitable.

Snowden chills in Hong Kong as we boil like frogs in a stew of NSA surveillance


Do you value national security? Do you want to live free of fear from random terrorist acts like the Boston Marathon bombing? Do you value your privacy? Should you be allowed to act in legal ways without others (namely, the government) digitally eavesdropping on your secrets?

A former data spy is asking us to decide where we stand on the spectrum separating security and privacy. Edward Snowden, 29, a former contractor to the National Security Agency (the guys and gals in charge of wire-tapping phones and internet traffic) and an employee of the CIA, leaked classified documents to reporters about two far-reaching U.S. surveillance programs. Fearing government reprisal, Snowden is hiding in Hong Kong, a country he believes has “a spirited commitment to free speech and the right of political dissent”.

Here’s what happened. Snowden provided reporters at The Guardian and The Washington Post with top-secret documents detailing two NSA surveillance programs being carried out by the U.S. Government, all without the average voter’s knowledge. One gathers hundreds of millions of U.S. phone records and the second allows the government to access nine U.S. Internet companies to gather all domestic Internet usage (your phone calls and emails, in other words). The intent of each program respectively is to use metadata (information about the numbers being called, length of call, etc., but not the conversation itself, as far as we know) to detect links to known terrorist targets abroad and to detect suspicious behavior (by monitoring emails, texts, social media posts, instant messaging, chat rooms, etc.) that begins overseas.

In other words, close to 100% of our phone calls and internet communications are being digitally sniffed, even if we are innocent, to expose the .01% of terrorists among us. The means (ubiquitous digital surveillance) don’t seem to justify the ends (less terrorism), UNLESS it’s your child or spouse that dies in a 9/11 attack, and then you tend to fall on the side of national security while privacy seems little more than a luxury.

I’m simply saying that this isn’t a black or white argument. The right answer lies in the gray area between security and privacy – a place where checks and balances, bi-partisan oversight and transparency keep our leaders from overstepping the line that divides the highly effective from the clearly unethical.

The decision to go public on Snowden’s part came after many years of deliberation because he felt an obligation to inform the public of “the greatest danger to our freedom and way of life.”  While Director of National Intelligence James Clapper counters that they do not target U.S. citizens, Snowden maintains that there is still a good chance the system will be abused. He states, “Even if you’re not doing anything wrong, you’re being watched and recorded. You simply have to eventually fall under suspicion from somebody, even by a wrong call, and then they can use the system to go back in time and scrutinize every decision you’ve ever made, every friend you’ve ever discussed something with.” In other words, if we don’t control the degree to which our private information is now collected in small, apparently insignificant pieces, the surveillance stew will have parboiled our privacy before we fully recognize what has happened.

Snowden’s actions have put the Obama administration into defensive mode, having to justify the legal grounds for secret phone snooping and data mining. Chief White House correspondent Major Garrett said, “…the White House has had to admit a politically and tactically startling truth: It conducts more surveillance than the Bush White House.”

House Republican leader Rep. Eric Cantor, acknowledging that the NSA programs, as set up, were legal, said that an investigation this week on Capitol Hill into the NSA programs “will be very serious, obviously. We’ll be dealing with a balance between national security and safeguarding our civil liberties.”

Snowden has stated that he will not hide despite the fact that the government could charge him with treason and he may face years in prison for his actions. He is even aware there could be threats to his life, stating that he will be “made to suffer for my actions, and that the return of this information to the public marks my end”. He is hopeful Hong Kong will refuse to extradite him, and he will “ask for asylum from any countries that believe in free speech and oppose the victimization of global privacy.”

At the risk of boiling a cliché to death, is Snowden a traitor, or just a sacrificial frog willing to take the heat on our behalf?
