LAWYER ALERT – Alleged Dropbox Security Issues and New Fix

In a previous post, I sang the praises of Dropbox as a file transfer application for the iPad and discussed the application developer’s security representations. See http://hytechlawyer.com/?p=49

Dropbox allows the user to put a file into the Dropbox on one device (PC, Mac, iPad, iPhone, Blackberry, etc.), and the document is automatically synced to “the cloud” and can then be accessed on the user’s other devices that also have Dropbox installed. This functionality is especially useful for iPad users, who have few file transfer options. For this reason, many applications rely upon Dropbox as their file transfer conduit.

Dropbox is now reported to have over 25 million users worldwide. The application is also on almost every “Best Application for Lawyers” list. So many in the legal tech arena became concerned when security expert Derek Newton recently exposed a vulnerability that could theoretically allow hackers to invisibly access users’ Dropbox accounts. See Dropbox: authentication: insecure by design, http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/

Newton observed that to gain access to the victim’s Dropbox files, a hacker need only obtain the Dropbox configuration file from the victim’s computer. This file contains a unique value called “host_id” (think of it as the key to the account) that gets generated when the computer is first linked with a Dropbox account. The value is not system-dependent, meaning it’s not tied to a particular computer or configuration. Thus, if a hacker can obtain this “key” by getting physical access to an unsecured computer or by use of a virus designed to exploit this vulnerability, they could use the key on another computer equipped with Dropbox to download the files in the victim’s Dropbox.
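To illustrate why a host_id that is not tied to a machine behaves like a portable key, here is an added example (not code from Dropbox, Newton, or this post) that models a server accepting the stored value alone next to a hypothetical variant that also requires proof of a key held outside the configuration file. All class and function names are assumptions, the challenge-response scheme is one possible design and not a description of Dropbox's fix, and the nonce is supplied by the caller for brevity.

```python
import hashlib
import hmac
import secrets


class StaticTokenServer:
    """Model of the reported design: the host_id alone authenticates a client."""
    def __init__(self):
        self.linked = {}  # host_id -> account

    def link(self, account):
        host_id = secrets.token_hex(16)  # the value stored in the client's config file
        self.linked[host_id] = account
        return host_id

    def authenticate(self, host_id):
        return self.linked.get(host_id)  # no check of which machine is asking


class DeviceBoundServer:
    """Hypothetical alternative: host_id plus proof of a key kept outside the config file."""
    def __init__(self):
        self.linked = {}  # host_id -> (account, device_key)

    def link(self, account, device_key):
        host_id = secrets.token_hex(16)
        self.linked[host_id] = (account, device_key)
        return host_id

    def authenticate(self, host_id, nonce, proof):
        account, device_key = self.linked.get(host_id, (None, b""))
        expected = hmac.new(device_key, nonce, hashlib.sha256).digest()
        return account if hmac.compare_digest(expected, proof) else None


def prove(device_key, nonce):
    """Client side: answer the server's fresh nonce using the device-held key."""
    return hmac.new(device_key, nonce, hashlib.sha256).digest()


def copied_config_outcomes(account="user@example.test"):
    """Present a copied host_id from a second machine to both models (constructed data)."""
    static = StaticTokenServer()
    static_result = static.authenticate(static.link(account))
    bound, real_key = DeviceBoundServer(), secrets.token_bytes(32)  # key assumed non-exportable
    host_id, nonce = bound.link(account, real_key), secrets.token_bytes(16)
    wrong_key = secrets.token_bytes(32)  # the second machine cannot read real_key
    second = bound.authenticate(host_id, nonce, prove(wrong_key, nonce))
    original = bound.authenticate(host_id, nonce, prove(real_key, nonce))
    return static_result, second, original
```

The binding only helps to the extent the device key is harder to read than the configuration file, for example when it is held in an operating-system keystore or hardware module.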

Dropbox responded to Newton’s observations stating:

“[W]e don’t agree with the assertion that there is a security flaw – dropbox is a perfectly safe place to store sensitive data. the article claims that an attacker would be able to gain access to a user’s dropbox account if they are able to get physical access to the user’s computer.

In reality, at the point an attacker has physical access to a computer, the security battle is already lost. the research claims dropbox is insecure because it is possible to copy authentication information straight from the user’s hard drive. this ‘flaw’ exists with any service that uses cookies for authentication (practically every web service 🙂 cookies are stored on your hard drive and are susceptible to all the same attacks mentioned by the research (i.e. a virus could steal your cookies and gain access to all your web services).

There are measures that can be taken to make it more difficult (though not impossible) to gain access to the authentication cookie which we’ll consider in the future. that said, dropbox isn’t any less secure than other web service.”

To their credit, the programmers at Dropbox have quickly followed up on their promise to enhance security. Dropbox has just released a new test version of its client for Windows, Mac and Linux that reportedly fixes the security issue described above. You can download the current version of this fix from https://www.dropbox.com/. A file backup is recommended before installation. Early reports are that this fix is stable, but it does appear that functionality with some applications has been impaired. These applications will need to be updated to address the security changes. You can follow the discussion regarding the fixes at http://forums.dropbox.com/topic.php?id=37911. Hopefully this addresses the problem for this important application.


Comments

  1. Pingback: Use of Dropbox by Lawyers is Risky Business—Ethical Issue | The Hytech Lawyer

  2. I’m impressed, I have to say. Really not often do I encounter a weblog that’s each educative and entertaining, and let me tell you, you’ve gotten hit the nail on the head. Your thought is excellent; the issue is something that not sufficient persons are talking intelligently about. I am very comfortable that I stumbled throughout this in my search for one thing referring to this.

  3. My issues with DB concern the exposure of personally identifiable information. This doesn’t just extend to exposing this information to the general public but even to people within Dropbox itself. I work at a large county government office and constituent records are held as a mandate and responsibility. I have read the Acceptable Use agreement for Dropbox and I am stunned that any lawyer would keep confidential data on this website. While they have “asked” their employees not to look at the data, can you imagine one of their employees scanning data and finding a lawyer’s notes, especially on a high-publicity trial? The fact is that none of these cloud companies have signed ANY non-disclosure agreement with the entity I work for and I doubt that any employees/administrators have signed any non-disclosure agreements with anyone. They also respond to subpoenas and can decrypt and hand over your data. If the data belongs to its proper owner, they should not be allowed to do that. Suppose that a district attorney has case data on there and a member of the defense team could get a court order to release the information.

    Now, if you want to see a really unacceptable AUA, just look at the Terms of Service for Google (Google Docs). They claim that they own your data, can read it, modify it and do anything they please with it. What lawyer would want case data available to the general public by a Google search?

    I agree with Gartner that, while extremely convenient, there will be a long way to go before iPads and online storage is considered secure enough to store constituent PII.

    IMHO.
