The Green Sheet Online Edition

September 26, 2016  •  Issue 16:09:02


Security analysts question Dropbox's response to hack

The security community has been sharply critical of Dropbox for not sharing pertinent details of a massive security breach initially reported in 2012. The system-wide hack of the cloud-storage firm could potentially impact up to 68 million subscribers; security experts have warned consumers and business owners to update passwords and keep a close watch on payment and online activity.

"Our security teams are always watching out for new threats to our users," wrote Dropbox representatives in a statement to the press. "As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time."

It is unclear whether Dropbox failed to fully assess damages related to the breach or deliberately withheld information. An Oct. 13, 2014, blog post on the company's website stated, "Recent news articles claiming that Dropbox was hacked aren't true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the Internet, including Dropbox. We have measures in place to detect suspicious login activity, and we automatically reset passwords when it happens."

Remedial actions, protections

Despite its nonchalance in reacting to the cyberattack, Dropbox has consistently promoted its two-step authentication process and has repeatedly warned against reusing passwords "across services." Payments and security analysts have called these efforts too little, too late.

"The Dropbox hack is gathering a great deal of attention now that Dropbox has formally recognized the breach," said John Wethington, Vice President Americas at Ground Labs Pte. Ltd., an international security company. "Sadly, this data is over four years old but still dangerous due to its scale and the fact that 50 percent of the passwords were encrypted with a relatively weak hashing algorithm."

Wethington called the issue a reminder that no one is immune from security breaches. "Even a four-year-old breach can come back to haunt you as a vendor or customer," he said. "It's time that vendors began taking data security seriously as a business as usual practice and not an afterthought." Cloud storage users must protect their sensitive data by regularly changing passwords and not using the same passwords on multiple websites, he added.

Change passwords, add salt

A number of independent security analysts have confirmed the Dropbox breach, comparing it to recent episodes at LinkedIn, MySpace, Tumblr and VK.com. Joseph Cox, Contributing Writer at Motherboard, reported that as many as 32 million of the Dropbox passwords use the hashing method bcrypt, which makes passwords indecipherable to unauthorized users. "These hashes seem to have also used a salt; that is, a random string added to the password hashing process to strengthen them," he wrote. "Dropbox has changed its password hashing practices several times since 2012, in order to keep passwords secure."

Cox and other security analysts have seen a marked difference between bcrypt and older hashing methods such as SHA1. "Only half the accounts get the 'good' algorithm, but here's the rub: the bcrypt accounts include the salt whilst the SHA1 accounts don't," wrote security expert Troy Hunt. "It's just as well because it would be a far more trivial exercise to crack the older algorithm but without the salts, it's near impossible."
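The difference between the two kinds of record described above can be seen in a short sketch. This is an added example, not code from the article or from Dropbox: it uses PBKDF2 from the Python standard library as a stand-in for bcrypt, and the function names, record layout and sample password are all constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ROUNDS = 100_000  # work factor; plays the role of bcrypt's cost setting


def sha1_salted(password: str, salt: bytes) -> str:
    """Fast salted hash: a single SHA-1 call over salt + password."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def verify_sha1(password: str, digest: str, salt: Optional[bytes]) -> bool:
    """Check a guess against a salted SHA-1 digest; impossible without the salt."""
    if salt is None:
        raise ValueError("salt missing: digest cannot be checked")
    return hmac.compare_digest(sha1_salted(password, salt), digest)


def slow_record(password: str, salt: Optional[bytes] = None) -> str:
    """Build 'rounds$salt$digest'; like a bcrypt string, it carries its own salt."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return f"{ROUNDS}${salt.hex()}${dk.hex()}"


def verify_slow(password: str, record: str) -> bool:
    """Recompute the slow hash using the salt and rounds stored in the record."""
    rounds, salt_hex, digest_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), digest_hex)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    a, b = slow_record(pw), slow_record(pw)
    print("same password, different records:", a != b)
    print("verifies with embedded salt:", verify_slow(pw, a))
    digest = sha1_salted(pw, os.urandom(16))
    try:
        verify_sha1(pw, digest, None)  # digest leaked, salt held back
    except ValueError as exc:
        print("SHA-1 digest alone:", exc)
```

For a service storing passwords, the point is that the salt has to travel with a slow hash so logins can be verified, which makes the work factor the protection that matters once a record leaks.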

Hunt emphasized the importance of independent verification of all data breaches, which he said is easy to do with Dropbox, where "there's no shortage of people with accounts who can help verify if the data is correct. People like me." He advocates the following simple, effective strategies to help protect data: use a password manager, use strong passwords and routinely change passwords.

Regarding the Dropbox intrusion, Hunt wrote, "Definitely still change your password if you're in any doubt whatsoever and make sure you enable Dropbox's two-step verification while you're there if it's not on already." Hunt praised Dropbox for its recent email communications, which mandated password changes. "Not only was the password itself solid, but the bcrypt hashing algorithm protecting it is very resilient to cracking and frankly, all but the worst possible password choices are going to remain secure even with the breach now out in the pu

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
