Wednesday, June 15, 2011

Dropbox: Convenient? Absolutely, but is it secure?

June 13, 2011, 8:03 AM PDT

Takeaway: A potential security lapse and possibly misleading statements are plaguing Dropbox, a hugely popular file-syncing app. What are the issues and is concern justified?

Some statistics:

  • Currently 25 million people use Dropbox.
  • Dropbox members are spread over 175 countries.
  • On any given day, over 200 million files are saved in Dropbox.

Not bad for a service four years old. Drew Houston, co-founder and CEO points out:

“Dropbox transforms the way people create and share their life’s work. Whether that’s designing buildings, writing music, or raising a family, we’re focused on making it effortless to have your files wherever you need them, on any computer or phone.”

So, what is Dropbox?

From Dropbox:

“Dropbox is a service that lets you bring all your photos, docs, and videos anywhere, and share them easily. Any file you save to your Dropbox will automatically save to all your computers, your phone or iPad, and the Dropbox website.”

Dropbox offers:

  • 2 GB of Dropbox space for free, with subscriptions up to 100 GB available.
  • Work offline. Your files are available, whether you have a connection or not.
  • Files are also available from the Dropbox website.
  • Dropbox works with Windows, Mac, Linux, iPhone, iPad, Android, and Blackberry.
  • To save time and bandwidth, Dropbox only transfers the parts of a file that change.

Dropbox also has the ability to share files with others. And, if your computer melts down, you can restore all your files from the Dropbox website.

Is there a problem?

Anyone who knows me understands something. I ask questions, lots of questions. It’s my grandfather’s fault. I can still hear him: “How in hell can you make a good decision if you don’t know the facts?” Thanks to Grandpa, I pay attention if something is “up close and personal”.

Warning: This is one of those times.

Two highly skilled researchers, Derek Newton and Christopher Soghoian, have issues with Dropbox. Newton stumbled onto a viable attack vector, and Soghoian found serious inconsistencies in the Dropbox privacy policy.

I use Dropbox. And, when security researchers I’m familiar with publicly post warnings, a bomb goes off in my head. Besides, I know many people who use Dropbox.

So, like all good journalists–particularly those with grandfathers like mine–I feel obligated to gather the facts as presented by all parties. To that end, I contacted Dropbox. The following questions were answered by ChenLi Wang, Business Operations at Dropbox.

Kassner: The “How secure is Dropbox?” web page states:

“Your files are actually safer while stored in your Dropbox than on your computer in some cases. We use the same secure methods as banks and the military.”

What does that mean?

Dropbox: We all have stories from our family and friends about the file that was accidentally deleted or replaced, the inadvertent coffee spill, the dropped laptop, the USB stick gone missing.

We believe that storing data in Dropbox is far safer than how many of them store data currently, and we’ve designed Dropbox to help users avoid the most common threats to their data.

Kassner: Derek Newton posted the following on his blog:

“If you gain access to a person’s Dropbox config.db file (or just the host_id), you gain complete access to the person’s Dropbox. Taking the config.db file, copying it onto another system then starting the Dropbox client immediately joins that system into the synchronization group.”

I understand this requires contact (physical or remote access) with the computer. Still, if successful, a third party would have access to all the files in the Dropbox account. Do you consider this to be a problem?

Dropbox: Unfortunately, when a computer is compromised physically or by a trojan/virus, all applications and data on the computer are at risk. That said, there were things we could do to make Dropbox more resistant to attacks from someone with access to your computer, and we immediately began working on a solution.

First, we released an update to the Dropbox client software that set more restrictive permissions on the folder that stores the authentication file.

Next, about a month ago, we released to our user forums a build of the client that encrypts the entire config.db file, making user credentials much harder to steal. We will be auto-upgrading all users to this build soon; the encrypted config.db file breaks several third-party apps, so we want to give them a chance to design workarounds first.

Also, it is possible to see what computers have access to the Dropbox files by logging into the web interface and going to this link.

If a computer is not recognized, unlink it.

Kassner: Christopher Soghoian filed a complaint with the FTC. He alleged Dropbox misinformed the public about the protection of user data. Prior to April 2011, Dropbox stated on this webpage:

“All files stored on Dropbox servers are encrypted (AES256) and are inaccessible without your account password.”

After April, it changed to:

“All files stored on Dropbox servers are encrypted (AES 256).”

Would you explain why you changed this?

Dropbox: We were explaining that there are multiple safeguards on your data: that the files are stored encrypted and in addition, protected by your access credentials. However, a security professional could incorrectly infer that the encryption key comes from the user’s password, so we’ve separated the two points for clarity.

Kassner: Soghoian also pointed out that the following quote from the same Dropbox webpage:

“Dropbox employees aren’t able to access user files, and when troubleshooting an account, they only have access to file metadata (filenames, file sizes, etc. not the file contents).”

Became:

“Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations).”

Why did the statement change?

Dropbox: “Dropbox employees aren’t able to access user files.” That means that we prevent such access via access controls on our backend as well as strict policy prohibitions. That statement didn’t say anything about who holds encryption keys or what mechanisms prevent access to the data. We updated our help article and security overview to be explicit about this:

“Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule.

We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.”

Kassner: Thank you for providing your position with regards to the allegations. I have a few security questions as well.

In the iPhone Dropbox app, a four-digit passcode is required to open the application. Do you have any plans for an option that would allow more complex passcodes?

Dropbox: Users have not requested this feature to date. The iPhone passcode is intended to protect the user’s files in case the phone is lost or stolen. Users can enable a setting that will delete the Dropbox data on the phone should the wrong passcode be entered over ten times. It is not a replacement for the password on the account, which is required to link the Dropbox to the iPhone for the first time.

Kassner: There is a third party application called SecretSync that encrypts files before they are transferred to Dropbox. Would you recommend it for people that would like additional security? Would TrueCrypt be another option?

Dropbox: Yes, we have always recommended third-party encryption solutions for advanced users who are comfortable managing their own encryption keys. TrueCrypt has been the most popular option to date, but other solutions include EncFS, SecretSync, and BoxCryptor.

It’s important to understand that user-managed encryption has tradeoffs. First, many people publicly share photos and documents through Dropbox, and this will not be possible if those files are encrypted before being placed in Dropbox. Second, if they lose the password or encryption key to the files they encrypted themselves, those files are lost forever.

Final thoughts

Convenience versus security, the problem with all SaaS applications, has landed at Dropbox. How much do you trust the service provider?

Hopefully, I have provided enough information to make an informed decision about how to use Dropbox. Thanks, Grandpa.

Source: http://www.techrepublic.com/blog/security/dropbox-convenient-absolutely-but-is-it-secure/5618?tag=nl.e036


Five tips for protecting customer data

By Adam Blitzer
June 13, 2011, 6:07 AM PDT

Recent headlines prove that the threat against customer data is alive and well. Massive attacks on databases from Sony and Epsilon show that big companies with enough money to have the right kind of security don’t necessarily have an advantage. Clearly, antivirus, firewall, and other security technologies aren’t enough. Companies need to think carefully about how and where they are storing customer data, who has access to it, and how to prevent prying eyes from stealing the data and sharing it with other cybercriminals and manipulating customers with email phishing attacks.

1: Limit access to customer PII

Companies today have an open culture when it comes to data. But that policy shouldn’t be consistent across all data types, particularly personally identifiable information, or PII. In our company, we recently reviewed who has access to our customer database and noticed that not all of the authorized users needed access to certain types of data. As a result, we have pared down access to just a few employees.

2. Bulletproof your security software and your network

Protect customer data as you would financial data. Organizations can refer to publicly available guidelines, such as those published by the PCI Security Standards Council. You should encrypt all of your customer information at the database level to prevent unauthorized users from hacking into your accounts. You may want to consider tokenization, which is a higher level of security. Often used for e-commerce transactions, including credit card data, tokenization replaces sensitive data with unique identification symbols so that PII stays out of the data stream.
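As an added example (not part of this article), here is a minimal token vault in T-SQL that keeps the card number out of the order table and its reports; the table names and the sample card number are constructed for illustration:

```sql
-- Added example: a minimal token vault. Only the vault table holds the real
-- card number; every other table and report carries the opaque token instead.
-- All names and values are constructed for illustration.
CREATE TABLE #CardVault (
    CardToken  CHAR(32)    NOT NULL PRIMARY KEY,   -- 16 random bytes, hex-encoded
    CardNumber VARCHAR(19) NOT NULL UNIQUE         -- encrypt at rest in a real vault
);
CREATE TABLE #Orders (
    OrderId   INT           IDENTITY PRIMARY KEY,
    CardToken CHAR(32)      NOT NULL,              -- never the card number itself
    Amount    DECIMAL(10,2) NOT NULL
);

DECLARE @pan   VARCHAR(19) = '4111111111111111';   -- constructed test card number
DECLARE @token CHAR(32);

-- Reuse the existing token for a card seen before; otherwise mint a random one.
-- The token is random, not derived from the card number, so it cannot be reversed.
SELECT @token = CardToken FROM #CardVault WHERE CardNumber = @pan;
IF @token IS NULL
BEGIN
    SET @token = CONVERT(CHAR(32), CRYPT_GEN_RANDOM(16), 2);
    INSERT INTO #CardVault (CardToken, CardNumber) VALUES (@token, @pan);
END;

-- The order pipeline stores and reports only the token.
INSERT INTO #Orders (CardToken, Amount) VALUES (@token, 49.99);
SELECT OrderId, CardToken, Amount FROM #Orders;

-- In a real deployment the vault lives in its own schema with access limited
-- to the payment step; only that step joins back to recover the card number.
SELECT o.OrderId, v.CardNumber
FROM #Orders AS o
    INNER JOIN #CardVault AS v ON v.CardToken = o.CardToken;

DROP TABLE #Orders;
DROP TABLE #CardVault;
```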

Another option is to deploy anti-phishing software, which can secure the email channel by blocking malicious emails purporting to be from you. The software does this by checking for proper email authentication and issuing alerts when fraudulent activity is detected. These are just a few examples of the kind of security protections you need for customer data. A third-party security audit of your systems and processes can evaluate your infrastructure, provide recommendations, and issue annual certifications.

3. Require that partners and vendors with access to customer data also have the best available protection

Agencies, software firms, and email service providers should have the same (if not better) controls as your company. For instance, if you use a marketing automation solution for campaign generation and tracking, your provider should require IP address blocking so that only users from within your firewall can access customer data and email addresses. External IP addresses will be locked out if they obtain passwords and attempt to log in to a customer database. If any of your partners stores customer data for you, understand exactly how they are securing their information systems and handling access control.

4. Get the help of a lawyer

If a breach occurs, your company could be on the line for thousands or millions of dollars in lawsuits and other fees to your customers. What type of protections can you build into your services to prevent financial disaster and what guarantees do you need to provide to customers if their data is compromised, lost, or stolen? This also applies to your marketing vendors. What are their obligations if a breach occurs in their systems? This could include legal fees and other financial penalties. Have your lawyer draft the appropriate language for your Web site, customer documentation, and vendor contracts.

5. Educate your employees

Developing policies and providing regular training for employees handling customer data is imperative. Consider adding internal security measures to protect against the possibility of social hacking incidents. These are situations in which, for example, an employee who has access to your data has the account password stolen. In many cases, if that password was stolen, there is the possibility that other passwords, such as an email password, were also stolen and a simple email verification link won’t be secure enough. To minimize risk in this situation, consider requiring employees to use a two-step verification process to access your data. For instance, employees logging in to your application from a new location would have to use a code sent to their cell phone and also provide an answer to a security question before gaining access. This process is similar to the standard used by many financial institutions.

Adam Blitzer is cofounder and CEO of Pardot, in Atlanta.


source: http://www.techrepublic.com/blog/five-tips/five-tips-for-protecting-customer-data/875?tag=nl.e036


Tuesday, June 14, 2011

The 5 First SQL Errors to Check For

By Andy Owl, 2011/06/14


As a trainer and programmer using T-SQL I see the same errors repeated over and over again. This inspired me to list out the 5 DOH errors which - no matter how many times you make them - just keep on recurring.

Common SQL Error 1 - too few or too many commas

This is - by far - the most common mistake made in writing SQL (to the extent that I've taken to coughing loudly behind delegates who transgress). The following query is typical, containing as it does an extra comma:

-- list out the name and release date for each film
-- in a table
SELECT
    FilmName,
    FilmReleaseDate,
FROM
    tblFilm

Just as bad is to miss out a comma:

-- list out the name and release date for each film
-- in a table
SELECT
    FilmName
    FilmReleaseDate
FROM
    tblFilm

In this latter case, however, the SQL won't generate an error; instead, Management Studio (SSMS) will assume that the second column name is an alias for the first, and display a single column with the wrong header:

Do yourself a favour: check your commas before you do anything else!

Common SQL Error 2 - part of a command already selected

How many times have I seen this? If you have part of a query selected - even if it's only a single word - SSMS will run the selected text rather than the entire query. So for the example below, if you press F5 or click on the EXECUTE button you won't get a good result!

The moral? Before you run your query, make sure that you have either nothing selected, or that you've selected an entire command.

Common SQL Error 3 - You're Using the Wrong Database

If you run a query and SSMS tells you that it doesn't recognise your table, there could be a good reason for this!

Perhaps SSMS can't find the table TBLFILM in the above error because there is no such table in the current database! Either add the command:

USE Movies 

Or change to the correct database using the dropdown at the top of SSMS:

Either way, SQL Server should then be able to find your table.

Common SQL Error 4 - Order of Commands

There's nothing wrong with each part of the following SQL command:

-- show for each film director the average run
-- time for their films, including only films
-- which won at least 1 Oscar and only directors
-- whose average film length was more than 2.5 hours
SELECT
    d.DirectorName,
    avg(FilmRunTimeMinutes) AS [Average length]
FROM
    tblDirector AS d
    INNER JOIN tblFilm AS f
        ON d.DirectorId = f.FilmDirectorId
GROUP BY
    d.DirectorName
HAVING
    avg(FilmRunTimeMinutes) > 150
WHERE
    f.FilmOscarWins >= 1
ORDER BY
    [Average length] DESC

What there is something wrong with is the order. Can you spot the problem? Use the following mnemonic to help:

  • Sweaty
  • Feet
  • Will
  • Give
  • Horrible
  • Odours

This shows that the WHERE clause should come between FROM and GROUP BY - but it's oh-so-easy to overlook this.
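As an added example (not from the article), here is the Error 4 query with its clauses in the mnemonic's order, run against constructed temporary tables so the effect of placing WHERE before GROUP BY is visible; the table and column names follow the article, the rows are made up:

```sql
-- Added example: the Error 4 query in SFWGHO order, run on constructed data.
-- Table and column names follow the article; the rows below are made up.
CREATE TABLE #tblDirector (DirectorId INT, DirectorName NVARCHAR(50));
CREATE TABLE #tblFilm (
    FilmDirectorId     INT,
    FilmRunTimeMinutes INT,
    FilmOscarWins      INT
);

INSERT INTO #tblDirector VALUES (1, 'Director A'), (2, 'Director B');
INSERT INTO #tblFilm VALUES
    (1, 170, 2),  -- Oscar winner: kept by WHERE
    (1, 160, 1),  -- Oscar winner: kept by WHERE
    (1,  90, 0),  -- no Oscar: removed by WHERE before the average is taken
    (2, 200, 0),  -- no Oscar: removed by WHERE before the average is taken
    (2, 120, 1);  -- Oscar winner: kept by WHERE

-- Sweaty Feet Will Give Horrible Odours:
-- SELECT, FROM, WHERE, GROUP BY, HAVING, ORDER BY.
SELECT
    d.DirectorName,
    AVG(f.FilmRunTimeMinutes) AS [Average length]
FROM
    #tblDirector AS d
    INNER JOIN #tblFilm AS f
        ON d.DirectorId = f.FilmDirectorId
WHERE
    f.FilmOscarWins >= 1             -- filters individual rows, before grouping
GROUP BY
    d.DirectorName
HAVING
    AVG(f.FilmRunTimeMinutes) > 150  -- filters whole groups, after grouping
ORDER BY
    [Average length] DESC;

DROP TABLE #tblFilm;
DROP TABLE #tblDirector;
```

With the WHERE in place, Director A averages 165 over the two Oscar-winning films and survives the HAVING, while Director B averages 120 and does not; drop the WHERE and the 90- and 200-minute films are averaged in, reversing which director is listed.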

Common SQL Error 5 - Try Again!

If you've tried all of the other 4 things above, and you're absolutely convinced your query is error-free, try executing it one more time. SSMS does - just occasionally - report an error where none exists. However, this only happens once: if you run your query twice and it still generates an error, then it's you who's at fault, not SQL Server!


source: http://www.sqlservercentral.com/articles/T-SQL/73634/