Storing and sharing important files in the "cloud" can simplify your life and protect you from data loss — but it could also make you more vulnerable to data thieves.
To guard against loss resulting from theft or fire, it's long been considered wise to store critical personal and business information on remote servers. Large companies have used "co-location" services to back up data off-site for decades.
In the past few years, the plummeting price of "cloud-based" online storage has made similar options available to the average home computer user. It's also led to the rise of related file-sharing services that enable users to "take home" large files that are too big to email.
But issues raised last month about one of the most popular storage and syncing sites, Dropbox, underscore potential weaknesses that could leave users open to theft, and even intrusions into their privacy.
Dropbox, which not only provides storage but also lets users share files with friends and family and synchronize copies across multiple devices, is one of the largest consumer storage services, with 25 million users. Individuals can get 2 GB of free storage, or pay and get up to 100 GB for $19.99 a month.
Changing the rules
First, Dropbox changed its terms of service, which spell out how and when it may share a user's files.
Such stated terms are common at companies from Google to Twitter, and typically stipulate legal obligations the companies have concerning criminal activity and law-enforcement requests.
Dropbox had promised its users that not even service administrators could see users' uploaded files, which it said were protected with "military-grade encryption." But it changed its terms of service when it became clear that law enforcement would have to be given access in case of a court order.
That's understandable, although it didn't stop angry bloggers from essentially yelling, "You lied!" at Dropbox executives.
The real problem, however, surfaced in a detailed blog post by a digital forensics expert, Derek Newton. He pointed out that Dropbox has a much more serious security vulnerability.
Dropbox uses client software that is installed on a user's computer, smartphone or tablet. The software makes it easy to automatically keep all copies of important files up to date.
However, to identify an individual user, the Dropbox client software relies on unencrypted administrative files, each containing the user's unique Dropbox ID, stored on each of the user's Dropbox-connected devices.
If that user ID is copied to the Dropbox administrative files on another device — any other device, no matter who owns it — it can be used to secretly access the first user's files on Dropbox, with no login, username or password needed.
Repeated requests by SecurityNewsDaily to Dropbox for comment went unanswered. But the company did post several online statements concerning the problem.
Initially, the company pointed out, correctly, that if someone were able to grab a subscriber's identification file, it would mean that the person's device had already been compromised.
In other words, the hacker would already have broken into the victim's computer, have access to all its data, and the user would have much bigger problems than the security of his or her Dropbox files.
However, Dropbox's argument failed to quell criticism. It was the equivalent of saying that software designers shouldn't bother to encrypt password files on computers because each PC should have a login password, and if a hacker got around that, then the system was compromised anyway.
Responding to consumers
Two weeks ago, Dropbox co-founders Drew Houston and Arash Ferdowsi promised to change the ID file in the Dropbox software to make it more difficult to copy and hack.
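The weakness Newton described, and one general way an identifier file can be made useless when copied, as an added example that is not from the article, from Newton's post or from Dropbox. It is a simplified model: the `Server` and `Device` classes, the `user_id` field and the keystore-held key are all assumptions made for illustration, not Dropbox's protocol or its eventual fix.

```python
import hashlib
import hmac
import secrets

# Constructed model for illustration; all names here are hypothetical.
class Server:
    def __init__(self):
        self.accounts = {}     # user_id -> account name
        self.device_keys = {}  # user_id -> key issued to the enrolled device

    def enroll(self, account):
        user_id = secrets.token_hex(16)
        key = secrets.token_bytes(32)
        self.accounts[user_id] = account
        self.device_keys[user_id] = key
        return user_id, key

    def auth_static(self, user_id):
        # Weak design: the identifier read from the file is the whole credential.
        return self.accounts.get(user_id)

    def auth_bound(self, user_id, nonce, proof):
        # Hardened design: client must HMAC a server-chosen nonce with a key kept out of the file.
        key = self.device_keys.get(user_id)
        if key is None:
            return None
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return self.accounts[user_id] if hmac.compare_digest(expected, proof) else None

class Device:
    def __init__(self, config_file, keystore_key=b""):
        self.config_file = dict(config_file)  # plaintext file on disk
        self.keystore_key = keystore_key      # stands in for an OS keystore or TPM

    def prove(self, nonce):
        return hmac.new(self.keystore_key, nonce, hashlib.sha256).digest()

def demo():
    server = Server()
    user_id, key = server.enroll("alice")
    owner = Device({"user_id": user_id}, key)
    clone = Device(owner.config_file)  # second device holding only the copied file
    nonce = secrets.token_bytes(16)
    return {
        "static_owner": server.auth_static(owner.config_file["user_id"]),
        "static_clone": server.auth_static(clone.config_file["user_id"]),
        "bound_owner": server.auth_bound(clone.config_file["user_id"], nonce, owner.prove(nonce)),
        "bound_clone": server.auth_bound(clone.config_file["user_id"], nonce, clone.prove(nonce)),
    }
```

Binding the credential to a key outside the file only defeats copying of the file itself; software already running as the user on the original device can still ask the keystore to sign, which is the limit Dropbox's own statement points to.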
The saga raises a number of important points that all consumers — whether they use Dropbox or not — need to be aware of:
- Any files you store on any online service may be subject to review by the hosting company. This is akin to credit-card service representatives accessing your account when you call in with a problem.
- Law enforcement may at any time access files, images, videos, etc., that you've stored online, and in the U.S., subject to certain ever-shifting guidelines, the hosting company has to comply. In some cases, they may even be barred from telling you that law enforcement is looking at your personal files.
- Just as any individual computer can be hacked and attacked, so can any hosting service you use. Even giants like Google have been the victims of extensive attacks.
So should you avoid backup and storage services like Dropbox or its competitors Carbonite and Mozy?
Probably not. For most law-abiding citizens, the risks of not using online storage — the potential loss of all those family photos, say, or Quicken files — outweigh the risks of legal scrutiny or digital break-ins.
A system crash at home could wipe out months of work or priceless photos of your family's vacation. A service like Dropbox can be an invaluable safeguard against such digital disasters.
That said, there are some steps you should take to protect yourself when using a third-party storage or backup service:
- Read the company's terms of service. Some firms use subscriber information for advertising and marketing purposes, meaning that your storage and backup habits may be tracked.
- Consider encrypting important files, such as those that contain financial information, before uploading them to the cloud. There are several commercial products available, as well as free open-source programs such as TrueCrypt.
- If possible, do not allow programs to "remember" your password on your computer. (The basic version of Dropbox doesn't seem to permit this; it automatically logs in users upon device startup.) It means having to log in every time, so there's some loss of convenience, but it's worth it.
- Check for recent activity on any storage accounts you may have. It could alert you to a recent theft or spying attempt.
Also look for special security features from vendors. Mozy, for example, allows subscribers to use a personal encryption key that remains unknown to the company.
"If the government comes to Mozy asking us to hand over someone's data, we have to direct them to the customer to get that," explains Dave Robinson, the company's vice president of marketing. “We have no choice — we don't hold their key.”
Taking such extra steps may sound paranoid, but considering the array of threats and the regularity with which credit-card and personal information is stolen these days, it may just be the prudent thing to do.