DropBox security

Word is, DropBox is insecure. Whats the rage, and really how bad is it? Here's what normally starts a rage about lack of security:

  1. It's about a really popular product or service
  2. The service provider lied, or "limited" the truth about the product or service
  3. The "security finding" is somewhat odd, oldschool, unexpected, or worth mentioning
  4. The researcher(s) behind the finding are trustworthy, and the IT community listens to them

Well, in the case of our beloved DropBox, perhaps all four will match. Now, please notice that security flaws are discovered every day in great numbers. It will take a while before DropBox joins Adobe or Microsoft in the vulnerability "Hall of shame". But again, one should take things like overall service value and complexity in account before dismissing products like Adobe Reader or Windows XP. If you do that, you might come to the conclusion that you would expect more from a simple file service like DropBox. A few ounces of forgiveness are added, as DropBox is a free service for the average Joe.

For those of you who have read other Arbi.se posts on security, you have noted that I say "security". Not "IT security" or "Information security". It will soon become clear..

Secure vs. insecure

Nothing is 100% secure. Please remember that! In the business world we talk about the security we "need", not the "most secure" solutions. You make security decisions everyday without thinking much about it. If you think less about those decisions, it is probably a low risk. If you think more, then it's probably a high risk.

So, how insecure is DropBox to you? If you have other people accessing your computer, or if malicious code is targeting your computer, then you have an increased possibility of having your DropBox account hijacked. If you at the same time have sensitive data stored at your DropBox, then you have an increased consequence if your DropBox account is hijacked.

Increased possibility + increased consequence = high risk!

If you a this stage feels that the risk is high, then DropBox might be insecure in your perspective. if not, when then DropBox might be secure enough for you.

How to manage your security

Information classification

A really easy way to decrease the risk you just discovered in the previous chapter, is to minimize the consequence. Dont store sensitive data on your DropBox. How to find out if it 's sensitive? If it's ok to post your texts in the newspaper or hand out the files to the inmates at your nearest correction institute, your information is not sensitive.

Add encryption

Ok, it is sensitive. Then what? Here's how I do it.

My DropBox folder contains x amount of files and folders, all worthless to an intruder. One of the files synced, is a TrueCrypt archive. Just a few hundred meg's big, it can easily store things like certificates, passwords, you name it. Whenever I have added something to the encrypted archive, it will be synced to my DropBox. Of course, I use an encryption password strong enough to make any attempt a waste of time. NSA would probably pull it off after a while, but I can say it right here: Theres nothing of value to the NSA in my DropBox.

Further, I have my DropBox password (even security specialists laugh at the password strenght..in a flattering sense) stored in my encrypted USB stick in my keychange. Whatever happens at home or to my computer, I will always have access to my DropBox. Voilá! I have a mobile business continuity and disaster recovery plan! I wont reveal any details on how I get access to the encrypted TrueCrypt archive, that's a different story. But it's waterproof..

So for the sensitive data that would lead to a high consequence, I have lowered the possibility of an intrusion, thus lowering the risk.

The real risks

What are the real risks? Anything as convenient as an unencrypted USB stick, will carry great risks with it. DropBox will pose great risks when introduced in the corporate world, wherever employees have the possibility of controlling sensitive information in what way they feel most appropriate. In most cases, it will be inappropriate. If you handle sensitive information at your job, don't use free services designed for the masses. Such services get popular, and vulnerable, and exploited.

Another area of risk, regardless of private or corporate use, is mobile apps. Any app for Android or iPhone will increase the risk, as you will increase the possibility of a compromise. Your phone is more exposed to all risks, as it often lacks the standard layers of physical or logical security. Do you even know who developed that fancy app you just downloaded?

Other sources

Some useful links





Leave a Comment