Apr 11, 2019
Craig is back with another Security Thing. Today, he talks about the dangers of using Box, Dropbox, and other cloud storage services.
For these and more tech tips, news, and updates, visit CraigPeterson.com
---
Below is a rush transcript of this segment; it might contain errors.
Airing date: 04/11/2019
Dangers Of Using Box Dropbox
Craig Peterson 0:05
Hey, good morning, everybody, Craig Peterson here. And of course, it's time for our It's a Security Thing. Man, I have been so busy the last few weeks delivering on my cyber security course. I have to apologize, because I was looking in the logs and it's been like two or three weeks since I got a Security Thing podcast out. So sorry about that, everybody. But today, we are going to be talking about a real danger that many businesses are facing when it comes to using software as a service. You know, it has been kind of billed as a panacea for everybody: hey, listen, you don't have to worry about your servers, your file servers, your employees, etc. Just use this cloud service. That's what software as a service is. Instead of buying some software and having to run it yourself, all you have to do is stick it up in the cloud. And once it's up in the cloud, my goodness, then you've got professionals who know what they're doing that are going to keep all of your data safe, and hopefully keep your data backed up and keep the software up to date. Right? It's just wonderful. In reality, that's not the case. And there's a great article that I put up on my website this week that's talking about security professionals, IT professionals, saying the biggest threat that they have is, drumroll please, internal users. And the reason they're saying its own user base is the biggest threat is because they just are not educated enough. And you know, they're not IT professionals. Well, even if you are an IT professional, what we're going to talk about right now is a problem that dozens, probably hundreds of companies have. But now this researcher found dozens; it's called Adversis, the cybersecurity firm, found dozens of companies that had misconfigured their Box account. Now Box is used by many companies. We use it ourselves, we use it for communicating with clients, we have set it up for other clients. Now, we've kind of switched from Box to Dropbox because I like the integration better. But still, some of our clients are using Box. And these security researchers found that many people who are part of these corporate accounts on Box, Box calls them their enterprise accounts, have been sharing files. Well, you know, isn't that part of the purpose of using Dropbox or Box, to be able to share files with other people within the organization and outside of the organization? I do it all of the time. And the answer is yes. Obviously, that's one of the purposes of using Box.
Craig 2:58
But by default, what are your settings when you create this link to share? Because once you've created this link, if you use default settings, that link can be used by anyone inside or outside your company to be able to access the information. So what you have to do, and this is true in Google Docs, have you noticed this before? If you have a Google document or a file in Google Drive, and you share it, you do have the option to change the default. So by default, it's anyone with the link can view, for instance, in Google Docs, and you can change it to they can edit it. I think that there's a third option; I can't remember what it is right now. But you can change those settings. But by default, it's view. Well, in the case of Box here, and they may be changing this, but they have found that the default in Box allows anyone to be able to view the data that is shared with the link, which is not terrible, right. But here's your problem. Now we've got Singapore Airlines: we found online a link to their Box account, and you're able to get in there and change reservations that were booked with Amadeus. Apple, with several folders exposed containing what appeared to be non-sensitive internal data such as logs and regional price lists.
Craig 4:33
Oh, that's not sensitive, right?
Craig 4:35
Reading from the article here that you can find on my website, or on TechCrunch where it originated. Discovery Network had more than a dozen folders. Edelman, I've worked with them many times; they've booked many guests on my radio show, hundreds. That's a big public relations firm. They had an entire project proposal for working with New York City mass transit divisions, including all of their detailed proposal plans, more than a dozen resumes of potential staff for the project, including their names, email addresses, phone numbers, etc. Herbalife left several folders exposed containing files and spreadsheets on about 100,000 customers, including names, email addresses, phone numbers. Opportunity International, this is a nonprofit, exposed a massive spreadsheet list of donor names, addresses, and account information, amount given. Schneider Electric, Pointe Claire, United Tissue Network. I'm not going to go through all of these; I'll just kind of stop there. But my goodness gracious.
Craig 5:38
So how do you stop this from happening, because you do want to be able to share; that's part of the purpose of these things like Box and Dropbox? Well, there is a default setting for your business. When you're in there, make sure the default setting is to share with internal company users by default. So that if someone wants to share it outside of the company, they have to purposely change the setting to share that file or that folder with someone outside of your company's account, your Box account or Dropbox account. Now this actually reveals another potential security problem, and that is that you could have someone, for instance, I've seen this before. A sales guy, I hate to keep picking on sales guys, but a sales guy who shared a whole folder of all of the company's customers, all of their contact information, all of their purchases, payment records, everything. He shared it with his personal email address, and then ended up leaving the company within about, I think it was, a week. Isn't that surprising. Well, isn't that special. And so now he had all of the company's information. Of course, he ended up getting sued over this whole thing once the company figured out what had happened. Which means, again, if you're an IT professional, make sure these sharing sites are configured to only share by default internally. Make sure also you audit what's being shared and with whom, because the enterprise editions from Box and Dropbox both give you that option. You might even want to tie it in with an API into an internal database where you record the logs, you save them, and you analyze them. And then make sure you educate your internal user base about some of the risks of sharing these files. And for everyone out there, remember that just because it's software as a service, and it's a cloud service, whether it's Microsoft, Google, or in this case Box, remember that they are maybe professionals, but their number one concern and priority is not your data. And if you don't get a high enough level of service with them, you might be completely out of luck. And this is something I see all of the time. You know, we'll put in a proposal and say okay, here's what we're going to do for you, here's what we're going to provide you, because you want to move to the cloud: we can provide you with Microsoft email and Office 365, so you can run all the Office apps on all your devices and link it together. And they come back and they say no, thanks, we're all set. And then we find out later on, they just went and bought a regular subscription to Office 365. And it wasn't doing backups. And it didn't have data locked down. It didn't have restrictions on it. And it didn't have the right kind of filters, and they ended up getting compromised because they didn't know what they were doing. And Microsoft just doesn't care about you, frankly, they just don't. You are a number to them. And you think when they're billing you 20 bucks a month, they're going to pay much attention to you? The answer is no. Of course not.
Craig 9:04
So anyhow, keep an eye out. Be careful out there. Software as a Service, cloud services, is not a panacea. And most IT departments surveyed in this country say that it is right now their number one concern. So take care, pay attention.
Craig 9:24
You know, It's a Security Thing. And I'll probably be back tomorrow; I think I'm going to be able to carve out a little time to do a recording for you for Friday, because every day there's another security breach. This is another recent one, by the way; eighth of March this came out. So about a month old.
Craig 9:40
Take care everybody. Bye Bye. Thanks for listening.