Dropbox Breach, Cloud Security, Apple Updates Lead Week's Security News

ov_logo_blueonWhite
by || 06/26/2011

The week began with the news that online file storage provider Dropbox had accidentally disabled passwords on all its user accounts, potentially allowing anyone to wander in and access other people’s files.

While Dropbox fixed the issue, which was the result of a “code update,” the accounts were unprotected for four hours. The company claimed only a small fraction of accounts had been accessed during that time period and that it didn’t seem as if anyone had acted maliciously.

Many irate customers threatened to take their files to other competing services, reigniting the debate over the security benefits of server-side encryption, which Dropbox uses, and client-side encryption, favored by several other cloud-storage companies.

Speaking of the cloud, Jim Reavis, of the Cloud Security Alliance, pointed out that companies are taking the outsourcing mentality when it comes to moving applications to the cloud and not thinking about the underlying architecture. Organizations need to take a measured approach to make sure they are covering all the key points, such as security, business continuity and disaster recovery, Reavis said.

Law enforcement has been busy this week, as British police, with assistance from the Federal Bureau of Investigation, arrested a 19-year old hacker and charged him with attacking the United Kingdom’s Serious Organized Crime Agency’s Website.

In a series of coordinated raids around the globe, the FBI broke up two cyber-crime gangs that had racked up nearly $74 million distributing scareware and fake antivirus software to more than a million users.

Two studies painted a bleak picture of enterprise security, with one finding that organizations are almost certainly to be attacked, and the other showing that security professionals consider regular malware a bigger threat to their organizations’ networks than advanced threats.

The Ponemon Institute reported 90 percent of surveyed businesses had at least one IT security breach over the past 12 months, and more than half expected to be hit in the next 12 months. Over half, or 55 percent, of IT security professionals surveyed by eEye Digital said mass malware was a “very large” or “large” threat to the enterprise.

It was the week to pick on end-users for poor security practices, as well. An analysis of user passwords from the Sony breach revealed that users are not picking strong passwords and two studies found that users were not being careful when surfing online. If that wasn’t enough, scammers are taking advantage of the intense interest around Apple’s forthcoming iCloud platform to hijack search-engine results to distribute fake antivirus software to end-users.

Apple rolled out what may be the last major security update before it releases Mac OS X 10.7 “Lion” this summer, perhaps in July. Apple doesn’t schedule updates like Microsoft or other vendors do for their software.

So it’s not entirely out of the question for the company to squeeze in another update for “Snow Leopard” before the big launch. However, this update is “Lion-ready,” in that the Mac App Store was updated to make the upgrade process easier.