Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

How Much of a Security Threat is Dropbox?

March 6, 2012

Last month, I posted about a law firm data breach where a former partner allegedly used Dropbox to purloin tens of thousands of law firm files before breaking away to start a new law firm. This got me thinking about Dropbox as a security threat generally.

I received a thoughtful e-mail from Frank McClain and I am remiss in not posting it sooner. Here is a portion of what he wrote:

Sharon,

Thank you for Ride the Lightning; I always enjoy it. Your down-to-earth insight into the technical realm of eDiscovery and computer forensics is always interesting. I just read your 2/15/12 post, "Another Law Firm Breach – This Time By An Ex-Partner???" and wanted to respond to you directly.

Late in 2009, I started research into Dropbox, and for this very reason – I could see the potential for abuse. I finally finished up an article for Forensic Focus this past June, and have some other posts on my blog as well as on SANS. I worked a case somewhat similar to the one you referred to in your post, where some partners split from a firm; leading up to that, they backed up data to cloud services (not Dropbox, but similar). A friend recently had a case where Dropbox was central to it as well.

From a more traditional Information Security standpoint, these types of services could be used by an external attacker to get information out of a network, but I think the greater threat is the insider. I've expanded my research from Dropbox into other cloud backup and synchronization services, to help shed greater light into this area, and am starting on a presentation to share that with the larger community.

And you're right, Dropbox is not a spy application, and cannot remotely control a system by itself. I guess it's conceivable that spyware could be introduced through it, depending on what you've set it up to synchronize, but you've still got the question of execution (built in timer, maybe?). I've included a link to my blog below, as it has links to the rest of my public research, in case you're interested.

Regards,

Frank McClain

http://forensicaliente.blogspot.com/2011/07/dropbox-forensics-follow-up.html

Thanks for writing, Frank. I'm glad you agree that Dropbox and similar services pose more hazards than we once realized. Keep up that research – a day doesn't go by without a new threat!

Phone: 703-359-0700

www.senseient.com

http://twitter.com/sharonnelsonesq