Posts Tagged ‘Privacy’

Security researcher Christopher Soghoian has filed a complaint with the Federal Trade Commission alleging that online file storage service provider Dropbox has been making false claims to customers about the company’s protocols for securely storing data.

The crux of the complaint centers around statements made by Dropbox that lead customers to believe data submitted to the service for storage is always in an encrypted state, and only accessible in an unencrypted state by the client.

Soghoian has demonstrated that the company uses a process that leaves the data in an unencrypted form, making the information susceptible to examination by Dropbox employees, as well as government and court ordered searches for copyright infringements.

Soghoian wants the company to further revise advertising and onsite statements to more accurately reflect the security and encryption protocols used by Dropbox.

According to the complaint filed by Soghoian with the FTC:

1. Dropbox has prominently advertised the security of its “cloud” backup, sync and file sharing service, which is now used by more than 25 million consumers, many of whom “rely on Dropbox to take care of their most important information.”

2. Dropbox does not employ industry best practices regarding the use of encryption technology. Specifically, Dropbox’s employees have the ability to access its customers’ unencrypted files.

3. Dropbox has made and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data.

4. Dropbox’s customers face an increased risk of data breach and identity theft because their data is not encrypted according to industry best practices.

5. If Dropbox disclosed the full details regarding its data security practices, some of its customers might switch to competing cloud based services that do deploy industry best practices regarding encryption, protect their own data with 3rd party encryption tools, or decide against cloud based backups completely.

6. Dropbox’s misrepresentations are a Deceptive Trade Practice, subject to review by the Federal Trade Commission (the “Commission”) under section 5 of The Federal Trade Commission Act.

Dropbox officials have dismissed Soghoian’s accusations and maintain that no misrepresentations have been made to customers.

“We believe this complaint is without merit, and raises old issues that were addressed in our blog post on April 21, 2011. Millions of people depend on our service every day and we work hard to keep their data safe, secure, and private,” said company spokeswoman Julie Supan to Wired.com.

Nonetheless, the company has made several changes to the wording it uses on its website to explain its security protocols, and Supan contends that some of Soghoian’s accusations take company statements out of context.

“In our help article we stated ‘Dropbox employees aren’t able to access user files.’ That means that we prevent such access via access controls on our backend as well as strict policy prohibitions. That statement didn’t say anything about who holds encryption keys or what mechanisms prevent access to the data. We updated our help article and security overview to be explicit about this. Also, to clarify we’ve never stated we don’t have access to encryption keys. We’ve made quite a few posts in our public forums over the years about this very fact and we are quite open with our community…” Supan stated.

Soghoian maintains that the language Dropbox uses is still a misrepresentation of the actual level of security employed by the company, and that the statements are not only confusing to consumers but to security experts as well, noting a tweet by encryption expert Jon Callas which states:

“I deleted my Dropbox account. It turns out that they lied and don’t actually encrypt your files and will hand them over to anyone who asks.”

Two companies that maintain large amounts of sensitive information about the employees of their business customers, including Social Security numbers, have agreed to settle US Federal Trade Commission charges that they failed to employ reasonable and appropriate security measures to protect the data, in violation of federal law. Among other things, the settlement orders require the companies to implement comprehensive information security programs and to obtain independent audits of the programs every other year.

The settlements with Ceridian Corporation and Lookout Services are part of the FTC’s ongoing efforts to ensure that companies secure the sensitive consumer information they maintain. In complaints filed against the companies, the FTC charged that both Ceridian and Lookout claimed they would take reasonable measures to secure the consumer data they maintained, including Social Security numbers, but failed to do so. These flaws were exposed when security breaches at both companies put the personal information of thousands of consumers at risk. The FTC challenged the companies’ security practices as unfair and deceptive.

According to the FTC’s complaint against Ceridian, a provider to businesses of payroll and other human resource services, the company claimed, among other things, that it maintained “Worry-free Safety and Reliability . . . Our comprehensive security program is designed in accordance with ISO 27000 series standards, industry best practices and federal, state and local regulatory requirements.” However, the complaint alleges that Ceridian’s security was inadequate. Among other things, the company did not adequately protect its network from reasonably foreseeable attacks and stored personal information in clear, readable text indefinitely on its network without a business need. These security lapses enabled an intruder to breach one of Ceridian’s web-based payroll processing applications in December 2009, and compromise the personal information – including Social Security numbers and direct deposit information – of approximately 28,000 employees of Ceridian’s small business customers.

The other company, Lookout Services, Inc., markets a product that allows employers to comply with federal immigration laws. It stores information such as names, addresses, dates of birth and Social Security Numbers. According to the FTC’s complaint against Lookout, despite the company’s claims that its system kept data reasonably secure from unauthorized access, it did not in fact provide adequate security. For example, unauthorized access to sensitive employee information allegedly could be gained without the need to enter a username or password, simply by typing a relatively simple URL into a web browser. In addition, the complaint charged that Lookout failed to require strong user passwords, failed to require periodic changes of such passwords, and failed to provide adequate employee training. As a result of these and other failures, an employee of one of Lookout’s customers was able to access sensitive information maintained in the company’s database, including the Social Security numbers of about 37,000 consumers.
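The flaw class described in the Lookout complaint, a record reachable by typing a URL with no login, sits beside a hardened handler below. This is an added illustration, not Lookout’s code: the record store, the session table, the response codes and the password rule are all constructed for the example.

```python
"""Forced browsing of the kind described above, beside a hardened handler.

Added example, not Lookout's code: RECORDS, SESSIONS and the password policy
are constructed assumptions for illustration.
"""
import re

# Constructed in-memory store of employee records; the SSNs are fake.
RECORDS = {
    "1001": {"employer": "acme", "name": "A. Employee", "ssn": "123-45-6789"},
    "1002": {"employer": "globex", "name": "B. Employee", "ssn": "987-65-4321"},
}
# Constructed session table: token -> authenticated user and their employer.
SESSIONS = {"tok-acme-1": {"user": "hr@acme", "employer": "acme"}}


def vulnerable_lookup(record_id):
    """Vulnerable pattern: whoever knows or guesses the id in the URL gets the record.
    No session is consulted, so no username or password is ever required."""
    return RECORDS.get(record_id)


def mask_ssn(ssn):
    """Return only the last four digits, which is all a display usually needs."""
    return "***-**-" + ssn[-4:]


def hardened_lookup(session_token, record_id):
    """Hardened pattern: authenticate first, then authorise against the record's owner.
    Returns (http_status, body)."""
    session = SESSIONS.get(session_token)
    if session is None:
        return 401, None                  # no valid session: deny before touching data
    record = RECORDS.get(record_id)
    if record is None or record["employer"] != session["employer"]:
        return 403, None                  # same answer for missing and foreign ids: no enumeration oracle
    return 200, {"name": record["name"], "ssn": mask_ssn(record["ssn"])}


def password_acceptable(password):
    """Minimum password rule (assumed values): 12+ characters and three character classes."""
    if len(password) < 12:
        return False
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return classes >= 3


if __name__ == "__main__":
    print("vulnerable, no login:", vulnerable_lookup("1002"))
    print("hardened, no login:", hardened_lookup(None, "1002"))
    print("hardened, wrong employer:", hardened_lookup("tok-acme-1", "1002"))
    print("hardened, own employer:", hardened_lookup("tok-acme-1", "1001"))
```

The point to check in a review is the order of the two checks: the session lookup runs before any data access, and the authorisation compares the record’s owner with the session’s owner rather than trusting anything in the URL.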

The settlement orders bar misrepresentations, including misleading claims about the privacy, confidentiality, or integrity of any personal information collected from or about consumers. They require the companies to implement a comprehensive information security program and to obtain independent, third party security audits every other year for 20 years.

Researchers at North Carolina State University have developed software that helps Android smartphone users prevent their personal information from being stolen by hackers.

“There are a lot of concerns about potential leaks of personal information from smartphones,” says Dr. Xuxian Jiang, an assistant professor of computer science at NC State and co-author of a paper describing the research. “We have developed software that creates a privacy mode for Android systems, giving users flexible control over what personal information is available to various applications.” The privacy software is called Taming Information-Stealing Smartphone Applications (TISSA).

TISSA works by creating a privacy setting manager that allows users to customize the level of information each smartphone application can access. Those settings can be adjusted any time that the relevant applications are being run – not just when the applications are installed.

The TISSA prototype includes four possible privacy settings for each application. These settings are Trusted, Anonymized, Bogus and Empty. If an application is listed as Trusted, TISSA does not impose additional information access restrictions. If the user selects Anonymized, TISSA provides the application with generalized information that allows the application to run, without providing access to detailed personal information. The Bogus setting provides an application with fake results when it requests personal information. The Empty setting responds to information requests by saying the relevant information does not exist or is unavailable.

Jiang says TISSA could be easily modified to incorporate additional settings that would allow more fine-grained control of access to personal information. “These settings may be further specialized for different types of information, such as your contact list or your location,” Jiang says. “The settings can also be specialized for different applications.”

For example, a user may install a weather application that requires location data in order to provide the user with the local weather forecast. Rather than telling the application exactly where the user is, TISSA could be programmed to give the application generalized location data – such as a random location within a 10-mile radius of the user. This would allow the weather application to provide the local weather forecast information, but would ensure that the application couldn’t be used to track the user’s movements.
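The four modes and the weather-application example above, worked through as a small policy manager in Python. This is an added illustration written for this page, not the NC State TISSA prototype (which modifies the Android framework itself). The per-device secret, the 10-mile radius, the fixed bogus values and the default of treating unconfigured applications as Trusted are assumptions of the example.

```python
"""TISSA-style privacy mode manager (added illustration, not the NC State code).

Assumptions: a per-device secret, a 10-mile generalisation radius, fixed bogus
values, and Trusted as the default for applications without a configured mode.
"""
import hashlib
import math
import random
from enum import Enum

MILE_M = 1609.34
RADIUS_M = 10 * MILE_M            # generalisation radius for Anonymized location
BOGUS_LOCATION = (0.0, 0.0)       # fixed fake fix returned in Bogus mode
BOGUS_CONTACTS = [{"name": "Placeholder Contact", "phone": "+1-555-0100"}]


class Mode(Enum):
    TRUSTED = "trusted"
    ANONYMIZED = "anonymized"
    BOGUS = "bogus"
    EMPTY = "empty"


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(h))


class PrivacyManager:
    def __init__(self, device_secret):
        self.secret = device_secret
        self.policy = {}              # (app, data_type) -> Mode; changeable while the app runs

    def set_mode(self, app, data_type, mode):
        self.policy[(app, data_type)] = mode

    def mode_for(self, app, data_type):
        return self.policy.get((app, data_type), Mode.TRUSTED)   # assumption: unset means Trusted

    def _rng(self, app):
        # The offset is seeded from a per-app secret, so every query from the same app
        # gets the same fuzzed fix. Fresh random noise on each call could be averaged away.
        seed = hashlib.sha256(self.secret + app.encode()).digest()
        return random.Random(int.from_bytes(seed[:8], "big"))

    def get_location(self, app, real):
        mode = self.mode_for(app, "location")
        if mode is Mode.TRUSTED:
            return real
        if mode is Mode.EMPTY:
            return None
        if mode is Mode.BOGUS:
            return BOGUS_LOCATION
        rng = self._rng(app)                         # Anonymized: a point within the radius
        dist = rng.uniform(0, 0.9 * RADIUS_M)        # margin keeps the flat-earth offset inside it
        bearing = rng.uniform(0, 2 * math.pi)
        lat, lon = real
        dlat = dist * math.cos(bearing) / 111320.0
        dlon = dist * math.sin(bearing) / (111320.0 * math.cos(math.radians(lat)))
        return (lat + dlat, lon + dlon)

    def get_contacts(self, app, real_contacts):
        mode = self.mode_for(app, "contacts")
        if mode is Mode.TRUSTED:
            return real_contacts
        if mode is Mode.EMPTY:
            return []
        if mode is Mode.BOGUS:
            return list(BOGUS_CONTACTS)
        # Anonymized: names survive (enough for a picker), numbers do not.
        return [{"name": c["name"], "phone": None} for c in real_contacts]


if __name__ == "__main__":
    pm = PrivacyManager(b"constructed-device-secret")
    raleigh = (35.7796, -78.6382)                    # constructed sample fix
    pm.set_mode("weather", "location", Mode.ANONYMIZED)
    fuzzed = pm.get_location("weather", raleigh)
    print("weather app sees", fuzzed, "at %.1f miles" % (haversine_m(raleigh, fuzzed) / MILE_M))
```

The design choice worth noting is the seeded offset: a weather application asked repeatedly for a "random location within 10 miles" would otherwise receive a cloud of points whose centre is the real position.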

The researchers are currently exploring how to make this software available to Android users. “The software modification is relatively minor,” Jiang says, “and could be incorporated through an over-the-air update.”

The paper, “Taming Information-Stealing Smartphone Applications (on Android),” was co-authored by Jiang; Yajin Zhou, a Ph.D. student at NC State; Dr. Vincent Freeh, an associate professor of computer science at NC State; and Dr. Xinwen Zhang of Huawei America Research Center. The paper will be presented in June at the 4th International Conference on Trust and Trustworthy Computing, in Pittsburgh, Pa. The research was supported by the National Science Foundation and NC State’s Secure Open Systems Initiative, which receives funding from the U.S. Army Research Office.

Just how far vendors will compromise user privacy to save costs is startling. Dropbox, a popular cloud backup service that lets users store files in the cloud and share them with friends and across devices, does not encrypt user data with keys that only the user controls, according to security researcher Christopher Soghoian.

To reduce cost, Dropbox uses a technique called deduplication, which ensures that only a single copy of a given file is kept on the server, regardless of how many users have uploaded it.

The problem is that offering free storage space becomes expensive once a service has millions of users. In what is suspected to be a cost-motivated design decision, Dropbox deduplicates the data its users upload: if two users back up the same file, Dropbox stores only one copy. The file still appears in both users’ accounts, but the company spends neither storage space nor upload bandwidth on the second copy.

The company states that it uses AES-256, an encryption standard regarded as highly secure and used by banks and military organisations. Soghoian, however, points out that the company must have access to unencrypted user data, since otherwise it could not detect duplicates across different accounts.

The computer security researcher advises, “If you value your privacy or are worried about what might happen if Dropbox were compelled by a court order to disclose which of its users have stored a particular file, you should encrypt your data yourself with a tool like truecrypt or switch to one of several cloud based backup services that encrypt data with a key only known to the user.”

Another security researcher, Ashkan Soltani, verified the deduplication for himself a couple of weeks ago. It took just a few minutes with a packet sniffer: a new, randomly generated 6.8MB file uploaded to Dropbox led to 7.4MB of network traffic, while a 6.4MB file that had previously been uploaded to a different Dropbox account led to just 16KB of network traffic.

There are long standing privacy and security concerns with storing data in the cloud, and so Dropbox has a helpful page on their website which attempts to address these:

Your files are actually safer while stored in your Dropbox than on your computer in some cases. We use the same secure methods as banks and the military to send and store your data.

Dropbox takes the security of your files and of our software very seriously. We use the best tools and engineering practices available to build our software, and we have smart people making sure that Dropbox remains secure. Your files are backed-up, stored securely, and password-protected.

Dropbox uses modern encryption methods to both transfer and store your data…

All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password

“Reading through this document, it would be easy for anyone but a crypto expert to get the false impression that Dropbox does in fact protect the security and privacy of users’ data. Many users and even the technology press will not realize that AES-256 is useless against many attacks if the encryption key isn’t kept private,” commented Soghoian.

“What is missing from the firm’s website is a statement regarding how the company is using encryption, and in particular, what kinds of keys are used and who has access to them,” he pointed out.

Explaining the problem with the mix between encryption and deduplication, Soghoian says that encryption and deduplication are two technologies that generally don’t mix well. If the encryption is done correctly, it should not be possible to detect what files a user has stored (or even if they have stored the same file as someone else), and so deduplication will not be possible.

But since cross-account deduplication evidently is possible, law enforcement agencies or copyright trolls can, from the comfort of their desks, upload contraband files to Dropbox, watch the amount of bandwidth consumed, and then obtain a court order if the amount of data transferred is smaller than the size of the file.
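The deduplication mechanism, Soltani’s bandwidth measurement, and the reason encryption and deduplication do not mix, all worked through in one Python model. This is an added example, not Dropbox’s code: it deduplicates whole files on a SHA-256 digest where the real client works on blocks, and its stream cipher is a toy hash-counter construction standing in for AES, labelled as such and not fit for real use. The sample file, user names and key sizes are constructed for the demonstration.

```python
"""Model of content-addressed deduplication and the side channel it creates.

Added example, not Dropbox's code. Whole-file deduplication on a SHA-256 digest
stands in for the real client's block-level scheme, and keystream_xor() is a toy
hash-counter construction standing in for AES (do not reuse it for anything real).
"""
import hashlib
import os

# Constructed sample file; any repeated content will do.
SAMPLE = b"constructed sample content for the dedup demo\n" * 200


class DedupServer:
    """Keeps exactly one copy of each distinct blob and links accounts to it."""

    def __init__(self):
        self.blobs = {}       # digest -> stored bytes
        self.accounts = {}    # user -> {filename: digest}

    def has_blob(self, digest):
        return digest in self.blobs

    def store(self, digest, data):
        self.blobs[digest] = data

    def link(self, user, filename, digest):
        self.accounts.setdefault(user, {})[filename] = digest


def client_upload(server, user, filename, payload):
    """Upload protocol: send the digest first, send the bytes only if the server lacks them.
    Returns the number of bytes that crossed the wire, which is what a packet sniffer sees."""
    digest = hashlib.sha256(payload).hexdigest()
    wire = len(digest)                       # 64 hex characters
    if not server.has_blob(digest):
        server.store(digest, payload)
        wire += len(payload)
    server.link(user, filename, digest)
    return wire


def keystream_xor(key, nonce, data):
    """Toy counter-mode stream cipher: XOR with SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(key, data):
    """Fresh random nonce per upload, so equal plaintexts never yield equal ciphertexts."""
    nonce = os.urandom(16)
    return nonce + keystream_xor(key, nonce, data)


def run_scenario(client_side_encryption):
    """Two users upload the same file; then an outsider uploads a copy as a probe."""
    server = DedupServer()
    keys = {u: os.urandom(32) for u in ("alice", "bob", "investigator")}   # user-held keys

    def upload(user, filename):
        payload = encrypt(keys[user], SAMPLE) if client_side_encryption else SAMPLE
        return client_upload(server, user, filename, payload)

    alice_wire = upload("alice", "report.pdf")
    bob_wire = upload("bob", "report.pdf")
    probe_wire = upload("investigator", "probe.pdf")
    return {
        "alice_wire": alice_wire,
        "bob_wire": bob_wire,
        "probe_wire": probe_wire,
        "stored_blobs": len(server.blobs),
        # The side channel: a near-zero upload means somebody already stored this file.
        "file_already_present": probe_wire < len(SAMPLE),
        # Whether the provider holds plaintext it could hand over.
        "server_can_read": SAMPLE in server.blobs.values(),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("client-side encryption:", mode, run_scenario(mode))
```

With plaintext deduplication the second and third uploads cost only the digest, the investigator learns the file is already present, and the server holds readable data. With a key held only by the user, each upload carries a different ciphertext, nothing deduplicates, the probe learns nothing, and the server never sees the plaintext; that is the storage and bandwidth cost Soghoian describes the company as avoiding.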

On April 1, 2011, Marcia Hofmann at the Electronic Frontier Foundation contacted Dropbox to let them know about the flaw, and that a researcher would be publishing the information on April 12th. “There are plenty of horror stories of security researchers getting threatened by companies, and so I hoped that by keeping my identity a secret, and having an EFF attorney notify the company about the flaw, that I would reduce my risk of trouble,” Soghoian opined.

At 6:15PM west coast time on April 11th, an attorney from Fenwick & West retained by Dropbox left Marcia a voicemail message, in which he revealed that “the company is updating their privacy policy and security overview that is on the website to add further detail.”

Marcia spoke with the company’s attorney this morning, and was told that the company will be updating its privacy policy and security overview to clarify that if Dropbox receives a warrant, it has the ability to remove its own encryption to provide data to law enforcement.

It is unlikely that the millions of existing Dropbox users will stumble across the new privacy policy in their regular web browsing. As such, the company should send out an email to its users to let them know about this flaw, and advise them of the steps they can take if they are concerned about the privacy of their data.

The Information Technology (Amendment) Act, 2008 was notified on October 27, 2009 along with the rules in respect of certain important sections concerning information, blocking of information from public access, rules and regulations for the Chairman and Members of the Cyber Appellate Tribunal, and the constitution of the Indian Computer Emergency Response Team. The rules in respect of Section 43A (protection of sensitive personal data and implementation of best security practices by body corporates), Section 79 (safeguards and due diligence to be observed by service providers and other intermediaries) and e-Governance public private partnership service charges were framed and put on the website on February 05, 2011, and public comments were invited up to March 15, 2011. The draft rules were widely covered by the media and many comments were received. These comments have been incorporated and the rules have been finalized. The rules aim to provide for the protection of sensitive personal information and to help promote the services offered by service providers.

A set of three manuals for creating basic awareness and standard procedures for seizure, acquisition and analysis of digital evidence during investigation of Cyber Crimes have been prepared.  The manuals adequately address the various legal provisions, Dos and Don’ts and best practices.  The manuals have been evolved in a generic tool specific manner and the content is presented in a simple format so that it can be used primarily by Law Enforcement Officers and Computer Forensic Scientists who would be doing the investigation in the field.  The manuals can also be used by Lawyers, Prosecutors and Judges who are making efforts to become more familiar with technical, legal and evidential aspects of investigating and prosecuting cyber crimes.  The copies of the manuals would be made available to all Police Stations, Central and State Forensic Labs and Courts.