The Cyber Chronicles | Episode 5 – Cloudy With a Chance of Breach

Navigating ‘the Cloud’

Let’s talk about “the Cloud.” You know the Cloud, right? It’s a place to store your information on a bunch of other people’s computers that you don’t control. Oh, and you also have no control over whether your information is stored on the same hard drive as that of a Russian hacker, or an NSA toolkit, or perhaps just some company’s data, maybe like LinkedIn’s user database, or some other valuable information that makes the server where your data also happens to reside a frequently targeted environment.

AWARE

Let’s talk about how awesome the Cloud is … you don’t have to pay the electricity bill, you don’t have to upgrade the OS, you don’t have to do any administration at all, in fact. You just drag and drop your data and, presto, you’re using the Cloud!

Of course, you also have no way to confirm the OS is properly patched and upgraded, but we can certainly trust all these major corporations to be doing things right. Right? Hello? Ferris?

Anyone

If you’re an observant reader, you might be sensing that I’m suspicious of the Cloud. Well, yes, a little bit, but I’m trying to get you to be suspicious of the Cloud, because right now most of us spray data out into the Internet like I spray my kids with a hose on a 105-degree day – without a second thought! And with data, we don’t know where it’s going, whether it’s private or whether you can effectively get it back. I can delete a file today, but if you copied it yesterday, you still have my data. I bet Jennifer Lawrence wishes she had thought about that pesky reality.

There are so many issues with the Cloud I had a hard time deciding what to talk about. But true to form, I decided to tell you a story. It was a bit difficult to put together the pieces because they go back to 2011 — the Mesozoic era of the Internet. (That works out to 66 million Internet years … I’m not quite clear on the math, but why are you distracting me?)

CARE

So … back in 2012, Dropbox announced they were investigating a strange increase in spam being received by Dropbox users. Dropbox even hired third-party experts to check it out. Reassuringly (at least back when you could trust people on the Internet … wait, you used to trust people on the Internet?), they found no evidence of a security breach.

Dropbox posted the following on its customer forums:

Now those would have been reassuring words, except that slightly less than a year previously Dropbox had to admit that it had accidentally published code to the company’s live, public site that allowed anyone to sign in to any Dropbox account without a password. (I imagine right about now you’re feeling really good about storing your tax returns on Dropbox.)

But let’s return to 2012. Dropbox had an outside party investigating the strange amount of spam, and that outside party concluded: “Move along! Nothing to see here …”

Except that on July 31, 2012, Dropbox sheepishly announced:

“We’ve been working hard to get to the bottom of this …”

And you probably know how this ends. Instead of “no intrusions and no unauthorized activity,” as previously announced, it turns out: “Our investigation found that usernames and passwords recently stolen from other websites [always pass the buck – it can’t be your fault] were used to sign in to a small number of Dropbox accounts” (emphasis and words in [brackets] are mine).

Fast forward to 2016, when it was revealed that the “small number” of Dropbox usernames and passwords stolen turned out to be 68,680,741. (Just to confirm, that’s 68.7 million.) Guess how we found that out? Four years later, someone posted them for sale online. Oh, minor point: That’s how Dropbox found out too.

PREPARE

So, full confession: I’m a Dropbox customer. It’s just so darned convenient. However, I take several precautions, which I’ll share with you in a moment here. Before we go there, I want to make sure you know I’m not picking on Dropbox (well, maybe a little), because I could have chosen any of several Cloud companies, and they would have looked equally bad. It’s just seeing the details of reality all up close like this that smacks us in the face. We could have focused on Cloud companies’ data utilization policies, their basically non-existent privacy policies or what happens to your data when a fledgling Cloud storage company goes out of business (who wipes those repurposed servers?), but I had to pick something, and this story wasn’t writing itself.

What should you do to keep your data safe in the Cloud?

  1. Never store anything online that you wouldn’t want your next-door neighbor to read.
  2. Always use a lengthy, complex password.
  3. Never use a password that you’ve ever used anywhere else. (Read this cautionary tale for a reminder of the “why.”)

Let’s give some specific examples:

  • Don’t back up your Quicken (or any other financial software) data to the Cloud.
  • Don’t put your W2, your tax returns, your budget spreadsheet or any other financial information in the Cloud.
  • Don’t back up an entire old hard drive to the Cloud. Do you really remember everything you had stored on there?
  • Don’t put a list of passwords in the Cloud.
  • Remember when you had to scan in your driver’s license and upload it to someone? Don’t store that in the Cloud.

I think you get the picture. We’re all going to use the Cloud – that’s inevitable, but you’d better be paranoid about what you put up there. Information is a valuable commodity in this digital age, and the Cloud is really just a digital neighborhood with glass walls.
