At the end of August, news broke that two hackers had broken the two-factor security deployed by Dropbox, a cloud storage platform used by millions of people across the globe. The hackers published their methods in order to promote an open-source version of the program that could, they claimed, be safer for users overall. The hack puts cloud providers and users on edge: how safe is SSL?
Dropbox is quoted at Computerworld as saying the method used would actually require a compromised user computer first, using additional hacks. The two programmers, however, stated that they were able to access the Dropbox API itself, tools that the company keeps locked down.
The hackers used code-injection and monkey patching to gain access to user data despite SSL security layers. Monkey patching and code-injection are similar strategies that can be used maliciously to add code at runtime. When users run a program, the additional code sent from the attacking computer is executed or added to the program, allowing root access or modifying the behavior of a program without access to the original source code. These changes can be made in memory instead of on a hard disk or even sent over a network.
Dropbox may wave off the hackers by saying they would require access to user boxes, but that isn't impossible. User machines can be compromised, especially with the rise of BYOD and shadow IT in companies large and small.
There are security methods that can stave off code-injection type attacks, including randomized cyphers in place before the execution of key program functions. In the end, hackers are a real threat to remotely stored data that must be considered on a daily basis. It is only through a combination of security hardening, SSL, and constant audits and/or cloud security monitoring that hacking attempts can be discovered and thwarted.
When a giant like Dropbox is hacked, it puts all cloud providers on their toes. End-user training including anti-malware tools is a necessity, and IT departments must remain vigilant as well. With monitoring from cloud service providers added to these precautions, sensitive company data can be safely stored in the cloud.
Posted By: Joe Kozlowicz