[Info-vax] Cloud Security - 68M accounts hacked on Dropbox

IanD iloveopenvms at gmail.com
Thu Sep 1 19:12:31 EDT 2016


On Friday, September 2, 2016 at 6:05:06 AM UTC+10, Kerry Main wrote:
> > -----Original Message-----
> > From: Kerry Main [mailto:kemain.nospam at gmail.com]
> > Sent: 30-Aug-16 10:31 PM
> > To: 'comp.os.vms to email gateway' <info-
> > vax at rbnsn.com>
> > Subject: RE: [Info-vax] Should VSI create a security bug
> > bounty program for VMS ?
> > 
> 
> [snip]
> 
> > 
> > One only has to look at the recent US Elections hacking
> > sagas to understand that the hacking world is rapidly
> > getting out of control. News tonight was FBI is launching
> > formal investigation into whether foreign govt's are trying
> > to manipulate US election voting.
> > 
> > 
> 
> As a follow-on note to this - 68M account passwords hacked on Dropbox.
> https://www.theguardian.com/technology/2016/aug/31/dropbox-hack-passwords-68m-data-breach
> https://blogs.dropbox.com/dropbox/2016/08/resetting-passwords-to-keep-your-files-safe/ 
> 
> While security is always a concern, the big issue with public cloud offerings is loss of control over security policy.  Some companies even have a policy that states storing any company information on Dropbox or other similar Internet file sharing offerings is potentially a company termination offense.
> 
> Regards,
> 
> Kerry Main
> Kerry dot main at starkgaming dot com

/Start of Story...

BUSINESS: IT department, we want to implement a new system, it's cloud based

IT: We should review the security aspects of it

BUSINESS: No need, the vendor says it uses the latest security measures

IT: You do realise that there is no such thing as a secure system right?. We did a quick preliminary look and are concerned around certain areas of the software

BUSINESS: How long will it take and what will it cost to perform the review?

IT: abc weeks and $ xyz

BUSINESS: That will put us behind in project implementation and we have no budgeted for security, no we will go with what the vendor says, after all they are the experts

IT: ok

BUSINESS: Oh and btw, your being outsourced in 2 months time anyhow and all the systems will be moved to a new cloud based system, we will save millions! Our competitors are already there, we need to catch up with them on cost reductions and we can tell our customers we are cloud ready too. It's nothing personal you understand but the world has moved on from managing all this infrastructure in-house...

IT: Hmmmm

3 months later...

News Flash: Massive security exploit found in qwe's software offering, businesses hacked, customer data stolen, business hit with millions in lost productivity losses

BUSINESS: I want a review of this software, get in a consultancy company

CONSULTANCY Co.: We did a review and found several exploits, some of which would have been fairly obvious at first look. Didn't your internal IT department notice these things? 

BUSINESS: No, we let them go (slowly removes preliminary IT report on security and hides it in a folder marked 'to be shredded')

CONSULTANCY Co.: If your serious about security, we recommend pulling all your confidential based information onto locally managed systems you directly control and assigning proper skilled resources to monitor for ongoing threats and exploits

BUSINESS: ok, we will do that, it doesn't matter about the cost, loss of data and credibility in the public eye we simply cannot afford...

Rinse and repeat around the globe...

/End of story ;-)



More information about the Info-vax mailing list