[Info-vax] Cloud Security - 68M accounts hacked on Dropbox

johnwallace4 at yahoo.co.uk
Sat Sep 3 05:38:33 EDT 2016


On Saturday, 3 September 2016 10:04:21 UTC+1, Paul Sture  wrote:
> On 2016-09-02, MG <marcogbNO at SPAMxs4all.nl> wrote:
> > Op 1-sep-2016 om 22:00 schreef Kerry Main:
> >> As a follow-on note to this - 68M account passwords hacked on Dropbox.
> >> https://www.theguardian.com/technology/2016/aug/31/dropbox-hack-passwords-68m-data-breach
> >> https://blogs.dropbox.com/dropbox/2016/08/resetting-passwords-to-keep-your-files-safe/
> >>
> >> While security is always a concern, the big issue with public cloud
> >> offerings is loss of control over security policy.  Some companies
> >> even have a policy that states storing any company information on
> >> Dropbox or other similar Internet file sharing offerings is
> >> potentially a company termination offense.
> >
> > For this reason I never wanted to use anything from "the Cloud"
> > or "Cloud-based".  (Hasn't anyone also learned anything from
> > the iCloud debacle?)
> 
> But if you point it out, many will try to shout you down.
> 
> Here's another gem for you:
> 
> <http://www.zdnet.com/article/google-wont-fix-login-page-flaw-can-lead-to-malware-download/>
> 
> ----
>     Google has said it will not fix a potential security flaw that could
>     trick a user into downloading malware from its login window.  But
>     Google said that the redirect page has to fall within "*google.com"
>     domains, limiting its impact.
> 
>     The problem, said Woods, is that malware hosted on
>     "drive.google.com" or "docs.google.com" which fall within the Google
>     subdomain parameters could still be used to serve up malware, and
>     hide it as a genuine Google login page.
> ----
> 
> The above article comes to you courtesy of Risks Digest, a good read but
> sometimes quite depressing.
> 
> Yesterday's issue:
> 
> <http://catless.ncl.ac.uk/Risks/29.74>
> 
> Risks Digest is also published on the comp.risks newsgroup
> 
> -- 
> It was untidy, so got unplugged.
> It was unplugged, so got thrown away.

And this is the company that some people are pointing to as an
example of the way things should be done.

Even the recently linked whitepaper [1] on how Google no longer
distinguishes between internal and external access to their data,
apps, etc. ended with a throwaway paragraph equivalent to "this
works for our DIY stuff but we haven't tried it with any real
world use cases."

[1] Sorry, URL forgotten already.
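The quoted ZDNet item boils down to a redirect-target check that accepts any host under "*google.com", including hosts that serve user-uploaded files. The following is an added illustration of that weakness beside a stricter policy; it is not code from the article, from Google, or from this list, and the host names in the allowlist and the user-content set are assumed for the example.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Suffix the weak check matches against (the "*google.com" pattern in the article).
FIRST_PARTY_SUFFIX = "google.com"

# Hosts that serve content uploaded by arbitrary users (assumed set for this
# example). A redirect to a file here still "falls within" the suffix check.
USER_CONTENT_HOSTS = {"drive.google.com", "docs.google.com"}

# Hardened policy: an explicit allowlist of first-party destinations
# (assumed names) and https only. User-content hosts are simply not listed.
REDIRECT_ALLOWLIST = {"www.google.com", "mail.google.com"}


def hostname(url: str) -> Optional[str]:
    """Return the lower-cased hostname of url, or None if it has none."""
    host = urlsplit(url).hostname
    return host.lower() if host else None


def weak_redirect_ok(url: str) -> bool:
    """Suffix match: the bare domain or any subdomain of it is accepted."""
    host = hostname(url)
    if host is None:
        return False
    return host == FIRST_PARTY_SUFFIX or host.endswith("." + FIRST_PARTY_SUFFIX)


def strict_redirect_ok(url: str) -> bool:
    """Exact-host allowlist plus scheme check; no subdomain wildcard at all."""
    return urlsplit(url).scheme == "https" and hostname(url) in REDIRECT_ALLOWLIST


def audit(urls) -> Dict[str, Tuple[bool, bool, bool]]:
    """Per candidate target: (weak accepts, strict accepts, host serves user content)."""
    return {
        u: (weak_redirect_ok(u), strict_redirect_ok(u), hostname(u) in USER_CONTENT_HOSTS)
        for u in urls
    }


if __name__ == "__main__":
    # Constructed sample targets: a real mail page, a user-uploaded file, an outside site.
    for url, verdict in audit([
        "https://mail.google.com/mail/",
        "https://drive.google.com/uc?id=EXAMPLE",
        "https://example.com/",
    ]).items():
        print(url, verdict)
```

The second sample target is the case the article describes: the weak check passes it, the strict allowlist does not.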
