Posts Tagged ‘Evasion’
I Scare Myself…
Working as a security consultant, I’m always on the road between several customer sites. Some customers allow limited access from remote locations to perform maintenance tasks or investigations via secure access paths.
It always scares me how easy it is to send data outside a security perimeter! But don’t shoot me:
- I’m not trying to steal data or to send confidential data out into the wild Internet;
- I have permission to access the data;
- When I need to grab data, it is always sent encrypted (either the data itself or the connection).
A good example? When I’m asked to update an open ticket with information located on another site. I don’t “hack” the remote site; I always have at least one entry point (VPN, SSH tunnels, etc.). Once logged on to a server or appliance, I simply have to jump to another one. I can use SSH tunnels or any other remote control protocol. There are plenty of tools and ways to reach the needed data.
It scares me: once successfully connected to a server, it should be a piece of cake for a “bad guy” to steal data in so many environments! And if it’s so easy from outside, can you imagine from the internal network? What’s your company’s point of view regarding data leaks? Prevention and awareness are the key words!
DropBox or Drop Your Security Policy?

The Internet is full of very useful free applications designed to help you in your daily life. Dropbox is a good example. Dropbox is software that synchronizes your files online and across computers. From the website: “Put your files into your Dropbox on one computer, and they’ll be instantly available on any of your other computers that you’ve installed Dropbox on (Windows, Mac, and Linux too!) Because a copy of your files are stored on Dropbox’s secure servers, you can also access them from any computer or mobile device using the Dropbox website.”
Sweet!
But what about confidential data? Dropbox announces on its website: “Nobody can see your private files in Dropbox unless you deliberately invite them or put them in your Public folder. Everything in your Public folder is, by definition, accessible to anyone. Otherwise, the only way to access the files in your Dropbox online is with your username and password.” Let’s assume that Dropbox is indeed safe. It’s tempting for a company employee to use Dropbox to transfer files between his office computer and a home computer. From his point of view, there are good reasons to do so (for example, working on a project during the weekend). Even if the file transfer is secured and the files are safely stored by Dropbox, the weak point is the employee’s home computer. It can be stolen, other people can access the sensitive files, etc. And what about a major vulnerability affecting the Dropbox services? What if a user could access other users’ files?
From a networking point of view, Dropbox uses standard HTTP(S) traffic (via ports 80 & 443). It’s easy to bypass local controls and send files outside the security perimeter. Once the software has been installed, no specific network configuration is required: Dropbox works perfectly through proxies.
How to protect your users? First, user access must be restricted so that they cannot install applications on the desktop. But protective (and aggressive) measures alone are not sufficient. Ask yourself why your users tried to export files outside your security perimeter. It was maybe for a legitimate reason. Don’t forget: security measures must protect the users, not prevent them from performing their regular job! Today, the security perimeter is more and more “open”. It’s maybe time to deploy official solutions that let your users access files from remote places.
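Since the traffic rides on ordinary HTTP(S) through the corporate proxy, the proxy log is where a defender can still see it. Here is an added example, not part of the original post: a small Python script that scans proxy access-log lines for uploads to file-sync services and flags users who push a lot of data. The log format, the hostname watchlist and the byte threshold are assumptions made for this example, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
# Hostnames treated as file-sync services. Assumption: the organisation keeps
# this list itself; dropbox.com is the only service the post names.
SYNC_SERVICE_SUFFIXES = ("dropbox.com",)
UPLOAD_ALERT_BYTES = 1_000_000  # per-user upload threshold (constructed value)

# Squid-like access-log line: time, client IP, user, method, host[:port], bytes sent.
# The format is an assumption chosen for this example; adapt it to your proxy.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<user>\S+) (?P<method>\S+) "
    r"(?P<host>[^:\s]+)(?::(?P<port>\d+))? (?P<sent>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # CONNECT without an explicit port means HTTPS; plain requests default to 80.
    rec["port"] = int(rec["port"]) if rec["port"] else (443 if rec["method"] == "CONNECT" else 80)
    rec["sent"] = int(rec["sent"])
    return rec

def is_sync_service(host):
    """Exact or subdomain match only, so 'notdropbox.com' is not a hit."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in SYNC_SERVICE_SUFFIXES)

def summarise_uploads(lines):
    """Return {user: bytes sent to sync services over ports 80/443}."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["port"] in (80, 443) and is_sync_service(rec["host"]):
            totals[rec["user"]] += rec["sent"]
    return dict(totals)

def alerts(lines, threshold=UPLOAD_ALERT_BYTES):
    """Users whose uploads to sync services exceed the threshold, sorted."""
    return sorted(u for u, b in summarise_uploads(lines).items() if b > threshold)

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2010-03-01T09:12:01 10.0.0.12 alice CONNECT www.dropbox.com:443 24576",
    "2010-03-01T09:12:07 10.0.0.12 alice CONNECT www.dropbox.com:443 1048576",
    "2010-03-01T09:13:00 10.0.0.15 bob GET www.example.com:80 512",
    "2010-03-01T09:15:22 10.0.0.15 bob CONNECT notdropbox.com:443 2097152",
]
```

A volume threshold alone will miss slow, steady synchronisation, so in practice pair it with a policy decision on whether the service is allowed at all.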
To conclude this post, Dropbox was just used as an example to warn about the potential security issues that may arise from this kind of tool. Dropbox is a nice tool, but you have to use it in the right way!
