On This Episode…

Craig is back with another Security Thing. Today, he talks about the dangers of using Box, Dropbox, and other cloud storage services.

Below is a rush transcript of this segment, it might contain errors.

Airing date: 04/11/2019

Dangers Of Using Box Dropbox

Craig Peterson 0:05
Hey, good morning, everybody, Craig Peterson here. And of course, it’s time for our It’s a Security Thing. Man, I have been so busy the last few weeks delivering on my cyber security course. I have to apologize because I was looking in the logs and it’s been like two or three weeks since I got a Security Thing podcast out. So sorry about that, everybody. But today, we are going to be talking about a real danger that many businesses are facing when it comes to using software as a service. You know, it has been kind of billed as a panacea for everybody: hey, listen, you don’t have to worry about your servers, your file servers, your employees, etc. Just use this cloud service. That’s what software as a service is. Instead of buying some software and having to run it yourself, all you have to do is stick it up in the cloud. And once it’s up in the cloud, my goodness, then you’ve got professionals who know what they’re doing that are going to keep all of your data safe, and hopefully keep your data backed up and keep the software up to date. Right? It’s just wonderful. In reality, that’s not the case. And there’s a great article that I put up on my website this week that’s talking about security professionals, IT professionals, saying the biggest threat that they have is, drumroll please, internal users. And the reason they’re saying their own user base is the biggest threat is because they just are not educated enough. And you know, they’re not IT professionals. Well, even if you are an IT professional, what we’re going to talk about right now is a problem that affects dozens, probably hundreds of companies. Right now this researcher found dozens; it’s called Adversis, the cybersecurity firm, and they found dozens of companies that had misconfigured their Box account. Now Box is used by many companies. We use it ourselves, we use it for communicating with clients, we have it set up for other clients. Now, we’ve kind of switched from Box to Dropbox because I like the integration better. 
But still, some of our clients are using Box. And these security researchers found that many people who are part of these corporate accounts on Box, Box calls them their enterprise accounts, have been sharing files. Well, you know, isn’t that part of the purpose of using Dropbox or Box, to be able to share files with other people within the organization and outside of the organization? I do it all of the time. And the answer is yes. Obviously, that’s one of the purposes of using Box.

Craig 2:58
But by default, what are your settings when you create this link to share? Because once you’ve created this link, if you use default settings, that link can be used by anyone inside or outside your company to be able to access the information. So what you have to do, and this is true in Google Docs, have you noticed this before? If you have a Google document or a file in Google Drive, and you share it, you do have the option to change the default. So by default, it’s anyone with the link can view, for instance, in Google Docs, and you can change it to they can edit it. I think that there’s a third option, I can’t remember what it is right now. But you can change those settings. But by default, it’s view. Well, in the case of Box here, and they may be changing this, but they have found that the default in Box allows anyone to be able to view the data that is shared with the link, which is not terrible, right. But here’s your problem. We’ve got now Singapore Airlines, where we found online a link to their Box account, and you’re able to get in there and change reservations that were booked with Amadeus. Apple, with several folders exposed containing what appeared to be non-sensitive internal data such as logs and regional price lists.

Craig 4:33
Oh that’s not sensitive right?

Craig 4:35
Reading from the article here that you can find on my website, and on TechCrunch where it originated. Discovery Network had more than a dozen folders. Edelman, I’ve worked with them many times, they’ve booked many guests on my radio show, hundreds. That’s a big public relations firm. They had an entire project proposal for working with New York City mass transit divisions, including all of their detailed proposal plans, more than a dozen resumes of potential staff for the project, including their names, email addresses, phone numbers, etc. Herbalife left several folders exposed containing files and spreadsheets on about 100,000 customers, including names, email addresses, phone numbers. Opportunity International, this is a nonprofit, exposed a massive spreadsheet list of donor names, addresses and account information, amount given. Schneider Electric, Pointe Claire, United Tissue Network. I’m not going to go through all of these, I’ll just kind of stop there. But my goodness gracious.

Craig 5:38
So how do you stop this from happening, because you do want to be able to share, that’s part of the purpose of these things like Box and Dropbox? Well, there is a default setting for your business. When you’re in there, make sure the default setting is to share with internal company users by default. So that someone, if they want to share it outside of the company, has to purposely change the setting to share that file or that folder with someone outside of your company’s account, your Box account or Dropbox account. Now this actually reveals another potential security problem, and that is that you could have someone, for instance, I’ve seen this before, a sales guy, I hate to keep picking on sales guys, but a sales guy who shared a whole folder of all of the company’s customers, all of their contact information, all of their purchases, payment records, everything, he shared it with his personal email address, and then ended up leaving the company within about, I think it was a week. Isn’t that surprising? Well, isn’t that special? And so now he had all of the company’s information. Of course, he ended up getting sued over this whole thing once that company figured out what had happened. Which means, again, if you’re an IT professional, make sure these sharing sites are configured to only share by default internally. Make sure also you audit what’s being shared and with whom, because the enterprise editions from Box and Dropbox both give you that option. You might even want to tie it in with an API into an internal database where you record the logs, you save them and you analyze them. And then make sure you educate your internal user base about some of the risks of sharing these files. And for everyone out there, remember that just because it’s software as a service, and it’s a cloud service, whether it’s Microsoft, Google, or in this case Box, remember that they are maybe professionals, but their number one concern and priority is not your data. 
And if you don’t get a high enough level of service with them, you might be completely out of luck. And this is something I see all of the time. You know, we’ll put in a proposal and say okay, here’s what we’re going to do for you, here’s what we’re going to provide you, because you want to move to the cloud: we can provide you with Microsoft email and Office 365, so you can run all the Office apps on all your devices and link it together. And they come back and they say no, thanks, we’re all set. And then we find out later on, they just went and bought a regular subscription to Office 365. And it wasn’t doing backups. And it didn’t have data locked down. It didn’t have restrictions on it. And it didn’t have the right kind of filters, and they ended up getting compromised because they didn’t know what they were doing. And Microsoft just doesn’t care about you, frankly, they just don’t. You are a number to them. And you think when they’re billing you 20 bucks a month, they’re going to pay much attention to you? The answer is no. Of course not.

Craig 9:04
So anyhow, keep an eye out. Be careful out there. Software as a Service, cloud services, are not a panacea. And most IT departments surveyed in this country say that it is right now their number one concern. So take care, pay attention.

Craig 9:24
You know, it’s a Security Thing. And I’ll probably be back tomorrow; I think I’m going to be able to carve out a little time to do a recording for you for Friday, because every day there’s another security breach. This is another recent one, by the way, the eighth of March this came out. So about a month old.

Craig 9:40
Take care everybody. Bye Bye. Thanks for listening.