The Dropbox Hack, proudly alive since 2012!


“You don’t know the power of the Dark Side.”

(Darth Vader)

 

The other day, I found myself listing the different threats that can end up with a website's security being compromised. It's a big list, as you can imagine…

 

Being in the business for over a decade, I've had my fair share of close encounters with DDoS, brute force attacks, malware and spammers.

 

Through all of this, there is one line of reasoning that usually made me feel a little safer by the end of every day: the idea that a hack would involve some kind of deceptive move, followed by some form of attack that tries to:

 

  • Gain access to sensitive information such as your credit card details, user ID and passwords, etc.
  • Run some type of program that will damage your files or machine, just for the sake of it!
  • Take control of your machine and use it for some wrongdoing, making it part of a botnet or zombie army, if you will.

 

Those are the most common ones, not the only ones of course. Moreover, in my mind I was preset to believe that hackers would only act this way. The truth of the matter is different, though.

 

Strategy is a big part of any competitive game, and the more competitive the industry, the better your strategy should be.

 

The web environment is THE zillion-dollar game! And online strategy is of the utmost importance.

 

A lot of businesses nowadays depend directly or indirectly on their web presence. The bigger the company, the higher the chance that an important cut of its revenue comes straight from its online presence. That is also where the hacking strategy lies:

 

Instead of rushing to attack using a newly found breach, in some cases it pays for a hacker or cracker to play strategically and wait.

 


“Chess is war over the board. The object is to crush the opponent's mind.”
(Bobby Fischer)

 

How, step by step:

  • Plant a small exploit in a fairly decent piece of software, preferably something that solves a critical management problem in a fast-growing industry or service vertical;
  • Wait for the software to be deployed in several hundreds or thousands of companies;
  • Monitor software patching to make sure the exploit stays active and healthy;
  • When the pot is big enough (be it data, privilege escalation or a DoS attack), the exploit is activated.

 

In 2012 Dropbox (a cloud-based storage service) was hacked. The breach exposed around 68M accounts, with user names and passwords now leaking online on a daily basis. That was 4 years ago, and there lies the problem… (we won't bother discussing the security issues that led to this; that's for another day).

 

For roughly 4 years, that data was very probably traded on the dark web to other hackers, crackers and scripters. If it hadn't been spotted, it would probably still be out there, alive and kicking, being used and abused by whoever got hold of it.


Why is this really bad?

By definition, people are lazy. This probably includes you and me too. We do not like to memorize a new password every time we sign up for a new web app, online news service, social network, etc. By the way, this also applies to the originality and length of your passwords.

 

By having your user name and password for one service, hackers can access other services you use, such as email accounts, social network accounts and much more. This way, they can gather personal information that gives them a very interesting knowledge of your persona.

 

PayPal accounts, bank accounts, hosting services, website admin panels: nothing is truly safe after that. Not to mention that it is possible to infect one of the above services with a keylogger or spyware to gain further access and privileges.
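The flip side of the reuse problem is that a service operator can act on it. As an added example (this is not code from the original post or from Dropbox), here is how an operator can screen their own user base against a leaked credential list when a third-party dump like this one surfaces, without ever keeping plaintext passwords: each leaked password is run through the user's own salted PBKDF2 hash and compared, and only matching accounts are flagged for a forced reset. The leaked pairs, the accounts and the iteration count are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample: a few email/password pairs as they might appear in a circulating dump.
LEAKED_CREDENTIALS = [
    ("alice@example.com", "summer2012"),
    ("bob@example.com", "dropbox!"),
    ("carol@example.com", "hunter2"),
]

# Constructed accounts on "our" service. alice reused her leaked password,
# bob picked a different one, dave was never in the dump at all.
OUR_ACCOUNTS = [
    ("alice@example.com", "summer2012"),
    ("bob@example.com", "a-different-long-passphrase"),
    ("dave@example.com", "unrelated-pass"),
]

# Assumed work factor for this illustration; production values should be tuned to the hardware.
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a random per-user salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored salt/digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def build_user_store(accounts):
    """Our own user store: email -> (salt, digest). No plaintext is retained."""
    return {email: hash_password(pw) for email, pw in accounts}


def find_reused_credentials(user_store, leaked):
    """Return the emails whose password on our service equals the leaked one for that same email.

    Only accounts present in both sets are checked, and only the leaked password is
    tested against that one account, so this is a screening step, not a guessing loop.
    """
    flagged = []
    for email, leaked_pw in leaked:
        record = user_store.get(email)
        if record is None:
            continue  # not one of our users
        salt, digest = record
        if verify_password(leaked_pw, salt, digest):
            flagged.append(email)
    return sorted(flagged)


def reused_on_our_service():
    """Run the screen over the constructed store and dump; returns ['alice@example.com']."""
    store = build_user_store(OUR_ACCOUNTS)
    return find_reused_credentials(store, LEAKED_CREDENTIALS)


if __name__ == "__main__":
    for email in reused_on_our_service():
        print(f"force password reset and notify user: {email}")
```

The salted hash is what makes this safe to run: the operator never needs the users' plaintext, and a leaked password only "matches" when the user really did reuse it. Accounts that match get a forced reset and a notification; everyone else is left alone.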


What now?

Think back: what other services do you use that could also be compromised?

The best thing to do is go there and replace your old passwords with new, stronger ones. More on how to do it and how to remember them here.

Also, get a good security suite for your devices (don't leave your phone out). You can find good, honest reviews here.

 

Hope this helps and please remember:

  • If you are an individual, keep your personal passwords BIG and hard to CRACK.
  • If you are a company, enforce security procedures for your staff.

 

Just my two cents.

If you have anything to comment, go ahead!

 

Regards,

Rui
