Earlier this month, security researchers working for Swisscom, Switzerland’s main telecom provider, were able to gain access to confidential data belonging to Box.com’s cloud storage customers. What makes this particular vulnerability unique is how they did so – through popular public search engines such as Google, Bing, and others.
Because of how Box is designed, invitations issued by its users to friends and co-workers automatically generated a URL for accessing a shared folder, along with a public landing page. As users collaborated with one another, some of those landing pages received enough hits to be indexed by search engines. And because Box’s default permissions give users full permission not just to view and download files, but also to upload, edit and rename them, attackers could not only access confidential information, but also modify and delete documents or upload malicious content/malware. All from a simple Google search.
Although no company has yet reported any malicious actions resulting from the vulnerability, several major companies were identified as potential victims by security blog Threatpost, including Dell Technologies, broadcaster Discovery Communications, and biotech firm Illumina.
When Security Isn’t Job One
“From an attacker’s perspective, this is great,” Swisscom Threat Intelligence manager Markus Neis, who originally uncovered the vulnerability, said to Threatpost. “As well as gaining access to sensitive information, this opens the door to social engineering attacks. Attackers can upload their own malware into a project, identify employee phishing targets by email addresses, and simply host malware and share the link.”
Box has taken measures to address the vulnerability, while defending the way it handled invite links as a “feature rather than a flaw.” That, and other public statements, essentially blamed its customers’ “poor privacy practices” for the vulnerabilities, according to UK tech publication CloudPro.
Don’t get me wrong, both Box.com and Dropbox – which revealed last summer that hackers had stolen 60 million user passwords – are very good at what they do. But Box’s consumer-oriented legacy and its inadequate attention to content controls caused a massive security flaw. That’s what happens when you’re not designed from the ground up for enterprises – and incidents like this drive that point home.
Let’s look at what would have happened if Box.com’s customers had been using BlackBerry Workspaces (formerly WatchDox) instead. Built from the ground up for secure enterprise file sharing and synchronization, Workspaces is a closed-loop system. This means that there is no publicly available landing page – the Workspaces sharing process generates no components or content that can be indexed by a search engine like Google or accessed by non-authorized users.
That isn’t the only security feature that sets Workspaces apart from platforms like Box.com:
Every user who wishes to access Workspaces content must first be authenticated by someone with the permissions to do so, even if they have an invite URL.
Workspaces offers file-level authentication. Even if a bad actor did somehow gain access to a folder or other repository, they’d be unable to access the files it contained since they would lack access rights.
Workspaces administrators, who include both IT and regular employees, have complete control over who can access folders and files, and what they can do once they have them. This includes viewing, downloading, editing, printing, and sharing.
Access to a Workspaces file can be revoked at any time, even after a file has been downloaded onto a user’s PC or mobile device.
Finally, Workspaces event tracking logs allow administrators and users to track everything that happens to a protected file – who accessed it, where they accessed it, what device they used, and what they did. This makes it much easier to identify potential intrusions, particularly when coupled with SIEM (Security Information and Event Management) software.
Cloud sharing services like Box.com and Dropbox have their place – but it isn’t in the enterprise. While they’re incredibly valuable for non-business use, they simply aren’t architected for the level of security required to protect data such as intellectual property or medical information. Pretending otherwise puts your business’s critical data at risk – and could even let any Google user find and download it with no recourse.