NOT another IT Question!

Joi Phillips said:

I keep a lot of my files in dropbox because I bring work home sometimes (all of the time!). I do not like using a USB because I keep losing them. My question is, is this secure? How do I make sure it is not being accessed by anyone? Is there like a record that I can look at to make sure that no one else have access to my files?

Click to expand...

#1: Don't bring work home. It rarely pays off unless you are working for yourself.
#2: The techies will tell you, but very few things are totally secure, from what I have read/seen.
#3: By USB, do you mean a thumb drive or some other portable storage device?

Not a techie

Off the top of my head, the safest bet--especially if it's for work items--is to use a VPN (virtual private network) provided by the company. Otherwise, if you get a third-party VPN, the free ones aren't secure (obviously).

Another idea is to keep a sharp eye on timestamps. If you access Dropbox via a web browser, you can click on Events on the left side to see when and which files have been moved/added. However, if you're looking for a "last viewed" option or something similar, assuming you have the Dropbox program downloaded to your computer, you can open the folder containing the file to see details such as "last viewed/opened/modified/etc." This would work for both Windows (Windows Explorer) or Macs (Finder).

This last idea is sort of a hassle, but you could download third-party software that adds passwords since I think Windows 7 and only has an encrypt method.

That's all I can think of for now!

T Robinson said:

#2: The techies will tell you, but very few things are totally secure, from what I have read/seen.

Click to expand...

As far as online storage services are considered, "very few" may as well be "none." Dropbox has been hacked repeatedly. As has Google Drive, OneDrive, iCloud, Amazon S3, and a lot of other services most people have never even heard of. But there's good news here: hackers like to target places like Dropbox because actually getting into your Dropbox account is a secondary benefit. The primary thing they want is your username and password. That's because most people use the same login and password for everything. So, once they can get into your Dropbox, they're in your bank account too. That secondary benefit is the off-chance that you might have something in your Dropbox which could be valuable to them: anything from private photos to personal information. But what writers would use Dropbox for is of little interest to them. They generally don't care about your WIP.

The good news is that you can mitigate this problem with password storage services such as LastPass (paid service) and KeePass (open-source free service). The idea is that you can keep your one simple phrase-based password in order to open your password database, and then let the program create incredibly complex passwords for you. 24 totally random characters is more difficult to crack than passwords based on phrases (yes, even with number/letter substitutions). It's like having a keychain in your pocket. It's just the tiniest bit of a pain in the ass when you have to sign in from a device you don't own, and therefore must painstakingly copy your password letter by letter from your database. The bonus is that this way, you can easily keep different login/password pairs for every site that has any of your sensitive personal information (SSN, DL#, payment types, etc), and then change them regularly (you should do this).

Look at it like it was your keychain. You wouldn't want the same key that opens your car to also open the front door to your house, your safety deposit box, or your home safe. You want your keys to be complicated and hard to duplicate. And you want to be able to occasionally change the locks, especially if you're in a bad neighborhood.

Keep in mind that for places like these wonderful forums aren't something that you have to engage this super-high-paranoid mode for. But confidential work information or things that could help attackers commit credit card or identity fraud definitely deserve the best security you can manage.

I don't use dropbox so I can't comment on that, but I do use google drive, which is connected to your gmail account. The great thing about that is you can ask for a notification of there is any suspicious activity on your account, you can check who has accessed your account and can also create a double layer of protection, where anyone who logs into your account from an untrusted source will then have to type in a code that is SMSed to your phone. Without the unique code they cannot access your account. As a bonus it integrates nicely with Google's own online software (Google docs) that will allow you to edit your documents, and eliminate the problems associated with potentially outdated software sitting on your PC.
If you decide to go this route, we'll have to walk you through setting up the extra security, but it's worth it for your peace of mind. At the end of the day, nothing digital is completely secure, not even a flash drive, but you can do things to minimize your risk.

The Dropbox desktop client has a exploit for viruses, but using it web only (just drag and drop, no program running on your desktop) plus encrypting your work into a file, with truecrypt or similar is safe.
Some will tell you truecrypt isn't safe because a header encryption yada yada, well, that's true if you use a short password, use a long one and that won't be a problem.

From an enterprise perspective, personal accounts at services like DropBox are terrible.

It really is not about the actual security. It's about documenting that *only* the intended people have access. Personal accounts don't have good auditing for this.

Locke said:

As far as online storage services are considered, "very few" may as well be "none." Dropbox has been hacked repeatedly. As has Google Drive, OneDrive, iCloud, Amazon S3, and a lot of other services most people have never even heard of.

Click to expand...

This. If you have confidential information, never put it online. Anywhere. Even having it stored on a computer connected to the internet is a risk, but usually that is an acceptable one.

If you frequently forget or misplace your USB drive, get one that attaches to your key chain. You don't forget or lose your keys, do you?

robjvargas said:

From an enterprise perspective, personal accounts at services like DropBox are terrible.

It really is not about the actual security. It's about documenting that *only* the intended people have access. Personal accounts don't have good auditing for this.

Click to expand...

Many corporations have strict policies against these kinds of accounts. A variety of laws come into play, particularly if you have any patient medical data or student records involved, and insurance agencies often require certain security policies to give businesses good rates.

This also means many corporations will restrict your ability to take personal USB devices to and from work. Often because of data security concerns, but almost always because of the fear that employees will bring a virus-infected thumb drive from home to work and spread the virus across the company's internal network, which often lacks (for monetary reasons) the security of the outward facing network.

Alina T. said:

Off the top of my head, the safest bet--especially if it's for work items--is to use a VPN (virtual private network) provided by the company. Otherwise, if you get a third-party VPN, the free ones aren't secure (obviously).

Click to expand...

This is the way to go. If your business requires you to take work home, demand a VPN be set up for you. If they refuse, tell them you'll have to bring it home by far less secure methods and see what they say. If they don't care, get it in writing. Any data loss at that point becomes their cross to bear.

If they don't require you to take work home but you want to (for some strange reason), you can still request a VPN. Otherwise, attach a USB drive to your key chain and if still concerned, encrypt the whole drive.

One alternative to a USB drive that you may already have with you is a cellphone or tablet. If either has the capability to copy files over USB (Android does, don't know about iPhone), all you need is the cable. Plus, the cables are cheap, so you can just buy a spare and keep it at your desk.

Joi Phillips said:

...since I work in a company that is starting to embrace technology

Click to expand...

*puts on dayjob hat*

Step one is protecting you. The best way to do this is whichever way your company says to, in writing.

Step two is PLEASE, do not mix work and personal stuff. Don't send work to/from personal emails, saved on personal hardware, including USB drives.

As you indicate, your company is "embracing" technology. They will make mistakes. Most do. Lawsuits are practically a form letter a person can file on line. So are FOIA requests. If you mix business and personal data, the wording of the FOIA and a good lawyer can have whoever is taking legal action against the company in the middle of your personal business.

Protect you.

> I keep a lot of my files in dropbox because I bring work
> home sometimes (all of the time!)

Just adding my voice to the "don't use personal equipment for business".

-- corporate laptops --

Ask your IT department to either buy you a laptop or swap the desktop machine you have for a laptop + docking station. Having the company pay and deal with maintaining the laptop puts the legal monkey squarely on their shoulders. THEY gets you the proper office software, corporate license and all. THEY deal with viruses and other nasties. THEY do the maintenance, software upgrades, et al.

And more importantly, THEY provide the procedure, tools (backups + corporate data protection), and policies for you to work outside your office. If THEY don't want you to work home or don't provide you with the proper means, just don't do it.

-cb

Locke said:

One alternative to a USB drive that you may already have with you is a cellphone or tablet. If either has the capability to copy files over USB (Android does, don't know about iPhone), all you need is the cable. Plus, the cables are cheap, so you can just buy a spare and keep it at your desk.

Click to expand...

In any practical sense, this is no different than a USB drive. Except that it can now be directly accessed via cellular data networks.

robjvargas said:

In any practical sense, this is no different than a USB drive. Except that it can now be directly accessed via cellular data networks.

Click to expand...

Except that it's not a common vector for hacking attacks. On an encrypted device, you'd have to first defeat or work around the cellular network and then defeat the device security in order to get in from the outside. Though I do suppose it's technically possible, if the user allows some sort of malware in, to get a program to expose the device from the outside, which is fairly simple to protect against. It's no less secure than connecting a USB drive to a computer that's connected to the internet in any way.

This also assumes that the device is connected to cellular networks. Many tablets are not. I was simply giving an option to have portable storage without fear of losing a USB drive.

Locke said:

Except that it's not a common vector for hacking attacks. On an encrypted device, you'd have to first defeat or work around the cellular network and then defeat the device security in order to get in from the outside. Though I do suppose it's technically possible, if the user allows some sort of malware in, to get a program to expose the device from the outside, which is fairly simple to protect against. It's no less secure than connecting a USB drive to a computer that's connected to the internet in any way.

This also assumes that the device is connected to cellular networks. Many tablets are not. I was simply giving an option to have portable storage without fear of losing a USB drive.

Click to expand...

This was also a question about security, though. These are simply bigger USB storage devices. But with an operating system that is subject to exploit.

That's not so much a given. According to one article:

“The Masque bug in iOS and the corresponding WireLurker malware targeting iOS devices via Apple and Windows port-machines, had a lot of experts saying that the age of Apple malware is finally upon us,” says Kaspersky, although it also points out that this is still most likely to affect people who’ve jailbroken their devices.

Click to expand...

You can only get so paranoid until you're wearing a literal pair of tinfoil pants on your head, though.

Joi Phillips said:

What I am doing right now is for sensitive files, I also have PWs for my MS Office files like word and ppt. So, I have a PW for some of my files and a PW for dropbox itself.

Click to expand...

Microsoft warns that password protection in MS Office is NOT real encryption. The password itself isn't all that strongly hashed, and the encoding isn't hard to reverse engineer. There are all kinds of programs out there that recover PW-protected Office files for exactly this reason.