Snapchat and other online services need to tighten security

Even though several recent data leaks were not the result of direct attacks on the companies' servers, Internet service companies need to do a better job of educating their users and offering stronger security measures.

In recent weeks, there have been data breaches involving passwords and email addresses from JP Morgan Chase, celebrity nude photos from Apple's iCloud, more than 70,000 images from Snapchat and now a new alleged hack at Dropbox -- a claim it denies.

Many of those incidents didn't involve a breach of the company's own servers. They were instead the result of brute-force password attacks, customers' use of third-party apps not authorized by the original service, or usernames and passwords collected from unrelated websites and then replayed against the cloud service that attackers claimed to have broken into.

This week on the text-sharing site Pastebin, an anonymous poster claimed nearly seven million Dropbox accounts had been hacked. The poster published 100 of them and threatened to reveal the rest unless paid a Bitcoin reward.

Dropbox security engineer Anton Mityagin insisted the company's servers had not been hacked, saying in a blog post, "Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the Internet, including Dropbox."

Responses to many of the recent attacks have been similar to Dropbox's. Chase says there's no need to change PINs or passwords or to replace credit and debit cards; Apple claims iCloud is secure; and Snapchat denies any wrongdoing on its part.

Experts, however, argue that online companies are not doing enough to watch their networks and identify malicious activity, or to encrypt data before it is stored.

"Service providers can block brute-force attacks. For example, if you see the same IP address logging in 100 times, that's something you should check," said Engin Kirda, a professor at the College of Computer and Information Science at Northeastern University and co-founder of Lastline Inc., a maker of security and malware protection software.
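The check Kirda describes, written out as an added example that is not code from the article, from Kirda, or from any of the services named here. It reads a constructed authentication log (the line format, the thresholds, and the sample traffic are all assumptions for this example) and flags two of the patterns the article discusses: a brute-force attack, where one source IP hammers a single account, and credential stuffing of the kind Dropbox described, where one IP replays username/password pairs stolen elsewhere against many different accounts.

```python
"""Per-source-IP login abuse detection over an authentication log.

Added example. Log format, thresholds and sample traffic are assumptions
for illustration, not any real service's format or tuning.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Detection thresholds (assumed values; tune per service and traffic volume).
WINDOW = timedelta(minutes=10)
ATTEMPT_THRESHOLD = 100        # >= this many attempts from one IP inside WINDOW
DISTINCT_USER_THRESHOLD = 20   # >= this many different usernames from one IP
FAILURE_RATIO = 0.8            # ...combined with at least this share of failures


def parse_line(line):
    """Parse '<ISO-8601 UTC timestamp> <ip> <username> <OK|FAIL>' (assumed format)."""
    ts, ip, user, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, ip, user, result == "OK"


def max_attempts_in_window(times, window):
    """Largest number of events whose timestamps fall inside one sliding window."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text, window=WINDOW, attempt_threshold=ATTEMPT_THRESHOLD,
            distinct_user_threshold=DISTINCT_USER_THRESHOLD,
            failure_ratio=FAILURE_RATIO):
    """Return {ip: {"reasons": [...], "attempts": n, "users": n, "failures": n}}
    for every source IP whose login behaviour crosses a threshold."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            when, ip, user, ok = parse_line(line)
            per_ip[ip].append((when, user, ok))

    findings = {}
    for ip, events in per_ip.items():
        attempts = len(events)
        failures = sum(1 for _, _, ok in events if not ok)
        users = {user for _, user, _ in events}
        reasons = []
        # Brute force: too many attempts from one address in a short window.
        if max_attempts_in_window([t for t, _, _ in events], window) >= attempt_threshold:
            reasons.append("brute_force")
        # Credential stuffing: one address tries many accounts and mostly fails,
        # because the leaked passwords only work where they were reused.
        if len(users) >= distinct_user_threshold and failures / attempts >= failure_ratio:
            reasons.append("credential_stuffing")
        if reasons:
            findings[ip] = {"reasons": reasons, "attempts": attempts,
                            "users": len(users), "failures": failures}
    return findings


def make_sample_log():
    """Constructed sample traffic (not real data): one brute-forcer,
    one credential stuffer and one ordinary user."""
    base = datetime(2014, 10, 13, 10, 0, 0)
    lines = []
    # 203.0.113.7: 120 failed attempts against 'alice' in two minutes.
    for i in range(120):
        t = base + timedelta(seconds=i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 203.0.113.7 alice FAIL")
    # 198.51.100.9: 30 different usernames over an hour, one of which works.
    for i in range(30):
        t = base + timedelta(minutes=2 * i)
        result = "OK" if i == 17 else "FAIL"
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 198.51.100.9 user{i:02d} {result}")
    # 192.0.2.10: a normal user who mistypes once, then logs in twice.
    for i, result in enumerate(["FAIL", "OK", "OK"]):
        t = base + timedelta(hours=i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 192.0.2.10 bob {result}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for ip, info in analyze(make_sample_log()).items():
        print(ip, info)
```

Run stand-alone it reports 203.0.113.7 as brute force and 198.51.100.9 as credential stuffing while leaving the ordinary user alone. The caveat a practitioner will spot immediately: counting per source IP only catches attackers who come from a single address. A credential-stuffing run spread across a botnet stays under the per-IP thresholds, so the per-IP view has to be paired with per-account failure counts and global failure-rate baselines.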

This week's leak of Snapchat photos, which involved a third-party app that had been collecting users' snaps for years, comes five months after the company settled Federal Trade Commission (FTC) charges that it deceived consumers with promises about the disappearing nature of messages sent through the service.

The need for greater visibility

According to the FTC's complaint, Snapchat made multiple misrepresentations to consumers about its product that stood in stark contrast to how the app actually worked.

For example, the FTC alleged that Snapchat stored video snaps unencrypted on the recipient's device in a location outside the app's "sandbox," the private storage area other apps cannot read, meaning the videos remained accessible to recipients through an ordinary file browser.

Snapchat's terms of use explicitly forbid third-party apps from sending or saving messages and photos through its API, yet the third-party app responsible for the leak, SnapSaved, had been in use for years.

SnapSaved took responsibility for what has been called "The Snappening," where around 70,000 Snapchat photos or videos were shared on an anonymous website. SnapSaved said most of the photos that were exposed came from Swedish, Norwegian and American users.

In a post on its Facebook page, SnapSaved apologized and explained its "dictionary index" database had been hacked.

"As soon as we discovered the breach in our systems, we immediately deleted the entire website and the database associated with it. As far as we can tell, the breach has affected 500MB of images, and 0 personal information from our database," the company stated.

Also according to the SnapSaved post, the hacker's claims that there was sufficient data to create a searchable database of Snapchat images were false.

Third-party applications for Snapchat, Twitter, Facebook and other social media sites can be found throughout Apple's App Store and Google Play.

However, users are often unaware of the risk they're taking when they download an app, even one vetted by big-name vendors, according to John Kindervag, a security analyst at Forrester Research.

Hacks not new, but social media is growing them

Kindervag said three things have contributed to the flood of recent privacy breaches: the tension between security and net neutrality, which he sees as opposing goals; the rise in popularity of social media; and the poor security that results when a company assumes bad things happen only outside its own network.

"Look at brute-force attacks, those have always been happening. The idea that Snapchat had another proxy involved that saved all their stuff, yeah that has always been happening too," Kindervag said. "Now everyone's upset."

"As I like to say, there are no suburbs on the Internet. We all live in the same bad neighborhood," he added.

Snapchat's biggest failure, Kindervag said, was not monitoring more closely the third-party apps using its API. He added that encrypting the photos would have made them harder to gather in the first place.

"You should always plan for a systemic failure, whether it's one in your network or someone else's," Kindervag said.

Users, of course, also have a responsibility to understand that once something is uploaded to a cloud service, the risk of exposure greatly increases regardless of whatever security measures are taken.

Users, for their part, either have to be careful about the content they create or understand that there are steps they must take to protect it once it leaves their hands.

Northeastern's Kirda recommends that people use free tools such as KeePassX, an open-source password manager that runs on most operating systems. KeePassX stores usernames and passwords in a database encrypted under a master password and, optionally, a key file, so a user can keep a different strong password for every website without having to remember any of them.

While user education is important, and includes measures such as choosing robust passwords and not reusing them on multiple sites, the onus can't be entirely on the customer to protect his or her own data when it's been entrusted to a service.

"Basically, I think anyone that relies on passwords for security has to be kidding themselves," said Gartner security analyst Avivah Litan. She suggests biometric security measures instead. For example, behavioral biometrics applications can track how users of a website typically act, and if that activity changes dramatically, the company can be alerted and take action.

"The idea is you can maintain customer convenience and strengthen consumer security without imposing things on them," Litan said. "That's even better for security because many intelligent security folks believe we need to forget about prevention and focus on detection and containment."

Stories by Lucas Mearian