Security expert voices concern over Dropbox use

17 Apr 2013


Around 50 million Dropbox users might soon need to give a second thought to continuing using the popular file hosting service, thanks to recently uncovered security issues.

Questions have been raised over the service regarding file security in the past, but the convenience it offers seems to have overcome security considerations.

The service is offered by Dropbox Inc which provides cloud storage, file synchronisation, and client software.

With Dropbox users can create a special folder on each of their computers, which it then synchronises so that it appears to be the same folder (with the same contents) on all computers used to view it.

Files in the folder can also be accessed through a website and mobile phone applications.

According to an article in TechRepublic by Michael Kassner, who runs the IT publication consultancy MKassner Net, while perusing this year's Black Hat EU seminar briefing website he came across a briefing note titled ''DropSmack: How cloud synchronization services render your corporate firewall worthless.''

''The contributions of this presentation are threefold. First, we show how cloud-based synchronization solutions in general, and Dropbox in particular, can be used as a vector for delivering malware to an internal network,'' the note explained.

According to Kassner, the other two contributions were equally eye-opening:

''Show how the Dropbox synchronization service can be used as a Command and Control (C2) channel.''

''Demonstrate how functioning malware is able to use Dropbox to smuggle out data from exploited remote computers.''

The presentation was given by Jake Williams, a highly skilled pen tester and digital forensic scientist employed by CSR Group. According to Kassner, Williams' findings would likely give Dropbox users plenty of reasons to rethink their file storage options.

Williams was performing a ''no holds barred'' penetration test on a corporate network, but nothing seemed to work, not even social engineering the employees. He then came across an opening by way of the company CIO: having obtained a personal email address, Williams found a way to spear-phish the CIO.

When the CIO used his work notebook away from the corporation's highly secure network, Williams was quickly able to gain control of the notebook.

While snooping around on the CIO's computer, Williams came across corporate documents stored in a Dropbox synchronisation folder. Williams told Kassner he knew he could use Dropbox as a conduit into the inner corporate sanctuary, but what he did not know was how, given that the Dropbox databases were encrypted.

Williams and his cohorts did not have the time to reverse engineer the Dropbox software in order to read the database, but they still managed to find a way in.

Though Dropbox would allow Williams to send files to all the devices associated with the CIO's Dropbox account, he needed something more, a way to infiltrate further into the company network, install malware, and find specific documents as part of the pen-test requirements.

He created a tool called DropSmack to perform the above steps and set about getting it loaded. He realised all he had to do was get the CIO to open a file infected with DropSmack in his Dropbox folder, and the tool would install.

He installed the tool by first embedding it in a file synchronised by Dropbox, then adding some macrogoodness to it, and finally loading it back onto the compromised computer. The file synchronised automatically, after which it was a waiting game until the victim opened the file on the internal network.

Once a remote machine is infected with DropSmack, it can be used to perform arbitrary actions on that machine, including pivoting to other machines on the remote network (such as a file server). The PUT command allows the upload of any new tools that might be needed on the remote machine, while the EXEC command allows those tools to be executed.
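The delivery step above relies on a macro-laden document appearing in a synced folder and being opened by the victim. The following is an added defender-side example, not code from the article or from DropSmack: a hypothetical heuristic that scans a sync folder for OOXML documents carrying a VBA project part, and flags the especially suspicious case of a macro project hiding behind a macro-free extension such as .docx. The folder layout and sample files are constructed inline.

```python
import os
import tempfile
import zipfile

# Hypothetical detection heuristic added here; it is not code from the article
# or from DropSmack. OOXML files (.docx/.xlsx/.pptx) are ZIP archives, and a
# VBA macro project lives in them as a part named */vbaProject.bin. Such a
# part inside a supposedly macro-free extension is a strong signal.
MACRO_FREE_EXT = {".docx", ".xlsx", ".pptx"}
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}

def has_vba_project(path):
    """Return True if the OOXML file at path embeds a VBA project part."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())

def classify(path):
    """Verdict for one synced file: 'clean', 'macro' or 'masquerade'."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MACRO_FREE_EXT | MACRO_EXT or not has_vba_project(path):
        return "clean"
    return "masquerade" if ext in MACRO_FREE_EXT else "macro"

def scan_sync_folder(folder):
    """Walk a sync folder; return {relative_path: verdict} for flagged files."""
    findings = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            full = os.path.join(root, name)
            verdict = classify(full)
            if verdict != "clean":
                findings[os.path.relpath(full, folder)] = verdict
    return findings

def make_constructed_docx(path, with_vba):
    """Write a constructed, minimal OOXML-style archive for the demo."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-stub")

def demo():
    """Build a constructed sync folder with three files and scan it."""
    folder = tempfile.mkdtemp(prefix="sync-")
    make_constructed_docx(os.path.join(folder, "budget.docx"), with_vba=False)
    make_constructed_docx(os.path.join(folder, "report.docm"), with_vba=True)
    make_constructed_docx(os.path.join(folder, "plan.docx"), with_vba=True)
    return scan_sync_folder(folder)
```

Run against a real sync folder, the 'macro' verdicts are worth a policy check and the 'masquerade' verdicts warrant immediate review; legacy binary .doc/.xls files are not covered by this heuristic.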

According to Williams, security managers need to think long and hard before allowing Dropbox or any other file-synchronisation application, no matter how convenient it is.

It is important to mention, however, that according to both Williams and Kassner, Dropbox was by far the most secure of all the file synchronisation applications Williams looked at. Williams also asked Kassner to make sure to mention that Dropbox itself was not compromised in order to accomplish his pen-testing goal; it was used only as a conduit.

Williams offered a few more interesting tidbits:

More often than not, Dropbox was already loaded on corporate networks, even though in most cases it was not authorised, and it was a good bet that the bad guys knew this technique and were already using it.
