Dropbox Flaws | TechSNAP | 1

Get the full details on two major issues with Dropbox that are built into the core of the software/service.

Plus WordPress has undergone a multi-server hack, and Facebook gives away their plans for the ultimate data center!

Show Notes:

WordPress gets hacked:
Story 1
Story 2

-multiple servers got hacked
-facebook and twitter API keys exposed
-non-opensource code and partner code exposed
-they recommend if you use the same password elsewhere you should change it (does this mean they are not doing secure hashes?)

Facebook Topic:
Facebook gives away detailed schematics etc. from its datacenters under an open license

http://hardware.slashdot.org/story/11/04/07/2125238/Facebook-Opens-Their-Data-Center-Infrastructure
http://hardware.slashdot.org/story/11/04/16/2218232/Photo-Tour-of-Facebooks-Open-Source-Datacenter
-Custom power supply, only one output voltage: 10.5 V
-hard drives (up to 6) are powered by the motherboard; the BIOS staggers drive start-up by 5 seconds each to deal with inrush current
-open cases; uses a large-scale air mover at the rack level instead of a large number of smaller fans per server
-power supplies have an AC feed and a DC feed from a UPS for backup (this is different from Google's design, which placed a separate DC battery in each server, directly connected to the motherboard and circumventing the PSU. Did this power the drives too? Google's design is mostly secret)

Comodo Topic:

-SSL is the only thing standing between you and the eavesdroppers
-SSL makes sure you are talking to the real site
-if an SSL CA is compromised, someone could get a seemingly legitimate certificate for mail.google.com and set up a rogue wireless AP at your local Starbucks; now he has not only your password but all of your emails.
-once they have your email, they can reset your passwords for everything else

Comodo CA issues certs for major domains:

https://www.threatpost.com/en_us/blogs/phony-web-certificates-issued-google-yahoo-skype-others-032311
http://www.infoworld.com/t/authentication/weaknesses-in-ssl-certification-exposed-comodo-security-breach-593?page=0,1

-EFF finds 37,000 SSL certificates issued for unqualified domain names
https://threatpost.com/en_us/blogs/problem-issuing-certs-unqualified-names-040611
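As an added example (my code, not from the show notes or from the EFF), here is a small audit routine in Python that flags the kinds of names the EFF scan turned up: unqualified names with no domain suffix, reserved internal suffixes, non-public IP addresses, and malformed wildcards. A certificate for a bare name like "mail" is valid wherever a client's resolver happens to map that name, which is why an inventory check like this matters. The reserved-suffix list and the sample inventory are constructed for the illustration.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Suffixes that never resolve on the public Internet; a certificate for one of
# these can be presented to any client whose resolver happens to map the name.
# This list is constructed for the example, not an authoritative registry.
RESERVED_SUFFIXES = (".local", ".localhost", ".internal", ".corp", ".lan", ".home")
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def audit_name(name: str) -> List[str]:
    """Return the reasons a subject/SAN entry fails this audit (empty list = acceptable)."""
    problems: List[str] = []
    n = name.strip().lower()
    if not n:
        return ["empty name"]

    # IP-address entries: only publicly routable addresses are acceptable.
    try:
        ip = ipaddress.ip_address(n)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            problems.append("non-public IP address")
        return problems

    labels = n.split(".")
    if len(labels) < 2:
        problems.append("unqualified name (no domain suffix)")
    if n.endswith(RESERVED_SUFFIXES):
        problems.append("reserved/internal suffix")
    if "*" in n:
        # A wildcard may only be the whole leftmost label, and must not cover a TLD.
        if labels[0] != "*" or any("*" in lab for lab in labels[1:]):
            problems.append("wildcard not limited to the leftmost label")
        elif len(labels) < 3:
            problems.append("wildcard covers a whole TLD")
    for lab in labels:
        if lab != "*" and not LABEL_RE.match(lab):
            problems.append(f"invalid label {lab!r}")
            break
    return problems


def audit_inventory(certs: List[Tuple[str, List[str]]]) -> Dict[str, Dict[str, List[str]]]:
    """Map serial -> {name: problems} for every certificate with at least one bad name."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    for serial, names in certs:
        bad: Dict[str, List[str]] = {}
        for nm in names:
            reasons = audit_name(nm)
            if reasons:
                bad[nm] = reasons
        if bad:
            findings[serial] = bad
    return findings


# Constructed sample inventory (serial number, list of names) for the demo.
SAMPLE_CERTS = [
    ("01", ["mail.google.com", "www.google.com"]),
    ("02", ["mail", "mail.example.com"]),
    ("03", ["exchange01.corp.local"]),
    ("04", ["192.168.1.10"]),
    ("05", ["*.com"]),
    ("06", ["api.*.example.com"]),
]

if __name__ == "__main__":
    for serial, bad in audit_inventory(SAMPLE_CERTS).items():
        for nm, reasons in bad.items():
            print(f"serial {serial}: {nm!r}: {', '.join(reasons)}")
```

The same routine can be run over the names pulled out of a CA's issuance log or an organisation's own certificate inventory; the point is that the check is cheap and purely syntactic, so there is no reason for a CA to sign such a name in the first place.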

-EFF SSL Observatory
https://www.eff.org/observatory

Comodo’s plans to solve the problem:

http://www.scmagazineus.com/two-more-comodo-resellers-owned-in-ssl-hack/article/199620/

Microsoft patch to blacklist certs

http://www.microsoft.com/technet/security/advisory/2524375.mspx

More and more sites are offering SSL, or even doing SSL by default. This can be important if you are accessing things via wifi, especially if it is a public hotspot. This compromise means that it was possible for someone to have a valid certificate for Skype and to sniff your credentials right out of the air.

Comodo SSL Article by Allan:

http://appfail.com/read/304/Comodo-SSL-Certificate-Authority-Breach/


Dropbox security:
Dropbox is insecure by design: if you upload even one file with the app, an attacker can access everything, even if you reformat

http://it.slashdot.org/story/11/04/08/1838220/Dropbox-Authentication-Insecure-By-Design

http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/

-problem with the authentication system
-uses only a host_id to authenticate devices. host_id is not related to a hardware hash, or your password.
-host_id is stored as plain text in a config.db SQLite db
-the same host_id can be used on multiple machines/devices
-so if someone copies your config.db, they can access your files without you knowing
-changing your password would not stop someone, as the host_id would still be valid
-because the host_id is not unique per device, you would not notice a new device
-once compromised, even if you reformat and change your passwords, the attacker could still access your files
-the only way to stop the attacker is to realize you have been compromised and remove the affected device(s) via the Dropbox control panel
-easy fix: include the password and some details (system name/type, hardware info) in the seed for the hash that is used as the host_id, automatically invalidate all host_ids when a password is changed.
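One way to implement the fix proposed in that last bullet, as an added example (my code, not Dropbox's): a hypothetical server derives each host_id with an HMAC over the account name, a password generation counter, and a client-reported device fingerprint, and rechecks the live fingerprint on every request. A copied config.db then fails on another machine, every device gets its own visible entry, and a password change invalidates all host_ids at once. The class and method names, the fingerprint strings and the account names are all constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Account:
    password_generation: int = 0                            # bumped on every password change
    devices: Dict[str, str] = field(default_factory=dict)   # host_id -> device fingerprint


class LinkingServer:
    """Hypothetical server-side device linking, built around the fix proposed above."""

    def __init__(self) -> None:
        self.server_key = os.urandom(32)                    # server-held secret, never sent to clients
        self.accounts: Dict[str, Account] = {}

    def _derive_host_id(self, user: str, generation: int, fingerprint: str) -> str:
        # The host_id depends on the account, the current password generation and the
        # device, so it is unique per device and dies with the next password change.
        msg = f"{user}\x00{generation}\x00{fingerprint}".encode("utf-8")
        return hmac.new(self.server_key, msg, hashlib.sha256).hexdigest()

    def link_device(self, user: str, fingerprint: str) -> str:
        """Called after a successful password login; returns the host_id the client stores."""
        acct = self.accounts.setdefault(user, Account())
        host_id = self._derive_host_id(user, acct.password_generation, fingerprint)
        acct.devices[host_id] = fingerprint                 # every device is a separate, visible entry
        return host_id

    def authorize(self, user: str, host_id: str, fingerprint: str) -> bool:
        """Check a sync request: the stored host_id plus the fingerprint of the machine making it."""
        acct = self.accounts.get(user)
        if acct is None or host_id not in acct.devices:
            return False                                    # unknown or revoked device
        expected = self._derive_host_id(user, acct.password_generation, fingerprint)
        return hmac.compare_digest(expected, host_id)       # fails if config.db was copied elsewhere

    def legacy_authorize(self, user: str, host_id: str) -> bool:
        """The static-host_id behaviour from the bullets: the token alone is accepted,
        regardless of which machine presents it."""
        acct = self.accounts.get(user)
        return acct is not None and host_id in acct.devices

    def change_password(self, user: str) -> None:
        """Advance the generation: every host_id issued so far stops validating."""
        acct = self.accounts[user]
        acct.password_generation += 1
        acct.devices.clear()

    def revoke_device(self, user: str, host_id: str) -> None:
        """The control-panel 'remove device' action from the bullets."""
        self.accounts[user].devices.pop(host_id, None)

    def linked_devices(self, user: str) -> List[str]:
        return list(self.accounts[user].devices.values())


if __name__ == "__main__":
    server = LinkingServer()
    laptop = server.link_device("alice", "laptop-serial-123")   # constructed fingerprint
    print("laptop ok:      ", server.authorize("alice", laptop, "laptop-serial-123"))
    print("copied config:  ", server.authorize("alice", laptop, "attacker-box-999"))
    print("legacy scheme:  ", server.legacy_authorize("alice", laptop))
    server.change_password("alice")
    print("after pw change:", server.authorize("alice", laptop, "laptop-serial-123"))
```

The fingerprint binding is only as strong as an attacker's inability to reproduce the reported hardware details on another machine, so the per-device list plus revocation and the password-change reset remain the controls that actually end a compromise; the binding mainly stops the silent case the bullets describe, where a copied file keeps working and nothing new ever appears in the device list.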

Second Dropbox Flaw:

http://paranoia.dubfire.net/2011/04/how-dropbox-sacrifices-user-privacy-for.html

-The article mentions Tarsnap, written by Colin Percival, the FreeBSD Security Officer. He wrote his own blog entry about a different backup company claiming to use the same encryption as banks and the military; see here: http://www.daemonology.net/blog/2010-03-11-zumodrive-rolls-a-hard-six.html
-Files are encrypted once, using a key controlled by Dropbox. Dropbox policy allows them to decrypt and hand over your files to law enforcement. A truly secure system would not allow Dropbox or law enforcement to access the files.
-AES is approved by the NSA to encrypt classified documents, such as ones classified Restricted, NOFORN, Confidential, Secret, and Top Secret (Top Secret requires 256-bit keys, lower classifications only require 128-bit)
-There are US standards covering the use of encryption to protect CONFIDENTIAL, SECRET, and TOP SECRET information, but merely using 256-bit AES is nowhere near enough: the entire encryption system needs to be approved (including block cipher modes, key management, vulnerability to side-channel attacks, et cetera), not merely the choice of block encryption algorithm.


14 Responses to “Dropbox Flaws | TechSNAP | 1”

  1. Anonymous Says:

    Thanks for a great show! I am very interested in these kinds of topics (does it mean I’m a geek?). Security usually makes people yawn and roll their eyes, but I find it very interesting. Again, thanks for a great show!

  2. Paul Maidment Says:

    Great stuff, the tech stuff is the main thing I love about JB :)
    This and LAS are excellent.
    Keep up the good work

  3. Confezzor Says:

    hey just going to say that supergenpass has an exploit on it.. it’s not 100% safe if you are using it on the website you are creating the password on.. you should create the password on a different site to generate the password you want….

  4. ormaaj Says:

    Allan is a genius. Even I don’t have the precise shadow format memorized, that’s way beyond geek. Brilliant first episode! Kudos!

  5. Melroy van den Berg Says:

    When you were talking about Dropbox security issues, it reminded me of the day I wanted to delete/remove my Google Account from an Android tablet. There was NO way to easily “logout”, “delete” or “remove” my Google login details from that Android tablet device, which was used to browse the Market and even sync Gmail if that was turned on -,-

    Eventually the only way was to seriously reflash the tablet with the same or another ROM….

    PS. It could be me that had a kind of typo in the IRC (A) I changed the password, do not worry. Also I do not use the same password for very important websites like Gmail..

  6. Allan Jude Says:

    Here is a link to an article I wrote on how hashes work: http://geekrt.com/read/91/What-is-a-Hash/

  7. Anonymous Says:

    For your next episode, search for Peter Warden, Alasdair Allan and iPhone. It’s not Linux, but what if it is?

  8. Joe 'lnxr0x' Says:

    Hey guys !! Great first ep !! I know you said you weren’t going for a “security” podcast, but I definitely think you should keep the infosec slant !! There’s always Pauldotcom.com but they have such a corporate sponsored atmosphere it gets really annoying. Exotic Liability looks like they’ve closed shop :( and Security Justice only releases an EP once every 6 months.

    This is a great balance of security, *nix and IT “war” stories. Keep up the great work !!

    -Joe

  9. Mohan Says:

    Awesome first episode, loved it. Oh by the way, Joomla does an MD5 hash for its passwords and adds some salt on top of it to store the password. I am surprised WordPress doesn’t do that.

  10. Froilan Irizarry Says:

    Awesome show guys!

    It was well structured and very informative with the JB style.

    Must say I really enjoyed it.

  11. Jonathon Says:

    Damn, you guys are awesome!!!
    I listened to this episode of TechSNAP last night, and OMG it was like the best show ever!
    Seriously don’t stop this show, I love it as much as the Linux Action Show!!
    lol

  12. Glencrow Says:

    Timeless vigilance shared, that is the hallmark of a civil society. Each within it in an advisory role contributes to inform social consciousness. Your program assists the likes of me in our cognition, insight, initiative, and understanding of the digital industry. I appreciate your insights into the ways, means, policies, practices, and promises spinning out of this evolving technology. Thanks for the shows, insight, and advice on this developing medium’s tools, deployments and advocates. Linux newbie with one month experience

  13. Sunny Alexander Says:

    Today, monster butterfly by vivienne tam is so impressive that has became more and more popular among younger generation. the monster beats in ear headphones were definitely designed to be noise-canceling. why monster beats is so fantastic for your life? Music with monster beats can help you plug in the wings of imagination, monster beats is adjustable and feels relatively comfy.

    The Cartier sunglasses In Purple represent the most fashionable trend, sunglasses for men represents the most fashionable trend. Cartier sunglasses is so fashion a brand that have attracted so many fans, The innovative design and bright color makes Cartier sunglasses always in the fashion frontier. If you were looking for fashion design of Cartier sunglasses, Cartier sunglasses according to Louis.

    Saying about snow boots, the boots go well with the clothes. The easiest way to wear your ugg boots, experience your fashion trip with the ugg store. The easiest way to wear your ugg us is with your comfortable skinny jeans and a baggie blouse accessorized by a necklace.

  14. designer handbags Says:

    There are various styles of Knockoff designer handbags on our online shop, you can wholesale replica handbags with low price and free shipping, our cheap replica handbags are AAA quality and popular styles, enjoy your shopping now!
    we offer large amounts of newest and best fake designer handbags. Each high quality Replica Chanel Handbags comes in a great variety of colors and models. The most amazing thing is the superior quality and the similar design as the replica designer jewelry which help us win many customers’ praises. Moreover, we still take pride in our competitive price and the best service! Created by Thomas Burberry in 1856, Burberry enjoys a long history of fashion. It is one of the oldest designer brands. knockoff handbags represents luxury and it enjoys a strong global recognition. If you want to wholesale replica handbags, undoubtedly, the finest knockoff jewelry are the best choice for you! You are surely going to turn many heads by carrying these beautiful replica designer handbags around!
