Dropbox Flaws | TechSNAP | 1

Get the full details on the two major issues with Dropbox that are simply built into the core of the software/service.

Plus WordPress has undergone a multi-server hack, and Facebook gives away their plans for the ultimate data center!

Show Notes:

WordPress gets hacked:
Story 1
Story 2

-multiple servers got hacked
-Facebook and Twitter API keys exposed
-non-open-source code and partner code exposed
-they recommend that if you use the same password elsewhere you should change it (does this mean they are not doing secure hashes?)

Facebook Topic:
Facebook gives away detailed schematics etc. from its datacenters under an open license

http://hardware.slashdot.org/story/11/04/07/2125238/Facebook-Opens-Their-Data-Center-Infrastructure
http://hardware.slashdot.org/story/11/04/16/2218232/Photo-Tour-of-Facebooks-Open-Source-Datacenter
-Custom power supply, only one voltage: 10.5V
-hard drives (up to 6) powered by the motherboard; the BIOS staggers drive start by 5 seconds each to deal with inrush current
-open cases; uses a large-scale air mover at the rack level instead of a large number of smaller fans per server
-power supplies have an AC feed, and a DC feed from the UPS for backup (this is different from Google's design, which placed a separate DC battery in each server, directly connected to the motherboard, circumventing the PSU. Did this power the drives too? Google's design is mostly secret)

Comodo Topic:

-SSL is the only thing standing between you and the eavesdroppers
-SSL makes sure you are talking to the real site
-if an SSL CA is compromised, someone could get a seemingly legitimate certificate for mail.google.com and set up a rogue wireless AP at your local Starbucks; now he has not only your password, but all of your emails
-once they have your email, they can reset your passwords for everything else
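A certificate issued by a compromised CA passes ordinary chain validation, so the defence is to check something the CA cannot forge: the fingerprint of the certificate you expect (pinning), plus a blocklist of fingerprints known to be bad, which is what a vendor patch that blacklists certificates amounts to. The block below is an added example, not code from the page or from any vendor; the pinned and blocklisted fingerprints are constructed placeholders, and `connect_with_pin` assumes you have obtained the legitimate fingerprint out of band.

```python
import hashlib
import socket
import ssl
from typing import Set


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as shown by browsers."""
    return hashlib.sha256(der).hexdigest()


def evaluate_certificate(der: bytes, pinned: Set[str], blocklisted: Set[str]) -> str:
    """Decide on a presented certificate after normal validation has passed.
    Blocklist wins over pins: a revoked cert is rejected even if it was
    pinned earlier. An empty pin set means 'no pinning configured'."""
    fp = cert_fingerprint(der)
    if fp in blocklisted:
        return "reject: blocklisted"
    if pinned and fp not in pinned:
        return "reject: not pinned"
    return "accept"


def connect_with_pin(host: str, port: int, pinned: Set[str],
                     blocklisted: Set[str]) -> str:
    """Open a TLS connection with the default (chain + hostname) checks,
    then apply the pin/blocklist check on the leaf certificate. Raises
    ssl.SSLError on a mismatch so the caller never sends credentials."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            verdict = evaluate_certificate(der, pinned, blocklisted)
            if verdict != "accept":
                raise ssl.SSLError(f"{host}: {verdict}")
            return verdict


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates; real ones come from
    # getpeercert(binary_form=True) or a PEM file you have decoded.
    legit = b"constructed DER: the certificate you pinned out of band"
    rogue = b"constructed DER: a cert a compromised CA might issue"
    pins = {cert_fingerprint(legit)}
    print(evaluate_certificate(legit, pins, set()))   # accept
    print(evaluate_certificate(rogue, pins, set()))   # reject: not pinned
```

Pinning the leaf is the strictest form and must be updated whenever the site rotates its certificate; pinning the site's own intermediate or public key is the usual compromise between safety and operability.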

Comodo CA issues certs for major domains:

https://www.threatpost.com/en_us/blogs/phony-web-certificates-issued-google-yahoo-skype-others-032311
http://www.infoworld.com/t/authentication/weaknesses-in-ssl-certification-exposed-comodo-security-breach-593?page=0,1

-EFF finds 37,000 SSL certificates issued for unqualified domain names
https://threatpost.com/en_us/blogs/problem-issuing-certs-unqualified-names-040611

-EFF SSL Observatory
https://www.eff.org/observatory

Comodo’s plans to solve the problem:

http://www.scmagazineus.com/two-more-comodo-resellers-owned-in-ssl-hack/article/199620/

Microsoft patch to blacklist certs

http://www.microsoft.com/technet/security/advisory/2524375.mspx

More and more sites are offering SSL, or even doing SSL by default. This can be important if you are accessing things via Wi-Fi, especially if it is a public hotspot. This compromise means that it was possible for someone to have a valid certificate for Skype and to sniff your credentials right out of the air.

Comodo SSL Article by Allan:

http://appfail.com/read/304/Comodo-SSL-Certificate-Authority-Breach/

Dropbox security:
Dropbox is insecure by design: if you upload one file with the app, a hacker can access everything, even if you reformat

http://it.slashdot.org/story/11/04/08/1838220/Dropbox-Authentication-Insecure-By-Design

http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/

-problem with the authentication system
-uses only a host_id to authenticate devices; the host_id is not related to a hardware hash, or to your password
-host_id is stored as plain text in a config.db SQLite database
-the same host_id can be used on multiple machines/devices
-so if someone copies your config.db, they can access your files without you knowing
-changing your password would not stop someone, as the host_id would still be valid
-because the host_id is not unique per device, you would not notice a new device
-once compromised, even if you reformat and change your passwords, the attacker could still access your files
-the only way to stop the attacker is to realize you have been compromised, and remove the affected device(s) via the Dropbox control panel
-easy fix: include the password and some details (system name/type, hardware info) in the seed for the hash that is used as the host_id, and automatically invalidate all host_ids when a password is changed
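The "easy fix" above is a token that is bound to a device and dies with the password. The block below is an added example of one way to realise it, not Dropbox's code or the page's. It departs from the note in one respect, labelled in the comments: instead of mixing the password itself into the seed, the server keeps a per-account password generation counter and a server-side secret, so the token changes on every password change without the password ever being part of a stored value. The account, device details and the `SERVER_SECRET` are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict

# Constructed for this example. A real service would keep this in a KMS/HSM.
SERVER_SECRET = secrets.token_bytes(32)


@dataclass
class Account:
    # Bumped on every password change; every issued host_id embeds it,
    # so a change invalidates all devices at once (stands in for "include
    # the password in the seed" without storing the password anywhere).
    password_generation: int = 0
    # Registered device fingerprint -> human-readable name (what the user
    # sees in the control panel, so a stranger's device is noticeable).
    devices: Dict[str, str] = field(default_factory=dict)


def device_fingerprint(hostname: str, os_name: str, machine_id: str) -> str:
    """Derived at runtime from local machine details (assumed inputs), never
    written to config.db, so a copied config alone does not carry it."""
    return hashlib.sha256(f"{hostname}|{os_name}|{machine_id}".encode()).hexdigest()


def _derive_host_id(account_id: str, generation: int, fingerprint: str) -> str:
    msg = f"{account_id}|{generation}|{fingerprint}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_host_id(account_id: str, acct: Account, fingerprint: str, name: str) -> str:
    """Called after a password login on a new device: register it, then
    hand back a host_id that only works for this device and generation."""
    acct.devices[fingerprint] = name
    return _derive_host_id(account_id, acct.password_generation, fingerprint)


def check_host_id(account_id: str, acct: Account, fingerprint: str, host_id: str) -> bool:
    """Server-side check on every request. Unknown device, revoked device,
    or stale generation all fail, and the comparison is constant-time."""
    if fingerprint not in acct.devices:
        return False
    expected = _derive_host_id(account_id, acct.password_generation, fingerprint)
    return hmac.compare_digest(expected, host_id)


def change_password(acct: Account) -> None:
    acct.password_generation += 1


def revoke_device(acct: Account, fingerprint: str) -> None:
    acct.devices.pop(fingerprint, None)


def demo() -> Dict[str, bool]:
    """Walk through the scenarios from the show notes and report outcomes."""
    acct = Account()
    laptop = device_fingerprint("alice-laptop", "linux", "machine-id-0001")
    host_id = issue_host_id("alice", acct, laptop, "Alice's laptop")
    results = {"legit_device": check_host_id("alice", acct, laptop, host_id)}

    # A copied config.db on another machine: same host_id, different fingerprint.
    other = device_fingerprint("other-box", "windows", "machine-id-9999")
    results["copied_config_elsewhere"] = check_host_id("alice", acct, other, host_id)

    # Password change invalidates the old host_id even on the original device.
    change_password(acct)
    results["old_id_after_password_change"] = check_host_id("alice", acct, laptop, host_id)

    # A fresh login re-issues a working token; explicit revocation kills it.
    new_id = issue_host_id("alice", acct, laptop, "Alice's laptop")
    results["reissued_after_change"] = check_host_id("alice", acct, laptop, new_id)
    revoke_device(acct, laptop)
    results["after_revoke"] = check_host_id("alice", acct, laptop, new_id)
    return results


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'accepted' if ok else 'rejected'}")
```

The device fingerprint only raises the bar (an attacker who can read config.db may be able to read the same machine details), so the registration list is what makes a stolen token visible and revocable; the generation counter is what makes a password change actually evict everyone.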

Second Dropbox Flaw:

http://paranoia.dubfire.net/2011/04/how-dropbox-sacrifices-user-privacy-for.html

-Article mentions Tarsnap, written by Colin Percival, the FreeBSD Security Officer. He wrote his own blog entry about a different backup company claiming to use the same encryption as banks and the military; see here: http://www.daemonology.net/blog/2010-03-11-zumodrive-rolls-a-hard-six.html
-Files are encrypted once, using a key controlled by Dropbox. Dropbox policy allows them to decrypt and render your files to law enforcement. A real secure system would not allow Dropbox or law enforcement to access the files.
-AES is approved by the NSA to encrypt classified documents, such as ones classified Restricted, no-forn, confidential, secret, and top secret (top secret requires 256 bit keys, lower classifications only require 128 bit)
-There are US standards covering the use of encryption to protect CONFIDENTIAL, SECRET, and TOP SECRET information; but merely using 256-bit AES is nowhere near enough: The entire encryption system needs to be approved (including block cipher modes, key management, vulnerability to side channel attacks, et cetera), not merely the choice of block encryption algorithm.
