Tag Archives: identity

The curious case of Dropbox security

The Dropbox logoAfter the disclosure of the host_id authentication issues that plagued the popular Dropbox service last week, a new issue came up with the fact that Dropbox can detect whether the files you are trying to upload to their cloud already exist there, and “save you the bandwidth” of uploading it if they already have a copy in hand.

So – the Dropbox client probably checks for the hash of the file being uploaded against a list of hashes of existing files that are already stored on the cloud. It may also be that the files stored online are encrypted. So… what’s the big deal?

One has to remember that when using a service such as Dropbox (and I’m an avid user myself), you clearly do not have full control over the material you upload, and the online encryption is only a fraction of the protection you may be seeking. There is no key management visible to the user. There is no way that each client you use has its own key, nor they share keys, and if they do, Dropbox is managing your keys. This also gives them the ability to decrypt your data at any given time. Subsequently, it also gives them the ability to provide you with the file of another user if you tried to upload it yourself (hence saving you the bandwidth) – for example, when you may want to access it from a client which does not have the synched copy of your account (or through the web interface). They just decrypt the other user’s file, and serve it back to you. After all – you have the same one back on your home/work/whatever PC (remember that you showed “proof” by providing the hash before).

Which brings us back to reality – what are we really exposed to here in terms of risk?

  1. Dropbox has the ability to access the contents of my files.
  2. If I can come up with a hash of a file that I know someone else has, and that file may be confidential in some way, I can potentially claim to upload the same file, and then download the real one (as I don’t really have the original) from another client or through the web interface.

Clearly, the media attention to point 1 is important – but still not really interesting as people should have had a clue when they send their files to the “cloud”.

However, point 2 makes a more interesting argument… It would be interesting to see when the first “hack” will come along which will start “uploading” files (by hacking the client protocol – hint: start here, here, and here) just based on hashes, and then downloading them as if from another client to see what you get (if they were “cached” already on the Dropbox cloud). Now that would be an interesting little experiment…

Happy hacking!

Tying up loose ends before Vegas (scammer closure)

Instead of updating the post in question (again), I figured I’ll post all the new info here and call this a wrap.

So, we all know about the security scammer now, and the different ways he is working to defraud innocent users and steal their data and money. It has been quite an experience tracking this scam down and getting all the facts right (from the technical aspect of inspecting the keylogger and binaries used to sniff your data, to actually communicating with the scammer and getting his take on things).

Nevertheless, I must say that I appreciate the consistency in which our scammer (I’ll call him Fadzil Mahfodh as that’s his real name) has been trying to mask his wrongdoings. From trying to go around the facts and divert us to other software:

To “bragging” about his skills and the fact that his scripts are “leet” enough to get past some people:

And finally to the obvious – throwing a fit and trolling – initially by threatning to post my picture and CV on adult websites (what would my CV be good for on an adult site anyway??? must be a Malaysian thing 🙂 ):

All of which has been accompanied by adding my picture to his website (wow! I’m famous now!):

Getting it removed by the Google Blogger DMCA team, opening up a new blog site to accompany the specific “hack wpa without a dic” post along with my picture, and making some cosmetic changes to the site, removing the FBI log (which has been replaced with a larger DHS logo), and adding a disclaimer at his website stating that this is all a mistake, that I have been trying to pressure him into criminal actions, and that he has all our communications logged and will be happy to use it to prosecute. Too bad this has been removed from his site before I had a chance to document it – but trust me it was there! Pure epicness!

Now, I know – it’s not really fair to pick on these guys that hard. That’s why I’m leaving this to the Malaysia CERT (as you may have noticed, 1337 Fadzil forgot to proxy his connections to this blog and his IP has been logged on all comments and relevant hits on the site), to figure out how to handle. I truly hope that his suggestion to use the details provided on his paypal account and bank account will actually yield some results, and wish our friend the best of luck in his endeavors in the security business (although I highly doubt he’ll be at DefCon later this week).

Below are attached some of the additional supporting materials for the sake of fully disclosing all the communications with Fadzil.

Apache-access-log_FILTERED, Fadzil-chat, karma-decoded.sh, bg2-decoded.sh

8/18/2010 – Last update (I really hope)

All right, so it seems that the good guys actually win sometimes, so I had to post this quick update just to fill everyone in on what has been going on:

  1. The original site (yeah – the bad design, background music, scam outright) has been brought down. Not sure if it was the Google DMCA team that kept bugging Fadzil on removing my pics, or the Malaysia CERT that came down on him for the malicious and scamming techniques.
  2. The replacement site (chikiabu.blogspot.com) which has been originally set up just to host the infringing materials after Google rained down on Fadzil, is now actually the main site, and SURPRISE – it does not have the scamming software anymore!!! 2 points for the good guys.
  3. The new site still has some “security” software. I have been getting some questions from readers who saw it and didn’t know whether to use it or not. So I had a few minutes to spare today, and have analyzed the “software” provided on it (namely – the famous fi.sh script which is the pinnacle of our subject’s programming skills). Long story short – still scripting with no real software in it. The fi.sh code is (again) a compiles shell script, and… here it is: fi.sh (the decompiled version of course). Funny thing is – obviously there’s no real coding here, just a bunch of “infconfig”, “iwconfig”, “airodump-ng” and “aircrack-ng”. One thing to note though, is that Fadzil makes it look as if each version of the script is designed for a specific wireless adapter – this of course can be achiever by correctly configuring your wireless adapter when running BT. Additionally, the posts on his website still entice users to send him their capture files (although at some point he makes the spelling error of saving a capture file as “.cab” – freudian?), and I’m guessing that he’s going to be asking for some “donation” to keep his site running. Don’t be tempted again kids…

That’s all there is to it I guess. Again – good guys win, site cleaned (and hopefully bad guy learned his lesson). Keep your eyes open out there, and until next time (September in Barcelona and Brussles) bye!

Identity crisis

Here’s a common question I get asked a lot: “What technology should I use to secure my server/network/[some technology]?”

wpid-IdentityCrisis-2010-06-7-14-11.jpgThe question is usually presented by someone who’s in charge of “Security” in an organization. Now, I wouldn’t have had a problem with this if this was a technician, or a pen-tester of sorts, but I get really nervous when the CISO/CIO/Security manager is the one asking.

I think that this question is highly inappropriate for two reasons:

  1. You should not be looking for “technology”. Buying a product is not going to make you more secure or less secure.
  2. You should not be trying to protect a technology. Your servers, networks, routers, PCs, etc… are not the focus of information security. The information is…

Having been working with senior management – sometimes as an advisor/consultant, and sometimes as a “virtual CISO”, I know that this is not what we expect the CISO or security manager to ask. We expect business savvy, we expect an understanding of what the information assets are, what are the information critical paths, who owns the information and what is the impact of every asset on the business. We expect that the understanding of how each assets fits into the grand scheme of things would be clear to whoever is in charge of securing it, and we expect them to take into account what is the potential damage related to each of these assets (in terms of losing it, having it fall into the wrong hands, etc…).
For me (or us when talking as management) this is the only way to approach security. Funny how things get a little unclear when all you thought you needed to know was which vendor/product fits where in your topology, huh?

What strikes me as most peculiar is the fact that a lot of these security “professionals” find themselves in a self proclaimed identity crisis, having to deal with business requirements and financial understanding of how the business operates. and the weirdest thing is that they often choose to get back to what then “know” best – the technology side of things. Definitely not the way to make a move…

wpid-risk-blocks-2010-06-7-14-11.jpgI’m really hoping that all this preaching of “know thyself before you know your enemy” would help somehow, because right now unfortunately the situation at hand only brings us more business (not that I’m complaining). But seriously now – technology is fine and cool, but having the aptitude to know where it fits, not on an architectural level, but from a business perspective is the key to what we do. Get back to the drawing board, erase the network topology and start drawing the business one!

Who owns your online identity? Facebook squatters on the rise

I have just read a couple of excellent posts (on SquaredPeg, and InsideFacebook) that talk about something I have been preaching for a while – your online identity and how easily it can be manipulated (or falsely created). The posts talk about Facebook groups and accounts that have been created for the class of 2013 for quite a few colleges in the US. While in fact none appeared to be legitimately affiliated with the incoming class at any of the colleges

Motive? In this incident, it’s mostly marketing – getting ahead start on the right audience can go a long way nowadays.

This is not the last of it. In what may have been the first more publicly exposed online identity “squatting” (remember the domain name cyber squatters of the 90s…) I do expect a lot more to come on that front. So , if you haven’t got a Facebook/LinkedIn/MySpace/ Bebo account yet,  you probably want to make sure you get one soon enough. You’d never know who may be creating an online persona of yourself now. The implications are grave; just thinking of what kind of damage someone could do if he was to create an account for me, connect to my friends and business partners, and start communicating on my behalf is mind-boggling.

So don’t just be safe out there. Be out there!, that is to say, knowing what’s out there under your name is the first step in protecting your online identity.

Update (12/24/08): As noted to me by my colleague Andrew Lindell, this is also true for your real identity as it is manifested online in other means. For example – online banking, bill payments, and online credit card management. If you do not have an account for these – get one now! It’s overly simple to obtain a bank statement or a bill, and use it to set up online banking on your behalf. Even if you don’t plan to use online banking – get an account, put a decent passowrd on it and tuck it away. That way you can be sure that noone can create that account for you using some old banking statement!