Two researchers have found they can exploit the Dropbox client in order to access the user’s cloud storage; and the resulting headlines can seem a bit worrying:
- Reverse-Engineering Renders Dropbox Vulnerable
- This can’t be good for Dropbox for Business
- Researchers Reverse Engineer Dropbox Client
- Security Vulnerability Allegedly Discovered in Dropbox Client
If exploited, this vulnerability bypasses Dropbox two-factor authentication and gives the attacker full access to the user’s stored files. We must therefore once again ask whether it is safe to carry on using Dropbox.
The researchers have developed a fairly generic method for reverse engineering the Python code used for the Dropbox client. This shouldn’t be possible, and is consequently a real achievement. Having gained access to the source code they were able to see how the Dropbox client works.
One of the reasons Dropbox is so popular – it has more than 100 million users – is that it is easy to use. Turn on your computer and, voila, it’s there ready and waiting. By reversing the code and finding a way to decrypt it, the researchers also discovered how this ‘ease of use’ actually works.
Following registration with Dropbox, each client is given a unique host_id value that is used for all future log-ons. This is stored, encrypted, in the client – but can be retrieved and decrypted. A second value, host_int, is received from the server at log-on.
In fact, knowing host_id and host_int values that are being used by a Dropbox client is enough to access all data from that particular Dropbox account. host_id can be extracted from the encrypted SQLite database or from the target’s memory using various code injection techniques. host_int can be sniffed from Dropbox LAN sync protocol traffic.
Thus the client is vulnerable; thus the user’s account is vulnerable.
But is it? Technically, yes. But consider… in order to exploit this vulnerability, the attacker must have full access to the user’s Dropbox client. And for that to happen, the attacker must have full access to the user’s computer. In other words, the attacker must already have owned the user’s PC – and once that has happened, nothing is safe.
It’s a technical rather than practical vulnerability – and on its own, it shouldn’t deflect users from using Dropbox (for other reasons not to use Dropbox, see Is it safe to carry on using Dropbox (post Prism)? Yes and No: Part III).
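To make the two points above concrete, here is a small Python model, added for this post and not the researchers’ or Dropbox’s own code, of the scheme the paper describes: a long-lived per-device credential (host_id) handed out once at registration, a per-logon value (host_int) handed out by the server, and the second factor demanded only at registration. It shows why a second process on the same machine that merely holds copies of the two values is served exactly like the real client, and it shows the one lever the account owner has afterwards, unlinking the device. Class and function names, the account name and the file list are all constructed for the example.

```python
import secrets


class CloudClientModel:
    """Toy model (constructed for this example, not Dropbox's own code) of the
    scheme the paper describes: a long-lived per-device credential (host_id)
    issued once at registration and a per-logon value (host_int) issued by
    the server. The second factor is checked only at registration."""

    def __init__(self):
        self._devices = {}   # host_id -> account name
        self._sessions = {}  # host_id -> current host_int
        self._files = {"alice": ["tax-2013.pdf", "notes.txt"]}  # constructed data

    def register_device(self, account, second_factor_ok):
        # The only point at which the second factor is demanded.
        if not second_factor_ok:
            raise PermissionError("second factor required")
        host_id = secrets.token_hex(16)
        self._devices[host_id] = account
        return host_id

    def logon(self, host_id):
        # Routine logon: host_id alone identifies the device; no second factor.
        if host_id not in self._devices:
            raise PermissionError("unknown host_id")
        host_int = secrets.randbelow(2**31)
        self._sessions[host_id] = host_int
        return host_int

    def list_files(self, host_id, host_int):
        # Any caller presenting a valid (host_id, host_int) pair is served;
        # the server cannot tell which process on the machine is asking.
        if self._sessions.get(host_id) != host_int:
            raise PermissionError("no such session")
        return list(self._files[self._devices[host_id]])

    def unlink_device(self, host_id):
        # Server-side revocation: the owner's lever once a machine is
        # suspected compromised. Invalidates both values at once.
        self._devices.pop(host_id, None)
        self._sessions.pop(host_id, None)


def run_scenario():
    """Walk through the three states discussed in the post and report them."""
    server = CloudClientModel()
    host_id = server.register_device("alice", second_factor_ok=True)
    host_int = server.logon(host_id)

    # 1. The legitimate client works.
    legit = server.list_files(host_id, host_int)

    # 2. A second process on the same machine that has merely read the two
    #    values is indistinguishable from the client and is served equally,
    #    with no second factor in the way.
    copied = server.list_files(host_id, host_int)

    # 3. Unlinking the device from the account closes the door for both.
    server.unlink_device(host_id)
    try:
        server.list_files(host_id, host_int)
        revoked = False
    except PermissionError:
        revoked = True

    return {"legit": legit, "copied": copied, "revoked": revoked}


if __name__ == "__main__":
    print(run_scenario())
```

The design point is the placement of the second factor: it guards the issuing of host_id, not its use, so once the pair is on a machine it is a bearer credential and should be treated like a password. The practical consequence for a user who suspects a compromised PC is to unlink that device from the account rather than to rely on two-factor authentication to keep the files closed.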
In fairness to the researchers, they did not present their findings as a Dropbox vulnerability. Their paper is called Looking inside the (Drop) box, and it says,
We believe that our biggest contribution is to open up the Dropbox platform to further security analysis and research. Dropbox will / should no longer be a black box.
The authors would like to see an open source Dropbox client that can be continuously peer-reviewed by the world’s security researchers. This is really a paper about reverse engineering Python – that’s the big deal.
Good old British compromise wins again. David Miranda’s lawyers sought an injunction to prevent the police from inspecting the content of the equipment confiscated from him at Heathrow on Sunday. Home Secretary Theresa May claimed it was necessary to examine the documents “without delay in the interests of national security”. The police said it was now part of a criminal investigation.
So the judge delivered a curate’s egg where all sides could claim they got the good part: the police can examine the content, but only for national security purposes. But the important question still remains: was David Miranda’s detention a legal and reasonable application of the Terrorism Act?
The first thing we have to do is forget the dictionary definition and everything we think we know of what constitutes terrorism and terrorists. It is defined in the Terrorism Act – and if an Act defines the Pope as a Jewish Muslim, then as far as UK law is concerned, the Pope is a Jewish Muslim and there’s nothing else to it.
So what is terrorism as far as the British law is concerned? For this I am grateful to Amberhawk’s Dr Chris Pounder and Sue Cullen – both formerly from the Pinsent Masons law firm – who write the HawkTalk blog. I won’t go into the details, but recommend their blog: Spot the terrorist? Data protection and the seizure of personal data on laptops at airports.
According to the law, a terrorist is a person “concerned in the commission, preparation or instigation of acts of terrorism”.
According to the law, terrorism exists where the use or threat of action “is designed to influence the government or an international governmental organisation or to intimidate the public or a section of the public,” and “is made for the purpose of advancing a political, religious, racial or ideological cause”; plus any one of the following:
(a) involves serious violence against a person,
(b) involves serious damage to property,
(c) endangers a person’s life, other than that of the person committing the action,
(d) creates a serious risk to the health or safety of the public or a section of the public, or
(e) is designed seriously to interfere with or seriously to disrupt an electronic system.
So, three tests for terrorism. Applying these to David Miranda, and assuming that his laptop contained Snowden documents (which would be reasonable suspicion),
- the stated purpose of the leaks is to influence government
- the stated purpose could be described as both ‘political’ and ‘ideological’
- the effect, according to government, could result in increased terrorist attacks against the UK (that is, “a serious risk to the health or safety of the public”) and is also designed “to interfere with or seriously to disrupt an electronic system” (that is, GCHQ’s Tempora surveillance system).
I think it is quite clear that under the Terrorism Act, David Miranda is a terrorist.
The second part of our question is whether his detention was a reasonable application of the Terrorism Act. This is a red herring. Any legal application of a law is reasonable. The real question is whether the Terrorism Act itself is reasonable. And the answer to this is human rather than legal. How on earth can we tolerate a law in which the police can classify the partner of a journalist as a terrorist when his sole purpose is to deliver documents that are embarrassing to the government? This is a police state in action; and the Terrorism Act is one of its tools.
That really does sound a bit extreme even for a cynic – but it’s a question that is being seriously asked and needs a serious answer. It came to a head earlier this week when Zeit Online published a story suggesting that various federal German agencies had come to the conclusion that Windows 8 is not safe for use by government.
We need to put this into context with two technologies: UEFI and TPM. The Unified Extensible Firmware Interface (UEFI) is a specification that is meant to replace the Basic Input/Output System (BIOS) firmware interface on PCs. It provides many advantages over the original BIOS, but more pertinently here, it can be used to provide ‘secure boot’. Microsoft has come in for some serious criticism over implementing UEFI secure boot on Windows 8 – sufficient criticism for a Spanish open source group, Hispalinux, to level a complaint against Microsoft with the European Union for anti-competitive behaviour. Much of that criticism has died down as it has become clear that serious power users can get round it. However, implemented to its full potential it could enforce an Apple-like walled garden around non-Microsoft manufactured PCs.
TPM – trusted platform module – is a separate issue. This is a chip that controls what can and what cannot run on your computer. It can indeed provide additional security, since if only known good software is allowed to run, then any bad software (viruses and trojans and worms and so on) cannot easily run (never say never!). And there isn’t really an issue, since if you don’t want it, you can just turn it off.
Enter TPM version 2, which is what has upset the German government agencies. Microsoft intends to employ it with Windows 8. Windows 8 will be delivered with TPM 2.0 turned on, and no way to turn it off. But for new versions of Office or completely new Microsoft software, Microsoft clearly needs to be able to bypass TPM – and it has its own key to do so. The user does not have a key to do so.
And this is where the NSA comes in. Given everything we have learned about the NSA over the last few months, does anyone really believe that Microsoft will not willingly or at best under secret coercion be forced to give those same keys to the NSA and probably the FBI as well?
Some of us may even remember the NSAKey discovered in Windows NT by Andrew Fernandes in 1999. At the time, Microsoft denied the key had anything to do with the NSA, but frankly only the gullible believed them, and most people accept that it has been present in every version of Windows ever since. Anybody who believes that Microsoft and the NSA don’t go hand in hand is living in cloud cuckoo land under heavy surveillance.
The problem is that with access to a TPM 2 key that is always on, the NSA or the FBI or both could come and go at will with no-one being any the wiser. Which is exactly how they like to operate.
So how likely is all this? Professor Ross Anderson from Cambridge University wrote back in October 2011,
We’ve also been starting to think about the issues of law enforcement access that arose during the crypto wars and that came to light again with CAs. These issues are even more wicked with trusted boot. If the Turkish government compelled Microsoft to include the Tubitak key in Windows so their intelligence services could do man-in-the-middle attacks on Kurdish MPs’ gmail, then I expect they’ll also tell Microsoft to issue them a UEFI key to authenticate their keylogger malware.
And if the Turkish government can do that, what could the US government do?
I asked him what he thought now, and whether Windows 8 really is dangerous for governments. He said,
Non-US governments had better think carefully about their policy on all this. Until now you could grab the Linux source, go through it, tweak it till you were happy, recompile it and issue it to officials in your ministry of defence. Serious players like China even sent engineers to Redmond to inspect the copy of Windows that would be sold in their country. But most states don’t have enough competent engineers to do that.
Microsoft’s demand that the industry configure all Windows-branded machines so they’ll only boot signed operating systems will make life significantly harder for medium-sized non-aligned governments. And now that Microsoft’s admitted making NSA access easier, the idea of using COTS Windows is not emotionally compatible with the existence of large pampered signals intelligence bureaucracies, even if there isn’t a reasonable engineering alternative.
And so we return to the original question: is Windows 8 an NSA trojan? Yes. Microsoft and the NSA and the Obama administration will, of course, deny it. And the NSA — post Snowden — may never even use it. But that doesn’t alter the fact that the capability exists and could be used. A nuclear weapon is no less a nuclear weapon just because it hasn’t been used. And Windows 8 is an NSA trojan.
McAfee, 2009: Cybercrime costs the world $1 trillion per year.
Obama, 2009: “It’s been estimated that last year alone cyber criminals stole intellectual property from businesses worldwide worth up to $1 trillion… In short, America’s economic prosperity in the 21st century will depend on cybersecurity.”
Keith Alexander, 2012: Cyberattacks are causing “the greatest transfer of wealth in history.” He cited McAfee’s figures. “That’s our future disappearing in front of us,” he said, urging Congress to pass more cyber laws.
Reuters, Monday: “Top McAfee official named to U.S. Homeland Security cyber post;” that is, “the top cyber official at the U.S. Department of Homeland Security.”
Me, today: “Quelle surprise.”
Nobody likes to admit to any enjoyment in “I told you so.” It is therefore with huge regret and personal pain that I now say, “I told you so.”
On August 7, 2012 – just over a year ago – this blog said: A Microsoft-made tablet? Big mistake. More specifically, I added:
But Microsoft’s solution is just plain wrong. It is planning to build its own tablet, to compete with the iPad and Android.
This would be a mistake…
Almost exactly one year later, on August 12, 2013, ‘Gail Fialkov, individually and on behalf of all others similarly situated’ filed suit against ‘Microsoft Corporation, Steven A Ballmer, Peter S Klein, Frank H Brod and Tami Reller’ in the US District Court, Massachusetts. The suit claims
What Defendants knew, but failed to disclose to investors, however, was that Microsoft’s foray into the tablet market was an unmitigated disaster, which left it with a large accumulation of excess, over-valued Surface RT inventory.
Despite costly attempts to spur the Surface market (such as a free $100 dollar magnetic cover/keyboard and a 30% discount on the price), ‘nothing generated meaningful sales of Surface RT.’
Then, on July 18, 2013, Microsoft issued a press release announcing that its financial results for the quarter ended June 30, 2013 had been adversely impacted by a $900 million charge related to a write-down in the value of its Surface RT inventory. In truth, however, the value of such inventory was materially impaired by March 31, 2013.
On this news, Microsoft common stock suffered its biggest price decline in more than four years, plunging $4.04 per share, or 11.4%, on very heavy trading volume to close at $31.40 per share. The magnitude of the decline in the price of Microsoft’s stock eviscerated about $34 billion of the company’s market value.
The action is claiming that anyone who purchased Microsoft stock between April 18, 2013 (that is, just after the date at which it claims Microsoft was aware of the excess stock) and July 18, 2013 (that is, the date of its announcement of excess stock) suffered a material and unnecessary hit on their investment.
Whether Microsoft will issue a defence based on the public availability of this blog that had earlier warned all and sundry that the Surface was a big mistake and that they therefore had prior knowledge of the inevitability of the unmitigated disaster remains to be seen. But it could be, “Well, he told you so.”
I’ve had a comment on my latest Dropbox post (Is it safe to carry on using Dropbox (post Prism)? Yes and No: Part III) that I have rejected. This is a very heavily moderated blog, but I thought I’d explain why I rejected this one.
The comment started by saying, “As Dropbox stands today on its own, yes, completely agree that there is the *possibility* of your data being “looked in on” by people without your knowledge or permission.” It then added, “However, there are 3rd party services out there like xyznnn (www.xyznnn.com) that are completely tapproof, i.e. YOU hold the keys, not Dropbox or the 3rd party vendor. Meaning that your data cannot be accessed without you knowing about it. Read more in this blog post: xyznnn.”
It was, naturally, submitted by a member of the marketing department of the xyznnn company; so it is absolutely an attempt at advertising to the readers of this blog. That, in itself, is not enough for me to reject it. If such a comment adds value to the subject or will genuinely help the reader, I will still generally allow it.
But this one is flatly wrong. First of all, never trust anyone who says or implies that any security is unbreakable. In fact, if anyone says that, you can begin to distrust their understanding of security. So, rather than helping the readers, I consider claims such as “completely tapproof” and “your data cannot be accessed” to be misleading and potentially dangerous.
I will not knowingly help promote products that make what I consider to be statements verging on hyperbole and are fundamentally inaccurate — there are simply no absolutes in security. And that is why this particular comment was rejected.
As the dust from Edward Snowden’s Prism revelations begins to settle, it’s time to think again about whether it is safe to use Dropbox. In Part I (June 2011) we said:
You don’t need to stop using Dropbox, or any of its competitors, or Google Docs – just never, ever put anything confidential or legally dubious anywhere in the cloud. Just don’t.
Is it safe to carry on using Dropbox? Yes and No
In Part II (August 2012) we said:
Dropbox is registered in the US, and is subject to the PATRIOT Act – the US authorities are able to demand details of you and your account simply because they want them. So Dropbox is just not safe for confidential or incriminating content (and nor, note, is any other US-based cloud company).
Is it safe to carry on using Dropbox? Yes and No: Part II
What we’ve now learnt from Snowden is that not only can the US authorities (in the form of the NSA and the FBI) demand details of you and your account, they do as a matter of course have access to your actual files. We also know that if you encrypt those files, it will be taken as a red flag and they will pay particular attention to the files, and by implication to you as well.
So if we ask the basic question once again — but expand it from Dropbox to ‘any US cloud-based service’ — we actually come to a similar conclusion but with more riders.
The first part of the question is, is it safe? Absolutely, categorically and emphatically, No. It is not safe to use any US cloud service.
Ladar Levison ran a ‘secure’ email service, Lavabit. Last week he suddenly shut it down after ten years. If you read his statement, you see a man of principle:
I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit.
(For the Americans, and especially in this instance, ‘the American people’ is a metaphor for ‘everyone in the world’ — it’s just that it has never legally been a crime for the NSA to spy on non-Americans.) It is clear that he is now subject to a court order from the secretive US FISA court — the one that the NSA and FBI use to justify their surveillance practices — complete with a gag order: that is, you must hand over your customers’ data but you may not tell anyone about it. However, it is Levison’s last comment that is specifically relevant here:
I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.
Kim Dotcom ran the Megaupload website, long since seized — quite possibly illegally — by the US authorities. While fighting extradition from New Zealand to the US he has set up a new and far more secure service, simply called Mega. He has first-hand experience of the reach and practices of the US authorities. His take is this:
Remember, move your Internet business to small nations that are free of conflict and therefore don’t have a massive spy agenda. Look for countries that have robust privacy and human rights laws. Stay out of the US. Don’t even host a single server there.
It looks as if he is preparing to move Mega to Iceland. New Zealand is, after all, one of the Five Eyes global surveillance countries with very close ties to the other four: the US, the UK, Canada and Australia.
But what of the other part of our question: can we carry on using Dropbox (and other US cloud services)? Clearly, we shouldn’t; but can we? As with everything else, it’s a risk-based decision: we have to weigh the risks against the advantages.
Snowden has shown us that the risks are far greater than we thought. The danger, however, is that we will conclude, ‘I’m not doing anything wrong so why should I worry: for me there is no risk.’ Think again. Adam Curtis has shown that the intelligence authorities see a plot behind every shadow: MI5 founded on a lie, maintained on a lie, and still lying today – allegedly. There is no reason to suspect that the NSA and FBI are any different; because if they don’t find the plots they will lose their budget and shrink.
Just because you do no wrong does not mean that they will see no wrong.
So the answer to our question today has to be, technically and possibly, perhaps yes; but realistically, no, no, no. Do not use Dropbox. Do not use Drive. Do not use any US cloud service. And if you are already doing so, get ready to move as early as possible to a non-US service. Don’t trust Europe — it is too closely allied to the US. As Dotcom suggests, Iceland currently looks attractive (at least until it joins the EU and gets caught up in EU subterfuges and becomes just another US and US-business puppet). As things currently stand, quite frankly, the only secure solution is not to use the cloud.
See also: Is it safe to carry on using Dropbox (client vulnerability)? Yes and No: Part IV, which discusses the latest ‘vulnerability’ in the Dropbox client (31/08/2013)