Archive
Is it safe to carry on using Dropbox (client vulnerability)? Yes and No: Part IV
Two researchers have found they can exploit the Dropbox client in order to access the user’s cloud storage; and the resulting headlines can seem a bit worrying:
Reverse-Engineering Renders Dropbox Vulnerable
This can’t be good for Dropbox for Business
Researchers Reverse Engineer Dropbox Client
Security Vulnerability Allegedly Discovered in Dropbox Client
The effect of this vulnerability, if exploited, can bypass the Dropbox two-factor authentication and give the attacker full access to the user’s stored files. We must therefore once again ask if it is safe to carry on using Dropbox.
The researchers have developed a fairly generic method for reverse engineering the Python code used for the Dropbox client. This shouldn’t be possible, and is consequently a real achievement. Having gained access to the source code they were able to see how the Dropbox client works.
One of reasons Dropbox is so popular – it has more than 100 million users – is because it is easy to use. Turn on your computer and, voila, it’s there ready and waiting. By reversing the code and finding a way to decrypt it, our researchers also discovered how this ‘ease of use’ actually works.
Following registration with Dropbox, each client is given a unique host_id value that is used for all future log-ons. This is stored, encrypted, in the client – but can be retrieved and decrypted. A second value, host_int, is received from the server at log-on.
In fact, knowing host_id and host_int values that are being used by a Dropbox client is enough to access all data from that particular Dropbox account. host_id can be extracted from the encrypted SQLite database or from the target’s memory using various code injection techniques. host_int can be sniffed from Dropbox LAN sync protocol traffic.
Looking inside the (Drop) box
Thus the client is vulnerable; thus the user’s account is vulnerable.
But is it? Technically, yes. But consider… in order to effect this vulnerability, the attacker must have full access to the user’s Dropbox client. And for that to happen, the attacker must have full access to the user’s computer. In other words, the attacker must have already owned the user’s PC – and once that has happened, nothing is safe.
It’s a technical rather than practical vulnerability – and on its own, it shouldn’t deflect users from using Dropbox (for other reasons not to use Dropbox, see Is it safe to carry on using Dropbox (post Prism)? Yes and No: Part III).
In fairness to the researchers, they did not present their findings as a Dropbox vulnerability. Their paper is called Looking inside the (Drop) box, and it says,
We believe that our biggest contribution is to open up the Dropbox platform to further security analysis and research. Dropbox will / should no longer be a black box.
The authors would like to see an open source Dropbox client that can be continuously peer-reviewed by the world’s security researchers. This is really a paper about reverse engineering Python – that’s the big deal.
Was David Miranda’s detention a legal and reasonable application of the Terrorism Act?
Good old British compromise wins again. David Miranda’s lawyers sought an injunction to prevent the police from inspecting the content of the equipment confiscated from him at Heathrow on Sunday. Home Secretary Theresa May claimed it was necessary to examine the documents “without delay in the interests of national security”. The police said it was now part of a criminal investigation.
So the judge delivered a curate’s egg where all sides could claim they got the good part: the police can examine the content, but only for national security purposes. But the important question still remains: was David Miranda’s detention a legal and reasonable application of the Terrorism Act?
The first thing we have to do is forget the dictionary definition and everything we think we know of what constitutes terrorism and terrorists. It is defined in the Terrorism Act – and if an Act defines the Pope as a Jewish Muslim, then as far as UK law is concerned, the Pope is a Jewish Muslim and there’s nothing else to it.
So what is terrorism as far as the British law is concerned? For this I am grateful to Amberhawk’s Dr Chris Pounder and Sue Cullen – both formerly from the Pinsent Masons law firm – who write the HawkTalk blog. I won’t go into the details, but recommend their blog: Spot the terrorist? Data protection and the seizure of personal data on laptops at airports.
According to the law, a terrorist is a person “concerned in the commission, preparation or instigation of acts of terrorism”.
According to the law, terrorism exists where the use or threat of action “is designed to influence the government or an international governmental organisation or to intimidate the public or a section of the public,” and “is made for the purpose of advancing a political, religious, racial or ideological cause”; plus any one of the following:
(a) involves serious violence against a person,
(b) involves serious damage to property,
(c) endangers a person’s life, other than that of the person committing the action,
(d) creates a serious risk to the health or safety of the public or a section of the public, or
(e) is designed seriously to interfere with or seriously to disrupt an electronic system.
So, three tests for terrorism. Applying these to David Miranda, and assuming that his laptop contained Snowden documents (which would be reasonable suspicion),
- the stated purpose of the leaks is to influence government
- the stated purpose could be described as both ‘political’ and ‘ideological’
- the effect, according to government, could result in increased terrorist attacks against the UK (that is, “a serious risk to the health or safety of the public”) and is also designed “to interfere with or seriously to disrupt an electronic system” (that is, GCHQ’s Tempora surveillance system).
I think it is quite clear that under the Terrorism Act, David Miranda is a terrorist.
The second part of our question is whether his detention was a reasonable application of the Terrorism Act. This is a red herring. Any legal application of a law is reasonable. The real question is whether the Terrorism Act itself is reasonable. And the answer to this is human rather than legal. How on earth can we tolerate a law in which the police can classify the partner of a journalist as a terrorist when his sole purpose is to deliver documents that are embarrassing to the government? This is a police state in action; and the Terrorism Act is one of its tools.
Is Windows 8 an NSA trojan?
That really does sound a bit extreme even for a cynic – but it’s a question that is being seriously asked and needs a serious answer. It came to a head earlier this week when Zeit Online published a story suggesting that various federal German agencies had come to the conclusion that Windows 8 is not safe for use by government.
We need to put this into context with two technologies: UEFI and TPM. The Unified Extensible Firmware Interface (UEFI) is a specification that is meant to replace the Basic Input/Output System (BIOS) firmware interface on PCs. It provides many advantages over the original BIOS, but more pertinently here, it can be used to provide ‘secure boot’. Microsoft has come in for some serious criticism over implementing UEFI secure boot on Windows 8 – sufficient criticism for a Spanish open source group, Hispalinux, to level a complaint against Microsoft with the European Union for anti-competitive behaviour. Much of that criticism has died down as it has become clear that serious power users can get round it. However, implemented to its full potential it could enforce an Apple-like walled garden around non-Microsoft manufactured PCs.
TPM – trusted platform module – is a separate issue. This is a chip that controls what can and what cannot run on your computer. It can indeed provide additional security, since if only known good software is allowed to run, then any bad software (viruses and trojans and worms and so on) cannot easily run (never say never!). And there isn’t really an issue, since if you don’t want it, you can just turn it off.
Enter TPM version 2; which is what has upset the German government agencies. Microsoft intends to employ it with Windows 8. Windows 8 will be delivered with TPM 2.0 turned on, and no way to turn it off. But for new versions of Office or completely new Microsoft software, Microsoft clearly needs to be able to bypass TPM – and it has its own key to do so. The user does not have a key to do so.
And this is where the NSA comes in. Given everything we have learned about the NSA over the last few months, does anyone really believe that Microsoft will not willingly or at best under secret coercion be forced to give those same keys to the NSA and probably the FBI as well?
Some of us may even remember the NSAKey discovered in Windows NT by Andrew Fernandes in 1999. At the time, Microsoft denied the key had anything to do with the NSA, but frankly only the gullible believed them, and most people accept that it has been present in every version of Windows ever since. Anybody who believes that Microsoft and the NSA don’t go hand in hand is living in cloud cuckoo land under heavy surveillance.
The problem is that with access to a TPM 2 key that is always on, the NSA or the FBI or both could come and go at will with no-one being any the wiser. Which is exactly how they like to operate.
Ross Anderson, Professor of Security Engineering at the Computer Laboratory, Cambridge University.
So how likely is all this? Professor Ross Anderson from Cambridge University wrote back in October 2011,
We’ve also been starting to think about the issues of law enforcement access that arose during the crypto wars and that came to light again with CAs. These issues are even more wicked with trusted boot. If the Turkish government compelled Microsoft to include the Tubitak key in Windows so their intelligence services could do man-in-the-middle attacks on Kurdish MPs’ gmail, then I expect they’ll also tell Microsoft to issue them a UEFI key to authenticate their keylogger malware.
And if the Turkish government can do that, what could the US government do?
I asked him what he thought now, and whether Windows 8 really is dangerous for governments. He said,
Non-US governments had better think carefully about their policy on all this. Until now you could grab the Linux source, go through it, tweak it till you were happy, recompile it and issue it to officials in your ministry of defence. Serious players like China even sent engineers to Redmond to inspect the copy of Windows that would be sold in their country. But most states don’t have enough competent engineers to do that.
Microsoft’s demand that the industry configure all Windows-branded machines so they’ll only boot signed operating systems will make life significantly harder for medium-sized non-aligned governments. And now that Microsoft’s admitted making NSA access easier, the idea of using COTS Windows is not emotionally compatible with the existence of large pampered signals intelligence bureaucracies, even if there isn’t a reasonable engineering alternative.
And so we return to the original question: is Windows 8 an NSA trojan? Yes. Microsoft and the NSA and the Obama administration will, of course, deny it. And the NSA — post Snowden — may never even use it. But that doesn’t alter the fact that the capability exists and could be used. A nuclear weapon is no less a nuclear weapon just because it hasn’t been used. And Windows 8 is an NSA trojan.
Quelle surprise!
McAfee, 2009: Cybercrime costs the world $1 trillion per year.
Obama, 2009: “It’s been estimated that last year alone cyber criminals stole intellectual property from businesses worldwide worth up to $1 trillion… In short, America’s economic prosperity in the 21st century will depend on cybersecurity.”
Keith Alexander, 2012: Cyberattacks are causing “the greatest transfer of wealth in history.” He cited Mcafee’s figures. “That’s our future disappearing in front of us,” he said, urging Congress to pass more cyber laws.
Reuters, Monday: “Top McAfee official named to U.S. Homeland Security cyber post;” that is, “the top cyber official at the U.S. Department of Homeland Security.”
Me, today: “Quelle surprise.”
Microsoft Surface RT – an unmitigated disaster
Nobody likes to admit to any enjoyment in “I told you so.” It is therefore with huge regret and personal pain that I now say, “I told you so.”
On August 7, 2012 – just over a year ago, this blog said: A Microsoft-made tablet? Big mistake. More specifically I added
But Microsoft’s solution is just plain wrong. It is planning to build its own tablet, to compete with the iPad and Android.
This would be a mistake…
Almost exactly one year later, on August 12, 2013, ‘Gail Fialkov, individually and on behalf of all others similarly situated’ filed suit against ‘Microsoft Corporation, Steven A Ballmer, Peter S Klein, Frank H Brod and Tami Reller’ in the US District Court, Massachusetts. The suit claims
What Defendants knew, but failed to disclose to investors, however, was that Microsoft’s foray into the tablet market was an unmitigated disaster, which left it with a large accumulation of excess, over-valued Surface RT inventory.
Despite costly attempts to spur the Surface market (such as a free $100 dollar magnetic cover/keyboard and a 30% discount on the price), ‘nothing generated meaningful sales of Surface RT.’
Then, on July 18, 2013, Microsoft issued a press release announcing that its financial results for the quarter ended June 30, 2013 had been adversely impacted by a $900 million charge related to a write-down in the value of its Surface RT inventory. In truth, however, the value of such inventory was materially impaired by March 31, 2013.
On this news, Microsoft common stock suffered its biggest price decline in more than four years, plunging $4.04 per share, or 11.4%, on very heavy trading volume to close at $31.40 per share. The magnitude of the decline in the price of Microsoft’s stock eviscerated about $34 billion of the company’s market value.
The action is claiming that anyone who purchased Microsoft stock between April 18 2013 (that is, just after the date at which it claims Microsoft was aware of the excess stock) and 18 July 2013 (that is, the date of its announcement of excess stock) suffered a material and unnecessary hit on their investment.
Whether Microsoft will issue a defence based on the public availability of this blog that had earlier warned all and sundry that the Surface was a big mistake and that they therefore had prior knowledge of the inevitability of the unmitigated disaster remains to be seen. But it could be, “Well, he told you so.”
Is it safe to carry on using Dropbox (post Prism)? Yes and No: Part III
As the dust from Edward Snowden’s Prism revelations begins to settle, it’s time to think again about whether it is safe to use Dropbox. In Part I (June 2011) we said:
You don’t need to stop using Dropbox, or any of its competitors, or Google Docs – just never, ever put anything confidential or legally dubious anywhere in the cloud. Just don’t.
Is it safe to carry on using Dropbox? Yes and No
In Part II (August 2012) we said:
Dropbox is registered in the US, and is subject to the PATRIOT Act – the US authorities are able to demand details of you and your account simply because they want them. So Dropbox is just not safe for confidential or incriminating content (and nor, note, is any other US-based cloud company).
Is it safe to carry on using Dropbox? Yes and No: Part II
What we’ve now learnt from Snowden is that not only can the US authorities (in the form of the NSA and the FBI) demand details of you and your account, they do as a matter of course have access to your actual files. We also know that if you encrypt those files, it will be taken as a red flag and they will pay particular attention to the files, and by implication to you as well.
So if we ask the basic question once again — but expand it from Dropbox to ‘any US cloud-based service’ — we actually come to a similar conclusion but with more riders.
The first part of the question is, is it safe? Absolutely, categorically and emphatically, No. It is not safe to use any US cloud service.
Ladar Levison ran a ‘secure’ email service, Lavabit. Last week he suddenly shut it down after ten years. If you read his statement, you see a man of principle:
I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit.
(For the Americans, and especially in this instance, ‘the American people’ is a metaphor for ‘everyone in the world’ — it’s just that it has never legally been a crime for the NSA to spy on non-Americans.) It is clear that he is now subject to a court order from the secretive US FISA court — the one that the NSA and FBI use to justify their surveillance practices — complete with a gag order: that is, you must hand over your customers’ data but you may not tell anyone about it. However, it is Levison’s last comment that is specifically relevant here:
I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.
Kim Dotcom ran the Megaupload website, long since seized — quite possibly illegally — by the US authorities. While fighting extradition from New Zealand to the US he has set up a new and far more secure service, simply called Mega. He has first-hand experience of the reach and practices of the US authorities. His take is this:
Remember, move your Internet business to small nations that are free of conflict and therefore don’t have a massive spy agenda. Look for countries that have robust privacy and human rights laws. Stay out of the US. Don’t even host a single server there.
It looks as if he is preparing to move Mega to Iceland. New Zealand is, after all, one of the Five Eyes global surveillance countries with very close ties to the other four: the US, the UK, Canada and Australia.
But what of the other part of our question: can we carry on using Dropbox (and other US cloud services)? Clearly, we shouldn’t; but can we? As with everything else, it’s a risk-based decision: we have to weigh the risks against the advantages.
Snowden has shown us that the risks are far greater than we thought. The danger, however, is that we will conclude, ‘I’m not doing anything wrong so why should I worry: for me there is no risk.’ Think again. Adam Curtis has shown that the intelligence authorities see a plot behind every shadow: MI5 founded on a lie, maintained on a lie, and still lying today – allegedly. There is no reason to suspect that the NSA and FBI are any different; because if they don’t find the plots they will lose their budget and shrink.
Just because you do no wrong does not mean that they will see no wrong.
So the answer to our question today has to be, technically and possibly, perhaps yes; but realistically, no, no, no. Do not use Dropbox. Do not use Drive. Do not use any US cloud service. And if you are already doing so, get ready to move as early as possible to a non-US service. Don’t trust Europe — it is too closely allied to the US. As Dotcom suggests, Iceland currently looks attractive (at least until it joins the EU and gets caught up in EU subterfuges and becomes just another US and US-business puppet). As things currently stand, quite frankly the only secure solution is do not use cloud.
See also: Is it safe to carry on using Dropbox (client vulnerability)? Yes and No: Part IV, which discusses the latest ‘vulnerability’ in the Dropbox client (31/08/2013)
The Next Web says everybody else is wrong; but guess what…
Usually I like The Next Web. But this is a bit strange. It says that news reports give the wrong weight to something Google lawyers argue in a motion to dismiss a class action. TNW’s headline is, No, Google did not say that there is no privacy in Gmail.
Excuse me? That is, conceptually, exactly what Google said — and TNW proves it by reproducing the content:
Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient’s ECS provider in the course of delivery. Indeed, “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” Smith v. Maryland, 442 U.S. 735, 743-44 (1979).
TNW misses off the legal reference, but then helpfully explains it. TNW then adds:
It’s technically accurate that Google used the quote in its legal defense, but using that fact to claim that Google has completely given up on user privacy is both sensational and disingenuous. The company is, after all, bound to its own privacy policy.
Whether Google is bound by its privacy policy or not doesn’t change the reports on what it said. And to accuse others of being disingenuous is a bit rich when TNW then omits Google’s next paragraph, which starts,
The same is true of email sent through an ECS provider…
So, TNW, I’m afraid you’ve got it wrong — that’s exactly what Google said, and exactly what Google meant.
MI5 founded on a lie, maintained on a lie, and still lying today – allegedly
If ever the term ‘secret services’ frightened you, stop worrying. Or maybe start worrying. Either way, BUGGER by Adam Curtis will give you a good laugh. It lays bare the fallacy that the spies we employ through our taxes and who spend more time spying on us than anyone else, know what they’re doing. Or are competent enough to do what they think they are doing.
It’s a series of stories about MI5, “and the very strange people who worked there. They are often funny, sometimes rather sad – but always very odd.”
It all started more than 100 years ago when a Franco/Brit called Le Queux wrote a fiction about a German invasion. I’m guessing it didn’t sell too well, because he took it to the Daily Mail. Lord Northcliffe ran the story as “‘The Invasion of 1910’ and it described how the Germans landed in East Anglia and marched on London.”
Thousands of Daily Mail readers wrote in, saying they had seen suspicious people – obviously German spies. Instantly, well rapidly, Britain’s spy service of one man and two assistants morphed into MI5, “created in large part by the dreams of a socially excluded novelist, and the paranoid imaginings of the readers of the Daily Mail.”
In other words, MI5 was born on the back of a lie (probably standing on the backs of four elephants on a turtle – pure comic fantasy). But it has carried on lying ever since. One such lie is the apprehension of a huge German spy ring in 1914. Historian Nicholas Hiley says,
One of the most famous successes of the British Security Service was its great spy round-up of August 1914. The event is still celebrated by MI5, but a careful study of the recently-opened records show it to be a complete fabrication – MI5 created and perpetuated this remarkable lie.
The great spy round-up of August 1914 never took place – as it was a complete fabrication designed to protect MO5(G) from the interference of politicians or bureaucrats.
The claim made next day that all but one had been arrested was false, and its constant repetition by Kell and Holt-Wilson [director and deputy director) was a lie.
And MI5 hasn’t stopped lying. Perhaps the biggest continuing lie is that it catches spies. “The terrible truth,” writes Curtis, “truth that began to dawn in the 1980s was that MI5 – whose job it was to catch spies that threatened Britain – had never by its own devices caught a spy in its entire history.”
There was one spy called Geoffrey Prime. He actually worked for GCHQ and sold secrets to the Russians. And he was caught – not by MI5 or GCHQ, but by the Cheltenham police.
And so it goes on. WMD in Iraq anyone? The whole war on terror, perhaps? It’s certainly true that after the end of the Cold War with Russia, MI5 should have contracted. It didn’t though, because along came the war on terror that forced it, for the sake of national security, to expand and expand and expand.
So why do we need to worry about such ineptitude? It is simply this: MI5 and GCHQ are spying on all of us, and are pressuring the government to give them even greater surveillance powers. The phrase that it and the government always throw out is, “if you haven’t done anything wrong you have nothing to worry about.”
Really? With this lot? It seems to me, on the basis of Adam Curtis’ potted history, if you haven’t done anything wrong you’ve got everything to worry about. It’s only by being a genuine threat that you will avoid the myopic gaze of the British intelligence services.
BUGGER, by Adam Curtis. Go read. Go laugh. Go cry.
Kevin Townsend 
There are no absolutes in security
I’ve had a comment on my latest Dropbox post (Is it safe to carry on using Dropbox (post Prism)? Yes and No: Part III) that I have rejected. This is a very heavily moderated blog, but I thought I’d explain why I rejected this one.
The comment started by saying, “As Dropbox stands today on its own, yes, completely agree that there is the *possibility* of your data being “looked in on” by people without your knowledge or permission.” It then added, “However, there are 3rd party services out there like xyznnn (www.xyznnn.com) that are completely tapproof, i.e. YOU hold the keys, not Dropbox or the 3rd party vendor. Meaning that your data cannot be accessed without you knowing about it. Read more in this blog post: xyznnn.”
It was, naturally, submitted by a member of the marketing department of the xyznnn company; so it is absolutely an attempt at advertising to the readers of this blog. That, in itself, is not enough for me to reject it. If such a comment adds value to the subject or will genuinely help the reader, I will still generally allow it.
But this one is flatly wrong. First of all, never trust anyone who says or implies that any security is unbreakable. In fact, if anyone says that, you can begin to distrust their understanding of security. So, rather than helping the readers, I consider claims such as “completely tapproof” and “your data cannot be accessed” to be misleading and potentially dangerous.
I will not knowingly help promote products that make what I consider to be statements verging on hyperbole and are fundamentally inaccurate — there are simply no absolutes in security. And that is why this particular comment was rejected.