Archive for March, 2014

Is it safe to carry on using Dropbox following the DMCA takedown revelations?

March 31, 2014 2 comments

Over the weekend, Darrell Whitelaw tweeted a Dropbox error message that said certain files could not be shared due to a DMCA takedown request.

The immediate concern was that perhaps Dropbox files are neither as safe nor private as its users had thought — how could Dropbox take down files if it did not scan the users’ folders?

In fact, Dropbox is being rather clever. Its problem is this: Dropbox is primarily used as a file syncing system, allowing users to transfer files from one of their own devices to another. If the user owns or has licensed the files in question, this is not generally a problem.

From 1 June 2014, UK copyright law is due to change to explicitly allow consumers to make additional copies of copyrighted works for personal use, so transferring music from the tablet you used for downloading, via Dropbox, to the PC you will use to burn a CD for playing on your music centre will be perfectly legal.

But as a US company, Dropbox is also subject to the peculiar effects of the DMCA. Under this law, rightsholders can simply demand that copyrighted materials should be taken down. While the service provider can challenge this, failure to respond to a valid takedown demand can prove very expensive. As a result, in many cases the receipt of a DMCA takedown request automatically triggers its takedown without any further query.

It is in trying to balance these apparently contradictory pressures that Dropbox has developed a rather sophisticated solution. If we look more closely at the error message wording, we can see it says that ‘certain files can’t be shared’ because of a valid DMCA takedown request. But it also says that the folder is empty.

The files themselves have not been taken down; it is just that public sharing has been blocked. The folder is empty for this user, but not for the owner. In other words, Dropbox does not take down legally owned or licensed files; but it does prevent them being illegally shared with other people.

This just leaves the second concern: how does Dropbox know what is in the folder unless it scans it?

In fact, it doesn’t know, or at least it doesn’t necessarily know. When files are first uploaded by the user, they are hashed. This is automatic and doesn’t require Dropbox to interpret the content of the file. The hash algorithm generates a fixed-length output from a variable-length input, and two different files will, in practice, never produce the same output. Dropbox stores these hashes.

Elsewhere is a separate database of hashes produced from files that have been the subject of successful DMCA takedowns. Whenever a user publicly shares a file that has been uploaded, Dropbox compares the file’s stored hash against the takedown list. If there is a match, Dropbox blocks the public sharing. It doesn’t need to scan the folder, nor even know what the file is.

Dropbox is thus using best efforts to comply with US copyright laws, accommodate European laws, and maintain user privacy. It’s not foolproof, of course, because the user could encrypt the file locally before uploading it. The resulting hash would then not match any hash on the list. The same goes for any change to the file at all, since the comparison is on the exact bytes: re-encoding a video, or even appending a single byte, produces an unrelated hash.
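The matching logic described above, as an added worked example. This is not Dropbox’s code, and the post does not say which hash function Dropbox uses, so SHA-256, the per-user file store and the sample data are all assumptions made here for illustration. It shows that the check needs nothing but hashes, that the owner’s own copy is never touched, and that any change to the bytes, encryption or otherwise, defeats the match:

```python
import hashlib


def content_hash(data: bytes) -> str:
    """Fixed-length digest of the file's bytes. SHA-256 is an assumption;
    the post does not say which hash Dropbox uses."""
    return hashlib.sha256(data).hexdigest()


class ShareGate:
    """Decides whether a public share link may be served, using hashes only."""

    def __init__(self, takedown_hashes):
        # Hashes of files that were the subject of successful DMCA takedowns.
        self.takedown_hashes = set(takedown_hashes)
        # What is kept per uploaded file for this check: (user, path) -> hash.
        self.user_files = {}

    def upload(self, user: str, path: str, data: bytes) -> str:
        h = content_hash(data)
        self.user_files[(user, path)] = h
        return h

    def share_publicly(self, user: str, path: str) -> bool:
        """True if the public link may be served. The owner's own copy is
        never touched; a match only blocks sharing."""
        return self.user_files[(user, path)] not in self.takedown_hashes


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Constructed stand-in for 'encrypt locally before uploading'. Any
    reversible transform would do; the point is that the bytes change."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed sample data: a 'film' that a rightsholder has had taken down.
FILM = b"FAKE-FILM-BYTES " * 64
TAKEDOWN_LIST = [content_hash(FILM)]


def demo() -> dict:
    gate = ShareGate(TAKEDOWN_LIST)
    gate.upload("alice", "/Movies/film.mkv", FILM)                      # exact copy
    gate.upload("bob", "/Videos/holiday.mkv", b"home video " * 32)      # unrelated file
    gate.upload("carol", "/x/film.mkv.enc", xor_encrypt(FILM, b"k3y"))  # encrypted copy
    gate.upload("dave", "/x/film.mkv", FILM[:-1] + b"!")                # one byte changed
    return {
        "alice": gate.share_publicly("alice", "/Movies/film.mkv"),
        "bob": gate.share_publicly("bob", "/Videos/holiday.mkv"),
        "carol": gate.share_publicly("carol", "/x/film.mkv.enc"),
        "dave": gate.share_publicly("dave", "/x/film.mkv"),
    }


if __name__ == "__main__":
    for user, allowed in demo().items():
        print(f"{user:6s} public link {'served' if allowed else 'blocked'}")
```

Only alice’s link is blocked; the encrypted copy and the copy with one byte changed sail through, because the comparison is on the exact bytes. The flip side is that the same hash set which lets Dropbox avoid scanning also lets it recognise, without ever looking at content, which users hold known files.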

Well, that’s the theory, anyway. In reality, Dropbox will know many of the files stored by users via the separate database of hashes. But this then provides the potential for different privacy abuses — user profiling based on music and video tastes, for example.

At the same time, repeated encryption of movie-length files prior to uploading could act like a red flag and draw the attention of The Eye. That in itself would probably be enough to trigger a Patriot Act NSL demanding the user’s details without allowing Dropbox to tell anyone about it.

So, basically, as we always say about Dropbox… is it safe to use? Yes… and no.

Categories: All, Security Issues

Philips SmartTV susceptible to hack and hijack

March 31, 2014 Leave a comment

A firmware update to the Philips SmartTV delivered last December introduced a vulnerability that leaves it open to hackers. The problem lies in a feature called Miracast. Miracast allows other devices to connect to the TV via wifi.

The problem, however, is that it uses a default hard-coded password that the user cannot change: miracast.

Maltese researchers ReVuln published a video on how to exploit the vulnerability.

In a short associated note, they added,

The impact is that anyone in the range of the TV WiFi adapter can easily connect to it and abuse all the nice features offered by these SmartTV models like:

  • accessing the system and configuration files located on the TV
  • accessing the files located on the attached USB devices
  • transmitting video, audio and images to the TV
  • controlling the TV
  • stealing the browser’s cookies for accessing the websites used by the user

In short, this vulnerability could give anyone within range of the wifi signal access to the user’s current email session, via the stolen browser cookies. It would also allow pranksters to hijack the TV and play inappropriate content to inappropriate viewers at inappropriate times, or push phishing scams and adverts direct to the screen.

In reality it should not be difficult for Philips to get rid of the Miracast flaw with another firmware update that does away with the hard-coded fixed password (although a directory traversal flaw also needs to be fixed), but it should serve as a reality check for the future of the internet of things. As more and more devices in both the home and office become interconnected and interdependent, the volume of these vulnerabilities will increase. And with the flaws will come the criminals.
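An added example of the two flaw classes named above, side by side with the fix for each. It is not Philips’ firmware or ReVuln’s code (the page reproduces neither): the hard-coded passphrase pattern next to a per-unit secret generated at first boot, and a naive path join of the kind behind directory traversal next to a containment check. The share paths, the `nvram` dict standing in for non-volatile storage and the serial numbers are constructed for illustration.

```python
import os
import secrets
from typing import Optional

# --- The pattern ReVuln reported: one passphrase baked into the firmware. ---
# Constructed illustration; the real firmware's code is not on the page.
HARDCODED_MIRACAST_PASSPHRASE = "miracast"


def hardcoded_passphrase(device_serial: str) -> str:
    """Every unit, whatever its serial, answers with the same secret, and
    nothing the owner can do in the menus will rotate it."""
    return HARDCODED_MIRACAST_PASSPHRASE


# --- The fix: a per-unit secret generated at first boot and persisted. -----
def provision_passphrase(nvram: dict) -> str:
    """Generate a random passphrase once and keep it in non-volatile storage
    (modelled as a dict). WPA2-PSK passphrases must be 8 to 63 printable
    ASCII characters; token_urlsafe(18) gives 24. A factory reset would just
    delete the stored key so that a fresh one is generated on the next boot."""
    if "miracast_psk" not in nvram:
        nvram["miracast_psk"] = secrets.token_urlsafe(18)
    return nvram["miracast_psk"]


# --- The second flaw class the post mentions: directory traversal. ---------
def unsafe_resolve(root: str, requested: str) -> str:
    """What a traversal-prone file server does: join and trust the result.
    '../../etc/passwd' walks straight out of the USB share."""
    return os.path.normpath(os.path.join(root, requested))


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Map a client-supplied path onto a file under `root`, or return None if
    it escapes. The request is treated as relative to the share root; realpath
    collapses '..' and follows symlinks before the containment test; and
    commonpath (rather than a string-prefix check) stops '/media/usb2' passing
    as being under '/media/usb'."""
    root_real = os.path.realpath(root)
    relative = requested.lstrip("/\\")
    candidate = os.path.realpath(os.path.join(root_real, relative))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


if __name__ == "__main__":
    nv = {}
    print("hard-coded :", hardcoded_passphrase("TV-0001"), hardcoded_passphrase("TV-0002"))
    print("per-device :", provision_passphrase(nv), "stable:", provision_passphrase(nv) == nv["miracast_psk"])
    print("unsafe     :", unsafe_resolve("/media/usb", "../../etc/passwd"))
    print("guarded    :", resolve_under_root("/media/usb", "../../etc/passwd"))
    print("guarded    :", resolve_under_root("/media/usb", "photos/IMG_0001.jpg"))
```

The per-device secret still has to reach the user somehow (printed on a label, shown in the TV menu, or changeable there), which is exactly the design question a vendor has to answer before shipping rather than after.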

Manufacturers who have never had to consider infosecurity in the past must now start considering it at the design phase. “What these vendors do not realise,” said Lancope CTO, TK Keanini in an emailed comment, “is that if they don’t build in automatic updating they are not going to succeed and worse, they will be making their consumers’ networks more insecure as updating and patching these flaws post purchase is incredibly difficult, even for the most tech savvy household. The first vendor to deliver devices that can automatically update and adapt to the changing threat environment will be the leader.”

Categories: All, Security Issues

Android malware is no longer just about premium rate calls

March 31, 2014 Leave a comment

Experts have been warning for some time about the increasing sophistication of mobile malware. Now FireEye has discovered a new variant of Android.MisoSMS — which was already an advanced information-stealing Android Trojan.

Like the original version of the malware, the new variant sends copies of users’ text messages to servers in China. But the newest rendition adds a few features that make it harder to detect, including a new disguise, encrypted transmissions, and command-and-control (CnC) communications that are handled natively rather than over email.
FireEye — Android.MisoSMS : Its back! Now with XTEA

The latest variant seeks to communicate with its C&C server, still located in China, by looking it up through a selection of hard-coded public DNS servers. This helps defeat sandbox detection and analysis, since sandboxes “typically use internal DNS servers and cut off access to outside networks,” explains FireEye. “If the malware cannot access the hard-coded DNS servers, it does nothing and is therefore not detected.”
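As an added example (not FireEye’s code or data), the same behaviour seen from the network side: a host whose DNS queries never go to the resolver the network handed it, but only to external servers it must have had built in. The flow records, the site resolver and the external resolver addresses are constructed; the page does not list the servers MisoSMS uses.

```python
from collections import defaultdict

# Constructed flow records, one per line: "timestamp src_ip dst_ip proto dst_port".
# 10.0.0.53 is the resolver the network hands out over DHCP. 10.0.0.25 is a
# phone whose DNS queries only ever go to two public resolvers it never learned
# from the network, which is the pattern FireEye describes. 10.0.0.11 mixes the
# two (a user who set a public resolver by hand) and is deliberately not flagged.
SAMPLE_FLOWS = """\
2014-03-31T09:00:01 10.0.0.10 10.0.0.53 udp 53
2014-03-31T09:00:02 10.0.0.10 198.51.100.7 tcp 443
2014-03-31T09:00:05 10.0.0.25 8.8.8.8 udp 53
2014-03-31T09:00:06 10.0.0.25 8.8.4.4 udp 53
2014-03-31T09:00:09 10.0.0.25 8.8.8.8 udp 53
2014-03-31T09:00:10 10.0.0.25 198.51.100.9 tcp 443
2014-03-31T09:01:00 10.0.0.11 10.0.0.53 udp 53
2014-03-31T09:01:02 10.0.0.11 8.8.8.8 udp 53
"""

SITE_RESOLVERS = {"10.0.0.53"}


def parse_flows(text: str):
    """Yield (timestamp, src, dst, proto, dst_port) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port = line.split()
        yield ts, src, dst, proto, int(port)


def resolver_usage(flows, site_resolvers):
    """Per source host: DNS queries to the site resolver(s) versus anything
    else, plus the set of external resolvers contacted."""
    stats = defaultdict(lambda: {"local": 0, "external": 0, "resolvers": set()})
    for _ts, src, dst, _proto, port in flows:
        if port != 53:
            continue  # only name resolution is of interest here
        bucket = stats[src]
        if dst in site_resolvers:
            bucket["local"] += 1
        else:
            bucket["external"] += 1
            bucket["resolvers"].add(dst)
    return dict(stats)


def hosts_bypassing_resolver(flows, site_resolvers):
    """Hosts whose DNS traffic never touches the site resolver: every query goes
    to servers the host must have had built in. Returns host -> sorted resolvers."""
    flagged = {}
    for host, s in resolver_usage(flows, site_resolvers).items():
        if s["external"] > 0 and s["local"] == 0:
            flagged[host] = sorted(s["resolvers"])
    return flagged


if __name__ == "__main__":
    found = hosts_bypassing_resolver(parse_flows(SAMPLE_FLOWS), SITE_RESOLVERS)
    for host, resolvers in found.items():
        print(f"{host}: all DNS sent to hard-coded resolvers {resolvers}")
```

This is a triage signal, not proof: a phone with a manually configured resolver looks the same from the wire, so the hit has to be read together with the resolver addresses themselves as indicators. The mirror image applies in the sandbox. The evasion works because a sandbox that cuts off outside networks also cuts off the hard-coded resolvers; redirecting all port-53 traffic, whatever its destination, to the sandbox’s own resolver lets the sample believe its servers answered and carry on into the behaviour you want to record.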

A further new sophistication is the use of encryption, a variant of the XTEA block cipher, in communication with the C&C server. This is clearly malware designed to infiltrate and persist.
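FireEye says the new variant uses a variant of XTEA; the page gives no details of the variation, so this added example (not FireEye’s code and not the malware’s) implements standard XTEA (64-bit block, 128-bit key, 32 cycles) in ECB mode with PKCS-style padding, both of which are assumptions, to show the point that matters to an analyst: a symmetric key that ships inside the APK is recoverable, and once recovered it decrypts every captured beacon. The key value and the beacon contents are constructed.

```python
import struct

DELTA = 0x9E3779B9
MASK32 = 0xFFFFFFFF
ROUNDS = 32


def _key_words(key: bytes):
    """Split the 128-bit key into the four 32-bit words XTEA indexes by sum."""
    if len(key) != 16:
        raise ValueError("XTEA key must be 16 bytes")
    return struct.unpack(">4I", key)


def xtea_encrypt_block(block: bytes, key: bytes) -> bytes:
    """Standard XTEA: 64-bit block, 128-bit key, 32 cycles of the Feistel round.
    Every arithmetic step is reduced mod 2**32 to match the uint32 reference."""
    v0, v1 = struct.unpack(">2I", block)
    k = _key_words(key)
    total = 0
    for _ in range(ROUNDS):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (total + k[total & 3]))) & MASK32
        total = (total + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (total + k[(total >> 11) & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)


def xtea_decrypt_block(block: bytes, key: bytes) -> bytes:
    """The round function run backwards, starting from the final `total`."""
    v0, v1 = struct.unpack(">2I", block)
    k = _key_words(key)
    total = (DELTA * ROUNDS) & MASK32
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (total + k[(total >> 11) & 3]))) & MASK32
        total = (total - DELTA) & MASK32
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (total + k[total & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)


def _pad(data: bytes) -> bytes:
    """PKCS#7-style padding to the 8-byte block size (an assumption)."""
    n = 8 - len(data) % 8
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= 8 or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding: wrong key or corrupted ciphertext")
    return data[:-n]


def xtea_ecb_encrypt(data: bytes, key: bytes) -> bytes:
    padded = _pad(data)
    return b"".join(xtea_encrypt_block(padded[i:i + 8], key) for i in range(0, len(padded), 8))


def xtea_ecb_decrypt(data: bytes, key: bytes) -> bytes:
    if len(data) % 8:
        raise ValueError("ciphertext is not a whole number of 8-byte blocks")
    plain = b"".join(xtea_decrypt_block(data[i:i + 8], key) for i in range(0, len(data), 8))
    return _unpad(plain)


# Constructed: a key as an analyst would lift it from the APK's constants, and a
# beacon in the shape of a stolen-SMS upload. Neither is MisoSMS's real key or format.
RECOVERED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SAMPLE_BEACON = b"imei=490154203237518;from=+15555550123;body=Your code is 4921"


def analyst_decrypt(captured: bytes, key: bytes = RECOVERED_KEY) -> bytes:
    """What the defender does with a captured beacon once the key is known."""
    return xtea_ecb_decrypt(captured, key)


if __name__ == "__main__":
    wire = xtea_ecb_encrypt(SAMPLE_BEACON, RECOVERED_KEY)
    print("on the wire:", wire.hex())
    print("recovered  :", analyst_decrypt(wire))
```

Two things to take from it. Encryption with a key embedded in the sample buys the attacker nothing against an analyst who has the sample; it only defeats naive string matching on the network. And ECB, which is the natural choice for a malware author bolting a block cipher onto a beacon, encrypts identical plaintext blocks to identical ciphertext blocks, so fixed-format fields still produce recognisable patterns on the wire even before the key is recovered.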

It suggests, warns FireEye, “that cyber attackers are increasingly eyeing mobile devices — and the valuable information they store — as targets. It also serves as a vivid reminder of how crucial protecting this threat vector is in today’s mobile environment.”

Categories: All, Security Issues

Let’s not forget Assange

March 31, 2014 2 comments

(From a translation of a television interview broadcast in Sweden between Eva Joly and Malou von Sivers; available here.)

Eva Joly, a French-Norwegian prosecutor, famous in France for an eight-year investigation into a massive petrochemical corruption case that ultimately convicted 33 of the 36 people involved, is in Sweden to see if she can break the deadlock over Julian Assange. Her concern is neither to prove his innocence nor to prove his guilt; only that the current impasse is broken and that the case is either tried or dropped.

It has to be said that she is being met by a judicial brick wall.

Her position is that there is no need for the current situation — Assange could easily be interviewed in London, and even tried while he remains in London.

I’ve been in precisely this situation: I have a suspect who is in another country and doesn’t want to return to France to be questioned. So then I travel with the assistance of the country he’s in and question him there. This is a very common situation. What I think is uncommon is that the prosecution authority in Sweden refuses to use this opportunity, especially after 2000 when we have very good judicial cooperation in Europe. So to travel and question Julian Assange at Ecuador’s embassy in London is no big deal.

But the Swedish prosecutor refuses to do this — and you have to wonder why.

So? Where is the risk to Assange in going back to Sweden to face trial? After all, the Swedish prosecutor Marianne Ny has said there is no chance of Assange being extradited to the US.

When Marianne Ny says he won’t be turned over to the US, she is talking about things where she has no competence. She knows nothing about this.

The reality is that since the year 2000 there has not been a single instance of Sweden refusing to act on a US extradition request. Assange would be a big catch for the US, and Joly has little doubt over what would happen.

Do you remember how Snowden fled to Moscow? And Evo Morales was in Russia and he traveled back to Bolivia. There were rumours that Snowden was on board his airplane. And what happened then? All the countries of Europe closed their airspace. France closed her airspace, and Morales’ airplane was forced down in Austria. The plane was searched to see if Snowden was on board. There you can see what resistance the countries of Europe have against the US. We were the victims of the surveillance Snowden revealed, we know that French politicians were being spied on, Angela Merkel was being spied on, and still and all France, a nuclear power, who can stand up to the US, they lay down flat for the US demand to get Snowden. Now what do you think would happen if that demand were about Assange? I don’t think there’d be much resistance.

So Joly is in Sweden — an experienced European prosecutor seeking to expedite a fair trial for Assange, because she wants “the case to move along because it is a human right to be tried in a reasonable time.” She has the knowledge of European law and the understanding of an experienced European prosecutor to show how this could be achieved — so you would expect the Swedish authorities to be keen to talk. But no.

I asked to meet with the Minister for Justice, she didn’t have time, I asked to meet with the Prosecutor-General, he referred me to Marianne Ny… and she didn’t want to meet with me. So I haven’t had any luck with the justice system. But that’s OK. Those are their decisions. Now I’m going to speak with the leader of the Parliamentary Judicial Committee, the leader of the Swedish Bar Association, because this is truly an issue of human rights, and I think this situation, which the Swedish judicial system is today responsible for, this hurts Sweden’s reputation.

Quite frankly, if Sweden wishes to prosecute Julian Assange and there are ample ways this can be done while recognising his legal right to asylum in Ecuador, and yet Sweden absolutely refuses to do this, then you have to assume that there is more to this than just a simple accusation of rape. There can be no doubt that Julian Assange’s fears are absolutely correct, and that the accusations against him are being manipulated by a Swedish/American conspiracy to get him extradited to the US for trial on espionage charges.

Categories: All, Politics

The threat of the petroruble

March 30, 2014 Leave a comment

Little snowballs at the top of a hill start so small — but if left to roll unfettered, over time they can grow large enough to flatten anything in their path. Putin has pushed a little snowball off the top of the hill.

One bank in Russia has decoupled itself from the dollar. It started with US sanctions over Crimea; but it has allowed Putin to require that all trading via the Rossiya bank be conducted in rubles, from consumables to oil. Did I say oil? I’m afraid I did, and this could be the beginnings of the petroruble.

It is the petrodollar that has kept the US — which consistently spends more than it earns — afloat for years. So long as the world’s oil is traded in dollars and world demand for dollars is maintained for that purpose, then the US can simply keep printing more money to pay for whatever it wants. Without that demand, the US economy would be in serious trouble.

So serious, in fact, that when Iraq (with the second largest oil reserves in the world) threatened to stop trading its oil in dollars and start using the Euro, the Bush response was to invade Iraq and impose a more friendly regime.

Russia, like Iraq, is an energy country.

The petroleum industry in Russia is one of the largest in the world. Russia has the largest reserves, and is the largest exporter, of natural gas. It has the second largest coal reserves, the eighth largest oil reserves, and is the largest producer of oil.

If the rest of Russia follows the Rossiya bank and switches all energy trades to rubles, then that’s a serious issue for America. If other oil producers aligned with Russia (for example, Iran and Venezuela) also dump the dollar for the ruble in oil trades, it escalates beyond serious. It could be catastrophic.

Let us all hope that the US response to the threat of Russia abandoning the dollar is not the same response it had for Iraq’s threat to abandon the dollar.

Categories: All, Politics

Phoenix-like, Full Disclosure returns

March 30, 2014 Leave a comment

When the Full Disclosure mailing list suddenly closed down just over a week ago it took most people by surprise. The precise cause — although undoubtedly known to some — remains a mystery. It appears to have been just one problem too many for list moderator John Cartwright; made all the more unbearable because it came from within the research fraternity rather than from vendors.

Be that as it may, full disclosure has been and remains one of the longest-running contentious issues in security. If you discover a vulnerability, do you tell everyone (full disclosure), tell no-one (non-disclosure), or just tell the vendor (so-called ‘responsible’ disclosure)?

There are strong and strongly-held arguments for all options. Graham Cluley and I differ, for example; although perhaps more in degree than absolutes. “For my money, it’s always been more responsible to inform the vendor concerned that there is a security weakness in their product, and work with them to get it fixed rather than get the glory of an early public disclosure that could endanger internet users,” he told me when the mailing list shut down.

Graham’s view is that we should do nothing that might help criminals break into innocent users’ computers. So far we agree: always tell the vendors first, so that they can fix flaws before they become widely known. But what next? What if the vendor does nothing or takes a ridiculously long time to fix it?

Graham sticks to his basic principle. You still don’t go public. Instead, you could, for example, go to the press “and demonstrate the flaw to them (to apply pressure to the vendor) rather than make the intimate details of how to exploit a weakness public.”

There are ample examples to prove his point. When you combine full disclosure with the ‘full exploitation’ of Metasploit, all done before the vendor can fix it, then the bad guys have a ready-made crime-kit — and the general public has no defence.

The basic principle behind responsible disclosure is that if you don’t go public, the vulnerability is less likely to be exploited. But that’s my problem: ‘less likely’ is no defence. If the researcher has discovered the vulnerability, how many criminals have also already discovered the same vulnerability — and are already using it, or are ready to use it in earnest? To know about a vulnerability and not do everything possible to force the vendor to fix it is, in my opinion, irresponsible rather than responsible behaviour.

But, as Graham added, “it’s a religious debate, frankly, with strongly held opinions on both sides.”

So it will be with a mixed reception that we now learn that, like the Phoenix, the Full Disclosure mailing list is reborn, courtesy of Seclists’ Fyodor.

Upon hearing the bad news, I immediately wrote to John offering help. He said he was through with the list, but suggested: “you don’t need me. If you want to start a replacement, go for it.” After some soul searching about how much I personally miss the list (despite all its flaws), I’ve decided to do so! I’m already quite familiar with handling legal threats and removal demands (usually by ignoring them) since I run, which has long been the most popular archive for Full Disclosure and many other great security lists. I already maintain mail servers and Mailman software because I run various other large lists including Nmap Dev and Nmap Announce.
Full Disclosure Mailing List: A Fresh Start

I for one welcome its return. Full Disclosure is, to my mind, an essential part of the security landscape. You can sign up here.

Categories: All, Security Issues

Update on the Target/Trustwave suit: Trustwave will vigorously defend its corner

March 30, 2014 Leave a comment

On Friday I reported on the complaint against Trustwave over the Target breach. I criticised Trustwave for both assessing and then monitoring Target. This was an assumption based on the court documents, which state:

Trustwave scanned Target’s computer systems on Sept. 20, 2013, and told Target that there were no vulnerabilities in Target’s computer systems. Trustwave also provided round-the-clock monitoring services to Target, which monitoring was intended to detect intrusions into Target’s systems and compromises of PII or other sensitive data. In fact, however, the data breach continued for nearly three weeks on Trustwave’s watch.

In fact, Trustwave says it did not monitor Target’s network at all. CEO Robert J. McCullen yesterday issued an open letter to customers. He said that the lawsuit is without merit, and “we look forward to vigorously defending ourselves in court against these baseless allegations.”

Contrary to the misstated allegations in the plaintiffs’ complaints, Target did not outsource its data security or IT obligations to Trustwave. Trustwave did not monitor Target’s network, nor did Trustwave process cardholder data for Target.
A Letter To Our Valued Customers — Robert McCullen

Categories: All, Security Issues