Dropbox waits almost six months to fix a flaw that probably took less than a day

Security expert Graham Cluley

Graham Cluley is a much respected security expert – but we don’t always agree. Full disclosure – the early public disclosure of a vulnerability whether or not the vendor has a fix available – is an example.

I believe that vendors should be notified when a flaw is discovered, and then given 7 days to fix it. After that, whether the fix has been made or not, the flaw should be made public.

Graham does not believe a flaw should ever be made public before the fix is ready. When I asked him, back in March this year, “What if the vendor does nothing or takes a ridiculously long time to fix it?…”

Graham sticks to his basic principle. You still don’t go public. Instead, you could, for example, go to the press “and demonstrate the flaw to them (to apply pressure to the vendor) rather than make the intimate details of how to exploit a weakness public.”
Phoenix-like, Full Disclosure returns

This is exactly what happened with the newly disclosed and fixed Dropbox vulnerability. This flaw (not in the coding, but in the way the system works) allowed third parties to view privately shared, and sometimes confidential and sensitive documents. There were two separate but related problems. The first would occur if a user put a shared URL into a search box rather than the browser URL box. In this instance, the owner of the search engine would receive the shared link as part of the referring URL.

The second problem occurred

if a document stored on Dropbox contains a clickable link to a third-party site, guess what happens if someone clicks on the link within Dropbox’s web-based preview of the document?

The Dropbox Share Link to that document will be included in the referring URL sent to the third-party site.

On 5 May 2014, Dropbox blogged:

We wanted to let you know about a web vulnerability that impacted shared links to files containing hyperlinks. We’ve taken steps to address this issue and you don’t need to take any further action.
Web vulnerability affecting shared links

On 6 May 2014 (actually on the same day if you take time differences into account), IntraLinks (who ‘found’ the flaw), the BBC and Graham Cluley all wrote about it:

• IntraLinks: Your Sensitive Information Could Be at Risk: File Sync and Share Security Issue
• BBC: Warning over unintentional file leak from storage sites
• Graham Cluley: Dropbox users leak tax returns, mortgage applications and more

But each of them talk as if they had prior knowledge of the issue and at greater depth than that revealed by Dropbox. So what exactly is the history of this disclosure?

From the IntraLinks blog we learn:

We notified Dropbox about this issue when we first uncovered files, back in November 2013, to give them time to respond and deal with the problem. They sent a short response saying, “we do not believe this is a vulnerability.”

So for almost six months Dropbox knew about this flaw but did nothing about it. Graham explained by email how it came to a head, and Dropbox was forced to respond:

Intralinks told Dropbox and Box back in November last year.

Intralinks told me a few weeks ago. My advice was to get a big media outlet interested. They went to the BBC.

The BBC spoke to me on Monday (the 5th) and contacted Dropbox. The BBC were due to publish their story that day, but Dropbox convinced them to wait until the following day (presumably they were responding).

Dropbox then published their blog in the hours before the BBC and I published our articles (Tuesday morning).

This seems to be the perfect vindication of Graham’s preferred disclosure route: use the media to force the vendor’s hand before public disclosure of a vulnerability.

But just to keep the argument going, it also vindicates my own position. Dropbox users were exposed to this vulnerability for more than four months longer than they need have been. There is simply no way of knowing whether criminals were already aware of and using the flaw, and we consequently have no way of knowing how many Dropbox users may have had sensitive information compromised during those four months. After all, the NSA knew about Heartbleed, and were most likely using it, for two years before it was disclosed and fixed.

MS issues out-of-band patch as IE attacks increase

FireEye reported last week (26 Apr 2014) on a newly discovered Internet Explorer vulnerability that is already being exploited in the wild. The vulnerability affects all IE versions from 6 through 11; but was at the time only being exploited in version 9-11 in Win 7 and 8.

Two things have since happened. Firstly the attacks have widened. FireEye reported May 1 on

a newly uncovered version of the attack that specifically targets out-of-life Windows XP machines running IE 8. This means that live attacks exploiting CVE-2014-1776 are now occurring against users of IE 8 through 11 and Windows XP, 7 and 8.
“Operation Clandestine Fox” Now Attacking Windows XP Using Recently Discovered IE Vulnerability

To make this worse, FireEye also noted that multiple actors are now involved in these attacks:

…new threat actors are now using the exploit in attacks and have expanded the industries they are targeting. In addition to previously observed attacks against the Defense and Financial sectors, organization in the Government- and Energy-sector are now also facing attack.

The second new development is that Microsoft has reacted with remarkable speed, and has already released an out-of-band patch for the vulnerability. Users with automatic updates should not need to do anything – all others should make sure that they avail themselves of this update as soon as possible (details here). Interestingly, even though XP is no longer supported, an XP fix is included.

Jerome Segura, senior security researcher at Malwarebytes

(As an aside, I find this an interesting situation. Microsoft will be continuing to support XP for private customers – such as the UK government. It will therefore have the fixes. So, does Microsoft ignore the rest of the XP market even though it can keep it safe, and even though compromised unsupported XP systems could be used to attack the critical infrastructure? Jerome Segura, senior security researcher at Malwarebytes, thinks not. “Microsoft’s decision to patch XP through the automatic update channels may shoot itself in the foot by encouraging users to stick with it awhile longer,” he suggests. “Offering support for Windows XP should really be a last resort scenario because this is an aging operating system that does not meet today’s security and performance standards.”)

I have two questions on the latest developments: why do zero-day vulnerabilities spread to multiple actors so quickly; and is there an added threat from the vast numbers of unpatched, pirated and subsequently compromised XP computers. I asked FireEye’s threat intelligence manager, Darien Kindlund, for his views on these.

Darien Kindlund, threat intelligence manager at FireEye

His answer to the latter is relatively simple: we don’t know. “We know that the number of pirated copies of Windows XP is still quite large; however, we do not have updated statistics on legal vs. pirated copies,” he said.

Although pirated software can still get Microsoft’s security patches, it is quite likely that the pirates will avoid doing so for fear of being discovered. So even if Microsoft continues to release security patches for XP, good people who don’t patch and bad people who won’t patch will leave potentially millions of XP targets that could be turned to the dark side.

On the spread of 0-day attacks I wondered if the original bad actors sell on the vulnerability to other groups once the attacks have been discovered. The initial targets in this instance (defence and finance) could suggest organized crime if not state-affiliated attackers. Such targets could be expected to patch rapidly – so the value of the vulnerability would quickly lessen once its use is discovered and mitigation steps are put in place. Selling on to other actors would maximize the financial return from it when it becomes less effective.

Kindlund, however, offered a simpler explanation. “It is believed,” he said, “the original threat group using this vulnerability passed the exploit onto other groups, in order to make it harder for attribution analysis.”

But this all leaves one major problem for users. This vulnerability was in active use before it was discovered by the good guys. Then followed a period in which mitigation steps were available, but no formal patch. Now we are in the period in which sys admins will be trying to schedule in their updates, and wondering just how urgent it might be. The question is, however, how many users have already been unknowingly compromised?

Cisco has come up with some help. It has analysed an exploit and found a selection of attack indicators.

Due to active exploitation uncovered among our customer base, we are releasing the following indicators about the exploit so that anyone can investigate their own environments and protect themselves:

We’ve associated the following subjects with this campaign so far:

• Welcome to Projectmates!
• Refinance Report
• What’s ahead for Senior Care M&A
• UPDATED GALLERY for 2014 Calendar Submissions

Associated domains so far:

• profile.sweeneyphotos.com
• web.neonbilisim.com
• web.usamultimeters.com
• inform.bedircati.com

Anatomy of an exploit: CVE-2014-1776

Sys admins should therefore look to their logs. If they find any of these indicators, they have been attacked and may already be compromised. Either way, the patch should be applied as early as is feasible.

Today’s stories on Infosecurity Mag (Apple breach, SIMs rooted and Ubuntu Forum hacked)

SIM Cards Cracked; Hundreds of Millions of Phones Vulnerable
I love this one — it looks so easy (I’m sure it isn’t) that it’s surprising that it hasn’t been done before. But it’s strange how many vulnerabilities / bugs / flaws get found just before Black Hat.

Ubuntu Forum Hacked; 1.8 Million Accounts Compromised
The worry here is that users who are no longer active on the site might not realise their passwords have been compromised — and if they use the same password elsewhere, well…

Apple Developer Site Breached
Or was it? Ibrahim Balic says it wasn’t, but it could have been. Apple, in typical ‘say nothing’ mode is giving very little away. But if Balic is right, the price of his publicity could be a nasty lawsuit from Apple (remember, they once sued a grocer for selling apples too much like their own).

Is Trend Micro correct in its #OpIsrael ‘Botnets Involved in Anonymous DDoS Attacks’

OpIsrael DDoS spike: 7 April

Trend has done an analysis of #OpIsrael attacks on April 7. It notes that on that particular day, traffic to one particular website, normally around 90% Israeli, became 90% international due to the botnet DDoS attacks.

This increase in non-Israeli traffic was well distributed, with users from 27 countries (beside Israel itself) accessing the target site.

This is factual and we can take it at face value from a company like Trend. The next comments, however, start with fact but end in interpretation:

[fact] Examining the IP addresses that had accessed the target site, we noticed that some of these were known to be parts of various botnets under the control of cybercriminals. In addition, further investigation revealed that these IP addresses had been previously identified as victims of other attacks like FAKEAV, ransomware, and exploit kits.

[opinion] These findings highlight how major DDoS attacks are, at least in part, not just carried out by hacker groups like Anonymous but by cybercriminals as well. These attacks are not nearly as “harmless” as some would think.

The interpretation is that because a particular PC is known to be infected with a bot, participation in the DDoS attack against Israel was necessarily under the direction of the botherder criminal. But an alternative interpretation could be that the PC owner, entirely independently, decided to take part in the protest. (This is unlikely given the need to hide the source IP during such a protest.) Another possibility, however, could be that an activist protester, not otherwise a criminal, could have hired a botnet from a criminal, not otherwise an activist.

My point is that the final comment (“major DDoS attacks are, at least in part, not just carried out by hacker groups like Anonymous but by cybercriminals as well”) is a non-sequitur from the preceding argument. Trend may be right; but should not be making such a bald statement without further ‘proof’.

It highlights a danger we all face as we shift our news intake from traditional newspapers to blogs: the automatic acceptance of an opinion as fact. Blogs, for their part, should draw a distinction between fact and opinion – and the conclusion of this particular blog should be clearly labelled ‘opinion’.

JASH – just another Saturday hack

Evernote (announced it) got hacked on Saturday – joining an illustrious 2013 line-up. New York Times, Wall Street Journal, Washington Post, Twitter, Facebook and Bank of America just off the top of my head.

These are all major companies holding vast amounts of our data – companies you would hope to be hack-proof. Clearly they aren’t, which lends weight to the idea that once you’re targeted, you will be breached.

But if that’s the case, what’s happening with the banks (not counting BofA, of course) and our financial accounts? Are they not being targeted, or is there a cost level to genuine security that the banks achieve, but hardly anyone else?

Are ‘free’ services like Evernote, Twitter, Facebook and the newspapers simply not viable if they have to provide genuine security? Have we reached the stage where ‘free’ means ‘insecure’?

Or are the banks getting breached but just not telling us?

 

Microsoft: if it needs to be said, it’s said here first

Ahem… I refer my honourable friends to my earlier post last year.

In which, I said,

So Microsoft’s new strategy could be to own both hardware and software – starting with its own tablet but moving into phones (perhaps by buying Nokia?) and desktops (perhaps by buying Dell or Acer, or even building new from scratch?)…
Toward a new strategy for Microsoft

Yesterday, Reuters reported,

Microsoft Corp is in discussions to invest between $1 billion and $3 billion of mezzanine financing in a buyout of Dell Inc, CNBC cited unidentified sources as saying on Tuesday.
Microsoft in talks to invest up to $3 billion in Dell

Keep up, chaps.

eWeek ate my hamster

Last summer I interviewed Space Rogue and did a story on his history of security hype: A cyber terrorist ate my hamster.

I must now report that the process is alive and well, courtesy of eWeek.

Over the last couple of days the media has been full of a story about two virus outbreaks in US scada installations. eWeek is clear in its own story USB Storage Drive Loaded With Malware Shuts Down Power Plant:

The U.S. Computer Emergency Readiness Team reports that a U.S.-based power generating facility was shut down after a contract employee introduced malware into the turbine control systems and into engineering workstations. The contractor routinely used his USB drive to perform updates on control systems as well as workstations in the power plant.

I would just like to point out, very politely, that this is what is known in polite circles as a ‘lie’. ICS CERT did not say that.

I covered this story in Infosecurity Magazine way back on January 4: The lessons of Shamoon and Stuxnet ignored: US ICS still vulnerable in the same way.

The truth is less dramatic than eWeek suggests – although dramatic enough. The virus was discovered while the system was in a scheduled shutdown. It delayed its restart, it did not cause its shutdown. But that’s far less dramatic and far less worrying…

The next stage in the security hype process is for politicians to seize on the eWeek story to justify the need of the next draconian piece of anti-terrorist cyber legislation, or the next exponential increase in some LEA’s budget request. Journalists really should read what they talk about before they talk about what they haven’t properly read.

Is your computer photochromatic?

Earlier this year Google showed off its prototype for the long-awaited Google Glass, described as “a stamp-sized electronic screen mounted on the left side of a pair of eyeglass frames which can record video, access email and messages, and retrieve information from the Web.” The glasses apparently contain a wireless networking chip and essentially all the other technology found inside a typical smartphone.

But is Google about to be left at the starting gate with the latest development in memristors? Memristors are ‘resistive RAM’. They differ from traditional flash RAM by storing data based on electrical resistance rather than an electrical charge, and are approaching commercialization based on indium gallium zinc oxide.

However, the latest research shows that they can also be based on zinc tin oxide – which is much cheaper than indium gallium zinc oxide. “Products using this approach could become even smaller, faster and cheaper than the silicon transistors that have revolutionized modern electronics – and transparent as well,” reports phys.org.

Transparent electronics, continues the report, “offer[s] potential for innovative products that don’t yet exist, like information displayed on an automobile windshield, or surfing the web on the glass top of a coffee table.” Or, dare we say, an entire PC in a pair of glasses.

You may wonder what a computer in a pair of glasses has to do with security – but we used to wonder the same about a telephone. And glasses are just as easily lost, and more easily broken.

After Samsung, Apple turns its big patent guns on… a Polish grocer

Cult of Android, the online antidote to the online Cult of Mac, announced on 13 September, “Ladies and gentlemen, I wish I was making this up, but unfortunately I’m not… They’ve actually filed a lawsuit against an online Polish grocery site…”

Cult of Android’s Vincent Messina was, of course, writing about Apple Inc. Fresh from a colossal victory against rival mobile colossus Samsung, it was reported that Apple’s lawyers had now targeted an online Polish grocer called A.pl. ‘A’ is the first letter of the alphabet. .pl is the web suffix for Poland. A marketing argument is thus that A.pl will appear very near the top of any alphabetic listing of online grocers in Poland.

The problem, however, seems to be that A.pl sells apples; and that’s getting perilously close to trading off. But worse than that, A.pl has (had, it seems to have removed it), a picture of an apple; and A.pl’s apple looks too similar to Apple’s apple for Apple’s lawyers.

Two days earlier, Reuters had summarized the argument. “‘Apple brand is widely recognized and the company says that A.pl, by using the name that sounds similar, is using Apple’s reputation,’ patent office spokesman Adam Taukert said.”

“A.pl chief executive Radoslaw Celinski said: ‘The accusation is ludicrous’.”

Apple co-founder Steve Wozniak, who is famous for having a different and more liberal attitude towards patents, said, “I hate it.” He was, however, talking about Apple’s victory over Samsung. His views on Apple Vs A.pl are not yet known.

In deep space, no-one can see you surf

The web is often described as cyberspace. Hold that image, and then travel into deep space – the dark web. You might see what looks like Saturn, surrounded by rings. But look closer and you’ll find it’s a black hole protected by onion rings.

This is possibly the next step in the evolution of botnets. Blackhole is the cybercriminals’ exploit kit of choice. Botnets are used to drive victims to infected sites that host Blackhole. But botnet communications can be monitored and their controlling (C&C) servers located and taken down by the authorities – the Nitol botnet, taken down by Microsoft, is the latest example.

Enter Tor (the name is an acronym for ‘the onion ring’). It was developed to allow users to surf the internet in privacy, making it very, very hard for third parties – including law enforcement agencies – to monitor where you go.

There’s a logic behind criminals using Tor to protect themselves. Hence the blackhole surrounded by onion rings.

Now G-Data claims to have found an example. “The botnet owners placed their C&C server, which uses the common IRC protocol, as a hidden service inside of the Tor network.”

This has several advantages for the criminal. The service is anonymous, so even if the C&C server is found, it won’t reveal its owner – nor can it easily be taken down. And since the traffic itself is encrypted, it isn’t easily blocked by intrusion detection systems. The main disadvantage is that the problems inherent to Tor itself (latency and a degree of unreliability) are introduced to the botnet. But since the FBI has already said that it cannot track the deep space of the dark net, we may soon see, or not see, more of these hidden botnets.