Friday 30 August 2013

Security researchers prove Dropbox is hackable

Developers have released a paper detailing how to bypass two-factor authentication security in cloud storage service Dropbox.
The paper was released by Openwall's Dhiru Kholia and Code Painters' Przemyslaw Wegrzyn and details techniques to sneak past Dropbox's two-factor authentication to intercept SSL data from the company's servers. The two researchers claim to have discovered the exploit by reverse engineering Dropbox's source code.
"We show how to unpack, decrypt and decompile Dropbox from scratch and in full detail. This paper presents new and generic techniques to reverse engineer frozen Python applications," wrote Kholia and Przemyslaw.
The pair claim to have bypassed Dropbox's security using a custom-built, open-source Dropbox client. They said the technique is fairly basic but dangerous as, if misused, hackers can steal data from Dropbox and hijack unwary users' accounts.
"Our work uses various code-injection techniques and monkey-patching to intercept SSL data in [the] Dropbox client. We have used these techniques successfully to snoop on SSL data in other commercial products as well," read the paper.
Last year Dropbox was forced to add two-factor authentication after millions of its users were spammed following a successful cyber attack on its systems.
A Dropbox spokesperson told V3 the company is aware of the research, but downplayed its significance, clarifying that the exploit only works if the user's machine is already compromised.
"We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe. However, we believe this research does not present a vulnerability in the Dropbox client. In the case outlined here, the user's computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user's Dropbox, open to attacks across the board," said the spokesperson.

The paper added: "We hope that our work inspires the security community to write an open-source Dropbox client, refine the techniques presented in this paper and conduct research into other cloud-based storage systems."
Kholia and Wegrzyn are two of many to publicly release exploits against big-name services and technologies in recent weeks. Renowned hackers Charlie Miller and Chris Valasek released tools capable of hijacking control of moving cars to the general public at the Defcon expo in Las Vegas at the beginning of August.

Aberdeen Council fined £100,000 by ICO after children’s data posted online

The Information Commissioner’s Office (ICO) has fined Aberdeen City Council £100,000 after a member of staff inadvertently posted data relating to the care of vulnerable children online.
The incident occurred in November 2011 when a member of staff accessed a batch of documents on their home computer from the council's network. These documents were then automatically uploaded to the web by a program installed on the machine.
The information was subsequently found in February 2012 by a council member who was mentioned in one of the documents that had been uploaded. They informed the council and the data was removed and the ICO informed.
The member of staff responsible told the ICO the software that uploaded the data must have been installed by the previous owner of the computer as she was not aware of what had happened.
“The employee told the data controller that the computer is second hand and that it must have been installed by a previous owner,” the report by the ICO reads.
The report also noted that the council had no relevant home-working policy and insufficient measures in place to restrict access to sensitive information on the council's network.
Ken Macdonald, assistant commissioner for Scotland at the ICO, said the incident should make all social work departments in councils "sit up and take notice" of the issues raised around home working and data protection.
“As more people take the opportunity to work from home, organisations must have adequate measures in place to make sure the personal information being accessed by home workers continues to be kept secure,” he said.
“In this case Aberdeen City Council failed to monitor how personal information was being used and had no guidance to help home workers look after the information.”
Aberdeen City Council said it takes data protection extremely seriously, which is why it reported the matter to the ICO itself when it came to light, and claimed it was making improvements on its policies. The council made no direct comment on the fine.
"A data protection audit report on the City Council by the ICO this summer found that a comprehensive suite of up-to-date data policies are in place, strong arrangements are in place concerning a wide range of routine data-sharing, and the content of data protection and information security training material used by Aberdeen City Council is detailed and thorough."
The fine is the latest of many to be imposed by the ICO against councils for poor data-handling procedures, with Islington Council fined £70,000 for an issue relating to Excel that caused 2,000 residents' details to be leaked online.

Facebook proposes privacy changes to facial recognition and advertising terms

Facebook has released its latest raft of changes to its terms and conditions, including a small update to the way the firm makes use of its facial recognition technologies to increase the accuracy of photo-tagging.
It also details updates to clarify the use of user data in advertising following a $20m court settlement last week.
While facial recognition-assisted tagging currently only uses other tagged images to make recommendations, the feature would change to use profile pictures to suggest tags. This update would mean that automatic tags would also be made based on the content of a user's profile picture, whether they are tagged in it or not.
This particular feature, however, will not be available in the EU following recommendations from the Irish Data Protection Commissioner (DPC) in 2011, which saw all EU users' facial-recognition data deleted.
The addition can also be turned off by altering privacy settings. Facebook did however clarify to V3 that facial recognition tagging in the EU is currently being worked on so it adheres to DPC best practices.
Elsewhere in the update, Facebook said it has clarified the way in which users' profile pictures and other data may be used alongside advertisements. "We revised our explanation of how things like your name, profile picture and content may be used in connection with ads or commercial content to make it clear that you are granting Facebook permission for this use when you use our services."
Facebook said that it is implementing this change following a "court case relating to advertising". The case in question was brought about in 2011 when a group of Facebook users took legal action following anger that their profile pictures had been used in adverts without their permission. Facebook proposed a $20m settlement, which was approved by the judge.
The update also included reminders about how third-party applications can use user data.
In a blog post on Facebook's data governance pages, chief privacy officer Erin Egan asked users to provide their feedback on the changes within seven days by leaving comments on the post.

Syrian Electronic Army say Expect Us

Syrian hackers behind recent attacks on the New York Times and Twitter have warned media companies to "expect us".
The Syrian Electronic Army, which supports President Bashar al-Assad, added it had "many surprises" to come.
Interviewed via email following the UK Parliament's vote against military intervention on Thursday, a spokesman told BBC News: "It's the right thing."
He added: "Military intervention in Syria has many consequences and will affect the whole world.
"Our main mission is to spread truth about Syria and what is really happening."
The SEA has targeted various media companies, including the BBC, CNN and the Guardian.
Brian Krebs, a former Washington Post reporter, wrote that clues discovered when the SEA's own website was hacked earlier in the year pointed towards at least one member of the group being based in neighbouring Turkey.
But the SEA's spokesman dismissed these claims, saying that "they keep publishing names so they can get attention".
"All the media outlets that we targeted were publishing false/fabricated news about the situation in Syria," he told the BBC.
"Our work doesn't need funds. It just needs a computer and internet connection."
Until this week's attacks, the SEA's efforts had largely focused on "phishing" social media accounts, tricking users into handing over log-in details.
In one particularly effective attack, the Twitter account of the Associated Press was compromised, and the group posted a tweet saying US President Barack Obama had been hurt in an explosion.
The New York Times attack was more damaging, however, as the hackers were able to redirect people trying to visit the newspaper to the SEA's website instead, albeit briefly.
"Our goal was to deliver our anti-war message on NY Times website - but our server couldn't last for three minutes," the group said.
"The Twitter attack was because of the suspension of our accounts on Twitter by its management.
"We succeeded in our attack as we expected."

Information Warfare, Russia, New Zealand... it is an arms race

Information warfare: under this banner, governments are working to improve their cyber capabilities, and the latest to do so are Russia and New Zealand.

Information warfare, cyber warfare: these terms are becoming familiar to populations all over the world. Every government is aware of the risks of exposure to a cyber attack aimed at sabotage or cyber espionage, and for this reason militaries all over the world are creating dedicated cyber units to respond to the new needs. The reality is that almost every government is working on the definition of cyber capabilities (e.g. the creation of a new generation of cyber weapons, the development of active defense systems), also for offensive purposes, since a cyber conflict has numerous advantages over a traditional offensive. A few days ago the Russian Government announced the creation of a dedicated Information warfare branch within the Russian Armed Forces; its purpose is to improve the country's cyber capabilities, exactly as many other governments are doing. Official military sources revealed that the agency’s budget for 2013 is 2.3 billion rubles ($70 million).
“Cyber space is becoming our priority. The decision to create a cyber-security command and a new branch of the armed forces has already been made,” declared Andrei Grigoryev, the head of the recently-created Foundation for Advanced Military Research, in an interview with Echo Moskvy radio. “We are working on the overall concept of the program to be developed in this area. We have reviewed 700 innovative projects so far.”
The Foundation for Advanced Military Research is considered the equivalent of the US DARPA (Defense Advanced Research Projects Agency) and was set up in 2012 to boost the development of Russian cyber capabilities and advanced weaponry and to help streamline the arms procurement process in Russia. According to Grigoryev, the new unit will be composed of three main areas of military R&D:
  • Futuristic weaponry
  • Future soldier gear
  • Cyber warfare
Russia is not the only government to have recently announced plans to boost its cyber structures: a few weeks ago news spread that the New Zealand Defense Force planned to spend $469 million on the creation of a new cyber army, despite the significant cuts to defense spending of recent years. Security analysts consider the investment important, given that today the Australian Army has no surveillance or reconnaissance systems.
A new division will be set up under the Network Enabled Army initiative, specialising in the development of high-technology equipment such as drones and robots, as well as sensors that would monitor the location, health and condition of soldiers and vehicles.
"The goal of the NEA Programme is to enhance the NZDF’s ability to support deployed land forces by improving its battlefield command and control system, communications and intelligence, surveillance and reconnaissance sensor systems."
The Defense Force has invited technology suppliers to a briefing day at its Trentham military base, according to the Sydney Morning Herald; program manager Colonel Phil Collett revealed the spending would be spread over 20 years.
Governments are getting ready for a new arms race: cyberspace is the new battlefield, and cyber weapons are entering their arsenals alongside conventional weapons. The spread of Stuxnet has radically changed the perception of Information warfare, a conflict fought in the fifth domain, and is pushing the production of weaponized software on an industrial scale. This is a historic moment: Information Warfare is assuming fundamental importance for every government, with the leading powers sustaining an arms race followed by many other countries that may become just as effective. We are in a situation similar to the one observed when nuclear weapons were used for the first time... every government is trying to improve its cyber capabilities; none can afford to be left behind!
Cyber weapons can potentially do serious damage to “critical infrastructures”, and in many cases weaponized tools are also freely available on the internet; cyber terrorists and state-sponsored hackers could exploit them to hit a government or a private business. For this reason every government is working on the definition of a proper cyber strategy to mitigate cyber threats, while the principal international organizations are working on the definition of rules for Information Warfare.