Developers Hack Dropbox

Two developers have penetrated Dropbox’s security, even intercepting SSL data from its servers and bypassing the cloud storage provider’s two-factor authentication, according to a paper they published at USENIX 2013.

“These techniques are generic enough and we believe would aid in future software development, testing and security research,” the paper says in its abstract.

Dropbox, which claims more than 100 million users upload more than a billion files daily, said the research didn’t actually represent a vulnerability in its servers.

“We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe,” a spokesperson said in an email to Computerworld. “In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board.”

The two developers, Dhiru Kholia, with the Openwall open source project , and Przemyslaw Wegrzyn, with CodePainters, said they reverse-engineered Dropbox, an application written in Python.

“Our work reveals the internal API used by Dropbox client and makes it straightforward to write a portable open-source Dropbox client,” the paper states. “Additionally, we show how to bypass Dropbox’s two-factor authentication and gain access to users’ data.”

The paper presents “new and generic techniques to reverse engineer frozen Python applications, which are not limited to just the Dropbox world,” the developers wrote.

The researchers described in detail how they were able to unpack, decrypt and decompile Dropbox from scratch. And, once someone has de-compiled its source code, how “it is possible to study how Dropbox works in detail.

“We describe a method to bypass Dropbox’s two-factor authentication and hijack Dropbox accounts. Additionally, generic techniques to intercept SSL data using code injection techniques and monkey patching are presented,” the developers wrote in the paper.

The process they used included various code injection techniques and monkey-patching to intercept SSL data in a Dropbox client. They also used the techniques successfully to snoop on SSL data in other commercial products as well, they said.

The developers are hoping their white hat hacking prompts Dropbox to open source its platform so that it is no longer a “black box.”

Source

Hackers Dupe Apple

Apple’s security was once again made a laughing stock as a team of researchers demonstrated how it is possible to sneak apps past Apple’s test regime. A group of researchers presenting at Usenix were able to spreading malicious chunks of code through an apparently-innocuous app for activation later.

According to their paper the Georgia Tech team wanted to create code that could be rearranged after it had passed AppStore’s tests. The code would look innocuous running in the test environment, be approved and signed, and would later be turned into a malicious app.

They created an app that operated as a Georgia Tech “news” feed but had malicious code was distributed throughout the app as “code gadgets” that were idle until the app received the instruction to rearrange them. After the app passes the App Review and lands on the end user device, the attacker can remotely exploit the planted vulnerabilities and assemble the malicious logic at runtime by chaining the code gadgets together.

The instructions for reassembly of the app arrive through a phone-home after the app is installed.

The app will run inside the iOS sandbox, but can successfully perform many malicious tasks, such as stealthily posting tweets, taking photos, stealing device identity information, sending email and SMS, attacking other apps, and even exploiting kernel vulnerabilities.

Source

Will The FBI Ditch Blackberry?

Samsung Electronics Co Ltd is close to signing a deal to sell its popular line of Galaxy devices to the U.S. Federal Bureau of Investigation, sources familiar with the situation said late last  Friday.

The deal would be a boost for Samsung, which is increasingly seeking to cater to the needs of government agencies, a niche long dominated by Canadian smartphone maker BlackBerry Ltd.

The FBI, with more than 35,000 employees, at present uses mainly BlackBerry devices. It is unclear whether the agency plans to replace all BlackBerry equipment with Galaxy models or whether it will use hardware from both companies.

A spokeswoman for the FBI declined to comment on the matter, saying that the selection of its new smartphones is part of an active acquisition process and any current discussions are proprietary to the government.

The imminent deal was initially reported by the Wall Street Journal late on Thursday. The WSJ also said Samsung is close to signing a smaller order for its devices with the U.S. Navy, citing people familiar with the matter.

Representatives of BlackBerry and Samsung declined to comment. BlackBerry emphasized, however, that it regards its operating system as the best in the market in terms of security features.

“The security of mobile devices is more important now than it has ever been before,” BlackBerry’s chief legal officer, Steve Zipperstein, said in an interview. “It is fair to ask why in this context anyone would consider moving from the gold standard in security, which is the BlackBerry platform.”

In May, the U.S. Pentagon cleared Samsung’s Android mobile devices and a new line of BlackBerry devices powered by the BB10 operating system for use on Defense Department networks.

Samsung has been pushing hard to convince government agencies and corporate clients that its Galaxy devices, powered by Google Inc’s Android operating system, can meet their stringent security needs.

The South Korean company hopes that the Pentagon clearance and the imminent deal with the FBI will help boost sales to security-conscious clients including banks and law firms.

Some analysts remain skeptical about whether Android can meet all security requirements of such clients, and note that the FBI itself has highlighted some vulnerabilities of the platform.

“The Android operating system hasn’t been secured properly,” said Rob Enderle, principal analyst with Enderle Group, noting that Samsung has layered technology on top of the operating system in an attempt to make its Galaxy devices safer.

Source

Oracle Wants More Money From SAP

Oracle is appealing the damages awarded from SAP that it was granted and is pushing for more.

The news has disappointed SAP, according to a German newspaper, and the firm is worried that the appeal will draw out the five year long legal battle even longer.

“We are disappointed that the lawsuit Oracle pulls further out,” said a SAP spokesman to the German newspaper Mannheimer Morgen.

“We had agreed on a sensible arrangement, because we believe that this case has gone on long enough. We remain committed to bring this dispute to an end.”

Neither firm has commented yet, but the appeal follows SAP’s admission of liability in the Tomorrownow affair.

SAP pleaded guilty last year and acknowledged that its Tomorrownow subsidiary had done wrong. Tomorrownow was accused of downloading information belonging to Oracle, including software and customer information related to Peoplesoft users.

Oracle was initially awarded $1.3bn in damages but this was knocked down to $306m by a judge who told it that it had two options, accept that sum or take SAP back to court.

Source…

Remote Access Tools Threatens Smartphones

Malware tools that allow attackers to gain complete remote control of smartphones have become a major threat to owners around the world, security researchers say.

In a demonstration at the RSA Conference 2012 here Wednesday, former McAfee executives George Kurtz and Dmitri Alperovitch, who recently founded security firm CrowdStrike, installed a remote access tool on an Android 2.2-powered smartphone by taking advantage of an unpatched flaw in WebKit, the default browser in the OS.

The researchers showed an overflow audience how the malware can be delivered on a smartphone via an innocuous looking SMS message and then be used to intercept and record phone conversations, capture video, steal text messages, track dialed numbers and pinpoint a user’s physical location.

The tools used in the attack were obtained from easily available underground sources, Kurtz said. The WebKit bug, for instance, was one of 20 tools purchased from hackers for a collective $1,400.

The remote access Trojan used in the attack was a modified version of Nickispy a well-known Chinese malware tool.

Learning how to exploit the WebKit vulnerability and to modify the Trojan for the attack, was harder than expected, said Kurtz. He estimated that CrowdStrike spent about $14,000 in all to develop the attack.

But the key issue is that similar attacks are possible against any smartphone, not just those running Android, he said.

WebKit for instance, is widely used as a default browser in other mobile operating systems including Apple’s iOS and the BlackBerry Tablet OS. WebKit is also is used in Apple’s Safari and Google’s Chrome browsers.

Several mobile remote access Trojans are already openly available from companies pitching them as tools that can be used to surreptitiously keep tabs on others.

Source…

Apple Has A Hole In MAC OS X

Apple has failed to fix a bug in its Mac OS X operating system that allows processes to bypass the sandbox protection in place.

The flaw was discovered by Anibal Sacco and Matias Eissler from Core Security Technologies. They let Apple know about the problem on 20 September, and while Apple acknowledged their submission, it said that it did not see any security threat, forcing the Core Security Technologies team to publish the report to the public this month.

The problem appears to be with the use of Apple events in several default profiles, including the no-network and no-internet ones. When Apple events are dispatched a process can escape the sandbox, which could be exploited by hackers.

The vulnerability could lead to a compromised application restricted by the use of the no-network profile gaining access to network resources through the use of Apple events to execute other applications that are not restricted by the sandbox, making it a significant security threat.

Only the more recent versions of Mac OS X are vulnerable to this bug, including 10.5.x, 10.6.x, and 10.7.x. Those using 10.4.x are safe from the exploit.

Source…

« Previous Page