Feeds

back to article Python regurgitates Dropbox secrets to boffins

A couple of security researchers have set spines shivering in the cloud world by demonstrating that Dropbox's obfuscated code can be reverse-engineered, along the way capturing SSL data from the service's cloud and bypassing the two-factor authentication used to secure user data. However, as is clear from the Usenix research …

COMMENTS

This topic is closed for new posts.

Two factor authentication?

Drop Box's Web site doesn't require two-factor authentication. It requires a user ID and password: one factor.

For a quick refresher, authentication factors can be described very simply as:

1) What you know, e.g. a user ID and password, passphrase, secret question, etc.

2) What you have, e.g. an RSA key, smart card, or other piece of unique hardware.

3) What you are, usually determined biometrically.

Using two factors is great, but people who claim it because they want a user ID *and* password, or because they demand two challenge-response sessions, e.g. a user ID and password followed by a secret question, haven't bothered to learn much about authentication.

2
4

Re: Two factor authentication?

Drop Box's Web site doesn't require two-factor authentication. It requires a user ID and password: one factor.

To enable two-factor authentication for Dropbox, first log into the Dropbox website. Click your name to access the drop-down menu. Click "Settings", then click the "Security" tab. Under "Account sign in", next to "Two-step verification", click "Enable". Click "Get Started", authenticate again, and follow the wizard.

Next time you log in, it'll ask you for a six-digit authentication code after successfully entering your password. Oh hey, what do you know - two factors!

2
2
Stop

Re: Two factor authentication?

@JD - No. The OP is correct. What you describe is two _step_ authentication, not two factor authentication.

1
4
FAIL

Re: Two factor authentication?

Sorry, Nicho, but your pedantry is misplaced here. What I described is indeed a second factor - what the user has, a time-based disconnected token using a supplied secret for code generation. It is the same sort of two-factor authentication as used by Google. In fact, Google's Authenticator app is completely compatible.

4
1
Bronze badge
FAIL

Re: Two factor authentication?

Or, what they call it on The Daily WTF: "Wish It Was Two Factor" authentication.

If they sent you a hardware token like a Yubikey or RSA device, then it'd be two factor.

If they sent a code out-of-band to a mobile phone via SMS, that'd be poor man's two factor (you'd need access to the phone which mimics the "token", or be able to intercept the SMS message en route).

If they just ask you another question to test what you know, that's still only one factor.

1
4
FAIL

Re: Two factor authentication?

@JD - <facepalm>It's not pedantry. Two Factor is a technical term describing authentication that meets specific characteristics. You don't get to alter the definition to suit yourself </facepalm>

3
2

Re: Two factor authentication?

I didn't alter the definition. I used the term exactly as defined. Their system requires a password (something the user knows) and a token that generates time-based codes or sends a code via SMS (something the user has). Those are two factors. Period.

Yes, I know the client apparently doesn't use 2FA, revealed in the article, but I was describing the website itself. If you were at all familiar with their implementation, you would know that the website does indeed use it. I'm not arguing about the quality of their implementation, but it is in fact 2FA. That said, you seem to be commenting on a system (theirs, in particular) with which you appear to have no familiarity.

4
0
Anonymous Coward

Re: Two factor authentication?

@JD. Fair point. My Bad(tm) ..soz..

2
0
Anonymous Coward

Re: Two factor authentication?

@Nicho,

IIRC DropBox uses SMS, which means it is actually two-factor authentication :-)

Of course, if you lose your mobile, you're... ahem... buggered.

0
0

This post has been deleted by its author

what do you know?

As long as the second factor (what you have) is something complex enough so that you cannot know or memorize it (including notes), nearly anything goes. Any 3 digit code like written on a credit card or some PIN is still knowing. But Dropbox uses TOTP and also support SMS based sending: stuff you need to have. Definately two factors!

0
0
Bronze badge

Factor Shmactor

The only factor that matters is that access to your machine is required for it to work. Would it not be trivial to MITM you for any future use of the service through the compromised device, and any half-wit attacker could then change your settings for the "2nd" factor and email while plundering the files?

Or is that too movie plot? If my wild and uninformed speculation (don't use cloud storage) is correct, would that be Null Factor Authentication?

1
0
Anonymous Coward

Re: Factor Shmactor

Null Factor Authentication: Get it wrong 3 times in a row and everything goes into /dev/null

Well at least your data would be safe from eyes.. prying or otherwise.

1
0
Bronze badge

Re: /dev/null

Once I looked up /dev/null I LOLed. I guess we could take it further by having an SQL write to blackhole just to make sure! Have a useless upvote.

1
0
Bronze badge

Leaving n-factor authentication aside for a moment...

... let's look at how unsafe Dropbox is following these revelations. As pointed out by El Reg, to get the stored secret that enables decryption, the attacker has to have physical access to the machine which is registered with Dropbox. At that point, instead of injecting code and whatever, wouldn't it be easier to do

$ cp -a ~/Dropbox /media/SwagDevice && umount /media/SwagDevice

and run away before the victim returns to the keyboard?

IMO, the real reason you wouldn't rely on Dropbox for important security is that the cloud storage end is not proven to be hard enough. I put the same things into Dropbox that I send via gmail or blueyonder, i.e. nothing that I would be too distressed to see published.

0
0

Re: Leaving n-factor authentication aside for a moment...

You could even add a couple of extra commands that will keep the copying running in the background after logging out of the console. Something to do with "nohup" or something like that I think... it's one of the BOFH stories.

0
0
Pirate

YAP

"As Dropbox puts it: “In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user's Dropbox, open to attacks across the board.” (More on this in a minute.) "

Heh do we really have a minute anymore? A minute is about all it takes on most poorly protected home computers, less if your compromising multiple PC's on the same network (after the initial compromise of course... that point in the pen test when they you notify the client's security team "it's game over man").

The point here is just because you have to pwn the box first is not a barrier for anyone who wants to get your data, and once pwned this becomes just yet another pivot (YAP) to get that juicy delicious data (yum)... IMHO this is just like pivoting to attack the file server at this point just without all that extra logging and "security features" to deal with. Which is probably where that data belongs in the first place...

A win for pen testers and bad guys, yet another headache for corporate security teams to deal with in the age of BYOD.

1
1
This topic is closed for new posts.