Python regurgitates Dropbox secrets to boffins

A couple of security researchers have set spines shivering in the cloud world by demonstrating that Dropbox's obfuscated code can be reverse-engineered, along the way capturing SSL data from the service's cloud and bypassing the two-factor authentication used to secure user data. However, as is clear from the Usenix research …

COMMENTS

This topic is closed for new posts.
  1. RLWatkins

    Two factor authentication?

    Drop Box's Web site doesn't require two-factor authentication. It requires a user ID and password: one factor.

    For a quick refresher, authentication factors can be described very simply as:

    1) What you know, e.g. a user ID and password, passphrase, secret question, etc.

    2) What you have, e.g. an RSA key, smart card, or other piece of unique hardware.

    3) What you are, usually determined biometrically.

    Using two factors is great, but people who claim it because they want a user ID *and* password, or because they demand two challenge-response sessions, e.g. a user ID and password followed by a secret question, haven't bothered to learn much about authentication.

    1. Jordan Davenport

      Re: Two factor authentication?

      Drop Box's Web site doesn't require two-factor authentication. It requires a user ID and password: one factor.

      To enable two-factor authentication for Dropbox, first log into the Dropbox website. Click your name to access the drop-down menu. Click "Settings", then click the "Security" tab. Under "Account sign in", next to "Two-step verification", click "Enable". Click "Get Started", authenticate again, and follow the wizard.

      Next time you log in, it'll ask you for a six-digit authentication code after successfully entering your password. Oh hey, what do you know - two factors!

      1. Anonymous Coward
        Stop

        Re: Two factor authentication?

        @JD - No. The OP is correct. What you describe is two _step_ authentication, not two factor authentication.

        1. Jordan Davenport
          FAIL

          Re: Two factor authentication?

          Sorry, Nicho, but your pedantry is misplaced here. What I described is indeed a second factor - what the user has, a time-based disconnected token using a supplied secret for code generation. It is the same sort of two-factor authentication as used by Google. In fact, Google's Authenticator app is completely compatible.

          1. Anonymous Coward
            FAIL

            Re: Two factor authentication?

            @JD - <facepalm>It's not pedantry. Two Factor is a technical term describing authentication that meets specific characteristics. You don't get to alter the definition to suit yourself </facepalm>

            1. Jordan Davenport

              Re: Two factor authentication?

              I didn't alter the definition. I used the term exactly as defined. Their system requires a password (something the user knows) and a token that generates time-based codes or sends a code via SMS (something the user has). Those are two factors. Period.

              Yes, I know the client apparently doesn't use 2FA, revealed in the article, but I was describing the website itself. If you were at all familiar with their implementation, you would know that the website does indeed use it. I'm not arguing about the quality of their implementation, but it is in fact 2FA. That said, you seem to be commenting on a system (theirs, in particular) with which you appear to have no familiarity.
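The "token that generates time-based codes" described in this thread is RFC 6238 TOTP, the scheme Google Authenticator implements. The following is an added illustration, not code from the article, Dropbox, or any commenter: a minimal TOTP generator and verifier in Python. The shared secret is the RFC 6238 test-vector secret, and the one-step skew window is an assumption; SMS delivery is not modelled.

```python
# Added example: RFC 4226 HOTP and RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits),
# i.e. the "something you have" factor a Google Authenticator-compatible app provides.
import base64
import hashlib
import hmac
import struct
import time

# Base32 of the RFC 6238 test-vector secret "12345678901234567890"; a real
# enrolment would use a random per-account secret (this one is for the demo only).
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP: HOTP with the counter set to the number of elapsed time steps."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, at_time // step)


def verify_totp(secret_b32: str, submitted: str, at_time=None, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` neighbouring steps.

    The skew window (assumed here) tolerates small clock drift between the phone
    and the server; the comparison is constant-time so digit matches do not leak.
    """
    if at_time is None:
        at_time = int(time.time())
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, at_time + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False
```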

              1. Anonymous Coward

                Re: Two factor authentication?

                @JD. Fair point. My Bad(tm) ..soz..

        2. Anonymous Coward
          FAIL

          Re: Two factor authentication?

          Or, what they call it on The Daily WTF: "Wish It Was Two Factor" authentication.

          If they sent you a hardware token like a Yubikey or RSA device, then it'd be two factor.

          If they sent a code out-of-band to a mobile phone via SMS, that'd be poor man's two factor (you'd need access to the phone which mimics the "token", or be able to intercept the SMS message en route).

          If they just ask you another question to test what you know, that's still only one factor.

        3. Anonymous Coward

          Re: Two factor authentication?

          @Nicho,

          IIRC DropBox uses SMS, which means it is actually two-factor authentication :-)

          Of course, if you lose your mobile, you're... ahem... buggered.

  2. This post has been deleted by its author

  3. John Deeb

    what do you know?

    As long as the second factor (what you have) is something complex enough that you cannot know or memorize it (including notes), nearly anything goes. Any 3-digit code like the one written on a credit card or some PIN is still knowing. But Dropbox uses TOTP and also supports SMS-based sending: stuff you need to have. Definitely two factors!

  4. oolor

    Factor Shmactor

    The only factor that matters is that access to your machine is required for it to work. Would it not be trivial to MITM you for any future use of the service through the compromised device, and any half-wit attacker could then change your settings for the "2nd" factor and email while plundering the files?

    Or is that too movie plot? If my wild and uninformed speculation (don't use cloud storage) is correct, would that be Null Factor Authentication?

    1. Anonymous Coward

      Re: Factor Shmactor

      Null Factor Authentication: Get it wrong 3 times in a row and everything goes into /dev/null

      Well at least your data would be safe from eyes.. prying or otherwise.

      1. oolor

        Re: /dev/null

        Once I looked up /dev/null I LOLed. I guess we could take it further by having an SQL write to blackhole just to make sure! Have a useless upvote.

  5. Jonathan Richards 1

    Leaving n-factor authentication aside for a moment...

    ... let's look at how unsafe Dropbox is following these revelations. As pointed out by El Reg, to get the stored secret that enables decryption, the attacker has to have physical access to the machine which is registered with Dropbox. At that point, instead of injecting code and whatever, wouldn't it be easier to do

    $ cp -a ~/Dropbox /media/SwagDevice && umount /media/SwagDevice

    and run away before the victim returns to the keyboard?

    IMO, the real reason you wouldn't rely on Dropbox for important security is that the cloud storage end is not proven to be hard enough. I put the same things into Dropbox that I send via gmail or blueyonder, i.e. nothing that I would be too distressed to see published.

    1. davidp231

      Re: Leaving n-factor authentication aside for a moment...

      You could even add a couple of extra commands that will keep the copying running in the background after logging out of the console. Something to do with "nohup" or something like that I think... it's one of the BOFH stories.

  6. Jerren
    Pirate

    YAP

    "As Dropbox puts it: “In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user's Dropbox, open to attacks across the board.” (More on this in a minute.) "

    Heh, do we really have a minute anymore? A minute is about all it takes on most poorly protected home computers, less if you're compromising multiple PCs on the same network (after the initial compromise of course... that point in the pen test when you notify the client's security team "it's game over man").

    The point here is that having to pwn the box first is not a barrier for anyone who wants to get your data, and once pwned this becomes just yet another pivot (YAP) to get that juicy delicious data (yum)... IMHO this is just like pivoting to attack the file server at this point, just without all that extra logging and "security features" to deal with. Which is probably where that data belongs in the first place...

    A win for pen testers and bad guys, yet another headache for corporate security teams to deal with in the age of BYOD.
