Friday, September 13, 2013

Three Reasons Why Dropbox Previews Are Security & Privacy Nightmares

This is a follow-up to my last post, Who's That Peeking in My Dropbox. I also want to say that I love the Dropbox service and use it daily; this post is written from a pure security perspective.

So the short story is that every time you upload Word documents (.DOC) to Dropbox, Dropbox opens the files in LibreOffice. This was discovered by Daniel McCauley, who used our HoneyDocs.com service and noticed the behavior. Daniel wrote a blog post that went viral.

In my blog post yesterday I was less suspicious and guessed that this might be a security feature to scan for malicious documents. I was wrong, and Dropbox's response raised more security and privacy concerns, which I address below.



1. Robo-Phishing

I'm not sure if the term "robo-phishing" exists, but it is the best way to describe this. Since Dropbox processes every document that is uploaded, an attacker could embed LibreOffice exploits that could result in remote code execution. Because Dropbox has automated this process, an attacker could use Dropbox's API to upload malicious files and compromise dozens of Dropbox's systems. Normally you would have to trick someone into opening phishing documents, but at Dropbox the opening is automated.


2. Privacy Concerns


Most people who use Dropbox assume that it keeps their documents in some sort of secure virtual drive in the cloud. This is certainly not true, and the fact that Dropbox generates previews probably means that your data (most of your text) is copied and shoved into a huge database with everyone else's data.

This means that if a system with access to that database is compromised, the intruder can potentially read everyone's data. It also means the data is not immediately encrypted, as some think, because the documents must be passed around in clear text for programs such as LibreOffice to use them.

Since at least portions of your document's text are stored in a common database, your data is indexed and searchable on a massive scale. If Dropbox has that capability, an intruder could do the same after compromising Dropbox.

3. Theoretical DDoS

I saw in this thread at Hacker News, https://news.ycombinator.com/item?id=6377712, that Dropbox's Security Team Lead Andrew Bortz admits the process is a theoretical DDoS vulnerability. Even better, they are temporarily disabling the process.

Hi everyone, this is Andrew from Dropbox.
We do use LibreOffice to render previews of Office documents for viewing in a browser, and have permitted external resource loading to make those previews as accurate as possible. While this could theoretically be used for DDoS, we haven’t seen any such behavior. However, just to be extra cautious we’ve temporarily disabled external resource loading while we explore alternatives.

In that same thread username 'helium' offers my sentiments exactly:

Hi Andrew, thanks for the explanation.
Could Dropbox perhaps let me disable this feature? I almost never use the web interface so I wouldn't miss it and I prefer that my documents are not opened after being synched.
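The external resource loading that Andrew describes in point 3 is something a preview service can check for before it hands an uploaded file to a renderer. The script below is an added example, not Dropbox's or LibreOffice's code: it walks the relationship parts of an OOXML (.docx) package and reports every relationship whose target lies outside the file, separating the ones a renderer fetches just to lay out the page (linked pictures) from the ones only followed on click (hyperlinks). The policy names, the constructed .docx contents and the beacon hostname are assumptions made for the example; legacy binary .DOC files would need a different parser.

```python
"""Find external references in an OOXML (.docx) file before it is rendered.

Added example, not Dropbox's or LibreOffice's code. It assumes the preview
pipeline receives the file as bytes and decides from the result whether to
render normally, render with external loading disabled, or reject. OOXML
stores every cross-part link in *.rels parts; a relationship with
TargetMode="External" points outside the package. The .docx files below
are constructed in memory so the script runs offline.
"""
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types whose external targets a renderer fetches while laying
# out the document (linked pictures, embedded objects, frames). Hyperlinks are
# external too but are only followed on click, so they are reported separately.
FETCHED_ON_RENDER = {"image", "oleObject", "frame"}


def external_references(docx_bytes):
    """Return one dict per TargetMode="External" relationship in any .rels part."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = posixpath.basename(rel.get("Type", ""))
                target = rel.get("Target", "")
                found.append({
                    "part": name,
                    "type": rel_type,
                    "target": target,
                    "scheme": urlparse(target).scheme.lower(),
                    "fetched_on_render": rel_type in FETCHED_ON_RENDER,
                })
    return found


def preview_policy(docx_bytes):
    """'render' if nothing external, 'isolate' if only click-time links
    (render with external loading disabled), 'reject' if the renderer would
    fetch a remote resource just to draw the page (the amplification vector)."""
    refs = external_references(docx_bytes)
    if any(r["fetched_on_render"] for r in refs):
        return "reject"
    return "isolate" if refs else "render"


def build_docx(document_rels_xml):
    """Construct a minimal .docx in memory with the given document rels (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("_rels/.rels",
                   f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                   f'Type="{OOXML_REL}officeDocument" Target="word/document.xml"/>'
                   '</Relationships>')
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", document_rels_xml)
    return buf.getvalue()


# Constructed: a document with a linked (not embedded) picture on a third-party
# host, plus an ordinary hyperlink. The hostname is a placeholder.
LINKED_PICTURE_DOCX = build_docx(
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId2" Type="{OOXML_REL}image" '
    'Target="http://beacon.example.invalid/img/doc/abc.gif" TargetMode="External"/>'
    f'<Relationship Id="rId3" Type="{OOXML_REL}hyperlink" '
    'Target="https://www.example.com/" TargetMode="External"/>'
    '</Relationships>')

# Constructed: the same document with the picture embedded inside the package.
EMBEDDED_PICTURE_DOCX = build_docx(
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId2" Type="{OOXML_REL}image" Target="media/image1.gif"/>'
    '</Relationships>')

if __name__ == "__main__":
    for label, doc in (("linked", LINKED_PICTURE_DOCX), ("embedded", EMBEDDED_PICTURE_DOCX)):
        print(label, preview_policy(doc), external_references(doc))
```

Running it prints `reject` for the linked-picture file and `render` for the embedded one. The check is cheap because it never parses document content, only the small relationship parts; a file that fails it can still be previewed if the renderer is started with external resource loading turned off.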

Thursday, September 12, 2013

Who's That Peeking in My Dropbox


A few weeks ago I unveiled a new website, HoneyDocs.com, a web application that fuses classical network honeypots with documents. HoneyDocs contain an image tag that calls back to the HoneyDocs site, for example:

<img src="https://honeydocs.herokuapp.com/img/doc/03aeeddd790efffb2d019c54327776be.gif">

You can deploy HoneyDocs on servers, laptops, and even in email. If your HoneyDocs are opened, it could mean an unauthorized user is snooping where they shouldn't be.
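As an added example, not HoneyDocs' own code, here is how the receiving side of such a beacon can be turned into a detection. The script parses web server access-log lines (constructed here, in the common combined log format) for requests to the beacon image path, maps each token back to the document it was embedded in, and separates hits whose User-Agent looks like a server-side renderer or scanner from hits that look like a person opening the file. The log format, the beacon path, the token-to-document mapping and the automated User-Agent list are assumptions.

```python
"""Classify beacon ("buzz") hits for HoneyDocs-style callback images.

Added example, not HoneyDocs' code. It assumes a web server whose access log
is in Apache/nginx "combined" format and whose beacon URLs look like
/img/doc/<token>.gif, where the token identifies the deployed document.
The log lines and the token-to-document mapping below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed: which token was embedded in which deployed document.
DEPLOYED = {
    "03aeeddd790efffb2d019c54327776be": "Q3-payroll.doc (finance share)",
    "6f1d2c9ab0e4f8d7c1b2a3e4d5f60718": "vpn-credentials.doc (laptop)",
}

# Constructed access-log lines: two renderer hits, one human open, one
# unrelated request, and one probe for a token that was never deployed.
SAMPLE_LOG = """\
54.245.10.22 - - [12/Sep/2013:18:04:11 +0000] "GET /img/doc/03aeeddd790efffb2d019c54327776be.gif HTTP/1.1" 200 43 "-" "LibreOffice"
54.245.10.22 - - [12/Sep/2013:18:04:12 +0000] "GET /img/doc/6f1d2c9ab0e4f8d7c1b2a3e4d5f60718.gif HTTP/1.1" 200 43 "-" "LibreOffice"
198.51.100.7 - - [13/Sep/2013:02:17:40 +0000] "GET /img/doc/6f1d2c9ab0e4f8d7c1b2a3e4d5f60718.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) Microsoft Office Word 2010"
198.51.100.7 - - [13/Sep/2013:02:17:41 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.9 - - [13/Sep/2013:02:20:00 +0000] "GET /img/doc/deadbeefdeadbeefdeadbeefdeadbeef.gif HTTP/1.1" 404 0 "-" "curl/7.30.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
BEACON_RE = re.compile(r"^/img/doc/(?P<token>[0-9a-f]{32})\.gif$")

# User-Agent substrings that indicate a server-side renderer or a scanner
# rather than a person double-clicking the file. Heuristic; extend as needed.
AUTOMATED_UA = ("LibreOffice", "curl/", "python-requests", "Wget")


def parse_hits(log_text):
    """Return one dict per beacon request whose token maps to a deployed document."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        b = BEACON_RE.match(m.group("path"))
        if not b:
            continue
        token = b.group("token")
        if token not in DEPLOYED:
            continue  # unknown token: a probe or typo, not a deployed document
        ua = m.group("ua")
        hits.append({
            "when": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "ip": m.group("ip"),
            "ua": ua,
            "token": token,
            "document": DEPLOYED[token],
            "automated": any(s in ua for s in AUTOMATED_UA),
        })
    return hits


def summarize(hits):
    """Group hits per document, splitting human-looking opens from automated ones."""
    report = defaultdict(lambda: {"human": [], "automated": []})
    for h in hits:
        kind = "automated" if h["automated"] else "human"
        report[h["document"]][kind].append((h["ip"], h["ua"]))
    return dict(report)


if __name__ == "__main__":
    for doc, kinds in summarize(parse_hits(SAMPLE_LOG)).items():
        print(doc)
        for kind, opens in kinds.items():
            for ip, ua in opens:
                print(f"  {kind:9s} {ip:15s} {ua}")
```

The split matters for exactly the case this post describes: a renderer User-Agent from a cloud provider's address range right after upload is a property of the storage service, while a desktop Office User-Agent from an unexpected address is the alert worth paging on.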


What Just Happened


Yesterday one of my buddies and a HoneyDocs user, Daniel McCauley, reached out and told me that he received a buzz (the HoneyDocs callback alert) from his private Dropbox account a few minutes after he uploaded HoneyDocs.

All the captures below are from Daniel.


Image 1 - Daniel's Dropbox folder

Image 2 - Buzz from Dropbox/Amazon S3 related IP addresses

Image 3 - Buzz details with LibreOffice as the User Agent

Image 4 - Geolocation from the IP address in Seattle (Amazon data center)

Image 5 - Daniel reproduces the results with buzz from different Amazon data centers by uploading additional HoneyDocs

My Conclusion


Initially I was really paranoid. The way HoneyDocs work is that someone or something has to render the documents into a view. This means someone or something at Dropbox or Amazon was opening the documents. I was able to reproduce this behavior on my own HoneyDocs account.

After contemplating all the possibilities I really think this is the result of an automated process such as malware sandboxing. It looks like Dropbox must have virtual environments set up with LibreOffice opening .DOC files as part of scanning documents for malware. This would explain the LibreOffice User Agent. It would also explain why the subsequent attempts that Daniel and I made resulted in an immediate buzz from the HoneyDocs.

There are a ton of other questions that spring to mind after discovering this behavior. I'd love to know what you think in the comments.

The cool thing for me is knowing that HoneyDocs do their job. If you haven't checked out HoneyDocs yet go to www.honeydocs.com to check the service out.

Wednesday, August 7, 2013

Ruby Programming for Information Security Professionals

I'm pleased to offer our first online course, Ruby Programming for Information Security Professionals. This course features a full day of essential Ruby programming that will have you writing your own Ruby programs and Metasploit modules by the day's end.

This course will be taught by Marcus J. Carey live via GoToWebinar on Saturday, August 17th and 24th. Attendees can decide which day they attend, or both. If you ever wanted to start writing your own scripts or Metasploit modules but didn't have a coach, here is the chance.

Dates: August 17th and 24th
Cost: $125.00 USD

For more information on the course visit https://www.threatagent.com/training

Tuesday, July 30, 2013

Hack More. Worry Less.

I read a book over the weekend that I'd like to recommend to everyone. The book was How to Stop Worrying and Start Living by Dale Carnegie which is an excellent read for anyone dealing with Information Technology and Security.

In a nutshell the book talks about dealing with worrying by assuming the worst and then working to improve the situation from there. Security professionals should definitely heed this advice.

Organizations must determine the worst-case scenario that can happen to them by allowing third-party full-scope penetration tests and regular self-assessments. This is the only way to identify the low-hanging fruit and the impact of compromises. The elephant in the room is that every organization will get compromised no matter what anyone says.

Once in the doomsday mindset, organizations can put real countermeasures in place, prepare incident response, and get those press releases ready. If you have already accepted the worst, you can go on with life with far less worry, provided everyone is on the same page. This means users and management all the way to the top must be aware of the prognosis. When an organization is compromised, it can roll with its game plan instead of panicking and worrying about jobs.

In the real world you wouldn't fire a bank teller if they were a victim of an armed robbery. Everyone should be safe unless there is some sort of extreme negligence that caused the compromise. So employees need to be trained to follow procedure in case of compromises without fear of losing their jobs. Training requires someone to play the bad guy so employees can learn from live fire.

Instead of constant worrying about getting compromised, we should hack more and worry less.

This book and its approach had such an impact on me that our new motto is "Hack more. Worry less." I will use this principle to make software, write, and teach people to hack all the things so they can take control of their worries.

Wednesday, July 24, 2013

Threat Agent Pro 2.0 with Phishable Released

Today I’m announcing the immediate availability of Threat Agent 2.0. This release allows security professionals to use Threat Agent as a primary security assessment tool. I created ThreatAgent.com to help all security professionals do their job faster and more efficiently. The addition of Phishable and Pwnxy allows us to go from reconnaissance to attack mode in a few clicks. This helps penetration testers and security teams bootstrap their assessments with lightning speed.

For the next couple of days, I’m offering Threat Agent Pro for $300 for one-year access. This deal will be available until Friday, July 26, 2013. This is insane value!! You get 120 Drone Missions per month, and unlimited Phishable campaigns.

Phishable Released

Phishable is available to all Threat Agent Pro users. Phishable is fully integrated with Drone and Pwnxy which makes for an awesome, interwoven campaign set.

The Phishing Problem

Both penetration testers and network defenders know that phishing is one of the most successful attack vectors because it targets humans. We needed a way to quickly test the human factor. That’s exactly why I wrote Phishable.

Phishable for Network Defenders

Phishable allows network defenders to run phishing campaigns, which lets them identify and train individuals who are easily susceptible to phishing attacks.

Phishable for Penetration Testers

I wrote Phishable to allow security professionals, like myself, to perform effective phishing campaigns in our penetration test engagements.

Drone 2.0

I rewrote most of Drone over the last couple of weeks. You’ll notice that your old Drone missions are gone; that’s because they were incompatible with Phishable. Drone 2.0 will give you more information on your targets. Many of you will benefit from some extra missions since I wiped the slate clean. Feel free to email if you need help related to this change.

Encoding

I’ve added encoding improvements to Drone 2.0 that result in better international support. Previously Drone only supported a small set of characters, mainly from English-speaking countries. I’ve updated Drone to force UTF-8 encoding, which helps bring more international support.

Email Wizard

I also added an email wizard that provides possible email permutations based on LinkedIn results and commonly used email formats. You can export your email list as a mailing list for Phishable.

Twitter

I added more social networking with Twitter. Facebook integration should be added shortly.

Edit LinkedIn Profiles

I added the ability to edit LinkedIn profiles which allows you to remove false positives and edit names.

DNS Enumeration

DNS Enumeration has been improved with the addition of a 1,000 sub-domain wordlist, which will in many cases expand the results found by Drone. The side effect is that the added overhead increases mission runtime, but the improved results pay off depending on the target organization.

Focus on Offense

I’ve made the decision that the Threat Agent site will only include offensive tools. The primary use case is to help penetration testers and defenders simulate real-world attacks, which means Breachbot is being removed for now. I’m up in the air about the future of Breachbot, but I’ll give an update on it soon.

Whois Information

Network and domain Whois information has been added.

Thursday, July 11, 2013

Introducing Threat Agent Pwnxy

Our latest web application release is Threat Agent Pwnxy, a proxy for information security assessments. Pwnxy allows penetration testers to proxy any website, inject code, and automatically steal most form submissions before forwarding the victim to the real site.

As usual I made it super simple to set up and run. You only need to enter a name, a description, and any code snippets to get running.

And you are done! Here's what the configuration looks like.




I include a couple of example links for you to test. Simply replace the 'u' parameter in the URL to proxy any site.

Once the victim clicks on a link, most likely delivered through spear phishing, the page of course looks legit.


When victims fill out the form, the data is submitted to your log as it happens. You can preview any hit or view the "Live Log" feed.
Tuesday, July 2, 2013

ThreatAgent.com Revamped User Interface

Over the weekend I overhauled the ThreatAgent.com UI. The big difference is that there is now a consistent look throughout the toolset. I integrated more Bootstrap and AJAX all over the place. This is a bit different from before, when there were step-by-step click-throughs to run the tools.

The big thing is that the site is more scalable and ready for new tools from a design and development perspective. Stay tuned for a major tool addition here in the next couple of days.

1. General layout with toolset drop-down menu.

2. Added modals for user input. This makes using the tools even easier.

As always, I would love to hear your feedback in the comment section or on Twitter @threatagent.