Description: Cloud backup solutions, such as Dropbox, provide a convenient way for users to synchronize files between their devices. These services are particularly attractive to users who always want the most current version of critical files in each location. Many of these applications "install" into the user's profile directory, and their autostart entries live in the user's registry hive (HKCU) rather than in HKLM. Users without administrative privileges can therefore install and run them without so much as triggering a UAC prompt, which makes unsanctioned installations all the more likely.
Cloud backup providers are marketing directly to corporate executives, offering services that will "increase employee productivity" or "provide virtual teaming opportunities." Offers such as these make it more likely than ever that any given corporate environment has some cloud backup solution installed.
Some theoretical research papers have previously identified the risk that cloud backup solutions pose for data exfiltration. These applications are a serious problem for Data Loss Prevention (DLP) products, because the channels DLP normally monitors are bypassed entirely: a file written into a synchronized folder inside the user profile is far harder for DLP to detect than a file attached to web-based email in the browser or copied to a removable drive.
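The install pattern described above (client binary under the user profile, autostart value in the user's hive, no admin rights required) is also what makes these clients easy to hunt for. The following PowerShell script is an added example written for this page; it is not part of the talk or of the tool it releases. It walks every loaded user hive under HKEY_USERS for Run values that reference a sync client, then looks for the client's executable under each profile's AppData directories. The client name list and the `C:\Users` profile root are assumptions; adjust both for your environment.

```powershell
# Added example (not from the original talk): hunt for cloud-sync clients that were
# installed per-user, i.e. an autostart value in a user hive (not HKLM) and an
# executable under the profile directory, which is writable without admin rights.

# Assumption: product names to look for. Extend for whatever your DLP policy covers.
$SyncClients = @('Dropbox', 'OneDrive', 'SkyDrive', 'GoogleDriveSync', 'Box')
$Pattern     = ($SyncClients -join '|')
$ProfileRoot = 'C:\Users'   # assumption: default profile root

$findings = @()

# 1. Per-user autostart: HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run
#    for every profile hive currently loaded (logged-on users and the current user).
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object {
        $sid    = $_.PSChildName
        $runKey = Join-Path $_.PSPath 'Software\Microsoft\Windows\CurrentVersion\Run'
        if (-not (Test-Path $runKey)) { return }
        $values = Get-ItemProperty -Path $runKey
        foreach ($v in $values.PSObject.Properties) {
            if ($v.Name -like 'PS*') { continue }          # provider metadata, not a Run value
            if ($v.Name -match $Pattern -or "$($v.Value)" -match $Pattern) {
                $findings += [pscustomobject]@{
                    Source = 'HKU Run value'
                    User   = $sid
                    Name   = $v.Name
                    Detail = $v.Value
                }
            }
        }
    }

# 2. Client binaries living inside the user profile (AppData\Local or AppData\Roaming).
Get-ChildItem $ProfileRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $user = $_.Name
    foreach ($sub in 'AppData\Local', 'AppData\Roaming') {
        $dir = Join-Path $_.FullName $sub
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem $dir -Directory -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $Pattern } |
            ForEach-Object {
                $exe = Get-ChildItem $_.FullName -Recurse -Filter '*.exe' -ErrorAction SilentlyContinue |
                       Select-Object -First 1
                if ($exe) {
                    $findings += [pscustomobject]@{
                        Source = 'Profile directory'
                        User   = $user
                        Name   = $_.Name
                        Detail = $exe.FullName
                    }
                }
            }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No per-user sync clients found."
} else {
    $findings | Sort-Object User, Source | Format-Table -AutoSize
}
```

Run it from an elevated prompt so that other users' profile directories are readable; hives of users who are not logged on are not mounted under HKEY_USERS, so for a full sweep load each `NTUSER.DAT` with `reg load` first, or run the check as a logon script in each user's own context.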
The contributions of this presentation are threefold. First, we show how cloud-based synchronization solutions in general, and Dropbox in particular, can be used as a vector for delivering malware to an internal network. We do this by examining a case study from a penetration test. Second, we show how specially developed malware can use the synchronization service as a Command and Control (C2) channel. Given an active C2 channel via Dropbox, an attacker can determine how to establish a more traditional C2 channel out of the network from the compromised host. Finally, we demonstrate functioning malware that uses Dropbox to exfiltrate data en masse from the network. While the idea of using cloud synchronization technologies for data exfiltration is not new, we are not aware of any functioning tools designed to exfiltrate data from a network via Dropbox.
In our experience, people tend to take potential vulnerabilities more seriously after proof of concept code is publicly available. By releasing this tool, we hope to stir up some real conversation about whether synchronization software is appropriate for all corporate environments (and if so, under what controls).
For more information, visit: http://www.blackhat.com/eu-13/briefings.html
Tags: securitytube, hacking, hackers, information security, convention, computer security, blackhat-eu-2013
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.