Pwnd2Pwnr Posted November 26, 2012 (edited)

Well, I have worked out MY own kinks in the DHCP world (two cups of coffee and 4 ibuprofen later). I have never really had too much trust in Dropbox, so I don't keep anything worthwhile in it; but I did find something peculiar. I think Digip has already pointed out that Dropbox is easily hacked. I have my fake AP up and running, along with my Wireshark and airodump. Going through the packets, I discovered a local packet which was sent out via mon0 (that is what I was sharking) and found 4 packets...

no 496 time 18.461144 src 10.0.0.254 dst 10.0.0.255 protocol DB-LSP-DISC length 195 info dropbox
no 497 time 18.461551 src 10.0.0.254 dst 10.0.0.255 protocol DB-LSP-DISC length 196 info dropbox
no 1368 time 48.796771 src 10.0.0.254 dst 10.0.0.255 protocol DB-LSP-DISC length 195 info dropbox
no 1369 time 48.497555 src 10.0.0.254 dst 10.0.0.255 protocol DB-LSP-DISC length 196 info dropbox

So, this is within my local address range, and I do have an active Dropbox sync folder. Is this insecurity widely known about? I do believe it has all of the data I need to access my account... but that is why I ask. Any thoughts?

Edited November 26, 2012 by Pwnd2Pwnr
whitehat Posted November 27, 2012

DropBox is horrible for security, I agree. It's been an issue for me already because my supervisor snoops on my work comp over the LAN and I had installed a 1TB DropBox for both of us on my dime, which keeps accidentally downloading new stuff in the home dir even w/ Selective Sync. FML. It's f-ing addictive for me though b/c the space seems cheap. I can't get that good of a price on VPS/DPS space. I use SpiderOak too, but it's too expensive for my 2-3TB needs.
digip Posted November 27, 2012 (edited)

10.0.0.255 is a broadcast address (depending on your subnet mask). What device on your network owns 10.0.0.254? I assume Dropbox is syncing data possibly, or checking for changes maybe, and calling home, and there are other packets showing the external Dropbox servers' IP somewhere as well? I don't think that list of data is anything to be scared of, or somehow gives anyone insight or access to your home machine or such. Curious what you think the security flaw is in the data you posted though. Other than now telling us you use a 10.x.x.x home network (we knew nothing about your local LAN IP range), and other than Wireshark showing Dropbox traffic of some kind, what is the security flaw?

From what I recall, the hacks were web based: reaching the end machines from the web side of shared file links, not publicly given to others, which enabled anyone to see the files you had stored in your Dropbox. So say you had work data stored in your Dropbox you wanted to reach from your home machine or vice versa, and it was unencrypted, and someone gained access to the Dropbox; that unencrypted data is now in the public domain when it maybe wasn't meant to be shared with others. That's one of the flaws that I recall originally that led to widespread data leaks by people who were using it to share company files, corporate private data, etc. The first one I believe used CSRF to hit people who were logged onto both Dropbox and Gmail, which caused them to submit data to sites on behalf of the attacker. The second was simply reuse of the same password in multiple places: hacked email and password leads to other hacked accounts if reused.

older vuln ->
More recent issues -> http://www.informati...iness/240005413
http://security.stackexchange.com/questions/5358/dropbox-vulnerability-details

Edited November 27, 2012 by digip
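Added example, not posted by anyone in the thread: a small Python triage script that parses Wireshark summary lines like the four Pwnd2Pwnr posted, checks each DB-LSP-DISC destination against the subnet broadcast address (which, as digip says, depends on the mask; the /24 here and the two extra lines numbered 1400 and 1401 are constructed assumptions), and inventories which local hosts are announcing a Dropbox client so an admin can decide whether LAN sync belongs on that network.

```python
import ipaddress
import re
from collections import Counter

# Matches the flattened Wireshark summary lines as they appear in the post.
LINE_RE = re.compile(
    r"no\s+(?P<no>\d+)\s+time\s+(?P<time>[\d.]+)\s+src\s+(?P<src>[\d.]+)\s+dst\s+(?P<dst>[\d.]+)"
    r"\s+protocol\s+(?P<proto>\S+)\s+length\s+(?P<length>\d+)\s+info\s+(?P<info>.*)"
)

# Four lines from the post plus two constructed ones (no 1400 and 1401) for contrast.
SAMPLE = """\
no 496 time 18.461144 src 10.0.0.254 dst 10.0.0.255 protocol DB-LSP-DISC length 195 info dropbox
no 497 time 18.461551 src 10.0.0.254 dst 10.0.0.255 protocol DB-LSP-DISC length 196 info dropbox
no 1368 time 48.796771 src 10.0.0.254 dst 10.0.0.255 protocol DB-LSP-DISC length 195 info dropbox
no 1369 time 48.497555 src 10.0.0.254 dst 10.0.0.255 protocol DB-LSP-DISC length 196 info dropbox
no 1400 time 50.100000 src 10.0.0.17 dst 10.0.0.255 protocol DB-LSP-DISC length 190 info dropbox
no 1401 time 50.200000 src 10.0.0.17 dst 10.0.1.255 protocol DB-LSP-DISC length 190 info dropbox
"""


def parse_summary(text):
    """Return one dict per parsable summary line; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["no"] = int(d["no"])
            d["length"] = int(d["length"])
            packets.append(d)
    return packets


def dropbox_lan_report(packets, cidr):
    """Count DB-LSP-DISC announcers per source host on the given LAN (assumed mask).

    Dropbox LAN sync discovery is a local broadcast, so the expected destination is the
    subnet's broadcast address; a DB-LSP-DISC frame aimed anywhere else is worth a look.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    announcers = Counter()
    odd = []
    for p in packets:
        if p["proto"] != "DB-LSP-DISC":
            continue
        if ipaddress.ip_address(p["dst"]) == net.broadcast_address:
            announcers[p["src"]] += 1
        else:
            odd.append(p["no"])
    return {"broadcast": str(net.broadcast_address),
            "announcers": dict(announcers), "odd_destinations": odd}
```

Run against the sample it reports 10.0.0.254 announcing four times and 10.0.0.17 once, and flags constructed frame 1401 because 10.0.1.255 is not the /24's broadcast address.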
Pwnd2Pwnr Posted November 27, 2012 (Author)

I was asking if the protocol itself was safe... and by the looks of it, it is... I thought that was being transmitted during my softAP... I assumed it was sent out via the Alfa... but I can now see what you mean. I deleted my Dropbox folder and stopped the sync. Thanks (again, and again for any future insight), you guys... I just don't like the synchronization protocol popping up when I am looking at broadcast signals from mon0...
digip Posted November 29, 2012

An interesting take on cloud services like Dropbox though, and why, if anything should happen like a seizure of Dropbox servers, none of your data on there, or on any site, server, or cloud storage data center, is really safe, sans encryption before uploading: http://guardedrisk.com/security/cloud-data-yours-or-not/
Pwnd2Pwnr Posted November 29, 2012 (Author)

I would steal candy from a criminal to know what you know, Digip... lol
logicalconfusion Posted January 8, 2013

So, Dropbox is apparently insecure. Who in their right mind would store unencrypted data on a public service such as Dropbox anyway? There's probably a way to program Dropbox to reach for its data outside the network where it's actually stored, after it's been encrypted by an app like TrueCrypt. It's hard to believe that it would reveal info to a packet sniffer. I guess they don't pay their developers enough to encrypt and obfuscate network traffic.
Infiltrator Posted January 8, 2013

> I would steal candy from a criminal to know what you know, Digip... lol

Well, it takes time, lots of reading, researching and talking to people to get to the level where he is now. Not to forget dedication and patience too. But I would do the same too, steal candy from a criminal.
digip Posted January 8, 2013 (edited)

Problem with Dropbox is, most often once you know the root file system of someone's site, say they share an image or file, you can often Google dork for the rest of the files from their Dropbox share if the links have ever passed through Google or any of their services, including people using older versions of Chrome, which pretty much tracks everything you did.

http://bit.ly/10aqtOg

Edited January 8, 2013 by digip
Infiltrator Posted January 8, 2013

I stopped using Dropbox services a very long time ago. From now on, I've decided to run my own web server and mail server from home. You can call me paranoid, but I am very much concerned about my personal information privacy and security integrity. Why should I trust a third party service provider to handle it for me, when I can very well do it myself?
dienalls Posted January 11, 2013

You can sync TrueCrypt containers via Dropbox (:
barry99705 Posted January 13, 2013

> Problem with Dropbox is, most often once you know the root file system of someone's site, say they share an image or file, you can often Google dork for the rest of the files from their Dropbox share if the links have ever passed through Google or any of their services, including people using older versions of Chrome, which pretty much tracks everything you did.
> http://bit.ly/10aqtOg

Wow! Chicks actually keep nude photos of themselves in Dropbox!