Cloud backup solutions, such as Dropbox, provide a convenient way for users to synchronize files between user devices. These services are particularly attractive to users, who always want the most current version of critical files on every device. Many of these applications “install” into the user’s profile directory and the synchronization processes are placed in the user’s registry hive (HKCU). Users without administrative privileges can use these applications without so much as popping a UAC dialog. This freedom makes illicit installations of these applications all the more likely.
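The per-user install pattern described above is also what a defender can audit for. The following PowerShell script is an added example (not part of the DropSmack talk or tool): it lists the current user's HKCU autostart entries whose executable lives inside the user's profile directory and reports their Authenticode status, so unsanctioned sync clients that were installed without a UAC prompt show up.

```powershell
# Added audit example (not from the talk): enumerate per-user autostart entries
# whose executable sits inside the user's profile, the pattern used by cloud sync
# clients that install without administrative rights.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$profileRoot = $env:USERPROFILE

function Get-CommandExecutable {
    param([string]$Command)
    # Pull the executable path out of a Run value such as
    #   "C:\Users\alice\AppData\Local\Vendor\client.exe" /background
    if ($Command -match '^\s*"([^"]+)"')  { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        # Skip the PSPath/PSDrive/... metadata members the provider adds.
        if ($prop.Name -like 'PS*') { continue }
        $exe = [Environment]::ExpandEnvironmentVariables(
                   (Get-CommandExecutable ([string]$prop.Value)))
        if ($exe -like "$profileRoot\*") {
            $sig = if (Test-Path $exe) { (Get-AuthenticodeSignature $exe).Status }
                   else { 'FileMissing' }
            [pscustomobject]@{
                Key        = $key
                ValueName  = $prop.Name
                Executable = $exe
                Signature  = $sig
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

This only inspects the hive of the user running it; a fleet-wide sweep has to run in each user's context or load the other users' NTUSER.DAT hives. A valid vendor signature does not make an entry sanctioned, it only tells you which product is present.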
Cloud backup providers are marketing directly to corporate executives offering services that will “increase employee productivity” or “provide virtual teaming opportunities.” Offers such as these make it more likely than ever that any given corporate environment has some cloud backup solutions installed.
We released the DropSmack tool at Blackhat EU. This showed enterprise defenders the risks posed by cloud synchronization software and gave pen testers a new toy to play with (you can bet that pen testers weren’t the only ones who noticed). In response to feedback from the original presentation, DropSmack has been improved to deal with some of the unique operational challenges posed by synchronization environments. In particular, we added the ability to work with more synchronization services automatically.
In this talk, we’ll demonstrate how DropSmack v2 works and explain how to deploy it in an operational environment. We’ll look at some of the countermeasures to these attacks, including the encryption of synchronized files by third party software. Additionally, we’ll investigate the potential of using so-called “next generation firewalls” to defeat DropSmack.
You’ll also learn about the issues of credential storage in the context of cloud synchronization services. Several synchronization applications also use insecure authentication methods. We’ll highlight these applications so you know what works, what doesn’t, and what you should run (not walk) away from. You’ll learn about post-exploitation activities you can accomplish when your freshly compromised target is running a cloud synchronization product.
Finally, we’ll demonstrate the steps you need to follow to steal credentials for the products that store them. Why would you want to steal stored credentials for a cloud synchronization service you ask? After all, any files that have been synchronized to the cloud must already be on the machine you just compromised, right? Not necessarily. You’ll learn a variety of nasty things you can do with the cloud synchronization service portals that you may never have considered.
If you’re a network defender, you’ll leave this talk with a new appreciation of the risks posed by cloud synchronization services (and a nauseous feeling if you have them in your environment). If you are a penetration tester, you’ll leave with a new bag of tricks. Either way, a fun time is sure to be had by all.
Jake Williams, a principal consultant at CSRgroup Computer Security Consultants, has over a decade of experience in secure network design, penetration testing, incident response, forensics, and malware reverse engineering. Prior to joining CSRgroup, he worked with various government agencies in information security roles. Jake has twice won the annual DC3 Digital Forensics Challenge and has spoken at BlackHat, Shmoocon, several regional ISSA meetings, and the DC3 Conference, as well as numerous US government conferences. Jake is currently pursuing a PhD in Computer Science where he is researching new techniques for malware detection. His research interests include protocol analysis, binary analysis, malware RE methods, subverting the security of cloud technologies, and methods for identifying malware Command and Control (C2) techniques.