Please, Stop using DropBox

[Noxvayl]

Perhaps I'm weird but I'm not bothered by this news... like peterb I accept that cloud storage is inherently insecure, it is just a redundancy to what I already have as back ups and convenience with synchronisation. With regards to increased system vulnerability, I'm already more vulnerable than most in the way I run my computer and don't want to run it more securely because it gives me other problems I'd rather not have, I prefer the flexibility to re-install everything within an hour if something gets compromised rather than have a system that is almost impossible to get into. I think the longest I have run windows without re-installing is 18 months, and I didn't re-instal because of system security.

For me the likelihood of being attacked is far too low to warrant scrutinisation of all my programs to ensure my system is as safe as possible. I've also minimised the possible damage any attack could have by regular backups outside of the computer. Maybe later in my life when I store more sensitive information on my system I'll rethink my current way of using my computer, but until then security is light and my use of the computer will remain agile.

[Lucio]

I don't know if I'm reading the article correctly, but if I am the comments relating to people accepting that cloud storage is insecure are missing the point. As I'm understanding the article the issue is that by not using ASLR, they are introducing a vulnerability into the OS, which can then be exploited to install malicious software on your PC.

So it's not whether or not you risk losing the documents in the cloud, but that your PC is vulnerable to viruses and trojans designed to steal financial information.

Of course, I could be misunderstanding the point, and that it's only your account at risk

[scaryjim]

I don't know if I'm reading the article correctly ...

Yes, you are. By using a DLL without ASLR enabled, the dropbox client makes your PC more vulnerable to buffer overflow attacks and malicious code execution:

Wikipedia page on ASLR.

So whatever you think of the online security of, say, Google, they at least don't require you to install a virus back-door on your computer...

[stilkun]

As Lucio saying and scaryjim pointed about ASLR, the Dropbox desktop client on Windows can be exploited due to not using ASLR therefore making your system vulnerable to viruses and trojans or exploits.

Dropbox is typically installed under appdata\roaming under windows 7 meaning, which I could be wrong, either a program or script can call upon that folder using environment/system variable i.e say %appdata%\dropbox and referencing the dll above in the article could be used for attacks. What the article is saying that you should remove Dropbox desktop client if you do not want to expose you computer to risk and you can still upload and download files from dropbox via browser but it has file size limit on it for files being uploaded.

[TheAnimus]

Little bit mistaken stilkun.

ASLR is a mechanism that provides running programs with some protection if an exploitable bug is found in their code. The most common applications for this are WebBrowsers / Flash / Java. However the R bit means it has randomized the memory, so an attacker can not have a guarantee of being able to make the program run some code (see Buffer overflow exploits).

Now as this is loaded into say FireFox, that means a bug in firefox, which normally wouldn't allow an attacker to do anything because of ASLR, could be exploited, to allow a webpage to execute code, theoretically.

The point is that enabling ALSR is effectively a one line instruction in your build definition. Something any competent programmer would be doing as a matter of course.

It isn't just the fact that DropBox were so inept that they didn't do this. But the fact they ignored the responsible disclosure of this security issue. Let's assume they pay their staff high end London prices (they don't) it shouldn't cost more than £100 of dev time to fix this flaw, then be regression tested as part of the next cycle. To ignore such a threat shows a company that doesn't take security at all seriously.

Myself I stopped using them years ago after their first snafu (allowing other users to read your files) and stayed fully on SkyDrive, which tbh, I find the best out of the bunch anyway.

[stilkun]

Thanks for clearing that up, looks like I misunderstood that part. I primarily used TresorIT now, lucky to snag 50 GB via lifehacker website promotion before it ended in May as I was at that time a bit weary about Dropbox and their security when I was introduce to it last year.

[TheAnimus]

Update

http://www.wncinfosec.com/dropbox-opening-my-docs/

They really are a bunch of morons. This is a company that needs to quickly fade away into obscurity.

So they open and evaluate .docs that are uploaded! Eeek. What a gaping security vector.

[watercooled]

Despicable! I don't buy that de-duplication or malware scanning would trigger those events - dedup shouldn't care what a file is, it would be working on checksums for the entire file. And why would a malware scanner be opening it and executing commands like that?

At the same time, it seems somewhat unlikely it's done entirely manually, surely they'd have far too many to process, but it still smells of epic fail either way.

[mikerr]

Bad Animus doesn't post the dropbox response to this

http://news.idg.no/cw/art.cfm?id=D39...248257D755CD5F

What he was seeing is "automated backend processing that Dropbox does on certain kinds of files.

Dropbox allows users to see previews of some kinds of documents, included ".doc" ones, but it must build a preview of those documents
[so that] users can open Word, PowerPoint, PDF and text files from directly within their browser, "

It isn't some employee browsing your files.

Of course you can use the free boxcryptor to prevent this and other worries for cloud data:
http://www.pcworld.com/article/20402...the-cloud.html

[watercooled]

Why do they need to execute commands in the document to generate previews? At best, it's yet another 'oversight' demonstrating their incompetence.

[scaryjim]

What he was seeing is "automated backend processing that Dropbox does on certain kinds of files.

Doesn't change the fact that sending an http request while generating the preview is an attack vector, which dropbox apparently does nothing to mitigate. A carefully crafted .doc could easily exploit that.

[TheAnimus]

Bad Animus doesn't post the dropbox response to this

I didn't have their response.

But I also don't give a rats ass.

They should not, ever, ever, ever make a request for data to an outside zone based on a file of mine.

This means that code is been executed to perform frequently exploited (historically) functions reading my files. According to a reply on HN they use Libre to do this.

http://www.cvedetails.com/vulnerabil...breoffice.html

That component should be in complete isolation. It should be jailed and firewalled off from everything else. It being able to make public internet calls is a massive attack vector.

They have no security design, no security policy. They can go die, I don't care they hired some guy from Python.

[mikerr]

Doesn't change the fact that sending an http request while generating the preview is an attack vector, which dropbox apparently does nothing to mitigate. A carefully crafted .doc could easily exploit that.

Agreed on that - it should be done behind a firewall/sandboxed at least

[mikeo01]

And this is why I don't really trust "cloud storage". Why should I trust 3rd parties to keep my data safe; especially when News comes out like this. Dropbox has been going on since 2008. Not the best impression.

Trust yourself, keep your own data safe, at least you know what's actually happening with it

[DannyM]

I tried BitTorrent Sync (here) recently, it seemed to work fairly well, the only downside to this is that you potentially always have to have a machine always on to make sure you have the most up to date files. Most of us have servers so it shouldn't be an issue unless you're concerned about security.

It's worth looking into if you do want full control over your files.

[TooNice]

Eww.. and I spent the last 3 days heavily using DB and installing it in all my machines!! :O

I've been very busy moving back to Japan (again) and decided to dump mostly unsorted junks into my Dropbox so that I can sort them out later. I even moved some important private document on DB, but fortunately as a password protected rar file. I was starting to trust DB and didn't think it was necessary, but I guess that I will now be grabbing everything and look for an alternative >.> Is there anything that is fundamentally the same in functions (it does have ease to use on it's side and is, in my experience, pretty fast), but with the security?