Date: Fri, 16 Aug 2013 03:21:30 +0400
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com
Subject: [openwall-announce] Looking inside the (Drop) box

Hi,

We've just posted online our USENIX WOOT '13 slides and paper entitled
"Looking inside the (Drop) box" (Security Analysis of Dropbox), by Dhiru
Kholia (Openwall and University of British Columbia) and Przemyslaw
Wegrzyn (CodePainters):

http://www.openwall.com/presentations/WOOT13-Security-Analysis-of-Dropbox/

Dhiru presented this material at WOOT in Washington D.C. on August 13.

Also available via a link from the page above is the corresponding
source code (dedrop).

Here's the abstract:

"Dropbox is a cloud based file storage service used by more than 100
million users.  In spite of its widespread popularity, we believe that
Dropbox as a platform hasn't been analyzed extensively enough from a
security standpoint.  Also, the previous work on the security analysis of
Dropbox has been heavily censored.  Moreover, the existing Python
bytecode reversing techniques are not enough for reversing hardened
applications like Dropbox.

This paper presents new and generic techniques, to reverse engineer
frozen Python applications, which are not limited to just the Dropbox
world.  We describe a method to bypass Dropbox's two factor authentication
and hijack Dropbox accounts.  Additionally, generic techniques to
intercept SSL data using code injection techniques and monkey patching
are presented.

We believe that our biggest contribution is to open up the Dropbox
platform to further security analysis and research.  Dropbox will/should
no longer be a black box.  Finally, we describe the design and
implementation of an open-source version of Dropbox client (and yes, it
runs on ARM too)."

Enjoy.

Alexander
