Dropbox and Similar Services Can Sync Malware
MIT Technology Review
quote: Dropbox and similar services have exploded in popularity in recent years because users find it so convenient to simply drag files to an icon that puts that data in the cloud, shares it with others, and automatically syncs new versions across multiple devices.
But ease of use and insecurity often go hand in hand, and now researchers are revealing an uncomfortable truth: if a computer with Dropbox functionality is compromised, the synching feature allows any malware installed by the attacker to reach other machines and networks using the service.
Stuff like this is why many of us avoid the cloud. It's good in theory, but you're still at the mercy of those nifty features. |
|
StuartMWWho Is John Galt? Premium Member join:2000-08-06 Galt's Gulch kudos:3 |
StuartMW
Premium Member
2013-Aug-25 5:18 pm
I do use Dropbox occasionally to share files. That said I only upload/download via their webpage (no installed software on my boxes). Also the files I share aren't personal data (mine or others). |
|
BlackbirdBuilt for Speed Premium Member join:2005-01-14 Fort Wayne, IN kudos:4 |
to goalieskates
It's like druggies sharing needles. Folks used to share floppies and get cross-infected... now they can share files across the cloud - with similar results. The rule of thumb is still: user beware. |
|
Mele20 Premium Member join:2001-06-05 Hilo, HI kudos:8 |
to goalieskates
So, what's it going to be like with Windows 8.1 where Skydrive is totally integrated into the OS? Even if you never set up a Microsoft account for signin, and use only a local account, you still have Skydrive and it cannot be uninstalled. Will this create vulnerabilities? I've read that in 8.1 the ONLY way to access Windows Store is via a Microsoft account signin which automatically turns on default settings for Skydrive. |
|
DocDrewaka DrDrew Premium Member join:2009-01-28 SoCal kudos:22 ARRIS TG1672 ARRIS SB6141 Linksys EA6900
|
to goalieskates
The standard is to have your A/V scan what ever files are accessible by your PC. Has that changed? Files from the internet are scanned, floppies are scanned, thumb drives are scanned, etc. Is this any different?
Someone's trying to make a mountain of a molehill. |
|
Snowy Premium Member join:2003-04-05 Kailua, HI kudos:6 ·Hawaiian Telcom
·Clearwire Wireless
·Time Warner Cable
|
Snowy
Premium Member
2013-Aug-25 9:00 pm
The importance of a new attack vector is determined by the amount of vulnerable machines it covers. An attack vector that's as widely distributed by Dropbox et al isn't a molehill, IMO.
Anyway, that's a huge leap of faith you place on your AV. |
|
DocDrewaka DrDrew Premium Member join:2009-01-28 SoCal kudos:22 ARRIS TG1672 ARRIS SB6141 Linksys EA6900
|
DocDrew
Premium Member
2013-Aug-25 10:05 pm
I have to have some faith in my a/v. It's been scanning work and school network shares for the last 10 years. It was scanning email attachments and portable drives for years before that.
It happened to catch 3 viruses on a thumb drive somebody wanted files on just last week. The last virus I caught was a network infection of Nimda...
Dropbox is just another way to share files and any new few should be scanned. |
|
Snowy Premium Member join:2003-04-05 Kailua, HI kudos:6 ·Hawaiian Telcom
·Clearwire Wireless
·Time Warner Cable
|
Snowy
Premium Member
2013-Aug-25 10:35 pm
said by DocDrew: I have to have some faith in my a/v.
Yes, running an up to date real time protection AV is better than not running one. My point was that in a battle of malware vs AV, the malware is going to win a few. Since this particular attack vector doesn't require a user to actively download the malware it takes your knowledge of what's been downloaded to your machine out of the equation. This attack vector still requires the user to run the malware which is its weak point but even at that I wouldn't call it a molehill attack just because of the sheer number of potential victim machines. |
|
DocDrewaka DrDrew Premium Member join:2009-01-28 SoCal kudos:22 ARRIS TG1672 ARRIS SB6141 Linksys EA6900
|
DocDrew
Premium Member
2013-Aug-25 11:33 pm
My point is this isn't a new attack vector. Network attached storage and shared drives that auto sync between multiple users have been around for many years. They are very common in school and work settings. Most A/Vs handle them just fine.
With the internet and media rich web pages most people don't realize or have knowledge of most of the files downloaded to their machines anyway, tons of stuff winds up in caches, temp files, memory, and other locations all over the average PC but the A/Vs scan the majority of it as it comes in by default. |
|
Snowy Premium Member join:2003-04-05 Kailua, HI kudos:6 ·Hawaiian Telcom
·Clearwire Wireless
·Time Warner Cable
|
Snowy
Premium Member
2013-Aug-25 11:54 pm
The exploit isn't talking about "caches, temp files, memory, etc...", areas that wouldn't normally be accessed by a user. Presumably, we're talking about a Dropbox etc... folder that would be accessed in the normal course of daily activity.
It's not lost on me that you're confident of your defensive strategy but an analysis of the exploit needs to look at the larger picture before claiming it's a molehill. |
|
| |
to goalieskates
I don't know about "dropbox" but I think that google-chrome's "sync" IS a problem. |
|
|
norwegian Premium Member join:2005-02-15 Outback kudos:1 |
to goalieskates
A sync function wouldn't be any different if it is in the cloud or in the network I would think. Auto-sync would make it one more step closer. The cloud also accesses a web page or utilizes port 80 or what ever port the tool utilizes, theoretically allowing extra concerns, it is not an internal protected network, nor a VPN etc, at least for the general user.
Everyone says a layered security approach helps security, so the opposite allowing more doors to sync between computers would erode such security if the correct precautions weren't adhered to.
Does a cloud provider have to scan all the traffic it transmits for the end-user/s? I'd think not, it would be like asking the ISP to filter all your internet traffic.
If I share a file, I generally pass on the link, confirm it is downloaded and then delete the link via a file share site, or just delete it after a week or use a site that deletes after a week for resource reasons. Nothing would stop me from sending a malware to another person if in a password zipped file, or enough to stop A/V scanners from accessing it.
If an exploit wanted to have code specific to a sync function I can't see it being that much different to any other malware, just specific to its design.
If the cloud host became infected, I would think sync would create a concern, but so would an infected ad or web site. I'm just having a hard time understanding why this is different to any other network already in place, in general layman's terms, maybe someone can help with specifics? |
|
Ian Premium Member join:2002-06-18 ON kudos:4 |
to goalieskates
I don't really see what's new here.
Yes, accessing a file with multiple users to multiple PCs can spread malware. Hardly news, and always a reason to be careful when doing so.
But this was accomplished easily enough long before the "cloud". I remember the company I was with getting the "I Love You Virus". Enough nitwits clicked on the attachment over Msmail that it ground our network to a halt and took hours to clean up. |
|
therube join:2004-11-11 Randallstown, MD ·Xfinity
·Verizon Online DSL
2 edits |
to goalieskates
I don't quite follow?
> if a computer with Dropbox functionality is compromised, the synching feature
> allows any malware installed by the attacker to reach other machines and
> networks using the service
OK. So are we to expect different? And if you have a Windows computer, most likely Windows has made a backup of this same malware, stored in System Restore. And if you restore your system, guess what.
So.
> many of us avoid the cloud
And just what is the "cloud". Let's expand the cloud to THE INTERNET. Well, golly gee, if you disconnect a computer from the Internet...
The "cloud" isn't some magical place where bad stuff takes place. It isn't like you can use the Internet, safely, without fear, but the, oh, "cloud" you had better watch out for. The "cloud" had to get its bad stuff from somewhere. It doesn't just drop from the, clouds. It's the Internet. You use it, I use it.
So a firm uses a service that allows traffic through its firewalls. And that traffic is what? Can do what? Is it unexpected that if you allow something...
I'm about to post this message, on the Internet, or in the cloud, if you will, & if I were able to do something malicious with this post, & you opened, read this post, well guess what.
quote: The Wizard is ... the ruler of the Land ... highly venerated ... the only man capable of solving their problems ... the Wizard appears in a different form ... as a giant head ... as a beautiful fairy ... as a ball of fire ... as a horrible monster ... a disembodied voice.
Eventually, it is revealed that Oz is actually none of these things, but rather a kind, ordinary man from Omaha, Nebraska, who has been using a lot of elaborate magic tricks and props to make himself seem "great and powerful".
Oh, & from my take on the article, it is not like having malware in "the cloud" automatically causes it to infect all other users of the cloud, it only has the possibility to infect those who access the shared files. So because I have malware in my dropbox, it is contained to me & those who may access my share. And if I have not shared it, then it is contained to me, solely. (Now if I uploaded malware & it propagated to ALL other dropbox users, that is an entirely different situation.) |
|
StuartMWWho Is John Galt? Premium Member join:2000-08-06 Galt's Gulch kudos:3 |
StuartMW
Premium Member
2013-Aug-26 10:48 am
said by therube: The "cloud" isn't some magical place where bad stuff takes place.
Or good. The issue, IMO, is the marketing surrounding "the cloud". Most people, including many in marketing, have no idea what "the cloud" is. Then again if you tell them it's a bunch of geographically dispersed servers that appear as one they don't understand that either.
IMO the bigger issue is the whole idea that one should upload and store all their personal data online. Sooner or later one is going to regret doing that. However since we live in an age where "convenience" is king (trumps security and privacy) the ability to automatically sync devices is a must have for many. |
|
norwegian Premium Member join:2005-02-15 Outback kudos:1 |
to goalieskates
Dropbox: Prepare to lose ASLR
I've just come across this and thought it worth adding to this discussion.
» codeinsecurity.wordpress ··· gnId=793
Notice that the Dropbox extension DLL doesn't have the ASLR flag set. This means that any vulnerability in Firefox becomes a lot easier to exploit, since the Dropbox module provides an unrandomised anchor for a ROP chain. Ignore PowerHookMenu.dll here - I'm aware of that issue and have notified the developer, but it's infrequently seen on people's machines so it's not so bad.
ASLR:
» en.wikipedia.org/wiki/Ad ··· mization
» www.microsoft.com/securi ··· tion_3_3
Very interesting comments when added to the question of sync as well. Anyone using Dropbox may want to deploy EMET or similar to help protect themselves if they have to run the software. |
|
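The post above turns on whether a DLL loaded into another process has the ASLR flag set, which can be checked by reading the DllCharacteristics field of its PE header. The following is an added example, not part of the thread or the linked blog post; the helper names are hypothetical and the sample module names and bytes are constructed for illustration.

```python
import struct

# DllCharacteristics bits from the PE optional header (winnt.h names).
DYNAMIC_BASE = 0x0040      # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: ASLR opt-in
HIGH_ENTROPY_VA = 0x0020   # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
NX_COMPAT = 0x0100         # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: DEP opt-in

def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image given its raw bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: no MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)         # e_lfanew
    opt = pe_off + 4 + 20                # signature + COFF header
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < opt + 72:
        raise ValueError("not a PE file: bad or truncated PE header")
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    (magic,) = struct.unpack_from("<H", data, opt)
    if opt_size < 72 or magic not in (0x10B, 0x20B):         # PE32 / PE32+
        raise ValueError("unsupported optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (flags,) = struct.unpack_from("<H", data, opt + 70)
    return flags

def mitigation_report(data: bytes) -> dict:
    flags = dll_characteristics(data)
    return {"aslr": bool(flags & DYNAMIC_BASE),
            "high_entropy_va": bool(flags & HIGH_ENTROPY_VA),
            "dep": bool(flags & NX_COMPAT)}

def missing_aslr(modules: dict) -> list:
    """Names of modules whose image does not opt in to ASLR."""
    return sorted(n for n, d in modules.items()
                  if not dll_characteristics(d) & DYNAMIC_BASE)

def build_sample_pe(flags: int) -> bytes:
    """Constructed header-only PE32 image, just enough for the parser."""
    buf = bytearray(0x40 + 4 + 20 + 96)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)           # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x40 + 20, 96)        # SizeOfOptionalHeader
    struct.pack_into("<H", buf, 0x40 + 24, 0x10B)     # PE32 magic
    struct.pack_into("<H", buf, 0x40 + 24 + 70, flags)
    return bytes(buf)

# Constructed sample: one module with ASLR+DEP, one with DEP only.
SAMPLE_MODULES = {"shell_ext_with_aslr.dll": build_sample_pe(0x0140),
                  "shell_ext_no_aslr.dll": build_sample_pe(0x0100)}
```

To audit real files, pass `open(path, "rb").read()` for each DLL a process loads; a single module without the flag gives every process that loads it a fixed-address region.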
dib22 join:2002-01-27 Kansas City, MO |
to therube
Re: Dropbox and Similar Services Can Sync Malware
said by therube: The "cloud" isn't some magical place where bad stuff takes place.
You are making the marketing people who invented the cloud cry |
|