Dropbox security glitch
description
Transcript of Dropbox security glitch
![Page 1: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/1.jpg)
Dropbox security glitchCASE STUDY
Lewis ScaifeSYSM 6309 Advanced Requirements Engineering
Summer 2013Professor – Dr. Lawrence Chung
![Page 2: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/2.jpg)
The Problem/Incident• Internal company action compromised system security.• Software patch/update introduced software bug compromising authentication mechanism.•On June 19, 2011 from 1:54pm PT until 5:46pm PT, all users accounts could be accessed using any password.
![Page 3: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/3.jpg)
Impact•Dropbox had 25 million users at the time of the incident.• Loss in confidence that data is secure within Dropbox infrastructure.• Loss of confidence in cloud community as a whole.
![Page 4: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/4.jpg)
Company ResponseHi Dropboxers, Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner. If you’re concerned about any activity that has occurred in your account, you can contact us at [email protected] should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.-Arash
![Page 5: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/5.jpg)
Process•Were software requirements specified?
•Were quality controls in place during software development?
•Did Dropbox test software patch before deploying it within their production environment.?
![Page 6: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/6.jpg)
Regression Testing•Functionality of existing code should not change when new code is inserted within the program.
•Attempts to find bugs introduced by small changes/updates in a program.
•Test case selection and prioritization.
![Page 7: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/7.jpg)
Goals for Case Study•Develop measures to decrease the probability of a software bug causing authentication vulnerabilities.
•Research testing and validation tools which can be used to verify functionality of code prior to release.
• Present findings.
![Page 8: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/8.jpg)
Deliverable• No data was obtained that identified the segment of code
that caused the error.
• The security glitch was most likely caused by access control or authentication system failures.
• Authentication bypass• Access control check
• Processes and Tools.
![Page 9: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/9.jpg)
ScenarioI need the new
software functionality implemented and
placed in production today!!
Sure thing! I am almost finished. The code update will be
ready today.CODE
#include <time.h>Int = 100a=bcIf a=100do (a=b+c)
Production Server
Boss
Programmer/s
![Page 10: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/10.jpg)
ScenarioHave you all been to
the new Dropbox website? Yes. They made a new
code change. The site looks great!!
I will check it out after lunch.
![Page 11: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/11.jpg)
Scenario
Production Server
www.dropbox.com
![Page 12: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/12.jpg)
Scenario
Production Server
Web User: User X Password: *****
![Page 13: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/13.jpg)
Scenario
Web User: User X Password: *****
Wait! I successfully
logged in with the incorrect
password
![Page 14: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/14.jpg)
Scenario
I want answer!
Customers
DropboxCustomer Service
![Page 15: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/15.jpg)
Scenario
CODE
#include <time.h>Int = 100a=bcIf a=100do (a=b+c)
Fix it NOW!
Right away!
Production Server
Boss
Programmer/s
Corrected Program
![Page 16: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/16.jpg)
Scenario
Web User: User X Password: ***** I am happy
they fixed the authentication issue. I feel
my information is secure again
I will never use
Dropbox again !!!
![Page 17: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/17.jpg)
Solution• Process
• ITIL• Security Audit
![Page 18: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/18.jpg)
Solution• Tools
•Nemesis
•Used to mitigate Authentication and Access Control Vulnerabilities in Web Applications.
![Page 19: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/19.jpg)
Nemesis• How it works….• Shadow authentication system that tracks flow of user
credentials through application’s runtime.
• Dynamic Information Flow Tracking (DIFT).• Relies on some developer input.• Does not rely on correctness of existing code.• Agnostic.• Tracks two bits:
⁻ Credentials⁻ User Input
![Page 20: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/20.jpg)
Nemesis• Provides a system of checks and balances.• It interfaces with the web application authentication systems and verifies all access control and user inputs are satisfied before granting access.
![Page 21: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/21.jpg)
ScenarioI need the new
software functionality implemented and
placed in production today!!
Sure thing! I am almost finished. The code update will be
ready today.
CODE
#include <time.h>Int = 100a=bcIf a=100do (a=b+c)
Boss
Programmer/s
Development Server
Security Audit
PASSFAIL
Production Server
Nemesis
![Page 22: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/22.jpg)
ScenarioHave you all been to
the new Dropbox website? Yes. They made a new
code change. The site looks great!!
I will check it out after lunch.
![Page 23: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/23.jpg)
Scenario
Production Server
www.dropbox.com
![Page 24: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/24.jpg)
Scenario
Production Server
Web User: User X Password: *****
Nemesis
![Page 25: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/25.jpg)
Scenario
Dropbox is the best !!!
![Page 26: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/26.jpg)
Questions
?
![Page 27: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/27.jpg)
References• M. Dalton, C. Kozyrakis, and N. Zeldovich. Nemesis:
Preventing Authentication and Access Control Vulnerabilities in Web Applications. In Proceedings of the USENIX Security Symposium, 2009.
![Page 28: Dropbox security glitch](https://reader035.fdocuments.net/reader035/viewer/2022062411/5681676e550346895ddc577a/html5/thumbnails/28.jpg)