
posted by janrinok on Friday August 07 2015, @05:05PM
from the problem-with-clouds dept.

File synchronization services, used to accommodate roaming employees inside organizations, can also be a weak point that attackers could exploit to remain undetected inside compromised networks.

Researchers from security firm Imperva found that attackers could easily hijack user accounts for services from Dropbox, Google Drive, Microsoft OneDrive and Box if they gain limited access to computers where such programs run -- without actually stealing user names and passwords.

Once the accounts are hijacked, attackers could use them to grab the data stored in them, and to remotely control the compromised computers without using any malware programs that could be detected by antivirus and other security products.

The Imperva researchers found that all of the file synchronization applications they looked at provide continued access to users' cloud storage accounts via access tokens that are generated after users log in for the first time. These tokens are stored on users' computers in special files, in the Windows registry or in the Windows Credential Manager, depending on the application.

The researchers developed a simple tool they dubbed Switcher, whose role is to perform what they call a "double-switch" attack.

Switcher can be deployed on the system through a malicious email attachment or a drive-by download exploit that takes advantage of a vulnerability in a browser plug-in. If an exploit is used, the program doesn't even have to be written to disk. It can be loaded directly into the computer's memory and doesn't need high-level privileges to execute its routine.

The Switcher first makes a copy of the user's access token for the targeted file synchronization app and replaces it with one that corresponds to an account controlled by the attacker. It then restarts the application so that it synchronizes with the attacker's account.

The previously saved user token is then copied into the synchronized folder, so the attacker receives a copy, after which Switcher restores it, linking the application back to the user's real account -- hence the name "double-switch".

However, since the attacker now has a copy of the user's access token, he can use the Switcher on his own computer and synchronize it with the user's real account, getting a copy of all of the files stored in it.

The attack can be taken to the next step by having the Switcher create a scheduled task or a Windows Management Instrumentation (WMI) event that would be triggered when a specific file appears in the synchronized folder. That file could be created by the attacker and could contain commands to be executed by the scheduled task.

This mechanism would give the attacker persistent remote access to the computer even after Switcher deletes itself or is removed from memory. After executing a command and saving its output to the synchronized folder, the attacker could delete it, as well as the trigger file in order to cover his tracks.
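The two behaviours described above leave a recognisable footprint on the endpoint: the sync client's stored token is rewritten by a process other than the client itself, the client is restarted immediately afterwards, this happens twice within a few minutes, and a scheduled task or WMI subscription is created that points into the synchronized folder. The following detector is an added example and is not part of the article or of Imperva's Switcher tool; the log format, the client name SyncApp.exe, the token-store path, the synced-folder path and the process names in the sample are all constructed for illustration. In practice the same fields would be populated from Sysmon or EDR telemetry (process start/stop, file and registry writes, scheduled-task and WMI event-subscription creation).

```python
"""Detect the token-swap ("double-switch") and sync-folder persistence pattern.

Added example; everything below is constructed for illustration, including the
log line format, the sync client name and the paths.  Map real telemetry
(Sysmon / EDR process, file, registry, task and WMI events) onto these fields.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Facts a defender knows about their own estate (hypothetical values).
SYNC_APP = "syncapp.exe"                        # legitimate sync client binary
TOKEN_STORES = {                                # where that client keeps its access token
    r"c:\users\alice\appdata\local\syncapp\token.db",
}
SYNC_FOLDER = r"c:\users\alice\syncfolder"      # folder the client synchronises
SWAP_WINDOW = timedelta(minutes=2)              # token write -> client restart gap
DOUBLE_SWITCH_WINDOW = timedelta(minutes=15)    # two swaps this close = double switch


@dataclass
class Event:
    ts: datetime
    kind: str
    fields: dict


def parse_line(line):
    """Parse 'ISO-time|kind|key=value|key=value...' (constructed format) into an Event."""
    ts, kind, *rest = line.strip().split("|")
    fields = dict(part.split("=", 1) for part in rest if part)
    return Event(datetime.fromisoformat(ts), kind, fields)


def detect(lines):
    """Return a list of finding strings for the given log lines."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    findings = []

    # 1. The token store being written by anything other than the sync client itself.
    foreign_writes = [
        e for e in events
        if e.kind in ("file_write", "reg_write")
        and e.fields.get("path", "").lower() in TOKEN_STORES
        and e.fields.get("proc", "").lower() != SYNC_APP
    ]
    restarts = [e.ts for e in events
                if e.kind == "proc_start" and e.fields.get("proc", "").lower() == SYNC_APP]

    # 2. A foreign write followed by a client restart within SWAP_WINDOW is one switch.
    swaps = []
    for w in foreign_writes:
        if any(w.ts <= r <= w.ts + SWAP_WINDOW for r in restarts):
            swaps.append(w)
            findings.append(f"token_swap at {w.ts.isoformat()} by {w.fields['proc']}")

    # 3. Two switches close together is the double-switch signature.
    for a, b in zip(swaps, swaps[1:]):
        if b.ts - a.ts <= DOUBLE_SWITCH_WINDOW:
            findings.append(f"double_switch between {a.ts.isoformat()} and {b.ts.isoformat()}")

    # 4. Persistence whose trigger or action lives inside the synchronized folder.
    for e in events:
        if e.kind in ("task_create", "wmi_subscription"):
            blob = " ".join(e.fields.values()).lower()
            if SYNC_FOLDER in blob:
                findings.append(f"sync_folder_persistence {e.kind} {e.fields.get('name', '')}")
    return findings


# Constructed sample telemetry: a double switch, sync-folder persistence, and one
# benign token refresh by the client itself (which must not be flagged).
SAMPLE_LOG = r"""2015-08-07T17:05:00|proc_start|proc=SyncApp.exe
2015-08-07T17:06:10|file_write|proc=Updater.exe|path=C:\Users\alice\AppData\Local\SyncApp\token.db
2015-08-07T17:06:12|proc_stop|proc=SyncApp.exe
2015-08-07T17:06:15|proc_start|proc=SyncApp.exe
2015-08-07T17:06:40|file_create|proc=Updater.exe|path=C:\Users\alice\SyncFolder\token.bak
2015-08-07T17:07:30|file_write|proc=Updater.exe|path=C:\Users\alice\AppData\Local\SyncApp\token.db
2015-08-07T17:07:31|proc_stop|proc=SyncApp.exe
2015-08-07T17:07:34|proc_start|proc=SyncApp.exe
2015-08-07T17:08:00|task_create|proc=Updater.exe|name=SyncHelper|action=cmd.exe /c C:\Users\alice\SyncFolder\run.cmd
2015-08-07T17:08:05|wmi_subscription|proc=Updater.exe|name=SyncWatch|filter=__InstanceCreationEvent CIM_DataFile C:\Users\alice\SyncFolder\go.txt
2015-08-07T17:20:00|file_write|proc=SyncApp.exe|path=C:\Users\alice\AppData\Local\SyncApp\token.db
"""

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

The write at 17:20 by the client itself produces no finding, which is the point of keying on the writing process rather than on the token file changing at all: sync clients legitimately refresh their own tokens. The persistence check is deliberately coarse (any task or WMI subscription referencing the synced folder) because a benign reason for a scheduled task to act on a file that appears in a cloud-synced folder is rare enough to be worth a look.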


  • (Score: 2, Interesting) by Hyperturtle (2824) on Friday August 07 2015, @08:29PM (#219687)

    The cloud is as secure as the... wait why is it more secure just because it's online somewhere else?

    Two-factor authentication with a decent grade of encryption, such as a VPN client (IPSEC or I guess SSL... but SSL seems to have its own share of issues) is more secure, but is incredibly less convenient.

    Some genies are hard to stuff back into the bottle; businesses using a sync product are often locked in and find it difficult to get it all back if they wish to bring it in house. Employees can be their worst enemies when convenience is at stake.

  • (Score: 1) by Hyperturtle (2824) on Friday August 07 2015, @08:35PM (#219689)

    I wanted to comment on myself -- I wanted to be a bit more clear.

    I am making reference to the means of isolating the files from not being available on a public facing server or device that could then be used to exploit things as described in the article.

    It appears that a common denominator is not that a file share that is syncing is used, it's that a file share sync token is specifically the problem and can be replayed or presented back to the public facing connectivity of the file sharing service.

    Using encryption won't help you nor two factor in that case, if you are already authenticated, what have you.

    The issue is that if your file share was secured locally, then there would be no easy way for an attacker to provide the false identity to it -- without first having to break into your network where the server was stored.

    My statement above may have made it look like ipsec or ssl or two factor authentication was the solution -- it's not. A local, non-internet facing depository that is accessed via any myriad of secure methods would be more secure than a public website with a lock icon that anyone in the world can try to access as many times as they like. At those places--you know the files are there.

    At a file share on a local network reachable only via a secured VPN connection, the VPN target need not even have a DNS name, and can go entirely unnoticed if someone scanned for low hanging fruit against the corporate public IP addressing.

    • (Score: 2) by skullz (2532) on Friday August 07 2015, @08:48PM (#219692)

      Yup, I don't store sensitive info (or at least I hope I don't!) on Teh Cloud but I do have a lot of pictures, notes, PDF books, etc. I find it very convenient. My concern is ransomware that encrypts my cloud drive and I have to delete it all. Not really bad but a pain and not something I could recover from if I don't have an offline copy somewhere (which I have been neglecting).

      It is shocking, shocking I tell you that this hack is literally just picking up the keys which were left open on the disk and opening up a new door, one that can't be closed by changing the password. All without Windows' sudo.