1 / 28

Dropbox security glitch

Dropbox security glitch. Lewis Scaife SYSM 6309 Advanced Requirements Engineering Summer 2013 Professor – Dr. Lawrence Chung. Case STUDY. The Problem/Incident. Internal company action compromised system security.

rusti
Download Presentation

Dropbox security glitch

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Dropbox security glitch Lewis Scaife SYSM 6309 Advanced Requirements Engineering Summer 2013 Professor – Dr. Lawrence Chung Case STUDY

  2. The Problem/Incident • Internal company action compromised system security. • Software patch/update introduced software bug compromising authentication mechanism. • On June 19, 2011 from 1:54pm PT until 5:46pm PT, all users accounts could be accessed using any password.

  3. Impact • Dropbox had 25 million users at the time of the incident. • Loss in confidence that data is secure within Dropbox infrastructure. • Loss of confidence in cloud community as a whole.

  4. Company Response Hi Dropboxers,  Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions. We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner. If you’re concerned about any activity that has occurred in your account, you can contact us at support@dropbox.com. This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again. -Arash

  5. Process • Were software requirements specified? • Were quality controls in place during software development? • Did Dropbox test software patch before deploying it within their production environment.?

  6. Regression Testing • Functionality of existing code should not change when new code is inserted within the program. • Attempts to find bugs introduced by small changes/updates in a program. • Test case selection and prioritization.

  7. Goals for Case Study • Develop measures to decrease the probability of a software bug causing authentication vulnerabilities. • Research testing and validation tools which can be used to verify functionality of code prior to release. • Present findings.

  8. Deliverable • No data was obtained that identified the segment of code that caused the error. • The security glitch was most likely caused by access control or authentication system failures. • Authentication bypass • Access control check • Processes and Tools.

  9. Scenario I need the new software functionality implemented and placed in production today!! Sure thing! I am almost finished. The code update will be ready today. Boss Programmer/s

  10. Scenario Have you all been to the new Dropbox website? Yes. They made a new code change. The site looks great!! I will check it out after lunch.

  11. Scenario www.dropbox.com

  12. Scenario Web User: User X Password: *****

  13. Scenario Wait! I successfully logged in with the incorrect password Web User: User X Password: *****

  14. Scenario I want answer! Dropbox Customer Service Customers

  15. Scenario Fix it NOW! Right away! Boss Corrected Program Programmer/s

  16. Scenario I will never use Dropbox again !!! Web User: User X Password: ***** I am happy they fixed the authentication issue. I feel my information is secure again

  17. Solution • Process • ITIL • Security Audit

  18. Solution • Tools • Nemesis • Used to mitigate Authentication and Access Control Vulnerabilities in Web Applications.

  19. Nemesis • How it works…. • Shadow authentication system that tracks flow of user credentials through application’s runtime. • Dynamic Information Flow Tracking (DIFT). • Relies on some developer input. • Does not rely on correctness of existing code. • Agnostic. • Tracks two bits: • Credentials • User Input

  20. Nemesis • Provides a system of checks and balances. • It interfaces with the web application authentication systems and verifies all access control and user inputs are satisfied before granting access.

  21. Nemesis Scenario I need the new software functionality implemented and placed in production today!! Security Audit PASS Development Server FAIL Sure thing! I am almost finished. The code update will be ready today. Boss Programmer/s

  22. Scenario Have you all been to the new Dropbox website? Yes. They made a new code change. The site looks great!! I will check it out after lunch.

  23. Scenario www.dropbox.com

  24. Nemesis Scenario Web User: User X Password: *****

  25. Scenario Dropbox is the best !!!

  26. Questions ?

  27. References • M. Dalton, C. Kozyrakis, and N. Zeldovich. Nemesis: Preventing Authentication and Access Control Vulnerabilities in Web Applications. In Proceedings of the USENIX Security Symposium, 2009.

More Related