Two security researchers blew by Dropbox’s security features, gained access to private user files and published a paper that explained how they did it.
Their goal was to get Dropbox to create an open source version of itself, which means that anyone could look at its code and verify that the service is secure.
“Dropbox will/should no longer be a black box,” the researchers, Dhiru Kholia of Openwall and Przemysław Wegrzyn of CodePainters, wrote in their research paper.
There are a few interesting things about this Dropbox take-down. One is that, after Dropbox was hacked about a year ago, it added security features to protect users and make Dropbox more appealing to paying customers like enterprises.
For instance, it added encryption and something called “two-factor authentication” which makes users take extra steps to log into a Dropbox account.
The researchers disabled both of those protections.
More importantly, they “reverse engineered” the portion of Dropbox that runs on a user’s computer. That means they looked at Dropbox’s programming code. They shouldn’t have been able to do that. Dropbox was written in Python using techniques that prevent reverse engineering.
There are a lot of cloud services using Python and these same techniques. This means they all could be at risk.
Ultimately, the researchers want to make Dropbox safer. They are hoping others will help them build a secure, open source method for using Dropbox. This would be freely available for Dropbox to adopt, if it wanted to.
Dropbox says that this research doesn’t really put anyone’s accounts at risk. A spokesperson gave us this statement:
“We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe. However, we believe this research does not present a vulnerability in the Dropbox client. In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board.”
Snapchat really broke the mold with this whole single-serve messaging feature. Send a friend a sexy pic without the risk of anybody else seeing it? What genius! Of course some enterprising app developer was going to come along and ruin it.
Here’s a look at some of the biggest film budgets of the past three years and the differences in how they fared opening weekend:
As you can see, sometimes the risk pays off. “The Avengers” and “The Dark Knight Rises” grossed more than $2.5 billion combined.
So far this year, seven films are estimated to have larger-than-life budgets:
Most people are happy to give their neighbours a spare house key in case of emergencies, but you probably wouldn’t want to give them your digital passwords. Now security researchers have shown that you may not have a choice, at least when it comes to cloud computing.
Cloud servers let users run simulations of an ordinary computer, called virtual machines (VMs), on remote hardware. A VM performs exactly as an ordinary computer would, but because it is entirely software-based, many of them can run on a single hardware base. Yinqian Zhang of the University of North Carolina, Chapel Hill, and colleagues have discovered that it is possible for one VM to steal cryptographic keys – used to keep your data secure – from another running on the same physical hardware, potentially putting cloud-computing users at risk.
The attack exploits the fact that both VMs share the same hardware cache, a memory component that stores data for use by the computer’s processor. The attacking VM fills the cache in such a way that the target VM, which is processing a cryptographic key, is likely to overwrite some of the attacker’s data. By looking at which parts of the cache are changed, the attacking VM can learn something about the key in use.
Zhang and team did not test the attack in the cloud for real, but used hardware similar to that employed by Amazon’s cloud service to try stealing a decryption key. They were able to reconstruct a 4096-bit key in just a few hours, as reported in a paper presented at the Computer and Communications Security conference in Raleigh, North Carolina, last month.
This attack won’t apply in all situations, as an attacker would have to establish a VM on the same hardware as yours, which isn’t always possible. What’s more, an attack would not work on hardware running more than two VMs. Still, those looking to use cloud services for high-security applications may want to reconsider.
New Scientist reports, explores and interprets the results of human endeavour set in the context of society and culture, providing comprehensive coverage of science and technology news.
The FAA has approved American Airlines to be the first commercial airline to have its pilots use iPads in “all phases of flight,” rather than the 35lb paper reference manuals they’re used to.
Based on current fuel prices, The Next Web estimates that this will save the airline some $1.2M annually, across all of its aircraft. This month, AA’s 777 fleet will be the first to get the technological upgrade; by the end of this year, all fleet types are expected to have approval for the switch and the paper manuals will cease to be revised.
This is a huge environmentally friendly move for AA: not only will the lighter tablets save fuel, based on the weight carried by the planes, but they will also save paper, for every manual printed and revised, company-wide.
This would also seem to confirm what we’ve all long suspected: there is really no real risk to having a tablet turned on during take-off. [TNW]
After decades of sustained growth in the PC market (with the exception of 2001), growth is slowing to a halt. Overall PC shipments grew 4 percent last year, down from 14 percent the year before, and the lowest growth rate since 2001.
There are a few reasons for this. The global economy has been choppy since the downturn of 2008, depressing both business and consumer spending. The business PC upgrade cycle has gotten longer — Microsoft says that about two-thirds of all businesses are still using Windows Vista (which is more than five years old) or Windows XP (almost 11 years old). The introduction of the iPad in spring 2010 sucked the air out of the market for cheap tiny laptops called “netbooks,” which had been driving a lot of PC growth for the previous few years.
The release of Windows 8 later this year may drive a new wave of consumer adoption, although there’s a real risk that many consumers will find the huge design changes confusing and stick with Windows 7 or switch to Apple products instead. After that, the end of life for Windows XP in April 2014 could spur a big business upgrade cycle.
But for now, the PC market looks flat and mature.
Global Payments, a major credit card processing company, has reportedly been hacked. That means each of the four major credit card companies and, according to reports, as many as 10 million customers are at risk.
The story has been developing throughout the morning. Right now, it goes like this: Hackers gained access to an administrative-privileged account at a New York City taxi company and, over the course of several months, stole 10 million credit card numbers. They’ve been sitting on them, waiting to spend all at once to maximize the time before they’re shut down.
The Wall Street Journal puts the number of compromised accounts around 50,000, which is a far cry from 10 million. The massive number had originally been sourced to a post from a Gartner analyst, and while it seems a little far-fetched that a cab company would have millions of numbers, we’d still err on the side of caution.
Visa and Mastercard have both issued statements explaining the breach, but stressed that their networks were not specifically breached. Though that doesn’t really matter if you’re affected by the hack of “third-party processor” Global Payments. No word yet from American Express or Discover, but both are accepted by official NYC cabs.
Third-party processors like Global Payments or PayPal simplify accepting credit cards for small or spread out merchants. So a cab using GP is about the same as an eBay seller using PayPal, and this hack affects users the same way a PayPal hack would. Which is to say, very seriously.
Everyone seems to be scrambling to figure out what’s going on here, including credit card companies. What we’re going on right now is that this is probably based out of New York, and probably confined to those who’ve paid for a cab with a credit card. If you fit that description, think about preemptively checking in with your card company to protect yourself. [Gartner, PhysOrg, CNN, WSJ]
Update: Bank of America and Chase have apparently been alerting their customers about this breach for weeks, but not providing specifics beyond their individual accounts. And in some cases, alerted customers received fraudulent charges even after a card had supposedly been shut down.
Thanks Lauren & iomegaman5
Dr. Augustine Fou is Digital Consigliere to marketing executives, advising them on digital strategy and Unified Marketing(tm). Dr Fou has over 17 years of in-the-trenches, hands-on experience, which enables him to provide objective, in-depth assessments of their current marketing programs and recommendations for improving business impact and ROI using digital insights.