Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 16 Aug 2013 03:21:30 +0400
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com
Subject: [openwall-announce] Looking inside the (Drop) box

Hi,

We've just posted online our USENIX WOOT '13 slides and paper entitled
"Looking inside the (Drop) box" (Security Analysis of Dropbox), by Dhiru
Kholia (Openwall and University of British Columbia) and Przemyslaw
Wegrzyn (CodePainters):

http://www.openwall.com/presentations/WOOT13-Security-Analysis-of-Dropbox/

Dhiru presented this material at WOOT in Washington D.C. on August 13.

Also available via a link from the page above is the corresponding
source code (dedrop).

Here's the abstract:

"Dropbox is a cloud based file storage service used by more than 100
million users.  In spite of its widespread popularity, we believe that
Dropbox as a platform hasn't been analyzed extensively enough from a
security standpoint.  Also, the previous work on the security analysis of
Dropbox has been heavily censored.  Moreover, the existing Python
bytecode reversing techniques are not enough for reversing hardened
applications like Dropbox.

This paper presents new and generic techniques, to reverse engineer
frozen Python applications, which are not limited to just the Dropbox
world.  We describe a method to bypass Dropbox's two factor authentication
and hijack Dropbox accounts.  Additionally, generic techniques to
intercept SSL data using code injection techniques and monkey patching
are presented.

We believe that our biggest contribution is to open up the Dropbox
platform to further security analysis and research.  Dropbox will/should
no longer be a black box.  Finally, we describe the design and
implementation of an open-source version of Dropbox client (and yes, it
runs on ARM too)."

Enjoy.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.