SlideShare ist ein Scribd-Unternehmen logo
1 von 30
Downloaden Sie, um offline zu lesen
THE (IN)SECURITY OF
            FILE HOSTING SERVICES
                 Nick Nikiforakis, Marco Balduzzi
        Steven Van Acker, Wouter Joosen, Davide Balzarotti




6th July 2011          OWASP Netherland Chapter Meeting
Sharing is caring
    Internet expanding
       More users
       More Web services

       More Web technologies

    Users need to share files
       P2P is not always the answer
       Emails?
Sharing Services
  Broad selection of services with a wide variety of
   applications
  Accessible through the Web from anywhere

  No software-bloating for users

  More free software due

     to a different way of
     making profit
Bad news…
     A user’s data is now located somewhere else:
        Privacy

        Availability

        Integrity


•  Sad story (T-Mobile & Microsoft):
      –  2009: “personal information stored
         on your device--such as contacts,
         calendar entries, to-do lists or
         photos--that is no longer on your
         Sidekick almost certainly has been
         lost as a result of a server failure
         at Microsoft/Danger”
File Hosting Services
  Cloud-storage for the masses
  Share files with other users

  Security through obscurity access-control

  Sharing personal documents as well as pirated files
Lifecycle of a file
  Alice decides to shares some digital content (file)
   through a FHS
  FHS received the file, stores it on its Cloud and
   generates an identifier which it:
     i.     binds with the uploaded file
     ii.    returns to the user in a URI form:
            http://www.easy-share.com/1916472551/
            noctambus.pdf
     URI is shared depending on the nature of the
      uploaded file
File Identifier & Privacy
    The identifier (ID) is used to enforce access-control in
     a security-through-obscurity way
       ID   == access to file


    FHS are typically not-searchable
       ID acts as a shared secret between a FHS and each
        user’s files
       Non-owners should not be able to “guess” this secret
100 FHSs: How many privacy-aware?

    We studied 100 FHSs to discover, among others, the
     way they generate unique “secret” identifiers
       Uploading   files, recording the given ID and comparing
    Removed 12 that had search/browse capabilities
Sequential IDs
    34/88 FHS were generating sequential identifiers
       numeric,   or alphanumerical
    20/34 did not append any other non-guessable
     information
       e.g.   filename or secondary ID
    E.g.
       http://vulnerable.com/9996

       http://vulnerable.com/9997

       http://vulnerable.com/9998
Sequential IDs
  Designed a crawler for the 20 sequential FHS
  Run for 30 days

       Random  delays to limit bandwidth and blacklisting
       Scraping only the filenames and sizes (privacy)

    Results:
       >   310,000 file records
Finding private files…
  Depending on the nature of a file, it will be shared
   in different ways
  Exploit the ubiquity of search-engine crawlers to
   characterize a file as private or public.
  Given a filename

       0   search results -> Private
Private Files Results
    Using Bing:
       54.16%  of files returned 0 search results
       Rough approximation of private files due to close pirate
        communities
            Filetype                   #Private documents
            Images (JPG, GIF, BMP)     27,711
            Archives (ZIP)             13,354
            Portable Document Format   7,137
            MS Office Word             3,686
            MS Office Excel Sheets     1,182
            MS Office PowerPoint       967
Identifiers of 100 FHSs (summary)
Non-Sequential IDs
  54 FHSs adopt non-sequential identifiers
  len(ID)
Non-Sequential IDs
  54 FHSs adopt non-sequential identifiers
  len(C_SET)
Random but short
    Brute-force short random identifiers

        Length     Charset        #Tries    #Files Found
        6          Numeric        617,169   728
        6          Alphanumeric   526,650   586
        8          Numeric        920,631   332
Design & Implementation errors
    Security audit of a popular FHS software product
       Used  in 13% of FHSs
       Directory traversal vulnerability

       De-randomization attack for deletion code
         Report-link
                    contained the first 10 characters of the 14-
         charater delete code
               16^14 -> 16^4 combinations
Status…
    File hosting services are not privacy-aware
       Sequential  identifiers
       Weak non-sequential identifiers

       Bugs in their source code

    Do attackers know about this?
       How   do we found out?
Honeypot experiment
    Honeyfiles promising valuable content
       Phished_paypal_details.html!
       Paypal_account_gen.exe!
       Sniffed_email1.doc!


    Each file connects back to our monitor server when
     opened
       <img/>   in HTML files
       embedded HTML in doc files
       TCP socket in executables
       Attempt to open page in pdf files
Carding forum
    One of the decoy files contained valid credentials
     for our fake forum
           card3rz_reg_details.html!

    Fake underground carding community
       card3rz.co.cc

    Reasons:
     i.       Hide our monitors
     ii.      Do attackers use data that they find in illegally
              obtained files?
NOW
Honeypot experiment: results
    Monitoring sequential FHSs for 30 days

  275 honeyfiles accesses
  More than 80 unique IP addresses

  7 different sequential FHSs

       1 had a catalogue functionality
       2 had a search functionality

       4 had neither!

    Accesses from all around the world
Geo-location of the bad-guys
HoneyFiles results
    Download ratio of each file:

          Claimed content                        Download ratio
          Credentials to PayPal accounts         40.36%
          Credentials for card3rz.co.cc          21.81%
          PayPal account Generator               17.45%
          Leaked customer list                   9.09%
          Sniffed email                          6.81%
          List of emails for spamming purposes   5.09%
card3rz.co.cc results
    93 successful logins
       43different IP addresses
       32% came back at a later time

    Attacks against the monitor and the login-form
       SQL-injection   & file-inclusion attacks


    Attackers do in-fact use data from illegally
     obtained files
Status…
    File hosting services are vulnerable
       Sequential  identifiers
       Weak non-sequential identifiers

       Bugs in their source code

    Attackers are abusing them
       They   are using the data found in other user’s files
SecureFS
  A client must protect himself
  Encryption is a good way

       Do   people know how to?
       If they do know, does their OS assist them?



    SecureFS
       Encryption
                 to protect a user’s data
       Steganography to mislead potential attackers


    Project site: http://www.securitee.org/sfs/
SecureFS

  Browser-plugin monitoring uploads and downloads
  Protects uploads on-the-fly


                            important.doc

           SFS_HDR   ENC(important.doc,RND_KEY)   ZIP(FAKE)


  Browser-plugin monitoring uploads and downloads
  Rewrites download links to include the random key

       http://unsafefhs.com/12345

       http://unsafefhs.com/12345/sfs_key/[RND_KEY]
Conclusion
    Large percentage of FHSs fail to provide the user
     with adequate privacy
       Hundreds   of thousands of files ready to be misused
  Attackers know & exploit this fact
  A user must protect himself:

       SecureFS
Questions

Weitere ähnliche Inhalte

Was ist angesagt?

Reconnaissance & Scanning
Reconnaissance & ScanningReconnaissance & Scanning
Reconnaissance & Scanningamiable_indian
 
Decoy documents: Baiting an Insider
Decoy documents: Baiting an InsiderDecoy documents: Baiting an Insider
Decoy documents: Baiting an InsiderD Dastagiri
 
cyberlaws and cyberforensics,biometrics
cyberlaws and cyberforensics,biometricscyberlaws and cyberforensics,biometrics
cyberlaws and cyberforensics,biometricsMayank Diwakar
 
why security is needed
why security is neededwhy security is needed
why security is neededsourov_das
 
Module 19 (evading ids, firewalls and honeypots)
Module 19 (evading ids, firewalls and honeypots)Module 19 (evading ids, firewalls and honeypots)
Module 19 (evading ids, firewalls and honeypots)Wail Hassan
 
Combating cyber security through forensic investigation tools
Combating cyber security through forensic investigation toolsCombating cyber security through forensic investigation tools
Combating cyber security through forensic investigation toolsVenkata Sreeram
 
Module 20 (buffer overflows)
Module 20 (buffer overflows)Module 20 (buffer overflows)
Module 20 (buffer overflows)Wail Hassan
 
Introduction to Web Server Security
Introduction to Web Server SecurityIntroduction to Web Server Security
Introduction to Web Server SecurityJITENDRA KUMAR PATEL
 
Module 18 (linux hacking)
Module 18 (linux hacking)Module 18 (linux hacking)
Module 18 (linux hacking)Wail Hassan
 
Web Server Security Guidelines
Web Server Security GuidelinesWeb Server Security Guidelines
Web Server Security Guidelineswebhostingguy
 
Hunting malware via memory forensics
Hunting malware via memory forensicsHunting malware via memory forensics
Hunting malware via memory forensicsSriram Krishnan
 
A comprehensive survey ransomware attacks prevention, monitoring and damage c...
A comprehensive survey ransomware attacks prevention, monitoring and damage c...A comprehensive survey ransomware attacks prevention, monitoring and damage c...
A comprehensive survey ransomware attacks prevention, monitoring and damage c...RSIS International
 
Comparative Study of Fileless Ransomware
Comparative Study of Fileless RansomwareComparative Study of Fileless Ransomware
Comparative Study of Fileless Ransomwareijtsrd
 

Was ist angesagt? (19)

Reconnaissance & Scanning
Reconnaissance & ScanningReconnaissance & Scanning
Reconnaissance & Scanning
 
Decoy documents: Baiting an Insider
Decoy documents: Baiting an InsiderDecoy documents: Baiting an Insider
Decoy documents: Baiting an Insider
 
Decoy documents
Decoy documentsDecoy documents
Decoy documents
 
cyberlaws and cyberforensics,biometrics
cyberlaws and cyberforensics,biometricscyberlaws and cyberforensics,biometrics
cyberlaws and cyberforensics,biometrics
 
Network security
Network securityNetwork security
Network security
 
why security is needed
why security is neededwhy security is needed
why security is needed
 
information security and backup system
information security and backup systeminformation security and backup system
information security and backup system
 
Module 19 (evading ids, firewalls and honeypots)
Module 19 (evading ids, firewalls and honeypots)Module 19 (evading ids, firewalls and honeypots)
Module 19 (evading ids, firewalls and honeypots)
 
Combating cyber security through forensic investigation tools
Combating cyber security through forensic investigation toolsCombating cyber security through forensic investigation tools
Combating cyber security through forensic investigation tools
 
Module 20 (buffer overflows)
Module 20 (buffer overflows)Module 20 (buffer overflows)
Module 20 (buffer overflows)
 
Introduction to Web Server Security
Introduction to Web Server SecurityIntroduction to Web Server Security
Introduction to Web Server Security
 
Computer security
Computer securityComputer security
Computer security
 
Module 18 (linux hacking)
Module 18 (linux hacking)Module 18 (linux hacking)
Module 18 (linux hacking)
 
Web Server Security Guidelines
Web Server Security GuidelinesWeb Server Security Guidelines
Web Server Security Guidelines
 
IT forensic
IT forensicIT forensic
IT forensic
 
Network security
Network securityNetwork security
Network security
 
Hunting malware via memory forensics
Hunting malware via memory forensicsHunting malware via memory forensics
Hunting malware via memory forensics
 
A comprehensive survey ransomware attacks prevention, monitoring and damage c...
A comprehensive survey ransomware attacks prevention, monitoring and damage c...A comprehensive survey ransomware attacks prevention, monitoring and damage c...
A comprehensive survey ransomware attacks prevention, monitoring and damage c...
 
Comparative Study of Fileless Ransomware
Comparative Study of Fileless RansomwareComparative Study of Fileless Ransomware
Comparative Study of Fileless Ransomware
 

Andere mochten auch

Riak MapReduce: A Story In Three Acts
Riak MapReduce: A Story In Three ActsRiak MapReduce: A Story In Three Acts
Riak MapReduce: A Story In Three ActsKevin Smith
 
CQRS recipes or how to cook your architecture
CQRS recipes or how to cook your architectureCQRS recipes or how to cook your architecture
CQRS recipes or how to cook your architectureThomas Jaskula
 
ОО" Шоола Кол" презентация Результаты поиска Санкт-Петербург 14 октября
ОО" Шоола Кол" презентация  Результаты поиска Санкт-Петербург  14 октябряОО" Шоола Кол" презентация  Результаты поиска Санкт-Петербург  14 октября
ОО" Шоола Кол" презентация Результаты поиска Санкт-Петербург 14 октябряАсылбек Айтматов
 
Cctk support for setting hdd password
Cctk support for setting hdd passwordCctk support for setting hdd password
Cctk support for setting hdd passwordartisriva
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
 
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)Marco Balduzzi
 
чынгыз айтматов Small
чынгыз айтматов Smallчынгыз айтматов Small
чынгыз айтматов SmallKamchibekova Rakia
 
Cloud computing security policy framework for mitigating denial of service at...
Cloud computing security policy framework for mitigating denial of service at...Cloud computing security policy framework for mitigating denial of service at...
Cloud computing security policy framework for mitigating denial of service at...Venkatesh Prabhu
 
Softworx Enterprise Asset Management 101 - Presentation Template
Softworx Enterprise Asset Management 101 - Presentation TemplateSoftworx Enterprise Asset Management 101 - Presentation Template
Softworx Enterprise Asset Management 101 - Presentation TemplateEnterprise Softworx Solutions
 
TUGAS PTI MOTHERBOARD DAN MODEM
TUGAS PTI MOTHERBOARD DAN MODEMTUGAS PTI MOTHERBOARD DAN MODEM
TUGAS PTI MOTHERBOARD DAN MODEMika aprilia
 
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
 HTTP(S)-Based Clustering for Assisted Cybercrime Investigations HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime InvestigationsMarco Balduzzi
 
Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)Marco Balduzzi
 

Andere mochten auch (20)

Riak MapReduce: A Story In Three Acts
Riak MapReduce: A Story In Three ActsRiak MapReduce: A Story In Three Acts
Riak MapReduce: A Story In Three Acts
 
Led lighting australia
Led lighting australiaLed lighting australia
Led lighting australia
 
CQRS recipes or how to cook your architecture
CQRS recipes or how to cook your architectureCQRS recipes or how to cook your architecture
CQRS recipes or how to cook your architecture
 
ОО" Шоола Кол" презентация Результаты поиска Санкт-Петербург 14 октября
ОО" Шоола Кол" презентация  Результаты поиска Санкт-Петербург  14 октябряОО" Шоола Кол" презентация  Результаты поиска Санкт-Петербург  14 октября
ОО" Шоола Кол" презентация Результаты поиска Санкт-Петербург 14 октября
 
Cctk support for setting hdd password
Cctk support for setting hdd passwordCctk support for setting hdd password
Cctk support for setting hdd password
 
Personal informatic
Personal informaticPersonal informatic
Personal informatic
 
Christmas
ChristmasChristmas
Christmas
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
 
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)
 
Family tree
Family treeFamily tree
Family tree
 
чынгыз айтматов Small
чынгыз айтматов Smallчынгыз айтматов Small
чынгыз айтматов Small
 
Possessive adjectives
Possessive adjectivesPossessive adjectives
Possessive adjectives
 
Cloud computing security policy framework for mitigating denial of service at...
Cloud computing security policy framework for mitigating denial of service at...Cloud computing security policy framework for mitigating denial of service at...
Cloud computing security policy framework for mitigating denial of service at...
 
Presentation1
Presentation1Presentation1
Presentation1
 
Why AIS is not always enough
Why AIS is not always enoughWhy AIS is not always enough
Why AIS is not always enough
 
Softworx Enterprise Asset Management 101 - Presentation Template
Softworx Enterprise Asset Management 101 - Presentation TemplateSoftworx Enterprise Asset Management 101 - Presentation Template
Softworx Enterprise Asset Management 101 - Presentation Template
 
TUGAS PTI MOTHERBOARD DAN MODEM
TUGAS PTI MOTHERBOARD DAN MODEMTUGAS PTI MOTHERBOARD DAN MODEM
TUGAS PTI MOTHERBOARD DAN MODEM
 
Adauga un text
Adauga un textAdauga un text
Adauga un text
 
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
 HTTP(S)-Based Clustering for Assisted Cybercrime Investigations HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
 
Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)
 

Ähnlich wie The (in)security of File Hosting Services

01-intro-thompson.ppt
01-intro-thompson.ppt01-intro-thompson.ppt
01-intro-thompson.pptSadiaMuqaddas
 
Computer and Network Security
Computer and Network SecurityComputer and Network Security
Computer and Network SecurityAsif Raza
 
01-intro-thompson.ppt
01-intro-thompson.ppt01-intro-thompson.ppt
01-intro-thompson.pptROHITCHHOKER3
 
Event - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security PerimetersEvent - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security PerimetersSomyos U.
 
Splunk for Security Workshop
Splunk for Security WorkshopSplunk for Security Workshop
Splunk for Security WorkshopSplunk
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk Managementipspat
 
Computer Systems Security
Computer Systems SecurityComputer Systems Security
Computer Systems Securitydrkelleher
 
Invited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open SourceInvited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open Sourcehack33
 
Disrupt Hackers With Robust User Authentication
Disrupt Hackers With Robust User AuthenticationDisrupt Hackers With Robust User Authentication
Disrupt Hackers With Robust User AuthenticationIntel IT Center
 
Ransomware: Hard to Stop for Enterprises, Highly Profitable for Criminals
Ransomware: Hard to Stop for Enterprises, Highly Profitable for CriminalsRansomware: Hard to Stop for Enterprises, Highly Profitable for Criminals
Ransomware: Hard to Stop for Enterprises, Highly Profitable for CriminalsExtraHop Networks
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationTom Eston
 
Intro2 malwareanalysisshort
Intro2 malwareanalysisshortIntro2 malwareanalysisshort
Intro2 malwareanalysisshortVincent Ohprecio
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Ch04 Footprinting and Social Engineering
Ch04 Footprinting and Social EngineeringCh04 Footprinting and Social Engineering
Ch04 Footprinting and Social Engineeringphanleson
 
Security communication
Security communicationSecurity communication
Security communicationSay Shyong
 
Ch14 Desktop Protection
Ch14 Desktop ProtectionCh14 Desktop Protection
Ch14 Desktop Protectionphanleson
 

Ähnlich wie The (in)security of File Hosting Services (20)

01-intro-thompson.ppt
01-intro-thompson.ppt01-intro-thompson.ppt
01-intro-thompson.ppt
 
Computer and Network Security
Computer and Network SecurityComputer and Network Security
Computer and Network Security
 
01-intro-thompson.ppt
01-intro-thompson.ppt01-intro-thompson.ppt
01-intro-thompson.ppt
 
01-intro-thompson.ppt
01-intro-thompson.ppt01-intro-thompson.ppt
01-intro-thompson.ppt
 
Event - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security PerimetersEvent - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security Perimeters
 
Splunk for Security Workshop
Splunk for Security WorkshopSplunk for Security Workshop
Splunk for Security Workshop
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk Management
 
Computer Systems Security
Computer Systems SecurityComputer Systems Security
Computer Systems Security
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android Apps
 
Invited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open SourceInvited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open Source
 
Disrupt Hackers With Robust User Authentication
Disrupt Hackers With Robust User AuthenticationDisrupt Hackers With Robust User Authentication
Disrupt Hackers With Robust User Authentication
 
Internet Security
Internet SecurityInternet Security
Internet Security
 
Ransomware: Hard to Stop for Enterprises, Highly Profitable for Criminals
Ransomware: Hard to Stop for Enterprises, Highly Profitable for CriminalsRansomware: Hard to Stop for Enterprises, Highly Profitable for Criminals
Ransomware: Hard to Stop for Enterprises, Highly Profitable for Criminals
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
 
Intro2 malwareanalysisshort
Intro2 malwareanalysisshortIntro2 malwareanalysisshort
Intro2 malwareanalysisshort
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
Ch04 Footprinting and Social Engineering
Ch04 Footprinting and Social EngineeringCh04 Footprinting and Social Engineering
Ch04 Footprinting and Social Engineering
 
The Rise of Ransomware
The Rise of RansomwareThe Rise of Ransomware
The Rise of Ransomware
 
Security communication
Security communicationSecurity communication
Security communication
 
Ch14 Desktop Protection
Ch14 Desktop ProtectionCh14 Desktop Protection
Ch14 Desktop Protection
 

Mehr von Marco Balduzzi

Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...Marco Balduzzi
 
CTS @ HWIO2020 Awards Cerimony
CTS @ HWIO2020 Awards CerimonyCTS @ HWIO2020 Awards Cerimony
CTS @ HWIO2020 Awards CerimonyMarco Balduzzi
 
SCSD 2020 - Security Risk Assessment of Radio-Enabled Technologies
SCSD 2020 - Security Risk Assessment of Radio-Enabled TechnologiesSCSD 2020 - Security Risk Assessment of Radio-Enabled Technologies
SCSD 2020 - Security Risk Assessment of Radio-Enabled TechnologiesMarco Balduzzi
 
Attacking Industrial Remote Controllers (HITB AMS 2019)
Attacking Industrial Remote Controllers (HITB AMS 2019)Attacking Industrial Remote Controllers (HITB AMS 2019)
Attacking Industrial Remote Controllers (HITB AMS 2019)Marco Balduzzi
 
Using Machine-Learning to Investigate Web Campaigns at Large - HITB 2018
Using Machine-Learning to Investigate Web Campaigns at Large - HITB 2018Using Machine-Learning to Investigate Web Campaigns at Large - HITB 2018
Using Machine-Learning to Investigate Web Campaigns at Large - HITB 2018Marco Balduzzi
 
Behind the scene of malware operators. Insights and countermeasures. CONFiden...
Behind the scene of malware operators. Insights and countermeasures. CONFiden...Behind the scene of malware operators. Insights and countermeasures. CONFiden...
Behind the scene of malware operators. Insights and countermeasures. CONFiden...Marco Balduzzi
 
Plead APT @ EECTF 2016
Plead APT @ EECTF 2016Plead APT @ EECTF 2016
Plead APT @ EECTF 2016Marco Balduzzi
 
Detection of Malware Downloads via Graph Mining (AsiaCCS '16)
Detection of Malware Downloads via Graph Mining (AsiaCCS '16)Detection of Malware Downloads via Graph Mining (AsiaCCS '16)
Detection of Malware Downloads via Graph Mining (AsiaCCS '16)Marco Balduzzi
 
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...Marco Balduzzi
 
Attacking the Privacy of Social Network users (HITB 2011)
Attacking the Privacy of Social Network users (HITB 2011)Attacking the Privacy of Social Network users (HITB 2011)
Attacking the Privacy of Social Network users (HITB 2011)Marco Balduzzi
 
Automated Detection of HPP Vulnerabilities in Web Applications Version 0.3, B...
Automated Detection of HPP Vulnerabilities in Web Applications Version 0.3, B...Automated Detection of HPP Vulnerabilities in Web Applications Version 0.3, B...
Automated Detection of HPP Vulnerabilities in Web Applications Version 0.3, B...Marco Balduzzi
 
Abusing Social Networks for Automated User Profiling
Abusing Social Networks for Automated User ProfilingAbusing Social Networks for Automated User Profiling
Abusing Social Networks for Automated User ProfilingMarco Balduzzi
 
Stealthy, Resilient and Cost-Effective Botnet Using Skype
Stealthy, Resilient and Cost-Effective Botnet Using SkypeStealthy, Resilient and Cost-Effective Botnet Using Skype
Stealthy, Resilient and Cost-Effective Botnet Using SkypeMarco Balduzzi
 
New Insights into Clickjacking
New Insights into ClickjackingNew Insights into Clickjacking
New Insights into ClickjackingMarco Balduzzi
 
Paper: A Solution for the Automated Detection of Clickjacking Attacks
Paper: A Solution for the Automated Detection of Clickjacking AttacksPaper: A Solution for the Automated Detection of Clickjacking Attacks
Paper: A Solution for the Automated Detection of Clickjacking AttacksMarco Balduzzi
 

Mehr von Marco Balduzzi (15)

Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
 
CTS @ HWIO2020 Awards Cerimony
CTS @ HWIO2020 Awards CerimonyCTS @ HWIO2020 Awards Cerimony
CTS @ HWIO2020 Awards Cerimony
 
SCSD 2020 - Security Risk Assessment of Radio-Enabled Technologies
SCSD 2020 - Security Risk Assessment of Radio-Enabled TechnologiesSCSD 2020 - Security Risk Assessment of Radio-Enabled Technologies
SCSD 2020 - Security Risk Assessment of Radio-Enabled Technologies
 
Attacking Industrial Remote Controllers (HITB AMS 2019)
Attacking Industrial Remote Controllers (HITB AMS 2019)Attacking Industrial Remote Controllers (HITB AMS 2019)
Attacking Industrial Remote Controllers (HITB AMS 2019)
 
Using Machine-Learning to Investigate Web Campaigns at Large - HITB 2018
Using Machine-Learning to Investigate Web Campaigns at Large - HITB 2018Using Machine-Learning to Investigate Web Campaigns at Large - HITB 2018
Using Machine-Learning to Investigate Web Campaigns at Large - HITB 2018
 
Behind the scene of malware operators. Insights and countermeasures. CONFiden...
Behind the scene of malware operators. Insights and countermeasures. CONFiden...Behind the scene of malware operators. Insights and countermeasures. CONFiden...
Behind the scene of malware operators. Insights and countermeasures. CONFiden...
 
Plead APT @ EECTF 2016
Plead APT @ EECTF 2016Plead APT @ EECTF 2016
Plead APT @ EECTF 2016
 
Detection of Malware Downloads via Graph Mining (AsiaCCS '16)
Detection of Malware Downloads via Graph Mining (AsiaCCS '16)Detection of Malware Downloads via Graph Mining (AsiaCCS '16)
Detection of Malware Downloads via Graph Mining (AsiaCCS '16)
 
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
 
Attacking the Privacy of Social Network users (HITB 2011)
Attacking the Privacy of Social Network users (HITB 2011)Attacking the Privacy of Social Network users (HITB 2011)
Attacking the Privacy of Social Network users (HITB 2011)
 
Automated Detection of HPP Vulnerabilities in Web Applications Version 0.3, B...
Automated Detection of HPP Vulnerabilities in Web Applications Version 0.3, B...Automated Detection of HPP Vulnerabilities in Web Applications Version 0.3, B...
Automated Detection of HPP Vulnerabilities in Web Applications Version 0.3, B...
 
Abusing Social Networks for Automated User Profiling
Abusing Social Networks for Automated User ProfilingAbusing Social Networks for Automated User Profiling
Abusing Social Networks for Automated User Profiling
 
Stealthy, Resilient and Cost-Effective Botnet Using Skype
Stealthy, Resilient and Cost-Effective Botnet Using SkypeStealthy, Resilient and Cost-Effective Botnet Using Skype
Stealthy, Resilient and Cost-Effective Botnet Using Skype
 
New Insights into Clickjacking
New Insights into ClickjackingNew Insights into Clickjacking
New Insights into Clickjacking
 
Paper: A Solution for the Automated Detection of Clickjacking Attacks
Paper: A Solution for the Automated Detection of Clickjacking AttacksPaper: A Solution for the Automated Detection of Clickjacking Attacks
Paper: A Solution for the Automated Detection of Clickjacking Attacks
 

Kürzlich hochgeladen

Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxYounusS2
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIUdaiappa Ramachandran
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceMartin Humpolec
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 

Kürzlich hochgeladen (20)

Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AI
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 

The (in)security of File Hosting Services

  • 1. THE (IN)SECURITY OF FILE HOSTING SERVICES Nick Nikiforakis, Marco Balduzzi Steven Van Acker, Wouter Joosen, Davide Balzarotti 6th July 2011 OWASP Netherland Chapter Meeting
  • 2. Sharing is caring   Internet expanding   More users   More Web services   More Web technologies   Users need to share files   P2P is not always the answer   Emails?
  • 3. Sharing Services   Broad selection of services with a wide variety of applications   Accessible through the Web from anywhere   No software-bloating for users   More free software due to a different way of making profit
  • 4. Bad news…   A user’s data is now located somewhere else:   Privacy   Availability   Integrity •  Sad story (T-Mobile & Microsoft): –  2009: “personal information stored on your device--such as contacts, calendar entries, to-do lists or photos--that is no longer on your Sidekick almost certainly has been lost as a result of a server failure at Microsoft/Danger”
  • 5. File Hosting Services   Cloud-storage for the masses   Share files with other users   Security through obscurity access-control   Sharing personal documents as well as pirated files
  • 6. Lifecycle of a file   Alice decides to shares some digital content (file) through a FHS   FHS received the file, stores it on its Cloud and generates an identifier which it: i.  binds with the uploaded file ii.  returns to the user in a URI form: http://www.easy-share.com/1916472551/ noctambus.pdf   URI is shared depending on the nature of the uploaded file
  • 7. File Identifier & Privacy   The identifier (ID) is used to enforce access-control in a security-through-obscurity way   ID == access to file   FHS are typically not-searchable   ID acts as a shared secret between a FHS and each user’s files   Non-owners should not be able to “guess” this secret
  • 8. 100 FHSs: How many privacy-aware?   We studied 100 FHSs to discover, among others, the way they generate unique “secret” identifiers   Uploading files, recording the given ID and comparing   Removed 12 that had search/browse capabilities
  • 9. Sequential IDs   34/88 FHS were generating sequential identifiers   numeric, or alphanumerical   20/34 did not append any other non-guessable information   e.g. filename or secondary ID   E.g.   http://vulnerable.com/9996   http://vulnerable.com/9997   http://vulnerable.com/9998
  • 10. Sequential IDs   Designed a crawler for the 20 sequential FHS   Run for 30 days   Random delays to limit bandwidth and blacklisting   Scraping only the filenames and sizes (privacy)   Results:   > 310,000 file records
  • 11. Finding private files…   Depending on the nature of a file, it will be shared in different ways   Exploit the ubiquity of search-engine crawlers to characterize a file as private or public.   Given a filename   0 search results -> Private
  • 12. Private Files Results   Using Bing:   54.16% of files returned 0 search results   Rough approximation of private files due to close pirate communities Filetype #Private documents Images (JPG, GIF, BMP) 27,711 Archives (ZIP) 13,354 Portable Document Format 7,137 MS Office Word 3,686 MS Office Excel Sheets 1,182 MS Office PowerPoint 967
  • 13. Identifiers of 100 FHSs (summary)
  • 14. Non-Sequential IDs   54 FHSs adopt non-sequential identifiers   len(ID)
  • 15. Non-Sequential IDs   54 FHSs adopt non-sequential identifiers   len(C_SET)
  • 16. Random but short   Brute-force short random identifiers Length Charset #Tries #Files Found 6 Numeric 617,169 728 6 Alphanumeric 526,650 586 8 Numeric 920,631 332
  • 17. Design & Implementation errors   Security audit of a popular FHS software product   Used in 13% of FHSs   Directory traversal vulnerability   De-randomization attack for deletion code   Report-link contained the first 10 characters of the 14- charater delete code   16^14 -> 16^4 combinations
  • 18. Status…   File hosting services are not privacy-aware   Sequential identifiers   Weak non-sequential identifiers   Bugs in their source code   Do attackers know about this?   How do we found out?
  • 19. Honeypot experiment   Honeyfiles promising valuable content   Phished_paypal_details.html!   Paypal_account_gen.exe!   Sniffed_email1.doc!   Each file connects back to our monitor server when opened   <img/> in HTML files   embedded HTML in doc files   TCP socket in executables   Attempt to open page in pdf files
  • 20. Carding forum   One of the decoy files contained valid credentials for our fake forum   card3rz_reg_details.html!   Fake underground carding community   card3rz.co.cc   Reasons: i.  Hide our monitors ii.  Do attackers use data that they find in illegally obtained files?
  • 21. NOW
  • 22. Honeypot experiment: results   Monitoring sequential FHSs for 30 days   275 honeyfiles accesses   More than 80 unique IP addresses   7 different sequential FHSs   1 had a catalogue functionality   2 had a search functionality   4 had neither!   Accesses from all around the world
  • 24. HoneyFiles results   Download ratio of each file: Claimed content Download ratio Credentials to PayPal accounts 40.36% Credentials for card3rz.co.cc 21.81% PayPal account Generator 17.45% Leaked customer list 9.09% Sniffed email 6.81% List of emails for spamming purposes 5.09%
  • 25. card3rz.co.cc results   93 successful logins   43different IP addresses   32% came back at a later time   Attacks against the monitor and the login-form   SQL-injection & file-inclusion attacks   Attackers do in-fact use data from illegally obtained files
  • 26. Status…   File hosting services are vulnerable   Sequential identifiers   Weak non-sequential identifiers   Bugs in their source code   Attackers are abusing them   They are using the data found in other user’s files
  • 27. SecureFS   A client must protect himself   Encryption is a good way   Do people know how to?   If they do know, does their OS assist them?   SecureFS   Encryption to protect a user’s data   Steganography to mislead potential attackers   Project site: http://www.securitee.org/sfs/
  • 28. SecureFS   Browser-plugin monitoring uploads and downloads   Protects uploads on-the-fly important.doc SFS_HDR ENC(important.doc,RND_KEY) ZIP(FAKE)   Browser-plugin monitoring uploads and downloads   Rewrites download links to include the random key   http://unsafefhs.com/12345   http://unsafefhs.com/12345/sfs_key/[RND_KEY]
  • 29. Conclusion   Large percentage of FHSs fail to provide the user with adequate privacy   Hundreds of thousands of files ready to be misused   Attackers know & exploit this fact   A user must protect himself:   SecureFS