E-Siber.com
M. Mekin Pesen

Dropbox Accesses All The Files in Your PC (Not Just Sync Folder) and Then?

I've heard a lot about Dropbox until now. They were not so interesting but a little controversial. But now, I have discovered something quite striking. Dropbox syncs not only its own folder but also everything on the local drive (C:) without any user consent or permission. I caught it red-handed while working with my DLP (data loss prevention) endpoint agent, as I was adjusting the DLP system to work properly in a production environment.

 

PLEASE NOTE: You can see new updates at the end of the article.

 

A DLP endpoint agent monitors the real-time traffic of user activities inside applications/programs, such as cut/copy/paste, print, and print screen operations. It also supplies forensic monitoring that allows full visibility of content traffic. Of course, by using a DLP agent, you can monitor which program accesses a file that triggers a predefined DLP rule. From this point on, I'm telling you step by step how that event happened. Everything I mention is the DLP agent catching illegal movements of the Dropbox program according to customized DLP policies.

 

1.) Dropbox Installation Directory and Configurations

I have connected Dropbox to "C:/Users/Mekin.pesen/Dropbox". Normally, Dropbox installs itself in the "C:/Users/ABC/AppData/Roaming/Dropbox" directory. As you see below, Dropbox says that "only checked folders will sync to this computer":

 

2.) Customizing a Security Policy and a Rule

At this point you should enable default policies and rules to catch something, or make a new policy from scratch. You can also enable any regulatory compliance standards such as PCI DSS, HIPAA, SOX or PII (Personally Identifiable Information), such as a social security number, government ID card number, etc. According to your rule, if any of this predefined information or these activity conditions match a DLP policy rule, it triggers an alert.

 

3.) Making New Tricky Files That Can Trigger an Alert

I made some tricky Word (DOCX) and RAR files so that all of them can get caught by a predefined rule. I put them into directories that are surely NOT my Dropbox sync folders (C:/Users/Mekin.pesen/Dropbox). I put the files under:

  • "C://" drive directory
  • "C:/users/mekin.pesen/desktop"
  • Recycle Bin: "c:/$recycle.bin/" (yes, I'm serious!)

 

4.) Bewildering Results

Consequently, all my tricky files were accessed by Dropbox immediately, although I didn't put them into the original sync folder (C:/Users/Mekin.pesen/Dropbox):

 

The file "c:/catch-drop-the-box.rar" was accessed by "Dropbox"



 

The file "c:/users/mekin.pesen/desktop/catch-drop-the-box.rar" was accessed by "Dropbox"



 

The file "c:/$recycle.bin/s-1-5-21-......../$rx0kysg.docx" was accessed by "Dropbox"
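
A check of this kind can be automated over an export of the alerts. The following is an added example, not code from the article or from any DLP product: it parses lines in the alert shape quoted above and lists the accesses by a given process that fall outside the sync root, including paths that only share its prefix or climb out of it with "..". The sample log and the function names are constructed for illustration.

```python
import ntpath
import re
from pathlib import PureWindowsPath

# Sync root as stated in the article.
SYNC_ROOT = "C:/Users/Mekin.pesen/Dropbox"
# Alert shape copied from the DLP lines quoted in the article.
EVENT_RE = re.compile(r'The file "([^"]+)" was accessed by "([^"]+)"')

# Constructed sample: the article's three alerts plus constructed edge cases.
SAMPLE_LOG = """\
The file "c:/catch-drop-the-box.rar" was accessed by "Dropbox"
The file "c:/users/mekin.pesen/desktop/catch-drop-the-box.rar" was accessed by "Dropbox"
The file "c:/$recycle.bin/s-1-5-21-......../$rx0kysg.docx" was accessed by "Dropbox"
The file "c:/users/mekin.pesen/dropbox/notes.docx" was accessed by "Dropbox"
The file "c:/users/mekin.pesen/dropbox-old/notes.docx" was accessed by "Dropbox"
The file "c:/users/mekin.pesen/dropbox/../desktop/plan.docx" was accessed by "Dropbox"
The file "c:/temp/report.docx" was accessed by "winword"
"""


def _parts(path):
    """Case-folded components of a Windows path with '.' and '..' collapsed."""
    return tuple(p.lower() for p in PureWindowsPath(ntpath.normpath(path)).parts)


def inside_sync_root(path, root=SYNC_ROOT):
    """Compare whole components, so 'dropbox-old' is not treated as 'dropbox'."""
    root_parts = _parts(root)
    return _parts(path)[:len(root_parts)] == root_parts


def outside_sync_accesses(log_text, process="Dropbox"):
    """Normalized paths the named process accessed outside the sync root."""
    hits = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m or m.group(2).lower() != process.lower():
            continue
        if not inside_sync_root(m.group(1)):
            hits.append(ntpath.normpath(m.group(1)).lower())
    return hits


if __name__ == "__main__":
    for hit in outside_sync_accesses(SAMPLE_LOG):
        print(hit)
```
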



 

At the same time, I looked at the firewall log too. And I saw something taken out from my computer in silence:

 

All the firewall logs showed Dropbox movements. The logs also showed me a number of Amazon AWS destinations. But I was not sure whether they belonged to Dropbox services. Then I searched all addresses that belonged to Dropbox and found these IP ranges:

NetRange:       199.47.216.0 - 199.47.219.255
CIDR:           199.47.216.0/22
NetName:        DROPBOX
NetHandle:      NET-199-47-216-0-1
Parent:         NET199 (NET-199-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS19679
Organization:   Dropbox, Inc. (DROPB)
RegDate:        2010-10-15
Updated:        2013-11-19
Ref:            http://whois.arin.net/rest/net/NET-199-47-216-0-1

NetRange:       108.160.160.0 - 108.160.175.255
CIDR:           108.160.160.0/20
NetName:        DROPBOX
NetHandle:      NET-108-160-160-0-1
Parent:         NET108 (NET-108-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS19679
Organization:   Dropbox, Inc. (DROPB)
RegDate:        2011-10-12
Updated:        2012-03-02
Ref:            http://whois.arin.net/rest/net/NET-108-160-160-0-1
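
To sort firewall entries by whether their destination falls inside the two allocations above, the ranges can be applied directly to a log export. This is an added example, not the author's tooling: the four-column log layout, the process name "Dropbox.exe" and all sample rows are constructed, and 203.0.113.0/24 (a documentation range) stands in for destinations that the whois data cannot attribute.

```python
import ipaddress
from collections import defaultdict

# The two ARIN allocations quoted in the article (NetName: DROPBOX, AS19679).
DROPBOX_NETS = [ipaddress.ip_network(c)
                for c in ("199.47.216.0/22", "108.160.160.0/20")]

# Constructed firewall export: "process dst_ip dst_port bytes_out".
SAMPLE_FW_LOG = """\
Dropbox.exe 108.160.165.20 443 1840
Dropbox.exe 199.47.217.3 443 5120
Dropbox.exe 199.47.220.1 443 900
Dropbox.exe 203.0.113.50 443 734003
chrome.exe 108.160.172.9 443 2200
Dropbox.exe not-an-ip 443 10
"""


def attribute(dst):
    """'dropbox' if dst is inside a quoted allocation, else 'unattributed'."""
    addr = ipaddress.ip_address(dst)  # raises ValueError on malformed input
    return "dropbox" if any(addr in net for net in DROPBOX_NETS) else "unattributed"


def bytes_by_attribution(log_text, process="Dropbox.exe"):
    """Sum outbound bytes per attribution label for one process.

    Returns (totals, skipped): skipped holds lines for that process whose
    address or byte count could not be parsed, so they are not silently lost.
    """
    totals = defaultdict(int)
    skipped = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != process:
            continue
        try:
            label = attribute(fields[1])
            sent = int(fields[3])
        except ValueError:
            skipped.append(line)
            continue
        totals[label] += sent
    return dict(totals), skipped


if __name__ == "__main__":
    print(bytes_by_attribution(SAMPLE_FW_LOG))
```

An address just past the end of a range (199.47.220.1 in the sample) lands in "unattributed", as does anything hosted on shared cloud infrastructure, so that bucket needs a separate lookup before any conclusion is drawn from it.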

 

All the things I have explained up to here show us that Dropbox moves through your computer illegally. And it never limits itself to the original sync folder. All of this is proof of an untrustworthy or fraudulent way/behaviour.

 


M. Mekin PESEN
Information Security Specialist

 

ALL UPDATES

Thank you very much, folks! There are a lot of comments about the article. I do not have enough time to reply to all comments. Thank you for your understanding, my apologies. I will share any claim, proof or other things coming from you:

 

1.) There are a lot of valuable and informative comments at:

 

2.)

 

3.) Darren P Meyer has new claims and suggestions about my article. You may read it to satisfy your curiosity and to learn how to test his suggestions. But his claims neither prove nor guarantee exactly that Dropbox does not access/steal/collect your files which are not in your sync folder, because you could not monitor Dropbox traffic every time! https://one.darrenpmeyer.com/blog/dropbox-is-problably-not-stealing-all-your-files.html

 

4.)


5.) Dropbox and security of your files in Linux: http://maciej.lasyk.info/2015/Mar/03/dropbox-and-security-of-your-files-in-linux/. In the conclusion it says "So we're safe. Dropbox does not read all the file contents on Linux. But once again - start using Linux Security Modules!"

 


Author: | 02.03.2015 | Read 117342 times.
