[BreachExchange] Dropbox's Layered Approach to Password Security

Audrey McNeil audrey at riskbasedsecurity.com
Tue Oct 11 19:38:30 EDT 2016


http://www.databreachtoday.com/dropboxs-layered-approach-to-password-security-a-9441

Dropbox has battened down its security hatches. There's good reason: The
company was one of many this year that have faced nightmarish news that
rumors of a password breach were, in fact, true. It's still unclear how
Dropbox and companies including Yahoo, LinkedIn, MySpace and Twitter were
hacked, or why the stolen data only circulated more widely several years
after the intrusions. But the revelations have unnerved web services
companies and spurred a new urgency around securing passwords.

Dropbox's intrusion was isolated to around mid-2012, an era that Rajan
Kapoor, the company's senior manager for trust and security, says was a
very immature time for cloud services. Since then, security has "grown up
quite a bit," he says.

"The industry on the whole has learned a lot of lessons since 2012," Kapoor
says. "Dropbox specifically has matured our security capabilities
tremendously."

The password breach occurred around the same time as another security
incident that became public. An attacker managed to compromise a Dropbox
employee's credentials and stole a project document that contained user
email addresses. Some users began receiving spam in German, English and
Dutch advertising gambling websites.

Dropbox quickly shut down the spam and reset some user accounts after
compromised credentials from other services had been successfully re-used.
Although the circumstances aren't clear, it's possible that the compromised
employee account was used to move laterally through Dropbox's system.

Kapoor says that the attackers eventually reached Dropbox's analytics
tools. It's classic attack methodology: Use one compromised endpoint to
move laterally through a victim's systems in search of sensitive
information. The full scope of the breach did not become clear until four
years later, when it was determined that credentials for 69 million
accounts had been stolen, Dropbox said in August (see Dropbox's Big, Bad,
Belated Breach Notification).

Locked Down Passwords

When the breach occurred, Dropbox was transitioning to stronger password
security. Passwords can't be stored in plaintext, so they're processed with
a one-way deterministic algorithm to produce a hash.

Analysis of the 2012 breach showed that some of Dropbox's passwords had
been hashed with SHA-1, an algorithm that is considered insecure. Other
passwords had been hashed with bcrypt, which is considered much more secure.

In an effort to restore confidence, Dropbox has taken the fairly unusual
step of describing how it now secures passwords. It takes a layered onion
approach that it hopes will mean that even if it experiences another
breach, the information obtained will be useless. The steps were outlined
in a Sept. 21 blog post.

Here's Dropbox's recipe: Plain-text passwords are first hashed with
SHA-512. That result is then run through bcrypt with a per-user salt. A salt
is a unique value mixed into each user's hash, so identical passwords
produce different hashes and an attacker must spend more time, and more
computing power, guessing what each hash represents. That value is then
encrypted with AES256. The secret key used for the AES256 encryption - which
Dropbox refers to as a "pepper" - is stored in a separate location.

If a password table were leaked, the information wouldn't be useful without
the pepper, Kapoor says. As an additional defensive measure in the event of
a breach, Dropbox could rotate the pepper and re-encrypt the hashes, which
would block attackers from using the data they obtained, even if they were
able to decrypt it, he says.
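The recipe and the pepper rotation described above, as an added example in Ruby that is not Dropbox's code: SHA-512 pre-hash, a salted slow hash, AES-256-GCM under a separately held pepper, and a rotation that re-keys a stored record without the password. It assumes PBKDF2-HMAC-SHA256 as a standard-library stand-in for bcrypt; the record layout and function names are my own.

```ruby
require 'openssl'
require 'securerandom'

# Layers 1 and 2: SHA-512 pre-hash, then a salted slow hash. PBKDF2-HMAC-SHA256
# stands in for bcrypt so the block needs only Ruby's standard library.
def stretch(password, salt)
  pre = OpenSSL::Digest::SHA512.digest(password)
  OpenSSL::KDF.pbkdf2_hmac(pre, salt: salt, iterations: 100_000, length: 32, hash: 'sha256')
end

# Layer 3: AES-256-GCM under the pepper. Record layout: iv(12) || tag(16) || ciphertext(32).
def seal(stretched, pepper)
  c = OpenSSL::Cipher.new('aes-256-gcm')
  c.encrypt
  c.key = pepper
  iv = c.random_iv
  ct = c.update(stretched) + c.final
  iv + c.auth_tag + ct
end

# Raises OpenSSL::Cipher::CipherError when the pepper is wrong or the record was altered.
def unseal(record, pepper)
  c = OpenSSL::Cipher.new('aes-256-gcm')
  c.decrypt
  c.key = pepper
  c.iv = record[0, 12]
  c.auth_tag = record[12, 16]
  c.update(record[28..-1]) + c.final
end

def enroll(password, pepper)
  salt = SecureRandom.random_bytes(16) # per-user salt, stored beside the record
  [salt, seal(stretch(password, salt), pepper)]
end
# Constant-time comparison so timing does not reveal how many bytes matched.
def same_bytes?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |d, (x, y)| d | (x ^ y) }.zero?
end

# Without the pepper a leaked table cannot even be brute-forced: unseal fails first.
def verify(password, salt, record, pepper)
  same_bytes?(unseal(record, pepper), stretch(password, salt))
rescue OpenSSL::Cipher::CipherError
  false
end

# Pepper rotation re-keys every record with no password and no user involvement.
def rotate(record, old_pepper, new_pepper)
  seal(unseal(record, old_pepper), new_pepper)
end
```

Records sealed under the old pepper stop verifying as soon as it is retired, which is the property Kapoor describes for a rotation after a leak.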

The company is already thinking about how to make this system more secure.
It is considering storing the pepper in a hardware security module - a
device designed to provide maximum security to data such as encryption
keys. Plans are also already in the works to increase the strength of its
bcrypt implementation.

Halting Lateral Movement

To prevent an intruder from moving laterally through its systems, Dropbox
has also mandated that its employees and engineers use two-factor
authentication. "Just because you've authenticated once in one area, we do
not infer that to mean you are authenticated to access anything else,"
Kapoor says.

Two-factor authentication has the potential to be irritating: Users are
asked to fill in their normal login credentials plus a time-sensitive code.
For engineers moving back and forth between different development and
production systems, asking for that code every time is burdensome. But it's
also essential.

"That can be pretty annoying for engineers," Kapoor says. "If they need to
get into analytics four times in an hour and they've got to supply a 2FA
code each time, it's going to slow them down."

To reduce friction around that process, Dropbox employees are assigned USB
drives that generate the one-time passcodes. Once the drive is inserted into
a computer, employees just need to tap a button to deliver the code.

But Dropbox users haven't embraced two-factor authentication as much as the
company would like. Kapoor says only a single-digit percentage of users have
enabled two-factor authentication, a figure the company would like to see
increase. In August, Dropbox broadened its support for two-factor
authentication, announcing compatibility with hardware security keys using
the open FIDO Universal 2nd Factor (U2F) standard.