Cloud services are here to stay. This poses a big challenge for information security professionals: we can no longer restrict mobility, so we need to implement controls to ensure that mobility services do not pose a threat to any information asset of the company. Bad guys tend to steal critical information from the company and take it out using e-mail, chat file transfers and cloud file storage services. The first two are monitored in most companies, but not all companies have the technical controls in place to regulate usage of the third. There are two big services here: Skydrive and Dropbox. Skydrive does not announce itself to the network, so the only way to detect it is to monitor outgoing traffic for the file transfer protocol it uses, MS-FSSHTTP (File Synchronization via SOAP over HTTP Protocol). For example, if anyone saves a file to http://Example/Shared%20Documents/test1.docx, the request sent would be:
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <RequestVersion Version="2" MinorVersion="0"
        xmlns="http://schemas.microsoft.com/sharepoint/soap/"/>
    <RequestCollection CorrelationId="{83E78EC0-5BAE-4BC2-9517-E2747382569B}"
        xmlns="http://schemas.microsoft.com/sharepoint/soap/">
      <Request Url="http://Example/Shared%20Documents/test1.docx" RequestToken="1">
        <SubRequest Type="Coauth" SubRequestToken="1">
          <SubRequestData CoauthRequestType="RefreshCoauthoring"
              SchemaLockID="29358EC1-E813-4793-8E70-ED0344E7B73C"
              ClientID="{BE07F85A-0CD1-4862-BDFC-F6CC3C8588A4}" Timeout="3600"/>
        </SubRequest>
        <SubRequest Type="SchemaLock" SubRequestToken="2" DependsOn="1"
            DependencyType="OnNotSupported">
          <SubRequestData SchemaLockRequestType="RefreshLock"
              SchemaLockID="29358EC1-E813-4793-8E70-ED0344E7B73C"
              ClientID="{BE07F85A-0CD1-4862-BDFC-F6CC3C8588A4}" Timeout="3600"/>
        </SubRequest>
        <SubRequest Type="Cell" SubRequestToken="3" DependsOn="2"
            DependencyType="OnSuccessOrNotSupported">
          <SubRequestData Coalesce="true" CoauthVersioning="true"
              BypassLockID="29358EC1-E813-4793-8E70-ED0344E7B73C"
              SchemaLockID="29358EC1-E813-4793-8E70-ED0344E7B73C" BinaryDataSize="17485">
            <i:Include xmlns:i="http://www.w3.org/2004/08/xop/include"
                href="cid:b2c67b53-be27-4370-b214-6be0a48da399-0@tempuri.org"/>
          </SubRequestData>
        </SubRequest>
      </Request>
    </RequestCollection>
  </s:Body>
</s:Envelope>
And the response would be:
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
The following table summarizes all possible subrequest operations and their descriptions.
This protocol can be easily detected and tracked using IPS signatures or, if you have a layer 7 firewall, you can use its application-identification functionality to detect this protocol and block it. Check Point can do it with its software blade, which covers 5052 applications as of today. Dropbox can be easily detected on the network: every 30 seconds it sends a packet announcing the client for possible LAN Sync operations. Those packets look like the following one:
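If you prefer to inspect HTTP POST bodies yourself rather than rely on a vendor signature, the following is an added example (not code from the diary) that recognizes an MS-FSSHTTP RequestCollection like the one above, records the target document URL, the subrequest types and the size of binary cell data carried, and only flags documents whose host is not on an allowlist of your own SharePoint servers. The sample body and the internal host name are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
FSS_NS = "http://schemas.microsoft.com/sharepoint/soap/"

def classify_fsshttp(body):
    """Return one {url, subrequests, cell_bytes} dict per <Request>, or None
    when the body is not an FSSHTTP RequestCollection."""
    # ElementTree is fine for this constructed sample; parse untrusted
    # bodies with defusedxml in production.
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    coll = root.find(f"{{{SOAP_NS}}}Body/{{{FSS_NS}}}RequestCollection")
    if coll is None:
        return None
    found = []
    for req in coll.findall(f"{{{FSS_NS}}}Request"):
        subs = [s.get("Type", "?") for s in req.findall(f"{{{FSS_NS}}}SubRequest")]
        # BinaryDataSize appears on Cell sub-requests that carry file content.
        cell_bytes = sum(int(d.get("BinaryDataSize", "0"))
                         for d in req.iter(f"{{{FSS_NS}}}SubRequestData"))
        found.append({"url": req.get("Url", ""), "subrequests": subs,
                      "cell_bytes": cell_bytes})
    return found

def is_external(event, internal_hosts):
    """True when the document URL is not on an allowlisted internal SharePoint
    host, so on-premises SharePoint (same protocol) is not flagged."""
    host = (urlparse(event["url"]).hostname or "").lower()
    return host not in {h.lower() for h in internal_hosts}

# Constructed sample body modelled on the request shown above (not a capture).
SAMPLE_BODY = f"""<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>
<RequestVersion Version="2" MinorVersion="0" xmlns="{FSS_NS}"/>
<RequestCollection CorrelationId="{{83E78EC0-5BAE-4BC2-9517-E2747382569B}}" xmlns="{FSS_NS}">
<Request Url="http://Example/Shared%20Documents/test1.docx" RequestToken="1">
<SubRequest Type="Coauth" SubRequestToken="1"><SubRequestData CoauthRequestType="RefreshCoauthoring"/></SubRequest>
<SubRequest Type="SchemaLock" SubRequestToken="2"><SubRequestData SchemaLockRequestType="RefreshLock"/></SubRequest>
<SubRequest Type="Cell" SubRequestToken="3"><SubRequestData Coalesce="true" BinaryDataSize="17485"/></SubRequest>
</Request></RequestCollection></s:Body></s:Envelope>"""

if __name__ == "__main__":
    # "sharepoint.corp.example" is a hypothetical internal host name.
    for ev in classify_fsshttp(SAMPLE_BODY) or []:
        tag = "EXTERNAL" if is_external(ev, {"sharepoint.corp.example"}) else "internal"
        print(tag, ev["url"], ev["subrequests"], ev["cell_bytes"])
```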
If you want to detect those packets, you can use Wireshark and look for them with the filter udp.port==17500, or run the following nmap command:
This command port-scans every IP address where the Dropbox listener was detected. The nmap script shown in the last figure has the following options:
How can we provide this kind of service to our users without affecting their mobility? Skydrive Pro can be used with SharePoint Online or an on-premises SharePoint Server 2013. If you don't have servers in-house, you can use Dropbox for Business, which is now able to integrate with your local Active Directory.
Manuel Humberto Santander Peláez, ISC Handler, Aug 7th 2013
" e-mails, chat file transfers and could file storage services. "
You mean 'cloud', right?
Anonymous, Aug 8th 2013