Tag Archives: Dropbox

Breach Brief: Hundreds of Dropbox accounts leaked after third-party hack

A thread recently surfaced on Reddit with links to files containing hundreds of Dropbox usernames and passwords in plain text. At this point, its origins remain unclear. Supposedly, hackers are threatening a major breach in Dropbox security, claiming to have stolen the log-in credentials of nearly 7 million users. If their Bitcoin ransom is paid, the cyber criminals are promising to release more password details.


How many victims? The log-in details for 400 email addresses, each one starting with the letter B, have been labeled as a “first teaser… just to get things going.” In what may appear to be part of a much larger-scale Dropbox hack, the hackers claim to have accessed details from 6,937,081 individual accounts.

What information was breached? It remains uncertain how the account details were accessed and, of course, whether or not they are actually valid. However, the hackers are believed to be in possession of various user photos, videos and other files.

When did it happen? An entry on Pastebin was posted on October 13 at 4:10pm CDT with a link to the list of emails and matching plain text passwords.

What they’re saying: Dropbox has issued a statement on its blog emphasizing that the passwords were stolen from “unrelated services.”

Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.

Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling two-step certification to your account.

Regardless of its legitimacy, this incident highlights an increasingly common way for hackers to gain access to identity credentials, such as usernames, passwords and other personal information. With the number of breaches on the rise and security at our core, learn how Atmel has you covered.
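The statement above describes stolen credentials being replayed against a login page and suspicious logins triggering password resets. As an added example (not Dropbox's code or anything from the original post), the sketch below shows one way such detection can work over an authentication log; the log format, thresholds, addresses and account names are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample auth log: "<epoch_seconds> <source_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
1413234600 203.0.113.7 bob@example.com FAIL
1413234601 203.0.113.7 barbara@example.com FAIL
1413234602 203.0.113.7 ben@example.com OK
1413234603 203.0.113.7 beth@example.com FAIL
1413234604 203.0.113.7 bill@example.com FAIL
1413234605 203.0.113.7 brenda@example.com FAIL
1413234700 198.51.100.20 alice@example.com FAIL
1413234710 198.51.100.20 alice@example.com FAIL
1413234720 198.51.100.20 alice@example.com OK
1413234800 192.0.2.55 carol@example.com OK
"""

# Assumed thresholds; tune against real traffic.
WINDOW_SECONDS = 300
MIN_DISTINCT_USERS = 5
MIN_FAILURE_RATIO = 0.6


def find_credential_stuffing(log_text):
    """Map each suspicious source IP to the accounts it logged in to successfully."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, ip, user, result = parts
        by_ip[ip].append((int(ts), user.lower(), result == "OK"))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than WINDOW_SECONDS.
            while events[end][0] - events[start][0] > WINDOW_SECONDS:
                start += 1
            window = events[start:end + 1]
            users = {u for _, u, _ in window}
            failures = sum(1 for _, _, ok in window if not ok)
            # Many different usernames, mostly failing: a replayed credential list.
            if (len(users) >= MIN_DISTINCT_USERS
                    and failures / len(window) >= MIN_FAILURE_RATIO):
                flagged[ip] = sorted({u for _, u, ok in events if ok})
                break
    return flagged
```

On the sample log only the first source is flagged, and the one account it logged in to is the candidate for a forced password reset; the user who mistyped a password twice before succeeding is left alone.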

Video: Hacking quadcopters with Arduino

A Maker by the name of Dzl recently reverse engineered the communication protocol of an inexpensive quadcopter to work with an Atmel-powered Arduino board.

According to the HackADayCrew, Dzl kicked off his hack by cracking open the quadcopter’s accompanying control handset to determine which transceiver it used.

“[He] then found the relevant datasheet and worked out all the pin configuration involved in the SPI communication. Flying data is transmitted as 8 byte packets sent every 20 mS, controlling the throttle, yaw, pitch and roll,” wrote HackADay’s John Marsh.

“[Dzl] took the build a step further, writing an Arduino library (direct Dropbox download link) that should catch you up to speed and allow you to skip straight to the fun part: hacking and experimenting.”

Dzl offers additional quadcopter hack details on his blog. More specifically, he used an Atmel-powered Arduino UNO (ATmega328) to eavesdrop on the communication between the handset and ‘copter. The annotated list of the initialization sequence is as follows:

* Quadcopter activated.
* Handset broadcast a unique network address or ID.
* Quadcopter receives broadcast, acknowledges, starts listening to data from specific ID.
* Transmitting flying data packet every 20 mS.

“Multiple Quadcopters can be controlled simultaneously by assigning them different addresses,” Dzl confirmed. “The passing of ID is done on one fixed radio channel and flying data is sent on one of about 12 random radio channels. The quadrotors seem to auto scan the radio channels until they find data.”

Interested in learning more? You can check out Dzl’s official project page here.

Wayne Yamaguchi on file storage and project management

I had lunch with my buddy Wayne Yamaguchi last week. He showed me the latest upgrades on an Atmel-powered nightlight he has designed. I met Wayne when I was consulting at HP in the late ‘90s. He took an interest in LEDs and left Agilent when he started making more money selling kits to convert your Maglite into an LED flashlight. Wayne was the guy that got me on OrCAD 7, and I still use OrCAD 9.2. Love those free vias.


Wayne Yamaguchi holds his prototype LED nightlight at the Pho Kim Long restaurant in San Jose.

Anyway, Wayne wrote me an email about how he stores files and manages all his projects. He was the guy that told me about 1Password as well. Wayne writes:

I stick with Microsoft Windows PCs and laptops.  I find most engineering-related tools run under this environment. Other people seem to know every word of every datasheet they read.  But I need a way to handle large volume of data, notes, documents, images, PDFs, and everything else related to a project or task.

I use Dropbox for key data storage and sharing. I have access to all my design files from any system or laptop I use. In conjunction with Dropbox I use Evernote as my primary note/task/organizational tool. There are many cloud storage solutions like box.com, Google Drive, and others. But, Dropbox and Evernote work together. With Evernote configured correctly I have all my project documentation, notes and current status in Evernote. I can easily start or stop a project, and I can resume a project with minimal effort.

I can access Dropbox files or Evernote from any PC, notebook, cellphone or tablet that I have. I rarely use a USB stick to carry data or project info from one PC to another. That goes for my OrCAD schematic and layout files, Solidworks design files, spreadsheets, PDFs and everything else related to a project. I keep them either in Dropbox (schematic, PCB, Solidworks) or in Evernote (notes, status, links, web site clips).

Once you have one or two tablets and a desktop you should have a central location for data. If you don’t do hardware or software development this is still important. It makes sense to store files of extreme importance so they are accessible on more than one computer.

This has helped me write Atmel code in the house while simulating and testing it in the garage. When I am ready I can walk out to the garage, fire up the laptop, and burn and debug with the same files without having to transfer them in any way. By the time I re-compile inside the house and walk into the garage the new files are already synced and ready to burn by the time I get to the garage laptop.

The same is true for my CNC mill.  I can edit my 3D file and generate new G-code and then have direct access to them on the PC that drives the CNC mill.  No transferring of files manually.  It’s all automatically synced.

Now as for me, I am a lot more scared of keeping my stuff in the cloud. I tend to side with GNU founder Richard Stallman, who says cloud computing is a trap. With the recent revelations about PRISM, and the fact that the next world war will be a cyberwar, with foreign countries stealing our data and files, well, I have a slightly more paranoid data storage method. I keep everything on a mirrored NAS (network-attached storage). I use Synchromagic to duplicate the data on my CAD machine, my audio-video production machine, and my home-theater laptop.

I also duplicate the one terabyte of my life’s work on a little USB hard drive. I keep one hidden at home and one in my safety deposit box in case the house burns down. I update them once a month. I don’t try to synchronize the files; I just use the program to make sure all the copies are coherent with the NAS. I keep my Thunderbird email profile on the NAS, so that I can read email from any of my home computers. I tried to do that with my Firefox profile, but it is a pain since the upgrade status can be different and then you break the profile. So I just keep a “master” Firefox on the NAS and copy the latest bookmarks and such to it.

And back to passwords, I asked one pal what he does, and he advises to just make an encrypted USB stick. He makes different 15-digit passwords for everything he has, and keeps them all on the USB stick. He then plugs it in and does a cut-and-paste into the applications, with another cut and paste of anything handy to push the password out of the buffer.

I really like the YubiKey, a 2-factor hardware system that my FastMail email service supports. With this type of system, the user needs to be in physical possession of the USB key, and he has to go to the bank website or application that supports it. Then when you press the button on the YubiKey, it sends a one-time password, that changes every time, to the website taking your password. Even if someone is key-logging you, they can’t get in using the same password.