The files are stored by the solution providers.  Usually the files stored in the cloud can be accessed via a web browser or by installing a client application.

Some of the most well known cloud storage solutions are Dropbox, Windows Live SkyDrive and Google Apps.

One of the easiest and most effective solutions of this kind is Dropbox.

After installing the Dropbox client application on a machine, a folder will be monitored by the application and the content will be automatically synchronized with the online storage. Thus, any file change performed in that folder (e.g. adding a file, changing a file) will be mirrored across all of the computers where the client is installed.

Similar to a USB flash drive, this solution can allow:

• data leaks and theft
• introduction of malicious and other unauthorized software to the network

How can I Detect and/or Filter Dropbox Network Traffic?

The Dropbox client communicates with the Dropbox servers via HTTPS.
In order to detect usage of Dropbox in your network, monitor network traffic to *.getdropbox.com and *.dropbox.com domains.
In order to block Dropbox, make the DNS lookup not work correctly for *.getdropbox.com and *.dropbox.com domains or block network traffic to and from *.getdropbox.com and *.dropbox.com domains.

How can I Detect the Dropbox Application using GFI LANguard 9?

From the GFI LANguard Scanning Profiles Editor select the current profile and add the application named “Dropbox” as a not authorized application. In order to also detect the Windows Live SkyDrive client application, add the applications “Windows Live Upload Tool” and “SkyDrive Explorer” as not authorized.
After changing the scanning profile, perform a security scan using that profile. High security vulnerability warnings will be generated.

In Figure 1, the Microsoft patch “Security Update for Microsoft Visual Studio 2008 (KB972221)” left behind a folder named D:\d707465963f1f97d0d9e8ad0d33066cd.

Figure 1 KB972221

These folders are temporary folders (e.g. uncompressed archives) created by the patch installation mechanism and deleted once a patch is successfully installed. If the patch installation does not finish (e.g. if the computer is restarted while installing the patch) these folders might remain on the file system.

Note: please be cautious when deleting folders. Do not delete folders that you are not certain that they are not needed anymore. Do not delete folders for patch installations that are currently running. Make sure that you have usable backups of the deleted folders before deleting them.

Administrators cannot delete these folders.

Figure 2 Deleting folder

This is because the owner of the folders is the user SYSTEM and the group Administrators does not have permissions to delete them.

Figure 3 Folder permissions

How can I Delete these Folders?

In order to delete these folders you need to change the owner of the folder to your current user and then you need to grant the necessary permissions to the new owner.

In order to do these changes you can use either Windows Explorer or the command line.

The commands to use from the command line are:

takeown /f <FolderName> /r /d y

icacls <FolderName><UserName>:F /t

E.g.

C:\>takeown /f D:\d707465963f1f97d0d9e8ad0d33066cd /r /d y

SUCCESS: The file (or folder): "D:\d707465963f1f97d0d9e8ad0d33066cd" now owned by user "PC\Administrator".

...

C:\>icacls D:\d707465963f1f97d0d9e8ad0d33066cd /grant administrator:F /t

processed file: D:\d707465963f1f97d0d9e8ad0d33066cd

Successfully processed x files; Failed processing 0 files

• Any web browser (ActiveX add-on, Java plugin client, Firefox plugin)
• Windows or iPhone or BlackBerry Storm  application (LogMeIn Ignition)

How can I detect and/or filter LogMeIn Network Traffic?

The machine where LogMeIn is installed initiates and maintains a constant HTTPS connection to the LogMeIn, Inc servers; the firewalls treat this as an outgoing connection as if a user is navigating to an HTTPS site.

Below is a Wireshark capture of the network traffic to and from the LogMeIn application installed on the host computer.

<localhost>   35641  <DNSServer>   53     DNS    Standard query A secure.logmein.com

<DNSServer>   53     <localhost>   35641  DNS    Standard query response CNAME secure.logmein.com.akadns.net A 77.242.192.193

<localhost>   2474   77.242.192.193       80     TCP    2474 > http [SYN]

77.242.192.193       80     <localhost>   2474   TCP    http > 2474 [SYN, ACK]

<localhost>   2474   77.242.192.193       80     TCP    2474 > http [ACK]

<localhost>   2474   77.242.192.193       80     TCP    [TCP segment of a reassembled PDU]

<localhost>   53211  <DNSServer>   53     DNS    Standard query A control.app105.logmein.com

<DNSServer>   53     <localhost>   53211  DNS    Standard query response CNAME app105.logmein.com A 77.242.193.145

<localhost>   2475   77.242.193.145       443    TCP    2475 > https [SYN]

77.242.193.145       443    <localhost>   2475   TCP    https > 2475 [SYN, ACK]

The above capture shows all of the types of traffic done by the LogMeIn application. The application connects via HTTP to secure.logmein.com to and receives a web page that contains the host name of a LogMeIn gateway. Then, the application connects via HTTPS to the received host name.

In order to detect LogMeIn applications in your network, monitor network traffic to *.logmein.com domain.

In order to block LogMeIn applications, make the DNS lookup not work correctly for *.logmein.com domain or block network traffic to and from  *.logmein.com domain.

How can I detect LogMeIn using GFI LANguard 9?

From the GFI LANguard Scanning Profiles Editor select the current profile and add the application named “LogMeIn” as shown in the screen shot below.

After changing the scanning profile, perform a security scan using that profile. A high security vulnerability warning will be generated.