People Don’t Care About Security

Someone dumped hundreds of Dropbox usernames and passwords today, with the claim that they are just a small sample of the 7 million hacked accounts. One of the pastebins with this information is located at http://pastebin.com/Ntgwpf and contains the following intro:

Dropbox Hack third Teaser.

Here is another batch of Hacked Dropbox accounts from the massive hack of 7,000,000 accounts
To see plenty more, just search on pastebin for the term Dropbox hack.

According to Dropbox, most of the credentials shared so far (roughly 400) don’t actually work. Dropbox are also saying they weren’t hacked, but that an unrelated service had these credentials stolen instead. That’s actually very likely, but Dropbox themselves don’t have the best track record. In 2012, they were hacked when someone used the credentials of Dropbox staff members to gain access. Maybe this has happened again, but you’d hope that they forced two-factor authentication onto their staff members, rather than leaving it optional as they do for outside users of their service.

Looking back further to 2011, Dropbox was under heat about their security practices and their ability to actually protect data. It was reading that news that first made me very concerned about the company Dropbox and their ability to protect documents.

Jumping forward to 2013, it was then shown that the two-factor authentication could be reverse engineered, yet again pointing out Dropbox’s insecurities. This one required access to the victim’s Dropbox client, and if an attacker has gotten that far the victim is in a world of trouble anyway, so it is not as scary as previous incidents, but still not ideal.

Despite this, Dropbox has over 200 million users. It would be an article in itself to see how they got to this stage, but the two main reasons are: They were free, and simple to use. Security is not a consideration for most people, and the general idea that a well known corporate entity should know what they’re doing is more than enough assurance for the general user of their services. The latest breach, regardless of who was at fault, will not see a mass exodus of users from their service.

I believe this comes down to the lack of caring from people. Most out there wouldn’t know that Dropbox ever had an issue. They probably started using it when someone shared a file with them, and seeing how easy it was, they used it to share another file. It is easy, and that’s really all that matters (the free part matters greatly, but really adds to the ‘easy’ label). Dropbox gets used in businesses all the time, by people who just need to get work done. The chance that someone else might read a confidential document doesn’t even cross their minds – they’ve emailed things around for years, so why not upload a document and share it with one person?

For most people reading this, I’ve probably just stated the obvious. My point, though, is that the mindset of people won’t change anytime soon, possibly ever, so you shouldn’t expect it to. Anyone who had a PlayStation 3 account in 2011 lost their credentials due to a hacker, but the PS4 is the best selling console of the current generation. Xbox 360/Wii didn’t have this, but people just don’t care about their personal information enough to actually *not* get something they want.

If people found out that the government was actually recording every single phone call made, people would be up in arms. But along with that, would be everyone else still using their phones and not caring. You can be walking down the street and hear someone read out their credit card number over the phone for the same reason.

What is the solution to this lack of caring? For a business, it’s generally enforcing rules: strong password requirements, RSA tokens, locking down settings and USB devices on computers, whatever the business can justify to itself to protect its own data. In the consumer world though, nobody else is going to protect the consumer’s data without a financial reason to do so. Should a company like Dropbox force two-factor authentication upon all their users? If they’d done this from the start, would they be as successful as they are now, or would everyone have signed up to another service that just used a username and password, because it was easier to use?

So, in the consumer space all we have to work with is education. “Don’t use the same password for everything you do” is a simple tip, but again, do people actually care enough to follow it? Usually not, so something has to change. Maybe it will be government legislation around security and user requirements for services, putting the onus on the companies providing the services to meet these requirements.

Feel free to comment if you disagree or have an amazing solution, and we’ll go halves in selling it to the world. For me, I’m just going to use a fake name and password for everything I do, and add an extra layer to the tin foil hat.

Signing Out,

Mr X


4 thoughts on “People Don’t Care About Security”

  1. Great article. The issue, in a nutshell, is that people value ease-of-use over security.

    That’s not just in the consumer world either, you wouldn’t believe the amount of push-back we get from the business when we try to implement things like dual-factor authentication for network-level VPN access to a corporate network (to the stage where certain business units where I work have bypassed the official VPN solution and moved to using DirectAccess without a dual-factor authentication process).

    The following is a great article on how username/password pairs CAN be made secure – https://crackstation.net/hashing-security.htm.

    Note that getting it right isn’t necessarily easy – but when there’s literally millions of account credentials at stake, there’s really no excuse for NOT going all the way and doing it right.

    1. Very true and thanks for the feedback – and people can just claim ‘I didn’t know what I was doing’ and wipe their hands of responsibility through their lack of care.

      Honestly, I don’t know how to get this right. I don’t believe it’s actually possible right now!

      1. I think the “I didn’t know” argument is starting to wear thin – more and more, the basic concepts of security are getting pushed down into the market towards “non-technical” users.

        That isn’t to say that they pay attention (they keep choosing ease of use, you only have to look at PayPass/PayWave to see what we REALLY value as a consumer-base) – but the message IS out there if they can be bothered to pay attention to it.

        The flipside of this of course is those of us who understand security need to do a better job of selling it. Given the number of systems over the last few years that have been compromised, it seems that “shock” tactics just won’t work – so the trick for us now is to find a sales pitch that does actually resonate.

        As ever, the technical aspect of the problem is relatively straight forward and well known. The hard part is the human factor.

        One of my favourite cynical sayings is “Social engineering – because there’s no patch for natural stupidity”. Like all generalisations, there’s a strong element of truth to it…

      2. I agree, but this then comes back to the solution providers forcing users to do best, or at least better, practice. That’s never going to happen when a kid can create an iOS app in a day and put it on the store.
