People Don’t Care About Security

Someone dumped hundreds of Dropbox usernames and passwords today, with the claim that they are just a small sample of the 7 million hacked accounts. One of the pastebins with this information is located at http://pastebin.com/Ntgwpf and contains the following intro:

Dropbox Hack third Teaser.

Here is another batch of Hacked Dropbox accounts from the massive hack of 7,000,000 accounts
To see plenty more, just search on pastebin for the term Dropbox hack.

According to Dropbox, most of the credentials shared so far (roughly 400) don’t actually work. Dropbox is also saying it wasn’t hacked; instead, an unrelated service had these credentials stolen. That’s actually very likely, but Dropbox itself doesn’t have the best track record. In 2012, it was hacked when someone used the credentials of Dropbox staff members to gain access. Maybe this has happened again, but you’d hope they forced two-factor authentication onto their staff members, rather than making it optional as they do for outside users of their service.

Looking back further to 2011, Dropbox was under heat about its security practices and its ability to actually protect data. Reading that news is what first made me very concerned about Dropbox as a company and its ability to protect documents.

Jumping forward to 2013, it was then shown that the two-factor authentication could be reverse engineered, yet again pointing out Dropbox’s insecurities. This one required access to the victim’s Dropbox client, and if an attacker has gotten that far the victim is in a world of trouble anyway, so it is not as scary as the previous incidents, but still not ideal.

Despite this, Dropbox has over 200 million users. How they got to this stage would be an article in itself, but the two main reasons are that the service was free and simple to use. Security is not a consideration for most people, and the general idea that a well-known corporate entity should know what it is doing is more than enough assurance for the average user of its services. The latest breach, regardless of who was at fault, will not cause a mass exodus of users from the service.

I believe this comes down to the lack of caring from people. Most out there wouldn’t know that Dropbox ever had an issue. They probably started using it when someone shared a file with them, and seeing how easy it was, they used it to share another file. It is easy, and that’s really all that matters (the free part matters greatly, but really adds to the ‘easy’ label). Dropbox gets used in businesses all the time, by people who just need to get work done. The chance that someone else might read a confidential document doesn’t even cross their minds – they’ve emailed things around for years, so why not upload a document and share it with one person?

For most people reading this, I’ve probably just stated the obvious. My point, though, is that people’s mindset won’t change anytime soon, possibly ever, so you shouldn’t expect it to. Anyone who had a PlayStation 3 account in 2011 lost their credentials to a hacker, but the PS4 is the best-selling console of the current generation. The Xbox 360 and Wii didn’t have this problem, but people just don’t care about their personal information enough to actually *not* get something they want.

If people found out that the government was actually recording every single phone call made, they would be up in arms. But alongside that, everyone else would still be using their phones and not caring. You can walk down the street and hear someone read out their credit card number over the phone for the same reason.

What is the solution to this lack of caring? For a business, it’s generally enforcing rules: strong password requirements, RSA tokens, locking down settings and USB devices on computers, whatever the business can justify to itself to protect its own data. In the consumer world, though, nobody else is going to protect the consumer’s data without a financial reason to do so. Should a company like Dropbox force two-factor authentication on all its users? If it had done this from the start, would it be as successful as it is now, or would everyone have signed up to another service that just used a username and password because it was easier to use?

So, in the consumer space all we have to work with is education. “Don’t use the same password for everything you do” is a simple tip, but again, do people actually care enough to follow it? Usually not, so something has to change. Maybe it will be government legislation around security and user requirements for services, putting the onus on the companies providing those services to meet the requirements.

Feel free to comment if you disagree or have an amazing solution, and we’ll go halves in selling it to the world. For me, I’m just going to use a fake name and password for everything I do, and add an extra layer to the tin foil hat.

Signing Out,

Mr X