Sunday, July 3, 2011

Security is about accepting risks

Not long time ago, Dropbox made a terrible mistake : they let the door open on data of all of their users during 4 hours.

A friend of mine, as well as thousands of people were screaming at Dropbox and how much it was unacceptable and crazy to store data here.

I'm a developer, and by no way I defend dropbox about their mistake, but I want to put things into perspective : some of the worse security breach are your own habit and they are way more dangerous than dropbox's mistake.

So the problem is : a developer of the DropBox's team made a mistake, and removed authentication on the service during 4 hours. Everybody who known the email I used in dropbox during that time span could access my data.

I have my bank account and passwords stored inside dropbox, so what are the chance to get my money stolen ?

  • A skilled hacker need to be aware of the security breach in a 4 hours time span

  • He needs to create a program to dump all files of all dropbox accounts

  • He needs to know my email account and put in his lists(these were not leaked)

  • He need to find the file where I store my passwords (more than 100 000 files are stored in my account)

  • If he finds the file, he needs to find to which service each password belongs to.

A skilled hacker would earn more money by using some of the worse security breach in the world: the coffee time.

You have way more chance that someone in your work place will use your computer when you are away without locking your session.
By accessing your unlocked computer he can :

  • Check your emails, and resetting your gmail account password to look at them at home

  • He can reset all passwords of website you are logged in your current session, and use them on your behalf

  • He can install spy

And how about the email/password you use in every website in the web ?
A little math here, imagine that you use the same password and email on every site (In fact, same password is enough because we can always find other logins you by searching in google, and looking at what you leave on the web -blog, forum posts, social website-.)
Imagine that each site have 1% chance to be hacked.
After 20 registrations on different websites you have 1-0,99^20 = 20% chance that your password will be stolen. (Yes, maybe less if the site only store a hash of your password in database, but it's not often the case, and even if it is, cloud technologies permit hackers to buy considerable computing power to brute force for cheap a lot of hash).

Your habits are the worse security breach : it does not take skills, and the target of the attack is precisely defined. (it's you)

Good security is not about having a castle to protect your data.
Good security is about accepting the risk and be aware about the biggest ones and how to fix -or at least minimize- them.

No comments:

Post a Comment