Security professionals and consumers often feel that they understand cybersecurity just by using words and technical descriptions of product labels, vendors’ marketing campaigns, and manuals. Especially when knowing that we bet on the “right horse” and entrusted our data to well-known companies, including Google, Apple, Microsoft, and others. Right?
Not exactly. While there are many arguably great benefits that come with using technology and services from tech giants such as the ones mentioned above, some common issues tend to plague complex systems. The complexity of the system in and of itself generally makes it more difficult to secure every aspect of it. There might be more resources available for increasing the security of the system, but the belief that the infrastructure tech giants offer is more secure is simply a false perception of security. Even giants have security holes.
Take, for example, the tool called iDict, a simple hacking tool that allows practically anyone to attempt to gain unauthorized access to any Apple iCloud account. If you think that you would be safe because you have the two-factor authentication enabled, I have some bad news for you. This tool was able to circumvent that two-factor authentication altogether. It then used a simple dictionary of a mere 500 most common passwords to “brute-force” its way in. It could seem like a foolish idea, but the tool was highly effective.
A number of celebrities could talk about their password habits and intellectual wisdom of technology - including Jennifer Lawrence, and others. Nothing is better than some Hollywood wisdom — no price is low for such cybersecurity advice.
Here are two quick observations:
- Security professionals often use strong claims about security, such as: “it has two-factor and biometric features, and it cannot be exploited.” Surely, Apple could tell if its two-factor authentication is vulnerable and broken, but, believing that any technology is completely secure is simply naïve.
- We like to believe that hacking is a sophisticated, highly-talented dark art. In some cases, that is surely true. Looking at this brilliant idea of PHP code run in your local browser with a 500-word dictionary, however, one can only agree that hackers release security code with such pride that security companies can hardly ever match. Most of the code from security companies is proprietary, and we can only hope they are proud of developing it, and one day even clients could see it.
ICSA Labs, an independent security testing organization, provides insight into security product testing. Nearly 80 percent of security products fail to perform as intended and do not pass the tests needed to obtain the certification on the first try. We don’t need to pick on Microsoft Windows’ weak security shadow, because other tech giant companies follow, including Apple and Samsung’s recently implemented biometric vulnerabilities.
We like to pretend that we understand cybersecurity and the various connections between systems, falsely believing that we master it. A simple test can prove us wrong: where it is not arrogance, just a false perception of cybersecurity maturity level and posture that brings empires like Sony to its knees. And yes, it was not that sophisticated.