Why there is no such thing as security

Target, Home Depot, Apple’s iCloud celebrity pictures breach and many other high-profile hacks and attacks have a lot of people worried about security, but is it even possible to be completely secure in this highly interconnected digital world? I don’t think so.

We have this vision of nests of hackers slumped over patched-together computers in some basement located somewhere in Russia or China or wherever. Nefarious computer geeks feverishly working on sophisticated algorithms, worms, bots and malware, all geared toward stealing people’s personal information.

Yes, I imagine there are groups of hackers like that (although most of them live and work their mischief from widely dispersed locations). And I suppose there are hackers out there who are clever enough to build sophisticated devices that can snoop out passwords from passing smartphones or cars. And there are people who build spy gear that can be secretly inserted into cash machines, credit card processing equipment or even gas pumps.

But most of these cases are rare. What’s more common are simple phishing schemes, where attackers send out thousands of emails disguised as something innocuous, hoping that someone will click on the link or open the file and essentially invite the hackers in.

Apple’s recent iCloud breach wasn’t a direct attack on their system but more of a social engineering attack on the celebrities themselves. As far as I know, the attack on Target last year was engineered by using a compromised account belonging to one of Target’s suppliers – not a breach of Target’s servers directly (although Target could have set up their systems a little better to prevent anyone outside the company from accessing their system directly).

And that’s the real problem. Because everything is interconnected these days, a breach can happen anywhere. As they used to say, a chain is only as strong as the weakest link. Most of the time the weakest link is us, not the servers or the cloud or the encryption. But the Target breach wasn’t the fault of the people who used their credit cards to buy things – they weren’t hacked because they used weak passwords or clicked on a suspicious link.

When you think about all the different devices we have and all the ways they are connected in our digital lives you begin to see that it would be nearly impossible to protect everything every step of the way.

Start with our phones. The moment we turn on a new device we’ve already activated an operating system of some sort (and if they were secure they wouldn’t have to keep issuing patches). We connect to a service provider (and they have thousands of possible breach points). We’ve already activated the phone manufacturer’s built-in apps (which may or may not already be compromised since they are the products of dozens if not hundreds of programmers working for dozens of different companies). We hook up to Facebook or Twitter or whatever (thousands more points to attack). We go online, search, browse and even buy things online (relying on encryption algorithms that may or may not be up to date and exposing ourselves to tens of thousands more points). We ask for directions, read the news, check the scores and download apps (all these things depend on thousands of other people keeping their noses clean). And this doesn’t even count the possible spying done by governments or the police.

Within a few minutes we have exposed ourselves to literally thousands of attack points that are completely out of our control. Even if you don’t go online or buy things or download apps you are already vulnerable. Heck, even if you don’t have a smartphone you probably do have a credit card, bank account, driver’s license, health care plan and social security number; you pay taxes, have worked for a company that has your records, have applied for a loan, have gone to school somewhere… and all of these things are potential attack points.

From the moment of our birth there is information about us stored somewhere on someone’s computer that we have no control over. And no password is going to protect us completely.

Note: I messed up in the original posting of this story. I said that Walmart was the victim in the hack last year when it was Target. I apologize to Walmart for the mistake.