False Perception of Security

>Even giants such as Apple and Google are not immune to the fact that security technology implementations often have security holes.

Take for example iDict, a tool released by a hacker known as “@Pr0x13” to brute force Apple iCloud accounts that use two-factor authentication, which one would think completely immune to such an attack. A neatly written piece of web-based PHP code, pointed at a local web browser and armed with barely 500 passwords, could look like a foolish idea, hardly high-tech hacking. Simple, elegant, and beautiful, and it explains why such attacks are so successful when the passwords are “Princess1”, “P@ssw0rd”, “Anthony1”, “Jessica1” and “loveyou1”.

A number of celebrities could share their password habits and their intellectual wisdom on technology use, including Jennifer Lawrence, Kim Kardashian, Vanessa Hudgens, Kirsten Dunst, and others. What could be better than some Hollywood wisdom? No price is too low for such cybersecurity advice.

Two quick observations:

  • Security professionals like to make strong statements about technology, of the type: “it has two-factor and biometric features, and cannot be exploited.” We often fool ourselves by believing that someone else, or some piece of technology, will protect us 100%. Only Apple could tell us whether its two-factor authentication was really vulnerable and broken.
  • We like to believe that hacking is a very sophisticated, high-talent dark art. Looking at this brilliant idea of PHP code run in your local browser with a 500-word dictionary, one can only note that hackers release their code with a pride that security companies can rarely match. Most code from security companies is proprietary; hopefully they are proud of developing it, and one day even their clients might get to see it.
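The lesson for defenders is that a 500-word list only works when nothing notices a burst of failures against one account. As an added example (not code from the original post or from iDict), here is a failed-login burst detector run over constructed log lines, plus a deny-list screen for passwords like the ones quoted above; the log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not real data); the format is an assumption.
SAMPLE_LOG = """\
2015-01-02T10:00:00 LOGIN_FAIL user=jessica src=203.0.113.5
2015-01-02T10:00:01 LOGIN_FAIL user=jessica src=203.0.113.5
2015-01-02T10:00:02 LOGIN_FAIL user=jessica src=203.0.113.5
2015-01-02T10:00:03 LOGIN_FAIL user=jessica src=203.0.113.5
2015-01-02T10:00:04 LOGIN_FAIL user=jessica src=203.0.113.5
2015-01-02T10:00:05 LOGIN_OK   user=jessica src=203.0.113.5
2015-01-02T10:30:00 LOGIN_FAIL user=kim src=198.51.100.7
2015-01-02T11:30:00 LOGIN_FAIL user=kim src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_FAIL|LOGIN_OK)\s+user=(\S+) src=(\S+)$")

def detect_bursts(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return alerts for (user, src) pairs whose failures within a sliding
    window reach max_failures; a success right after such a burst is flagged
    separately, since it usually means the password was guessed."""
    recent = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        key = (m.group(3), m.group(4))
        q = recent[key]
        if m.group(2) == "LOGIN_FAIL":
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) == max_failures:        # fire once when the threshold is hit
                alerts.append(("burst", *key))
        elif len(q) >= max_failures and ts - q[-1] <= window:
            alerts.append(("success-after-burst", *key))
    return alerts

# Tiny deny list built from the passwords quoted in the post (constructed).
DENY_LIST = {"princess1", "p@ssw0rd", "anthony1", "jessica1", "loveyou1"}

def password_is_weak(password, username=""):
    """Reject deny-listed or username-derived passwords at enrolment time."""
    p = password.lower()
    return p in DENY_LIST or (bool(username) and username.lower() in p)
```

A real deployment would feed the two alert types into lockout or step-up logic rather than a list, and would use a deny list of tens of thousands of leaked passwords instead of five.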

ICSA Labs, an independent security testing center, provides insight into security product testing: almost 80% of products do not even pass their first attempt at certification. We don’t have to single out Microsoft Windows’ weak security record, because other tech companies follow suit, including the vulnerabilities in Apple’s and Samsung’s recently implemented biometric features.

We like to pretend that we understand cybersecurity and the various connections between systems, falsely believing that we have mastered it. A very simple test can prove us wrong; it is not arrogance but a false perception of one’s cybersecurity maturity level and posture that brings empires like Sony to their knees. And yes, it was not that sophisticated.