Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

26 comments on “6 Reasons There Are Still So Many Security Breaches”

  1. I read Kevin Mitnick’s book on hacking and several news articles on hacks, and most of them have one thing in common: the PEBCAK, the problem existing between keyboard and chair (the user). It seems most hacking is done through human engineering. Getting people to run a program containing malware, give a hacker a password or other access to a machine etc. This isn’t to deny that there are real vulnerability hacks, but the biggest vulnerability is the human using the computer.

    Reply
  2. We do our best, but as Leo wrote (so many years ago!) that is really all we can do.

    We are so careful, but somehow Adware got on our computer. Not the end of the world in the scheme of things, but it showed us we were not as careful as we need to be.

    I guess we trusted PC Matic and their white list thingy too much! Their scan did not find the adware (SpyBot did) and PC Matic response when asked what we had done wrong was to direct us to Malwarebytes to remove it. MB did not find it either and I had a fun week tracking down how I could get rid of it, eventually realizing I could stop it reappearing after deletion in the registry by instead deleting all permissions. All good today, first complete day, but we will see how smart the dang thing is soon enough.

    But Leo is so right, we do want bang up to date, yet still want our 10 year old stuff to work also.

    Thanks to Leo and Mark, I only recently came across this site and it helps me with many things I did not know I needed to know!

    Reply
  3. I’m retired Navy. When I was on active duty back in the 80’s there was a popular saying that had more than a little truth to it that applies equally well to the tech world.
    “You can make things waterproof, rustproof, dirt proof, and drip proof; but you can’t make anything sailor proof.”
    Engineers did what they could and we did out best to train our people, but there was always one sailor who found a new way to break something.
    It’s why I subscribe and try to keep up with best practices on the family machines so I can be prepared when that “sailor” does something unexpected.

    Reply
  4. I’m saving this article as I work in regulations related to medical device cybersecurity, and what you show here is why there is still a problem, and why regulators (e.g. the FDA) keep issuing guidances that many find unreasonable, but may be necessary to ensure the devices are safe.

    Reply
  5. You forgot the most important reason why security measures fail: Bad guys, usually motivated by money. No matter how smart a programmer is there is always someone smarter out there. Besides, exploiting bugs and complexity is much easier than closing security holes. Whack-A-Mole.

    Reply
  6. So, 4 options:
    – Throw out all your digital stuff
    – Continue playing whack-a-mole
    – Change the whole basis of humanity’s inter-communication methodology
    – Develop an all-seeing AI

    Wow – my window isn’t big enough to throw it all out!

    Reply
  7. Part of the problem as I see it is the fact that we use operating systems (a necessary evil) so before you do anything, you’re potentially vulnerable (if I were an astronaut I think I’d insist no OS – I’m thinking Apollo 13 here!) Oh & we connect to a “public” network (the internet which was never designed for this – it was almost a private system to begin with) – just bits added on for security. Then you have PEBCAK as has already been described. We don’t help ourselves though. There is no password manager that can work well with web based systems because so many of them do not adhere to early loose standards that existed at the beginning of the WWW & also so much is developed with programming toolkits to speed up development (in my day it was 4GL & 5GLs that were rapid development tools). Maybe Quantum Mechanics will come to the rescue!

    Reply
  8. Please check out SCION. The basic internet transmission protocol does not support end-to-end transmission of the identity of the person/org sending a message. The Swiss Banking system and several other country banking systems are implementing SCION. It makes it very hard to spoof.
    Our basic problem is that with current internet architecture it is extremely easy to lie about who is sending the message.
    Of course, many phishing attempts do not rely on anything that sophisticated. I get masses of fake emails via Comcast that are easily detected by just reading the email address.

    Reply
  9. We’re still babies in our cribs trying to figure out the structure of the universe!
    Wait until you can publicly use Quantum computing in your home… that’s when the fun will really start!

    Reply
  10. Many of the security problems happen because all the testing time is spent getting the #*+% software to work. Somebody comes up with an idea and sells it to management. Then they build the software. Testing is always about how to get the software to work, never about how to break it. Then you have that the employees have to be able to have access. If an employee can look at the data, that is a hole that can be exploited if a hacker or data thief gets an employee access. And as soon as you include access to your customers to some form of data, you create another hole.
    In one of my jobs, I had access to every customer’s credit card number that they used to pay the bills with. That data was stored unencrypted for some time, then we encrypted it. But I still needed access to the numbers to do my job. They built in a program that would unencrypt the numbers for me and load them into an Excel spreadsheet. But that created a hole if a hacker found that, or if I was an upset employee. I also never had a job that prevented an employee from downloading the data available to a disk or USB stick. Once you were an employee you were trusted, until you were not and fired.

    Reply
  11. No, you can’t protect yourself 100% against hacks and malware unless you revert to pencil and paper for all your communications (even then, somebody can rob your mailbox). You can mitigate the damage, however.

    First, ditch Windows and change to a more secure OS. I’ve used Linux Mint for years and have never experienced a “virus” or any other malware. Linux’s relative invulnerability is largely due to its inherent security and open architecture but also due to its obscurity. Why write malware for Linux when 90% of the world uses Windows? There’s a reason nobody offers AV programs for Linux. Nobody. I’m talking abut Linux for desktop/laptop, not for servers. A majority of the world’s servers run on Linux, plus ALL the world’s supercomputers, and hackers expend a lot of effort to breach them, but that’s a different kettle of fish.

    Second, BACK UP, EVERYTHING, both your entire system (bare metal) and your data (separately and daily) to more than one destination. Do it regularly and automate the operation so you don’t forget to do it. In addition make a manual full backup periodically to an external destination that’s connected to your system solely for the purpose and then disconnected, physically, until the next session. If your backup scheme includes a cloud based backup service, a good idea in case of disaster like burglary or fire, select one that offers end-to-end encryption. I use MegaSync which offers both E-to-E encryption and versioning

    Third, subscribe to and use a good, reputable VPN service, NOT a free one. Most good VPN’s have a “Kill Switch” function. which kills the internet connection unless the VPN is working. Use it. I use Private Internet Access (PIA) mainly because it’s full-featured and has a killer Linux GIU desktop app.

    Fourth, by all means use a password manager and let it choose a long, unique, secure password for anything that requires a password. Use 2FA where it’s offered INCLUDING for the password manager itself. I recommend Authy for 2FA for its cross-system synchronization capabilities. For the Password Manager’s Master Password/Passphrase use something that’s both easy to remember and LONG. For instance a memorable line from the Bible, Koran or Talmud (use old versions for the obsolete language) or a line from an obscure poem with which you’re familiar; caps, spaces and all to your preference.

    Reply
    • Many thanks, Mr St John. I’ve copied/pasted your advice into a Word document and will later review it line by line. The parts I understood, I knew and liked, making me think the rest I didn’t is on target, too.

      Except for a few dollars in the credit union to pay the bills, almost all my life savings are in a few Vanguard funds. My fear has long been, what if Vanguard gets hacked. Is that rational? Or does a company as large as Vanguard have such a good security team that my worrying should be better spent on other things?

      Reply
  12. Uhm, shouldn’t that be PEBCAC…?

    (Since when does the word “chair” begin with a “K” — at least, in English?)

    Reply
  13. All great advice, Leo, especially “Control what you can and prepare for what you can’t.”

    I’m definitely anal about PC security. The first thing I do before a web session is update my anti-virus and anti-malware programs to the latest available engine and fingerprints. Then I proceed with brain engaged. Never had a breach (as far as I know) but no matter how careful we are a merchant or financial institution can create chaos if their system is compromised. A simple, FREE defense for that is to lock all your credit bureau files. No one can take out credit in your name with your file locked. You can unlock it for a specific time period, in some cases for a specific creditor, in order to take out a loan, apply for a credit card, etc. Just ask the creditor which bureau they use and open that one briefly. Also, use only credit cards (not debit cards) on-line because Federal law limits your liability for credit card fraud to essentially zero. But for debit cards you’re at the mercy of the issuer and any loss may be entirely your problem.

    Finally, THANKS for teaching us about the importance of full image backups. I just made another.

    Reply
  14. One of the problems, I think, with Windows is that it evolved from bad beginnings and was forced to carry bad design decisions along to future generations in the name of backwards compatibility. Because if its size and complexity the project was split into separate projects leading to duplication of effort, and likely proliferation of bugs. Aside from Linux, which was not originally designed as a commercial package, I can recall only TriPOS (the basis of the Amiga OS) which was designed, not for sale, but as an academic exercise. The pressure was not to rush it to market but to make it small, functional, and elegant.

    Reply
  15. RE: Testing: I used to sing with an a capella chorus. Someone once explained to be the difference between an amateur and a professional singer

    The amateur practices until he gets it right. The professional practices until he can’t get it wrong.

    The same applies to programmers. An amateur will debug/test until he gets it working. A professional should keep testing until he can’t break it. At least in an ideal world. Still, I have seen more than one application that showed bugs within several minutes of use.

    Reply
  16. Mark said:
    “Vanguard is the largest mutual funds company in the world with a value greater than some small countries. If they pose a hacking risk, nobody is safe from hacking.”

    Indeed! You’d think the same for the major credit bureaus, but it’s happened.

    Reply
  17. Leo, there seems to be a problem with the comments section, starting today. I can’t reply to an individual post. Selecting “Reply” does nothing. The only way to post is through the reply box at the end of the comments section. Or has my old age and addled brain caused me to forget how to do something?

    Reply
  18. I can relate to Mark H., some people can tear up a Steel Ball. Thanks, Leo for the Windows 9.x-NT path analogy. I’m old school DOS. What a wonderful learning tool. In the days before VoIP, there was always the “Loose Nut” behind the Dial Pad., followed by of course the “PICNIC” (problem in chair, not computer). In our training classes, the instructor always referred to the statement: Read the Mighty Fine Question. There’s always human error, and misplaced logic when under the gun, and the sleep-deprived. I try to use common sense, but we are human. And, always the Salesman selling the customer the moon. And some folks, would believe you if you told them that the Sun will rise in the West tomorrow morning. Sure enough, they’d be there at up at sun-up, looking to the west. In our manuals, it told us that if there is Toll Fraud, it’s because there was always the guy trying to defeat the programming. Add in the Hacks. If ever there was an animal to kill, that’s “The ONE!”

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.