The Hackers Are Winning

After almost two decades online, I have never been more paranoid about my security, identity and theft.

Since the start of 2013, the following has happened:

That's just my personal journey for the first two and a half months of the year. I am not alone. Millions of Internet users have been affected by security breaches so far in 2013. Even the big companies of the Internet have seen breaches. Apple, Facebook and Microsoft have all admitted to being penetrated in one form or another. High profile Twitter accounts have been hacked, like those of Burger King and Jeep.

It's time to admit it. The hackers are winning. 

Are They, Really?

Assaying blame for hacks is a difficult endeavor. On one hand, people say we need to rebuild the Internet to make it more secure by default. Their theory is that the Web is, by its very nature, a hodge-podge mix of vulnerable nodes and standards that is aging and easy to exploit. This is largely true. Hackers hoard zero-day vulnerabilities like squirrels preparing for winter, and a motivated hacker can basically bust through anything.

On the other, many security experts argue that security starts with the individual. If you get hacked, you are basically at fault for violating basic security protocols -- for instance, by failing to change your passwords or by clicking on suspicious links. 

“There’s no simple answer to this question,” Catalin Cosoi of antivirus company Bitdefender wrote in an email to ReadWrite. He continued:

Hackers, scammers and malware writers have two main advantages: they have access to a lot of money (either by sponsorship or classic fraud) and they don’t have to obey any software practice (their “software” doesn’t have to be properly tested, it can have bugs, doesn’t have to work on any operating system and it really doesn’t matter if it crashes a few machines). However, no one wants to complicate their lives more than needed or pay more than it actually makes, so if the hack gets very complicated, they will simply move to someone else.

Reactive Measures & The Myth Of The Impenetrable Fortress

Antivirus companies like Bitdefender are, by their own admission, highly reactive. They wait for a new virus to show itself on the Internet and then create a way to inoculate against it. This reactive approach has been going on for almost 20 years and it is increasingly becoming an untenable model.

“It works the same way human medicine responds to illness: once you identified the stream or the behavior, you can create a vaccine for it,” Cosoi said. “But we can’t find a cure for an illness that doesn’t currently exist -- at least not without significant costs. What we can do, though, is find ways to boost the immune system to make it less prone to future infections. In the security industry, we call this raising the cost of the attack.”

Spammers and malicious hackers have the stereotype of being inherently lazy. Like any stereotype, this is both true and false.

When it comes to getting people’s money, most spammers prefer the path of least resistance. This leads to the quantity-over-quality approaches such as hacking Yahoo email accounts and spamming every contact from the user’s address book. The easy route is to just get one person on the hook and then spread the virus through them, multiplying the scale of the attack with each successful infection.

When Cosoi talks about “raising the cost of the attack,” he means that if it were harder to perform these types of attacks, they would slow to a trickle. The fact that they are so easy for spammers means they will continue.

On the other hand, it is nearly impossible to keep a motivated hacker from getting something he or she really wants. These types of black hats are few and far between but are infinitely more dangerous than your average spam-net. They usually don't target average users. Instead, they target the enterprise behind the user, which can lead to widespread breaches that affect everybody.

As security researcher Graham Cluley at Sophos put it to me via email:

Regular Joe User isn't being targeted, and doesn't have to follow any different rules than the ones they should have been following for some years now to deal with the approximately 100,000 new unique samples of malware we see each day.

Is It Your Fault?

Some in the security industry think that breaches (both enterprise and individual) are inherently preventable. Just be smart and you’ll be fine, right?

“The sky is not falling,” said Cluley. “Burger King, Jeep and others who have had their Twitter accounts hacked have probably fallen victim because of human weakness. Chances are that they followed poor password practices, like using the same password in multiple places or choosing a password that was easy to crack.”

I can half believe that sentiment. It's very easy to imagine that some intern manning the Burger King Twitter account might have a poor password or have been clicking on linkbait spam. That doesn't negate the fact that Twitter itself was hacked, exposing the passwords of some of its more popular and influential users.

I'm highly aware of suspicious links and attempts to spearphish me (a tactic where a specialized message with a poisoned link is sent to an individual as opposed to spammed to the masses). I don't click on links that might be malware.

Caution Only Gets You So Far

And yet, my caution hasn't protected me. For instance, I was not spammed or phished on Yahoo. I hardly use the account and only became aware of the hack when my Yahoo email started spamming my Google email (oh, the irony). This hack was on the Yahoo side, not the fault of an individual. Same goes for my password compromises on Evernote and Twitter. 

Unless I'm completely missing something, these breaches were not my fault. I was a victim caught in a larger game of cat-and-mouse between the hackers, security companies and susceptible enterprises. 

“There is no shortage of attackers with the necessary skill, motivation and financial resources to break into a given enterprise and steal data,” said Michael Sutton, VP of security research at Zscaler, a company that focuses on detecting breaches. “When companies such as Twitter, Apple and Facebook, with sophisticated security teams and more than adequate means to attract the very best talent cannot stop every attack, we must accept that the goal of building an impenetrable fortress is unachievable.”

Security Starts With The Individual (Who Can Still Be A Victim)

Researchers like Cluley have long advocated that security starts and ends with the individual.

“The takeaway from all these security stories is that each of us has a part to play in the fight against the bad guys -- whether it's on our home computers (ensuring they don't get hijacked into a botnet) or in the workplace,” Cluley said. “Report suspicious activity, think before clicking on unsolicited attachments or links, keep your OS, your PDF reader, your anti-virus up-to-date with the latest security patches.”

The argument is a sound one and similar to how entities like the World Health Organization have gone about fighting outbreaks of epidemic disease: educate people to take care of themselves. Sometimes though, it doesn't matter how much you know or how assiduously you take care of yourself -- you are going to get sick (or hacked) and there is nothing you can do about it.

So, are the hackers winning? When people still do everything right and still become victims, you tell me.