Since i can remember i was delighted by computer security and always wanted to make a career on that field and be like one of those hackers in dark room with a black screen with green letters in front of me while i hacked into government computers in a matter of seconds like we can see in any hollywood movie, but after i started building my career in the field i found out the reality: cracking is not as glorious as hollywood claims. Working on security is harder, more boring and even waaay easier and no-brainer than media, hollywood and basically every non-computer person thinks.
Don't get me wrong, computer security is indeed a hard work and requieres a deep knowledge of the computing stack, starting from the physics that make the energy flow around the computer to make it work to the highest level known as OSI's eight layer (a.k.a. the user) because a bug can be at any part of that: buffer overflows, scam, MITM, phishing, etc...
There are a lot of saying on the matter, the one i like and say the most if always:
"A system is as secure as its weakest link"
This is the most true anyone can get to a saying in security, and guess which is always the weakest link? No clue? Einstein knew:
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
And here i leave you with a j!nx t-shirt:
So back to the topic of security holes and why i say the media is always wrong. I recently confirmed that a bug that i reported a couple of years ago it's fixed, so let me illustrate what i'm saying with the example. A hotspot company offered internet connection on different establishments for an hourly fee, when you got to the network the only place you can go was the company's establishment site and pay the fee or you won't be able to get into the internet, i think everyone has come across one so i won't get into the details. Also the same company on other establishments offered the connection in exchange of you watching some videos or fill a form and that could only be done in some establishments. Until now this is a pretty good and secure system, you get to establishment A, pay the fee, get internet, go to B, watch a video, get internet, you can't watch a video in A because there is no option for that, all good. Well, not quite, once i went from B where i failed to connect and needed to go right before i clicked "watch the video" and then went to A, to my surprise i got access to B's site and the option to watch the video, so i clicked there and got an internet connection. I never "cracked" anything, used a whole of my technical knowledge or anything, just happend to bypass the security of a system by accident. I tested this a couple of times to be sure what was exactly going on, documented it and informed the hotspot company, no awesome hollywood glorious nonsense or hours in front of a computer hacking, just an iPod with the wrong URL open on it to be able to "crack" a system.
Ok, that's just one time, i was lucky, that doesn't prove your point. Well, i have another example, recently i was playing one of those heavily addictive facebook flash-based games where they give you lifes so you don't play all day long, so i run out of lifes after a while and noticed i had a second tab with the game open, when i went to it to closed guess what happened? My lifes where full! Game gifting lifes? Not really, another bug. The AWESOME flash architecture was playing on my side (yes, i hate flash), so once again i tested it to confirm the bug and what's going on. So once you open the game it downloads this game, checks how many lifes you have and let's you play in case you do and doesn't contact the backend until it needs more data or store some more, so what happens here is i can open a few tabs with the game while i have lifes, backend will report i do have lifes and the game will wait for me to do something, so i can play in one tab, run out of lifes, go to the next tab and i have lifes again! Not all of them are playable, because once the game reports that i lose it will answer with the lifes i do have which is 0, but i can play as many times as tabs i have open. Again no-brainer hack, just terrible architecture.
Ok, i believe you, but what does this has to do with the human being the weakest link always and human stupidity, this is just a technical error. Well yes, but then there is this other times when people find that i'm a security guy and ALWAYS asks me about wikileaks and annonymous and how do they hack this awesomely secure government machines, and i always answer with those quotes, i don't have a single doubt about those hackers skills, but it's quite easy to start the hack for one simple reason: it doesn't matter how secure company computers are, there is every time someone that sends the company confidential files to his personal e-mail account to open it later in the family computer that the wife or kids have already infected with malware surfing the web, and bingo, confidential documents in an easy to steal computer, attach the virus to the file, wait for the user to open it in the company network again and you are done, access to the extra secure network for free! (This is the point where you say "yes i do send company files to my personal e-mail account all the time")
It doesn't matter how skilled or not you are, there are always tricks to fool you, if you don't believe me and think you will never get fooled i dare to attend defcon and open your e-mail in the event's wifi (PROTIP: Do it in front of the wall of sheep
and wait :D)
So, in conclusion, don't believe everything the media says, they don't understand computer security so most of the lies are just the result of ignorance, it's not a source to trust. Oh! and no, you didn't won a million dollars in a contest you didn't even signed in, no one is that lucky. And again no, the bank is not asking your personal details over e-mail, they already have them, including your password, why would they ask for information they already have? (This is the point where you go "OMG and what about privacy?" that's for another post, this one is already to long)