Many sites have very poor security even in this day and age. Hackers pour over all security vulnerabilities and find exploits - that’s their job. Software is complex and often has poorly thought out security.
Usually they start by getting someone’s password. After that it’s easy.
A lot of the recent attacks, especially Sony, it’s suspected that someone inside the company either assisted or directed the attack- and that’s basically impossible to protect against since they have legitimate physical and software access.
Outside of that, however, the main disadvantage for these companies is their size. They have lots of offices, all over the globe, tons of often not computer savvy employees, and network security is always going to get thrown out the window if someone important can’t do what they wanted to do. Effective security involves keeping employees and their equipment locked down or off of the networks entirely- and managers don’t want to brag about how disconnected and disempowered they are.
Used to be the most common password was “password”
There’s a big difference between cracking an encrypted file and breaking into a server/web site. Encryption software is pretty simple and depends almost entirely on the security of the encryption algorithm. Good encryption algorithms undergo intense scrutiny by the best minds in cryptography before (and while) they’re used. Successful attacks on the algorithms themselves require deep knowledge of the underlying mathematics. This almost never happens. On the other hand, a web site typically runs a huge amount of software, many hundreds or thousands of times more than in an encryption program, written by many different people and organizations. One bug anywhere in that mess can allow an intrusion. That’s why server software gets an unending stream of “security patches”, often on a weekly basis. Large hacker organizations (like the NSA or probably even Anonymous) maintain a list of “first day attacks”, bugs they’ve found in server software that they do not report to the maintainer, but hold on to, ready to be used when needed.
–Mark
Finding flaws in software is hard – hard enough that it’s a massive industry. Once a flaw is found, exploiting it is sometimes trivially easy. The vendor will release a patch, and often times that’s the first time the flaw becomes public. Hackers will reverse engineer the patch, figure out what the original flaw was, and then write an exploit.
It may seem silly to write an exploit for a flaw that’s been fixed, but therein lies the success rate of Anonymous – even if 99% of computers on the internet get the patch (which is a hopelessly optimistic number, the reality is that major flaws might hope to be 70% patched in 30 days), that still leaves an ungodly number of vulnerable computers.
If you go to a hacking group with an offer of $1 million for them to try and hack 1 website, there’s a good chance they’ll fail completely. The site my be fully patched and well written and they’ll have to resort to social engineering and/or brute force, which doesn’t always work. But if you offer them $1 each to try and hack 1 million websites, they’re going to find a couple hundred thousand that they can break.
Most vulnerable sites never get hacked because nobody cares about them, and most sites that people care about get probed on an hourly basis. It’s rare when the two intersect, which is when it will make the news. And usually the specific hack involved was not sophisticated, it was just some hacker had the good fortune of finding an unpatched system that he could dust off an old exploit for.
No, you cannot be charged with obstruction for refusing to tell the police where the diamonds are hidden. In fact, there is virtually zero upside to telling the police where the diamonds are hidden, except that they might do slightly less damage to your house while looking for them. If you tell them where they are, that makes it easier for the prosecution to establish the mens rea elements of the crimes you’ll ultimately be charged with (most prominently possession of stolen property, or the local equivalent). That is not to say that the police might not offer to “go easy on you” if you tell them, but their offer is not binding on the prosecuting authority anyway.