How to stop the next Google Docs freakout
Enough is enough. This week’s giant Google Docs phishing attack, which led to the compromise of millions of Gmail accounts is a wake-up call that we need a solution to the hacking epidemic. And I think I have one.
First, though, let’s recap what happened: A canny hacker sent an email saying a contact wanted them to view a Google Docs document. People who clicked on a “Open in Docs” link were then asked for access to their account. The whole thing looked pretty convincing, and a lot of people fell for it (ThreatPost has a full breakdown of all the details). And while Google quickly took steps to mitigate the attack, the hackers were able to access a large number of accounts.
In the wake of this, it’s tempting to do one of two things: blame Google for allowing this to happen, or shake your head at those poor fools who didn’t know any better and clicked the link. Both responses are reasonable. As SwiftonSecurity notes, an oversight by Google helped the hacker make the scam look convincing. But at the same time, the attack was suspicious enough that those with a passing knowledge of phishing and computer security knew enough to stay away.
But such finger pointing won’t do anything to avoid the next big phishing attack, which will no doubt be zipping around the Internet before long. Instead, the solution I propose is a life-skills style education campaign aimed at high school students, and then at everyone else.
I asked my partner, who is an educator in a New York City school, if such a thing exists. To my surprise, she said no. Instead, computer education is aimed at those who already have a passion for computers (and would be the least likely to fall for a phishing scheme.) There is no computer safety course for the general student population. Nor, as far as I know, is there such a thing for colleges or entry level jobs.
And this is my point. Just as schools help young people to read maps or make a budget or cook or sew, it’s time for them to explain the Internet’s architecture and where the dangers lie. A decade ago, it was enough to warn kids about creeps on Craigslist. These days, the threats are infinitely more subtle, and the time has come to train kids to avoid them. Hacking is now a public safety issue. We should respond accordingly.
Jeff John Roberts
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
Le hackers meddle with Macron. Just two days before France votes for a new President, the campaign of frontrunner Emmanuel Macron has been hit with a “massive and coordinated” hacking attack. The hackers reportedly duped campaign staff with phishing attempts and fake websites, and have now dumped reams of emails and accounting statements onto the Internet. Once again, it appears Russia is behind the attacks, seeking to disrupt and destabilize another democracy. (New York Times)
So long security blanket. 2FA is compromised. We’ve long talked up the virtues of two-factor authentication (2FA) as an easy and effective way to keep the hackers out. Looks like we spoke too soon. In recent months, hackers figured out a way around 2FA via a vulnerability in a mobile data protocol used for cell phone roaming. The upshot is that criminals are getting hold of SMS codes—which serve as the second factor in many 2FA system—and draining bank accounts. It’s unclear how or when banks and Internet companies will address this. (Ars Technica)
Censorship in the age of Facebook: Fears over online censorship typically turn on autocrats shutting down the Internet. But now governments don’t even have to do that because they can rely on a new and more subtle tactic: Drowning dissidents out with distraction and fake information. That’s one of the big ideas shared by noted tech scholars Zeynep Tufekci and Tim Wu, who talked about the future of the networked world during a First Amendment event at Columbia University. (Fortune)
It’s not just Chipotle. The data breach reported at down-on-its-luck Chipotle appears to be part of a systemic campaign to phish U.S. restaurant chains and bilk them with fake invoices. The campaign is reportedly being run by a sophisticated Eastern European gang and has successfully hacked more than 20 U.S.-based hospitality companies, using booby-trapped attachments to install malware. Samples of the malware suggest victims may also include Ruby Tuesdays and Baja Fresh. (CyberScoop)
The Dark Overlord lacks people skills. What a surprise—the hacker who goes by “The Dark Overlord,” who last week published stolen Netflix shows, comes across a juvenile, publicity-hungry jerk in a profile piece. ‘”You’ll be publishing something?’ The Dark Overlord incessantly asked,” according to the profile. (Motherboard)
Share today’s Data Sheet with a friend:
Looking for previous Data Sheets? Click here.
I don’t usually laugh when I read Fortune, but this Q&A about ICOs (“Initial Coin Offerings”) is hilarious—and damn helpful too. In it, my colleague Robert Hackett breaks down the finer points of blockchain and digital currency to Erin Griffith, who writes Term Sheet. Fin-tech insiders will chuckle (really) as Erin gets her head around ICOs, while normal folks will learn useful things about one of the hottest niches in finance.
EG: So, why would a company want its stock to be made up of cryptocurrency rather than real money currency?
RH: “Real” money? HAVE I TAUGHT YOU NOTHING.
EG: Okay! Why would a company want its stock to be made up of cryptocurrency rather than fiat currency? Read more on Fortune.com.
Here’s What’s Disturbing About Comey’s Comments on Wikileaks by Mathew Ingram
Bitcoin is Soaring to Another All-time High by Fortune/Reuters
Coinbase Adds Litecoin and Prices Soar by Jeff John Roberts
FireEye Reports Surprise Rise in Sales by Fortune/Reuters
Hacker Leaks “Orange is the New Black” After Blackmail Attempt by Jeff John Roberts
ONE MORE THING
Tell Facebook your favorite concerts—and a hacker will tell you your password. That social media meme that’s going around, which invites you to share things like your 10 favorite concerts, could serve as a way for bad guys to obtain your security questions. Well, that’s what one security guy thinks. Sounds a little unlikely to us but, hey, another reason not to overshare. (New York Times)