Scary note: Similar successful attacks were carried out at
other major news outlets, ranging from Reuters to the BBC. Now, if they’d all
occurred in a coordinated way at the same time, well, Niagara Falls, Frankie
Angel. . .
I’m being vague here because the stories themselves are vague. My assumption is that the hackers gained access to AP
computer networks through this phishing attack.
First, Slate.com poses the question: Would I, average Joe
Sixpack, have clicked on the link that led to a bogus web site from whence the
phishing attack was launched? Probably. Because the message and the link look
innocuous.
But hold on there a minute, folks. Here’s what Slate leaves
out: Once at the linked site, AP staffers were asked to log in. Log in using
what I’m not certain, but it appears they were asked to log in with their AP
IDs – though Romenesko isn’t clear on that point. What is clear is that the successful phishing attacks continued even after the AP warned its staffers that an attack was underway.
So, yes, I would have clicked on the link.
Would I have logged in using my work credentials? Hell no.
So if that’s how it went down, well then, the AP has got some basic computer
security training to do.
I can’t quite work the logic out here, but it has to be that
they were asked for their work credentials, because logging in to an external
site (say, into the Washington Post in order to read an article behind a
paywall) wouldn’t get hackers access to the AP stuff. So these folks were, in
fact, dumb as rocks, thinking they had to log in with their work credentials to
read something unrelated to their work. That, I would not do. In fact, when, on
occasion, I’m asked to log in with my work credentials in order to access an
internal website, I will not do so. I certainly wouldn’t for a site external to
my job. So the mind boggles.