Wednesday, April 24, 2013

A Follow-Up to My Follow-Up

Yesterday I wrote about Sneakers and the AP Twitter hack. Today, some information on how easily AP staffers were phished into granting access to something or whatever that gave hackers access to the aforementioned Twitter account. 

Scary note: Similar successful attacks were carried out at other major news outlets, ranging from Reuters to the BBC. Now, if they’d all occurred in a coordinated way at the same time, well, Niagara Falls, Frankie Angel. . .  

I’m being vague here because the stories here are in of themselves vague. My assumption is that the hackers gained access to AP computer networks through this phising attack. 

First, Slate.com posits the question: Would I, average Joe Sixpack, have clicked on the link that led to a bogus web site from whence the phising attack was launched? Probably. Because the message and the link look innocuous. 

But hold on there a minute, folks. Here’s what Slate leaves out: Once at the linked site, AP staffers were asked to log in. Log in using what I’m not certain, but it appears they were asked to log in with their AP ids – though Romenesko isn’t clear on that point. What is clear that the successful phising attacks continued even after the AP warned its staffers that an attack was underway.

So, yes, I would have clicked on the link. 

Would I have logged in using my work credentials? Hell no. So if that’s how it went down, well then, the AP has got some basic computer security training to do. 

I can’t quite work the logic out here, but it has to be that they were asked for their work credentials, because logging in to an external site (way, into the Washington Post in order to read an article because of a paywall) wouldn’t get hackers access to the AP stuff. So these folks were, in fact, dumb as rocks, thinking they had to log in with their work credentials to read something unrelated to their work. That, I would not do. In fact, when, on occasion, I’m asked to log in with my work credentials in order to access an internal website, I will not do so. I certainly wouldn’t for a site external to my job. So the mind boggles.

No comments: