Thursday, December 15, 2016

Swiss Cheese, Anyone?

I fall for fake phishing attempts all the time.

I post this confession not to jeopardize my job, but to demonstrate that I’m as dumb as many of the people in this New York Times story – people who are supposedly a lot smarter than I am.

I have yet – I think – to fall for a real phishing attempt, though falling for the fake ones the IT department puts out at work is embarrassing enough. I’m trying to become more computer savvy.

I don’t want the next article about computer morons to be about me.

Reading this New York Times telling of alleged Russian cyberattacks against the Democratic National Committee is chilling. Not because I believe they swung the election; there were many factors that led to Hillary Clinton’s defeat by Donald Trump aside from the hacking that revealed DNC schadenfreude. But because this is a precursor to what could be a more devastating attack against, say, financial networks, or communication networks, or electricity grids – attacks that will have a direct effect and be limited in variable only to the fact that somewhere, some dumb cluck like me clicked on the wrong email.

So why call this blog post Swiss Cheese?

Because in the error precursor training we get at work, such cheese is used as a metaphor to explain how dumb things happen. We can have six or seven or eight layers of security, from administrative controls to engineering controls to what have you, meant to protect us from making mistakes – but if the holes line up in those layers like the holes in Swiss cheese, well, accidents will happen.

This is where Sneakers comes in – that invaluable 1992 sleeper film that keeps on proving eerie prescience about our modern world.

In reading this NYT article, the holes in the cheese are clear.

The DNC’s rent-a-cops, to use that line from Sneakers, seemed a tad undertrained. And it boggles the mind – boggles it, mind you – that no one from the FBI thought paying the DNC a visit rather than making a phone call that got routed to a computer help desk would be a better follow-up than continuing to contact the same dude who kept on keeping on by doing nothing.

Then there’s the typo defense. (As a technical writer, I ALWAYS hone in on the typo defense. Because they NEVER work.)
Will Oremus at Slate, by the way, talked to the typo guy, raising the same misgivings I had on the typo when I read the NYT story. Like Oremus, I think I’ll give him the benefit of the doubt that this was an innocent mistake.

Oremus points out, however, that the guy compounded the typo by not being explicit about not clicking on any link in the original email. That additional bit of information would have made the recipient that much more cautious, and likely would have influenced whether or not the recipient used the link to the legitimate password change page, rather than the one provided in the phishing email.

This is also part of trying to avoid such scams – and is my Achilles heel: slowing down. Just slowing down enough because the message in the email is important enough, it’s got to be explicitly clear, not implicitly clear. Had the guy been explicit in his warning, the typo would not have mattered. Since he was not explicit and did not take the thirty seconds necessary to review his message, the typo was a compounding factor. Per the NYT:

Hundreds of similar phishing emails were being sent to American political targets, including an identical email sent on March 19 to Mr. Podesta, chairman of the Clinton campaign. Given how many emails Mr. Podesta received through this personal email account, several aides also had access to it, and one of them noticed the warning email, sending it to a computer technician to make sure it was legitimate before anyone clicked on the “change password” button.

“This is a legitimate email,” Charles Delavan, a Clinton campaign aide, replied to another of Mr. Podesta’s aides, who had noticed the alert. “John needs to change his password immediately.”

With another click, a decade of emails that Mr. Podesta maintained in his Gmail account — a total of about 60,000 — were unlocked for the Russian hackers. Mr. Delavan, in an interview, said that his bad advice was a result of a typo: He knew this was a phishing attack, as the campaign was getting dozens of them. He said he had meant to type that it was an “illegitimate” email, an error that he said has plagued him ever since.

Why do I fall for these attempts myself (at least, so far, knock on wood, the fake ones)? Psychology, as Foxy Loxy would say. “Lessee. Who looks nice and stupid?”

I’m schooling myself.

If I get an email saying my password needs to be changed, I go to the offending website or app itself, rather than doing the change via the email.

If I get an email with a weird attachment, or from someone I’m not expecting, I try – and I mean I try – not to open it.
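The habit of going to the site yourself instead of trusting the “change password” link can also be put into code. The example below is an added illustration, not part of the original post: it pulls every link out of an HTML email body and flags the ones that do not lead to an assumed allowlist of legitimate login hosts, or whose visible text shows one address while the link goes somewhere else. The allowlist and the sample email are constructed for the example; the `.invalid` domains are placeholders, not real sites.

```python
"""Added example: flag password-change links in an email that do not go
where they claim to. The allowlist and the sample email below are
constructed for illustration and are assumptions, not data from the post."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: the only hosts where a legitimate password change happens.
LEGITIMATE_HOSTS = {"accounts.google.com", "myaccount.google.com"}

# Constructed sample email body (placeholder .invalid domains, not real sites).
SAMPLE_EMAIL = """\
<p>Someone has your password. Change it immediately.</p>
<p><a href="https://myaccount.google.com.reset-example.invalid/reset">CHANGE PASSWORD</a></p>
<p>Or copy this: <a href="https://login.reset-example.invalid/r">https://myaccount.google.com</a></p>
<p>Manage your account at <a href="https://myaccount.google.com/security">your account page</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_of(url):
    """Lower-cased host of a URL, or None for mailto:, javascript: or relative links."""
    host = urlparse(url).hostname
    return host.lower() if host else None


def host_matches(host, allowed):
    """True only if host is an allowed host or a real subdomain of one.

    The suffix check is anchored with a leading dot, so a lookalike such as
    myaccount.google.com.reset-example.invalid does not match myaccount.google.com."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def check_email_links(html_body, allowed=LEGITIMATE_HOSTS):
    """Return [(href, reason), ...] for every link a reader should not trust."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = hostname_of(href)
        if host is None:
            findings.append((href, "link has no web host (mailto:, javascript:, or relative)"))
            continue
        # Visible text that shows one address while the link goes to another.
        shown = re.search(r"https?://([\w.-]+)", text)
        if shown and shown.group(1).lower() != host:
            findings.append((href, f"displayed as {shown.group(1)} but goes to {host}"))
            continue
        if not host_matches(host, allowed):
            findings.append((href, f"{host} is not a known login host"))
    return findings


if __name__ == "__main__":
    for href, reason in check_email_links(SAMPLE_EMAIL):
        print(f"DO NOT CLICK: {href}\n    {reason}")
```

Two of the three links in the constructed sample are flagged: the first because its host merely begins with `myaccount.google.com` and the allowlist check is anchored on a leading dot, the second because the address shown to the reader differs from where the link goes. The real account page passes. In practice the same check is the one worth doing by hand: hover over the link, read the host from right to left, and if it is not the service itself, open the site directly as the post describes.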

Still, I need heightened vigilance against further attacks.

An aside on this article, tying in with what I wrote earlier about the Russians and Myrna Minkoff: Though the DNC and others fell victim to cyberattacks and subsequently had their dirty laundry aired on WikiLeaks and then the press, this information still should have been reported. And I sincerely believe had it been the RNC with the egg on their faces, the DNC would not sit idly by and say, oh, this should not have been in the papers since the Russians were involved. Anyone who believes that, please stand on your head.
