I fall for fake phishing attempts all the time.
I post this confession not to jeopardize my job, but to
demonstrate that I’m as dumb as many of the people in this New York Times story
– people who are supposedly a lot smarter than I am.
I have yet – I think – to fall for a real phishing attempt,
though falling for the fake ones the IT department puts out at work is
embarrassing enough. I’m trying to become more computer savvy.
I don’t want the next article about computer morons to be
about me.
Reading this New York Times telling of alleged Russian
cyberattacks against the Democratic National Committee is chilling. Not because
I believe they swung the election; there were many factors that led to Hillary
Clinton’s defeat by Donald Trump aside from the hacking that revealed DNC
schadenfreude. But because this is a precursor to what could be a more
devastating attack against, say, financial networks, or communication networks,
or electricity grids – attacks that will have a direct effect and be limited in
variable only to the fact that somewhere, some dumb cluck like me clicked on
the wrong email.
So why call this blog post Swiss Cheese?
Because in the error precursor training we get at work, such
cheese is used as a metaphor to explain how dumb things happen. We can have six
or seven or eight layers of security, from administrative controls to
engineering controls to what have you, meant to protect us from making
mistakes – but if the holes line up in those layers like the holes in Swiss
cheese, well, accidents will happen.
This is where Sneakers comes in – that invaluable 1992
sleeper film that keeps on proving eerie prescience about our modern world.
In reading this NYT article, the holes in the cheese are
clear.
The DNC’s rent-a-cops, to use that line from Sneakers,
seemed a tad undertrained. And it boggles the mind – boggles it, mind you –
that no one from the FBI thought paying the DNC a visit rather than making a
phone call that got routed to a computer help desk would be a better follow-up
than continuing to contact the same dude who kept on keeping on by doing
nothing.
Then there’s the typo defense. (As a technical writer, I
ALWAYS hone in on the typo defense. Because it NEVER works.)
Will Oremus at Slate, by the way, talked to the typo guy,
raising the same misgivings I had on the typo when I read the NYT story. Like
Oremus, I think I’ll give him the benefit of the doubt that this was an
innocent mistake.
Oremus points out, however, that the guy compounded the typo
by not being explicit about not clicking on any link in the original email.
That additional bit of information would have made the recipient that much more
cautious, and likely would have influenced whether or not the recipient used
the link to the legitimate password change page, rather than the one provided
in the phishing email.
This is also part of trying to avoid such scams – and is my
Achilles heel: slowing down. Just slowing down enough because the message in
the email is important enough, it’s got to be explicitly clear, not implicitly
clear. Had the guy been explicit in his warning, the typo would not have
mattered. Since he was not explicit and did not take the thirty seconds
necessary to review his message, the typo was a compounding factor. Per the NYT:
Hundreds of similar phishing emails were being sent to
American political targets, including an identical email sent on March 19 to
Mr. Podesta, chairman of the Clinton campaign. Given how many emails Mr.
Podesta received through this personal email account, several aides also had
access to it, and one of them noticed the warning email, sending it to a
computer technician to make sure it was legitimate before anyone clicked on the
“change password” button.
“This is a legitimate email,” Charles Delavan, a Clinton campaign aide, replied to another of Mr. Podesta’s aides, who had noticed the alert. “John needs to change his password immediately.”
With another click, a decade of emails that Mr. Podesta maintained in his Gmail account — a total of about 60,000 — were unlocked for the Russian hackers. Mr. Delavan, in an interview, said that his bad advice was a result of a typo: He knew this was a phishing attack, as the campaign was getting dozens of them. He said he had meant to type that it was an “illegitimate” email, an error that he said has plagued him ever since.
Why do I fall for these attempts myself (at least, so far,
knock on wood, the fake ones)? Psychology, as Foxy Loxy would say. “Lessee. Who
looks nice and stupid?”
I’m schooling myself.
If I get an email saying my password needs to be changed, I
go to the offending website or app itself, rather than doing the change via the
email.
If I get an email with a weird attachment, or from someone
I’m not expecting, I try – and I mean I try – not to open it.
Still, I need heightened vigilance against further attacks.
An aside on this article, tying in with what I wrote earlier
about the Russians and Myrna Minkoff: Though the DNC and others fell victim to
cyberattacks and subsequently had their dirty laundry aired on WikiLeaks and
then the press, this information still should have been reported. And I
sincerely believe had it been the RNC with the egg on their faces, the DNC
would not sit idly by and say, oh, this should not have been in the papers
since the Russians were involved. Anyone who believes that, please stand on
your head.