There are numerous articles filling up RSS feeds and inboxes this morning covering the Google Docs phishing incident that came to light yesterday. I have personally seen this phish in the wild with a few people and it is quite convincing. One of the more interesting angles to this story is the possibility that this was a graduate project and in no way malicious.
Setting that possibility aside, the potential impact of such an effective phish in the hands of a cyber criminal should give all of us pause. Hoping for the best, we should use this incident as a training mechanism, explaining to users what the implications are of clicking on and/or authorizing access to online information. Take the time this morning to review your Google permissions and tell a friend to do the same.
Please take the time to review your patching options for your Android devices and patch as soon as these updates are available from your carrier.
Yet another example that size does not matter – even the big boy tech companies are susceptible to phishing and cyber theft.
This is one of the more intriguing stories I have read coming out of RSA this year, and frankly it is a bit of a “light bulb” moment for me. As we have seen the growth of cloud-based services drive end users to a more ubiquitous device/app approach for accessing data, it seems obvious that edge defense can and should adjust to this architecture. Google has simply (easy for me to say) taken the next step and moved all interactions to an open, untrusted network topology.
I am energized by the idea of building security methodologies that focus on trusting the user and the device and less on defending the perimeter. Culturally, I believe we will be dragged in this direction regardless of our personal philosophies on the subject.
This is an interesting read from Brian Krebs concerning the ordeal he and his website went through while combating a DDoS attack and his subsequent transition to Google’s Project Shield.
The writing has been on the wall for some time with Flash, but this announcement means the transition away from Flash has kicked into high gear. Many people, myself included, have been blocking Flash for some time, but this will be a new experience for many. Take note and prepare.
These types of compromises associated with minor vulnerabilities and drive-by downloads are difficult to defend against in the absence of awareness training. Please take the time to educate your users on download best practices. We cannot continue to allow users to be desensitized to the error messages and warnings that come along with most browsers.
Take the time to properly configure certificates for local machines and properly manage user expectations when browsing.
The explanation of the compromises is fairly straightforward and in no way unexpected. The advice at the end of the article is just as straightforward and very sound. Two-factor authentication and end-user awareness and education can resolve many of these problems.