“Google Docs” Worm Ransacks Gmail Users’ Contact Lists – What You Need to Know

There are numerous articles filling RSS feeds and inboxes this morning covering the Google Docs phishing incident that came to light yesterday.  I have personally seen this phish in the wild with a few people and it is quite convincing.  One of the more interesting angles to this story is the still-unconfirmed claim that this was a graduate project and in no way malicious.

Setting that possibility aside, the potential impact of such an effective phish in the hands of a cyber criminal should give all of us pause.  What made it so effective is that it never asked for a password: the link led to a genuine Google sign-in and consent page, where a third-party app that had simply registered the display name "Google Docs" asked for permission to read and send the victim's mail and to manage their contacts.  Once a user clicks Allow, that OAuth grant stays valid until it is revoked, whether or not the user later changes their password or has two-factor authentication turned on.  Hoping for the best, we should use this incident as a training mechanism, explaining to users what the implications are of clicking on a link and, above all, of authorizing an app's access to their online accounts.  Take the time this morning to review the third-party apps with access to your Google account (https://myaccount.google.com/permissions), revoke anything you do not recognize, and tell a friend to do the same.
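The lesson for users is that the app name on a consent screen is chosen by whoever registered the app, while the scopes and the redirect target in the authorization request tell the truth.  The following is an added illustration, not code from the original post or from Google: it pulls those fields out of a Google authorization URL and flags the combination seen in this incident.  The client IDs and hosts in the sample URLs are constructed placeholders, the "high risk" ranking of the scopes and the "a Google app should redirect to a Google host" heuristic are this example's own policy choices, and the scope strings themselves are Google's real ones.

```python
from urllib.parse import urlparse, parse_qs

# Scopes that hand an app the whole mailbox or the contact list.  The scope
# strings are Google's; ranking them "high risk" is this example's own policy.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full read/write/delete access to Gmail",
    "https://www.googleapis.com/auth/contacts": "read/write access to contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read access to contacts",
}


def is_google_host(host: str) -> bool:
    """True for google.com and its subdomains only (exact-suffix match)."""
    return host == "google.com" or host.endswith(".google.com")


def parse_consent_request(url: str) -> dict:
    """Extract the fields that matter from a Google authorization URL.

    The app's display name is *not* in the URL; it is whatever the developer
    typed into the client registration, which is why it cannot be trusted.
    """
    query = parse_qs(urlparse(url).query)
    redirect_uri = query.get("redirect_uri", [""])[0]
    return {
        "client_id": query.get("client_id", [""])[0],
        # parse_qs has already %-decoded the value; scopes are space-separated
        "scopes": query.get("scope", [""])[0].split(),
        "redirect_host": urlparse(redirect_uri).hostname or "",
    }


def assess_consent_request(url: str, displayed_app_name: str) -> list:
    """Return warnings a user should weigh before clicking Allow (empty = none)."""
    req = parse_consent_request(url)
    warnings = []
    for scope in req["scopes"]:
        if scope in HIGH_RISK_SCOPES:
            warnings.append(f"requests {HIGH_RISK_SCOPES[scope]} ({scope})")
    host = req["redirect_host"]
    # Heuristic (this example's own): an app calling itself "Google ..." that
    # sends the authorization code to a non-Google host is a third party
    # borrowing Google's name.
    if "google" in displayed_app_name.lower() and not is_google_host(host):
        warnings.append(
            f'"{displayed_app_name}" is not a Google app: authorization code '
            f"would be delivered to {host or 'an unknown host'}"
        )
    return warnings


# Constructed sample requests; client IDs and hosts are placeholders, not real.
PHISH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-phish.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example.invalid%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
)
BENIGN_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-cal.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fsync.example.invalid%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.readonly"
)

if __name__ == "__main__":
    for name, url in (("Google Docs", PHISH_URL), ("Example Calendar Sync", BENIGN_URL)):
        print(name, "->", assess_consent_request(url, name) or ["no warnings"])
```

Running it prints three warnings for the "Google Docs" request (mailbox scope, contacts scope, and a non-Google redirect host) and none for a third-party calendar app that asks only for read access to the calendar and does not pretend to be Google.  The same three checks are what to teach users to look for on the consent screen: what is being requested, and who is requesting it.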



No Firewalls, No Problem for Google

This is one of the more intriguing stories I have read coming out of RSA this year, and frankly it is a bit of a “light bulb” moment for me.  As the growth of cloud-based services has pushed end users toward an any-device, any-app approach to reaching their data, it seems obvious that edge defense can and should adjust to this architecture.  Google has simply (easy for me to say) taken the next step: under the approach it calls BeyondCorp, its own internal network is treated as just as untrusted as the open Internet, and every request is authenticated and authorized on the strength of the user's identity and the device's known state rather than the network it arrived from.

I am energized by the idea of building security methodologies that establish trust in the user and the device rather than defending a perimeter.  Culturally, I believe we will be dragged in this direction regardless of our personal philosophies on the subject.
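To make "trust the user and the device, not the network" concrete, here is an added example of the decision an access proxy makes per request in that model.  It is illustrative code written for this page, not Google's implementation: the trust tiers, the posture thresholds, the resource policy table and the users and devices are all constructed.  The one property worth noticing is that the source IP is carried only for audit and never consulted, so a managed, patched laptop in a coffee shop is treated exactly as it would be on the office LAN, and an unmanaged device on the office LAN gets nothing.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # present in the device inventory
    disk_encrypted: bool
    os_patch_age_days: int   # days since the last applied OS update


@dataclass(frozen=True)
class User:
    username: str
    groups: FrozenSet[str]


@dataclass(frozen=True)
class AccessRequest:
    user: User
    device: Device
    resource: str
    source_ip: str           # recorded for audit, never consulted for the decision


# resource -> (group that may use it, minimum device trust tier); constructed policy
RESOURCE_POLICY = {
    "wiki": ("employees", 1),
    "source-code": ("engineering", 2),
    "payroll": ("finance", 3),
}


def device_trust_tier(device: Device) -> int:
    """0 = unknown device ... 3 = managed, encrypted and recently patched.

    The thresholds are the example's own, not Google's.
    """
    if not device.managed:
        return 0
    if not device.disk_encrypted:
        return 1
    return 3 if device.os_patch_age_days <= 30 else 2


def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Allow or deny one request from user identity and device state alone."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, f"no policy for resource {req.resource!r}"
    group, min_tier = policy
    if group not in req.user.groups:
        return False, f"{req.user.username} is not in group {group!r}"
    tier = device_trust_tier(req.device)
    if tier < min_tier:
        return False, f"device {req.device.device_id} is tier {tier}, {req.resource!r} needs {min_tier}"
    return True, f"{req.user.username} on {req.device.device_id} (tier {tier}) may access {req.resource!r}"


# Constructed sample data for the example
ALICE = User("alice", frozenset({"employees", "engineering"}))
LAPTOP = Device("laptop-17", managed=True, disk_encrypted=True, os_patch_age_days=4)
BYOD_TABLET = Device("tablet-x", managed=False, disk_encrypted=True, os_patch_age_days=0)

if __name__ == "__main__":
    cases = [
        AccessRequest(ALICE, LAPTOP, "source-code", source_ip="203.0.113.7"),    # coffee shop
        AccessRequest(ALICE, BYOD_TABLET, "source-code", source_ip="10.0.0.5"),  # office LAN
        AccessRequest(ALICE, LAPTOP, "payroll", source_ip="10.0.0.5"),          # wrong group
    ]
    for case in cases:
        print(decide(case))
```

In a real deployment the device record would come from an inventory fed by the endpoint's certificate and management agent, and the user from a single sign-on provider; the shape of the decision, though, is the same: identity plus device posture plus resource sensitivity, with nothing inferred from network location.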


Anatomy of a Chrome for Android bug: the mixed-up world of mobile browsers

Compromises like this one, which pair a minor browser vulnerability with a drive-by download, are difficult to defend against without awareness training.  Please take the time to educate your users on download best practices: a file they did not ask for should not be opened, let alone installed.  We cannot continue to allow users to become desensitized to the error messages and warnings that come with most browsers.

Take the time to get certificates right on local machines and internal services, so that users never see certificate warnings on legitimate sites, and set clear expectations about what a browser warning means: a user who only ever sees a warning when something is actually wrong will stop clicking through them.