Why Everything Is Hackable | The Economist
Getting Beyond Norms: When Violating the Agreement Becomes Customary Practice | Centre for International Governance Innovation
There’s a good chance you — or someone you know — received an email on Wednesday inviting you to edit a document in Google Docs. Phishing attacks and online scams are nothing new, but the massive attack on Google Docs that hit the Internet on May 3rd took phishing to a new level and spread throughout the globe in a matter of minutes. Most of the emails asking to review or open those Google Docs came from known contacts (colleagues, friends, or family members) and many of them included references to local schools, but all were addressed to a strange contact that boasted a whole string of H’s in its name ([email protected]). If you clicked on the link, it asked for some access permissions to your Gmail account, and then spammed everyone in your contacts with a link to a Google Docs file.
What the phishing accomplishes in unknown, but the widespread scam made its way across the Internet incredibly quickly, and the attacker potentially had access to multiple victims’ Google accounts and contacts.
Google promptly responded, disabled offending accounts, and put out multiple social media posts to warn users not to click on those links. While Google estimates that “fewer than 0.1 percent” (or about 1 million) of Google users were impacted and that only contact data was exposed, enough people reported receiving these invites that the hashtag #PhishingScam began trending on Twitter and email inboxes clogged with nearly as many warnings about the scam as instances of the scam itself.
If you were on the receiving end, hopefully you did not click on the malicious link and simply deleted the malicious email. Many of the school districts affected by the phishing
scam asked their employees to change their passwords as a preventive measure and called students and parents warning them not to open emails, change their passwords if they had opened them, and report any of those instances to Google. For those who may have been tricked by the attack and clicked on the phishing link, Google also recommends that you visit their account page at https://myaccount.google.com/secureaccount and remove any apps you don’t recognize.
Cyber threats and phishing attacks are only increasing in scope, volume, velocity, and sophistication. Just in the last quarter of 2016, multiple Internet service providers (ISPs), businesses, and other organizations around the globe were victims of a variety of disruptive and damaging distributed denial of service (DDoS) attacks. In October 2016, a piece of malicious software called “Mirai” was used to turn thousands of insecure Internet-connected devices into remotely controlled “bots,” which were then used to flood the Domain Name System (DNS) infrastructure and Internet provider Dyn in the US, knocking off-line many of its customers, including PayPal, Twitter, Reddit, The New York Times, Spotify, Airbnb, and others. In November 2016, the Mirai software was used again in Europe, knocking nearly 1 million Deutsche Telekom customers off-line. This time, the malicious software attempted to infect routers and thus could have affected a much broader part of the Internet’s infrastructure. The Mirai attacks have highlighted various vulnerabilities and the lack of security of the “Internet of Things” (IoT) and the “smart” devices it comprises. As Melissa Hathaway, former cybersecurity adviser to U.S. Presidents George W. Bush and Barack Obama, explains in her latest piece on the breakdown of international norms of responsible state behaviors in cyberspace: “the Mirai attacks also highlight why the Internet’s security and stability is an international issue. As countries continue to embrace the economic opportunities of becoming more connected to the Internet and adopting and embedding more IoT devices in every part of life, they must also prepare for the misuse of those same ICT-based devices.”
The fact that cybersecurity made the front page of a magazine like The Economist (usually written about making money) is a pretty big deal economically speaking and the gloomy prediction is troubling. The article, headlined “Why everything is hackable,” noted how profitable it is for malicious actors to exploit vulnerabilities and prey on people’s ignorance or ingenuity. With the availability of ransomware and exploit kits readily available on the Dark Web, initial investment is low, and the potential revenue generation is high. The article cleverly pointed out that high tech companies “value growth above almost everything else,” and there is a mentality of “Ship it on Tuesday, fix the security problems next week – maybe.” I sadly have to agree, and fear that this mentality has further disincentivized tech companies from developing well-engineered products with less vulnerabilities and increased redundancies. The Economist recognizes that these and many other cybersecurity issues are a serious problem and, while it might have been excusable to overlook these issues when the Internet was new, this is no longer acceptable or feasible in today’s highly connected world. – Senior Fellow Francesca Spidalieri