The Cloud is Not Safe. Check.

Last Monday, my Gmail account was hacked. It wasn’t scraped or spoofed. I did not get a computer virus and there was not spyware in my browser. My password was not “password”; it was a random bunch of characters. Some entity broke into my account and used it to send spam messages to every single person in my contacts list. Over 500 outgoing messages were in my sent folder, each containing a single link to a Viagra purveyor.

Of course I immediately Googled my situation. When I Tweeted about it, a friend sent me a NY Times article about a Google cyberattack that had come out that very same day. The attack is said to have hit Gmail’s password system back in December, and it’s unclear how much data was compromised. The day after I was attacked, this very helpful PC World article came out describing exactly what happened to me. I contacted Google with all the details and my spam message headers. As I expected, I haven’t heard a peep back from them.

Professional techies tend to have a decent awareness of how to avoid being hacked or getting a virus. Though I don’t use antivirus software, I haven’t had a problem with spyware, viruses or spam in years. Part of why I’ve been so successful is that I moved all of my email to the cloud—via free Google Apps at my org, and I run all my personal email through Gmail. I’ve grown complacent over time knowing I have the best spam filters in the world. Additionally, when you don’t download email onto your computer, it’s a lot harder to slip up and get a virus.

Last week was a good reminder that the Internet is never safe, and that the cloud is indeed very vulnerable. Many of the 500 recipients of the spam link from my spam attack opened the link because they trust mail from me. This was pretty embarrassing, as many of the spam emails went to colleagues and others with whom I do business. There were a range of responses, too. Dozens of well-meaning “Hey, you got hacked! Do you know about it? You have a virus!” Then there were these: “OMG I CLICKED ON THE LINK OMG DO I HAVE A VIRUS HELP ME TELL ME WHAT TO DO!!!!” My favorite response was from my neighbor, also a techie: “I think you got hacked… or… were you trying to tell me something with that Viagra link? <wink emoticon>”

The hack made for an ugly Monday, and my inbox was flooded with emails from concerned spam recipients and automated bounce messages for the rest of the week. I ended up setting up an auto-responder that ran for several days. “Yes, I know I was hacked. It was just a link, not a virus. Your computer is fine. I really need to get back to work. Have a nice day.”

In the last hour, I just received a spam message from a good friend who uses Yahoo mail. It looks exactly like the messages that were sent from my account. I wonder if the hack is spreading. Giant sigh.

Comments

Whaat!?! You don't use antivirus software?

I am not sure who consulted with you to not use anti-virus software, but they should seriously consider finding work outside of information technology. As I am sure you are aware, or perhaps you are not aware, just because you don't see any symptoms of a virus, trojan, bot, or spyware attack on your system does not mean the attack isn't happening or hasn't already happened and that you are then not infected.

I have been in the information technology business for 16 years, and I grew up on the Apple IIe and the first online experience I had was with Compuserve dial-up. No viruses back then. However, as time has progressed I have learned two things - first, we can never be 100% secure unless your computer is unplugged - no, I don't mean unplugged from the Internet, I mean unplugged from the power socket. Second, if you sincerely believe you do not have a virus or are not somehow infected by some malicious software after you have been connected to the Internet for a year or more, you are probably wrong.

I am certainly very paranoid, and for good reason. In this case, I do indeed believe that everyone is out to get me - and you, and everyone else - in order to use your CPU cycles to attack other systems when you aren't looking. They don't necessarily want to steal your identity, or delete files from your hard drive - they want your computer to hum along nicely without any evidence of failure or mishap because if your computer isn't working, then their bot net isn't working. This goes for Windows, Mac, Linux, Solaris, BeOS, Android, Blackberry, Windows Mobile or any other operating system you are using out there. CPU cycles are worth money and there are nefarious people out there that want yours.

I tend to wipe my computer system and reinstall it every three months. This is not practical for everyone, and is very time consuming if you don't have the tools in place to manage it. In those cases where people believe my paranoid dogma and they want to be more secure, I recommend they use virtual machines with snapshots running on a single-purpose locked down host system. That way, if the virtual machine they are using gets infected, they can simply revert back to the snapshot.

I have talked to CIA, FBI, local law enforcement, SANS personnel and NIST personnel, and the conclusions I have come to about how I manage my systems stem from extensive experience and research. I sound like a frothing-at-the-mouth Internet zealot that lives in fear of his shadow - but I am not; if you want your systems as secure as they can be, from the seat that I sit in I am just practical.