This November’s edition of The Atlantic features a fascinating piece by James Fallows, “Hacked,” chronicling the hacking of his wife Deborah’s Gmail account. Fallows follows the hack from the moment they first became aware something was awry, through their dealings with Google to handle the invasion, and then, after the loss of all of his wife’s archives and contacts, the struggle to get any of that information back. It’s quite an interesting read, especially given that Fallows is one of the better writers and journalists out there. One of my favorite lines comes when Fallows asks how often these types of attacks occur:
“Probably in the low thousands,” [Bryant Gehring, of Gmail’s consumer-operations team] said. “Per month?” I asked. “No, per day,” followed by the reassurance that most were short-lived “hijackings,” used to send spam and phishing messages, and caused little or no damage, unlike our full-out attack.
On average, half a dozen accounts are taken over every two or three minutes, round the clock, including now.
Fallows goes on to offer much of the same advice I’ve been including in many of these media roundup links: use strong passwords, and stay aware of potential malware threats, whether on your computer or your mobile phone.
At the end of my visit to Google, I went by to see Michael Jones, the friend to whom I’d first turned in data-loss despair. I told him what I’d learned, and how I would try to spread the message of shared responsibility, individual and organizational, for security in the cloud age.
“I see that you’ve got it!” he said. “The zeal of the convert. People in the business think about the risks all the time, but normal people don’t, until they’ve gotten a taste of the consequences of failure.”
I have now had that taste and am here to share the experience. As with so many other challenges in modern life, responding with panic or zealotry doesn’t get us anywhere. But a few simple self-protective steps can save a lot of heartache later on.
Ezra Klein, of the Washington Post, notes a recent XKCD comic about password strength in his commentary on Fallows’ piece.
But I think the best point Ezra makes in his post concerns those who use the same password for multiple sites (and we’re all guilty of it).
But even a good password won’t do much for you if it’s attached to weak sites. If you’re using the same password for everything, one way a hacker can break into your files is to get access to a weak site’s internal databases and then plug the e-mails and passwords he finds there into stronger, more valuable sites like Gmail, or Wells Fargo. “If you have ever used the same password in more than one place, you have reduced your overall safety record to whichever site had the lowest amount of protection,” said Michael Jones, Google’s “Chief Technology Advocate.”
Forty minutes of reading and password reworking now could save you a lot of trouble later.
Too true.
Addendum: Fallows recently made a post about how to be proactive in the fight against phishers and scammers: report them!
Secure messaging with Gryphn’s app:
“Go from unsure to secure in 60 seconds or less — with the ‘year’s most innovative startup for national security’”
