Have you ever sent an email that omitted the word “not,” so that your message said the opposite of what you intended? I’ve done it more times than I care to remember. I have also received messages with missing “nots” that have at least given me pause and sometimes sent me down the wrong path altogether.
A case of a missing “not” came to light last week, and this one had disastrous consequences. Will Oremus, writing for Slate, and following up on a news story in the New York Times, interviewed the man whose mistake led to the hacking of the Democratic National Committee emails before the election. John Podesta received an email message purporting to be from Google that said someone had used his password. The message offered a link he should follow to change it. Podesta’s chief of staff forwarded the message to their IT guy, who saw it for the phishing attempt that it was, and sent it back to tell Podesta not to respond. He thought he typed “This is not a legitimate email,” but what he actually typed was “This is a legitimate email.” The rest, as they say, is history.
What the story illustrates to me is that security is more a human problem than a technical one. Human beings, even well trained and highly competent ones, make mistakes. From time to time, one of those mistakes will be fatal. This is a mistake that I myself have made, so I don’t want to second-guess the Democratic National Committee. And I don’t want to get into the question of who was behind the hacks, other than to say there are always bad guys about. But I want to note that in this one instance there were three people in a position to protect the DNC’s network — Podesta, his chief of staff, and the IT guy. Two of them deferred to the judgment of the third. It pays, I think, to strengthen the judgment and confidence of everybody and thereby increase the chances your organization will resist the next phishing attempt. Logical Operations, of course, can help. Our CyberSAFE program is designed to help you make sure everybody in your organization is on alert.
Just to underscore the human dimension of security, here’s an eye-opening video that appeared on the Real Future site via BoingBoing. In it, Kevin Roose, the host of Real Future, dared some hackers to obtain his personal information. In a remarkable demonstration that involved no coding whatever, Jessica Clark made a “vishing” call to Roose’s cell phone provider. She got his email address and took control of his cell phone account in under three minutes. During the call, she posed as Roose’s wife, saying she couldn’t remember the email account she and Roose had used to open the cell phone account. To add to the urgency of the situation, she played audio of a baby crying in the background. The only thing she did that was in any sense technical was to spoof Roose’s cell phone number. Otherwise, it was two and a half minutes of deft social engineering.
I have written before about how criminals can be effective at taking advantage of people’s natural desire to help. Go watch the video at BoingBoing and then understand that it’s not enough to simply tell your employees to stay alert. You need to teach them to be alert even while they are being helpful. It’s a tall order, but that’s life in the 21st century.