So I'm leaving for vacation this weekend, and was at the laundromat doing some laundry so I can have the freshest of clothes on vacation. It was later in the evening, about 9:45pm. I was tired, and as the drying cycle was going on my clothes I was just hoping it would end soon, as I've been trying to get some sleep before a super early (3am) flight 2 days later.
I get back to my apartment about 10:05 and I'm really looking forward to just crawling into bed and passing out... and my wife calls my name from the other room saying her dad (obviously my father-in-law) wants to ask me a question. She says it's a 'computer question' so I'm thinking, 2 minutes and I'll be off the phone and in bed, probably just a question about the printer not working or something... right? Wrong. He starts by saying he thinks my mother-in-law's Gmail account has been hacked... so here we go...
The details of the actual hack remain a bit cloudy (no pun intended) but what was clear was that there was actually a legitimate chance that someone had gained access to her Gmail - or at least Google thought it was possible. It appeared she had fallen for some sort of phishing scam which means that her Gmail password was compromised. My immediate advice was, well, make sure you changed her password, and possibly contact Google to see if they have anything to say about it. Then he dropped an A-Bomb on me...
1. The A-Bomb
The A-Bomb he dropped on me was this: In her Google account (which is connected to your Gmail and all Google services) she had a document in Google Drive (a cloud-based document creation/storage solution based essentially on Microsoft Office products) that contained all of her usernames and passwords to all of her different accounts. What kind of accounts, you ask? Well over 50 different online accounts in total, many of which are crucial to the business she is running. The kind that could really give you a headache should others gain access to them.
So you can imagine that this struck a son-in-law who works in digital security as a major 'no-no' - and one that I can't have my in-laws making. I spent the next 20-30 minutes asking them questions about how it happened, why it happened, etc. Not a great conversation for someone about to go on vacation.
2. The biggest security risk on the cloud is you
More and more in the tech news these days we hear about data breaches, cyber crime, and hacks. More specifically, we hear about a new level of sophistication in these attacks. Advanced malware, keystroke tracking and various other methods show cyber criminals have really stepped up their game. It's absolutely imperative that we in the digital security field step up our game as well, and I will admit, it seems that we are a step or 2 behind.
There are many different things the digital security community can do to keep individuals and companies safe from cyber attack, however, one thing it seems we will never be able to keep people safe from is themselves. Think about the situation with my mother-in-law. She probably received a fairly standard phishing email, something that was made to look legit but probably carried all the usual signs of a scam email. There is nothing anyone in the field can do to prevent her from clicking that email - she did it, and no one could stop that. She was her own worst enemy.
One thing becomes clear the deeper you get into which types of breaches and hacks are most common: the common denominator is usually the user. Weak passwords, clicked phishing emails, opened malware attachments - you name it, it usually involves someone making a mistake at the user level rather than some advanced piece of malware or software getting into the server on its own. The biggest risk when it comes to cloud security, well, is you.
The saga continues...
Once again, I will lead with the disclaimer that I've received this story from the perspective of two people who know very little about online scams, security, etc. I spent 30 minutes on the phone trying to diagnose, treat, and clean the wound with no actual evidence (the phishing email, for example) or any other sort of information that would assist. This is what it is.
At this point we had to assume that her Google Account credentials were hacked. She claimed she had received some sort of email from Google saying that there was a good chance her account credentials were compromised, so at this point we had to assume that was true. It's always better to be safe than sorry in this situation; changing a password isn't a big deal. It's the next step that wasn't so fun. It's one thing to convince your mother-in-law to change one password, but 50? Yeah... Good luck, this is going to take some time and some convincing and even then who knows! The fact remains, however: if the hacker had access to her Gmail account, they had access to her Google Drive, and if they had access to that they had access to her 'password worksheet'. Not good.
3. Don't ever put passwords and important stuff on the cloud
It's easy to not consider your Gmail account a 'cloud based' service, but that's exactly what it is now or what it always was... Email accounts in many respects were one of the first cloud based services. Storing your private email, on servers, in data centers... well, you get the picture. However, it's even more so today with additional services being added to the list. Now you can keep Word and Excel documents, files, pictures, you name it! It's all tied to your Gmail account making that one password even more important than ever.
The real lesson to be learned is never ever ever ever (enough evers?) put your important information on cloud-based services. Share your photos, videos, and other stuff with your friends. Send e-xmas cards to your loved ones with photos. Use Dropbox to share whatever files you want with your family and coworkers (as long as they don't contain sensitive information!) - but when it comes to passwords, bank documents, tax forms, social security info, and any other sensitive data, don't even think about it. It's just not worth it. If you're looking for a super secure file sharing service, consider transferring files over SFTP.
There is already a big enough risk out there that some clever hacker will get some malware in the Dropbox server and steal 100 million user account credentials, not to mention the classic password '123456'. It's just not worth it. The more we dump our digital lives into the cloud, the more of our digital lives we put at risk. There are too many great alternatives right on your desktop that will store and encrypt important passwords and files without ever risking them to the internet.
In the case of my mother-in-law, who uses a Mac, this problem could have easily been avoided by using the great built-in software package "Keychain". If you're on a Mac, this is where you should store ALL your passwords, banking info, etc. It is a super heavy duty encrypted file system for this exact use. The minute you store a password and close Keychain, all the data is immediately encrypted, meaning that if anyone were to gain access to your machine, they would not be able to access this information and it would be useless to them. The minute you open Keychain and type in your password, your information decrypts and you have access to your passwords and other info. Needless to say, much safer than storing these passwords in a Word document on Google Drive.