One of the challenges of working in the security community is that you are expected to be fully aware of risk at all times. But as humans we all slip up sometimes. I was reminded of that yesterday when I helped out with a training session for new Akamai employees.
In these training sessions, we go over Akamai security procedures and how employees are to conduct themselves. There are the obvious technological best practices, like locking a computer when leaving the desk, choosing strong passwords and not sharing sensitive company data with outsiders by email and the various forms of social media. Physical security is also covered -- where to go if the building is evacuated, what not to say about the company in the crowded restaurants, coffee shops and sidewalks that surround our headquarters, and so on.
As we went down the checklist, I could think of at least two cases where adversaries got the better of me, despite all my experience. Before I go into examples, I should point out that these are mistakes I made before joining Akamai.
On the physical side, my mouth has gotten me into trouble. I have a deep, loud voice that can be heard from much more of a distance than I thought until it was pointed out the hard way. I was covering a court story and sitting in a press room, talking to a colleague about what I was working on. I thought we were alone as it was early in the morning. But someone who worked for a competing publication heard me from across a room separated by curtains and banks of computers. I was working on a scoop, and the competitor, hearing me talk about it, chased the story and got it published before I could publish mine.
It taught me that you shouldn't talk about your company's initiatives in a crowded Starbucks, in a city or town full of people who work for your competitors. You've likely heard the saying "Loose lips sink ships." Loose lips can also land your company's intellectual property in the hands of competitors.
In the training session, we also talked about how to tell if someone is attempting to dupe you into downloading malware with a phishing attack. We know the danger signs -- emails and other messages made to look like they come from legitimate sources, telling us to click a link to fix some glitch with a bill, order or something else the victim is bound to care about. I've written hundreds of stories about it, yet a couple years ago I fell for the oldest trick in the book.
It came in as a direct message on Twitter from a colleague who sat in the next cube over from me at the office. He's a nice, mild-mannered chap, so when I got a tweet in his name, I opened the link without thought. Well, that's actually not true. I did have thoughts -- based on his tweet:
"Hello somebody is saying very bad rumors about you... (URL removed)"
I've been in this profession for a long time, and have found myself on the receiving end of blistering criticism plenty of times. It's a simple byproduct of the job. And yet I had to know who was spreading bad rumors about me. And I had to know right that second. I clicked the link and got a slow-loading site that ended in a request for my Twitter username and password. Another huge red flag. But someone was out there spreading rumors about me, you see, and I had to know what it was. So I plugged in my credentials.
As the screen of my Android froze up, I got the sinking feeling that I had just committed an act of supreme dumbness. By then, it was too late.
Soon after that, a friend on Twitter sent me this message:
"Guessing you didn't mean to post that..."
It turns out the bad guys started using my Twitter account to send out a variety of spam messages to friends, including the one I fell for.
I changed all my passwords for everything, and the Twitter madness ceased.
It goes to show that we can never be too careful, and that we must always be vigilant.