> Google is running the program to reduce the risk of cyberattacks, according to internal materials. “Googlers are frequent targets of attacks,” one internal description viewed by CNBC stated.
Fair. The higher the profile you have, the worse and the more numerous the attacks.
I found after creating a LinkedIn account, attacks went up on my account 12x. Again, caveat emptor... but this makes a great deal of sense in who to target. When you willingly put "I am Gee Golly Whillikers, Sr Systems Engineer of Really Important Systems that 10m people use", well... you're self-selecting who to hit.
> The company has also in recent months been striving harder to contain leaks.
Wait WHAT? That's what we cybersec folks call an "Insider Threat". "Leaks" are done by insider employees wishing to harm the org they work for, up to leaking classified data, or secret corporate data.
> "Leaks" are done by insider employees wishing to harm the org they work for
This isn’t always the main motivation, and in my experience this isn’t even usually the main motivation.
(But if I’m wrong, please tell me. Don’t downvote me for my opinion/life experience. I have definitely seen the whole “f the company” scenario a number of times. But usually it’s “f a particular person” or it’s a “this violates my principles” kind of thing. Companies are legally entities but not that much psychologically, in my opinion.)
It’s a “oops, I’m drunk or forgetful and said or did more than I should have” lol.
I forgot to add that one.
> Companies are legally entities but not that much psychologically.
This is my own statement that I can’t edit. I understand that many people think otherwise depending on the context. I do also. In this particular context of “insider threat” (i.e. employee leaks), I still believe the main cause isn’t to “harm a company”.
> I found after creating a LinkedIn account, attacks went up on my account 12x.
I'm curious to know more about what you're doing to quantify this as an individual–I think I have a fairly sophisticated personal security posture and have implemented various business infosec measures professionally, but I'm not sure I have a great way of measuring how many attacks are targeted at me day to day, beyond a sort of vague sense of "this month I'm noticing more {frequent|targeted|sophisticated} attention".
I had a suspicion that phishers were using LinkedIn to build an employee directory to attack at work (using names and guessing our email address pattern), so I created a honeypot to test that: a company email along with a LinkedIn profile for a fake employee. Sure enough the honeypot mailbox started to get targeted by the same spear phishing emails our employees get pretty soon after.
Most of the attempts that I had were flagged as spam so I didn’t notice.
The one that almost caught me was a simple email allegedly from the CEO asking if I had a minute. I was working at a small enough company that it wouldn’t be out of the question for the CEO to email me and I replied, sure.
The next email was, fortunately, a clumsy attempt at fraud, asking me to buy some Xbox gift cards for a client, which made me look a little closer and notice that the email address hidden by the email client behind the CEO’s name was at a Russian ISP, so I dumped them into spam and posted a warning on Slack. Something less clumsily targeted might have caught someone (e.g., to do a test booking on our site, or open some tech window). That said, LinkedIn is useful enough to me that I’m willing to leave that window open, although it would be nice if company email addresses were less easily guessed.
The solution to such problems isn't just technical - if you see a mail from someone that sounds out of character like in your case, best is to contact them directly or via a fresh mail composed to their address to confirm what was sent.
Other examples are receiving an attachment from a known person with just a one line 'check this out' or sometimes nothing.
Social engineering attacks always trump technical hacking and tend to be more successful.
So the simplest most common email scam for anyone with a work email. It's not sophisticated or targeted, if anything you do matters to anyone you will get an email like that.
It's really on you for not checking the email instead of replying to basically a horny single in your area that could maybe give you a promotion.
During a phishing test at an old company, I was able to:
1. buy a cheap VPS ($5)
2. Buy a domain name with homoglyph unicode similar to the company's name
3. get a full stack of ssl from letsencrypt for the attack domain
4. set up postfix to use this domain with SPF/DKIM/DMARC
I then sent emails as the "CEO" and got by every spam and anti-impersonation filter. Outlook showed my emails as 100% legit in all ways. The ONLY way to tell was to go to email->properties->headers and KNOW and check the IP addresses of the servers.
Homoglyphs in Outlook desktop app are not shown as punycode. However the users who used OWA saw the punycode expansion of the domain and rightly reported them.
I thought that had been fixed, by ordering the registrars not to allow problem domains (e.g. domain must be entirely in Cyrillic+Numbers or not at all), though Wikipedia says this isn't yet the case for .com. I'm not sure if that's up-to-date though.
Pretending I work for asdf.com, I could register аsdf.com (Cyrillic а) and maybe αsdf.com (Greek α) as a precaution.
But "xn--sdf-5cd.com" and "xn--sdf-nxc.com" both show as unavailable for registration.
Something like asclf.com (all ASCII) could be mistaken in some circumstances.
I've aways wondered what on earth possesses companies to make these idiotic decisions. Take some feature that obviously works well and make a very trivial change that makes it much worse? Who sits down and decides to do this? How do they ignore the chorus of actual smart people telling them "don't do this, the domain name is important!" What possible financial ROI could they have gotten out of making such a small but terrible change? I don't understand how the checks and balances at a big, mature company like Microsoft would let something like this pass.
true, but even the domain is a really obvious signal for most of these attacks, considering most companies use their own domain for emails and it's fairly difficult to fake an email coming from that domain. So something coming from <ceo><random string of digits>@gmail.com should raise alarm bells for both automated systems and users (assuming the users can actually see it, which they now can on outlook)
Yes of course - this is why I mentioned that authenticating the domain is the main win.
Now - setting up SPF, DMARC, ... is technically easy but not so much organizationally. This is a real pain in the ass to find what various organizations used in the past in their outsourced communication (marketing, pay system, travel, ...).
The advantage that Outlook had (and has) is that it will resolve the user information from Active Directory. Receiving an email in Microsoft from "Bill Gates <helloworld@kjshkjsdhfkj.com>" will yield a very unusual visual (not the right firstname/lastname sequence, no picture, ...).
If I were someone of note who was concerned about increasing likelihood of attacks targeting me, I wouldn’t answer that question, doubly so if I was security conscious.
Leaks also happen accidentally, e.g. by employees copy-pasting sensitive data or code into ChatGPT or using Copilot. Although that may not result in a breach, it certainly opens up legal and IP concerns for Google.
I’m not sure those examples should be referred to as “accidents”. If you deliberately give the information to an external company, you leaked it deliberately, even if you thought they wouldn’t do anything bad with it.
Definitions might very by organization. The training I have received defined both "insider threat" and "leak" to include accidental disclosures by insiders as well.
Incidentally, accidental disclosures are the main thing SCIFs are designed to prevent. Deliberately taking classified data out of a SCIF is not particularly difficult (although it is harder to plead accident if you are caught, which acts as a dissinsentive).
Varies, and the terminology in news seems to actually favor 'leaked' as a way to describe any information a company doesn't want being disclosed. You'll often see headlines like "Video Game Source Code Leaked Online", when it's a system breach, not a 'leaker'.
Recent news headlines from a cursory search:
Massive Leak Of ChatGPT Credentials (June 2023)
Far Cry's Source Code Has Leaked All Over The Internet (July 2023)
VirusTotal leaked data of 5,600 registered users (6 hours ago)
Pikmin 4 ROM leaks online (14 hours ago)
Wow, I was expecting to find a few examples of different kinds from the past year, not... several from today.
The language used is not formalized. There is no "normal". The language is chosen (or arbitrarily used) to serve the goals of the company. This may include trying to align with a minimization campaign or an overblown narrative to provide cover.
Totally agreed. Also, now I am going to start using that phrase mashed up with an Archer reference when discussing security controls - "Do you want SCIFs? Because that's how you get SCIF's." LOL.
Fair. The higher the profile you have, the worse and the more numerous the attacks.
I found after creating a LinkedIn account, attacks went up on my account 12x. Again, caveat emptor... but this makes a great deal of sense in who to target. When you willingly put "I am Gee Golly Whillikers, Sr Systems Engineer of Really Important Systems that 10m people use", well... you're self-selecting who to hit.
> The company has also in recent months been striving harder to contain leaks.
Wait WHAT? That's what we cybersec folks call an "Insider Threat". "Leaks" are done by insider employees wishing to harm the org they work for, up to leaking classified data, or secret corporate data.
This is a WHOLE DIFFERENT REALM of attacks, and relevant appropriate defense. And this is how you get SCIF's https://en.wikipedia.org/wiki/Sensitive_compartmented_inform...