Yesterday (Wed May 3, 2017) Google announced it had stopped a phishing attempt targeting its users. This immediately raised concerns in education circles, especially since many districts use GAFE (Google Apps for Education). This article explains the attack in layman's terms and how you can protect yourself.
- Users got an email claiming a document had been shared with them, with a link to open it
- Clicking the link brought up the familiar app-permission popup, asking them to allow 'Google Docs' to access their account
- Once a user authorized this app, the account was compromised: the app could read and send their mail and read their contacts without ever knowing their password
First, what really happened
A malicious developer registered an app with Google and named it 'Google Docs' (the first mistake on Google's side: allowing a third-party app to impersonate one of Google's own products).
They then sent an email with a link to their app, which requested access to the user's Google account while claiming to be 'Google Docs'. Once a user agreed, everything covered by the permissions the app asked for (in this case their email and contacts) was open to the attacker. Thankfully, the password itself was never exposed; Google and other providers do a good job of keeping that safe.
What happens in the background is a process called OAuth: you told Google to grant an app access to your account, and Google handed that app a token for exactly the permissions you approved. This is how all legitimate Google-enabled apps work (including ClassroomAPP; Facebook, Microsoft and others do it the same way).
When Google was notified, it moved to correct the issue within about an hour (its statement mentions 'manual' intervention, which is concerning; it should be automated. More on that in the addendum at the bottom).
Protecting Yourself
We have become so used to accepting such requests that we no longer run the proper checks. Here is what to look for:
A real Google product never shows you this popup asking for permission to access your own Google account. Google Docs simply opens, because you are already signed in to Google. An app named 'Google Docs' asking for access is, by itself, the warning sign.
Look at the origin of the popup: it must be on google.com (accounts.google.com), otherwise it is a fake login page built to steal your password. Be aware that in this attack the popup genuinely was Google's own consent screen, so this check is necessary but not sufficient; the checks below are what would have caught it.
Look at the developer's email address in that popup (Google and others verify the email and website shown there, so you know it is the real address the developer registered). If you don't recognize it, say no. If it is not on a company domain (for example, it is someone's gmail account, as in this phishing attempt), you must say no. No respected company uses a gmail account as its registered developer address. You can always accept later once you are sure.
It is safer and easier to deny a request when you are not sure than to clean up afterwards. Once your account is compromised, attackers move fast to download your data or, worse, to use your account against others (in this attack, by emailing your contacts the same request).
Legitimate apps are used to having their requests denied (users validate their security policies first) and will let you try again as often as you like. If you feel pressured to accept right away, that is cause for concern (just like those limited-time offers designed to make you buy now).
Read the list of requested permissions carefully. Do they really need access to your contacts, Google+ or Gmail? Most apps only need to know your name and email address (in our case, we also ask for your classroom information when it is available). If an app asks to manage your contacts or read your email, raise a red flag.
Only ever type your password into Google itself. Apps linked to Google (and other providers) never see your password: we trust Google to authenticate you and tell us who you are. That is what Single Sign-On is all about.
Once you realize you have been compromised, disconnect that app (for Google, go to https://myaccount.google.com/permissions). Because a compromised account is used to mail your contacts, also check your Sent folder for messages you did not write and warn the recipients.
Disconnecting apps from your permissions dashboard is easy. We recommend visiting this dashboard regularly to make sure all is well and to remove anything you no longer use.
Emails and Sites
This is important, as spoofing the sender is one of the most common phishing techniques.
google.com is not the same thing as google.my.com. The part that matters is the registered domain: the last label before the .com (or .org, .net, etc.) together with that ending. That is the address the provider actually owns, and anything to the left of it is just a subdomain the owner can name however they like. So the domain of google.my.com is my.com, not google.com, and accounts.google.com.example.net belongs to example.net. Read hostnames from the right.
Make sure the official company domain appears in the emails and apps you are dealing with (no generic or free-mail addresses like firstname.lastname@example.org or email@example.com). Note: in the permission popup you may have to click the company or developer name to see it.
ALL your secure communication needs to go over https (e.g. https://www.classroomapp.com).
Do not use your Google (or Microsoft) password on any site other than Google (or Microsoft).
Look at the address of every page you visit. That 's' at the end of https means 'secure': the communication is encrypted and the browser has verified that you are talking to the domain shown in the address bar. Well-maintained sites now offer secure connections by default (Google even gives them a boost in search rankings). One caveat: https only proves you reached the domain in the address bar, not that the domain is trustworthy. Phishing sites can and do use https too, so you still have to read the domain.
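The checks from the two sections above (consent popup on google.com, no third-party app named like a Google product, a company developer address rather than free-mail, only the permissions an app really needs, and reading domains from the right) can be written down as a small triage routine. The following Python is an added example written for this article, not code from ClassroomAPP or Google. The two consent URLs, the app names and the developer addresses are constructed for the demonstration (they are not the real May 2017 ones); the scope strings are real Google OAuth scope identifiers; and the tiny public-suffix table is an assumption that stands in for the full Public Suffix List a production tool would use.

```python
from urllib.parse import urlparse, parse_qs

# Assumption: a tiny stand-in for the Public Suffix List. Real code should use
# a maintained list (e.g. the `publicsuffix2` package); this covers the samples.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}

# Assumption: names a third-party app should never carry. Google's own products
# never ask you for access to your account through the consent popup.
FIRST_PARTY_NAMES = {"google", "google docs", "google drive", "google sheets", "gmail"}

# Assumption: a respected company uses its own domain for its developer contact.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}

# Real Google OAuth scope strings, with roughly the wording the consent screen
# shows for them. Anything beyond name and email should make you stop and think.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "read, send, delete and manage all your email",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify your email",
    "https://www.googleapis.com/auth/contacts": "manage your contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read your contacts",
    "https://www.googleapis.com/auth/drive": "see, edit, create and delete all your Drive files",
}
MINIMAL_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that a company actually registers.

    www.google.com -> google.com, but google.my.com -> my.com (it belongs to
    my.com), and mail.google.co.uk -> google.co.uk (co.uk is a public suffix).
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def email_domain(address: str) -> str:
    """Registered domain of an email address (the part after the last '@')."""
    return registrable_domain(address.rsplit("@", 1)[-1])


def triage_consent(consent_url: str, app_name: str, developer_email: str) -> dict:
    """Apply the article's checks to one OAuth consent request.

    Returns {"verdict": "allow" | "deny", "findings": [...]}; any finding means deny.
    """
    findings = []
    parsed = urlparse(consent_url)

    # 1. The consent page itself must be Google's, served over https.
    if parsed.scheme != "https":
        findings.append("consent page is not served over https")
    if registrable_domain(parsed.hostname or "") != "google.com":
        findings.append(f"consent page is on {parsed.hostname!r}, not google.com: "
                        "a fake login page, not a Google permission request")

    # 2. Google's own products never ask you to grant them access to your account.
    if app_name.strip().lower() in FIRST_PARTY_NAMES:
        findings.append(f"app calls itself {app_name!r}; a real Google product "
                        "never shows this consent popup")

    # 3. The developer contact should be on the company's own domain.
    if email_domain(developer_email) in FREEMAIL_DOMAINS:
        findings.append(f"developer contact {developer_email!r} is a free-mail account")

    # 4. Read the scopes: most apps only need your name and email address.
    scopes = parse_qs(parsed.query).get("scope", [""])[0].split()
    for scope in scopes:
        if scope in SENSITIVE_SCOPES:
            findings.append(f"asks to {SENSITIVE_SCOPES[scope]} ({scope})")
        elif scope not in MINIMAL_SCOPES:
            findings.append(f"asks for an unfamiliar permission: {scope}")

    return {"verdict": "deny" if findings else "allow", "findings": findings}


# Constructed sample requests: a benign sign-in asking only for identity, and a
# request shaped like the one the article describes (email plus contacts).
BENIGN_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example-client"
    "&redirect_uri=https://www.classroomapp.com/oauth/callback&response_type=code"
    "&scope=openid%20email%20profile"
)
PHISH_LIKE_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example-client"
    "&redirect_uri=https://docs.example-not-google.net/callback&response_type=code"
    "&scope=https://mail.google.com/%20https://www.googleapis.com/auth/contacts"
)

if __name__ == "__main__":
    for label, url, app, dev in [
        ("benign", BENIGN_REQUEST, "ClassroomAPP", "support@classroomapp.com"),
        ("phish-like", PHISH_LIKE_REQUEST, "Google Docs", "someone@gmail.com"),
    ]:
        result = triage_consent(url, app, dev)
        print(f"{label}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Note that the phish-like request passes check 1: the consent page really is on accounts.google.com, exactly as in the May 2017 attack. It is the impersonated app name, the free-mail developer address and the breadth of the requested permissions that produce the deny verdict, which is why the domain check alone is not enough.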
- Make sure you follow the steps from Protecting Yourself above
- Look carefully at the email and site domains asking you to log in
- Only connect apps you really need (we promise you won't be using that 'really cool' app for long; it has to be useful)
- Disconnect first, ask questions later; you can always reconnect a good app
- Anyone can create and publish an app. Google and Microsoft run far lighter checks on web, Chrome and Android apps than Apple does on iOS and Mac apps, and at the time of this attack nothing stopped a web app from calling itself 'Google Docs'
An easy (and admittedly unfair) test is to check whether the developer also has an iOS app, where applicable. Apple goes to great lengths to police developers and has little tolerance for low-quality apps and security breaches.
The only 360 security in education: ClassroomAPP
Your peace of mind is important, and here is how we contribute to it: ClassroomAPP handles browsing, login, app integration and classroom activity (a full 360) so there is no gap in protection as you switch to another app or browser in the classroom or at home.
- ALL App communication is secured, even if you are just loading the main page
- If you store your login passwords on our system, they are safely hashed (more on that in our passwords article), and our system also limits failed login attempts to stop brute-force attacks
- We only request permissions we really need
- We run our own dedicated servers, shared with no one else (locked down and running only ClassroomAPP, to avoid vulnerabilities in third-party software)
- We do not cross-share information between accounts without your and the school's permission (e.g. teacher access to student information etc.). We explicitly prevent access from outside your district
- Parents can only communicate with the teachers of their students, can only see their students' information, and only as the teacher sees fit
- Our built-in firewall and site filtering block malware, viruses, phishing websites, proxies and file-sharing sites, even when students are at home
- No passwords are stored on the device and cached data is cleared as soon as the student logs out
- If you integrate us with third-party applications we only send the minimum data for a typical educational app to function
We were asked whether it was really Google's mistake and not just the users'.
Truth is, every major provider has had its users compromised one way or another: private photos leaked from iCloud, spam sent from compromised Hotmail accounts, and let's not forget the 'fake news' saga on Facebook.
The underlying reason for this is not technology per se. It's scale. Technology companies make money by providing their service to as many people as possible with as little human intervention as possible (to keep costs down).
Remember the magical number of 1B users Facebook was boasting about? Facebook reportedly has fewer than 18,000 employees. That is over 50,000 users per employee!
Your Google or Facebook ads are served through ad matching algorithms, offending or 'fake news' posts on Facebook are removed automatically when too many people complain. It's all automated.
What technology companies try to do is learn from their mistakes and improve the process. This is how they stay in business. They are generally reactive.
In this case, Google does very little checking of app developers. It wants as many apps linking to its systems as possible, because that means more people using Gmail, Google+ and so on, and the virtuous circle of profitability continues.
So we expect they will improve their process, at a minimum by no longer allowing anyone to impersonate their own apps (and likely those of others). Something else they can do is limit how much data a new app can download from its users (or what actions it can perform with your data) until it has 'proven' itself. As the number of people actually using it goes up, a human can step in to validate it and raise its allowances.
But until the next hacking attempt comes along (and it will come), stay safe!