@pwnallthethings
Indictment of hackers this week a good opportunity to remind you all to sign up for Google Advanced Protection Program if you use Gmail at home
Everyone should, but *esp* journos, think-tankers, folks in politics, govt employees or activists.
Do it now. landing.google.com/advancedprotec… pic.twitter.com/K3G4qoExUn
Pwn All The Things
@pwnallthethings
14 Jul 2018
Modern spearphishing is *really* good. When high-end hackers come for you, you will 100% fall for it. It's not a matter of being "smart" or training not to click the link.
You set up countermeasures via 2FA or Yubikeys, or you are 100% trusting to chance that you never get targeted
Pwn All The Things
@pwnallthethings
14 Jul 2018
Seriously. Look. Just look at it. This is the email Podesta was sent.
You're probably thinking "wow how come Google algorithms didn't catch this email, it's right there asking for your password?". Because the letters aren't English to trick the filters. Hackers are smart. pic.twitter.com/6fDGvjsVD8
Pwn All The Things
@pwnallthethings
14 Jul 2018
And then he landed on this page. Look!
* URL looks a lot like myaccount,google,com. You have to look close to see it's not.
* Prepopulated his account name + picture.
When. They. Come. You. Will. Fall.
You put in 2FA countermeasures, or it's blind luck your emails aren't online pic.twitter.com/Xv0HJgof86
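The two tricks described in the previous two tweets (letters swapped for look-alikes from another alphabet so keyword filters miss "password", and a sign-in URL that is almost but not quite the real one) are both mechanically detectable. The script below is an added example for this thread, not code from the thread's author or from Google; the expected host, the sample email text and the sample URLs are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Host the real sign-in page lives on (assumed for this example).
EXPECTED_HOST = "myaccount.google.com"

# Constructed sample inputs. "\u0430" is Cyrillic small a and "\u043e" is
# Cyrillic small o; both render almost identically to their Latin twins.
SAMPLE_EMAIL_TEXT = "Someone just used your p\u0430ssword to try to sign in"
SAMPLE_URLS = [
    "https://myaccount.google.com/signin",              # genuine
    "https://myaccount.google.com.example.net/signin",  # real name as a label of another site
    "https://myaccount.g\u043eogle.com/signin",         # Cyrillic o hidden inside "google"
    # The same Cyrillic host as a browser would actually send it (punycode).
    "https://" + "myaccount.g\u043eogle.com".encode("idna").decode("ascii") + "/signin",
    "https://myaccount-google.com/signin",              # unrelated look-alike
]


def script_of(ch: str) -> str:
    """Coarse script bucket taken from the Unicode name: 'LATIN', 'CYRILLIC', ..."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else ""


def mixed_script_words(text: str) -> list[str]:
    """Words whose letters come from more than one script, Latin included.

    A filter matching the literal string 'password' never sees it once one
    letter is swapped for a look-alike from another alphabet; a human reader
    does not notice the swap. Flagging such words restores that visibility.
    """
    flagged = []
    for word in text.split():
        scripts = {script_of(c) for c in word if c.isalpha()}
        if "LATIN" in scripts and len(scripts) > 1:
            flagged.append(word)
    return flagged


def classify_host(url: str, expected: str = EXPECTED_HOST) -> str:
    """Compare a URL's hostname with the host sign-in should happen on.

    Only an exact match is 'ok'. The other labels name the trick a near-miss
    is using, so the verdict can be logged or shown to the user.
    """
    host = (urlsplit(url).hostname or "").lower()
    if host == expected:
        return "ok"
    if any(ord(c) > 127 for c in host):
        return "non-ascii characters in host"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode label in host"
    if expected in host:
        return "expected host embedded in a different domain"
    return "different host"


def check_samples() -> list[str]:
    """Classify every constructed sample URL, in order."""
    return [classify_host(u) for u in SAMPLE_URLS]


if __name__ == "__main__":
    print("suspicious words:", mixed_script_words(SAMPLE_EMAIL_TEXT))
    for url, verdict in zip(SAMPLE_URLS, check_samples()):
        print(f"{verdict:45s} {url}")
```

The host check is deliberately an exact comparison rather than a "does it contain google" heuristic: the second sample shows why, since the genuine name appears verbatim inside a host the real site does not control. Browsers show mixed-script hosts in punycode for the same reason, which is why the fourth sample is checked in that form too.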
Pwn All The Things
@pwnallthethings
14 Jul 2018
And it's not just a couple of emails. Your personal email is where "forgot my password" reset emails get sent. Once your home email account falls, all your online identities get pwned all in one fell swoop.
Podesta didn't just lose his email in that hack
twitter.com/pwnallthething…
Pwn All The Things
@pwnallthethings
14 Jul 2018
"But I'm not important enough to hack"
Stop. Last year FBI prosecuted a guy who compromised 1000+ accounts, used that access to reset pwds to cloud accounts and searched for cloud-synced intimate pictures. You don't have to be "important" to be targeted.
justice.gov/usao-sdny/pr/i…
Pwn All The Things
@pwnallthethings
14 Jul 2018
Today's the day you should enable 2FA on your home account. Or if you use Gmail, their Advanced Account Protection.
No day better than today to do it. Go do it now.
Pwn All The Things
@pwnallthethings
11 Aug 2018
They defend against phishing, not malware.
David Carroll 🦅
@profcarroll
14 Jul 2018
Ironically, government officials and registered candidates are barred from Google’s Advanced Protection Kit pic.twitter.com/yg4WixBcQN
C:\Mike\
@494ml
14 Jul 2018
Maybe to comply with campaign donations regulation?