The latest Android / Gmail security flaw & why people don’t take IT & security seriously

28 Aug 2014

You may have heard about the recently-discovered Android exploit that makes Gmail vulnerable to criminal hackers. I read it over and realized that I have to use this opportunity to share an example of what I talk about when “researchers” claim that all is bad in the world because of the latest and greatest exploit impacting whatever software or device they’ve discovered.

This Android/Gmail finding in particular is a great example of yet another one of those “the sky is falling” security “flaws” that I’ve been calling out for years…and they won’t go away…and we wonder why people outside of IT and security don’t see us as credible business professionals.

Let me explain.

The AJC story states that:
“Security researchers have uncovered a major flaw in mobile operating systems which could give hackers easy access to personal information. Here’s the scary bit: The exploit can hack into your Gmail account with a 92 percent success rate.”

Wow…scary indeed. That’s a great success rate that shows all IT and security departments need to drop everything they’re doing and put this exploit at the top of their priority lists. Something tells me that there’s not a fix…

Yet it goes on to say:
“A Greenbot writer notes actually using this vulnerability is pretty complicated. ‘First, you have to download a malicious app to start monitoring your activity. Then, the attack has to happen at the exact moment you are entering sensitive information. … The malicious app has to inject a phony, look-alike login screen without the user noticing. That means the fake screen has to be precisely timed.’”

Oh, so it’s not really that bad. In fact, so many variables have to magically line up that most people and businesses will never be impacted? Whew…

And, finally:
“…the best advice researchers have for avoiding these attacks is not to download sketchy apps in the first place.”

Perfect…I won’t. Good to confirm there is no solution to fix a problem that may or may not be creating security risks in any given environment.

This leads me back to the security basics that people keep avoiding and then go on to wonder why they keep getting hit. It’s a perpetual cycle of ignorance brought on by research that goes unvetted by the media and, like most things, gets made into a bigger deal than it needs to be.

I’m glad there are folks out there (who are way smarter than me) finding such flaws and keeping vendors honest. But you can’t follow their lead.

Want to know the real secrets to avoiding security incidents and data breaches? Know your environment, understand your unique risks, and follow the proven security essentials that have been around for decades. Don’t fall for the IT geek speak that likely has no bearing on your business. These are the things that will keep what’s important in check, and they will very likely keep your users’ Gmail passwords more secure than anything else possibly could.