
[Computer Security Thread] CVEs, or "Crap! Vulnerabilities! Eughhhhh..."


Posts

    TetraNitroCubaneTetraNitroCubane The Djinnerator At the bottom of a bottleRegistered User regular
    edited December 2018
    Oh hey. The House Oversight and Government Reform Committee has released their findings on the Equifax Breach.

    Let's look at some highlights!
    • Entirely preventable. Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues, the data breach could have been prevented.
    • Lack of accountability and management structure. Equifax failed to implement clear lines of authority within their internal IT management structure, leading to an execution gap between IT policy development and operation. Ultimately, the gap restricted the company’s ability to implement security initiatives in a comprehensive and timely manner.
    • Complex and outdated IT systems. Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment. Both the complexity and antiquated nature of Equifax’s custom-built legacy systems made IT security especially challenging.
    • Failure to implement responsible security measurements. Equifax allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains. Failure to renew an expired digital certificate for 19 months left Equifax without visibility on the exfiltration of data during the time of the cyberattack.
    • Unprepared to support affected consumers. After Equifax informed the public of the data breach, they were unprepared to identify, alert and support affected consumers. The breach website and call centers were immediately overwhelmed, resulting in affected consumers being unable to access information necessary to protect their identity.
    1wUPde9.jpg

    (I mean, nothing's going to happen, I realize. But that image is just too good not to share.)

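    One of the findings above that gets the least attention is the 19-month expired certificate on the traffic-inspection device: the intrusion detection gear could not decrypt traffic, so exfiltration went unseen. The fix is boring inventory work, and here is an added example of it, not something from the thread or from the Committee report: a small Python script that classifies every certificate in an inventory as expired, expiring soon, or fine. The hostnames, the expiry dates and the reference date `EXAMPLE_NOW` are all constructed placeholders; the `fetch_not_after()` helper shows how a live inventory would be filled from a real host and is not used by the offline report.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed inventory for this example: host -> notAfter string in the exact
# format ssl.getpeercert()["notAfter"] returns ("Mon DD HH:MM:SS YYYY GMT").
# The hostnames are placeholders, not real systems.
INVENTORY = {
    "api.example.internal": "Dec 31 23:59:59 2030 GMT",
    "tls-inspect.example.internal": "Jan 31 23:59:59 2016 GMT",  # long expired: inspection is blind
    "portal.example.internal": "Jan 15 12:00:00 2019 GMT",       # about to expire
}

# Fixed reference time so the example run is reproducible (constructed, not real).
EXAMPLE_NOW = datetime(2019, 1, 1, tzinfo=timezone.utc)


def fetch_not_after(host, port=443, timeout=5.0):
    """Live lookup of a host's leaf-certificate expiry.

    Needs network access; it is how a real inventory would be built, but the
    offline report below never calls it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def classify(not_after, now, warn_days=30):
    """Return (status, days).

    status is 'expired', 'expiring' or 'ok'; days is days overdue for an
    expired certificate and days remaining otherwise.
    """
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    seconds = (expiry - now).total_seconds()
    if seconds <= 0:
        return "expired", int(-seconds // 86400)
    days = int(seconds // 86400)
    return ("expiring" if days < warn_days else "ok"), days


def report(inventory, now=None, warn_days=30):
    """Classify every host in the inventory; the caller alerts on anything not 'ok'."""
    now = now or datetime.now(timezone.utc)
    return {host: classify(not_after, now, warn_days) for host, not_after in inventory.items()}


if __name__ == "__main__":
    for host, (status, days) in sorted(report(INVENTORY, EXAMPLE_NOW).items()):
        print(f"{status:9} {days:5d}d  {host}")
```

    Run on a schedule against the real inventory, anything reported as `expired` or `expiring` should page someone; the point of the Equifax finding is that an expired certificate on a monitoring device is not a cosmetic problem but a loss of visibility.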
    JazzJazz Registered User regular
    And what will be done?

    I'm guessing nothing.

    TetraNitroCubaneTetraNitroCubane The Djinnerator At the bottom of a bottleRegistered User regular
    Oh, I'm sure something will happen.

    Probably that Equifax will find some way to pass their legal fees on to the consumer, and/or leverage this debacle to increase their profits. But consequences for their obvious negligence? Never.

    MugsleyMugsley DelawareRegistered User regular
    Equifax: "We lost money because we can't charge you to freeze your credit anymore"
    Public: "Why bother? You already gave that info to everyone!"

    BucketmanBucketman Call me SkraggRegistered User regular
    Darkewolfe wrote: »
    Goodwill also doesn't accept TVs at all anymore. I believe some sort of environmental disposal fee was added in the last 10 years.

    I heard too many were donated full of various insect eggs.

    CaedwyrCaedwyr Registered User regular
    If you are in Canada, London Drugs accepts TVs for recycling and doesn't charge.

    ShadowfireShadowfire Vermont, in the middle of nowhereRegistered User regular
    Bucketman wrote: »
    Darkewolfe wrote: »
    Goodwill also doesn't accept TVs at all anymore. I believe some sort of environmental disposal fee was added in the last 10 years.

    I heard too many were donated full of various insect eggs.

    I've opened so many computers and TVs that were full of bugs.

    :eek:

    WiiU: Windrunner ; Guild Wars 2: Shadowfire.3940 ; PSN: Bradcopter
    JazzJazz Registered User regular
    Bucketman wrote: »
    Darkewolfe wrote: »
    Goodwill also doesn't accept TVs at all anymore. I believe some sort of environmental disposal fee was added in the last 10 years.

    I heard too many were donated full of various insect eggs.

    I had an N64 traded in that was full to the brim with dead cockroaches.

    And it still worked perfectly...

    VoodooVVoodooV Registered User regular
    Oh hey. The House Oversight and Government Reform Committee has released their findings on the Equifax Breach.

    Let's look at some highlights!
    • Entirely preventable. Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues, the data breach could have been prevented.
    • Lack of accountability and management structure. Equifax failed to implement clear lines of authority within their internal IT management structure, leading to an execution gap between IT policy development and operation. Ultimately, the gap restricted the company’s ability to implement security initiatives in a comprehensive and timely manner.
    • Complex and outdated IT systems. Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment. Both the complexity and antiquated nature of Equifax’s custom-built legacy systems made IT security especially challenging.
    • Failure to implement responsible security measurements. Equifax allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains. Failure to renew an expired digital certificate for 19 months left Equifax without visibility on the exfiltration of data during the time of the cyberattack.
    • Unprepared to support affected consumers. After Equifax informed the public of the data breach, they were unprepared to identify, alert and support affected consumers. The breach website and call centers were immediately overwhelmed, resulting in affected consumers being unable to access information necessary to protect their identity.
    1wUPde9.jpg

    (I mean, nothing's going to happen, I realize. But that image is just too good not to share.)

    Thing is though, the things described here could be describing just about any organization. It seems to describe my previous workplace. I'm not absolving them, but security is hard. All it takes is just one mistake, one unpatched system or application. And, of course, someone dedicated to finding that weakness and exploiting it.

    LD50LD50 Registered User regular
    VoodooV wrote: »
    Oh hey. The House Oversight and Government Reform Committee has released their findings on the Equifax Breach.

    Let's look at some highlights!
    • Entirely preventable. Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues, the data breach could have been prevented.
    • Lack of accountability and management structure. Equifax failed to implement clear lines of authority within their internal IT management structure, leading to an execution gap between IT policy development and operation. Ultimately, the gap restricted the company’s ability to implement security initiatives in a comprehensive and timely manner.
    • Complex and outdated IT systems. Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment. Both the complexity and antiquated nature of Equifax’s custom-built legacy systems made IT security especially challenging.
    • Failure to implement responsible security measurements. Equifax allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains. Failure to renew an expired digital certificate for 19 months left Equifax without visibility on the exfiltration of data during the time of the cyberattack.
    • Unprepared to support affected consumers. After Equifax informed the public of the data breach, they were unprepared to identify, alert and support affected consumers. The breach website and call centers were immediately overwhelmed, resulting in affected consumers being unable to access information necessary to protect their identity.
    1wUPde9.jpg

    (I mean, nothing's going to happen, I realize. But that image is just too good not to share.)

    Thing is though, the things described here could be describing just about any organization. It seems to describe my previous workplace. I'm not absolving them, but security is hard. All it takes is just one mistake, one unpatched system or application. And, of course, someone dedicated to finding that weakness and exploiting it.

    I'm sorry, but no.

    I work in the tech sector of a similar industry (healthcare). Sure, we have outdated systems running behind the scenes in some places, but none of that is exposed to the internet. Only the slimmest of systems is exposed to the internet-at-large, and it is locked down and kept up to date.

    TetraNitroCubaneTetraNitroCubane The Djinnerator At the bottom of a bottleRegistered User regular
    edited December 2018
    I mean, there's missing a small detail here and there, which can have a big impact. And then there's ridiculously absurd gross negligence, as is the case with a recent audit of the US ballistic missile system.
    No data encryption, no antivirus programs, no multifactor authentication mechanisms, and 28-year-old unpatched vulnerabilities are just some of the cyber-security failings described in a security audit of the US' ballistic missile system released on Friday by the US Department of Defense Inspector General (DOD IG).

    ...

    DOD IG inspectors found that IT administrators at three of the five locations they visited had failed to apply security patches, leaving computers and adjacent network systems vulnerable to remote or local attacks.

    Investigators found that systems were not patched for vulnerabilities discovered and fixed in 2016, 2013, and even going as far back as 1990.

    The DOD IG report is heavily redacted in this particular section, suggesting that MDA administrators are still patching these flaws.

    That's a bit of a sphincter-clencher.

    MugsleyMugsley DelawareRegistered User regular
    I'm all for transparency, but it does raise the question at some level whether items such as this should not be made public (or as public). Yes, it's public money, but it's also basically saying, "YO CHECK OUT THIS HOLE IN OUR FENCE WE SHOULD MAYBE CLOSE IT SOME DAY MAYBE," and that bothers me a little.

    I'm torn on what level of transparency (or, if you will, spotlight) should be given to issues like this.

    TetraNitroCubaneTetraNitroCubane The Djinnerator At the bottom of a bottleRegistered User regular
    edited December 2018
    I mean, generally security by obscurity is no security at all. But in a situation like this putting a neon blinking sign on a potential vulnerability seems like a bad idea.

    LD50LD50 Registered User regular
    I feel like they should follow industry best practices in this case. Report the vulnerability directly to the 'owner' with a deadline for a public release.

    bowenbowen How you doin'? Registered User regular
    edited December 2018
    LD50 wrote: »
    VoodooV wrote: »
    Oh hey. The House Oversight and Government Reform Committee has released their findings on the Equifax Breach.

    Let's look at some highlights!
    • Entirely preventable. Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues, the data breach could have been prevented.
    • Lack of accountability and management structure. Equifax failed to implement clear lines of authority within their internal IT management structure, leading to an execution gap between IT policy development and operation. Ultimately, the gap restricted the company’s ability to implement security initiatives in a comprehensive and timely manner.
    • Complex and outdated IT systems. Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment. Both the complexity and antiquated nature of Equifax’s custom-built legacy systems made IT security especially challenging.
    • Failure to implement responsible security measurements. Equifax allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains. Failure to renew an expired digital certificate for 19 months left Equifax without visibility on the exfiltration of data during the time of the cyberattack.
    • Unprepared to support affected consumers. After Equifax informed the public of the data breach, they were unprepared to identify, alert and support affected consumers. The breach website and call centers were immediately overwhelmed, resulting in affected consumers being unable to access information necessary to protect their identity.
    1wUPde9.jpg

    (I mean, nothing's going to happen, I realize. But that image is just too good not to share.)

    Thing is though, the things described here could be describing just about any organization. It seems to describe my previous workplace. I'm not absolving them, but security is hard. All it takes is just one mistake, one unpatched system or application. And, of course, someone dedicated to finding that weakness and exploiting it.

    I'm sorry, but no.

    I work in the tech sector of a similar industry (healthcare). Sure, we have outdated systems running behind the scenes in some places, but none of that is exposed to the internet. Only the slimmest of systems is exposed to the internet-at-large, and it is locked down and kept up to date.

    Yeah HIPAA and HITECH pretty much don't allow for it.

    I had to design a public API to interface with our patient data, and it requires HTTPS, an API key (the API won't even talk to you without it), and a JWT after the user is authenticated.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
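    The three-layer gate bowen describes (TLS first, then an API key the service will not talk without, then a JWT issued after the user logs in) is easy to get subtly wrong, so here is an added example of it in plain Python, not bowen's code or any real API. It issues and verifies HS256 tokens with the standard library only, pins the algorithm so a token cannot choose its own, compares signatures in constant time, stores API keys hashed, and refuses anything that did not arrive over HTTPS. The secret, the API key and the `request` dict shape are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secrets for this example only. In a real service both come from a
# secret store; API keys are kept hashed so a database leak does not leak keys.
API_KEY_HASHES = {hashlib.sha256(b"demo-client-key").hexdigest()}
JWT_SECRET = b"constructed-demo-signing-secret"


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(subject, ttl_seconds, now=None):
    """Issue an HS256 token once the user has authenticated (the 'JWT after auth' step)."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps({"sub": subject, "iat": now, "exp": now + ttl_seconds},
                                       separators=(",", ":")).encode())
    signature = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_jwt(token, now=None):
    """Return the claims if the token is well-formed, signed by us with HS256 and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: the verifier decides it, never the token ("none", HS/RS confusion).
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(JWT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, AttributeError):
        return None  # malformed base64/JSON or a non-object header
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now or not isinstance(claims.get("sub"), str):
        return None
    return claims


def authorize(request, now=None):
    """Gate one API call: transport, then API key, then bearer JWT. Returns (decision, detail)."""
    headers = request.get("headers", {})
    if request.get("scheme") != "https":
        return "reject", "plaintext transport"
    presented = headers.get("X-API-Key", "")
    if hashlib.sha256(presented.encode()).hexdigest() not in API_KEY_HASHES:
        return "reject", "unknown api key"  # nothing else is evaluated without a valid key
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return "reject", "missing bearer token"
    claims = verify_jwt(auth[len("Bearer "):], now)
    if claims is None:
        return "reject", "invalid or expired token"
    return "allow", claims["sub"]


if __name__ == "__main__":
    token = mint_jwt("nurse42", ttl_seconds=600)
    call = {"scheme": "https",
            "headers": {"X-API-Key": "demo-client-key", "Authorization": "Bearer " + token}}
    print(authorize(call))
```

    The order matters for the same reason bowen gives: the key check is cheap and rejects unregistered clients before any token parsing happens, and the scheme check means a misconfigured reverse proxy that forwards plain HTTP still gets refused rather than silently trusted.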
    MugsleyMugsley DelawareRegistered User regular
    Most of you already know this, but for those who see "military level security" on various offerings: the main AV/browser security contract for the military is currently held by McAfee. So, yeah.

    hippofanthippofant ティンク Registered User regular
    edited December 2018
    VoodooV wrote: »
    Oh hey. The House Oversight and Government Reform Committee has released their findings on the Equifax Breach.

    Let's look at some highlights!
    • Entirely preventable. Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues, the data breach could have been prevented.
    • Lack of accountability and management structure. Equifax failed to implement clear lines of authority within their internal IT management structure, leading to an execution gap between IT policy development and operation. Ultimately, the gap restricted the company’s ability to implement security initiatives in a comprehensive and timely manner.
    • Complex and outdated IT systems. Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment. Both the complexity and antiquated nature of Equifax’s custom-built legacy systems made IT security especially challenging.
    • Failure to implement responsible security measurements. Equifax allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains. Failure to renew an expired digital certificate for 19 months left Equifax without visibility on the exfiltration of data during the time of the cyberattack.
    • Unprepared to support affected consumers. After Equifax informed the public of the data breach, they were unprepared to identify, alert and support affected consumers. The breach website and call centers were immediately overwhelmed, resulting in affected consumers being unable to access information necessary to protect their identity.
    1wUPde9.jpg

    (I mean, nothing's going to happen, I realize. But that image is just too good not to share.)

    Thing is though, the things described here could be describing just about any organization. It seems to describe my previous workplace. I'm not absolving them, but security is hard. All it takes is just one mistake, one unpatched system or application. And, of course, someone dedicated to finding that weakness and exploiting it.

    Okay, well have you considered patching all your systems? And renewing your certificates?

    Security's not that hard. Security in an environment where nobody else gives a fuck about security is hard.

    VoodooVVoodooV Registered User regular
    hippofant wrote: »
    VoodooV wrote: »
    Oh hey. The House Oversight and Government Reform Committee has released their findings on the Equifax Breach.

    Let's look at some highlights!
    • Entirely preventable. Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues, the data breach could have been prevented.
    • Lack of accountability and management structure. Equifax failed to implement clear lines of authority within their internal IT management structure, leading to an execution gap between IT policy development and operation. Ultimately, the gap restricted the company’s ability to implement security initiatives in a comprehensive and timely manner.
    • Complex and outdated IT systems. Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment. Both the complexity and antiquated nature of Equifax’s custom-built legacy systems made IT security especially challenging.
    • Failure to implement responsible security measurements. Equifax allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains. Failure to renew an expired digital certificate for 19 months left Equifax without visibility on the exfiltration of data during the time of the cyberattack.
    • Unprepared to support affected consumers. After Equifax informed the public of the data breach, they were unprepared to identify, alert and support affected consumers. The breach website and call centers were immediately overwhelmed, resulting in affected consumers being unable to access information necessary to protect their identity.
    1wUPde9.jpg

    (I mean, nothing's going to happen, I realize. But that image is just too good not to share.)

    Thing is though, the things described here could be describing just about any organization. It seems to describe my previous workplace. I'm not absolving them, but security is hard. All it takes is just one mistake, one unpatched system or application. And, of course, someone dedicated to finding that weakness and exploiting it.

    Okay, well have you considered patching all your systems? And renewing your certificates?

    Security's not that hard. Security in an environment where nobody else gives a fuck about security is hard.

    That's actually my point. Every organization has someone in charge of decisions that doesn't think security is important, or at the very least only gives lip service to it. And there is also the issue of internal security; you're not magically immune to threats even if all your public-facing stuff is patched and using best practices. Like I said, all it takes is one goof up, be it lack of executive buy-in or an insider threat, and even the most diligent, security-minded teams fuck up eventually. And there is always the zero day.

    DarkewolfeDarkewolfe Registered User regular
    Until we tie security failures directly to losing lots of money for the specific people allowing them to happen, this won't get fixed. If we do that, it will get fixed.

    What is this I don't even.
    UnbrokenEvaUnbrokenEva HIGH ON THE WIRE BUT I WON'T TRIP ITRegistered User regular
    So about 3 years ago I switched from a helpdesk role to handling all the user technology training, and the internet being what it is, that means probably 1/3 of what I do is security awareness stuff. Training courses (mandatory for all new users, not yet mandatory for everyone else despite my best efforts), information sessions, newsletter updates on current threats and scams, etc.

    This means that when people do get an email that freaks them out or that they think might be a scam, they'll often forward it to me to confirm, which is great. I would much rather they check with me on stuff like that, and it gives me examples to use for future communications/courses.

    I had two get sent to me today. One was trying way too hard and was pretty obvious, the other was a nasty piece of work that I can see working far too often.

    Scam A claimed the user's account had been hacked, spoofing their email address as the sending account as "proof". It went on to use a bunch of jargon to claim how they'd hacked them, and then said they had proof that the user was watching freaky porn on their work computer, webcam footage, etc. that they would send to the user's employer if they didn't pay a ransom in bitcoins.

    Except 1) that scam only works on people who actually have been doing that stuff, especially with the webcam comment, and 2) they sent it to a shared mailbox used by a department for subscribing to mailing lists, not an actual user. Still, "You have been hacked" in the subject line freaked the user out enough that they sent it to me.


    Scam B bothers me more than any other phishing attempt I've seen to date. Our payroll administrator received an email from a gmail account set up to impersonate one of our users. The email claimed the user had just switched banks and needed to update their direct deposit information, and could this be done in time for the current pay period? Basically trying to reroute the user's paycheck to an account controlled by the scammer.

    Thankfully the payroll admin CC'd the user's work email account on their reply, notifying the user of the impersonation attempt and giving them a chance to shut it down. Still, it's not hard to see how easily someone could fall for this, and I'm sure this has worked elsewhere.

    I've seen lots of fraudulent wire transfer requests and iTunes gift card scams and while those are plenty shitty, there's just something about trying to steal a person's entire paycheck that really makes my skin crawl.

    LostNinjaLostNinja Registered User regular
    edited January 2019
    Fearghaill wrote: »
    So about 3 years ago I switched from a helpdesk role to handling all the user technology training, and the internet being what it is, that means probably 1/3 of what I do is security awareness stuff. Training courses (mandatory for all new users, not yet mandatory for everyone else despite my best efforts), information sessions, newsletter updates on current threats and scams, etc.

    This means that when people do get an email that freaks them out or that they think might be a scam, they'll often forward it to me to confirm, which is great. I would much rather they check with me on stuff like that, and it gives me examples to use for future communications/courses.

    I had two get sent to me today. One was trying way too hard and was pretty obvious, the other was a nasty piece of work that I can see working far too often.

    Scam A claimed the user's account had been hacked, spoofing their email address as the sending account as "proof". It went on to use a bunch of jargon to claim how they'd hacked them, and then said they had proof that the user was watching freaky porn on their work computer, webcam footage, etc. that they would send to the user's employer if they didn't pay a ransom in bitcoins.

    Except 1) that scam only works on people who actually have been doing that stuff, especially with the webcam comment, and 2) they sent it to a shared mailbox used by a department for subscribing to mailing lists, not an actual user. Still, "You have been hacked" in the subject line freaked the user out enough that they sent it to me.


    Scam B bothers me more than any other phishing attempt I've seen to date. Our payroll administrator received an email from a gmail account set up to impersonate one of our users. The email claimed the user had just switched banks and needed to update their direct deposit information, and could this be done in time for the current pay period? Basically trying to reroute the user's paycheck to an account controlled by the scammer.

    Thankfully the payroll admin CC'd the user's work email account on their reply, notifying the user of the impersonation attempt and giving them a chance to shut it down. Still, it's not hard to see how easily someone could fall for this, and I'm sure this has worked elsewhere.

    I've seen lots of fraudulent wire transfer requests and iTunes gift card scams and while those are plenty shitty, there's just something about trying to steal a person's entire paycheck that really makes my skin crawl.

    Protecting from this would probably be the same as the CEO scam. Always call the person's work phone (which you already have) or walk over to their desk to verify.

    LostNinjaLostNinja Registered User regular
    .

    UnbrokenEvaUnbrokenEva HIGH ON THE WIRE BUT I WON'T TRIP ITRegistered User regular
    LostNinja wrote: »
    Fearghaill wrote: »
    So about 3 years ago I switched from a helpdesk role to handling all the user technology training, and the internet being what it is, that means probably 1/3 of what I do is security awareness stuff. Training courses (mandatory for all new users, not yet mandatory for everyone else despite my best efforts), information sessions, newsletter updates on current threats and scams, etc.

    This means that when people do get an email that freaks them out or that they think might be a scam, they'll often forward it to me to confirm, which is great. I would much rather they check with me on stuff like that, and it gives me examples to use for future communications/courses.

    I had two get sent to me today. One was trying way too hard and was pretty obvious, the other was a nasty piece of work that I can see working far too often.

    Scam A claimed the user's account had been hacked, spoofing their email address as the sending account as "proof". It went on to use a bunch of jargon to claim how they'd hacked them, and then said they had proof that the user was watching freaky porn on their work computer, webcam footage, etc. that they would send to the user's employer if they didn't pay a ransom in bitcoins.

    Except 1) that scam only works on people who actually have been doing that stuff, especially with the webcam comment, and 2) they sent it to a shared mailbox used by a department for subscribing to mailing lists, not an actual user. Still, "You have been hacked" in the subject line freaked the user out enough that they sent it to me.


    Scam B bothers me more than any other phishing attempt I've seen to date. Our payroll administrator received an email from a gmail account set up to impersonate one of our users. The email claimed the user had just switched banks and needed to update their direct deposit information, and could this be done in time for the current pay period? Basically trying to reroute the user's paycheck to an account controlled by the scammer.

    Thankfully the payroll admin CC'd the user's work email account on their reply, notifying the user of the impersonation attempt and giving them a chance to shut it down. Still, it's not hard to see how easily someone could fall for this, and I'm sure this has worked elsewhere.

    I've seen lots of fraudulent wire transfer requests and iTunes gift card scams and while those are plenty shitty, there's just something about trying to steal a person's entire paycheck that really makes my skin crawl.

    Protecting from this would probably be the same as the CEO scam. Always call the person's work phone (which you already have) or walk over to their desk to verify.

    yup

    we've also got software that is supposed to flag suspected impersonation attempts, and the sensitivity on it just got turned up for payroll staff

    Mr_RoseMr_Rose 83 Blue Ridge Protects the Holy Registered User regular
    What software is that? We need something like that for some of our customers and recommendations from someone who actually uses it are always preferred.

    ...because dragons are AWESOME! That's why.
    Nintendo Network ID: AzraelRose
    DropBox invite link - get 500MB extra free.
    UnbrokenEvaUnbrokenEva HIGH ON THE WIRE BUT I WON'T TRIP ITRegistered User regular
    We’re using Mimecast, which has a whole suite of email security stuff. Impersonation checks (anything it’s 100% certain about it blocks outright; anything less it flags by adding [SUSPICIOUS] to the subject line), it can pre-scan URLs in incoming email links when clicked to catch known malicious sites, and my personal favourite: it automatically strips all potentially unsafe document attachments (Office/PDF/etc.) and converts them to PDF, thereby stripping out any code, harmful or otherwise, and gives that to the user with a second attachment containing instructions and a link to request the original attachment once they’ve confirmed it’s safe.

    That way when one of them gets an “invoice” they weren’t expecting from someone they’ve never heard of, they can safely give in to their curiosity and open it up just in case without infecting their computer in the process.

    That said, even the best software can’t help if the user is too trusting. We had one case where someone got that, opened the PDF and saw a message that said “This document was created in an online version of Word; to view, click ‘Enable Editing’ and then ‘Enable Content’”, so naturally they released the original attachment and followed the very helpful instructions.

    UnbrokenEvaUnbrokenEva HIGH ON THE WIRE BUT I WON'T TRIP ITRegistered User regular
    To be honest, the impersonation part hasn’t wowed me, or at least some stuff has gotten through unflagged that I wouldn’t have expected, but I have a feeling that we have the sensitivity set lower than recommended for most users on account of the shitstorm that would occur if a false-positive led to someone missing an important client email.


    We actually once had a Partner demand to be exempted from all email filtering, including spam filters, because a client email had gotten caught in quarantine and was delayed.

    They almost made it a whole day before begging to have the filters turned back on.
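    To make the impersonation-check idea concrete, here is an added example, not Mimecast's logic or anything from the thread, of the kind of heuristics such a filter applies to the direct-deposit scam described above: a display name that matches a staff member but comes from an outside domain, a look-alike sender domain, a Reply-To that points somewhere else, and an external sender talking about payroll details. Two signals block, one signal gets the [SUSPICIOUS] subject tag, none delivers. The staff directory, internal domain and the four sample messages are constructed for the example, and the thresholds are the part you would tune per mailbox, as the post above describes doing for payroll staff.

```python
import re
from email.utils import parseaddr

# Constructed directory and domain for the example (placeholder names, not real people).
INTERNAL_DOMAINS = {"example.com"}
DIRECTORY = {"jane doe": "jane.doe@example.com", "pat payroll": "pat.payroll@example.com"}
PAYROLL_TERMS = ("direct deposit", "bank account", "routing number", "payroll")


def normalise_name(name):
    """Lower-case, strip punctuation and collapse spaces so 'J.a.n.e  Doe' still matches."""
    return " ".join(re.sub(r"[^a-z ]", "", name.lower()).split())


def edit_distance(a, b):
    """Levenshtein distance; used to catch one-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rpartition("@")[2].lower()


def assess(message):
    """message: dict with From, Subject, Body and optional Reply-To headers.

    Returns (verdict, reasons, subject_as_delivered) where verdict is
    'block', 'flag' or 'deliver'.
    """
    name, addr = parseaddr(message.get("From", ""))
    sender_domain = domain_of(addr)
    reasons = []
    if normalise_name(name) in DIRECTORY and sender_domain not in INTERNAL_DOMAINS:
        reasons.append("display name matches staff but sender domain is external")
    for internal in INTERNAL_DOMAINS:
        if sender_domain != internal and edit_distance(sender_domain, internal) <= 1:
            reasons.append(f"look-alike domain {sender_domain}")
    _, reply_to = parseaddr(message.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        reasons.append("Reply-To domain differs from sender")
    text = (message.get("Subject", "") + " " + message.get("Body", "")).lower()
    if sender_domain not in INTERNAL_DOMAINS and any(term in text for term in PAYROLL_TERMS):
        reasons.append("external sender discussing payroll details")
    subject = message.get("Subject", "")
    if len(reasons) >= 2:
        return "block", reasons, subject
    if reasons:
        return "flag", reasons, "[SUSPICIOUS] " + subject
    return "deliver", reasons, subject


# Constructed sample messages, modelled on the scenarios described in the thread.
MESSAGES = [
    {"From": "Jane Doe <jane.doe.hr2019@gmail.com>", "Subject": "Direct deposit change",
     "Body": "I switched banks, can you update my direct deposit before this pay period?"},
    {"From": "Accounts <billing@examp1e.com>", "Subject": "Invoice 4471",
     "Body": "Please see the attached invoice."},
    {"From": "Jane Doe <jane.doe@example.com>", "Subject": "Lunch?",
     "Body": "Free at noon?"},
    {"From": "Bob Builder <bob@contractor.net>", "Reply-To": "bob@other-mail.org",
     "Subject": "Quote", "Body": "Quote for the renovation attached."},
]

if __name__ == "__main__":
    for msg in MESSAGES:
        verdict, reasons, subject = assess(msg)
        print(f"{verdict:8} {subject!r}  {'; '.join(reasons) or '-'}")
```

    The display-name check is the one that catches the paycheck scam, and it only works if the directory it compares against is kept current; the out-of-band phone call LostNinja suggests is still the control that makes the decision, the filter just makes sure the message arrives already marked.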

    BucketmanBucketman Call me SkraggRegistered User regular
    Fearghaill wrote: »
    So about 3 years ago I switched from a helpdesk role to handling all the user technology training, and the internet being what it is, that means probably 1/3 of what I do is security awareness stuff. Training courses (mandatory for all new users, not yet mandatory for everyone else despite my best efforts), information sessions, newsletter updates on current threats and scams, etc.

    This means that when people do get an email that freaks them out or that they think might be a scam, they'll often forward it to me to confirm, which is great. I would much rather they check with me on stuff like that, and it gives me examples to use for future communications/courses.

    I had two get sent to me today. One was trying way too hard and was pretty obvious, the other was a nasty piece of work that I can see working far too often.

    Scam A claimed the user's account had been hacked, spoofing their email address as the sending account as "proof". It went on to use a bunch of jargon to claim how they'd hacked them, and then said they had proof that the user was watching freaky porn on their work computer, webcam footage, etc. that they would send to the user's employer if they didn't pay a ransom in bitcoins.

    Except 1) that scam only works on people who actually have been doing that stuff, especially with the webcam comment, and 2) they sent it to a shared mailbox used by a department for subscribing to mailing lists, not an actual user. Still, "You have been hacked" in the subject line freaked the user out enough that they sent it to me.


    Scam B bothers me more than any other phishing attempt I've seen to date. Our payroll administrator received an email from a gmail account set up to impersonate one of our users. The email claimed the user had just switched banks and needed to update their direct deposit information, and could this be done in time for the current pay period? Basically trying to reroute the user's paycheck to an account controlled by the scammer.

    Thankfully the payroll admin CC'd the user's work email account on their reply, notifying the user of the impersonation attempt and giving them a chance to shut it down. Still, it's not hard to see how easily someone could fall for this, and I'm sure this has worked elsewhere.

    I've seen lots of fraudulent wire transfer requests and iTunes gift card scams and while those are plenty shitty, there's just something about trying to steal a person's entire paycheck that really makes my skin crawl.

    Good on you for training your employees to catch this! I've been hearing a lot of scam A's going around, or at the very least something very similar. The B one though is tricky and I know several people I've worked with in the past who've fallen for worse.
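A small triage check for the two patterns described in the quoted post (Scam A: a From header spoofing the user's own address; Scam B: an outside mailbox using an employee's display name), added here as an example and not code from anyone in the thread. The employee directory, the internal domain and the three sample messages are constructed for the example.

```python
import email
from email.utils import parseaddr

# Constructed employee directory: display name -> corporate address.
DIRECTORY = {"Jane Doe": "jane.doe@example.com"}
INTERNAL_DOMAINS = {"example.com"}


def auth_result(msg, method):
    """Return the spf=/dmarc= verdict recorded by our own MX in
    Authentication-Results, or None if the header is absent."""
    for hdr in msg.get_all("Authentication-Results", []):
        for part in hdr.split(";"):
            part = part.strip().lower()
            if part.startswith(method + "="):
                return part.split("=", 1)[1].split()[0]
    return None


def classify(raw):
    """Return a list of impersonation flags for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    # Scam A: the From address claims to be us, but the sending host
    # failed the checks our domain publishes. Treat as spoofed.
    if domain in INTERNAL_DOMAINS:
        if auth_result(msg, "spf") != "pass" or auth_result(msg, "dmarc") != "pass":
            flags.append("internal-from-auth-fail")
    # Scam B: the display name is one of our people, but the address is an
    # outside domain (e.g. a fresh webmail account). Authentication passes
    # because the attacker really does control that outside mailbox.
    if DIRECTORY.get(name) and domain not in INTERNAL_DOMAINS:
        flags.append("display-name-impersonation")
    # Common in both: replies steered to a different domain than the From.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        flags.append("reply-to-mismatch")
    return flags


# Constructed sample messages (headers only matter for this check).
SCAM_A = """From: jane.doe@example.com
To: listsubs@example.com
Subject: You have been hacked
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail header.from=example.com

Your account has been hacked, pay in bitcoin.
"""
SCAM_B = """From: Jane Doe <jane.doe.payroll@gmail.com>
To: payroll@example.com
Subject: Direct deposit change
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com; dmarc=pass header.from=gmail.com

I just switched banks, can you update my direct deposit before this pay period?
"""
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Timesheet
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dmarc=pass header.from=example.com

Timesheet attached.
"""

if __name__ == "__main__":
    for label, sample in (("A", SCAM_A), ("B", SCAM_B), ("legit", LEGIT)):
        print(label, classify(sample))
```

Neither rule blocks on its own; a payroll-change request carrying either flag is what you route to a human (and, as in the post, confirm with the employee's known corporate address).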

    kaliyamakaliyama Left to find less-moderated fora Registered User regular
    edited January 2019
    Fearghaill wrote: »
    To be honest, the impersonation part hasn’t wowed me, or at least some stuff has gotten through unflagged that I wouldn’t have expected, but I have a feeling that we have the sensitivity set lower than recommended for most users on account of the shitstorm that would occur if a false-positive led to someone missing an important client email.


    We actually once had a Partner demand to be exempted from all email filtering, including spam filters, because a client email had gotten caught in quarantine and was delayed.

    They almost made it a whole day before begging to have the filters turned back on.

    If you’re referencing a partner, you probably work at a law or accounting firm. I’m a partner at one of those. Shitty spam filtering and attachment issues almost blew the deadline on a $300 million deal I was working on, and clients demand 24/7 responsiveness and will fire you if you miss something important. That’s why people chafe under spam filters.

    I think the answer, rather than to maliciously comply by turning off spam filtering, is to give people better real time access to what’s being filtered via better mimecast integration and training.


    LD50LD50 Registered User regular
    kaliyama wrote: »
    Fearghaill wrote: »
    To be honest, the impersonation part hasn’t wowed me, or at least some stuff has gotten through unflagged that I wouldn’t have expected, but I have a feeling that we have the sensitivity set lower than recommended for most users on account of the shitstorm that would occur if a false-positive led to someone missing an important client email.


    We actually once had a Partner demand to be exempted from all email filtering, including spam filters, because a client email had gotten caught in quarantine and was delayed.

    They almost made it a whole day before begging to have the filters turned back on.

    If you’re referencing a partner, you probably work at a law or accounting firm. I’m a partner at one of those. Shitty spam filtering and attachment issues almost blew the deadline on a $300 million deal I was working on, and clients demand 24/7 responsiveness and will fire you if you miss something important. That’s why people chafe under spam filters.

    I think the answer, rather than to maliciously comply by turning off spam filtering, is to give people better real time access to what’s being filtered via better mimecast integration and training.


    I think that's a pipe dream. Most users are too inept to understand the information you'd give them in this case.

    I think the only thing you can really do is have your level 1 support do some handholding with spam filter related issues.

    MugsleyMugsley DelawareRegistered User regular
    Question: morning news shows recently started talking about the hack/vulnerability at Epic Games (which Epic has since patched). I'm assuming this is old because I don't remember seeing anything recent on any gaming news sites or related computer sites.

    Is this recent, or is it more of the same, that mainstream news knows that Fortnite is a thing, and their parent company once had a security vulnerability?

    LD50LD50 Registered User regular
    Mugsley wrote: »
    Question: morning news shows recently started talking about the hack/vulnerability at Epic Games (which Epic has since patched). I'm assuming this is old because I don't remember seeing anything recent on any gaming news sites or related computer sites.

    Is this recent, or is it more of the same, that mainstream news knows that Fortnite is a thing, and their parent company once had a security vulnerability?

    A bit of column A and a bit of column B.

    There was a security research company that found a vulnerability back in November that allowed Epic Games accounts to be compromised. They informed Epic in private when they found the vulnerability and Epic patched it immediately. Epic did not disclose the vulnerability, so the research company released that information publicly two days ago.

    https://www.techspot.com/news/78304-epic-games-weaknesses-check-point-hack-fortnite-accounts.html

    It is a bit of a thing because although the group that found it was acting in good faith, we don't know that they were actually the first people to find the exploit. Also, Epic behaved like shitbags not disclosing that the vulnerability was a thing after the fact.

    CampyCampy Registered User regular
    So I've had a slightly worrying episode just now.

    I've recently been trying to change over to a password manager from using the same shitty weak password across all of my non-essential accounts. I got a security email from Ubisoft telling me that someone had logged onto my account from Malaysia. Not overly worrying, I don't have any identifying or credit data on the account. So I change the password with my fancy new password manager and go on with my day. Today I get another email saying someone has attempted another login, this time from Russia. So I go to check my account and not only is there a failed attempt from Russia, but a successful login attempt from Ukraine. Now, having logged in and out of my Ubi account a few times this morning, the previous login has dropped off from my login history (thanks Ubi!), so I can't double check the timing. The timing of the successful login was on the same minute as my new password login, but I don't know how Ubi sorts the display.

    As such I see there are two potential causes:
    1. The login from Ukraine was just lucky timing (for them!) and they got in just before my password change.
    2. Somehow the (seemingly) Ukrainian person logging in got access to my new password. On that front either I'm compromised or Ubi is compromised. One of which is obviously more worrying for me.

    The two later logins from Russia point to the lucky login. Either way I'm a little worried. I've changed my password again and am waiting to see if anyone else tries to log in. I'm going to raise a ticket with Ubi to get my login history and maybe alert them to a potential security flaw.

    Just hoooooow worried should I be?

    OrcaOrca Also known as Espressosaurus WrexRegistered User regular
    Change your password one more time and scan your system after booting from known-good non-writable media if you have such a beast. It's possible Ubisoft is compromised. It's also possible you're compromised.

    CampyCampy Registered User regular
    Sounds like a good idea. I think I have a copy of Linux on a USB somewhere...

    Looks like whoever it was tried to access my email account associated with Ubi too. Didn't get in though, my email was locked with a strong password already.

    FremFrem Registered User regular
    Ubisoft lets you add two-factor auth to your account. Might be worth activating from said temporary environment.

    furlionfurlion Riskbreaker Lea MondeRegistered User regular
    Frem wrote: »
    Ubisoft lets you add two-factor auth to your account. Might be worth activating from said temporary environment.

    There is zero reason to not use 2FA on every site and account that offers it.

    Gamertag: KL Retribution
    PSN:Furlion
    LD50LD50 Registered User regular
    furlion wrote: »
    Frem wrote: »
    Ubisoft lets you add two-factor auth to your account. Might be worth activating from said temporary environment.

    There is zero reason to not use 2FA on every site and account that offers it.

    Unless the 2fa is shit, in which case don't.

    I had to take 2fa off of my FFXIV account because the android app kept fucking up and unregistering.

    furlionfurlion Riskbreaker Lea MondeRegistered User regular
    LD50 wrote: »
    furlion wrote: »
    Frem wrote: »
    Ubisoft lets you add two-factor auth to your account. Might be worth activating from said temporary environment.

    There is zero reason to not use 2FA on every site and account that offers it.

    Unless the 2fa is shit, in which case don't.

    I had to take 2fa off of my FFXIV account because the android app kept fucking up and unregistering.

    Have to be honest, it didn't occur to me that someone could fuck up their own 2FA, but now that you mention it I can totally see that being a thing. I wonder how hard it is to use Google's app?

    Gamertag: KL Retribution
    PSN:Furlion
    UnbrokenEvaUnbrokenEva HIGH ON THE WIRE BUT I WON'T TRIP ITRegistered User regular
    kaliyama wrote: »
    Fearghaill wrote: »
    To be honest, the impersonation part hasn’t wowed me, or at least some stuff has gotten through unflagged that I wouldn’t have expected, but I have a feeling that we have the sensitivity set lower than recommended for most users on account of the shitstorm that would occur if a false-positive led to someone missing an important client email.


    We actually once had a Partner demand to be exempted from all email filtering, including spam filters, because a client email had gotten caught in quarantine and was delayed.

    They almost made it a whole day before begging to have the filters turned back on.

    If you’re referencing a partner, you probably work at a law or accounting firm. I’m a partner at one of those. Shitty spam filtering and attachment issues almost blew the deadline on a $300 million deal I was working on, and clients demand 24/7 responsiveness and will fire you if you miss something important. That’s why people chafe under spam filters.

    I think the answer, rather than to maliciously comply by turning off spam filtering, is to give people better real time access to what’s being filtered via better mimecast integration and training.


    There was nothing malicious in our decision to comply - they demanded it, we did our best to explain why it wasn't a good idea and offer alternatives, they insisted, and the IT director at the time said to do it. Once they saw for themselves that we weren't exaggerating about how much spam is stopped beyond what they see in their quarantine list, they agreed to have it turned back on. The "begging" was more theatrics on their part, as they had a sense of humor about it. This was years ago, before the current system. Currently our users get emailed summaries at 4 different points throughout the day, and can check the filter at any time through an Outlook plugin and/or mobile app.

    I'm aware of the importance to the business to get it right on these things, but it's a line that's getting harder to walk. When I started here I would have said we should err on the side of permissiveness, as it's better to let a dozen spam messages through than to block or delay 1 legitimate email, and while I still think that's broadly true it's getting less clear-cut as email based scams get more sophisticated and more potentially damaging. False positives are still just as bad as ever, but if the filters are too loose we start seeing wire transfer scams and fake invoices with ransomware payloads get through. The NotPetya attack from a couple years ago took one massive law firm (DLA Piper) offline for three full days, with 0 IT systems outside of mobile phones and texts. That's a lot more than one missed client email.

    Part of the answer is as you say, giving users access to the spam quarantine and training on how to use it, but unless those in charge make security training mandatory for everyone, that is an incomplete solution. Too many of these scams are designed not to fool security software, but to trick the user into circumventing it themselves. As I mentioned above, we've had two instances where computers were infected because the users believed a fake file transfer email was a legitimate client communication and effectively invited a virus onto their computers.

    LD50LD50 Registered User regular
    Yeah. Our systems contain and protect patient information. We err on the side of restrictive and that's OK. Email is not the only line of communication that exists. It is important, but not compromising the health records of every patient in the state is more important.
