To be honest, the impersonation part hasn’t wowed me, or at least some stuff has gotten through unflagged that I wouldn’t have expected, but I have a feeling that we have the sensitivity set lower than recommended for most users on account of the shitstorm that would occur if a false-positive led to someone missing an important client email.
We actually once had a Partner demand to be exempted from all email filtering, including spam filters, because a client email had gotten caught in quarantine and was delayed.
They almost made it a whole day before begging to have the filters turned back on.
If you’re referencing a partner, you probably work at a law or accounting firm. I’m a partner at one of those. Shitty spam filtering and attachment issues almost blew the deadline on a $300 million deal I was working on, and clients demand 24/7 responsiveness and will fire you if you miss something important. That’s why people chafe under spam filters.
I think the answer, rather than to maliciously comply by turning off spam filtering, is to give people better real time access to what’s being filtered via better mimecast integration and training.
I think that's a pipe dream. Most users are too inept to understand the information you'd give them in this case.
I think the only thing you can really do is have your level 1 support do some handholding with spam filter related issues.
I don't know about inept, at least in my case. I feel like everyone I work with could handle this stuff with proper training, the hard part is convincing them to make time to take it. I put a major push on getting people to take our introductory cybersecurity course the year it was launched, and I feel like even getting 1/3 of our users to attend was an accomplishment. It's mandatory for all new users, but people that have been here for decades can be a harder sell.
0
kaliyama - Left to find less-moderated fora - Registered User, regular
There was nothing malicious in our decision to comply - they demanded it, we did our best to explain why it wasn't a good idea and offer alternatives, they insisted, and the IT director at the time said to do it. Once they saw for themselves that we weren't exaggerating about how much spam is stopped beyond what they see in their quarantine list, they agreed to have it turned back on. The "begging" was more theatrics on their part, as they had a sense of humor about it. This was years ago, before the current system. Currently our users get emailed summaries at 4 different points throughout the day, and can check the filter at any time through an Outlook plugin and/or mobile app.
I'm aware of the importance to the business to get it right on these things, but it's a line that's getting harder to walk. When I started here I would have said we should err on the side of permissiveness, as it's better to let a dozen spam messages through than to block or delay 1 legitimate email, and while I still think that's broadly true it's getting less clear-cut as email based scams get more sophisticated and more potentially damaging. False positives are still just as bad as ever, but if the filters are too loose we start seeing wire transfer scams and fake invoices with ransomware payloads get through. The NotPetya attack from a couple years ago took one massive law firm (DLA Piper) offline for three full days, with 0 IT systems outside of mobile phones and texts. That's a lot more than one missed client email.
Part of the answer is as you say, giving users access to the spam quarantine and training on how to use it, but unless those in charge make security training mandatory for everyone, that is an incomplete solution. Too many of these scams are designed not to fool security software, but to trick the user into circumventing it themselves. As I mentioned above, we've had two instances where computers were infected because the users believed a fake file transfer email was a legitimate client communication and effectively invited a virus onto their computers.
Agree completely. Your answer highlights that ultimately users will have to exercise judgment and no filter can replace that judgment. This is probably already an obvious best practice, but if useful to you, our IT Dept has had lots of success in educating users with red team exercises where they send fake spearphishing emails and payloads to users and anybody who falls for it gets additional training. It is a nice way of solving some political issues - the oldest users most resistant to training are likely to have the most sensitive info. Showing them their vulnerability in a real world context helps overcome resistance to training and has been a useful teaching moment in itself.
+1
UnbrokenEva - HIGH ON THE WIRE BUT I WON'T TRIP IT - Registered User, regular
edited January 2019
Let's play What's Wrong With This Email?
What I have so far:
1. Official legal notices probably shouldn't come from gmail accounts.
2. It's weird how they at no point mention the name of the person they are sending this to, or their company, anywhere in the email.
It’s almost like they want to send the same email to thousands of people without needing to change anything.
3. It's even weirder that they don't mention their own name or company anywhere either.
4. Sending a single document through Google Docs or similar is not normal, unless you don't want it virus scanned...
5. Password protecting and putting the password in the same email adds no security... but it does make it harder to scan the file, or convert it to a PDF before opening
My company recently sent an email out for a security refresher quiz they wanted everyone to fill out. The fun begins with them using an email address from outside of our company's domain and not from one of the common online quiz providers. It then continues with all the images in the email being blocked automatically by our email filter and we don't even have the option of showing blocked images. Of course as is standard with corporate communications all the important text in the email is actually in a .jpg embedded in the email and not in text. This leaves us with a dodgy looking link emailed to everyone from an unknown email address with a short bit of text saying "check out this privacy quiz" and no signature.
Unsurprisingly, a huge amount of employees flagged it as a phishing attempt. A couple of weeks later, we start getting nag emails and comments from IT security representatives in the company through typical emails about how we should all do the survey. General response is "what survey?". This goes back and forth for a couple of weeks before we are told "okay, ignore all the stuff we have told you to do regarding phishing attempts and just click on the link and fill out the survey". People do so and then in the survey basically this exact scenario is presented and we are told that we should do what everyone did initially, but were then told by IT security people to bypass.
I think we've all learned a lot from this experience, but I don't think it was what IT security was hoping to teach us.
+19
Inquisitor77 - 2 x Penny Arcade Fight Club Champion - A fixed point in space and time - Registered User, regular
I just got an email last week from "randomtextstring@*.*.oracleoutsourcing.com" that was about my credit card reporting for expenses. It had a bunch of links that were obscured by an incredibly long internal SSO redirect (basically making it impossible to understand unless you were already familiar with those kinds of links and how to read them).
Like, this was a legitimate email that came from a nonsense sender with incredibly generic text and gobbledygook outgoing links and they expect normal employee users to actually click this, after forcing us all to go through phishing training (with corresponding mandatory quizzes) that tell us to explicitly ignore this exact scenario. In all honesty anyone who clicked the links on the email instead of logging on directly to Oracle to confirm should be forced to go through security training again, because the only thing missing to set off red flags were random spelling errors.
why are random spelling errors so common in that kind of scam anyway
I think the general consensus is that anyone smart enough to catch the spelling errors would not fall for the scam anyways. So it lets them weed out those people.
Gamertag: KL Retribution
PSN:Furlion
+3
TetraNitroCubane - The Djinnerator - At the bottom of a bottle - Registered User, regular
Like a bad movie, the sequel to the “Collections” data breach, Collections #2–#5, has snared an estimated 2.19 billion email addresses and passwords, far more than the original leak.
Researchers at the Hasso Plattner Institute have reportedly discovered that 611 million of the credentials in Collections #2–5 weren’t included in the Collection #1 database. That brings the total to 2.19 billion, though it's not clear whether some of this information may have been circulated elsewhere, according to heise.de.
My primary account's shown up in this sort of bundle something like 8 times in 8 years from various big database security failures. No one has actually bothered to steal it each time before I changed the password, but I ought to figure out how to use a password manager.
Ultimately this just shows that you NEED to use unique passwords for every system. You need to. Need to.
I mean, we also need to do away with the current password system. But in the meantime it is not tenable to reuse passwords.
What is this I don't even.
+2
TetraNitroCubane - The Djinnerator - At the bottom of a bottle - Registered User, regular
Since we're on the topic of passwords, and the EXTREME risk of password re-use, I was hoping we could re-visit the discussion of password managers.
Do people feel there's any risk involved with password managers? Obviously the ability to generate (and REgenerate) lengthy, strong passwords with minimal burden on the end user is an extremely positive benefit. Yet, password managers represent a single point of failure. I'm not just talking about compromising the master password, I mean that anything which separates the end user from their password manager. I can envision any number of situations where a password manager either leads to a user locking themselves out of all of their accounts, due to password database corruption or physical damage, or else compromise of all accounts, because they're storing their password database in the cloud or on a device that's easily broken into.
Furthermore, it seems really silly to me to put your 2FA solution and your password manager onto the same device (that is, phone). If your phone gets compromised, you lose everything - Whereas the traditional benefit of 2FA is that if either your primary computer or your phone are compromised individually, your account can't be accessed (Incidentally, this is why I'm always taken aback when 2FA devices and nothing else can be used for password resets. You've not strengthened the credentials in that case, merely made the 2FA device the new target).
You should make your email password one that's easy to remember and use 2fa.
This way if all else fails, you can still get into your email and recover everything from there. Getting a new phone to replace your old one is relatively easy anyways for the 2fa stuff.
The worst stuff is when 2fa uses something like google authenticator and you don't have the recovery keys. Make backups.
not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
It's more of a bitch that the way Google authenticator handles switching devices is "remove authenticator from that account and then add it back." There's got to be a better way when I get a new phone.
The way I've been doing it is for "important" stuff, I memorize the password: e-mail accounts, bank accounts, game logins, etc. I mainly use my password manager for accounts that I know I'm not going to be using that often and small (in importance) and I don't want to have to remember yet another password. Some accounts I would use only a few times a year and always forget the password. It has REALLY REALLY helped, and I have over 40 accounts in there now. It's crazy how every website in this universe requires you to create an account, there's no way that's manageable without reusing passwords or getting a password manager.
I personally feel that while there's risk to everything, the risk of a password manager (with an insanely long password) being breached is far lower and enables me to use highly complex, individual passwords for all my accounts.
What is this I don't even.
+4
Inquisitor77 - 2 x Penny Arcade Fight Club Champion - A fixed point in space and time - Registered User, regular
edited February 2019
I've used LastPass for years and love it. I have a different password for everything (and you don't realize how many freaking things need an account and a password now until you have to track them), and every time there's news about another breach I roll my eyes because: (a) I don't share passwords for anything, so even if Peter's Pizza were shitty and lazy and lost my password because I ordered from them that one time it doesn't impact anything else, and (b) I just go and change my passwords whenever I need to and I move on with my life.
Edit: I've heard of people who don't even save passwords except for their most important ones, and they literally just have their password managers generate a new password every time. As long as you have access to your email account and you don't mind resetting your password for each login, it's an interesting approach to say the least.
For too many people, moving the digits around in some variation of Patriots69Lover is their idea of a strong password. So you might expect something complicated like “ji32k7au4a83” would be a great password. But according to the data breach repository Have I Been Pwned (HIBP), it shows up more often than one might expect.
This interesting bit of trivia comes from self-described hardware/software engineer Robert Ou, who recently asked his Twitter followers if they could explain why this seemingly random string of numbers has been seen by HIBP over a hundred times.
Have I Been Pwned is an aggregator that was started by security expert Troy Hunt to help people find out if their email or personal data has shown up in any prominent data breaches. One service it offers is a password search that allows you to check if your password has shown up in any data breaches that are on the radar of the security community. In this case, “ji32k7au4a83” has been seen by HIBP in 141 breaches.
Several of Ou’s followers quickly figured out the solution to his riddle. The password is coming from the Zhuyin Fuhao system for transliterating Mandarin. The reason it’s showing up fairly often in a data breach repository is because “ji32k7au4a83” translates to English as “my password.”
...
It goes on to explain in depth how the unicode translates this way. It's basically the Chinese equivalent of calling your password "password".
This is one of those weird security quirks you'd likely only start to recognize after someone points it out to you at least once.
+9
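The Zhuyin riddle quoted above, worked through as an added example (my code, not from the article, Robert Ou, or anyone in this thread): on the standard Zhuyin (Bopomofo) keyboard layout every key is a Bopomofo symbol or a tone mark, so a password check can decode a candidate string back into the syllables it would type under a Zhuyin IME and compare them against a list of weak phrases. The key table is the standard Taiwanese Zhuyin layout as I know it; the weak-phrase list (我的密碼 "my password", 密碼 "password"), the sample passwords and the function names are my own constructions.

```python
"""Decode Zhuyin-keyboard passwords and flag ones that spell a weak phrase.

Added example, not code from the forum thread. Key table: standard Zhuyin
(Bopomofo) keyboard layout. Weak-phrase list: constructed for this example.
"""

# Key -> Bopomofo symbol on the standard Zhuyin keyboard layout.
ZHUYIN_KEYS = {
    "1": "ㄅ", "q": "ㄆ", "a": "ㄇ", "z": "ㄈ",
    "2": "ㄉ", "w": "ㄊ", "s": "ㄋ", "x": "ㄌ",
    "e": "ㄍ", "d": "ㄎ", "c": "ㄏ",
    "r": "ㄐ", "f": "ㄑ", "v": "ㄒ",
    "5": "ㄓ", "t": "ㄔ", "g": "ㄕ", "b": "ㄖ",
    "y": "ㄗ", "h": "ㄘ", "n": "ㄙ",
    "u": "ㄧ", "j": "ㄨ", "m": "ㄩ",
    "8": "ㄚ", "i": "ㄛ", "k": "ㄜ", ",": "ㄝ",
    "9": "ㄞ", "o": "ㄟ", "l": "ㄠ", ".": "ㄡ",
    "0": "ㄢ", "p": "ㄣ", ";": "ㄤ", "/": "ㄥ", "-": "ㄦ",
}

# Tone keys end a syllable: space = 1st tone (no mark), 6/3/4 = 2nd/3rd/4th, 7 = neutral.
TONE_KEYS = {" ": "", "6": "ˊ", "3": "ˇ", "4": "ˋ", "7": "˙"}

# Constructed blocklist: decoded syllable sequences that spell well-known weak phrases.
WEAK_ZHUYIN_PHRASES = {
    ("ㄨㄛˇ", "ㄉㄜ˙", "ㄇㄧˋ", "ㄇㄚˇ"): "我的密碼 (my password)",
    ("ㄇㄧˋ", "ㄇㄚˇ"): "密碼 (password)",
}


def decode_zhuyin_keystrokes(password):
    """Return the Bopomofo syllables `password` would produce under a Zhuyin IME.

    Returns None if any character is not a key on the Zhuyin layout, i.e. the
    string could not have been typed as Zhuyin text.
    """
    syllables = []
    current = ""
    for ch in password.lower():
        if ch in TONE_KEYS:
            if not current:          # a tone key with nothing before it is not Zhuyin text
                return None
            syllables.append(current + TONE_KEYS[ch])
            current = ""
        elif ch in ZHUYIN_KEYS:
            current += ZHUYIN_KEYS[ch]
        else:
            return None
    if current:                      # trailing syllable typed without a tone key
        syllables.append(current)
    return syllables


def weak_password_reason(password):
    """Return why `password` is weak under the Zhuyin check, or None if it passes."""
    syllables = decode_zhuyin_keystrokes(password)
    if syllables is None:
        return None
    phrase = WEAK_ZHUYIN_PHRASES.get(tuple(syllables))
    if phrase is None:
        return None
    return f"types {phrase} on a Zhuyin keyboard"


if __name__ == "__main__":
    # Constructed sample inputs: the string from the article plus two controls.
    for candidate in ("ji32k7au4a83", "au4a83", "correct horse"):
        print(candidate, "->", decode_zhuyin_keystrokes(candidate),
              weak_password_reason(candidate))
```

The point for a password policy is that a blocklist built only from English dictionary words misses strings that are dictionary words under another input method; a check like this belongs alongside, not instead of, the breached-password lookup HIBP offers, since HIBP already catches this particular string from the breaches themselves.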
NEO|Phyte - They follow the stars, bound together. Strands in a braid till the end. - Registered User, regular
It was that somehow, from within the derelict-horror, they had learned a way to see inside an ugly, broken thing... And take away its pain.
Warframe/Steam: NFyt
0
Mr_Rose - 83 Blue Ridge Protects the Holy - Registered User, regular
You gotta trick the chip into speculatively executing code with elevated privileges, cancel the execution, and read back the address of the elevated code before it clears up, then put your malicious code there then try to spec-exec the same code again, only it’s yours now. I think. But yeah arbitrary code execution is kind of a bad thing.
The answer is to sandbox their speculation system but they can’t because it’s literally spare runtime on the main core.
Orca - Also known as EspressosaurusWrex - Registered User, regular
Looks like at some point my "don't-give-a-fuck" password got compromised in one of the endless series of leaks.
I got the "Your account has been hacked! You need to unlock." bitcoin phishing email sent to an email I had set up specifically for imgur. The email contained the old "don't-give-a-fuck" password in it, which made me look at it much more closely (after I'll admit an instant of panic since the password lends credibility--clever).
Guess it's time to update my don't-care password to something new. *mutter*.
why are random spelling errors so common in that kind of scam anyway
Haven't checked this thread in a hot minute, but there are a few reasons. 1) Typically these e-mails come from English as a second-language folks. 2) A lot of these scammers and just spammers in general will use phishing e-mails built into a template to save time, and errors just get propagated. 3) Detection evasion. If a good guy is searching e-mail corpuses to look for patterns in spammers, indenting or adding misspellings is actually a decent way to evade a lot of automated detection. An extra indent here, semi-colon there, etc., can shake up some anti-spam systems.
0
UnbrokenEva - HIGH ON THE WIRE BUT I WON'T TRIP IT - Registered User, regular
I’d also heard there was an element of target selection - anyone aware enough to be warned off by spelling/grammar errors probably isn’t going to fall for the whole scam, so a few deliberate errors makes sure they don’t waste time on anyone but the truly oblivious and gullible
Hmm - not sure I've seen that. Typically, for spear phishing e-mails, you want them to be as precise and legitimate looking as possible. For ESL scammers, that's kind of tough for linguistic reasons. Like sort of...Italian to English, because Italians who write in English (while having a good mastery of speaking it) typically struggle with comma usage or other mid-sentence punctuation, and to a native English speaker it'd look kind of suspicious. I see this with wire transfer fraud e-mails to CFOs and other money people - "Please send me $$$, honest". Those are good ones - well done, targeted, and convincing as heck.
The others depend on what the motives of the spammers are, I think - keep in mind malspam is still the top way to send malware and infect victims. It's cheap, and still works. Financial fraud e-mails tend to do their best grammar-wise, but malspam e-mails, in my observation anyways, don't really care. Just click the link or open the attachment.
0
TetraNitroCubane - The Djinnerator - At the bottom of a bottle - Registered User, regular
This has been a developing story for a while now, but I think it's still worth talking about here if we can.
Thanks to a new technology in our products that is capable of detecting supply-chain attacks, our experts have uncovered what seems to be one of the biggest supply-chain incidents ever (remember CCleaner? This one’s bigger). A threat actor modified the ASUS Live Update Utility, which delivers BIOS, UEFI, and software updates to ASUS laptops and desktops, added a back door to the utility, and then distributed it to users through official channels.
The trojanized utility was signed with a legitimate certificate and was hosted on the official ASUS server dedicated to updates, and that allowed it to stay undetected for a long time. The criminals even made sure the file size of the malicious utility stayed the same as that of the original one.
This attack has apparently been going on since June or July of 2018. The fact that the attack vector is, in fact, the legitimate ASUS LiveUpdate utility is what makes it so insidious. Usually we trust a manufacturer's own distribution channels. This attack is particularly awful on another layer, because the BIOS is compromised in the process - meaning that reinstallation of the OS is not a promise of removing the malware from the machine.
Strangely, the initial attack seems to have been scanning target machines for very specific MAC addresses - only a few hundred machines were ever the subject of that attack. Now that it's out in the wild and known, I'd presume other bad actors are trying to leverage infected machines.
Kaspersky and ASUS have released tools to analyze if you are impacted by this attack - now known as Shadowhammer.
One thing that remains unclear to me is if ASUS hardware remains vulnerable even if you don't use their ASUS LiveUpdate utility. I presume not, but then again I don't know where Windows Update pulls their ASUS drivers and the like.
This isn't as strange as it sounds. By limiting the targets it significantly reduces the chance of the malware being detected (which given how long this has gone on undetected, it seems like it worked).
Man, I hate the people who name this shit. They have clearly named this attack after rowhammer, because rowhammer sounds scary, but this has nothing to do with rowhammer in any way. Hell, it's not even an exploit.
Ugh, I have an ASUS desktop but don’t think I’ve ever used live update unless it’s just in the background.
Also, that Kaspersky found it makes me sad all over again that they are at least marginally untrustworthy due to the whole Russia connection. Best AV I’ve had.
0
Shadowfire - Vermont, in the middle of nowhere - Registered User, regular
TetraNitroCubane - The Djinnerator - At the bottom of a bottle - Registered User, regular
What the hell, that's downright evil and predatory. I can't believe Office Depot looked at one of the most insidious scams, specifically one preying on aging computer-illiterate folks, and thought "Hell yeah, let's get a piece of that action".
The thing is that EVERYTHING needs a password. I can't remember fifty different passwords that I also should change every time a breach happens. Reuse is suicidal, but also your options are basically either constant reuse or resetting your password every time you go into a thing you don't use every day, cause you sure as heck ain't gonna remember the long password for that thing you set up last week.
I need to look into how password managers work, and how the whole thing works if you need to constantly access stuff from a lot of computers that aren't your own, but also the fact that I'd need to manually change fuck knows how many passwords to get it set up is kind of a barrier.
Password managers are in fact the solution to your problem. Most of them are quick to set up, easy to use, and robust. They are a necessity in this day. The one I use, KeePass, is free and will generate passwords for you. It also has an Android app that I keep synced using Dropbox. I am sure others here will recommend more.
Gamertag: KL Retribution
PSN:Furlion
+2
Orca - Also known as EspressosaurusWrex - Registered User, regular
I have used KeePass for the last...uh...8 years? And it's great on Android with Dropbox. iOS is much more of a pain in the ass due to the permissions problem (you need to manually sync your database, and who ever remembers to do that?). Still, it's worth it.
Get the email of shame "we got compromised, we value security, more lies about privacy, etc.", just generate a new password and roll your eyes. Don't have to sweat changing 50 different accounts because one of them got compromised.
Inquisitor77, 2x Penny Arcade Fight Club Champion, A fixed point in space and time
Been using LastPass for years. Highly recommended. Also hear good things about KeePass.
I don't know about inept, at least in my case. I feel like everyone I work with could handle this stuff with proper training, the hard part is convincing them to make time to take it. I put a major push on getting people to take our introductory cybersecurity course the year it was launched, and I feel like even getting 1/3 of our users to attend was an accomplishment. It's mandatory for all new users, but people that have been here for decades can be a harder sell.
Agree completely. Your answer highlights that ultimately users will have to exercise judgment and no filter can replace that judgment. This is probably already an obvious best practice, but if useful to you, our IT Dept has had lots of success in educating users with red team exercises where they send fake spearphishing emails and payloads to users and anybody who falls for it gets additional training. It is a nice way of solving some political issues - the oldest users most resistant to training are likely to have the most sensitive info. Showing them their vulnerability in a real world context helps overcome resistance to training and has been a useful teaching moment in itself.
What I have so far:
2. It's weird how they at no point mention the name of the person they are sending this to, or their company anywhere in the email
It’s almost like they want to send the same email to thousands of people without needing to change anything.
3. It's even weirder that they don't mention their own name or company anywhere either
4. Sending a single document through Google Docs or similar is not normal, unless you don't want it virus scanned...
5. Password protecting and putting the password in the same email adds no security... but it does make it harder to scan the file, or convert it to a PDF before opening
6. Threatening deadlines, weird grammar/punctuation
7. Who the hell sends legal notices through a Google Form?
Unsurprisingly, a huge number of employees flagged it as a phishing attempt. A couple of weeks later, we start getting nag emails and comments from IT security representatives in the company through typical emails about how we should all do the survey. General response is "what survey?". This goes back and forth for a couple of weeks before we are told "okay, ignore all the stuff we have told you to do regarding phishing attempts and just click on the link and fill out the survey". People do so and then in the survey basically this exact scenario is presented and we are told that we should do what everyone did initially, but were then told by IT security people to bypass.
I think we've all learned a lot from this experience, but I don't think it was what IT security was hoping to teach us.
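The checklist in the post above is mechanical enough to run as code. The following is an added example, not anything from the original thread or from the poster's IT department: each regex encodes one item from the list, the two messages are constructed for illustration (the "Pat Smith at Widgetco" recipient, the sender addresses and the Google Docs URL are all made up), and the scoring is a plain count of items that fire. Real mail filters weight these signals rather than counting them.

```python
from __future__ import annotations

import re
from email.utils import parseaddr

# Each regex encodes one item from the checklist in the post above.
GOOGLE_SHARE = re.compile(r"https?://(?:docs|forms|drive)\.google\.com/\S+", re.I)
URGENCY = re.compile(
    r"\b(?:within \d+ (?:hours|days)|immediately|deadline|final notice|legal action|urgent)\b",
    re.I,
)
PASSWORD_GIVEN = re.compile(r"\bpassword\b[^.\n]{0,20}?(?:is|:)\s*\S+", re.I)
ATTACHMENT = re.compile(r"\b(?:attached|attachment|document|file)\b|\.(?:zip|docx?|pdf|xlsx?)\b", re.I)


def analyse(msg: dict[str, str], recipient_name: str, recipient_org: str) -> list[str]:
    """Return the checklist items that fire for one message (dict with from/subject/body)."""
    text = f"{msg['subject']}\n{msg['body']}"
    low = text.lower()
    flags: list[str] = []

    # Item 2: neither the recipient's name nor their company appears anywhere.
    if recipient_name.lower() not in low and recipient_org.lower() not in low:
        flags.append("no recipient name or company in the message")

    # Item 3: the sender never identifies themselves. Accept either the From
    # display name or the sending domain's organisation label appearing in the text.
    display, addr = parseaddr(msg["from"])
    labels = addr.rsplit("@", 1)[-1].split(".") if "@" in addr else []
    org_label = labels[-2] if len(labels) >= 2 else ""
    if not (display and display.lower() in low) and not (org_label and org_label.lower() in low):
        flags.append("sender gives no name or company")

    # Items 4 and 7: a Google Docs/Drive/Forms link is the delivery mechanism.
    if GOOGLE_SHARE.search(text):
        flags.append("content delivered via a Google Docs/Drive/Forms link")

    # Item 5: the attachment password travels in the same email, which only
    # defeats scanning, not anyone who already has the email.
    if PASSWORD_GIVEN.search(text) and ATTACHMENT.search(text):
        flags.append("attachment password sent in the same email")

    # Item 6: deadline or threat language.
    if URGENCY.search(text):
        flags.append("deadline or threat language")

    return flags


# Constructed samples: one message resembling the exercise described above, one ordinary work email.
PHISH = {
    "from": "notices@docs-share-8831.com",
    "subject": "Legal Notice - action required",
    "body": (
        "Hello,\n"
        "A legal document has been shared with you. Please review it within 24 hours "
        "to avoid legal action.\n"
        "https://docs.google.com/document/d/1AbC/view\n"
        "The document password is: Notice2019\n"
        "Regards"
    ),
}
LEGIT = {
    "from": "Jane Doe <jane.doe@acme-legal.com>",
    "subject": "Contract draft for Pat Smith at Widgetco",
    "body": (
        "Hi Pat,\n"
        "Attached is the revised contract draft we discussed. Let me know if "
        "Widgetco's counsel has comments.\n"
        "Best,\nJane Doe\nAcme Legal"
    ),
}


def triage(recipient_name: str = "Pat Smith", recipient_org: str = "Widgetco") -> dict[str, list[str]]:
    """Run both constructed samples through the checklist."""
    return {name: analyse(m, recipient_name, recipient_org) for name, m in (("phish", PHISH), ("legit", LEGIT))}


if __name__ == "__main__":
    for name, flags in triage().items():
        print(f"{name}: {len(flags)} red flag(s)")
        for f in flags:
            print(f"  - {f}")
```

The recipient-name and sender-name checks are the ones a bulk template cannot satisfy without per-recipient work, which is why they carry the most weight in practice; the Google Docs and password-in-the-same-mail checks catch the scanning-evasion tricks the list calls out.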
I just got an email last week from "randomtextstring@*.*.oracleoutsourcing.com" that was about my credit card reporting for expenses. It had a bunch of links that were obscured by an incredibly long internal SSO redirect (basically making it impossible to understand unless you were already familiar with those kinds of links and how to read them).
Like, this was a legitimate email that came from a nonsense sender with incredibly generic text and gobbledygook outgoing links, and they expect normal employee users to actually click this, after forcing us all to go through phishing training (with corresponding mandatory quizzes) that tells us to explicitly ignore this exact scenario. In all honesty anyone who clicked the links in the email instead of logging on directly to Oracle to confirm should be forced to go through security training again, because the only thing missing to set off red flags were random spelling errors.
I think the general consensus is that anyone smart enough to catch the spelling errors would not fall for the scam anyways. So it lets them weed out those people.
tl;dr - Your password is probably compromised.
Do people feel there's any risk involved with password managers? Obviously the ability to generate (and REgenerate) lengthy, strong passwords with minimal burden on the end user is an extremely positive benefit. Yet, password managers represent a single point of failure. I'm not just talking about compromising the master password, I mean that anything which separates the end user from their password manager. I can envision any number of situations where a password manager either leads to a user locking themselves out of all of their accounts, due to password database corruption or physical damage, or else compromise of all accounts, because they're storing their password database in the cloud or on a device that's easily broken into.
Furthermore, it seems really silly to me to put your 2FA solution and your password manager onto the same device (that is, phone). If your phone gets compromised, you lose everything - Whereas the traditional benefit of 2FA is that if either your primary computer or your phone are compromised individually, your account can't be accessed (Incidentally, this is why I'm always taken aback when 2FA devices and nothing else can be used for password resets. You've not strengthened the credentials in that case, merely made the 2FA device the new target).
This way if all else fails, you can still get into your email and recover everything from there. Getting a new phone to replace your old one is relatively easy anyways for the 2fa stuff.
The worst stuff is when 2fa uses something like google authenticator and you don't have the recovery keys. Make backups.
The way I've been doing it is for "important" stuff, I memorize the password: e-mail accounts, bank accounts, game logins, etc. I mainly use my password manager for accounts that I know I'm not going to be using that often and small (in importance) and I don't want to have to remember yet another password. Some accounts I would use only a few times a year and always forget the password. It has REALLY REALLY helped, and I have over 40 accounts in there now. It's crazy how every website in this universe requires you to create an account, there's no way that's manageable without reusing passwords or getting a password manager.
I personally feel that while there's risk to everything, the risk of a password manager (with an insanely long password) being breached is far lower and enables me to use highly complex, individual passwords for all my accounts.
Edit: I've heard of people who don't even save passwords except for their most important ones, and they literally just have their password managers generate a new password every time. As long as you have access to your email account and you don't mind resetting your password for each login, it's an interesting approach to say the least.
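The posts above turn on three things a password manager actually buys you: generated passwords from a real random source, a memorable passphrase for the few accounts you keep in your head, and a record of which accounts share a password so that one breach notice does not mean rotating 50 logins. This is an added example, not code from KeePass, LastPass or any poster; the word list and the sample vault are constructed, and the 7776-word figure used for the passphrase entropy is the size of a standard diceware list, not of the toy list embedded here.

```python
from __future__ import annotations

import math
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed stand-in for a real word list. A real diceware list has 7776
# words, which is the number used for the entropy figure below.
WORDS = ["anvil", "bramble", "copper", "dusk", "ember", "fjord", "gale", "harbor",
         "ivory", "juniper", "kestrel", "lantern", "meadow", "nettle", "orchid", "pebble"]
DICEWARE_LIST_SIZE = 7776


def random_password(length: int = 24) -> str:
    """Vault-style password drawn from the OS CSPRNG (secrets), never random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def passphrase(words: int = 6, wordlist: list[str] = WORDS) -> str:
    """Memorable passphrase for the handful of accounts you choose to keep in your head."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform draws from `choices` symbols."""
    return picks * math.log2(choices)


def find_reuse(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map each password that appears more than once to the accounts sharing it."""
    by_password: dict[str, list[str]] = defaultdict(list)
    for account, pw in vault.items():
        by_password[pw].append(account)
    return {pw: accounts for pw, accounts in by_password.items() if len(accounts) > 1}


def rotate_after_breach(vault: dict[str, str], breached: str) -> tuple[dict[str, str], list[str]]:
    """Give the breached account, and every account that shared its password, a fresh unique one.

    Returns the new vault and the list of accounts that had to change; with no reuse
    that list is just the breached account, which is the whole point of a manager.
    """
    old = vault[breached]
    affected = [account for account, pw in vault.items() if pw == old]
    new_vault = dict(vault)
    for account in affected:
        new_vault[account] = random_password()
    return new_vault, affected


# Constructed vault: two accounts share a password, one does not.
SAMPLE_VAULT = {
    "imgur": "hunter2",
    "forum": "hunter2",
    "bank": "x9#Qv!2LpR7&wTz0Kd$4mNs@",
}

if __name__ == "__main__":
    print(f"24-char vault password: {entropy_bits(len(ALPHABET), 24):.1f} bits")
    print(f"6-word diceware passphrase: {entropy_bits(DICEWARE_LIST_SIZE, 6):.1f} bits")
    print("reused:", find_reuse(SAMPLE_VAULT))
    _, affected = rotate_after_breach(SAMPLE_VAULT, "imgur")
    print("accounts to rotate after the imgur breach:", affected)
```

A 24-character password from 94 symbols is about 157 bits; a six-word diceware passphrase is about 77 bits, less, but typeable from memory, which is the trade the "memorize the important ones" approach above is making. The rotation function is the "email of shame" workflow: the blast radius is exactly the set of accounts sharing the leaked password, so an unshared password means one change.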
Well this is pretty neat.
It goes on to explain in depth how the Unicode translates this way. It's basically the Chinese equivalent of calling your password "password".
This is one of those weird security quirks you'd likely only start to recognize after someone points it out to you at least once.
https://www.techpowerup.com/253285/spoiler-alert-new-security-vulnerability-found-affecting-intel-cpus
I am not sufficiently security savvy to work out exactly how bad this one is, I feel like we've already had some speculative execution vulnerabilities in the past.
The answer is to sandbox their speculation system but they can’t because it’s literally spare runtime on the main core.
I got the "Your account has been hacked! You need to unlock." bitcoin phishing email sent to an email I had set up specifically for imgur. The email contained the old "don't-give-a-fuck" password in it, which made me look at it much more closely (after I'll admit an instant of panic since the password lends credibility--clever).
Guess it's time to update my don't-care password to something new. *mutter*.
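The sextortion mail above works because the "don't-care" password really was in a public dump, and the practical check for whether one of your passwords is in such a dump is the k-anonymity range lookup: hash the password with SHA-1, send only the first five hex characters, and match the remaining 35 locally against the returned list. This is an added example, not the poster's code or Have I Been Pwned's own client; it runs offline against a constructed range response (the real service answers at https://api.pwnedpasswords.com/range/<prefix> in the same "SUFFIX:COUNT" line format). The suffix for "password" in the constructed response is the genuine SHA-1 suffix; the counts are made up.

```python
from __future__ import annotations

import hashlib
from typing import Callable


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Only the 5-character prefix leaves the machine; the 35-character suffix is matched locally."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times `password` appears in the breach corpus, or 0 if absent.

    `fetch_range(prefix)` must return the text body of the range query: one
    'SUFFIX:COUNT' line for every hash in the corpus that shares the prefix.
    """
    prefix, suffix = split_for_range_query(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


# Constructed stand-in for the network call. The middle line carries the real
# suffix of SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8; the
# other suffixes and all counts are invented.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "1D2E2D5C1BC3B1D1B4B8C9F6D2A5E7C4F0E:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1F5A3E7B2C9D4E6F8A0B1C2D3E4F5A6B7C8:14",
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for an HTTPS GET of the range endpoint."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "a long unique passphrase nobody has leaked"):
        prefix, _ = split_for_range_query(candidate)
        n = pwned_count(candidate, fake_fetch_range)
        print(f"{candidate!r}: sent prefix {prefix}, seen {n} time(s)")
```

The only thing transmitted is the prefix, which every one of roughly a million password hashes shares, so the service learns nothing useful about which password you checked; a non-zero count is your cue to retire that password everywhere it was ever used, not just on the account named in the scam email.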
Haven't checked this thread in a hot minute, but there are a few reasons. 1) Typically these e-mails come from English as a second-language folks. 2) A lot of these scammers and just spammers in general will use phishing e-mails built into a template to save time, and errors just get propagated. 3) Detection evasion. If a good guy is searching e-mail corpuses to look for patterns in spammers, indenting or adding misspellings is actually a decent way to evade a lot of automated detection. An extra indent here, semi-colon there, etc., can shake up some anti-spam systems.
I’d also heard there was an element of target selection - anyone aware enough to be warned off by spelling/grammar errors probably isn’t going to fall for the whole scam, so a few deliberate errors makes sure they don’t waste time on anyone but the truly oblivious and gullible
Hmm - not sure I've seen that. Typically, for spear phishing e-mails, you want them to be as precise and legitimate looking as possible. For ESL scammers, that's kind of tough for linguistic reasons. Like sort of... Italian to English, because Italians who write in English (while having a good mastery of speaking it) typically struggle with comma usage or other mid-sentence punctuation, and to a native English speaker it'd look kind of suspicious. I see this with wire transfer fraud e-mails to CFOs and other money people - "Please send me $$$, honest". Those are good ones - well done, targeted, and convincing as heck.
The others depend on what the motives of the spammers are, I think - keep in mind malspam is still the top way to send malware and infect victims. It's cheap, and still works. Financial fraud e-mails tend to do their best grammar-wise, but malspam e-mails, in my observation anyways, don't really care. Just click the link or open the attachment.
Kaspersky Labs has reported about a supply-chain attack on ASUS hardware.
This attack has apparently been going on since June or July of 2018. The fact that the attack vector is, in fact, the legitimate ASUS LiveUpdate utility is what makes it so insidious. Usually we trust a manufacturer's own distribution channels. This attack is particularly awful on another layer, because the BIOS is compromised in the process - meaning that reinstallation of the OS is not a promise of removing the malware from the machine.
Strangely, the initial attack seems to have been scanning target machines for very specific MAC addresses - only a few hundred machines were ever the subject of that attack. Now that it's out in the wild and known, I'd presume other bad actors are trying to leverage infected machines.
Kaspersky and ASUS have released tools to analyze if you are impacted by this attack - now known as Shadowhammer.
One thing that remains unclear to me is if ASUS hardware remains vulnerable even if you don't use their ASUS LiveUpdate utility. I presume not, but then again I don't know where Windows Update pulls their ASUS drivers and the like.
This isn't as strange as it sounds. By limiting the targets it significantly reduces the chance of the malware being detected (which given how long this has gone on undetected, it seems like it worked).
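The two posts above describe the gating that made the ASUS update trojan so quiet: the implant carried a list of target MAC addresses in hashed form and only fired on a machine whose address matched, which is also why the check tools ask for your MAC rather than scanning anything. This is an added example of that mechanism, written here and not taken from Kaspersky, ASUS or the trojan itself. The two target addresses are made up, and MD5 over the upper-case colon-separated form is an assumption about the hashing format, not something the posts state; swap in the real hash list and format if you reproduce the check for yourself.

```python
from __future__ import annotations

import hashlib
import uuid
from typing import Iterable

# Constructed target list. The posts say the real implant carried hashes for a
# few hundred machines; these two addresses are invented for the example.
TARGET_MACS = ["00:11:22:33:44:55", "AA:BB:CC:DD:EE:01"]


def normalise_mac(mac: str) -> str:
    """Canonical form so '00-11-22-33-44-55' and '00:11:22:33:44:55' hash identically."""
    return mac.replace("-", ":").upper()


def mac_hash(mac: str) -> str:
    # Assumption for the example: MD5 over the normalised text form.
    return hashlib.md5(normalise_mac(mac).encode("ascii")).hexdigest()


# Shipping only hashes means a reverse engineer sees the list but not who is on it.
TARGET_HASHES = frozenset(mac_hash(m) for m in TARGET_MACS)


def should_activate(local_macs: Iterable[str], target_hashes: frozenset[str] = TARGET_HASHES) -> bool:
    """Attacker-side gate: the second stage runs only on a machine whose MAC hashes to a listed value.

    Every other recipient of the trojanised update runs a payload that does
    nothing, which is why it can sit in a signed installer for months unnoticed.
    """
    return any(mac_hash(m) in target_hashes for m in local_macs)


def this_machine_macs() -> list[str]:
    """One local MAC via the standard library.

    uuid.getnode() may fall back to a random 48-bit value when no hardware
    address is available, in which case the answer is meaningless; a real check
    should enumerate every adapter, since the implant matched any of them.
    """
    node = uuid.getnode()
    return [":".join(f"{(node >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))]


def am_i_on_the_list(published_hashes: Iterable[str]) -> bool:
    """Defender-side check: hash your own MACs and compare against a published hash list."""
    return should_activate(this_machine_macs(), frozenset(published_hashes))


if __name__ == "__main__":
    print("local MACs:", this_machine_macs())
    print("would the implant activate here (constructed list)?", am_i_on_the_list(TARGET_HASHES))
```

The same code path serves both sides: the attacker runs it to decide whether to fetch the next stage, and a checker tool runs it against the recovered hash list to tell a user whether their machine was a target. Hashing rather than listing addresses outright is what lets the list hide in plain sight inside a signed binary.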
Man, I hate the people who name this shit. They have clearly named this attack after rowhammer, because rowhammer sounds scary, but this has nothing to do with rowhammer in any way. Hell, it's not even an exploit.
Also, that Kaspersky found it makes me sad all over again that they are at least marginally untrustworthy due to the whole Russia connection. Best AV I've had.
Disgusting.
I can safely say that past-Campy is a royal jeb end for not doing it sooner.