RSA: Phish Me If You Can (Video)
Spearphishing. The deluxe (but easy) way to get unwary employees to put malware on your network. It's basically the same as phishing, except more targeted. That is, a plain phishing scam might offer an unwary web-browsing employee a chance to see a famous starlet naked, while a spearphishing attack might purport to be an urgent request from your Bizzaro County office for 200 Kg of Unobtainium Oxide. Open that email, and... ZAP! So this is social hacking (cracking for the old-timers), and cannot necessarily be fought entirely by technical means. So how about setting up fake spearphishing attempts and immediately sending employees who fall for them to an IT security class with an emphasis on how to avoid phishing scams? You can do this yourself, possibly with help from a bright person or two from a nearby University. Or you can contact PhishMe or another anti-phish training company and have them help you teach spearphishing awareness to your people. Either way, every computer-using person in your company should know about phishing -- and should know how to avoid getting hooked by phishers.
Your daily Slashvertisement brought to you by Dice Holdings, Inc.
Open an email? You mean text? Not really a problem. If you're not blocking images and JavaScript, you're headed for trouble, targeted or not.
The people who are dumb enough to fall for this, and the IT department which allows "open-email-and-zap" kind of emails to get through cannot be taught. It would be more cost effective just to fire ridiculously stupid people and hire ones who have a few brain cells.
It doesn't matter how "official" a phishing email looks. An intelligent person will always be able to determine that they aren't real, and it really isn't hard.
The problem is 100% technical. How could viewing an email ever result in malware being installed? Somebody failed -- they're called the IT department.
http://www.wombatsecurity.com/phishguru
It's the fact that they treat us like eager morons, who won't recognize it. I mean the signs are dead simple.
1. Mentions a particular company by name.
2. Includes at least one buzz-word.
3. Entirely positive language.
Regular Slashdot stories pretty clearly have signs of concern or raise questions about their subject matter. These bare-naked slashvertisements are insulting. If you're going to be blatant, please fucking acknowledge that it's sponsored in the summary.
I guess the years have accumulated and I'm now an old timer, but I don't see how that's cracking by anyone's definition.
Lol, that one always works, and even though it is clear it doesn't need to be clicked, they click it anyways... I got to use that one when the Melissa virus was blocked based on the subject line "I have an attachment for your review", rather than on matching the payload of the email attachment. I made $5 on a bet with the Exchange admin, and got to watch hilarity ensue at the Exchange admin's desk when 40 hungry developers showed up, wondering why there was no free lunch and their Outlook clients were taking up all of their system resources.
Slashdot is my home page -- I read the content for information and ignore the advertising. This pure advertising play is nothing more than a bid for greater income for this unethical fraud of a business. PhishMe should discontinue attempting to publish advertising as information, and pay Slashdot for the space, and Slashdot should moderate the content to prevent this sort of corporate fraud.
This must be a Windows problem, because this type of open and automatically execute ( or whatever ) does not happen on Linux.
So how about not running software vulnerable to malware?
Three videos posted over the last couple of days - all of which purport to provide insight, at least in summary. I've not made it through more than a few seconds of each since there is excessive background noise.
Use a more targeted mic? Do some post-processing? Find a quieter room to interview your subject in? Provide a transcript?
Otherwise, it's just a waste of effort.
When setting up a test like this, first look at the legitimate e-mails sent around your company. If your business routinely circulates e-mails containing attachments employees are expected to open or links they're expected to click on, then ask yourself why you've got an overlap between what you expect employees to do and what you want them to not do. If you expect employees to check addresses but your e-mail client hides addresses, ask yourself why you're hiding what you want recipients to check. If you're having to ask those kinds of questions then the first problem you need to address isn't employees being vulnerable to spearphishing attacks, it's your internal e-mail culture and standards that make those vulnerabilities normal and expected.
Expect a lot of resistance to fixing these things. Not from your regular workers, from the upper layers of management who like these things because they make life easy and look "Oooh, shiny!".
It's a lot like physical security. You can emphasize it all you want, but when managers get angry at employees who closed the door in the manager's face forcing them to use their own key you will not get employees to stop letting people tailgate through doors.
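The audit this post recommends (look at your legitimate mail first and measure how often it asks people to open attachments or follow links) can be scripted. The block below is an added example, not code from the thread or from any company it mentions; the sample messages are constructed, the domains are placeholders, and the functions are hypothetical names chosen for this illustration. It uses only Python's standard `email` module, so it runs offline over a mailbox export.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample of "legitimate" internal mail, standing in for a real mailbox export.
SAMPLE_MAILS = [
"""From: payroll@example.com
To: staff@example.com
Subject: Timesheet reminder
Content-Type: text/plain

Please submit your timesheet in the HR portal before Friday.
""",
"""From: vendor-relay@example.com
To: purchasing@example.com
Subject: Updated price list
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The new price list is attached; open it and confirm at http://portal.example.com/confirm?id=42
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="prices.pdf"

(constructed placeholder for PDF bytes)
--b1--
""",
"""From: it-helpdesk@example.com
To: staff@example.com
Subject: Password expiry
Content-Type: text/plain

Your password expires soon. Reset it here: http://reset.example.com/
""",
]

URL_RE = re.compile(r"https?://\S+")


def has_attachment(msg: Message) -> bool:
    """True if any MIME part is marked as an attachment."""
    return any(part.get_content_disposition() == "attachment" for part in msg.walk())


def body_urls(msg: Message) -> list:
    """Every http(s) URL found in the text parts of the message."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        urls.extend(URL_RE.findall(payload.decode("utf-8", "replace")))
    return urls


def audit_one(raw: str) -> dict:
    """Classify a single raw RFC 822 message: does it carry an attachment, a link, or both?"""
    msg = message_from_string(raw)
    return {"attachment": has_attachment(msg), "link": bool(body_urls(msg))}


def audit(raw_mails) -> dict:
    """Count how many routine mails train staff to open attachments or follow links."""
    stats = {"total": 0, "with_attachment": 0, "with_link": 0, "risky_habit": 0}
    for raw in raw_mails:
        r = audit_one(raw)
        stats["total"] += 1
        stats["with_attachment"] += r["attachment"]
        stats["with_link"] += r["link"]
        stats["risky_habit"] += r["attachment"] or r["link"]
    return stats


if __name__ == "__main__":
    print(audit(SAMPLE_MAILS))
```

The `risky_habit` figure is the one to watch: every routine message that expects a click or an open is a message whose shape a spearphish can copy, and the post's point is that this number, not the employees, is the first thing to fix.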
I THINK THE EDITORS ARE MODERATING CRITICAL COMMENTS DOWN!!!
I got 5 troll mods in a matter of one minute, making a pretty reasonable post(I thought).
I thought it was bizarre the GP got modded down once, but I really think Dice is modding the fucking comments.
I got duped into clicking the story thinking it was a legitimate article. Instead I got a slashvertisement... ./suckered
Many corporate users use Outlook. When viewing (or previewing) HTML-formatted messages, it uses the same rendering as Internet Explorer, and is thus susceptible to the same vulnerabilities.
I can remember a happy time when I could tell people with confidence "you'll never infect your computer by merely viewing an e-mail". Or a JPG. Or a PDF. Or ...
Can someone tell me why all of Roblimo's posts 1) are his own content, versus edited reader submissions, and 2) read exactly like advertisements?
That's as easy as disconnecting electricity from your building.
It's hard to teach common sense. It's easy, with enough internal information (usually kindly provided by you on social networks), to trick someone into opening an email, an attachment, or a Java applet, or into visiting a "safe" website (which could be a hacked real one, even a government one, with "extra" content targeted at you).
Doesn't using Thunderbird on Linux eliminate this and pretty much all other similar schemes?
Why does opening e-mail cause something to run or be saved? Is this required by any web standard? This is entirely a Microsoft invention.
Everyone who clicked on this link needs to now attend a phishing training class, you have all been suckered into clicking on this blatant advertisement!
That's as easy as disconnecting electricity from your building.
And as likely
I wrote up an article in Communications of the ACM about a year ago summarizing the state of phishing attacks.
My colleagues and I have also studied phishing extensively and have the most comprehensive peer-reviewed body of work in this area. Our studies include understanding why people fall for phishing attacks (PDF), evaluating how well simulated phishing attacks work (PDF) (the short answer is quite well, based on a study of 500 people), designing and evaluating a micro game teaching people about URLs works (PDF) (empirically tested with several thousand people), and more.
We've also commercialized our work, in terms of a service for simulated phishing attacks, the micro game for anti-phishing, and more.
Also, to anyone saying "people are stupid" or "they deserve to get malware", you really are part of the problem. It's our job to protect people, to reduce complexity, and to ensure the safety of our systems and networks. Arrogantly dismissing others as being inferior or stupid is one reason why computer security, user interfaces, and software in general is in the state it is.
This only applies if you fail as an admin. Mine sure as fuck doesn't show HTML messages unless I click the "show as html" bar.
If merely opening an email can do anything more than let you see and hear its content (and stop the instant you close it) then there is something wrong with your computer. And even that much is risky.
The next logical step is to test your employees with requests that could be legitimate, but are not (e.g. calling customer service to inquire about a product), and then firing anyone that does not field the request, even if that employee knew the request to be only a test.
Wrong. For opening an email to be dangerous requires that your email client be horribly broken. There is a technical means: don't treat email as executable code. Fix mail client bugs.
Maybe that's harder than everyone says it is, but that doesn't mean it's impossible.
Furthermore, for "spearphishing" in particular, there are other technical means to get depth. If it involves "masquerading as a trustworthy entity" then email signatures, if only people would use them, would stop it dead in its tracks.
This is an unusually bad example of a problem which can only be fixed socially.
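What a message signature buys you against the "masquerading as a trustworthy entity" case is that the sender headers and the body are bound together, so a look-alike From address or an edited body fails verification. The block below is an added illustration, not code from the thread or from any product it mentions: it uses HMAC with a constructed shared key as a stand-in for the public-key signature that DKIM, S/MIME or PGP would use, and the header set, canonicalisation and message content are all assumptions made for the example.

```python
import base64
import hashlib
import hmac

# Constructed demo key. HMAC with a shared secret stands in here for the public-key
# signature a real scheme (DKIM, S/MIME, PGP) would use; the binding logic is the same.
SIGNING_KEY = b"constructed-demo-signing-key"
SIGNED_HEADERS = ("from", "to", "subject", "date")


def canonical(headers: dict, body: str) -> bytes:
    """Relaxed canonical form: selected headers with whitespace collapsed, plus a body hash."""
    lines = []
    for name in SIGNED_HEADERS:
        value = " ".join(headers.get(name, "").split())
        lines.append(f"{name}:{value}")
    body_hash = hashlib.sha256(body.rstrip("\n").encode("utf-8")).hexdigest()
    lines.append(f"bh:{body_hash}")
    return "\n".join(lines).encode("utf-8")


def sign(headers: dict, body: str) -> str:
    """Return a base64 tag to carry in the message, binding sender headers to the body."""
    mac = hmac.new(SIGNING_KEY, canonical(headers, body), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify(headers: dict, body: str, signature: str) -> bool:
    """True only if headers and body are what was signed (whitespace differences aside)."""
    try:
        given = base64.b64decode(signature, validate=True)
    except (ValueError, TypeError):
        return False
    expected = hmac.new(SIGNING_KEY, canonical(headers, body), hashlib.sha256).digest()
    return hmac.compare_digest(expected, given)


# Constructed message: the "urgent request from a branch office" scenario from the story.
ORIGINAL = (
    {"from": "purchasing@branch.example.com", "to": "orders@example.com",
     "subject": "Urgent: PO 4711", "date": "Mon, 11 Mar 2013 09:00:00 +0000"},
    "Please ship 200 kg to the usual address.\n",
)


def demo() -> dict:
    """Sign the constructed message, then check what verification says about tampered copies."""
    headers, body = ORIGINAL
    sig = sign(headers, body)
    forged_from = dict(headers, **{"from": "purchasing@branch-example.com"})  # look-alike domain
    refolded = dict(headers, subject="Urgent:   PO 4711")  # only whitespace differs
    return {
        "genuine": verify(headers, body, sig),
        "forged_sender": verify(forged_from, body, sig),
        "altered_body": verify(headers, body.replace("usual", "new"), sig),
        "whitespace_only": verify(refolded, body, sig),
        "garbage_tag": verify(headers, body, "not base64!"),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to the real schemes: the From header must be in the signed set, otherwise a signature proves nothing about who sent the message, and comparison uses `hmac.compare_digest` so a verifier does not leak timing information about how much of a bad tag matched.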
Your study is about students, not enterprise workers.
Does everyone remember a few weeks ago when a company sent out a real email asking users to change passwords and some people incorrectly thought it was a phishing email... Basically that single event proved that people don't understand how to read / detect phishing scams. If you can't even recognize or take steps to recognize what's real from what's fake then I don't know what to tell you; the issue isn't always the scammer or lack thereof, sometimes just blame the users.
If only that were feasible. Unfortunately, we have created a septic environment and the only way to be sure of staying clean is to live in a bubble.
Not that I'm excusing the irresponsible decisions that are routinely made over security issues. That's how we got into this mess in the first place - one small, dumb step after another.
eh? cracking, to old timers, is the act of bypassing software locks. hacking is trick/cool repurposing/extension. spearphishing is plain old social engineering.
You are ill and need professional help
Spearphishing. The deluxe (but easy) way to get unwary employees to put malware on your network.
Hey, if I want to put malware on my network it's even easier to just do it myself.
I won't say that Linux (which is what I run) is completely safe, but it's far, far safer than Windows is. That's not to say that everybody should be running Linux, but that everybody who runs Windows should be asking Microsoft why Windows is so vulnerable.
apk upset your sensibilities by rousing such geek angst in you losing to him in tech debates here on slashdot that you resort to such stupidity here. It's the third time I've seen you do it today and each time you've been down moderated for it here in this discussion thread, and here too http://tech.slashdot.org/comments.pl?sid=3522191&cid=43096733 and here also http://linux.slashdot.org/comments.pl?sid=3521669&cid=43094855 so like others have told you in response to this stupidity from you, do yourself a favor and seek professional psychiatric help. You obviously require it.
A proper Sandboxing System would contain all those buffer overflows and bad pointers in the PDF, Excel, Flash and Word crapware. And yeah, you better sandbox the FOSS crapware, too. Just have a look at libpoppler and you know what I mean. A can of void* worms.
So if your sandbox is made after the KISS principle and has lots of capable eyeballs applied to it, there would be a serious chance that we could actually safely view ANY email. In paradise, governments would fund mathematical verification of sandbox correctness. In reality they fund nasty malware for their own purposes, of course. After all, Israel and the MIC are in great need of new war, new blood and new money from arms revenue.
Yeah, as in "AIDS". Why don't you research and fix the problem at the core as Google does with their sandboxing approach ? Why don't you spend time and effort in proving sandboxes or memory safe language compilers right ? Why don't you spend time and effort in clearly marking an email as "external" or "dangerous and unverified source" or something like that ?
I'll tell you. The Band Aid Industry is big business, but only as long as the security issues are not fixed at the core, where they should be. It's a Protection Racket.
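"Clearly marking an email as external or unverified" is a mail-gateway rule that is easy to state and easy to get subtly wrong. The block below is an added example, not code from the thread or from any product named in it; the internal domain, the header name `X-Sender-Origin`, the tag text and the three sample messages are all constructed for the illustration. It covers the case the simple version misses: a display name that impersonates an internal identity while the real address is external, which is what a mail client that hides addresses would show.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed: the organisation's own mail domains (constructed for this example).
INTERNAL_DOMAINS = {"example.com"}
EXTERNAL_TAG = "[EXTERNAL]"
ORIGIN_HEADER = "X-Sender-Origin"  # hypothetical header name

# Constructed inbound messages.
INTERNAL_MAIL = "From: Alice <alice@example.com>\nTo: bob@example.com\nSubject: Lunch?\n\nNoon works for me.\n"
EXTERNAL_MAIL = "From: Supplier Sales <sales@supplier.test>\nTo: bob@example.com\nSubject: Price list\n\nSee attached.\n"
SPOOFED_MAIL = 'From: "it-helpdesk@example.com" <reset@mail-relay.test>\nTo: bob@example.com\nSubject: Password expiry\n\nReset your password now.\n'


def sender_parts(msg):
    """Return (display_name, domain) from the From header; domain is '' if unparsable."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name, domain


def classify(raw: str) -> str:
    """'internal', 'external', or 'external-spoofed' (display name claims an internal identity)."""
    name, domain = sender_parts(message_from_string(raw))
    if domain in INTERNAL_DOMAINS:
        return "internal"
    if any(d in name.lower() for d in INTERNAL_DOMAINS):
        return "external-spoofed"
    return "external"


def tag_message(raw: str) -> str:
    """Prefix the Subject and add an origin header for anything not from an internal domain."""
    verdict = classify(raw)
    if verdict == "internal":
        return raw
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    if not subject.startswith(EXTERNAL_TAG):
        del msg["Subject"]
        msg["Subject"] = f"{EXTERNAL_TAG} {subject}".strip()
    # Inbound mail can arrive with a forged copy of the origin header already present,
    # so it is always stripped and re-set by the gateway, never trusted from the wire.
    del msg[ORIGIN_HEADER]
    msg[ORIGIN_HEADER] = verdict
    return msg.as_string()


if __name__ == "__main__":
    for raw in (INTERNAL_MAIL, EXTERNAL_MAIL, SPOOFED_MAIL):
        print(classify(raw))
        print(tag_message(raw))
```

Two details matter in practice: an empty or unparsable From yields domain `''`, which is treated as external rather than internal (fail closed), and the gateway deletes any pre-existing origin header before writing its own, because a header the gateway sets is only meaningful if nothing upstream can set it first.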
Yeah, and while we knew there were a bunch before, I think we're def. seeing Dice's hand in all this.
The other posters are right about the shift to video, and Roblimo, who really was off the radar until last month. Here is a Reuters article describing specifically how this company is a spinoff of some other one a couple years ago. So yes, it's absolutely a Slash-vertisement. http://www.reuters.com/article/2012/03/20/idUS120683+20-Mar-2012+BW20120320
Besides your heuristics, let's go even farther. It's these companies that seem to specialize in "protecting/training", with unclear extra motives buried in there. To paraphrase xkcd: "My hobby: watching Anonymous bust open these companies purporting to specialize in providing privacy/security services." Because they're in a position where they can't have ANY incident on their record with the services they sell. Yeah, I sorta don't care if Walmart hoses their data records in some random location branch because that store manager was an idiot. It's Walmart. These security companies are in a different league. Remember HBGary?
And these Slashverts are coming *fast*. No subtle sneak-in. Fast. The question is whether the rest of what used to be slashdot is worth reading anymore if these aggressive slashverts keep barreling at us. It's like a game of Ad-DonkeyKong. Jump over the barrels!
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
This year I learned that if you want a new revenue stream, all you have to do is exercise your right to "update" your Terms and Conditions.
Seriously, this type of irresponsible behavior predicates a backlash.
Spearphishing. The deluxe (but easy) way to get unwary employees to put malware on your [ Microsoft Windows ] network. It's basically the same as phishing, except more targeted. That is, a plain phishing scam might offer an unwary [ Microsoft Windows ] web-browsing employee a chance to see a famous starlet naked, while a spearphishing attack might purport to be an urgent request from your Bizzaro County office for 200 Kg of Unobtainium Oxide. Open that email [under Microsoft Windows ], and... ZAP! So this is social hacking [ on Microsoft Windows ] .. Either way, every [ Microsoft Windows ] computer-using person in your company should know about phishing -- and should know how to avoid getting hooked by phishers.
Remedial training will continue until morale improves! is there a reason you need a company to tell your employees to stop clicking on the dancing kitty link?
Hmmm, I'll get modded down for bashing the advert story so... oh I know, Dice is awesome, I for one embrace our benevolent overlords.
Please don't pretend not to be apk. It's transparent and unseemly.
From the start.
We tried this in 2001, after a tonne of people opened some Love virus email variant. Me and one other IT guy at our University just did it off our own bat - I wrote a small and simple vb6 exe and he emailed it out from a hotmail account as "funny.doc.exe". All it did was log who clicked the file back to a txt file on the network.
We didn't get any kind of authorisation or even discuss it with anyone first and yes, we got in trouble with management for embarrassing staff (we did not name and shame, so we didn't get in too much trouble).
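The measurement side of a home-grown test like this one (who opened the bait, how fast, and who did it twice) is where the training value comes from, and it does not need an executable payload at all: a per-recipient tracking link and the web server's access log are enough. The block below is an added example and is not the poster's VB6 program or any vendor's product; the campaign token table, the send time and the access-log lines are all constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed: the token embedded in each recipient's copy of the simulated mail.
CAMPAIGN = {"a1f3": "alice", "b7c2": "bob", "c9d4": "carol", "d0e5": "dave"}

# Constructed: when the simulated mails were sent.
SENT_AT = datetime(2013, 3, 10, 9, 0, 0, tzinfo=timezone.utc)

# Constructed access-log excerpt from the tracking host (Apache combined format).
ACCESS_LOG = """\
203.0.113.5 - - [10/Mar/2013:09:14:02 +0000] "GET /track/a1f3 HTTP/1.1" 200 43 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2013:09:14:03 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2013:09:20:47 +0000] "GET /track/b7c2 HTTP/1.1" 200 43 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2013:09:21:10 +0000] "GET /track/b7c2 HTTP/1.1" 200 43 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2013:09:31:55 +0000] "GET /track/zzzz HTTP/1.1" 404 209 "-" "curl/7.29"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /track/(?P<token>\w+) ')


def parse_clicks(log_text: str, campaign: dict):
    """Yield (user, timestamp, ip) for every hit on a token that belongs to this campaign."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a tracking hit (favicon, other paths)
        user = campaign.get(m["token"])
        if user is None:
            continue  # unknown token: a scanner or a typo, not a recipient
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield user, ts, m["ip"]


def report(log_text: str, campaign: dict = CAMPAIGN, sent_at: datetime = SENT_AT) -> dict:
    """Summarise a campaign: who clicked, how quickly, and who clicked more than once."""
    clicks = defaultdict(list)
    for user, ts, _ip in parse_clicks(log_text, campaign):
        clicks[user].append(ts)
    clicked = sorted(clicks)
    return {
        "recipients": len(campaign),
        "clicked": clicked,
        "click_rate": round(len(clicked) / len(campaign), 2) if campaign else 0.0,
        "first_click_minutes": {u: int((min(t) - sent_at).total_seconds() // 60) for u, t in clicks.items()},
        "repeat_clickers": sorted(u for u, t in clicks.items() if len(t) > 1),
    }


if __name__ == "__main__":
    print(report(ACCESS_LOG))
```

Unknown tokens are deliberately dropped rather than counted, so an internet scanner hitting the tracking path does not inflate the click rate, and the result lists names only for the person running the exercise; as the poster found, what you do with those names afterwards (training, not naming and shaming) is what decides whether management backs the exercise or not.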
First, every time I hear computers get infected, or whatever, I wanna cry. There have been people using Mac and Linux for decades now. Then obviously this is advertisement... mod this article down, please.
Please take the advice others gave you. Get help and get on topic.
This may be off-topic, but by 'septic environment', I was also thinking of the fact that we have to live with the bad decisions of businesses and government agencies that we have to deal with.
Fuck off, Paul.
Once more, do take your own advice.
Get lost, troll.
Speak for yourself after this from you http://it.slashdot.org/comments.pl?sid=3521797&cid=43096277