RSA: Phish Me If You Can (Video)
Spearphishing. The deluxe (but easy) way to get unwary employees to put malware on your network. It's basically the same as phishing, except more targeted. That is, a plain phishing scam might offer an unwary web-browsing employee a chance to see a famous starlet naked, while a spearphishing attack might purport to be an urgent request from your Bizzaro County office for 200 Kg of Unobtainium Oxide. Open that email, and... ZAP! So this is social hacking (cracking for the old-timers), and cannot necessarily be fought entirely by technical means. So how about setting up fake spearphishing attempts and immediately sending employees who fall for them to an IT security class with an emphasis on how to avoid phishing scams? You can do this yourself, possibly with help from a bright person or two from a nearby University. Or you can contact PhishMe or another anti-phish training company and have them help you teach spearphishing awareness to your people. Either way, every computer-using person in your company should know about phishing -- and should know how to avoid getting hooked by phishers.
Your daily Slashvertisement brought to you by Dice Holdings, Inc.
Open an email? You mean text? Not really a problem. If you're not blocking images and JavaScript, you're headed for trouble, targeted or not.
The people who are dumb enough to fall for this, and the IT department which allows "open-email-and-zap" kind of emails to get through cannot be taught. It would be more cost effective just to fire ridiculously stupid people and hire ones who have a few brain cells.
It doesn't matter how "official" a phishing email looks. An intelligent person will always be able to determine that they aren't real, and it really isn't hard.
The problem is 100% technical. How could viewing an email ever result in malware being installed? Somebody failed -- they're called the IT department.
http://www.wombatsecurity.com/phishguru
It's the fact that they treat us like eager morons, who won't recognize it. I mean the signs are dead simple.
1. Mentions a particular company by name.
2. Includes at least one buzz-word.
3. Entirely positive language.
Regular Slashdot stories pretty clearly have signs of concern or raise questions about their subject matter. These bare-naked slashvertisements are insulting. If you're going to be blatant, please fucking acknowledge that it's sponsored in the summary.
I guess the years have accumulated and I'm now an old timer, but I don't see how that's cracking by anyone's definition.
Lol, that one always works, and even though it is clear it doesn't need to be clicked, they click it anyways... I got to use that one when the Melissa virus was blocked based on the subject line "I have an attachment for your review", rather than on matching the payload of the email attachment. I made $5 on a bet with the Exchange admin, and got to watch hilarity ensue at the Exchange admin's desk when 40 hungry developers showed up, wondering why there was no free lunch and their Outlook clients were taking up all of their system resources.
So how about not running software vulnerable to malware?
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Three videos posted over the last couple of days - all of which purport to provide insight, at least in summary. I've not made it through more than a few seconds of each since there is excessive background noise.
Use a more targeted mic? Do some post-processing? Find a quieter room to interview your subject in? Provide a transcript?
Otherwise, it's just a waste of effort.
When setting up a test like this, first look at the legitimate e-mails sent around your company. If your business routinely circulates e-mails containing attachments employees are expected to open or links they're expected to click on, then ask yourself why you've got an overlap between what you expect employees to do and what you want them to not do. If you expect employees to check addresses but your e-mail client hides addresses, ask yourself why you're hiding what you want recipients to check. If you're having to ask those kinds of questions then the first problem you need to address isn't employees being vulnerable to spearphishing attacks, it's your internal e-mail culture and standards that make those vulnerabilities normal and expected.
Expect a lot of resistance to fixing these things. Not from your regular workers, but from the upper layers of management, who like these things because they make life easy and look "Oooh, shiny!".
It's a lot like physical security. You can emphasize it all you want, but when managers get angry at employees who closed the door in the manager's face forcing them to use their own key you will not get employees to stop letting people tailgate through doors.
Unless the email has a PDF attachment with a good enough name and you open it with Acrobat. Or a link to a website related to your company or from the government (if Anonymous could hack the DOJ website, others can do it too, maybe in a not so obvious way), and you get injected with a malicious Java program (and you know the record of recent Java 0-day exploits, no matter which OS you run). You are far safer in Linux, but it is no guarantee. Also, if we are talking about social engineering, an IT department mail ordering you to apply some updates from a repository for new security measures or functionality you asked for at some point is a good way to get root, or at least to run programs as your user; the vulnerability there is not the mail client but the mail user.
I THINK THE EDITORS ARE MODERATING CRITICAL COMMENTS DOWN!!!
I got 5 troll mods in a matter of one minute, making a pretty reasonable post (I thought).
I thought it was bizarre the GP got modded down once, but I really think Dice is modding the fucking comments.
I got duped into clicking the story thinking it was a legitimate article. Instead I got a slashvertisement... ./suckered
Many corporate users use Outlook. When viewing (or previewing) HTML-formatted messages, it uses the same rendering as Internet Explorer, and is thus susceptible to the same vulnerabilities.
I can remember a happy time when I could tell people with confidence "you'll never infect your computer by merely viewing an e-mail". Or a JPG. Or a PDF. Or ...
Can someone tell me why all of Roblimo's posts 1) are his own content, versus edited reader submissions, and 2) read exactly like advertisements?
LegendMUD
It is hard to teach common sense. It is easy, with enough internal information (usually kindly provided by you on social networks), to trick someone into opening an email, an attachment or a Java applet, or visiting a "safe" website (that could be a hacked real one, even a government one, with "extra" content targeted at you).
Everyone who clicked on this link needs to now attend a phishing training class, you have all been suckered into clicking on this blatant advertisement!
I wrote up an article in Communications of the ACM about a year ago summarizing the state of phishing attacks.
My colleagues and I have also studied phishing extensively and have the most comprehensive peer-reviewed body of work in this area. Our studies include understanding why people fall for phishing attacks (PDF), evaluating how well simulated phishing attacks work (PDF) (the short answer is quite well, based on a study of 500 people), designing and evaluating a micro game teaching people about URLs (PDF) (empirically tested with several thousand people), and more.
We've also commercialized our work, in terms of a service for simulated phishing attacks, the micro game for anti-phishing, and more.
Also, to anyone saying "people are stupid" or "they deserve to get malware", you really are part of the problem. It's our job to protect people, to reduce complexity, and to ensure the safety of our systems and networks. Arrogantly dismissing others as being inferior or stupid is one reason why computer security, user interfaces, and software in general are in the state they are.
If merely opening an email can do anything more than let you see and hear its content (and stop the instant you close it), then there is something wrong with your computer. And even that much is risky.
now we need to go OSS in diesel cars
Does everyone remember a few weeks ago when a company sent out a real email asking users to change passwords, and some people incorrectly thought it was a phishing email? Basically that single event proved that people don't understand how to read / detect phishing scams. If you can't even recognize, or take steps to recognize, what's real from what's fake, then I don't know what to tell you; the issue isn't always the scammer, or lack thereof. Sometimes just blame the users.
If only that were feasible. Unfortunately, we have created a septic environment and the only way to be sure of staying clean is to live in a bubble.
Not that I'm excusing the irresponsible decisions that are routinely made over security issues. That's how we got into this mess in the first place - one small, dumb step after another.
eh? cracking, to old timers, is the act of bypassing software locks. hacking is trick/cool repurposing/extension. spearphishing is plain old social engineering.
Or maybe something like:
"Due to frequent trouble with bad passwords, we require every employee to test the security of theirs on our newly setup password testing site at <a href="http://passwordtest.yourconpany.com/">http://passwordtest.yourcompany.com/</a>"
(Did you spot the difference?)
The Tao of math: The numbers you can count are not the real numbers.
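As an added example (not code from any commenter on this thread), here is a small defender-side check covering the two points raised above: the sender address that many clients hide from recipients, and a link whose visible text is a URL on a different host than its href. The domain, message and header values are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the From address and the link target both use
# a look-alike domain ("yourconpany") while the visible link text does not.
SAMPLE_EML = """\
From: IT Helpdesk <helpdesk@yourconpany.com>
To: employee@yourcompany.com
Subject: Mandatory password test
Content-Type: text/html; charset=utf-8

<p>Due to frequent trouble with bad passwords, test yours at
<a href="http://passwordtest.yourconpany.com/">http://passwordtest.yourcompany.com/</a></p>
"""

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None          # [href, text] while inside an <a>
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None

def mismatched_links(html):
    """Return hrefs whose visible text is itself a URL pointing at another host."""
    p = _LinkCollector()
    p.feed(html)
    bad = []
    for href, text in p.links:
        text = text.strip()
        if text.startswith(("http://", "https://")) and \
                urlparse(text).hostname != urlparse(href).hostname:
            bad.append(href)
    return bad

def check_message(raw, expected_domain="yourcompany.com"):
    """Flag a sender outside expected_domain and any text/href host mismatch."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0].addr_spec.lower()   # what the client hides
    body = msg.get_body(preferencelist=("html",)).get_content()
    return {"spoofed_sender": not sender.endswith("@" + expected_domain),
            "mismatched_links": mismatched_links(body)}
```

A real deployment would run this on the mail gateway and add the findings to the message rather than relying on each recipient to spot the one-letter difference.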
Spearphishing. The deluxe (but easy) way to get unwary employees to put malware on your network.
Hey, if i want to put malware on my network it's even easier to just do it myself.
This Space Intentionally Left Blank
Unfortunately even Thunderbird on Linux cannot prevent bad processes from being started in the user's brain, which cause that user to actively initiate the insecure operation. You need to install a special package called "user education" to protect against this. Unfortunately installing that is often tricky, and some brains don't run it particularly well.
I won't say that Linux (which is what I run) is completely safe, but it's far, far safer than Windows is. That's not to say that everybody should be running Linux, but that everybody who runs Windows should be asking Microsoft why Windows is so vulnerable.
Good, inexpensive web hosting
Yeah, and while we knew there were a bunch before, I think we're def. seeing Dice's hand in all this.
The other posters are right about the shift to video, and Roblimo, who really was off the radar until last month. Here is a Reuters article describing specifically how this company is a spinoff of some other one a couple years ago. So yes, it's absolutely a Slash-vertisement. http://www.reuters.com/article/2012/03/20/idUS120683+20-Mar-2012+BW20120320
Besides your heuristics, let's go even farther. It's these companies that seem to specialize in "protecting/training", with unclear extra motives buried in there. To paraphrase xkcd: "My hobby: watching Anonymous bust open these companies purporting to specialize in providing privacy/security services." Because they're in a position where they can't have ANY incident on their record with the services they sell. Yeah, I sorta don't care if Walmart hoses their data records in some random location branch because that store manager was an idiot. It's Walmart. These security companies are in a different league. Remember HBGary?
And these Slashverts are coming *fast*. No subtle sneak-in. Fast. The question is whether the rest of what used to be slashdot is worth reading anymore if these aggressive slashverts keep barreling at us. It's like a game of Ad-DonkeyKong. Jump over the barrels!
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Then the phishing will just use another vector. Say, trick the user into installing some extension (yes, the browser will warn about a potential insecurity, but it also does so when you install known good extensions right from Mozilla's extensions page, so the user will just ignore the warning and install anyway). Or send a file format which the browser cannot handle, so the user saves it and opens it directly, without the sandbox.
Spearphishing. The deluxe (but easy) way to get unwary employees to put malware on your [ Microsoft Windows ] network. It's basically the same as phishing, except more targeted. That is, a plain phishing scam might offer an unwary [ Microsoft Windows ] web-browsing employee a chance to see a famous starlet naked, while a spearphishing attack might purport to be an urgent request from your Bizzaro County office for 200 Kg of Unobtainium Oxide. Open that email [under Microsoft Windows ], and... ZAP! So this is social hacking [ on Microsoft Windows ] .. Either way, every [ Microsoft Windows ] computer-using person in your company should know about phishing -- and should know how to avoid getting hooked by phishers.
AccountKiller
Remedial training will continue until morale improves! Is there a reason you need a company to tell your employees to stop clicking on the dancing kitty link?
Hmmm, I'll get modded down for bashing the advert story so... oh I know, Dice is awesome, I for one embrace our benevolent overlords.
Good leaders run toward problems, bad leaders hide from them.
We tried this in 2001, after a tonne of people opened some Love virus email variant. Me and one other IT guy at our University just did it off our own bat: I wrote a small and simple VB6 exe and he emailed it out from a Hotmail account as "funny.doc.exe". All it did was log who clicked the file back to a txt file on the network.
We didn't get any kind of authorisation or even discuss it with anyone first and yes, we got in trouble with management for embarrassing staff (we did not name and shame, so we didn't get in too much trouble).
First, every time I hear computers get infected, or whatever, I wanna cry. There have been people using Mac and Linux for decades now. Then obviously this is advertisement... mod this article down, please.
Sandboxing? Works in the browser*, should work in the email client.
*proper browsers, not IE...
This may be off-topic, but by 'septic environment' I was also thinking of the fact that we have to live with the bad decisions of the businesses and government agencies we have to deal with.