1 in 3 Michigan Workers Tested Opened A Password-Phishing Email (go.com)
An anonymous reader quotes the AP:
Michigan auditors who conducted a fake "phishing" attack on 5,000 randomly selected state employees said Friday that nearly one-third opened the email, a quarter clicked on the link and almost one-fifth entered their user ID and password. The covert operation was done as part of an audit that uncovered weaknesses in the state government's computer network, including that not all workers are required to participate in cybersecurity awareness training... Auditors made 14 findings, including five that are "material" -- the most serious. They range from inadequate management of firewalls to insufficient processes to confirm if only authorized devices are connected to the network. "Unauthorized devices may not meet the state's requirements, increasing the risk of compromise or infection of the network," the audit said.
"1 in 3 Michigan Workers Tested Opened A Password-Phishing Email"
What the hell kind of headline is that? English please.
We had similar results during my company's initial phishing test, so I suspect that this result is not uncommon. Sending out training and multiple rounds of phishing test emails (which then require more training if you click) is the ONLY way to bring this number down. The users need to be made as paranoid as possible before clicking ANY links. After a year and a half we still have a few repeat offenders who still click on the links or enter username/passwords, so multi-factor authentication was implemented, but it's far, far less than we previously had. Posting as AC for obvious reasons.
I've got the sender and subject visible to me, if they look legit of course I'm gonna open it. I don't click links unless it's something like a new website setup or lost password reset or somesuch where I'm expecting a message. I never enter logins nor passwords to links I get in email.
In other words, opening the email isn't (err, shouldn't be) the problem. It's what you do after that that's the problem.
Then again, I don't use Outlook so opening the email isn't all that hazardous to me.
1/3 opened the email? That means that 2/3 don't read their email.
You can't tell if it's a phish just by the subject line and the displayed sender name; you have to at least check the sender email address, path headers and link HTML to make an informed decision.
Seriously, these phishing scams have been going on for far too long now and cost billions. If there is information that cannot be disseminated, people should be directed to go to a well vetted website.
Time is what keeps everything from happening all at once.
Michigan turned red in 2016.
Conservatives like you are really a stupid bunch, but we knew that already.
The email system never verified the URL nor where the email was from.
So your email system is so poor you have to rely on the end user not to click on a link?
Simply block / rewrite URLs that have not been verified.
Only accept mail from domains that have been verified and claim the email is from them
(for example those that have DNSSEC and DANE set up correctly, as gov addresses have this and can therefore prove that they sent the email).
Simple basics that are not the end users' fault.
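The two checks these comments describe (does the visible sender match the address behind it, and does a link's visible text match where its href actually points) are the kind of thing a mail gateway or a security team's triage script can do mechanically. The following is an added example, not code from any poster or from the State of Michigan; the message, addresses and domains in it are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not taken from the article or the thread):
# the display name and the link text look like an internal helpdesk, but
# the Return-Path, the From address and the href behind the link do not.
SAMPLE_MSG = """\
Return-Path: <bounce@mail-relay.example.net>
From: "DTMB Helpdesk" <helpdesk@michigan-gov-support.example.com>
To: employee@michigan.gov.example
Subject: Password expiry notice
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires today. Sign in at
<a href="http://login.example-evil.net/reset">https://login.michigan.gov.example</a></p>
<p>Help: <a href="https://helpdesk.michigan.gov.example/kb">helpdesk.michigan.gov.example</a></p>
</body></html>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(text):
    """Host part of an e-mail address, URL or bare hostname (lower-cased), or None."""
    text = text.strip()
    if "@" in text:
        return text.rsplit("@", 1)[1].lower().rstrip(">")
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower() or None

def phishing_indicators(raw):
    """Return human-readable findings: envelope/header domain mismatch and
    links whose visible text names a different host than the href."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    ret_dom = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    if from_dom and ret_dom and from_dom != ret_dom:
        findings.append(f"From domain {from_dom} != Return-Path domain {ret_dom}")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    for href, text in ANCHOR_RE.findall(body):
        shown = domain_of(re.sub(r"<[^>]+>", "", text))  # strip nested tags
        actual = domain_of(href)
        if shown and actual and shown != actual:
            findings.append(f"link text shows {shown} but href goes to {actual}")
    return findings

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_MSG):
        print("INDICATOR:", finding)
```

A gateway that rewrites or blocks links on these findings, as the comment suggests, removes the decision from the user; the second link in the sample (text and href on the same host) produces no finding.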
They like their phishing up there.
Best practice in computer security is not to open any emails or visit any websites. In fact, unplug from the Internet completely. Also put glue in all your USB slots and disable any optical drives. Require MFA and post an armed guard to stick a finger up your ass upon logon/logoff. In fact, forget using the computer, just get a room with the guard, curl up in a security blanket and jam your thumbs in each other's asses.
Meanwhile, the rest of the world will keep getting stuff done in a world where risks exist.
Michigan has been the home of communism since Henry Ford died.
He was America's last stalwart fascist, but uneducated buffoons like you and GP would never know it.
But how many like me entered a username password combo of:
Yourmom
8====D
Crack my account now Ivan!
Around 20% of the population have an IQ under 85, that should be about it.
I guess lots of them have a MAGA hat. GDARVF
Send out fake phishing email, collect logins to database, generate pink slips from that database. Automate away management jobs.
Only because they voted against Hillary. Otherwise, they're strong blue.
... and I dealt with it during my career. I'm a retired IT.
I held seminars, talked to employees one-on-one, and damned if we didn't still get hit.
It was a law firm and the staff never fell for phishing.
My problem was the fucking lawyers, especially the managing partner!
That bastard would click on anything.
He got a goddam email that said his UPS package wasn't going anywhere unless he looked at the invoice and corrected the address.
I asked him if he sent anything via UPS and he said, no.
I asked him if he remembered signing an exclusive with FedEx that I negotiated and he did.
I asked him if he, personally, ever sent a package anywhere or if he let his staff do that -- he said staff.
He did that shit over and over again.
--
I'm waiting for AI to step in; predict the outcome of clicking on a link and forbidding forward progress until an IT person concurs.
It little behooves the best of us to comment on the rest of us.
strong blue
Republican governor, republican legislature.... doesn't seem that "strong" to me.
It's one of several states with Muslim Sharia law though.
Holy frak guys, just start the second civil war already. The rest of the world knows it's coming, might as well just get down to it.
The 20% is the important statistic and that's scary enough already; no need for ABC News to embellish the story.
A civil war in Russia?
if you had read the audit, you would find that:
1. They were auditing the telecom (read phones, routers and switches) area of the Michigan Department of Technology Management and Budget.
2. Email is handled outside in a different group called messaging (still a part of DTMB but not being currently audited).
3. There is nothing the telecom people can do to make users take computer security courses.
4. There is very little the telecom people can do to prevent people from opening email short of blocking all communications to and from the email servers.
So, the Auditors audited the telecom (wrong) group and found them at fault (for not teaching state employees to avoid phishing emails) and published it in the papers!
Does this really sound correct?
I think someone should call the auditors out on this and have them dismissed (not the state employees who opened the email as previous posts indicated).
This isn't the only audit that they have executed where the wrong people/area were held responsible for things that they cannot control or influence.
Just because their title is auditor, does not make them always correct.
Michigan has been the home of communism since Henry Ford died.
Back in the days when communists were red and conservatives were blue, i.e. before a TV channel employee got the two mixed up in a poll presentation and the wrong colours stuck in the minds of largely ignorant Americans.
What we have in the US these days is brown.
Yea, I always thought it should be the blue blood elites versus the red communists.
It isn't a Civil War, it is a way of life.
I'm taking the CompTIA SY0-501 Security+ exam next week - This news does not surprise me and is in fact consistent with what I have been learning in CompTIA's latest rendition of their Sec+ certification; Internal employees constitute the single largest security threat to a company.
I've been a part of aggressive, well crafted phishing tests in Silicon Valley companies. Some of those tests were secret enough that only 3 people were aware of the test in advance... and the results were terrifying. Thanks to HTML abuse, forged headers and very good copy, I've seen 70% of storied security teams fall for the phishing attempt, going as far as to enter their 2fa values for AWS. In a real world situation, just one person falling for it would have been a problem.
In practice, what I have learned is that against a sophisticated opponent, any security system that relies on just usernames, passwords, and simple 2fa might as well not exist. The bare minimum is unique usernames and passwords just to double check that the right human is on the other side, attached to client certificates that are unique to each machine, and strong mechanisms to make sure that nobody generates user + certificate pairs for new computers without big flashing signs popping up. Anything weaker is just relying on being an uninteresting target, which is not a good thing to rely on.
The problem is that they also use a number of 3rd party vendors (with non-State domains) to host various official systems. They conducted a mandatory survey of employees once (survey monkey, iirc) and had to send out a follow-up e-mail telling everyone that the first e-mail was real and was safe to click on. Apparently, a large percentage of people were reporting the e-mail as a phishing attack or simply ignoring it.
It didn't help that the mandatory yearly cyber-security training came out shortly before the survey and how the survey e-mail was written and the type of questions asked in the survey ticked off a number of the "This is how you spot a phishing attack" pointers from the training.
You must be new here. The whole point of /. is to let someone else RTF[AMS] for you! :P
I've been a daily visitor for 18 years, and during that time I think I've read the linked article a few dozen times (e.g. cool NASA stuff with pretty pictures), and I only bother to read about 1-2 summaries per month.
That's of State of Michigan workers, not "Michigan workers". (Before the coasties get too smug)
(Then again, I wouldn't expect much better from a typical company. Anywhere.)
I have found that when the security team sends out "phishing" emails about once a month, that helps. Opening the link takes the employee to a page reminding them about phishing. If instead they click the "report" button in Outlook, they get a happy message. It changes behavior after a few months.
Michigan voted for Trump you conservative Republican idiot.
Michigan turned red in 2016. Conservatives like you are really a stupid bunch, but we knew that already.
One election doesn't change the dozens of years of voting history
my karma will be here long after I'm gone
A quick search revealed at least a dozen companies that offer phishing tests to employees, sending fake phishing emails to them to see if they open and click on links. If management isn't using these tools when so many are available, they're as much responsible as if they chose not to use virus scanners or network firewalls. And why don't Google, Microsoft and the other email providers do more by sending fake phishing emails out to educate users more? All it takes is a few fake phishing emails to educate users. The first time it is 20% entering passwords, the second might be 10%, and by the time you get to the fifth fake email you're probably at less than 1%, and only a few percentage points higher even opening the email.
my karma will be here long after I'm gone
I configure my mail clients to only put my inbound in my inbox if you're in my collected addresses. When the report came out, it was an email I simply never saw. But... about 1/3 of this high tech company got phished. On the downside I kinda sorta failed because I didn't report the suspicious email. Meh.
I need my guns to fight the government. The constitution says so.
It's not like if IT doesn't do their job, that absolves workers. Security is something that needs to be thought about by everyone, from janitor to CFO.
Simply declaring such a responsibility, whether rightfully or not, doesn't improve security an inch. That would be magical thinking.
The obvious fact is, people who are not IT specialists tend to lack the awareness and knowledge to be able to fulfill such a responsibility. If employers, or, in the case of public service, we as a society, want employees to care for security, employers have to make sure that they get proper training. Something that obviously has been neglected in the cases we're talking about here. It's as simple as that.
The entire state of Michigan shut down, Russian hackers to blame.
(Not the idiots living in Michigan)
Michigan has a republican governor, state senate and state house, and has for the last 8 years. It's had a republican senate for the last 12 years. Currently, in the house and senate, they have a super-majority.
We've got one of those fine cases of gerrymandering. Michigan isn't as extreme as some other places, but our districts have been drawn to "crack" and "pack" to pretty much hand the republicans the majority. My district is 9 houses wide at my section, and extends 6 miles in each direction where they expand to dilute our votes.
And nobody notices the shutdown because they were all at a juggalo gathering.
Unless our police are using databases which connect to laptops to dictate how they behave, but get real, right..
He is crazy if you think about it; I am not.
AC for obvious reasons.
Got a phone call from Anthem. They left a voice mail with a number of personal details (names of family members) and asked for a call back to some 1-800 number. The originating phone number was not listed on their web site. I called back the 1-800 number and it asked for personal details such as date of birth. "To make sure it's you, please enter your date of birth."
Uh... No.
I hung up and sent my HR department a note telling them that someone was conducting a phone phishing campaign on employees. Hey, they were using phone numbers that were not listed as Anthem's, so that was obvious, right? I expected that this was the end of it, but HR duly contacted Anthem.
A few days later, I got an irate email from some Anthem customer communication guy that, in essence, tells me I am a fool and that this is not phishing but a business-as-usual communication, and can I please stop wasting his time and comply?
I am flabbergasted. These Anthem guys have my email, a site on which they can send me personal notifications, and of course my mailing address. And they chose to send automated phone calls from an unverifiable origin? With personal detail requests that sound furiously like spear phishing? SERIOUSLY?
Does anyone in that company have any bloody clue?
Did anyone else get these legit-sounding phony calls?
Holy frak guys, just start the second civil war already. The rest of the world knows it's coming, might as well just get down to it.
In before Han shoots first!
The part you missed is that the purpose of the audit is to find out what the state of the situation is. It is not the purpose of the audit to assign or restrict Virtue.
So the whole, "Golly it isn't their fault but they look bad" angle is really weak. If you know better, simply refrain from thinking the wrong party is responsible, and take the message as, "there is no system, and the users aren't expert enough to do it right without a system." You don't hide that from ebil "papers" in order to protect people's Virtue, instead it is good for the People to know that there is no working system. Maybe some people later will react by putting a system in place?
Your response is what I'd expect from a representative of the Neckbeard Union or something, just trying to white knight it and protect people not under any attack.
...all the time has already failed.
Please do not read this sig. Thank you.
Odd. I am not a neckbeard Union Rep. I am not in the Union. And I am not sure why you are attacking me.
The Audit was to examine the security and configuration of switches and routers. That was the purpose of the Audit.
The Audit was not to test the security of the State of Michigan. Email is not part of switches and routers. The training courses for internet security come from a whole different Bureau. The State of Michigan has courses that all employees must take that cover phishing scams amongst other things. If they want to audit the group responsible for the training, that is cool. But the Auditors have assigned a finding to a group that has nothing to do with the internet security training. Individuals who configure routers and switches cannot remediate the finding. Now they are stuck with an audit finding forever. The bureau that is responsible for the training should be assigned the finding. They would have the ability to fix things.
btw, I am not part of either bureau. I am not trying to be a white knight and I am not trying to cover things up. There is a problem, but to get it fixed it needs to be assigned to the right group.
Me too. I'm just here for the entertaining comments.