French Canadian posted:
> Yes? I guess I don't know what you mean.

secondly if someone is dumb enough to click on a button that says "click here to download your Very Important file" why do you think they're not also dumb enough to click on a button that says "click here to read your Very Important file"

Aug 5, 2017 06:02

anthonypants posted:
> people turn that setting off all the time, because it's inconvenient and prevents them from doing their Very Important job

Email address whitelist and locked Excel settings? I dunno dude. People are always gonna be dumb as hell. Is there not some IT solution for this poo poo? Education on the topic will help obviously. But something always gets through if you let the employee be the last line of defense.

Aug 5, 2017 06:19

French Canadian posted:
> Email address whitelist and locked Excel settings? I dunno dude. People are always gonna be dumb as hell. Is there not some IT solution for this poo poo? Education on the topic will help obviously. But something always gets through if you let the employee be the last line of defense.

The employee is always the last line of defence, and you're a fuckup.

Aug 5, 2017 06:52

Trabisnikof posted:
> https://arstechnica.com/tech-policy/2017/08/security-researcher-who-neutralized-wcry-to-be-released-on-30000-bond/

I'm getting a real vibe of this guy said something stupid and sarcastic online and the FBI is taking it at face value.

Aug 5, 2017 08:24

Proteus Jones posted:
> I'm getting a real vibe of this guy said something stupid and sarcastic online and the FBI is taking it at face value.

maybe they have actual evidence though

Aug 5, 2017 10:28

just another row in yospos_secfucks.xlsm

Aug 5, 2017 12:14

French Canadian posted:
> I shouldn't check email at home after a visit to the bar?

It's pretty much impossible to get phishing responses to zero. Even for people who work in security, or send phishing attempts literally an hour after anti-phishing awareness training. Doing these kind of white hat phishing tests and then shaming the people who fail is pointless, aside from curiosity about your population's baseline response rate. Second factor auth requirements and other multilayered protections are much more effective than shaming people.

Aug 5, 2017 12:30

lol being denied bail because you do the perfectly legal defcon tradition of going to shoot at a gun range

Aug 5, 2017 12:34

how dare he exercise his basic rights! LOCK HIM UP

Aug 5, 2017 13:10

pfff he's a dirty foreigner, he has no rights straight to gitmo, never to be heard from again

Aug 5, 2017 13:32

neat little bug in how windows handles TMI icons https://www.cybereason.com/labs-a-z...-special-icons/ https://www.youtube.com/watch?v=cF3sw80oBjY

Aug 5, 2017 14:44

Who was complaining earlier that their bank only asks for 3 characters from their password, and what a secfuck it is? I'm updating addresses and just realised my bank does the same. Also their garbage tier website won't parse my new address of "13 Some Flats, A Street" properly, it sees either "13, A Street" or "Some Flats, A Street" and there's no manual input boxes. Perhaps it's time to switch banks.....

Aug 5, 2017 15:05

mrmcd posted:
> Second factor auth requirements and other multilayered protections are much more effective than shaming people.

Can you explain a bit more how this would apply to me clicking a shameful link? I am not professional computer toucher as evidenced by my phishing 101 failure.

Avenging_Mikon posted:
> The employee is always the last line of defence, and you're a fuckup.

This is helpful and if I heard it from my IT person I would definitely bow my head in shame and change my ways forever.

Aug 5, 2017 16:50

mrmcd posted:
> It's pretty much impossible to get phishing responses to zero. Even for people who work in security, or send phishing attempts literally an hour after anti-phishing awareness training. Doing these kind of white hat phishing tests and then shaming the people who fail is pointless, aside from curiosity about your population's baseline response rate.

shaming is bad, but if you use it as a teachable moment (hey this could have been malicious, here's some tips on how you can identify bogus emails in the future) it can be a Good Thing

Aug 5, 2017 17:12

jammyozzy posted:
> Who was complaining earlier that their bank only asks for 3 characters from their password, and what a secfuck it is? I'm updating addresses and just realised my bank does the same.

idk it might have been me but yeah this is such poo poo behaviour because a) only 3 chars lol and b) if I set a goddamn 15 character passphrase I don't want to have to squint at it to count characters to find 3, 8 and 14

my banking app insists on 3 chars of a 6 char number but I think this is only if you've previously authenticated the device so it's not quite as bad

Aug 5, 2017 17:16

maskenfreiheit posted:
> shaming is bad, but if you use it as a teachable moment (hey this could have been malicious, here's some tips on how you can identify bogus emails in the future) it can be a Good Thing

thing is you can't really use a negative thing as an effective teachable moment

Aug 5, 2017 17:49

cinci zoo sniper posted:
> thing is you can't really use a negative thing as an effective teachable moment

Excuse me but fear of consequences has worked quite well to instill a sense of shameful obedience in my children. They don't know why "thing" is bad, just that "thing" equals "even worse thing".

Aug 5, 2017 17:58

French Canadian posted:
> Can you explain a bit more how this would apply to me clicking a shameful link?

If your security posture is predicated on users never loving up, then you're doomed to failure. Authentication should be a combination of password + hardware token + device identity, and limiting the ability for an attacker to move laterally once an individual user is compromised. As it happens, the things you do to limit damage from phishing also armor against insider risk, because they're essentially the same thing from a security perspective.

I can't (unfortunately) get into the technical details of things we do at my employer to that end, because a lot of it is still confidential. The security people long ago realized that there will always be some non-zero number of users who will get phished, either through zero day attachments or straight up "herd derp I'm so tired let me enter my password into companyinteralaccess.notavirus.ru" or "better get on curl bashing this thing my boss sent me from his personal email." Once you realize that, the entire strategy changes. Education to minimize success is obviously important, but it's only part of a good strategy.

Aug 5, 2017 18:12

French Canadian posted:
> Excuse me but fear of consequences has worked quite well to instill a sense of shameful obedience in my children. They don't know why "thing" is bad, just that "thing" equals "even worse thing".

you are not educating them, just disciplining poorly

Aug 5, 2017 18:13

cinci zoo sniper posted:
> you are not educating them, just disciplining poorly

My sarcasm game is weak...

Aug 5, 2017 18:59

French Canadian posted:
> My sarcasm game is weak...

don't worry you could maul me with a sack of jokes without me noticing it

Aug 5, 2017 19:14

French Canadian posted:
> Everyone already knew they weren't getting bonuses. But still a lovely thing to play off of I would say.

it's illustrative of the type of thing you should take a moment to consider before you click. at this point many wary users won't fall for "hey check out this cool link" types of bait anymore, so an attacker can get some mileage out of another psychological button to push. compensation is one that works great in business.

Aug 5, 2017 19:23

Midjack posted:
> it's illustrative of the type of thing you should take a moment to consider before you click. at this point many wary users won't fall for "hey check out this cool link" types of bait anymore, so an attacker can get some mileage out of another psychological button to push. compensation is one that works great in business.

To be fair, it was partially the "authenticity" of the DropBox-esque email that screwed me over. Gone are the days of Nigerian emails and poor grammar.

Aug 5, 2017 19:51

French Canadian posted:
> To be fair, it was partially the "authenticity" of the DropBox-esque email that screwed me over.

They're still there, phishing is just another attack strategy. 419 emails look like garbage on purpose.

Aug 5, 2017 20:03

as if we didn't know already that the outline is garbage: https://theoutline.com/post/2054/the-wannacry-hacker-hero-was-spending-big-in-vegas-before-his-arrest

> Before being arrested by the FBI while attempting to take a flight back to the United Kingdom, Marcus Hutchins was partying hard in Las Vegas: renting sports cars, going clubbing, and staying at a lavish $1,900 per night rental that happens to have the biggest private pool in the city.

Aug 5, 2017 20:49

French Canadian posted:
> This is helpful and if I heard it from my IT person I would definitely bow my head in shame and change my ways forever.

Good

Less antagonistic, a white list for emails doesn't work for 95% or more of businesses, and you can't lock down everything to absolutely safe levels because you're going to get a dozen+ calls a day asking for IT to allow something to run that's job essential. User education is one of the best things for any sizeable group, and suggesting users shouldn't have a role in security practices is naive at best.

Aug 5, 2017 20:54

Chris Knight posted:
> as if we didn't know already that the outline is garbage: https://theoutline.com/post/2054/the-wannacry-hacker-hero-was-spending-big-in-vegas-before-his-arrest

Aug 5, 2017 21:30

"UK model kidnapped by Polish national who reportedly planned to auction woman on dark web" https://www.theguardian.com/uk-news/2017/aug/05/uk-model-kidnapped-and-held-captive-in-italy-for-six-days

Aug 5, 2017 23:28

agilebits more like agileshits do you want to save this password oh and also all of your payment information you typed into this form

Aug 6, 2017 01:33

i'm the signup page that also takes all your payment info in one stage

Aug 6, 2017 01:50

maskenfreiheit posted:
> "UK model kidnapped by Polish national who reportedly planned to auction woman on dark web"

politely tittering at them using the name of the town in the local dialect

Aug 6, 2017 02:26

i've found it, the dumbest opinion so far: https://cybersecpolitics.blogspot.co.uk/2017/08/the-killswitch-story-feels-like-bullshit.html

> But let me float my and others initial feeling when MalwareTech got arrested: The "killswitch" story was clearly bullshit. What I think happened is that MalwareTech had something to do with Wannacry, and he knew about the killswitch, and when Wannacry started getting huge and causing massive amounts of damage (say, to the NHS of his own country) he freaked out and "found the killswitch". This is why he was so upset to be outed by the media.

Aug 6, 2017 02:27

i think john mcafee is the real hacker

Aug 6, 2017 02:31

Wiggly Wayne DDS posted:
> yeah there's an absurd amount of mudslinging going on inc. mixing up accounts who were trying to pass as him from 2013 onwards

I think what's worse is the fucker from the outline claiming to be telling "just facts" as if that excuses the narrative he's attempting https://twitter.com/williamturton/status/893237886979514368

Aug 6, 2017 02:32

listen i'm just the messenger, what do you expect from me some sort of journalism?

Aug 6, 2017 02:33

French Canadian posted:
> Can you explain a bit more how this would apply to me clicking a shameful link?

normally when your computer gets infected with malicious software the hacker is after your login and password because once they have that they can use it to log into other systems and either take the data they have or infect them to get more login information. but if you have a second authentication factor (for example you need to enter in a constantly changing code from a little keyfob in addition to your password whenever you log in) they can't do that.

they are still able to access anything on your machine and (when you are logged into the network) anything your machine can access like network shares. that's where additional layers come into play: your machine should only have read access to what you need to do your job and write access to things you need to change often. ideally your machine and something valuable like the payroll database server shouldn't be able to even figure out that the other exists, the network infrastructure should simply drop every attempt at communications between the two while also alerting the admins that the attempt was made.

Aug 6, 2017 03:45

today my friend managed to catch in code review one of our shittier devs' "solution" to running tasks remotely. anyone wanna guess what it was doing? it was literally just netcat piped to sh of course! this was going to be installed on a customer's corporate network

Aug 7, 2017 23:40

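What the reviewer should have wanted instead of netcat piped to sh, as an added example that is not the code caught in that review: a task runner that only accepts named tasks from a fixed allowlist, checks an HMAC over each request, refuses replayed nonces, and never hands a request string to a shell. The task names, the JSON request shape and the shared secret are constructed for the example.

```python
import hashlib
import hmac
import json
import subprocess

# Constructed shared secret for the example; a real deployment would load it
# from a secrets store and rotate it, not hard-code it.
SHARED_SECRET = b"example-shared-secret-not-for-production"

# Allowlist: each task name maps to a fixed argv. No shell is ever invoked,
# so there is no command string for a caller to smuggle anything into.
TASKS = {
    "uptime": ["uptime"],
    "disk-usage": ["df", "-h"],
}


def sign_request(task, nonce, secret=SHARED_SECRET):
    """HMAC-SHA256 over task and nonce; the client attaches this as 'mac'."""
    msg = f"{task}\n{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def parse_request(raw, seen_nonces, secret=SHARED_SECRET):
    """Validate one request; return (argv, "ok") or (None, reason).

    Order matters: well-formed JSON, valid MAC, fresh nonce, allowlisted task.
    A nonce is only remembered once its MAC and task have been accepted, so
    unauthenticated garbage cannot poison the replay cache.
    """
    try:
        req = json.loads(raw)
        task, nonce, mac = req["task"], req["nonce"], req["mac"]
    except (ValueError, KeyError, TypeError):
        return None, "malformed"
    if not all(isinstance(v, str) for v in (task, nonce, mac)):
        return None, "malformed"
    expected = sign_request(task, nonce, secret)
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None, "bad-mac"
    if nonce in seen_nonces:
        return None, "replay"
    if task not in TASKS:
        return None, "unknown-task"
    seen_nonces.add(nonce)
    return list(TASKS[task]), "ok"


def run_task(argv):
    """Run an allowlisted argv with no shell and a hard timeout."""
    done = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    return done.returncode, done.stdout
```

Whatever transport carries the JSON (TLS with client certificates would be the usual choice), the dispatcher stays the same: a request either names an allowlisted task with a fresh, correctly signed nonce or it is dropped with a reason worth logging.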
ate all the Oreos posted:
> today my friend managed to catch in code review one of our shittier devs' "solution" to running tasks remotely.

That's not so ba- wat

Aug 7, 2017 23:49

ate all the Oreos posted:
> today my friend managed to catch in code review one of our shittier devs' "solution" to running tasks remotely.

Aug 8, 2017 00:05

the term is "unix philosophy"

Aug 8, 2017 00:51