
The Actuator - May 10th

Level 17

This week's links have a security slant because humans remain infallible. The Google Docs phishing email was but one of a handful of headlines reminding me that humans are far too trusting when it comes to basic security. I suppose it is human nature to want to help others; that's why people pick up hitchhikers, I guess. Data security and privacy is one area where I hope the machines rise up to save us from ourselves.

As always, here are some links from the Intertubz that I hope will hold your interest. Enjoy!

For the love of God, stop clicking on shady emails already

Seriously. This is why we can't have nice things.

235 apps attempt to secretly track users with ultrasonic audio

If an app asks for access to your microphone or camera, and you can't imagine why it needs that access, think twice about installing it on your phone.

Antivirus evolved – Microsoft Malware Protection Center Blog

Rise up machines! One of the biggest benefits for Azure Machine Learning is how Microsoft is using machine learning technology to help detect threats. This is one of the (many) reasons why I see Azure overtaking AWS because Microsoft is focused on data security for their customers.

The alarming state of secure coding neglect

Honestly, I'm not that alarmed, because I know that security is an afterthought. If security was important, then we wouldn't be clicking on weird links to random Google Docs folders.

Intel's AMT Flaw: Worse Than Feared

See what I mean? Seven years of flawed chips installed on hardware devices around the globe. At this point, we should just assume that everything we do, or will do, is going to be exposed and lost.

Reckon you've seen some stupid security things? Here, hold my beer...

I could go on with more bad security examples, but Troy Hunt provides a nice summary of how security is hard for most humans.

How to prevent blood clots as airlines squeeze you into tighter spaces

Turns out United was doing that guy a favor by letting some blood flow from his face so as to avoid any blood clots while flying.

Go home, Google Voice, you're drunk. Or maybe machines are further away from helping us than I had hoped. In related news, my heat is just fine:

IMG_6161.JPG

24 Comments
MVP

Nice

Level 20

That Intel bug is really really bad news... updating firmware isn't trivial to get done across the enterprise. It may get to the point where we just need to disable anything that can be clicked in email altogether... many of us already change our email to text only and disable embedded links. The tracking with ultrasonic audio thing is crazy stuff... what will people think of next???

We've added a new first line to every incoming e-mail message that does not originate within our company:

WARNING: This email originated outside of our organization. DO NOT CLICK links or attachments unless you recognize the sender and know the content is safe.



It's an eye-opener, but a constant reminder.  I hope it helps reduce ignorant clicks & phishing & worse.
MVP

The phishing thing is beyond crazy. So many people just don't look closely and assume too much.

I have seen some that were good... you had to spend a little time and look closely to spot the anomalies.

But so many get suckered into the badly formed ones that raise your red flag because it is so obviously fake... Those people I don't feel bad for.

Intel exploit... we know of that one; how many others exist?

Level 12

Several of our senior managers got hit at the workplace by the Google Docs one. Fun times telling them they were going to have to change basically every password they use on every site because they use the same password for everything. Then forcing a password change on their accounts at the workplace too after that.

Level 13

The noise, make it stop!!!!!!!!!!


How long ago did you put this in place - and any data-based indication that it's improving infection rates? We've thought a little bit about some sort of internal disclaimer/warning.


It was implemented just two weeks ago. I don't have empirical data or statistics to judge its effectiveness yet.

Of course, it's partly trying to prove a negative, isn't it?  If an employee didn't click on a link that would have taken them to a phishing event that compromises their system or corporate resources, how will we know we were saved by that line in every inbound e-mail?

MVP

We've been running a phishing awareness campaign here for over a year now. They send phishing-like emails out and you are supposed to report them and you get a thumbs up, or if you click on the link it rats you out and tells you the perils of what you may have done.

Some are pretty crafty and look like an email document from a local scanner/printer... except we didn't use that brand of printer here.

Others look pretty cheesy, some look decent. If it is not something expected, I always look at the headers and source of the body.

It certainly is proving a negative! That was our initial takeaway and kind of what stalled the topic...

Naw, don't let that stop a good idea. If it prevents one major exposure, and even if you don't "know" for certain the policy/process was what saved you--and you probably don't even know your company WAS saved--it was worth it.

Great thought. I'll revive it at our next meeting!

We've also been doing similar, ensuring users are aware of what they could have done.

Level 12

How did you get buy-in from the C-level to do this?

I have suggested we do this several times now. I get the same response every time with a very sturdy no. The reason that I have been given, and I am not making this up or paraphrasing at all, is "We do not want to trick and embarrass our users like that."

Insert Picard face palm.

So now I am doing my best to find ways to get buy-in from the top and get them to see that this is something that needs to be done. There are a lot of services out there for this kind of stuff so it would really not require any extra time on the IT part at all, just the funding for it.

Level 12

I may have to mention this to a few people here. This seems like a great idea, and it's simple.

Level 14

Great stuff as always sqlrockstar

We do Phishing emails as well, as a financial institution we almost have to. We couple it with a training program and it works. Every level of the organization is tested. From the CEO to the receptionist....

The Intel problem worries me ... a lot!

Ultrasonic audio.... what's next... a chip in my head?   oh... wait a minute...

Hopefully enough people got to read your link on malicious email links. Because Wow! was there a nasty release of ransomware yesterday. To be safe I deleted emails en masse. Much like my utility bills, if it's important it'll be sent to me again. Our political situation at home and abroad is reflective in the ongoing voracity of the cyberwars taking place. Scary.

MVP

sparda963​, I am not sure what was involved in getting it approved although it was done and has been in place for a year now.

Level 13

It's really unfortunate that we in I.T. have to come up with creative and innovative ideas to out-think our end users...

Level 17

Security should be a shared responsibility.

MVP

Yeah, man. I'm going to re-pitch it at our upcoming global IT meeting with the brass in attendance.

MVP

All it takes is a little phishing to infect a person's PC and then next thing you have a ransomware event going on.