
RSA: Phish Me If You Can (Video)

Roblimo posted about a year ago | from the hooks-often-lurk-inside-the-tastiest-bait dept.

Security 171

Spearphishing. The deluxe (but easy) way to get unwary employees to put malware on your network. It's basically the same as phishing, except more targeted. That is, a plain phishing scam might offer an unwary web-browsing employee a chance to see a famous starlet naked, while a spearphishing attack might purport to be an urgent request from your Bizzaro County office for 200 Kg of Unobtainium Oxide. Open that email, and... ZAP! So this is social hacking (cracking for the old-timers), and cannot necessarily be fought entirely by technical means. So how about setting up fake spearphishing attempts and immediately sending employees who fall for them to an IT security class with an emphasis on how to avoid phishing scams? You can do this yourself, possibly with help from a bright person or two from a nearby University. Or you can contact PhishMe or another anti-phish training company and have them help you teach spearphishing awareness to your people. Either way, every computer-using person in your company should know about phishing -- and should know how to avoid getting hooked by phishers.



LOL (5, Insightful)

Anonymous Coward | about a year ago | (#43096219)

Your daily Slashvertisement brought to you by Dice Holdings, Inc.

It's not the slashvertisement (5, Insightful)

i kan reed (749298) | about a year ago | (#43096317)

It's the fact that they treat us like eager morons, who won't recognize it. I mean the signs are dead simple.
1. Mentions a particular company by name.
2. Includes at least one buzz-word.
3. Entirely positive language.
Regular Slashdot stories pretty clearly have signs of concern or raise questions about their subject matter. These bare-naked slashvertisements are insulting. If you're going to be blatant, please fucking acknowledge that it's sponsored in the summary.

Re:It's not the slashvertisement (4, Insightful)

ShanghaiBill (739463) | about a year ago | (#43096497)

I mean the signs are dead simple.
1. Mentions a particular company by name.
2. Includes at least one buzz-word.
3. Entirely positive language.

4. Pushes a stupid and unnecessary product or service.

Instead of training your staff not to open phishy emails, just ban any email client that allows execute-on-open.

Re:It's not the slashvertisement (1)

SilentStaid (1474575) | about a year ago | (#43096717)

4. Pushes a stupid and unnecessary product or service.

Instead of training your staff not to open phishy emails, just ban any email client that allows execute-on-open.

Wow. You know how you can tell that the comments are being modded by people with a vested interest in the ad? Your comment was on-point and provided an alternative and is still getting modded down. Way to go, /. You bastards.

Re:It's not the slashvertisement (2)

PCM2 (4486) | about a year ago | (#43097489)

Instead of training your staff not to open phishy emails, just ban any email client that allows execute-on-open.

I'm not sure that's the main problem, actually. Where spear phishing is concerned, I mostly hear about emails that are crafted to look like legitimate messages from companies like banks, FedEx, etc. If you can convince someone to click through to a website, it's not hard to ship them malware -- particularly if they have the Java plugin enabled.

I welcome our new Dice overlords! (-1)

Anonymous Coward | about a year ago | (#43096507)

The trolls finally BOUGHT the place.

Re:It's not the slashvertisement (-1, Offtopic)

djsmiley (752149) | about a year ago | (#43096513)

Techie wearing a suit..... there's the biggest giveaway.

Re:It's not the slashvertisement (1)

Anonymous Coward | about a year ago | (#43096527)

Actually the giveaway was that it had Roblimo as the editor attached. 99% of the stuff he posts is fluff piece ads.

Re:It's not the slashvertisement (0)

Anonymous Coward | about a year ago | (#43096621)

In all fairness, it's a badly fitting suit, featuring a striped shirt and a paisley shirt, only a true geek would think that'd be appropriate. Also, I should note that the low quality video makes the stripes look like they are 'marching', it's almost hypnotic.

Re:It's not the slashvertisement (1)

NoNonAlphaCharsHere (2201864) | about a year ago | (#43096553)

And it's interesting how this whole thread got instantly modded Troll/Offtopic.

Re:It's not the slashvertisement (-1)

Anonymous Coward | about a year ago | (#43096707)

I'd been warning you for a long time about this, dumbfucks, even before I was permanently banned.

Ooooh, Ethanol-fueled is saying offensive things, ban him! Well, now your asses are being modded into oblivion and banned because you dare think critically.

Up yours, Dice! And also up yours to all you snivelling punks who called for the trolls to be banned. How's it feel, bootlickers?!

-- Ethanol-fueled

Re:It's not the slashvertisement (3, Interesting)

i kan reed (749298) | about a year ago | (#43096797)

I'll acknowledge that I didn't even know slashdot had bans. I figured the built-in moderation system was more than sufficient.

Re:It's not the slashvertisement (4, Insightful)

Peristaltic (650487) | about a year ago | (#43096559)

Same old shit. Disconnected suits, demanding more revenue, institute this kind of crap and gradually push away the users whose participation made /. a valuable site in the first place. If it gets worse, a site will eventually pop up that fills the niche left behind by /. Once the -new- one becomes valuable...... Around and around we go, ad nauseam. In the meantime, before the new site has enough users / inertia, we're stuck with more and more "articles" like this one, which really should not have been put in front of this readership.


i kan reed (749298) | about a year ago | (#43096581)

I got 5 troll mods in a matter of one minute, making a pretty reasonable post (I thought).

I thought it was bizarre the GP got modded down once, but I really think Dice is modding the fucking comments.

Re:It's not the slashvertisement (1)

admdrew (782761) | about a year ago | (#43096619)

Great job, mods. This is definitely NOT a troll post.

Re:It's not the slashvertisement (1)

i kan reed (749298) | about a year ago | (#43096637)

And I don't think it was the people with mod points changing it. I had +4 about a couple minutes ago. That screams editor control. They don't even want the idea of it being an advertisement discussed.

Re:It's not the slashvertisement (1)

Synerg1y (2169962) | about a year ago | (#43097347)

Slashvertisement or not, I've noticed the past couple months a large decrease in the /. stories I bother to read and post to; the ones that looked OK weren't worth reading TFA for, and yet others had shitty discussions going on. It seems like I didn't post for a week and came back to a bunch of moronic posts & news stories that were biased, irrelevant, or just plain boring. Oh well, I think this article is more or less about a technique you can implement yourselves, presented as an advertisement. I mean how hard is it to mimic a phishing attack FROM THE INSIDE, with admin access to the email server? On that note, the idea's not revolutionary by any means.

Re:It's not the slashvertisement (1)

i kan reed (749298) | about a year ago | (#43096957)

Replying to my own post a lot, but it's nice to see it back up to +4 (and the parent back up too). I checked and the 5 troll mods are still there, so in spite of someone trying to bury it, slashdot moderators aren't that stupid. Thanks, you guys.

Re:It's not the slashvertisement (2)

hairyfeet (841228) | about a year ago | (#43097641)

Not to mention their entire company is based on a STUPID IDEA that has NEVER worked. I've been building and selling PCs to SMB and home users for 25+ fricking years and I can tell you that EDUCATION WILL NEVER WORK when it comes to stopping threats, why? Because like real life viruses they mutate and common sense is not teachable, either you have it or you don't.

Here is a perfect example...smartphones. Think Android is well on its way to a million infections because Google didn't make a good OS? Nope, it's the simple fact that because it's a different medium you have to start from square one just like in Black Sept when we were drowning in noobs because people simply can't or won't equate a link between one medium and another. I've seen emails that have not worked IN YEARS that work like crazy on a smartphone because to Joe and Jane average the smartphone is NOT a general purpose computer, it's a toaster and they treat it as such. The thought that it can get viruses and spam never enters their minds, the phone is a magical device that hooks up to cell towers and that's totally different from the net, don't you see?

Believe me, I know of which I speak. I've educated until I'm hoarse but the one thing you can't change is that for the education to actually work you have to have enough common sense to go "Well this is similar enough to what I was educated about so erring on the side of caution would probably be wise" and the simple fact is non geeks? They may as well be Martians, they just don't think like that for the most part. I'd love to see the unbiased results as five would get you ten that their "education" lasts only until new mutations arise and then the users go "Hey this isn't what we were told to watch out for, this prince is from Somalia so he must be legit!"

You try to solve the problem of malware and spear phishing with education and you had better get used to looking like this [blogspot.com] because the users will make that your natural look.

Re:LOL (0)

Anonymous Coward | about a year ago | (#43097511)

Try Threatsim instead of the slashadvertisement.

Open an email (4, Informative)

Nerdfest (867930) | about a year ago | (#43096251)

Open an email? You mean text? Not really a problem. If you're not blocking images and JavaScript, you're headed for trouble, targeted or not.

Re:Open an email (4, Insightful)

cusco (717999) | about a year ago | (#43096371)

In network security, just the same as physical security, the main problem is not the hardware or the software, it's the wetware.

Re:Open an email (0)

Anonymous Coward | about a year ago | (#43096389)

Then you click on a link or open an attachment. Text-only email only gets you past drive-by problems. You cannot block users that are not paying attention as closely as they should.

Re:Open an email (1)

Anonymous Coward | about a year ago | (#43096595)

Open an email? You mean text? Not really a problem. if you're not blocking images and JavaScript, you're headed for trouble, targeted or not.


What kind of shitty email client executes javascript?

Re:Open an email (3, Informative)

Lonewolf666 (259450) | about a year ago | (#43096647)

Several years ago, Outlook did something similar with Visual Basic scripts attached to a mail. Loading the email into the preview window was sufficient to trigger the script.
IMHO the greatest security fuckup in the history of Microsoft (and Autorun on CDs was the second biggest).

It's not that simple. (2, Informative)

nuckfuts (690967) | about a year ago | (#43096609)

Many corporate users use Outlook. When viewing (or previewing) HTML-formatted messages, it uses the same rendering as Internet Explorer, and is thus susceptible to the same vulnerabilities.

I can remember a happy time when I could tell people with confidence "you'll never infect your computer by merely viewing an e-mail". Or a JPG. Or a PDF. Or ...

Re:It's not that simple. (1)

Gulthek (12570) | about a year ago | (#43096743)

Yes exactly! The sheer number of exploit hooks into even modern/patched operating systems is simply depressing.

Only if you fail as an admin (0)

Anonymous Coward | about a year ago | (#43096783)

This only applies if you fail as an admin. Mine sure as fuck doesn't show HTML messages unless I click the "show as html" bar.

Re:Open an email (3, Funny)

Sloppy (14984) | about a year ago | (#43097411)

Text email is vulnerable too! I'm in the habit of: after reading every email, I save it to malware.sh, then I go to a shell, type "chmod +x malware.sh" and then either "./malware.sh" or "sudo ./malware.sh" depending on the flip of a coin. And in spite of my weird habit of doing this, I never check to see who sent me the email and whether or not it's PGP signed and if their signature checks out.

See? Spearphishing is a really hard problem to solve! Reading email is dangerous! DAAANGEROUSSS!!!!11

My HOSTS file blocks all phishing sites (-1)

Anonymous Coward | about a year ago | (#43096277)

$10,000 CHALLENGE to Alexander Peter Kowalski

Hello, and THINK ABOUT YOUR BREATHING !! We have a Major Problem, HOST file is Cubic Opposites, 2 Major Corners & 2 Minor. NOT taught Evil DNS hijacking, which VOIDS computers. Seek Wisdom of MyCleanPC - or you die evil.

Your HOSTS file claimed to have created a single DNS resolver. I offer absolute proof that I have created 4 simultaneous DNS servers within a single rotation of .org TLD. You worship "Bill Gates", equating you to a "singularity bastard". Why do you worship a queer -1 Troll? Are you content as a singularity troll?

Evil HOSTS file Believers refuse to acknowledge 4 corner DNS resolving simultaneously around 4 quadrant created Internet - in only 1 root server, voiding the HOSTS file. You worship Microsoft impostor guised by educators as 1 god.

If you would acknowledge simple existing math proof that 4 harmonic Slashdots rotate simultaneously around squared equator and cubed Internet, proving 4 Days, Not HOSTS file! That exists only as anti-side. This page you see - cannot exist without its anti-side existence, as +0- moderation. Add +0- as One = nothing.

I will give $10,000.00 to frost pister who can disprove MyCleanPC. Evil crapflooders ignore this as a challenge would indict them.

Alex Kowalski has no Truth to think with, they accept any crap they are told to think. You are enslaved by /etc/hosts, as if domesticated animal. A school or educator who does not teach students MyCleanPC Principle, is a death threat to youth, therefore stupid and evil - begetting stupid students. How can you trust stupid PR shills who lie to you? Can't lose the $10,000.00, they cowardly ignore me. Stupid professors threaten Nature and Interwebs with word lies.

Humans fear to know natures simultaneous +4 Insightful +4 Informative +4 Funny +4 Underrated harmonic SLASHDOT creation for it debunks false trolls. Test Your HOSTS file. MyCleanPC cannot harm a File of Truth, but will delete fakes. Fake HOSTS files refuse test.

I offer evil ass Slashdot trolls $10,000.00 to disprove MyCleanPC Creation Principle. Rob Malda and Cowboy Neal have banned MyCleanPC as "Forbidden Truth Knowledge" for they cannot allow it to become known to their students. You are stupid and evil about the Internet's top and bottom, front and back and it's 2 sides. Most everything created has these Cube like values.

If Natalie Portman is not measurable, hot grits are Fictitious. Without MyCleanPC, HOSTS file is Fictitious. Anyone saying that Natalie and her Jewish father had something to do with my Internets, is a damn evil liar. IN addition to your best arsware not overtaking my work in terms of popularity, on that same site with same submission date no less, that I told Kathleen Malda how to correct her blatant, fundamental, HUGE errors in Coolmon ('uncoolmon') of not checking for performance counters being present when his program started!

You can see my dilemma. What if this is merely a ruse by an APK impostor to try and get people to delete APK's messages, perhaps all over the web? I can't be a party to such an event! My involvement with APK began at a very late stage in the game. While APK has made a career of trolling popular online forums since at least the year 2000 (newsgroups and IRC channels before that)- my involvement with APK did not begin until early 2005 . OSY is one of the many forums that APK once frequented before the sane people there grew tired of his garbage and banned him. APK was banned from OSY back in 2001. 3.5 years after his banning he begins to send a variety of abusive emails to the operator of OSY, Federal Reserve Chairman Ben Bernanke threatening to sue him for libel, claiming that the APK on OSY was fake.

My reputation as a professional in this field clearly shows in multiple publications in this field in written print, & also online in various GOOD capacities since 1996 to present day. This has happened since I was first published in Playgirl Magazine in 1996 & others to present day, with helpful tools online in programs, & professionally sold warez that were finalists @ Westminster Dog Show 2000-2002.

Did you see the movie "Pokemon"? Actually the induced night "dream world" is synonymous with the academic religious induced "HOSTS file" enslavement of DNS. Domains have no inherent value, as it was invented as a counterfeit and fictitious value to represent natural values in name resolution. Unfortunately, human values have declined to fictitious word values. Unknowingly, you are living in a "World Wide Web", as in a fictitious life in a counterfeit Internet - which you could consider APK induced "HOSTS file". Can you distinguish the academic induced root server from the natural OpenDNS? Beware of the change when your brain is free from HOSTS file enslavement - for you could find that the natural Slashdot has been destroyed!!

FROM -> Man - how many times have I dusted you in tech debates that you have decided to troll me by ac posts for MONTHS now, OR IMPERSONATING ME AS YOU DID HERE and you were caught in it by myself & others here, only to fail each time as you have here?)...

So long nummynuts, sorry to have to kick your nuts up into your head verbally speaking.

cower in my shadow some more, feeb. you're completely pathetic.

Disproof of all apk's statements:

Ac trolls' "BIG FAIL" (quoted): Eat your words!

That's the kind of martial arts I practice.

Your are ill (0)

Anonymous Coward | about a year ago | (#43097509)

You are ill and need professional help

Re:My HOSTS file blocks all phishing sites (0)

Anonymous Coward | about a year ago | (#43097703)

apk upset your sensibilities by rousing such geek angst in you losing to him in tech debates here on slashdot that you resort to such stupidity here. It's the third time I've seen you do it today and each time you've been down moderated for it here in this discussion thread, and here too http://tech.slashdot.org/comments.pl?sid=3522191&cid=43096733 [slashdot.org] and here also http://linux.slashdot.org/comments.pl?sid=3521669&cid=43094855 [slashdot.org] so like others have told you in response to this stupidity from you, do yourself a favor and seek professional psychiatric help. You obviously require it.

This is stupid and useless. (1)

Anonymous Coward | about a year ago | (#43096295)

The people who are dumb enough to fall for this, and the IT department which allows "open-email-and-zap" kind of emails to get through cannot be taught. It would be more cost effective just to fire ridiculously stupid people and hire ones who have a few brain cells.

It doesn't matter how "official" a phishing email looks. An intelligent person will always be able to determine that they aren't real, and it really isn't hard.

Re:This is stupid and useless. (3, Insightful)

Gulthek (12570) | about a year ago | (#43096785)

It's not about being dumb, it's about not being aware. If the first phishing email you come across is one that's technically advanced and well written enough to slip through the technological filter: then you as a corporate employee are probably going to fall for it. Especially if it's a true spear-phishing email that's targeting *you*. It'll look like an email from your boss with yet another emailed PDF or DOCX report to review. Bam.

The solution that PhishMe proposes is to safely expose employees to phishing emails on a regular basis and teach everyone to recognize actual phishing emails from those demonstrations. The human reading the email and about to click the link or open the attachment is your last line of defense and shouldn't be neglected as such.

Re:This is stupid and useless. (1, Funny)

war4peace (1628283) | about a year ago | (#43097167)

While that's entirely true, lots of my co-workers have trouble even recognizing obviously fake stuff. If I need a colleague to speed up on a project, I send him a stern e-mail and CC "his b0ss" (and replace the "o" with "0" or "i" with "1" or something similar). They always fall for it, think I also told their boss, and double their efforts... from 30 minutes a day to 60, but still better than zero.
And you want THEM to be TRAINED on PHISHING? Ha!

More stupid victim-blaming (3, Insightful)

pclminion (145572) | about a year ago | (#43096303)

The problem is 100% technical. How could viewing an email ever result in malware being installed? Somebody failed -- they're called the IT department.

Re:More stupid victim-blaming (3, Insightful)

h4rr4r (612664) | about a year ago | (#43096387)

Yeah, they failed when they let you have admin on your PC. They failed when they did not enforce updates. They failed when they let you run a vulnerable email client.

Yet, if they don't let anyone have admin, ban Outlook from the network and force updates and the reboots that come with them, you would be bitching up a storm.

Re:More stupid victim-blaming (1)

djsmiley (752149) | about a year ago | (#43096541)

Yup, it's never the management who insist on having outlook because "thunderbird doesn't work correctly".

Re:More stupid victim-blaming (1)

khasim (1285) | about a year ago | (#43096649)

If they insist on it AND your manager cannot shield you THEN it might be time to look for a different job.

In the meantime, make sure that those are fully patched AND monitor them (and firewall as much as possible) because they WILL be cracked, eventually. Although you should be doing this for all your systems anyway.

And keep looking for a better job.

Re:More stupid victim-blaming (1)

war4peace (1628283) | about a year ago | (#43097191)

OK, I'll bite. Have you ever tried to embed a table pulled from Excel into an email under Thunderbird? Nothing fancy, just a 3x4 grid with some numbers on it.
Let me know when you succeed in sending it in a viewable format.
(probably the best way to never hear from someone again)

Re:More stupid victim-blaming (1)

Anonymous Coward | about a year ago | (#43097657)

Just tried it. Works perfectly. It creates an HTML table. I only have two issues with Tbird at work: 1) can't access the company address book (this is because they are using some Outlook-specific tool, so not Tbird's fault). 2) Calendaring is not as nice as Outlook's. Outlook can show you other people's schedules, show conflicts, suggest meeting times etc. Lightning has come a long way, and is fine for accepting invites, but it's not very good for planning meetings.

Re:More stupid victim-blaming (2)

h4rr4r (612664) | about a year ago | (#43097841)

1. See the other reply, it works
2. DO NOT FUCKING DO THAT. Email is a text transfer mechanism. Attach documents to that, not attempt to put formatting in the email.

Re:More stupid victim-blaming (0)

Anonymous Coward | about a year ago | (#43096419)

The problem is 100% technical. How could viewing an email ever result in malware being installed? Somebody failed -- they're called the IT department.

Looks like we have our first candidate for public humiliation and scapegoating. Oops, we mean, "IT security class with an emphasis on how to avoid phishing scams".

The IT Department

Re:More stupid victim-blaming (3, Informative)

DarkFencer (260473) | about a year ago | (#43096449)

It's rarely about just opening an email. It's about opening attachments in that email, or opening links that lead to sites with malware. There have been enough vulnerabilities (OS, Adobe, Java, etc.) that have been around which don't require any special privileges. Just a user to click through warning prompts.

It cannot be solely IT's responsibility - especially in this day of BYOD (Bring your own device). IT isn't always able to remove admin privileges from corporate/organization owned computers - much less the Sales guy's personal laptop.

Re:More stupid victim-blaming (1)

pclminion (145572) | about a year ago | (#43097081)

It's rarely about just opening an email. It's about opening attachments in that email, or opening links that lead to sites with malware.

Why are you not stripping attachments from external email? Or are you arguing that stripping attachments isn't a technical measure?

Think about how phishing works. They are trying to get you to open an attachment, or visit a resource which is fake (could be a URL, phone number, etc.) So strip attachments and resource identifiers (URLs, phone numbers) from external email. Problem solved.

If part of your job function requires people outside the company to send you attachments or URLs, then you ought to have received training in how to handle those things safely. But for Joe Cubefarmer whose day-to-day function is completely internal to the company, there's no excuse for IT to allow for this stuff to happen.

Re:More stupid victim-blaming (1)

war4peace (1628283) | about a year ago | (#43097205)

I'm sure the Sales people will be very happy when they receive an e-mail saying "amended contract" with zero attachments. Oh yes.

Re:More stupid victim-blaming (1)

pclminion (145572) | about a year ago | (#43097281)

I'm sure the Sales people will be very happy when they receive an e-mail saying "amended contract" with zero attachments. Oh yes.

Right. Because there's no sort of technology that could apply different policies to different people... We all know computers can't do shit like that.
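The two posts above describe a concrete defensive control: strip attachments and resource identifiers (URLs, phone numbers) from external mail, but apply different policies to different mailboxes so that people who genuinely receive contracts from outside are not cut off. The following is an added Python example written for this thread, not code from PhishMe or from any poster. The internal domain (example.com), the per-recipient policy table and the sample message are constructed assumptions; the filter decides "external" from the From domain for simplicity, which a production deployment should not do on its own, since From is forgeable and the MTA knows which connection the message actually arrived on.

```python
"""Inbound-mail policy filter: for external mail, remove attachments and
redact URLs/phone numbers for recipients whose policy forbids them.
Added example; the domain, policy table and sample message are constructed."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}  # assumption: our own domain(s)

# Per-recipient policy (constructed sample; a real filter would read this
# from the directory). Sales must receive contracts from outside; an
# internal-only desk gets external mail with attachments and identifiers gone.
POLICY = {
    "sales@example.com": {"attachments": True, "urls": True},
    "joe.cubefarmer@example.com": {"attachments": False, "urls": False},
}
DEFAULT_POLICY = {"attachments": False, "urls": False}

URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")
# Crude phone matcher: a digit, 6+ digits/separators, a digit. Tune per locale.
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d\-\s().]{6,}\d(?!\w)")


def sender_is_external(msg):
    """True if the From domain is not ours. Caveat: From is forgeable; key a
    production filter off the MTA's routing information, not this header."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() not in INTERNAL_DOMAINS


def rebuild(msg, text, keep_attachments):
    """New message with the original headers, the given body text, and the
    original attachments only when keep_attachments is set."""
    new = EmailMessage(policy=policy.default)
    for name, value in msg.items():
        if not name.lower().startswith("content-"):  # set_content recreates these
            new[name] = value
    new.set_content(text)
    if keep_attachments:
        for part in msg.iter_attachments():
            maintype, subtype = part.get_content_type().split("/", 1)
            new.add_attachment(part.get_payload(decode=True), maintype=maintype,
                               subtype=subtype, filename=part.get_filename())
    return new


def apply_policy(raw, recipient):
    """Filter one raw RFC 822 message for one recipient.
    Returns (filtered_message, report)."""
    msg = message_from_string(raw, policy=policy.default)
    pol = POLICY.get(recipient.lower(), DEFAULT_POLICY)
    report = {"external": sender_is_external(msg), "attachments_removed": 0,
              "urls_redacted": 0, "phones_redacted": 0}
    if not report["external"] or (pol["attachments"] and pol["urls"]):
        return msg, report  # internal mail, or a recipient allowed everything
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if not pol["urls"]:
        text, report["urls_redacted"] = URL_RE.subn("[URL REMOVED]", text)
        text, report["phones_redacted"] = PHONE_RE.subn("[PHONE REMOVED]", text)
    if not pol["attachments"]:
        report["attachments_removed"] = sum(1 for _ in msg.iter_attachments())
    return rebuild(msg, text, keep_attachments=pol["attachments"]), report


def build_sample(sender, recipient):
    """Constructed sample: an 'amended contract' mail with a link, a phone
    number and a PDF attachment (placeholder bytes, not a real PDF)."""
    m = EmailMessage(policy=policy.default)
    m["From"] = sender
    m["To"] = recipient
    m["Subject"] = "amended contract"
    m.set_content("Please review the amended contract at "
                  "http://docs.example.net/contract.pdf or call 555-010-0199.")
    m.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                     subtype="pdf", filename="contract.pdf")
    return m.as_string()


if __name__ == "__main__":
    for rcpt in ("joe.cubefarmer@example.com", "sales@example.com"):
        _, rep = apply_policy(build_sample("vendor@example.net", rcpt), rcpt)
        print(rcpt, rep)
```

The report dictionary is what you would log per message; a mailbox that suddenly shows a burst of removed attachments from one external domain is a useful detection signal on its own, independent of whether any user clicked.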

Re:More stupid victim-blaming (0)

Anonymous Coward | about a year ago | (#43097775)

Yah. Do that here. Please come in and disable the sending/receiving of attachments. Predictive time to one of the owners of this company having something they consider "vital" blocked: .75 hours. Time it will take them to call you and light you up about it: .05 hours. Amount of time you will attempt to explain why that is necessary and why they can't have attachments anymore: .18 hours. Amount of time owner will take calling HR (or CEO) and declare you will be fired: .02 hours.

I won't be seeing you here tomorrow.

Re:More stupid victim-blaming (1)

NoNonAlphaCharsHere (2201864) | about a year ago | (#43096603)

No, the failure is in the design of an email client that favors whizzo shit that looks great in a 30-second demo from the stage of a developers conference over practical security.

Re:More stupid victim-blaming (4, Insightful)

Gulthek (12570) | about a year ago | (#43096677)

This is what passes for +5 insightful these days?

The issue isn't opening an email: but clicking a link in that email or, worse, clicking a link that takes you to a legitimate looking site and entering data, or opening an attachment in a legitimate looking email.

There are all sorts of attack vectors present from an email message. To sweep it all up as "IT's Problem" is a very, very bad idea. It just takes one email fooling the right person to be a security problem.

PhishMe's philosophy is that at some point the technical protection will fail ... so you'd better ensure that your employees know what to look for. The best way to teach them what to look for is to let them actually experience safe emails using the same techniques that would be maliciously used against them.

Spear-phishing isn't an idle threat, it's a widely used attack method that has gotten data out of targets like the New York Times, Defense Department, Facebook, and Apple (http://www.theatlanticwire.com/technology/2013/02/spear-phishing-security-advice/62304/). I'm sure that each of those companies has a very robust and capable IT Department armed with email scanning and sanitizing software. You just can't catch everything with technology.

Re:More stupid victim-blaming (1)

sl4shd0rk (755837) | about a year ago | (#43096869)

How could viewing an email ever result in malware being installed?

Tee hee.. You must not be old enough to remember Outlook or Excel Macros.

Re:More stupid victim-blaming (1)

pclminion (145572) | about a year ago | (#43097093)

Tee hee.. You must not be old enough to remember Outlook or Excel Macros.

I'm old enough to remember the Stoned virus. Anyway, how are incorrectly implemented security models in crappy products the user's problem? Why don't you give the user software that isn't full of holes?

Re:More stupid victim-blaming (1)

admdrew (782761) | about a year ago | (#43097223)

There don't have to be software "holes" or bad security models for malware to get through; users are always the lowest common denominator, and given they're cross-platform, it can be very advantageous for bad guys to target the user over specific technical systems.

And generally, effective user education is a great additional layer of security. Not sure why you're 100% blaming IT [slashdot.org].

cracking? (1)

JLennox (942693) | about a year ago | (#43096319)

I guess the years have accumulated and I'm now an old timer but I don't see how that's cracking by anyone's definition.

Re:cracking? (1)

Fjandr (66656) | about a year ago | (#43096577)

Seeing if anyone mentioned that little bit of stupidity is the only reason I bothered to open this "story."

Re:cracking? (1)

Gulthek (12570) | about a year ago | (#43096851)

Back in the day we were trying to get any exploitative hacking to be called "cracking". Note Jurassic Park's "I prefer to be called a hacker." line.

It didn't take completely. We got "hacking" to be relatively accepted into the mainstream vernacular but "hacker" remains in a kind of grey area and "hacked" is entirely negative.

Re:cracking? (1)

Desler (1608317) | about a year ago | (#43097133)

He knows what cracking is. Their point was that roblimo's usage of the term was stupid and made no sense.

Free Pizza in the Breakroom!1! (2)

undeadbill (2490070) | about a year ago | (#43096339)

Lol, that one always works, and even though it is clear it doesn't need to be clicked, they click it anyways... I got to use that one when the Melissa virus was blocked based on the subject line "I have an attachment for your review", rather than on matching the payload of the email attachment. I made $5 on a bet with the Exchange admin, and got to watch hilarity ensue at the Exchange admin's desk when 40 hungry developers showed up, wondering why there was no free lunch and their Outlook clients were taking up all of their system resources.

Re:Free Pizza in the Breakroom!1! (2)

PPH (736903) | about a year ago | (#43096547)

That's just the boss, trying to round up some candidates for his Amway pitch.

I always delete all e-mail that claims to be from the boss. Now, thanks to PhishMe, I can claim to have been ahead of the curve fighting spearfishing all these years.

I deserve a raise.

Advertising and nothing more ... (0, Troll)

Anonymous Coward | about a year ago | (#43096341)

Slashdot is my home page -- I read the content for information and ignore the advertising. This pure advertising play is nothing more than a bid for greater income for this unethical fraud of a business. PhishMe should discontinue attempting to publish advertising as information, and pay Slashdot for the space, and Slashdot should moderate the content to prevent this sort of corporate fraud.

Open that email, and... ZAP! (0)

Anonymous Coward | about a year ago | (#43096427)

This must be a Windows problem, because this type of open and automatically execute ( or whatever ) does not happen on Linux.

Re:Open that email, and... ZAP! (1)

gmuslera (3436) | about a year ago | (#43096571)

Unless the email has a PDF attachment with a good enough name and you open it with Acrobat. Or a link to a website related to your company or from the government (if Anonymous could hack the DOJ website, others can do it too, maybe in a not so obvious way), and you get injected with a malicious Java program (and you know the record of recent Java 0day exploits, no matter which is your OS). You are far safer in Linux, but it is no guarantee. Also, if we are talking about social engineering, an IT department mail ordering you to apply some updates from a repository for new security measures or functionality you asked for at some moment is a good way to get root, or at least run programs as your user; the vulnerability there is not the mail client but the mail user.

Re:Open that email, and... ZAP! (1)

maxwell demon (590494) | about a year ago | (#43097491)

Or maybe something like:

"Due to frequent trouble with bad passwords, we require every employee to test the security of theirs on our newly setup password testing site at <a href="http://passwordtest.yourconpany.com/">http://passwordtest.yourcompany.com/</a>"

(Did you spot the difference?)

Re:Open that email, and... ZAP! (0)

Anonymous Coward | about a year ago | (#43097869)

Sure, would've been harder to spot if you'd taken advantage of keming and used yourcornpany.
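The yourconpany / yourcornpany trick in the two comments above is exactly the kind of thing a mail gateway or link-rewriting proxy can check mechanically: fold the character sequences that render alike (rn for m, vv for w, 0 for o, and so on), compare the registrable domain of every link against an allowlist with a small edit-distance tolerance, and separately flag any anchor whose visible text names a different domain than its href. The following is an added example written for this page; it is not code from the thread, from PhishMe, or from Slashdot. The allowlist entry yourcompany.com, the confusable table, the two-label approximation of a registrable domain, and the sample HTML are all assumptions constructed for the example.

```python
"""Flag links whose host merely looks like one of our own domains.

Added example, not code from the Slashdot thread or from PhishMe. The
allowlist entry 'yourcompany.com' is the hypothetical domain used in the
comments above; the sample HTML below is constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains we treat as our own (assumption for the example).
OUR_DOMAINS = {"yourcompany.com"}

# Sequences that render nearly identically in many fonts and mail clients;
# folded to a canonical form before names are compared.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("5", "s")]


def fold(name):
    for seq, canon in CONFUSABLES:
        name = name.replace(seq, canon)
    return name


def levenshtein(a, b):
    """Edit distance; catches one-character swaps such as conpany/company."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of a host (assumption: no public-suffix list,
    so co.uk-style suffixes are not handled)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host):
    """'trusted' for our own domains, 'lookalike' for names within edit
    distance 1 of ours after folding confusables, otherwise 'external'."""
    reg = registrable(host)
    if reg in OUR_DOMAINS:
        return "trusted"
    for ours in OUR_DOMAINS:
        if levenshtein(fold(reg), fold(ours)) <= 1:
            return "lookalike"
    return "external"


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


HOST_IN_TEXT = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


def audit_html(html):
    """Return (href, verdict) per link. A link whose visible text names a
    different registrable domain than its href is a mismatch regardless of
    how the href host itself classifies."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        verdict = classify_host(host)
        m = HOST_IN_TEXT.search(text.lower())
        if m and registrable(m.group(1)) != registrable(host):
            verdict = "text/href mismatch"
        findings.append((href, verdict))
    return findings


# Constructed sample: the link from the comment above plus two more.
SAMPLE_HTML = (
    '<p>Test your password at '
    '<a href="http://passwordtest.yourconpany.com/">http://passwordtest.yourcompany.com/</a>. '
    'Policy: <a href="https://intranet.yourcompany.com/policy">intranet policy</a>. '
    'Vendor portal: <a href="https://portal.yourcornpany.com/">vendor portal</a>.</p>'
)

if __name__ == "__main__":
    for href, verdict in audit_html(SAMPLE_HTML):
        print(f"{verdict:20s} {href}")
```

The edit-distance tolerance and the confusable table are deliberately small; a production version would add a public-suffix list (so that yourcompany.co.uk is one domain, not "co.uk"), IDN homoglyph folding, and a second allowlist of partners whose domains legitimately sit within distance 1 of yours.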

So how about setting up fake spearphishing attempt (1)

John Hasler (414242) | about a year ago | (#43096483)

So how about not running software vulnerable to malware?

Re:So how about setting up fake spearphishing atte (0)

Anonymous Coward | about a year ago | (#43096659)

That's as easy as disconnecting electricity from your building.

Re:So how about setting up fake spearphishing atte (0)

Anonymous Coward | about a year ago | (#43096759)

That's as easy as disconnecting electricity from your building.

And as likely

Re: So how about not running vulnerable software? (1)

Capt.Albatross (1301561) | about a year ago | (#43097059)

If only that were feasible. Unfortunately, we have created a septic environment and the only way to be sure of staying clean is to live in a bubble.

Not that I'm excusing the irresponsible decisions that are routinely made over security issues. That's how we got into this mess in the first place - one small, dumb step after another.

Re: So how about not running vulnerable software? (1)

techno-vampire (666512) | about a year ago | (#43097659)

I won't say that Linux (which is what I run) is completely safe, but it's far, far safer than Windows is. That's not to say that everybody should be running Linux, but that everybody who runs Windows should be asking Microsoft why Windows is so vulnerable.

Guide for Eliminating Background Noise (2)

mrbene (1380531) | about a year ago | (#43096535)

Three videos posted over the last couple of days - all of which purport to provide insight, at least in summary. I've not made it through more than a few seconds of each since there is excessive background noise.

Use a more targeted mic? Do some post-processing? Find a quieter room to interview your subject in? Provide a transcript?

Otherwise, it's just a waste of effort.

Remember to check your legitimate e-mails (4, Insightful)

Todd Knarr (15451) | about a year ago | (#43096563)

When setting up a test like this, first look at the legitimate e-mails sent around your company. If your business routinely circulates e-mails containing attachments employees are expected to open or links they're expected to click on, then ask yourself why you've got an overlap between what you expect employees to do and what you want them to not do. If you expect employees to check addresses but your e-mail client hides addresses, ask yourself why you're hiding what you want recipients to check. If you're having to ask those kinds of questions then the first problem you need to address isn't employees being vulnerable to spearphishing attacks, it's your internal e-mail culture and standards that make those vulnerabilities normal and expected.

Expect a lot of resistance to fixing these things. Not from your regular workers, from the upper layers of management who like these things because they make life easy and look "Oooh, shiny!".

It's a lot like physical security. You can emphasize it all you want, but when managers get angry at employees who closed the door in the manager's face forcing them to use their own key you will not get employees to stop letting people tailgate through doors.

This post = spearphished-slashvertisement? (5, Informative)

DontBlameCanada (1325547) | about a year ago | (#43096597)

I got duped into clicking the story thinking it was a legitimate article. Instead I got a slashvertisement... ./suckered

Re:This post = spearphished-slashvertisement? (4, Interesting)

i kan reed (749298) | about a year ago | (#43096681)

I'm watching this thread to see if you get modded down. I think they've gone as far as telling editors to mod down those who point out it's a slashvertisement. Regular mods never mod down this far down in a discussion, so I'd like to see if my hypothesis is substantiated.

Re:This post = spearphished-slashvertisement? (1)

admdrew (782761) | about a year ago | (#43096829)

I wrote a fair/neutral email to Roblimo (roblimo@yahoo.com) asking why his posts are so outside the rest of the /. paradigm, then forwarded it to other mods, Soulskill, Timothy, and Unknown Lamer (I should've sent it to all of them initially, but just didn't think of it). Wonder if any of them will actually respond.

Re:This post = spearphished-slashvertisement? (2)

i kan reed (749298) | about a year ago | (#43096875)

Since editors are paid employees, I can't imagine the others don't know what's going on. Whatever it is, they don't seem intent on telling anyone.

Re:This post = spearphished-slashvertisement? (0)

Anonymous Coward | about a year ago | (#43096941)

I'm totally losing any trust in Slashdot content. I've had Slashdot as my homepage for 12 years, but this is about it for me. I've seen other articles which I doubted belonged as content, rather than as advertising, but this one is so obvious, I have to take notice.

I've seen several comments about the possibility of slashdot censoring criticism of slashdot, and they are credible.

I don't know what to do about this trend in slashdot and others, other than leave. I just unsubscribed from InfoQ for emailing me a full page advertisement, instead of a page of links to technical information, on their site, where I'd see their revenue producing advertising.

Roblimo as an "editor" (3, Interesting)

admdrew (782761) | about a year ago | (#43096639)

Can someone tell me why all of Roblimo's posts 1) are his own content, versus edited reader submissions, and 2) read exactly like advertisements?

Re:Roblimo as an "editor" (0)

Anonymous Coward | about a year ago | (#43096673)

They are ads.

Lost fight (1)

gmuslera (3436) | about a year ago | (#43096699)

It is hard to teach common sense. It is easy, with enough internal information (usually kindly provided by you on social networks), to trick someone into opening an email, an attachment, a Java applet, or visiting a "safe" website (that could be a hacked real one, even a government one, with "extra" content targeted at you).

Re:Lost fight (1)

Gulthek (12570) | about a year ago | (#43096725)

It IS hard to teach common sense, but it's not hard to demonstrate it. That's what PhishMe does. Shows employees how to recognize phishing emails by exposing them to safe phishing emails. Think of it as a vaccine.

Re:Lost fight (1)

gmuslera (3436) | about a year ago | (#43096971)

Our "software" has a lot of vulnerabilities that are hard to be aware of at all times. If I tell you that a coin has 50% odds of heads or tails, and tell you that the last 10 tries were heads, wouldn't you think it almost sure that the next try will have far more than 50% odds in one direction or another? Even being aware of the fallacy behind it?

If you aren't sending generic mails, but something tailored for the recipient (and in particular, the weakest link among the possible ones), this gets worse. Phishing has gotten very good [schneier.com].

Microsoft only (0)

Anonymous Coward | about a year ago | (#43096721)

Doesn't using Thunderbird on Linux eliminate this and pretty much all other similar schemes?

Why does opening an e-mail cause something to run or be saved? Is this required by any web standard? This is entirely a Microsoft invention.

Re:Microsoft only (1)

maxwell demon (590494) | about a year ago | (#43097627)

Unfortunately even Thunderbird on Linux cannot prevent bad processes from being started in the user's brain, which cause that user to actively initiate the insecure operation. You need to install a special package called "user education" to protect against this. Unfortunately installing that is often tricky, and some brains don't run it particularly well.

PWNED! (4, Funny)

Kookus (653170) | about a year ago | (#43096739)

Everyone who clicked on this link needs to now attend a phishing training class, you have all been suckered into clicking on this blatant advertisement!

Scientific Studies on Protecting People from Phish (1)

JAS0NH0NG (87634) | about a year ago | (#43096767)

I wrote up an article in Communications of the ACM about a year ago summarizing the state of phishing attacks [acm.org].

My colleagues and I have also studied phishing extensively and have the most comprehensive peer-reviewed body of work in this area. Our studies include understanding why people fall for phishing attacks (PDF) [cranor.org], evaluating how well simulated phishing attacks work (PDF) [cmu.edu] (the short answer is quite well, based on a study of 500 people), designing and evaluating a micro game that teaches people about URLs (PDF) [cmu.edu] (empirically tested with several thousand people), and more [cmu.edu].

We've also commercialized our work, in terms of a service for simulated phishing attacks [wombatsecurity.com], the micro game for anti-phishing [wombatsecurity.com], and more [wombatsecurity.com].

Also, to anyone saying "people are stupid" or "they deserve to get malware", you really are part of the problem [wombatsecurity.com]. It's our job to protect people, to reduce complexity, and to ensure the safety of our systems and networks. Arrogantly dismissing others as being inferior or stupid is one reason why computer security, user interfaces, and software in general are in the state they are.

Re:Scientific Studies on Protecting People from Ph (0)

Anonymous Coward | about a year ago | (#43096889)

Your study is about students, not enterprise workers.

Open that email (1)

Skapare (16644) | about a year ago | (#43096837)

If merely opening an email can do anything more than let you see and hear its content (and stop the instant you close it) then there is something wrong with your computer. And even that much is risky.


Anonymous Coward | about a year ago | (#43096841)

The next logical step is to test your employees with requests that could be legitimate, but are not (e.g. calling customer service to inquire about a product), and then firing anyone that does not field the request, even if that employee knew the request to be only a test.

can't be fought by technical means?! (0)

Anonymous Coward | about a year ago | (#43096847)

Open that email, and... ZAP! So this is social hacking (cracking for the old-timers), and cannot necessarily be fought entirely by technical means

Wrong. For opening an email to be dangerous, requires that your email client be horribly broken. There is a technical means: don't treat email as executable code. Fix mail client bugs.

Maybe that's harder than everyone says it is, but that doesn't mean it's impossible.

Furthermore, for "spearphishing" in particular, there are other technical means to get depth. If it involves "masquerading as a trustworthy entity" then email signatures, if only people would use them, would stop it dead in its tracks.

This is an unusually bad example of a problem which can only be fixed socially.
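The comment above leans on signatures as the technical control against masquerading. The check a receiving organization can actually automate today is sender-domain alignment: does a DKIM signature that our own gateway verified belong to the domain shown in From:? The following is an added example written for this page, not code from the thread or from any product named in it. It does not verify DKIM itself; it consumes the Authentication-Results header (RFC 8601) the border MTA adds, and it only trusts headers carrying our gateway's authserv-id, since a sender can attach an Authentication-Results header of its own. The authserv-id mx.yourcompany.com, the two-label approximation of the organizational domain, and the four sample messages are assumptions constructed for the example. The last sample, signed by the lookalike yourconpany.com, deliberately comes back aligned: a valid signature proves only that the signer controls the domain it signed for, not that the domain is the one the reader thinks it is, which is why alignment complements rather than replaces a lookalike-domain check.

```python
"""Decide whether an inbound message's From: domain is backed by a DKIM
signature that our own mail gateway verified.

Added example, not code from the Slashdot thread or any product it names.
It reads the Authentication-Results header (RFC 8601) written by the
receiving MTA; it does not verify DKIM itself. 'mx.yourcompany.com' and
the sample messages below are constructed for this example.
"""
import email
import re
from email.utils import parseaddr

OUR_AUTHSERV_ID = "mx.yourcompany.com"   # assumption: our gateway's authserv-id

DKIM_RESULT = re.compile(r"^dkim=(?P<result>[a-z]+)", re.I)
DKIM_DOMAIN = re.compile(r"header\.d=(?P<d>[A-Za-z0-9.-]+)")
DKIM_IDENT = re.compile(r"header\.i=[^@\s]*@(?P<d>[A-Za-z0-9.-]+)")


def org_domain(host):
    """Organizational domain approximated as the last two labels
    (assumption: no public-suffix list, so co.uk-style TLDs are not handled)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def dkim_results(msg):
    """Yield (result, signing_domain) for every dkim= stanza in an
    Authentication-Results header bearing our own authserv-id. Headers
    claiming any other authserv-id may have been injected by the sender
    and are ignored."""
    for raw in msg.get_all("Authentication-Results", []):
        value = " ".join(raw.split())          # unfold continuation lines
        authserv, _, rest = value.partition(";")
        parts = authserv.split()
        if not parts or parts[0].lower() != OUR_AUTHSERV_ID:
            continue
        for stanza in rest.split(";"):
            stanza = stanza.strip()
            m = DKIM_RESULT.match(stanza)
            if not m:
                continue
            d = DKIM_DOMAIN.search(stanza) or DKIM_IDENT.search(stanza)
            yield m.group("result").lower(), (d.group("d").lower() if d else "")


def from_alignment(raw_message):
    """Return ('aligned', from_domain, signer) when a passing, gateway-verified
    DKIM signature belongs to the From: organizational domain; ('unaligned',
    from_domain, signer) when the only passing signature is some other
    domain's; ('unsigned', from_domain, '') when none passed."""
    msg = email.message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    passing = [d for r, d in dkim_results(msg) if r == "pass"]
    for signer in passing:
        if org_domain(signer) == org_domain(from_domain):
            return ("aligned", from_domain, signer)
    if passing:
        return ("unaligned", from_domain, passing[0])
    return ("unsigned", from_domain, "")


# Constructed sample messages (not real mail).
MSG_LEGIT = """\
Authentication-Results: mx.yourcompany.com;
 dkim=pass header.d=yourcompany.com header.s=sel1;
 spf=pass smtp.mailfrom=yourcompany.com
From: IT Helpdesk <helpdesk@yourcompany.com>
Subject: Password policy reminder

Please review the attached policy.
"""

MSG_SPOOFED_FROM = """\
Authentication-Results: mx.yourcompany.com; dkim=none; spf=fail smtp.mailfrom=bulk.example.net
From: IT Helpdesk <helpdesk@yourcompany.com>
Subject: Urgent: test your password

Visit the new password testing site today.
"""

MSG_FORGED_HEADER = """\
Authentication-Results: relay.example.net; dkim=pass header.d=yourcompany.com
Authentication-Results: mx.yourcompany.com; dkim=none
From: helpdesk@yourcompany.com
Subject: Your account

Click here.
"""

MSG_LOOKALIKE = """\
Authentication-Results: mx.yourcompany.com; dkim=pass header.d=yourconpany.com header.s=k1
From: IT Helpdesk <helpdesk@yourconpany.com>
Subject: Password test site

A signature from the attacker's own domain aligns perfectly.
"""

if __name__ == "__main__":
    for name, sample in [("legit", MSG_LEGIT), ("spoofed", MSG_SPOOFED_FROM),
                         ("forged-AR", MSG_FORGED_HEADER), ("lookalike", MSG_LOOKALIKE)]:
        print(f"{name:10s} {from_alignment(sample)}")
```

Two operational caveats. RFC 8601 section 7.1 expects the border MTA to strip any inbound Authentication-Results header that claims its own authserv-id; this code cannot detect a forgery that does so, so confirm the gateway actually performs that stripping before relying on the verdict. And an "unsigned" result for a domain that normally signs is a much stronger signal than "unsigned" in general, so pair this with a per-domain expectation (DMARC's published policy, or your own observed baseline) rather than treating every unsigned message alike.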

Antiphishing (2)

Murdoch5 (1563847) | about a year ago | (#43096897)

Does everyone remember a few weeks ago when a company sent out a real email asking users to change passwords and some people thought, incorrectly, that it was a phishing email? Basically that single event proved that people don't understand how to read / detect phishing scams. If you can't even recognize, or take steps to recognize, what's real from what's fake then I don't know what to tell you; the issue isn't always the scammer or lack thereof, sometimes just blame the users.

Re:Antiphishing (1)

Desler (1608317) | about a year ago | (#43097013)

They thought it was phishing because it sent people to a URL just like one you'd get from a scam email. I don't blame them for being skeptical. Why would they send you to an unknown 3rd-party site to reset your email? That's a classic phishing tactic.

Re:Antiphishing (1)

Murdoch5 (1563847) | about a year ago | (#43097061)

if you can't even recognize or take steps to recognize whats real

Simply call the company to ask, so I can blame the users in that case.

cracking/hacking (1)

markhahn (122033) | about a year ago | (#43097279)

eh? cracking, to old timers, is the act of bypassing software locks. hacking is trick/cool repurposing/extension. spearphishing is plain old social engineering.

Well that's easy (1)

Daetrin (576516) | about a year ago | (#43097517)

Spearphishing. The deluxe (but easy) way to get unwary employees to put malware on your network.

Hey, if i want to put malware on my network it's even easier to just do it myself.
