Spyke
yokonzo
lemmy.world

I prefer the old “drop a usb in the parking lot”

59
teft
startrek.website

Nowadays you'd probably be more likely to get a hit by putting an "Anime titties" label on the drive

39

Just put the CEO's name on it and a very recent date. They'll be dying to know what secret information the CEO was carrying around.

8
Dandroid
dandroid.app

I prefer a label that says, "Warning: USB stick contains scary virus. Do not plug into a computer"

8
Martineski
lemmy.fmhy.net

There are usb sticks that can kill your pc by getting charged and then discharging all the electricity at once to your pc so no sandbox will save you in situations like those.

4

Me: Plugs USB into throwaway computer. Computer: dies. Me: "well that's a pretty boring virus!"

3
UnculturedSwine
lemmy.world

Or even jaded tech savvy people. I work in IT and there have been a number of times that I have witnessed or heard about people who know better causing an incident because they're burnt out or irate.

22
illi

This seems like there is an idea for a joke or a comic here somewhere...

17
Frozengyro
lemmy.world

It's *******, what's yours?

Edit: that's cool, Lemmy blocks it out!

18
rmuk

Ah, cool, let me try:

iWantToSuckFrozengyro'sToes69

10
EmoDuck
sh.itjust.works

Hacker voice: "I'm in"

Looks at overly complicated industry software he's never even heard of before

"I'm out"

98
lemmy.ml

Wait, I have an idea! Yes, just as I thought, I can overlay their proprietary operating system with this fancy looking graphical interface that resembles nothing and gain full control of their system. I'm back in!

13

So they have a fancy representation of ... something with a hex table, that then transforms into a map of London given the right key?

2
lemmy.ca

We have these obligatory online seminars about web security /privacy at work.

Turns out that for some reason, with Privacy Badger enabled, they appear as "passed" instantly. I never saw a single second of these endless seminars.

I tried to tell the IT guy but he couldn't care less and I suspect he didn't even know what Privacy Badger actually is

75
pwalker
discuss.tchncs.de

now I want to know what privacy badger is and I'm too lazy to google it...

4

The books that Cereal Killer pulls out are all legit also. The titles at least are all real books.

5
lemm.ee

(Opens DOS, frantically types)
“Heh. I was able to SSH right into their jpg with nothing but an Ethernet cable and router grease.”

45

router grease

I don’t think that’s what you think it is sir carefully hides tissues

29
sh.itjust.works

We get fake phishing emails that are actually from IT and if we don't recognize and report them, we get a talking-to. It's a good way of keeping employees vigilant.

45
cynar
lemmy.world

A friend (who actually works in IT) apparently has a good system at his company. It actually automates turning real phishing attempts into internal tests. It effectively replaces links etc and sends it onwards. If the user actually clicks through, their account is immediately locked. It requires them to contact IT to unlock it again, often accompanied by additional training.

36
zalgotext
sh.itjust.works

Wait. So your friend's company has the ability to reliably detect phishing attacks, but instead of just blocking them outright, it replaces the malicious phishing links with their own phishing links, sends those on to employees, and prevents them from doing their jobs if they fall for it?

Sounds like your friend's company's IT people are kind of dickheads

2

I work at a company that does something similar; it can be annoying to deal with these fake phishing emails from our own IT, but a 10-15 minute training session if you fail is a lot less disruptive than what can happen if you clicked the real link instead.

I consider myself a bit more tech-savvy than average, but I’ve almost fallen for a couple of these fake phishing emails. It helps me to keep up with what the latest versions of these attacks look like (and keeps me on my toes too…)

10
cynar

It's not every phishing email. I think it's technically those that get through the initial filters, and get reported, but don't quote me on that. Apparently it's quite effective. They also don't need to report every one. It's only if they do something that could have compromised the company that causes a lock down. It's designed to be disruptive and embarrassing, but only if they actively screw up.

2
rbits

Well the company probably can't detect them reliably, so with the ones it does detect it trains them to avoid the ones that they can't detect.

2
grysbok
lemmy.sdf.org

My last company did this. They'd also send out surveys and training from addresses I didn't recognize, so I'd report those, too, only to be told they were legit 😂

32
hemko
lemmy.dbzer0.com

Yeah this is a running joke at our workplace too. Only to be asked by some manager to do those a week or a few later

3
SMITHandWESSON
lemmy.world

I send supervisor emails about stuff I'm not gonna do to my spam folder as well.....

"Did you get the email?"

"Nope, sorry, it looked a little suspicious so I didn't open and sent it to spam.."

11
lemmy.world

I just realised how you control reality at work and how much enjoyment you get.... Until you are enjoying too much and get fired

2

We do as well, except we only concern ourselves with the people who click them.

6

My workplace does this too. I can usually tell when the email isn't a legit phishing email but an IT test though. Not sure how helpful that is.

4
frickineh
lemmy.world

We get those, but the sender email shows up as [email protected] or whatever. Literally the most obvious possible address. I'm always tempted to forward one to IT and ask if they're serious with that shit.

3

Ours are the opposite: the sender's email shows up as a normal [email protected] email. Gmail is supposed to warn when a return address is being spoofed like that, but I guess my company turned that warning off for these fake phishing emails. There's still no SPF but I don't check the SPF unless an email looks suspicious so I hope that that warning will work for real, sophisticated phishing.

2
fidodo
lemm.ee

But if they're recognized it means they aren't doing a good enough job faking them

1

I always just ignore anything that looks dodgy, I can't be bothered to spend the time reporting emails when I get so damn many that are either spam or phishing

1
Perfide
reddthat.com

Nah, this isn't cool. Fuck the company, but this will fuck over the users more than anyone.

35
WereCat
lemmy.world

If company does not give a crap about employee then they don't about customer

37

companies care about money everything else is means for the purpose

7
kamen
lemmy.world

"I wonder why they'd need my 2FA too, but oh, well... "

26

Duo push more like duo push you off a cliff because you forgot to do your Spanish lesson

2
NoWay
lemmy.world

I might care if they paid me a living wage.

23

I’m all for acting your wage, but I don’t want to make victims of anyone who is interacting with my company simply because I was feeling spiteful. The company will be fine, the tons of people who just had their information leaked are the ones who are truly inconvenienced and may face financial repercussions later on when their information is distributed. Just something to consider

33

I have to care about mine. If I cause a security breach, I can be sent to prison.

3
teft
startrek.website

A good portion of the movie Hackers was social engineering. That's how Mitnick got into a lot of systems as well. Why search for vulnerabilities in apps when people are much easier to manipulate.

16
azerial
lemmy.dbzer0.com

I wonder if that's how my old job had 780 gb of source stolen through social engineering.

12
xantoxis
lemmy.world

780 gb of source code? Sounds a bit overengineered, I bet that was hard to audit for security flaws

11

If there's 780 gb of source code, I doubt anyone there has the wherewithal to do security audits

7

As someone in IT who has to deal with executives I can assure you that high compensation has no correlation with good security practices :(

4