👊 Security requires vulnerability management.
One finds issues.
The other fixes and tracks them.
Know the difference.
#ComplianceVsSecurity #CyberStrategy
Not only is Center for Internet Security, Inc. (CIS) still sending these, but they still have no multi-factor authentication for accounts.
From https://www.cisecurity.org/about-us
The CIS Vision
Leading the global community to secure our ever-changing connected world.
The CIS Mission
Our mission is to make the connected world a safer place by developing, validating, and
promoting timely best practice solutions that help people, businesses, and governments
protect themselves against pervasive cyber threats.
https://www.youtube.com/watch?v=51gf648nRyE&t=118s
#Phishing #ComplianceVsSecurity #CIS #CenterForInternetSecurity #MFA #2FA #InfoSec #InformationSecurity #CyberSecurity
How average folks don't stand a chance against phishing, example #80,144,963: "Security" "Professionals"
"Warning! Your account is about to be deactivated."
Log in soon or terrible things will happen.
Consider clicking on a link in this email.
BUTTON [Click it... Click it... Click it...]
Grey on grey because accessibility is for losers.
Click the password manager plugin icon on a browser tab,
start typing "cis...",
click to open and autofill credentials and login (in one step),
click the (old) password field to autofill,
click to accept the suggested very long and random password suggestion which autofills both the new password field and the one to check that the autofill typed it correctly the first time then automatically submit,
log out, and
wait for the next email from Compliance Isn't Security inviting me to the next dance.
For the historians: this is during the current wave of phishing campaigns claiming that your service is being shut down, retired, updated or otherwise changed in a way which requires you to click urgently before all that you love is lost.
PS. "This email was sent with love from" <[email protected]>
PPS. NIST SP 800-63B §3.1.1.2 #6 - https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver
#Phishing #ComplianceVsSecurity #CIS #CenterForInternetSecurity #InfoSec #InformationSecurity #CyberSecurity
In my experience Common Criteria is a double-edged sword. The NIAP Protection Profiles are often extremely detailed and describe the threats and mitigations that the product needs to address. Yet there is often some misconception about what it means that a device has the certification, and some companies seem to use the certification in a kind of false marketing.
Common Criteria validation does not replace security testing. When validated for certification, the product is rigorously tested against the specific Protection Profile, but this is the extent of the testing. In fact, if you read many validation reports carefully, they often go into detail explaining that the evaluation did not look for or attempt to exploit vulnerabilities. This is what the validation laboratories are expected to do, after all: validate the target against a very specific Protection Profile.
This does leave an obvious gap, however: on numerous occasions I’ve seen gaping security holes (mostly logical ones) that fall outside the scope of the specific Protection Profile. If no one is actually taking a holistic view of the entire environment and use case for the product, these flaws can go unnoticed. If one is not careful, CC compliance can be interpreted as something it is not, leading to a false sense of security.
Many security flaws can be prevented by adhering to the Protection Profile rules and validating the target for Common Criteria certification. The scope of the impact of the certification is limited, however. Organizations buying products need to understand what the Common Criteria compliance means and even more importantly what it does not.
@nerdpyle The auditor will give this a clean report.
• Door meets minimum dimensions
• Lock is present, engaged and key has been stored safely
• Notice is prominently displayed at the correct height and includes required text
While this is facetious, I suspect that this actually satisfies real legal requirements for successfully prosecuting trespassers and may work effectively as a deterrent.