I am taking a required online training on "internet security" at my new university. In order to get the course to run properly, I was advised to enable all cookies and pop-ups and relax several other security settings in my browser. Good times.

@actualham

i was working for a large corporation during a time they were going through the due diligence for a merger. since both companies were publicly traded, there were some very strict SEC rules about access to the info from both companies.

in order for me to see said documents to do the technical review, it required that i use only windows explorer, disable all ad blockers, all security features, and authenticate over an insecure web link.

yay for security...

@paul_ipv6 @actualham

Same as it ever was. Same as it ever was.

As part of #infosec, I weep when I see stuff like this and the training class.

The unauthenticated emails from 3rd party platforms that HR uses to inform employees of legit business stuff, the surveys, all of it.

And they wonder why BEC (business email compromise) keeps happening when the bad guys send a legit looking "We changed our bank account, please update this routing number" email to Accounts Payable.

@pseudonym @actualham

i worked at a company that did 3rd party phishing mandatory training, with "click on this link" to start the video.

HR forgot to tell anyone that the email would be coming from a 3rd party or what domain name it should be for the link.

our VP of engineering was pretty proud that over 70% of the engineering part of the company reported the email as a suspicious phishing attempt. sadly, we still had to watch the video, which was pretty useless...

@paul_ipv6 @pseudonym @actualham I've heard the head of IT tell off multiple people for not doing the mandatory training...and they all tell him they thought the emails were malicious. Nothing has changed.

@pseudonym @paul_ipv6 @actualham for a while I had a mortgage with a bank that primarily communicated via a generic bulk email provider that obfuscated links in emails.

So I'd get "Important notice about your loan" from nsw6252.salesmail-au.com and every URL was to ...cliktrak.org

They could not understand how this was problematic. "just click the link"