from here |
Friday, September 29, 2017
Never heard of Shannon or her friend Maxim
That's my personal work computer
found on Imgur |
It never ceases to amaze me what people think they are entitled to do with company-owned hardware. Check out the Imgur link for this security tale, because it's got more details and other stories too.
Thursday, September 28, 2017
Don't call me, I'll call you
from here |
I do wonder if I gave the guy who called me a fair chance, but he made an unsolicited phone call to ask permission to send me email because he didn't want to send unsolicited email. Really, phone-guy?
He then pretended to know what my email address was. I don't know who thinks this stuff up but it's bananas. Presenting me with the wrong email address makes it clear to me that you didn't get my contact info from anyone who knows me and also that you are hoping that you either guessed right or that I'll follow the natural human inclination to correct someone when they're wrong. That's not gonna happen. Too many red flags. I'm not giving you my real email address or even the format we use for corporate email addresses at work. I don't want to click on whatever it is you were planning to send me. I don't want to take the chance that you're trying to penetrate our organization through either malware or social engineering.
Can you patch a plot hole?
posted to Instagram by James Lewis |
Well that seems like a pretty glaring plot hole, although the show may have started around the time when the Silk Road was taken down by the authorities, so trust in the darknet may not have been high.
Wednesday, September 27, 2017
What are your GPS coordinates today?
from here |
You don't necessarily need to have good OpSec in order to get on the 10 most wanted list, but you do need good OpSec to stay there. Just ask the guy who gave away his location with an Instagram post.
Them's the rules
found on Navy Memes |
You'd think a weapon like that would at least need to be stored down in the hold in a secure container.
Tuesday, September 26, 2017
On ALL of the computers that you maintain
from here |
Before you tell me how you already run AV free on your own computer, take note of the title of the post. Do you have a computer at work? Do you have parents and/or children with computers? Right, go ahead and remove it from those too.
Bad Luck Marcus
found on Reddit |
I didn't make this (believe it or not I'm quite a bit better at digital image manipulation than this) but when I stumbled across it while searching for memes I knew I just had to share it. Credit goes (I think) to Reddit user 98cwitr.
If you were going to choose a meme to modify in order to represent the absurd tribulations of Marcus Hutchins, then Bad Luck Brian seems like a perfect fit.
Monday, September 25, 2017
Do you want to play a game?
from here |
Never underestimate the unusual ways that people view security concepts. Each person sees the world through the lens of their own unique experiences. Sometimes that isn't helping them and you point them down the correct path, but sometimes you might be the one with the crazy ideas and they're trying to set you straight.
Is there anyone this doesn't apply to?
found on Memegenerator |
I suspect if you examine people's practices closely enough you'd find that most people (even security people) violate the principle of least privilege at least some of the time. Heck, Microsoft even went so far as to nerf the administrator account because they gave up on the idea of people only using admin sparingly. Does UAC now mean that people don't have to worry about least privilege anymore? Does it give us a licence to be lazy about security? I don't know, but I'm going to continue using a non-admin account for day-to-day computing, regardless of the presence of UAC on my machine.
Friday, September 22, 2017
Why admin isn't always admin
from here |
You know how nowadays when you want to run something that requires administrator access you have to right-click and choose "Run as administrator" even though you're already logged in as a user who is a member of the Administrators group? Yeah, Microsoft had to literally change how administrative users work because people couldn't be trusted to follow the principle of least privilege.
Setting up 2 accounts (a non-admin one for everyday use and an admin one for actual administration) was apparently too complicated for most people, so now it's just assumed that everyone is running as admin, and to get the REAL administrative access you have to "Run as administrator".
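The split described above (in the Administrators group, yet not actually running as admin until you elevate) can be seen from inside a process. This is an added example, not something from the blog; it uses the built-in whoami tool and .NET's WindowsPrincipal, and assumes a Windows machine with UAC enabled.

```powershell
# Added example (not from the blog): show why a member of Administrators is not
# automatically "admin" under UAC. Run it once from a normal console and once
# from a console started with "Run as administrator", then compare the output.
function Get-AdminTokenState {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]::new($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # IsInRole looks at the token this process actually holds. Under UAC the
    # unelevated token has Administrators marked deny-only, so this is $false
    # even for an account that is in the group.
    $elevated = $principal.IsInRole($adminRole)

    # whoami /groups lists the same token, including deny-only entries, so the
    # Administrators row shows whether the group is present but filtered.
    $adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
    $adminRow = whoami /groups /fo csv | ConvertFrom-Csv |
                Where-Object { $_.SID -eq $adminSid }

    $verdict = if (-not $adminRow) {
        'not a member of Administrators'
    } elseif ($adminRow.Attributes -match 'deny only') {
        'member of Administrators, but the token is filtered (not elevated)'
    } else {
        'member of Administrators and running elevated'
    }

    [pscustomobject]@{
        User            = $identity.Name
        IsInRoleAdmin   = $elevated
        AdminGroupAttrs = if ($adminRow) { $adminRow.Attributes } else { $null }
        Verdict         = $verdict
    }
}

Get-AdminTokenState | Format-List
```

From an unelevated console the Administrators row carries "Group used for deny only" and IsInRoleAdmin is False; after "Run as administrator" the same account shows the group as enabled and IsInRoleAdmin is True.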
Thursday, September 21, 2017
Security vendors in glass houses
from here (source image) |
McAfee really shouldn't be throwing stones here, considering their own intelligence community ties. And you know what? With all the focus on the NSA in recent years, ties to American spies are probably going to carry more weight internationally than Americans might realize.
The song of my people
found on Imgur |
Part of me wishes I had found the entire song parody that this meme alludes to, but another part of me is glad I didn't. We don't need to get into details about how things break when you apply patches (necessitating the practice of testing patches on a test system before rolling them out to production systems).
Wednesday, September 20, 2017
Of course pirates want to steal resources
from here |
Although the site operators have tried to explain what their intentions were, the fact remains that The Pirate Bay ran miners on people's computers without their consent. The distance between this and distributing mining trojans is vanishingly small.
The secret purpose of The Great Firewall of China
found on Memecenter |
On the other hand, perhaps instead of making them smarter, it's designed to help identify the smarter ones so that they can be conscripted into China's cyberwarfare unit.
Tuesday, September 19, 2017
Hope you didn't get taken to the cleaners
from here |
If you are a user of CCleaner then you should know that it has had malware embedded in it recently and you probably ought to get the latest version that eliminates that particular problem.
Why not both?
found on Imgflip |
Monday, September 18, 2017
What happens if they're already in the house
from here |
A locked door only helps if the baddies are still on the outside, not on the inside with you.
Spying on yourself
found on Chuckles Network |
Having spyware on your system would certainly make it an asset, but not in a 007 sort of way. More like a you've been owned sort of way.
Friday, September 15, 2017
For want of a patch our data was lost
from here |
Keeping up to date is hard? When you've got that much data that's that sensitive you either keep it safe or you don't keep it at all. I don't care how hard it is, this isn't a valid excuse at this scale.
Thursday, September 14, 2017
I sense another governmental agency coming
from here |
Maybe it's just me but I think if you take 14 months to clean up after a USB worm, maybe banning an antivirus vendor's products from being used in your agencies isn't such a good idea. Honestly, you need all the help you can get.
Perverse incentives for security updates
found on Quick Meme |
There's a kernel of truth in this conspiracy theory. When Sun has figured out a way to monetize attempts to update their software (by nagging you and then pre-checking a checkbox to install a 3rd party toolbar) then there's something kind of suspicious about Java requiring a security update - the argument could be made that they have a financial incentive to leave a few vulnerabilities in the product in order to force users to go through the install process all over again and in at least some cases forget to uncheck the checkbox for that toolbar.
Wednesday, September 13, 2017
What happens when your face is your password
from here |
Our faces are probably the part of the human body that we change the most often, whether it's with shaving or makeup or surgery or injury. Of all the biometrics one could use to unlock a device, it is perhaps the most problematic.
That's one way to disinfect your computer
found on Chuckles Network |
On the one hand, this may very well eliminate biological viruses so the statement could actually be true. On the other hand I now want there to be a malware removal tool called Lysol to take advantage of this kind of misunderstanding.
Tuesday, September 12, 2017
Not the kind of 'friendly' skies you want to fly
from here |
Maybe we could fly the professional skies instead? Or better yet, how about the polite skies? That sounds good to me.
Fraud or not
posted to the Boing Boing forum by forceblink |
The complicated problem of figuring out whether something like this is a scam or not is the fact that Equifax seems to have behaved in some decidedly scammy ways in the past. There needs to be a way to protect yourself without giving up the very same sorts of data that were compromised in the first place, and Equifax needs to stop trying to screw victims over.
Monday, September 11, 2017
Identity Theft 'Protection'
from here |
I can't imagine how consumers are supposed to trust Equifax now that they've been breached and over 100 million records were exposed. It's a good thing for Equifax that they don't need consumers to trust them, they just need other businesses who get breached to give them their own customers' details in order to offer those customers free credit monitoring in response to their own breach.
Ultimately, though, it is the fate of all large databases of valuable information to eventually be breached. We need to rethink what information we compile and hold on to for the long term.
I'd wait too, wouldn't you?
found on Imgur but originally from Carbon Based Slice |
They say patience is a virtue, but I guess it's also a part of good OpSec by helping you avoid entering secrets into computers you don't (and probably shouldn't) trust.
Of course 2 factor authentication could help in this scenario, but many 2 factor authentication schemes these days use the phone, so....
Friday, September 8, 2017
Crooks don't want to work harder than they have to
from here |
If you're looking for money then you rob banks because that's where the money is. If you're looking for personal info then you rob Equifax because increasingly that's where the personal info is.
There's actually a couple of reasons why breaching Equifax may have been easier than compiling the data
- Equifax may not have done a good job of protecting the data (we don't know yet)
- The more breaches there are the more work is required to collect the data from all the various sources
No master keys allowed
found on Imgur |
A password that a lot of people use is a password that will get you into a lot of accounts without much effort. Eliminating this is a good thing.
The weird thing is that it would have been harder to do this without all the password breaches because they're what tell us what the commonly used passwords are.
Thursday, September 7, 2017
Now we know why they're so virus prone
from here |
Computers running Microsoft operating systems (be they Windows or DOS) were not the only ones to get viruses, but viruses certainly were more prolific on them than any other kind of system. I wonder why that might be.
Jack Vale: Scamming the elderly online
Watch on YouTube
Wow. I knew scammers were greedy, underhanded assholes, but if this is real then that characterization is an understatement. Scamming the elderly is one thing, but trying to take them for virtually everything they have? Despicable.
Wednesday, September 6, 2017
Do you practice safe hex?
from here |
There is a school of thought that says a certain kind of browsing is responsible for a great deal of the nastiness people found on their computers, and part of safe hex involved avoiding unsafe sites or at least doing something to mitigate the threat.
But do people even know the term "safe hex" anymore? It was big in the 90's, but it seems like the security community has opted (foolishly in my opinion) for the "users should just be invisibly protected without having to know anything" model so nobody talks about safe hex anymore. Frankly, if people can't be automatically protected from something as simple as biological viruses, I'm not sure how we can expect that kind of protection against intelligent adversaries.
On the other hand, I'm not even sure what constitutes safe hex now. The computing landscape has become so fragmented, it's difficult to keep up with what the best practices are for this platform or that technology, and the more things that get computers put into them the worse that is going to get.
That's not how any of this works
found on Failbook |
- You should know what your favourite anything is. If you don't then you don't have a favourite
- If you don't know the answer now then you won't remember it in the future when you need it
- Other people aren't supposed to choose the answer to your security question for you, it's supposed to be personal
- If other people know the answer to your security question then it's not very secure
- etc...
It's hard to believe so much security fail can fit in such a small Facebook status.
Tuesday, September 5, 2017
Let's see what kitty's been up to today
from here |
We don't even try to hide the data collection capabilities of smart devices for animals, why should we be surprised when the smart devices we use have many of the same capabilities?
The security clause has security claws
found on Pinterest |
There's actually a ton of cool security cat memes on this Pinterest page. As near as I can tell, many of them came from the Security Awareness Company's Security Cat line of posts, but I can't find the exact link for this (hence the Pinterest link).
Monday, September 4, 2017
Achy Breaky Pacemakers
from here |
One of the lessons from this story is that security problems aren't going to simply go away just because they're inconvenient for the business. You will eventually have to deal with it and I can't think of many ways of dealing with it that are worse than waiting a year to issue a warning about problems with pacemakers.
Friday, September 1, 2017
What could possibly go wrong?
from here |
If this is the kind of forethought we can expect from the new FCC, I think we're going to need to find an alternative interpretation for those 3 letters.
A question for all the ransomware victims
found on Imgflip |
If you've got ransomware, this is a question you need to ask yourself before you decide to pay the ransom.