[Cryptography] phishing attack again - $300m in losses?

John Ioannidis ji at tla.org
Mon Feb 16 15:43:16 EST 2015


On Mon, Feb 16, 2015 at 2:17 PM, Christian Huitema <huitema at huitema.net> wrote:
> On Monday, February 16, 2015 8:36 AM Steve Furlong [mailto:demonfighter at gmail.com] wrote
>
>> I'd guess that getting rid of the tight integration between MS Windows, IE, and MS Office would
>> solve most of the problem, but I don't see that happening -- it's too conveeeeenient for the users.
>

Conveeeeenience always trumps security. I forget where I heard this,
but "you can dial convenience (or features) to zero, and you don't
have a product, but you can dial security to zero and still have PSN".

Here is my horror story: a very large, very security-conscious
technology firm I used to work for mandated that its employees take
yearly security-awareness training. How was the training offered? They
would notify us with a very phishy-looking email message directing us
to an external vendor, who provided said training as a Flash
presentation!!!!!

DOUBLE FACEPALM.

Now, I'm sure the vendor had been properly vetted and stuff, but the
point is, YOU SHOULD NOT TRAIN YOUR EMPLOYEES TO TRUST EXTERNAL SITES
OFFERING FLASH CONTENT!

(the training site also affirmed that one should not trust external
vendors or Flash content... go figure...)

/ji

