[Cryptography] phishing attack again - $300m in losses?

ianG iang at iang.org
Mon Feb 16 16:03:45 EST 2015


On 16/02/2015 20:43 pm, John Ioannidis wrote:
> Here is my horror story: very large, very security-conscious
> technology firm I used to work for mandated that its employees take
> yearly security-awareness training. How was the training offered? They
> would notify us with a very phishy-looking email message directing us
> to an external vendor, who provided said training as a Flash
> presentation!!!!!
>
> DOUBLE FACEPALM.
>
> Now, I'm sure the vendor had been properly vetted and stuff, but the
> point is, YOU SHOULD NOT TRAIN YOUR EMPLOYEES TO TRUST EXTERNAL SITES
> OFFERING FLASH CONTENT!
>
> (the training site also affirmed that one should not trust external
> vendors or flash content... go figure...)

Yeah.

Now, how many here clicked on all John Young's links about the Equation 
group, downloaded PDFs, went to dodgy links via funny redirects ... even 
though the mailer was saying "We think John Young is a scammer!!!"

This situation sucks.  Which is why I don't buy that it is a mailer 
problem.  Firstly as above.  Secondly because of all the other places a 
link can be sent -- modern people below 30 don't even know what email is 
these days.

The browser, or whatever we call the agent that handles the URL, has to 
be able to defend itself.  No ifs, no buts.



iang
