Click This or I'll Sue. (Hint: Don't.)

In This Issue:

  • The spy who socially engineered me
  • Click this or I'll sue
  • This isn't ARPANET anymore—you can't just trust everyone
  • Making a hash of it

The Spy Who Socially Engineered Me

The Spycraft Revolution. A lengthy but fascinating look at how technology helps and hinders espionage. While you might not have ambitions to join the intelligence world, as the article states, "Anyone responsible for a company’s cybersecurity now has to think like a counterintelligence officer. To protect a firm’s sensitive information, he or she must identify the most gullible and careless members of the organization and fire them or give them better training."

Countermeasure:

Read this, possibly with a stiff drink at hand to mitigate dismay. This article contains an overwhelming amount of material about how to think like a spy (or a hacker), but bear in mind that both spies and hackers want to accomplish their aims efficiently and economically. They will go for the easiest targets first. These are often people.
 
While it may be tempting to fire the "gullible and careless," there's no guarantee their replacement will be any better. 97% of Americans Can’t Ace a Basic Security Test. So remedial education is probably your best option. You could start with the article below.


Click This or I'll Sue. (Hint: Don't.)

Malefactors keep phishing because phishing works. Some phishers rely entirely on accuracy by volume.  Others, like any successful entrepreneur, get a leg up on the competition through careful instrumentation, monitoring, and data analysis. Legal Threats Make Powerful Phishing Lures is a fantastic look into a well-crafted phishing scam that seems to be the result of focusing exclusively on what works best.
 

Countermeasure:

Spread this article around. It's a quick read, and as many people as possible in your organization should know about this evolution of phishing.


This Isn't ARPANET Anymore—You Can't Just Trust Everyone

Ever notice how every time someone creates an approach to technology that's based on trust, it all goes to hell? Alphabet's Chronicle Explores Code-Signing Abuse in the Wild is an incredible exploration of exactly this problem, and looks at how malware writers are managing to do bad things by using malware that they've managed to get digitally signed.
 
Some related pieces on the interesting topic of trust in technology are The 3 Cybersecurity Rules of Trust and What You Need to Know About Zero Trust Security.

Countermeasure:

Where possible, don't implement—or at the very least, don't exclusively rely upon—technologies that depend on trust to operate. Never trust anyone, or anything. Instrument everything. Log everything. Audit everything. And make sure your backups and disaster recovery plans are both working. In its purest form, this is an impossible goal, but the achievable aim is to presume both that compromise is inevitable, and that literally anything can be compromised, from your operating system to your printer. If you don't have plans for how to deal with a compromise of every piece of technology—and every person—in your organization, now's the time. And where possible, automate and test your incident response. Don't wait until an actual compromise to try out half-baked plans.


Making a Hash of It

G Suite'n'sour: Google Resets Passwords after Storing Some Unhashed Creds for Months, Years. You'll probably hear about this story, if you haven't already. If you're like your Countermeasure authors, your first response might be snarky. After all, who doesn't store passwords in plain text these days? All the cool social media giants are doing it.
 
While the news is sadly not that shocking, this particular article gives a useful explanation about the difference between “encryption” and “encryption + hashing.”
 

Countermeasure:

If you have developers who write applications that must store passwords, consider trapping them in a room with this article and not letting them out until they can recite it. Backward.
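To make the point concrete, here is an added example (not code from the newsletter or from the Register article it links) contrasting what the story describes, passwords stored as-is, and the common half-measure of an unsalted fast hash, with the form a password store should actually take: a per-user random salt, a deliberately slow key-derivation function, and a constant-time comparison on verification. It uses only the Python standard library (PBKDF2-HMAC-SHA256 from hashlib); the record format `pbkdf2_sha256$<iterations>$<salt>$<digest>` and the iteration count are assumptions for this example, and a memory-hard function such as scrypt or Argon2 is the better choice where available.

```python
import hashlib
import hmac
import os

# Assumed for this example: the order of magnitude OWASP recommends for
# PBKDF2-HMAC-SHA256. The point is that deriving one hash should be slow.
ITERATIONS = 600_000


def store_plaintext(password: str) -> str:
    """What the story describes: the password itself is the stored record.
    Anyone who can read the record (admin, backup, attacker) has the password."""
    return password


def store_unsalted_sha256(password: str) -> str:
    """The usual half-measure: a fast, unsalted hash. Identical passwords
    produce identical digests, and precomputed tables recover common ones."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt=None, iterations: int = ITERATIONS) -> str:
    """Hardened form: random per-user salt plus a slow KDF.
    Record format (an assumption of this example):
    pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>"""
    if salt is None:
        salt = os.urandom(16)  # unique per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the comparison itself leaks nothing about the digest.
    Malformed records verify as False rather than raising."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("plaintext   :", store_plaintext(pw))
    print("unsalted    :", store_unsalted_sha256(pw))
    print("unsalted    :", store_unsalted_sha256(pw), "(same again: identical digests)")
    print("salted+slow :", hash_password(pw))
    print("salted+slow :", hash_password(pw), "(different salt, different record)")
    print("verify ok   :", verify_password(pw, hash_password(pw)))
    print("verify bad  :", verify_password("wrong", hash_password(pw)))
```

Two things to notice when it runs: hashing the same password twice with `hash_password` yields two different records, so a leaked table does not reveal which users share a password, while `store_unsalted_sha256` gives the same digest every time. Verification works from the record alone because the salt and cost are stored alongside the digest, which is also what lets you raise the iteration count later without breaking existing accounts.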


This Week's Sequels

Further developments and analysis about last week's big infosec stories.

WhatsApp

Intel CPU Vulnerability

Threads of the Week

This week we have two threads.  Both are a little bit on the "someone was wrong on the internet" side of things, but ... people actually were wrong on the internet, and the education dished out is worthwhile.
 
Telegram
 
Telegram is _never_ the solution. Friends don't let friends use Telegram. This'll be a thread! - Evan Sultanik (@ESultanik)
 
Equifax
 
This take is common but inaccurate. Understandably so, but still important to correct. Usually the primary culprit where a known vuln is exploited is delays in applying patches. Not the culprit here. It was a breakdown in the data exfiltration prevention/detection that did it. - Katie Moussouris (@k8em0)
 

Tweet of the Week

PATCH. WINDOWS. NOW.
 
ATTN virtual I/O MMU users – a serious issue has been discovered in some updates to Windows 10, Windows Server, and Windows Server 2019 LTSC editions. @Plankers with details. - @VMwarevSphere
 
The tweet links to Virtualization-Based Security Issues with Windows 1903/19H1 Releases.
 

Podcast of the Week

This episode includes cybercriminals scamming each other: 129: Too Long; Didn't Listen
