Did somebody tape over the door handle ?
And they say lightening doesn't strike twice ....
The Democratic National Committee (DNC) has called in the FBI after uncovering an apparent attack against its internal voter database system. CNN reported that the DNC learned of the attempted phishing attack from cloud service provider DigitalOcean via Lookout, a mobile security firm that detected the malfeasance. Miscreants …
What is it about the human mind that pushes people to a) blindly accept what a completely unknown person sends them, and b) click on a link that they haven't the faintest idea where it will end up.
Especially at work.
Okay, this time it was a test. Fine. There will be a next time. And a next.
Until we all, collectively, understand that if someone you don't know sends you a mail, the only proper thing that can be in that mail is either a request for information or an introduction from a work colleague that has just taken his post, so you know you'll be working with him.
And you should check to be sure.
Anything else is spam and should just be binned.
The only person who can legitimately send you a URL is someone you already know. And that person had better have a good reason.
Ever worked in a large organisation - or a government one with layers of local,provincial and federal management? One with outsourced IT?
Where you get emails to update your "team foundation customer management experience portal gateway" password every month because of "security". Of course the link to where to change it changes every month depending on which cloud provider is cheapest.
Where because of a bunch of mergers, depts not talking to each and ancient outsourcing deals you have umpteen different accounts and passwords on different bits to do your job.
And you naively assume that if an email gets through all that corporate security and appears to come from your own IT dept it is their job to look through the headers and detect the real origin - not the job of cathy on reception.
Saying it's the "users job to be careful" is like saying it's the passengers job to check the maintenance logs and type approval on their holiday flight's aircraft =- not the airline's
Sorry, but I *would* expect users to notice that the URL was not votebuilder.michigan.democrat.org (or whatever) and at corporate level users should be expected to notice that the URL was not wotsit.mycompanyurl and governmental users should be expected to notice that the URL was not foobar.subsection.gov.uk exactly as I have the responsibility to check that the URL for my party's database is not thingy.myparty.org.uk.
But what if instead of companyname.sharepoint.com it is companyname.sharepoint-microsoft.com as in some of the Russian sites MSFT shut down ?
If it is an email with a from line of email@example.com but a sender header of evil-russian-hacker.ru goes to everyone in the company I expect the corporate security to notice.
Ironically Microsoft are the worst at doing this themselves. Authorisation on Office365 can be to x.sharepoint.com, x.outloook.com, x.live.com or outlook.live.com. The site for developers downloading official test ISOs of Microsoft OSes was the spammiest url you could imagine
To think that as recently as ten years ago we used to take great pains to wrap dodgy looking, and outright impossibly long, urls for 3rd party servives into more human friendly and company owned ones using reverse web proxies. That's all done for now, Microsoft and others have made it impossible to pull it off -- even where a vestige of in-house IT with the requisite talents survive. The single most frequent complaint I hear from nontechnical corporate bureaucrats about using O365 resources is about how unweildy links to those resources are. To which I have to resist replying, "Well, I'm not the one who couldn't stand the fact that skilled techs were making as much as unskilled executives: you should have thought about that before you jealously gutted the knowledge base." Or something like that.
Well, that seems very weird to me. I trust that it happened, but what has to go through one's mind to come up with the plan of action: "Let's run up a fake website for a security test for someone we don't work for, who hasn't asked us for one, and by the way we won't tell anyone about it." I have a feeling that, if I did that to someone, I'd be sued and/or arrested almost immediately.
My guess would be some PHB came up with this brilliant idea, waved it in front of some higher level and then did it. All he/she was looking for was brownie points. He probably had some poor web person on staff (or even a contractor) that got pushed into doing this.
So instead of being a hero, the PHB is a self centered clown. Hopefully it's the PHB that gets fired for not communicating this upward and not the poor schmuck at the bottom of the food chain who actually did the work.
Are we talking Democratic Party Officials from Michigan that did this test? That would seem to be countered by the last comment that it wasnt someone from the DNC (or at least not authorised by them). Was it Michigan Electoral Office officials (or whatever its called over there)? Can someone clarify exactly who these officials were?
The fact that the US has a federal system of government (with sovereignty vested both in the States and in the Federal government) means that all of the major lobbying groups (especially the political parties) are likewise organized. In this case, the state party spent state money to run a test of state systems. But those systems are heavily linked to the national (DNC) systems, so there was spillover.
The news happened because no on in the IT department at the state level expected this.
(1) Send a memo to all departments nationally well in advance so that they can brief all their staff that there is a test scheduled, when and what the test will be, and how to identify and pass it. Noting that a secret is safe if only two people know it and one of them is dead.
(2) Run the test like a real attacker with no prior warning.
Perhaps a bit like the difference between a scheduled and unscheduled quality audit. Noting of course that in quality audits the aim of both auditors and auditees is to pass the test so the company can pay for the fancy accreditation.
I would be interested to know how many people they caught before they were shut down. It did test their national security team who managed to identify the phishing attempts. So one positive benefit.
Noting also that a variant of option (1) could be to notify everyone that there was going to be a major phishing attempt in the next 3 months and instant dismissal including line management if anyone was caught. Then close the office and go fishing secure in the knowledge of a job well done.
In 2017, the company began giving out physical security keys to all 85,000 employees. And since then, no employees have reported any confirmed takeovers of work-related accounts, Google said
Stop talking crap people wake up!