Some years ago, during a (quite extended) phishing avalanche in the company I was at the time, the (then) CIO said: "Let's fire every user that falls for a phishing mail! That will solve the problem for good." I considered it a joke, and I replied pretty much with a rhyme: "Let's train them before we blame them," and I didn't give it a second thought. We went on to deploy some training modules, but never really implemented the technical controls on the mail server, an activity that, had it been implemented, would have stopped several of those phishing mails from ever entering the company. I think that this is not strictly a user failure, and I'm inclined to blame the IT department more than the user.
When multi-factor will not save you
Posted on Sunday, 19th of August 2018 • security • Read time: 11 minutes
There is a lot of discussion lately about multi-factor authentication and how it will upgrade everyone's security. Indeed, it is an improvement, and it was about time we started becoming more conscious about the security issues related to authentication. As usual, though, these discussions generated a lot of confusion and "why didn't it work?" moments when we see cases such as Reddit's hack in August of 2018.
The problem with compromised software
Posted on Thursday, 21st of September 2017 • security • Read time: 2 minutes
As everybody probably knows by now, CCleaner was compromised and malicious individuals added a multi-stage malware payload to it. A typical case of compromised software if you ask me, pretty much like the one with the Ukrainian tax software that spread NotPetya. But there is a different aspect to why compromised software is very dangerous, and it actually uses (believe it or not) social engineering in a more advanced way.
Deep Thought book review
Posted on Monday, 4th of September 2017 • security/social engineering • Read time: 3 minutes
Recently I stumbled upon a cybersecurity story called Deep Thought, from ideas42. It is a book dealing with human behavior and how it affects cyber security.