I've been doing information security for more than a decade. I have trained people, written organization policies, built systems with security in mind.

And yet a few days ago I almost lost money to a phishing campaign pretending to be my infrastructure provider asking me to "update my payment details."

I was tired. I clicked the link, followed the instructions.

What saved my bacon is that I opened the link in a private-mode browser window, where I was not logged into my provider's system.

Point being: people make mistakes. Even people who really, truly should know better.

You might be tired.
You might be unwell.
You might be distracted.

You might click the link.

And so might people you're tasked with helping and protecting.

Keep that in mind. It's never just the person's fault.

Design systems and policies in a way that takes this into account, always. Add a little friction, it really helps.

Because… people make mistakes. Even people who really, truly should know better.

The private browsing thing adds friction for me all the time. Is it a bit annoying to always have to sign in explicitly to that provider's system? Sure.

But that friction turned a potentially really bad situation into a somewhat embarrassing, but otherwise harmless one.

Obviously be gentle and thoughtful with where you add such friction. It's not about torturing yourself or people you are trying to protect.

But don't discount the value of friction either.

Stay safe out there!

Michał "rysiek" Woźniak · 🇺🇦

If you happen not to be an infosec person, and would just like some advice on how to not get phished, here's one simple non-technical rule that will help:

👉 If you got a message that demands immediate action of you and is making you feel stressed – take a short break.

Deep breaths, make some tea, take a short walk.

Whatever it is, it almost certainly can wait a few minutes. And a few minutes might just be what it takes for you to figure out it's a scam, or ask someone's opinion.

:blobcattea:

@rysiek this is great advice for avoiding all sorts of scams, really. "Police" need money to get your relative out of some foreign jail? Take a breath, say you'll call them back, and do it from a trusted source. Etc.

@tim @rysiek It's great advice for any possible situation in life, really.

"In the land of giraffes, there is no urgency."

(One of the foundational rules of nonviolent communication: Check in with yourself; when you feel pressured or stressed or time-bound, you are not in your nonviolent quality. Take a break. Do not act.)

@gamambel @tim @rysiek “tomorrow is good enough” is something I read early on and it stuck (mostly)

@adamklimowski @tim @rysiek

“In order to show the differences between communication styles, Rosenberg started to use two animals. Violent communication was represented by the carnivorous Jackal as a symbol of aggression and dominance. The Giraffe was chosen as symbol for nonviolence, its long neck is supposed to show the clear-sighted speaker, being aware of his fellow speakers’ reactions; and because the Giraffe has a large heart, representing the compassionate side.”

streetgiraffe.com/origin-story


@tim @rysiek NEVER give the police anything. Not even your words. Cops are not even members of society.

@voxofgod @BetaCuck4Lyfe @tim @rysiek really? Placing the favorite word of nazis and a reference to a part of jews in the same sentence?

@peh @BetaCuck4Lyfe @tim @rysiek

Zionist is not Jewish, it's a political agenda

And your either intentional or unintentional ABSOLUTE misrepresentation of the opposite is exactly how the world is being ruined right now.

One of the words I love to use because it's as accurate as can be

Was given to me by another non-Jewish semite: zionazi

The people murdering semites don't get to claim anti-Semitism because people are trying to stop their murders

@voxofgod You think you "have to" use a German word (actual Nazi term) to dehumanise people (like the Nazis did). That is antisemitism and hate speech, simples.

@frauxirah@chaos.social I'm not talking about Jews I'm talking about Zionists

Get it through your thick skull

And after that

Go

FUCK

Yourself

Especially when we consider that by sheer body count, you are the anti-semite

186,000 semites have been murdered by Zionists in the last year in Palestine and now they're doing the same in Lebanon

BUT GO AHEAD CLUTCH YOUR PEARLS ABOUT A FUCKING WORD I'M USING TO DESCRIBE BEHAVIOR NOT PEOPLE

You are normalizing genocide with this garbage

Again
FUCK
OFF

@voxofgod @peh @BetaCuck4Lyfe @tim @rysiek >> Zionist is not Jewish, it's a political agenda

Tell that to all the antisemites who were using it as a slur for decades.

It is really fun (NOT) to see the left eagerly adopt “Zionist” like a slur when y’all could just say “Israel,” “Israeli(s),” “settler-colonialism,” etc.

@voxofgod @peh @BetaCuck4Lyfe @tim @rysiek Like, the fact that you gotta jump on a thread for a totally unrelated subject to bark out “Zionist” like a right-wing chud who thinks he’s found an excuse to say the N-word really tells me all I need to know about the sense in which you are using it.

@rysiek On the flip side, it is also important to welcome phone calls out of the blue from people whose Spidey-sense has tingled a bit, and who trust you enough to sanity check what they're looking at.

Gives me the warm fuzzies, every time.

@tim_lavoie 💯

In $OLDJOB where I was responsible for people at real risk, a person pinged me with "did you actually send that e-mail?"

It took *me* a couple of minutes to figure out it was a targeted attack. Coming from a very similar e-mail address to mine. Having *my actual e-mail signature*.

The attack got blown. Nobody got phished. Later I figured out the attack took 3 months of prep.

Asked the person how they knew.

"I didn't. It was a hunch. You told us to trust our hunches." 🎉

@rysiek @tim_lavoie eMails asking me to "update" anything are 100% spam/scam.

@mirabilos @rysiek I did get a handful of legit ones lately, but they were expected. My old credit card expiry had passed, and these were services I'd given it to at one point. As a heuristic though, you're spot on.

@mirabilos @rysiek @tim_lavoie

I skip the email completely and login to the account I question to see if there is a notice there.

@mirabilos @rysiek @tim_lavoie This is why I hate "update your W-9" (no nothing changed, I would have told you if it did!), "update your domain contact information", etc. mails. They train ppl to get phished.

@tim_lavoie @dalias @rysiek I have no idea what W-9 is. My domains etc. usually ask to check if my info is still correct, not request to update them, and in general don’t read like these scams. So at least some have more sense.

It also helps to not live in an English-speaking country. While a good part of my correspondence is still in English, most of the rest is in German, so scammers would have to guess which. It’s also usually written by native speakers while most German-language scam is visibly machine-translated, though AI crap might lose me that advantage when multinational companies use that to translate later. (And, of course, people not taking care to be sensible to this still fall for it.)

@rysiek @tim_lavoie @http_error_418 ❤️❤️❤️

And good on ya for building that kind of rapport with your team.

@tek @tim_lavoie @http_error_418 thank you. It was one of the proudest moments of my career so far.

It wasn't even my team, per se – it was a non-technical administrative person working for the organization. But we had a policy that all staff get the same infosec trainings, as everyone can get attacked and used as an entry point.

That policy was 100% on-point. Most targeted attacks I've seen there went after administrative staff first, not the really juicy targets like journalists.

@rysiek @tek @tim_lavoie justifiably so. I have been in teams that have attempted to do the same but not been as clearly successful, partly due to senior management wanting a more punitive approach. Glad you had a culture that supported this kind of effort instead of suppressing it

@http_error_418 @tek @tim_lavoie it's always a struggle

What I found very helpful was never wasting a good crisis. Somebody got phished? Clean up, write a post-mortem, and then use that to push to finally enforce 2FA across the org, for example.

And I had an amazing team to work with. Got really lucky there.

@rysiek
When I had staff, I insisted that everyone on the network attend infosec training. And agreed, most of the incoming attacks were aimed at two places: c-suite and admin. C-suite, bless their hearts...never learned. The admins were always on point.

@tek @tim_lavoie @http_error_418

@rysiek @tim_lavoie
Wow. Three months? I'm blown away: one person's spidey sense stopped it, that's inspiring!

And that's great training: trust your hunches. I wish lots of places built that into their infosec training.

@Giselle @tim_lavoie yeah.

The attack used a lookalike domain, I checked when it was created and when the certificate was issued.

I also had one of the attacker's VM's IP address, where the phishing site was hosted.

That allowed me to check the logs and see if it pops up earlier. And lo and behold, there it was, quite a lot at some point. Probably when they were building the phishing site and pulling our resources for it.

It was very satisfying to see all this prep work go down the drain. 😉
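The log check described in this post (did the IP that later hosted the phishing site show up in our access logs earlier, and what did it pull?) as an added example; this is not the author's tooling. It assumes Apache/nginx "combined" log format; the log lines and the IP 203.0.113.7 (a documentation range) are constructed.

```python
import re
from collections import Counter
from datetime import date, datetime

# Apache/nginx "combined" log format (assumption: this is the format being searched).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

def parse_line(line):
    """Return (ip, datetime, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))

def earlier_activity(lines, suspect_ip, incident_day):
    """Summarise what suspect_ip fetched before incident_day: hits per day
    and the most requested paths (the 'pulling our resources' pattern)."""
    per_day = Counter()
    paths = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[0] != suspect_ip:
            continue
        _, ts, path, status = rec
        if ts.date() >= incident_day:
            continue  # only pre-incident prep work is of interest here
        per_day[ts.date().isoformat()] += 1
        if status == 200:
            paths[path] += 1
    return {"days": dict(per_day), "top_paths": paths.most_common(5)}

# Constructed sample log; 203.0.113.7 stands in for the attacker's VM.
SAMPLE_LOG = """\
198.51.100.23 - - [02/Jun/2024:09:12:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jun/2024:14:03:10 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jun/2024:14:03:11 +0000] "GET /static/logo.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jun/2024:14:03:12 +0000] "GET /static/style.css HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jun/2024:08:41:55 +0000] "GET /static/logo.png HTTP/1.1" 200 9001 "-" "curl/8.4.0"
203.0.113.7 - - [15/Jun/2024:08:41:56 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "curl/8.4.0"
203.0.113.7 - - [20/Sep/2024:11:20:00 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""
INCIDENT_DAY = date(2024, 9, 20)  # constructed: the day the phishing mail landed

if __name__ == "__main__":
    print(earlier_activity(SAMPLE_LOG.splitlines(), "203.0.113.7", INCIDENT_DAY))
```

Pipe real logs in with `sys.stdin` instead of the sample; static assets fetched in a tight burst weeks before the incident are the signature the post describes.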

@rysiek @tim_lavoie
That's great work to figure this out. I'm still gobsmacked that one person double checking on a hunch made the whole thing implode. Fantastic job on your parts all round!

@rysiek i never get phished because i only pretend to have read my e-mails, i never actually do 😤😤😤
@quad @rysiek Here I barely ever follow the links in emails, like the only time is for things I specially asked for like email verification. (And with SMS I can't follow them, my phone is rightfully dumb)
While most of the time I'm pulling the URL from my bookmarks or password manager.
@quad @rysiek And I'm pretty sure there's at least 2 phishing attempts I got over the phone. Lucky draw for them as I picked up the damned thing, sadly for them I always refuse to provide personal info when it's from an incoming phone call.
One of them that was kind of funny is when I asked "Huh, you're asking for personal info, who are you?" just out of curiosity and they just hung up.

@rysiek Yesterday I made a big purchase at an online shop that was new for me. The next bank account phishing came late at night and I was still brooding over that expense.

I have trained myself to change my online bank password every time a phishing message is unusually scary.

@rysiek

Don't click on their link.
Don't call their phone number.

Use your own favorites and phone book to call the person or company.

.

My mother got an urgent email from a friend, stuck in a foreign country, needing money. I said it's a scam. She didn't believe me.

So I say you know her well; what's her phone number?

She looks it up and I call. It's a land line, and the friend answers. (So, of course they're not trapped overseas.)

@rysiek
My goto is to open up my account website and see if there is a problem. If not, report them and delete.

@rysiek
It worked for my mom.
My mom is not someone to take being rushed gracefully. She told the phisher she was not going to do what they said immediately, they went bananas, and she hung up.

We re-installed her computer from scratch as a precaution.

@rysiek Also she doesn't do financial transactions on-line as a matter of policy (and security).

@rysiek ...and anyone who demands you stay on the phone with them and *not* take a short break or contact anyone else?

Absolutely, 100%, always a scammer.

@rysiek

Time pressure (and timing) is one principle used in many social engineering attacks. It reduces your cognitive ability and coaxes you into reacting automatically with System 1.

Frank Stajano and Paul Wilson wrote a paper on it and other common principles.

infosec.exchange/@realn2s/1126

Regarding System 1 and System 2 Thinking see "Thinking, Fast and Slow" by Daniel Kahneman

bookwyrm.social/book/271430/s/

Infosec Exchange · Claudius Link (@realn2s@infosec.exchange): Regarding #SocialEngineering I love the work of Frank Stajano and Paul Wilson. They documented 7 common principles of #scams. The principles are (in my adaption):

1. Need or Greed / Bait: Something the victim/mark wants or wants to avoid.
2. Deception: A connection to reality.
3. Distraction: an elaborate story around the scam hiding the true intentions.
4. Authority or Trust: Scams "originate" often from a trusted or authoritative person, role, or organisation.
5. Time pressure & timing: The victims are pressured to decide or act quickly. And the attacks are timed, often after lunch, or the afternoon where the victim is likely less energetic and attentive.
6. Secrecy (or Dishonesty): keep the mark from asking someone else.

and maybe slightly less relevant in a digital Social Engineering context:

7. Herd/Group Principle: Others are doing it as well, so I either have FOMO or think it can't be that bad.

You can read more in https://www.cl.cam.ac.uk/~fms27/papers/2011-StajanoWil-scam.pdf

@rysiek @inthehands we tell that to newcomers, it's amazing the stupid things we do under time pressure.
And "if possible, try to check back with a different (ideally private) channel".
The number of "hello, it's XXX [the correct manager or director], I need you to do that" we get on new hires is frightening.

@fanf42 @rysiek
My department at the college long had a scammer who would regularly email all the faculty with an “oh no! I’m in a meeting! I need someone to buy an Amazon/Apple gift card for my niece’s birthday!” message. We took to calling them Fake Tom. Sometimes they’d go quiet for a while, and when they returned, there were excited emails: “Fake Tom is back! They’re OK!!” When the chair rotated, it was a real milestone when we got the first Fake Susan message.

@rysiek @mercrow I reflexively get annoyed at messages with that vibe, it serves me well.