US Counterintelligence czar tells government employees, “raise your shields”

Status
Not open for further replies.

Dilbert

Ars Legatus Legionis
34,009
Nope. Users don't know how to "raise their shields". Computer security is a highly abstract topic and as such is very hard to understand. Add to that the basic human willingness to help out (oh you want me to give you my password / open this file / fill this form? SURE! ) and the breaches will keep on happening.

Besides the inability to get secure, there's also the element of apathy at play. We are talking about employees whose sole reason for showing up every morning is the paycheck. They don't care. They could be made to care through disciplinary action (stick) or reward (carrot). But there are usually no consequences to picking up a virus on a computer, or responding to a phishing e-mail. No disciplinary action. Why would there be when malware is perceived as IT dept problem? Often seen as just a normal part of owning and using computers? :facepalm: Simply put, users aren't incentivized to keep their computer secure. Asking them "pretty please" simply does not work. It never has.

Here's an analogy we used in a meeting recently. Compare computer security to a common parking garage with a broken gate. "Please get out of your car and make sure the gate is securely closed behind you." HAHA yeah right. Hardly anyone is going to do that. All it takes is one driver leaving the gate open and everyone's car gets broken into.

My proposal, which was unfortunately shut down, was anyone with a virus gets their computer taken away immediately (to wipe and reimage) and replaced with a hand-me-down older/slower computer. There's an incentive however meager. But that too was apparently too much to adopt.
 
Upvote
-5 (17 / -22)

Perphenazine

Ars Tribunus Militum
1,872
Their example isn't really spear phishing, it's just regular phishing. Spear phishing is highly targeted. It mentions you specifically and is "from" a person you know. A well crafted campaign (the type that would target government employees with security clearances) might appear to be a message from your boss, mentioning a current project/activity and asking for your feedback on an attached document by the end of the day. Even better ones come up with an approach that wouldn't trigger any suspicious follow-up and go undetected (you might tell your boss the prior attachment wouldn't open).

Advanced spear phishing techniques are hard for users to notice even with good training. Who inspects the headers of an email that looks like every other one they get from their boss?

The goal with most phishing awareness training is, and should be, for users to catch the basic phishing messages using techniques like the ones shown in the video. Those working in industries with valuable data (PII, IP, TS, etc.) then take steps to mitigate the impact of stolen credentials (two-factor authentication, automated monitoring/alerting systems, audit trails, air-gap networks, etc.).
 
Upvote
21 (21 / 0)

seanmgallagher

Ars Tribunus Militum
1,911
Subscriptor
Perphenazine said:
Their example isn't really spear phishing, it's just regular phishing. Spear phishing is highly targeted. It mentions you specifically and is "from" a person you know. A well crafted campaign (the type that would target government employees with security clearances) might appear to be a message from your boss, mentioning a current project/activity and asking for your feedback on an attached document by the end of the day. Even better ones come up with an approach that wouldn't trigger any suspicious follow-up and go undetected (you might tell your boss the prior attachment wouldn't open).

Advanced spear phishing techniques are hard for users to notice even with good training. Who inspects the headers of an email that looks like every other one they get from their boss?

The goal with most phishing awareness training is, and should be, for users to catch the basic phishing messages using techniques like the ones shown in the video. Those working in industries with valuable data (PII, IP, TS, etc.) then take steps to mitigate the impact of stolen credentials (two-factor authentication, automated monitoring/alerting systems, audit trails, air-gap networks, etc.).

This is how ODNI classifies spear phishing with regard to employees on their personal systems. They believe that foreign intel will use some bulk approach to send tailored messages to millions of feds based on data culled from credit card, bank and OPM breaches, going after their home computers as well as their work accounts. Most agencies have at least begun to implement two factor, but the Joint Chiefs had two factor and got clobbered by a simple credit card alert spearphish that was barely a spearphish.

I'm not saying the definition is right...
 
Upvote
13 (14 / -1)
Dilbert said:
My proposal, which was unfortunately shut down, was anyone with a virus gets their computer taken away immediately (to wipe and reimage) and replaced with a hand-me-down older/slower computer. There's an incentive however meager. But that too was apparently too much to adopt.

Wow, fuck you.

Sorry, I don't have a better comment, but I don't honestly know a more constructive or useful response to that.
 
Upvote
-7 (14 / -21)
Quiet Desperation said:
Multiple hull breaches. Dilithium crystals shattered. Warp core in process of ejecting. One nacelle broken off and drifting away. Other nacelle bent into a pretzel. Command crew dead or MIA. Romulans boarding at multiple incursion points. Food processor full of tribbles.

But, yeah, raise shields now.

It's more of a Kobayashi Maru situation; don't ya think?
 
Upvote
9 (9 / 0)
The fix is so easy: just sign the emails with a signature.

PGP/GPG and S/MIME are well known, and have been around for decades. S/MIME will work *RIGHT NOW* in almost all mail clients. PGP requires more work, but an OS-distributed set of keys is very feasible (in fact, many Linux package managers already do this), and within an organisation (like, say, a government branch) you can do your own key distribution.
Both solutions are also 100% backwards-compatible, and can be set up in a day for many email systems. Sure, there will probably be some challenges along the way in wide-spread roll-out, but we're talking about millions being stolen and even national security threats. The gain vs. effort ratio is very large.

That Paypal, Amazon, banks, etc. don't sign their e-mails with S/MIME is a disgrace. I am a software developer who wrote 2 email clients and did lots of other stuff with email over the years. I'd like to think that I know more about email than most. But on occasion a phishing mail still comes through the spam filter, and I really have to *look* very carefully to see if it's real or fake. The days of phishing mails with bad spelling and other obvious errors are over (and even those fooled many people). The assholes have stepped up their game, and so should we.

"Educating the public" is a non-fix, and even harmful. It somehow implies that you, as a person, are responsible when you're a phishing victim. Sure, there are plenty of people being a bit silly, but that's in the human nature, and in this case you need to be very vigilant and don't have to be all that silly to make a mistake.
The responsibility is with *us*, the IT folk, in providing a system where you can *easily* see if a mail is genuine.

IMHO, this is something a government should just mandate like the "EU cookie law" (except that it actually makes a difference and doesn't annoy everyone, plus the retarded EU cookie law probably took a lot more effort to implement than signed emails).
 
Upvote
19 (20 / -1)

FerServadu

Seniorius Lurkius
28
LuDux said:
Dilbert said:
My proposal, which was unfortunately shut down, was anyone with a virus gets their computer taken away immediately (to wipe and reimage) and replaced with a hand-me-down older/slower computer. There's an incentive however meager. But that too was apparently too much to adopt.

Wow, fuck you.

Sorry, I don't have a better comment, but I don't honestly know a more constructive or useful response to that.

My assumption is that he's talking about computers that are actually owned by the organization that employs those users, not the personal property of the public at large.

If that's what he's saying, then I agree with him. If your tax or investment dollars were regularly being spent replacing, recovering, and repairing organization vehicles for employees who couldn't be bothered to not leave the cars unlocked and idling in high-crime neighborhoods, you'd probably have an issue with it, too. Even moreso if controlling a single one of those cars gave the thieves access to the entire fleet.
 
Upvote
8 (9 / -1)
LuDux said:
Dilbert said:
My proposal, which was unfortunately shut down, was anyone with a virus gets their computer taken away immediately (to wipe and reimage) and replaced with a hand-me-down older/slower computer. There's an incentive however meager. But that too was apparently too much to adopt.
Wow, fuck you.

Sorry, I don't have a better comment, but I don't honestly know a more constructive or useful response to that.

I, totally, regret typing f* in a front page thread; I slapped a horse out of the barn..

My bad, infinity; or until its last typed..
 
Upvote
-5 (1 / -6)

star-strewn

Ars Scholae Palatinae
800
Subscriptor++
As if phishing emails are the worst that could come from the massive caught-with-our-pants-down OPM breach! How about blackmail, in person contact, spy surveillance, postal mail tampering, information-gathering expeditions masked to look like a common robbery...

The possibilities are endless.

But if we're going to focus on email, then yes, email needs built in authentication mechanisms already. The only reason we don't is simple lazy inertia. Industry needs to step up, before the government makes it a heavy-handed requirement.
 
Upvote
2 (2 / 0)

dangerstranger

Wise, Aged Ars Veteran
149
Carpetsmoker said:
The fix is so easy: just sign the emails with a signature.

PGP/GPG and S/MIME are well known, and have been around for decades. S/MIME will work *RIGHT NOW* in almost all mail clients. PGP requires more work, but an OS-distributed set of keys is very feasible (in fact, many Linux package managers already do this), and within an organisation (like, say, a government branch) you can do your own key distribution.
Both solutions are also 100% backwards-compatible, and can be set up in a day for many email systems. Sure, there will probably be some challenges along the way in wide-spread roll-out, but we're talking about millions being stolen and even national security threats. The gain vs. effort ratio is very large.

That Paypal, Amazon, banks, etc. don't sign their e-mails with S/MIME is a disgrace. I am a software developer who wrote 2 email clients and did lots of other stuff with email over the years. I'd like to think that I know more about email than most. But on occasion a phishing mail still comes through the spam filter, and I really have to *look* very carefully to see if it's real or fake. The days of phishing mails with bad spelling and other obvious errors are over (and even those fooled many people). The assholes have stepped up their game, and so should we.

"Educating the public" is a non-fix, and even harmful. It somehow implies that you, as a person, are responsible when you're a phishing victim. Sure, there are plenty of people being a bit silly, but that's in the human nature, and in this case you need to be very vigilant and don't have to be all that silly to make a mistake.
The responsibility is with *us*, the IT folk, in providing a system where you can *easily* see if a mail is genuine.

IMHO, this is something a government should just mandate like the "EU cookie law" (except that it actually makes a difference and doesn't annoy everyone, plus the retarded EU cookie law probably took a lot more effort to implement than signed emails).

I am not a security expert by any means, but this was my first thought as well. I can't imagine any *technical* reason for an organization as large as the government not to be cryptographically signing e-mails (at the very least internal e-mails via key servers).

That solves part of the problem of an external e-mail masquerading as your boss's.

The other part is that the major tech companies need to implement verified e-mails (i.e. e-mail header spoofing should not work), but I doubt that will happen especially when we look at the issue of spoofed caller IDs as we all know how that problem is totally solved. /s

But in short, the real problem is that e-mails are essentially postcards. Trusting information from a postcard is pretty silly and there needs to be some easy to use, uniform email encryption that grandma can use whether via gmail, outlook, yahoo, silly isp supplied e-mail, etc., etc.
 
Upvote
5 (5 / 0)
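The header inspection and signature checks discussed in the posts above can be done by the mail gateway or client rather than by the reader. The following is an added example, not part of any post in this thread: a Python triage over two constructed messages. The domains, the `mx.agency.example` authserv-id and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: shows the boss's address in From, but fails SPF/DMARC,
# redirects replies to a lookalike domain, and carries no signature.
SPOOFED = """\
Authentication-Results: mx.agency.example; spf=fail smtp.mailfrom=bulk.sender.example; dkim=none; dmarc=fail header.from=agency.example
From: "Pat Boss" <pat.boss@agency.example>
Reply-To: "Pat Boss" <pat.boss@agency-mail.example>
To: employee@agency.example
Subject: Feedback needed by end of day
Content-Type: text/plain

Please review the attached document.
"""

# Constructed sample: passes sender authentication and has S/MIME structure.
SIGNED = """\
Authentication-Results: mx.agency.example; spf=pass smtp.mailfrom=agency.example; dkim=pass header.d=agency.example; dmarc=pass header.from=agency.example
From: "Pat Boss" <pat.boss@agency.example>
To: employee@agency.example
Subject: Quarterly notes
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

Notes attached.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"

(signature bytes omitted in this constructed sample)
--b1--
"""

SIGNATURE_PROTOCOLS = {
    "application/pkcs7-signature",    # S/MIME
    "application/x-pkcs7-signature",  # older S/MIME label
    "application/pgp-signature",      # PGP/MIME
}


def auth_results(msg, trusted_authserv):
    """Collect spf/dkim/dmarc verdicts, but only from the header stamped by
    our own receiving server; any other copy may have been forged by the sender."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in str(value).split(";")]
        if not parts[0] or parts[0].split()[0].lower() != trusted_authserv:
            continue
        for part in parts[1:]:
            m = re.match(r"(spf|dkim|dmarc)\s*=\s*(\w+)", part, re.I)
            if m:
                verdicts.setdefault(m.group(1).lower(), m.group(2).lower())
    return verdicts


def claims_signature(msg):
    """True if the message has S/MIME or PGP/MIME signed structure.
    This is a presence check only; the signature still has to be verified
    cryptographically against a trusted certificate or key."""
    if msg.get_content_type() != "multipart/signed":
        return False
    return str(msg.get_param("protocol", "")).lower() in SIGNATURE_PROTOCOLS


def triage(raw, trusted_authserv="mx.agency.example"):
    """Return a list of findings a reader would otherwise have to spot by eye."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    verdicts = auth_results(msg, trusted_authserv)
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            findings.append(f"{mech}={verdicts.get(mech, 'missing')}")
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_addr and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from {from_domain}")
    if not claims_signature(msg):
        findings.append("no S/MIME or PGP signature")
    return findings


if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("SIGNED", SIGNED)):
        print(name, triage(raw) or "no findings")
```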

dangerstranger

Wise, Aged Ars Veteran
149
Also, a totally different rant about all these data breaches.

Dear [consumer / customer / employee / stranger],

As a heads-up, we got hacked. It wasn't really our fault but rather a(n) [external contractor, malicious government, black-hat hacker, 3rd party who we sort of don't have control over but maybe we do, rogue employee] was able to access our systems in an unauthorized manner. They took your [credit information, PII, health-care data, dog's name, pizza topping preference] and were able to ex-filtrate it from our totally secure network.

We have contacted the [CIA, NSA, FBI, state police, local police, mall rent-a-cops] and are working in conjunction with them to catch the aforementioned perpetrators. Have no fear that we are doing everything in our power to [cover our own butts] and make sure that your [credit score probably can't get any worse, deep dark sexual secrets and fantasies haven't fallen in the wrong hands, embarrassing health conditions won't become the laughingstock of the office].

To that end we are supplying you with [1 year of credit monitoring].

Good luck!

In short the problem with identity theft is:
1. SS numbers are not supposed to be a unique identifier
2. Our society works on "open" credit, which is stupid (see #1 above)
3. The credit bureaus are not incentivized to protect/verify people's information (in fact they have a perverse incentive not to, since then they can't give access to any Joe Schmoe who wants to give them money for people's information and then they can then sell extra "credit" monitoring services to people).

*Edit: accidentally submitted comment before finished typing
 
Upvote
6 (6 / 0)

arsIdentity97

Smack-Fu Master, in training
61
On a serious note, "...22 million people 22 MILLION, including some who had merely applied for government employment or contract work in the last 10 years." I vote it should be a criminal offense to keep personal data any longer than necessary for processing -- after which time it should be destroyed. That might help.
 
Upvote
3 (4 / -1)
seanmgallagher said:
Perphenazine said:
Their example isn't really spear phishing, it's just regular phishing. Spear phishing is highly targeted. It mentions you specifically and is "from" a person you know. A well crafted campaign (the type that would target government employees with security clearances) might appear to be a message from your boss, mentioning a current project/activity and asking for your feedback on an attached document by the end of the day. Even better ones come up with an approach that wouldn't trigger any suspicious follow-up and go undetected (you might tell your boss the prior attachment wouldn't open).

Advanced spear phishing techniques are hard for users to notice even with good training. Who inspects the headers of an email that looks like every other one they get from their boss?

The goal with most phishing awareness training is, and should be, for users to catch the basic phishing messages using techniques like the ones shown in the video. Those working in industries with valuable data (PII, IP, TS, etc.) then take steps to mitigate the impact of stolen credentials (two-factor authentication, automated monitoring/alerting systems, audit trails, air-gap networks, etc.).

This is how ODNI classifies spear phishing with regard to employees on their personal systems. They believe that foreign intel will use some bulk approach to send tailored messages to millions of feds based on data culled from credit card, bank and OPM breaches, going after their home computers as well as their work accounts. Most agencies have at least begun to implement two factor, but the Joint Chiefs had two factor and got clobbered by a simple credit card alert spearphish that was barely a spearphish.

I'm not saying the definition is right...

I missed the one about the Joint Chiefs got it... sean, got a decent link to a story?
 
Upvote
3 (3 / 0)
seanmgallagher said:
Perphenazine said:
Their example isn't really spear phishing, it's just regular phishing. Spear phishing is highly targeted. It mentions you specifically and is "from" a person you know. A well crafted campaign (the type that would target government employees with security clearances) might appear to be a message from your boss, mentioning a current project/activity and asking for your feedback on an attached document by the end of the day. Even better ones come up with an approach that wouldn't trigger any suspicious follow-up and go undetected (you might tell your boss the prior attachment wouldn't open).

Advanced spear phishing techniques are hard for users to notice even with good training. Who inspects the headers of an email that looks like every other one they get from their boss?

The goal with most phishing awareness training is, and should be, for users to catch the basic phishing messages using techniques like the ones shown in the video. Those working in industries with valuable data (PII, IP, TS, etc.) then take steps to mitigate the impact of stolen credentials (two-factor authentication, automated monitoring/alerting systems, audit trails, air-gap networks, etc.).

This is how ODNI classifies spear phishing with regard to employees on their personal systems. They believe that foreign intel will use some bulk approach to send tailored messages to millions of feds based on data culled from credit card, bank and OPM breaches, going after their home computers as well as their work accounts. Most agencies have at least begun to implement two factor, but the Joint Chiefs had two factor and got clobbered by a simple credit card alert spearphish that was barely a spearphish.

I'm not saying the definition is right...
Imagine that. The government doesn't know what spearphishing is, and just uses the term because it is new and popular. Go figure.
 
Upvote
3 (3 / 0)

bglick4

Ars Tribunus Militum
2,094
Dilbert said:
Nope. Users don't know how to "raise their shields". Computer security is a highly abstract topic and as such is very hard to understand. Add to that the basic human willingness to help out (oh you want me to give you my password / open this file / fill this form? SURE! ) and the breaches will keep on happening.

Besides the inability to get secure, there's also the element of apathy at play. We are talking about employees whose sole reason for showing up every morning is the paycheck. They don't care. They could be made to care through disciplinary action (stick) or reward (carrot). But there are usually no consequences to picking up a virus on a computer, or responding to a phishing e-mail. No disciplinary action. Why would there be when malware is perceived as IT dept problem? Often seen as just a normal part of owning and using computers? :facepalm: Simply put, users aren't incentivized to keep their computer secure. Asking them "pretty please" simply does not work. It never has.

Here's an analogy we used in a meeting recently. Compare computer security to a common parking garage with a broken gate. "Please get out of your car and make sure the gate is securely closed behind you." HAHA yeah right. Hardly anyone is going to do that. All it takes is one driver leaving the gate open and everyone's car gets broken into.

My proposal, which was unfortunately shut down, was anyone with a virus gets their computer taken away immediately (to wipe and reimage) and replaced with a hand-me-down older/slower computer. There's an incentive however meager. But that too was apparently too much to adopt.

It's difficult in government because you can't discipline people in any meaningful way and even rewards are difficult because the undeserving take umbrage. However, there are still good workers who really don't want to be the source of a leak and training these individuals to detect and avoid phishing and spear phishing attacks can help. I'm shocked that they are only now training their employees in this stuff. Better late than never, I suppose. My company has been conducting this training along with regular fake attacks for at least a decade. Operator training should always be the last line of defense, but it's still an important one.

I like your idea of punishing users when their errors cause failures; however, you're hurting your company giving productive people substandard machines for failures unrelated to their actual job. I like the idea of regular fake spear phishing attacks. Set up a bonus fund that users lose part of the cut of whenever they get caught in an attack. Give the attackers a strong incentive to trick users and then give the trainers an incentive to reduce successful attacks.
 
Upvote
2 (3 / -1)

p3t3rk3y5

Seniorius Lurkius
2
Let's keep in mind that the jokers briefing this did a *worse* job securing the details of everyone in the US with a clearance than Ashley Madison did securing passwords. Ashley Madison at least tried to encrypt passwords. These guys pointing fingers at someone else clicking a link didn't even try to encrypt any of this info right here --> https://www.opm.gov/forms/pdf_fill/sf86.pdf

What I want to hear is who is getting prison time for this?
 
Upvote
3 (3 / 0)

bglick4

Ars Tribunus Militum
2,094
p3t3rk3y5 said:
Let's keep in mind that the jokers briefing this did a *worse* job securing the details of everyone in the US with a clearance than Ashley Madison did securing passwords. Ashley Madison at least tried to encrypt passwords. These guys pointing fingers at someone else clicking a link didn't even try to encrypt any of this info right here --> https://www.opm.gov/forms/pdf_fill/sf86.pdf

What I want to hear is who is getting prison time for this?

But who would even be arrested? Poor security isn't against the law. It's pure incompetence, but if we arrested every top level bureaucrat who was incompetent, they wouldn't have enough room in the prisons. I guess they could let out all the people in jail for having a bit of pot to make room...ok I don't really have an objection to this. Arrest away!
 
Upvote
-1 (0 / -1)
p3t3rk3y5 said:
Let's keep in mind that the jokers briefing this did a *worse* job securing the details of everyone in the US with a clearance than Ashley Madison did securing passwords. Ashley Madison at least tried to encrypt passwords. These guys pointing fingers at someone else clicking a link didn't even try to encrypt any of this info right here --> https://www.opm.gov/forms/pdf_fill/sf86.pdf

What I want to hear is who is getting prison time for this?

Let's not keep that in mind at all, because it's completely wrong.

The National Counterintelligence and Security Center has nothing to do with OPM, except that their HR is probably handled by OPM. And all of their PII was released too.

That's like lambasting something the President said because it contradicts what a Supreme Court Justice did.
 
Upvote
2 (2 / 0)

01000111

Wise, Aged Ars Veteran
138
ReaderBot said:
p3t3rk3y5 said:
Let's keep in mind that the jokers briefing this did a *worse* job securing the details of everyone in the US with a clearance than Ashley Madison did securing passwords. Ashley Madison at least tried to encrypt passwords. These guys pointing fingers at someone else clicking a link didn't even try to encrypt any of this info right here --> https://www.opm.gov/forms/pdf_fill/sf86.pdf

What I want to hear is who is getting prison time for this?

Let's not keep that in mind at all, because it's completely wrong.

The National Counterintelligence and Security Center has nothing to do with OPM, except that their HR is probably handled by OPM. And all of their PII was released too.

That's like lambasting something the President said because it contradicts what a Supreme Court Justice did.


Fair enough statement, though I do believe that the heat for the OPM hack was too squarely centered on "just OPM".

All of the agencies that had their privileged data entrusted to OPM had a core, invested interest in their security, and that includes a great many individuals and organizations above OPM, with a controlling influence of OPM.

There is a profoundly powerful, implicit message sent by that attack. And a large part of that implicit message does tie in with the whistleblowers, leaks, and moles. Altogether, it says, "When it comes to security and secrets, the government is very bad at it, both in terms of true concern, and in terms of capacity to protect".

With OPM this message is especially powerful for all 20 some odd million affected by it. They trusted the respective government branches they filled out those forms for with that private, personal data. And they trusted the government at large in doing so, as well.

They don't hear about it and forget about it. They will think about it regularly. Consistency is a major component of such messaging, as well as personal vulnerability.

Which gets to my last concern here: The followup is miserable.

This agency in question is in charge of important domestic communications. And probably few, if any there, really know even very much about the difference between implicit and explicit communication. They do not understand what those terms mean, and while there are more widely known terms that could be substituted for those terms -- anyone familiar with those more widely known terms would be able to understand what is meant by them, anyway, by context.

What this is like, is like how people run by automatic, "instinctive" behaviors, unconscious drives and thoughts, as opposed to rationality, conscious awareness.

This means, that they are not addressing the real communication issues that need to be addressed with the OPM attacks. They don't even know what those issues are. I am sure, if they tried to think about it, they would briefly see some of those underlying issues. I am sure they will see it when they get feedback from people about it. But, they would dismiss much of that, without much of a thought.

Which means their followup approach is condemnable. It is not "as if blaming the President for a decision by the Supreme Court". It is as if, "they don't even know what the hell they need to be addressing", at all.


On a technical level, in terms of education on specifically aiding government employees to help prevent becoming victims of attackers using this data, they fail there, too.

The approach and attack vectors go far more than just system hacking. Which very often would involve zero day and other such attacks, so is not "just phishing". There is very much also "human hacking", one could say. If you have all of that data about someone, it is trivial to approach them and get into their rapport.

They don't have to use email to do that, at all. They can use FB. They can use any social media. If the target is important enough, they can do it in person.
 
Upvote
0 (0 / 0)

01000111

Wise, Aged Ars Veteran
138
On the attack vector, technically, relegating intel attacks *just* on tech:

I just got a talk on this, "foreign intelligence attack vector" is listed as 78% email attachment. Problem with that, anyone?

That is just from:

1. they know about
2. they have caught
3. that other teams are willing to tell them
4. all attacks are by no means equal -- one OPM attack weighed against how many hundreds and thousands and teens of thousands of smaller attacks?

On point 3, I strongly doubt all attacks are reported to this department, not even on terms of "we were ashamed", which probably almost never happens, but in terms of "we think they might also be compromised, so this knowledge has to be extremely compartmentalized".

Could be argued, "Well, they have to still train on these attacks, non-email borne attacks don't affect them". Not so. There are attacks which target individuals that may fall exactly under these criteria, which make the email attack vector meaningless.
 
Upvote
0 (0 / 0)