2021-05-10
(Guardian) "You essential workers kept our trains running during the pandemic, you deserve a bonus" *clicks link* "Just kidding, you just failed our cybersecurity test" (theguardian.com)
Dead for Tax Reasons [TotalFark]
1 hour ago
that would've been a lot of toy yodas for them to find
 
iheartscotch
18 minutes ago
I mean...they did think that their company might be grateful for their hard work and sacrifices....
 
NotThatGuyAgain
16 minutes ago
Asinine?  This is Cybersecurity 101.  It's good training, especially for non-IT users.

"The design of the email was just the sort of thing a criminal organisation would use - and thankfully it was an exercise without the consequences of a real attack." This is a true statement.

Let's see how the Colonial ransomware attack made it into their system then revisit this thread.  I haven't seen any details other than "hackers attacked," and that could mean a ton of things.
 
UTD_Elcid [BareFark] [OhFark]
16 minutes ago
I'm not saying they are right, but as someone who understands IT challenges, I get it.
 
Solty Dog
14 minutes ago
People in IT being dicks in the name of cybersecurity? Say it ain't so.
 
Jeebus Saves
14 minutes ago
On one hand I can't believe people are so stupid as to click a link in an email.  On the other, I'm pretty sure I think that because I'm afraid to admit that there are so many stupid people out there.
 
Englebert Slaptyback
13 minutes ago
"The company must now account for their totally crass and reprehensible behaviour. They could and should have used any other pretext to test their internet security. It's almost beyond belief that they chose to falsely offer a bonus to workers who have done so much in the fight against this virus."
(emphasis added)


Yeah, how dare they use a tactic that was quite likely to be effective?

(Sarcasm, Sarcasm, *ah-OOOO-gah*)
 
HotWingConspiracy [TotalFark]
13 minutes ago
A West Midlands Trains spokesperson said: "We take cybersecurity very seriously. We run regular training and it's important to test your resilience.

"The design of the email was just the sort of thing a criminal organisation would use - and thankfully it was an exercise without the consequences of a real attack."

"Besides, these idiots should know by now there's no bonuses or raises coming. I mean, what kind of dope would buy that?"
 
Boo_Guy
13 minutes ago
Seems like a pretty shiat security / phishing test if the email is from their own company.

You want your employees not to trust anything coming from their actual place at work at all then? That's what some of those employees are going to do now, completely disregard any work email, good job I guess.
 
groppet [TotalFark]
13 minutes ago
A few years ago I got a work email about clicking a link for an update. Never had anything like that happen before, so I got the IT guy that was next door and he seemed confused about it too and called his boss. Turns out yes, it was a cyber security test to see who would click it. I passed and didn't get anything for it, but people who failed got a nice remedial cyber security class.
 
abbarach
11 minutes ago

UTD_Elcid: I'm not saying they are right, but as someone who understands IT challenges, I get it.


From an IT standpoint, this is EXACTLY the kind of attack email you really want to simulate and test your users against.

From a management standpoint, this is pretty terrible because employees got their hopes up, only to have them dashed.  I've seen administration get VERY upset with IT for running these kinds of tests without conferring with admin first about the messaging.

Best case scenario, management was aware of the nature of the test, AND was already planning on bonuses.  Right after the test concludes, admin announced the real bonus.
 
NotThatGuyAgain
11 minutes ago

Solty Dog: People in IT being dicks in the name of cybersecurity? Say it ain't so.


People in IT trying to educate their users so IT doesn't have to spend 3 weeks cleaning up after some dipshiat clicked a link in a fake e-mail?  Say it ain't so.
 
lolmao500 [recently expired TotalFark]
10 minutes ago

iheartscotch: I mean...they did think that their company might be grateful for their hard work and sacrifices....


Don't they know they live in a late-stage capitalism system and that kind of thing doesn't happen? They still believe that corporations give a fark about them? How stupid are they?
 
steklo [TotalFark]
10 minutes ago
[image]
 
lolmao500 [recently expired TotalFark]
8 minutes ago
Seems to me it's time to destroy cryptos once and for all.
 
wage0048 [TotalFark]
8 minutes ago

Boo_Guy: Seems like a pretty shiat security / phishing test if the email is from their own company.

You want your employees not to trust anything coming from their actual place at work at all then? That's what some of those employees are going to do now, completely disregard any work email, good job I guess.


I get these sorts of "tests" pretty regularly - at least a couple per month in the various mailboxes I monitor (including my direct email address) and they always come from a domain other than @[mycompany].com, so even a cursory inspection would make it obvious that it's not actually from our own HR or whoever.
 
gar1013
7 minutes ago

Solty Dog: People in IT being dicks in the name of cybersecurity? Say it ain't so.


You're just mad you didn't collect your free Guinness bar towel
 
Medic Zero
7 minutes ago

NotThatGuyAgain: Asinine?  This is Cybersecurity 101.  It's good training, especially for non-IT users.

"The design of the email was just the sort of thing a criminal organisation would use - and thankfully it was an exercise without the consequences of a real attack." This is a true statement.

Let's see how the Colonial ransomware attack made it into their system then revisit this thread.  I haven't seen any details other than "hackers attacked," and that could mean a ton of things.


I've only fallen for one of these things once, and it was because IT sent out a phishing email that purposefully looked like an internal email.

Of course, it didn't help that I was in the middle of transferring to another internal position and getting bombarded with emails asking me for information that HR already had and didn't share with them.
 
BeesNuts
7 minutes ago

Boo_Guy: Seems like a pretty shiat security / phishing test if the email is from their own company.

You want your employees not to trust anything coming from their actual place at work at all then? That's what some of those employees are going to do now, completely disregard any work email, good job I guess.


This.  It appears the lesson is: Don't click links in emails.  Ever.

Cool.  I hope that not a single manager sends links in emails.  Oh, these employees will get shat on from both ends?  Nice.
 
Dead for Tax Reasons [TotalFark]
6 minutes ago

NotThatGuyAgain: Solty Dog: People in IT being dicks in the name of cybersecurity? Say it ain't so.

People in IT trying to educate their users so IT doesn't have to spend 3 weeks cleaning up after some dipshiat clicked a link in a fake e-mail?  Say it ain't so.



the bonuses should come out of the IT department's salary now
 
whither_apophis [TotalFark]
6 minutes ago
All emails should be plain text anyway
 
Spermbot [BareFark]
6 minutes ago

Boo_Guy: Seems like a pretty shiat security / phishing test if the email is from their own company.

You want your employees not to trust anything coming from their actual place at work at all then? That's what some of those employees are going to do now, completely disregard any work email, good job I guess.


You want employees to practice good cyber-hygiene regardless of the source of an email. Email addresses can be spoofed.
 
Solty Dog
6 minutes ago

NotThatGuyAgain: Solty Dog: People in IT being dicks in the name of cybersecurity? Say it ain't so.

People in IT trying to educate their users so IT doesn't have to spend 3 weeks cleaning up after some dipshiat clicked a link in a fake e-mail?  Say it ain't so.


The truly computer stupid can't be educated. They will still click a bad link.
 
gar1013
5 minutes ago

BeesNuts: Boo_Guy: Seems like a pretty shiat security / phishing test if the email is from their own company.

You want your employees not to trust anything coming from their actual place at work at all then? That's what some of those employees are going to do now, completely disregard any work email, good job I guess.

This.  It appears the lesson is: Don't click links in emails.  Ever.

Cool.  I hope that not a single manager sends links in emails.  Oh, these employees will get shat on from both ends?  Nice.


No, the lesson is to actually read the farking email and use common sense.

It works well if you aren't a moron who just throws up their hands and says THIS IS HARD.
 
Stud Gerbil
5 minutes ago
csb: I worked at an airport/AFRES base.   After 9/11, the military posted armed grunts at the front door.   Since it was a part-time base ops/terminal, I was the first guy there on the morning of the 12th.   Out front was the guard, who had no idea what he was supposed to be doing.   So, I took out my key and opened the door so we could get in.   And of course as soon as we got in, he asked me for my ID.
 
Boo_Guy
4 minutes ago

wage0048: Boo_Guy: Seems like a pretty shiat security / phishing test if the email is from their own company.

You want your employees not to trust anything coming from their actual place at work at all then? That's what some of those employees are going to do now, completely disregard any work email, good job I guess.

I get these sorts of "tests" pretty regularly - at least a couple per month in the various mailboxes I monitor (including my direct email address) and they always come from a domain other than @[mycompany].com, so even a cursory inspection would make it obvious that it's not actually from our own HR or whoever.


Well that makes some actual sense then.
 
Some Junkie Cosmonaut
3 minutes ago

Englebert Slaptyback: "The company must now account for their totally crass and reprehensible behaviour. They could and should have used any other pretext to test their internet security. It's almost beyond belief that they chose to falsely offer a bonus to workers who have done so much in the fight against this virus."
(emphasis added)


Yeah, how dare they use a tactic that was quite likely to be effective?

(Sarcasm, Sarcasm, *ah-OOOO-gah*)


From an effectiveness standpoint?  100%  From an optics standpoint?   Shaky at best.  Especially when you've probably got people that do deserve such bonuses and have instead gotten farkall and a hot cocoa sampler.  Sure, you've tested security damn well - you've also gone, "Yeah, you probably deserve better.  Not gonna get it though.  Sucks to be you huh?"  I'd test it with something that doesn't shove people's feelings of being hard done by to an even higher pitch automatically.  Morality completely aside, from a pure corporate "riling up the peons for no reason doesn't improve efficiency." standpoint.

/riling them up when they can shave another buck of profit?  Np
//but for no reason at all, that's a net productivity loss
///even the numbers bots should be able to see that far
 
UltimaCS
3 minutes ago

NotThatGuyAgain: Solty Dog: People in IT being dicks in the name of cybersecurity? Say it ain't so.

People in IT trying to educate their users so IT doesn't have to spend 3 weeks cleaning up after some dipshiat clicked a link in a fake e-mail?  Say it ain't so.


I'm sure Matt Gaetz was just trying to give some curious high schoolers a couple lessons in sex ed, but there are certainly better ways to do it.
 
ryebread [TotalFark] [OhFark]
less than a minute ago
Building rapport with your users is important when you're asking them to comply with things, and for getting them to actually come to you to report suspicious/malicious activity... And that's before you look at the increased risk of insider threats, damage to reputation, etc.

They damaged their overall security with this test.

Phishing simulations are a great thing. The lure they used was ruthlessly effective, I'll give them that. I'd be fine with using that against the execs, even. But using that specific lure against regular users is a dick move, and counterproductive at that.