[Linux-aus] Security conferences (was: LUGs)

Info info at petermoulding.com
Sat Jul 8 09:06:15 AEST 2023


Thank you for the reference. AFR is one newspaper I have not read for a while. I might have to look 
more often.

Stories like that are often better for informing friends and staff about phishing and similar. What 
is missing is often the detail. SMH and other newspapers often mention phishing without explaining 
it. On rare occasions, they point out an email has a wrong return address.

One of the reasons for converting people from proprietary email to open source is the display of 
actual email addresses instead of just the name. I encourage people to check then report scams.

I think news.com.au and similar run articles on victims of phishing just for the shock value, not to 
help anyone avoid phishing.

MFA works locally and people run into problems when they travel using cheaper local cards. Anyone 
with serious access should use two telephones and reserve one for the calls back to the office.

If you use your telephone number, lose your telephone, then try to get a new telephone with the same 
number, you can end up in an authentication loop. One friend hit that road block recently.

CACert was a great idea. I hoped that would lead to key authentication for Facebook and everything 
instead of just the Musk Blue Tick.

On 7/7/23 23:06, Adam Nielsen via linux-aus wrote:
>> I looked at a few conference links and did not find the "What we did
>> wrong" style confessions from failed organisations. How can anyone
>> know what to avoid if there are no investigations and coroner reports?
> 
> These conferences are more proactive.  They focus on newly discovered
> issues, alerting people to the problems they need to address *before*
> there is a major security breach.
> 
> When there is a compromise like the Medibank one and the reasons are
> made public, quite often you will find the very methods the attackers
> used have been discussed at these conferences many years earlier.
> 
> This is why many companies and government agencies with a strong focus
> on security send delegates to these conferences, because they want to
> address their security shortcomings before there is a public breach
> rather than after.
> 
>> The Medibank incident should be investigated out in the open the same
>> as an aeroplane crash.
> 
> I haven't looked into it but a quick web search shows it is being
> investigated by police, and there is some preliminary information
> available.
> 
> It looks like someone with high-level access was tricked into typing
> their credentials into a phishing scam, and those login details were
> used to discreetly install remote access software that was used to
> extract the information.  It appears MFA was not used so compromising
> the username and password was all that was needed to allow access.
> There is more detail on this article I found:
> https://www.afr.com/technology/revealed-how-crooks-got-inside-medibank-20221024-p5bsg4
> 
> None of this will come as a surprise to anyone who has attended
> security conferences, as they always have talks on how sophisticated
> social engineering and phishing scams are getting, and how end users
> will always be tricked into handing over their passwords, so you need
> MFA to save them from themselves.  MFA has been considered mandatory for
> many years now and at this point no self respecting company would be
> without it, because it makes the very thing that happened to Medibank
> significantly more difficult.
> 
> The latest social engineering trick being discussed is how AI can be
> used to fake the voice of real people.  It will only be a matter of time
> until there are breaches because someone gets a call from their boss who
> forgot their password and needs some files urgently, and they just need
> them e-mailed to their personal GMail address.  The files will
> dutifully get e-mailed because nobody wants to disappoint their boss,
> only to find out later the confidential files were just e-mailed
> directly to a scammer.  MFA won't help you there.
> 
> Hearing about how an actual breach took place is certainly very
> interesting, but from the point of view of protecting your own data,
> finding out about these things before they happen is of much more
> benefit than hearing of them after the fact.
> 
> Cheers,
> Adam.
