this post was submitted on 31 Aug 2023
1064 points (99.2% liked)

Comic Strips
[–] Kolanaki@yiffit.net 78 points 1 year ago* (last edited 1 year ago) (3 children)

A lot of hacking is actually social engineering. It's not hard to get a tech-illiterate person to give up their password, and that's the softest target for an attack.

[–] yokonzo@lemmy.world 31 points 1 year ago (1 children)

I prefer the old “drop a usb in the parking lot”

[–] The_Picard_Maneuver@startrek.website 21 points 1 year ago (2 children)

Be sure to put a label on it that says "secrets!"

[–] teft@startrek.website 19 points 1 year ago (2 children)

Nowadays you'd probably be more likely to get a hit by putting an "Anime titties" label on the drive

I'm interested.

[–] Viking_Hippie@lemmy.world 1 points 1 year ago

Why would you drop a drive full of world news?

[–] dandroid@dandroid.app 4 points 1 year ago (1 children)

I prefer a label that says, "Warning: USB stick contains scary virus. Do not plug into a computer"

[–] The_Picard_Maneuver@startrek.website 2 points 1 year ago (1 children)
[–] chatokun@lemmy.dbzer0.com 3 points 1 year ago (1 children)

It's what sandboxes are for.

[–] Martineski@lemmy.fmhy.net 3 points 1 year ago* (last edited 1 year ago)

There are USB sticks that can kill your PC by getting charged and then discharging all the electricity at once into your PC, so no sandbox will save you in situations like those.

[–] igorlogius@lemmy.world 18 points 1 year ago* (last edited 1 year ago)

the softest target

Management making notes

All employees must be buff!
Fitness training for everyone is now mandatory!
Problem solved.
[–] UnculturedSwine@lemmy.world 9 points 1 year ago (2 children)

Or even jaded tech savvy people. I work in IT and there have been a number of times that I have witnessed or heard about people who know better causing an incident because they're burnt out or irate.

[–] Sharkwellington@lemmy.one 25 points 1 year ago (1 children)

"Wait a second...I don't give a shit about this company."

[–] illi@lemm.ee 15 points 1 year ago

This seems like there is an idea for a joke or a comic here somewhere...

[–] hellishharlot@programming.dev 7 points 1 year ago

Happy employees are less likely to be socially engineered? Wow shocker

[–] EmoDuck@sh.itjust.works 56 points 1 year ago (2 children)

Hacker voice: "I'm in"

Looks at overly complicated industry software he's never even heard of before

"I'm out"

[–] psycho_driver@lemmy.world 22 points 1 year ago (1 children)

"Looks like these guys have already been hit with ransomware."

[–] dubyakay@lemmy.ca 20 points 1 year ago
[–] Anticorp@lemmy.ml 8 points 1 year ago (1 children)

Wait, I have an idea! Yes, just as I thought, I can overlay their proprietary operating system with this fancy looking graphical interface that resembles nothing and gain full control of their system. I'm back in!

[–] twistedtxb@lemmy.ca 51 points 1 year ago* (last edited 1 year ago) (4 children)

We have these obligatory online seminars about web security/privacy at work.

Turns out that for some reason, with Privacy Badger enabled, they appear as "passed" instantly. I never saw a single second of these endless seminars.

I tried to tell the IT guy but he couldn't care less, and I suspect he didn't even know what Privacy Badger actually is.

"Working as intended" - the dev who loves Privacy Badger.

[–] emergencyfood@sh.itjust.works 19 points 1 year ago

Or maybe he feels that these seminars are for people who don't use things like privacy badger.

[–] supercriticalcheese@feddit.it 10 points 1 year ago

It seems like you don't need Training then (:

[–] pwalker@discuss.tchncs.de 2 points 1 year ago (1 children)

Now I want to know what Privacy Badger is and I'm too lazy to google it...

[–] ArbitraryValue@sh.itjust.works 31 points 1 year ago (9 children)

We get fake phishing emails that are actually from IT and if we don't recognize and report them, we get a talking-to. It's a good way of keeping employees vigilant.

[–] grysbok@lemmy.sdf.org 17 points 1 year ago (1 children)

My last company did this. They'd also send out surveys and training from addresses I didn't recognize, so I'd report those, too, only to be told they were legit 😂

[–] hemko@lemmy.dbzer0.com 2 points 1 year ago

Yeah, this is a running joke at our workplace too. Only to be asked by some manager to do those a week or a few later.

[–] cynar@lemmy.world 15 points 1 year ago (1 children)

A friend (who actually works in IT) apparently has a good system at his company. It actually automates turning real phishing attempts into internal tests. It effectively replaces links etc and sends it onwards. If the user actually clicks through, their account is immediately locked. It requires them to contact IT to unlock it again, often accompanied by additional training.
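The setup cynar describes above (a real phishing email is defanged, its links are swapped for internal training links, and a click locks the account until IT unlocks it) and the simulated-phishing programme ArbitraryValue mentions earlier in the thread both come down to the same two pieces: a rewriter that removes the malicious URL and a click endpoint that can trust what it receives. The sketch below is an added example, not the friend's company's system nor any product; the training endpoint, signing key, sample email and the `Directory` stand-in for the identity system are all constructed for illustration.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlencode, urlparse

# Assumed internal training endpoint and signing key; both are placeholders.
TRAINING_ENDPOINT = "https://training.example.internal/click"
SIGNING_KEY = b"example-only-key-rotate-in-production"

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _sign(user: str, nonce: str, original_host: str) -> str:
    """HMAC over (user, nonce, original host) so a click can be tied to a rewrite we made."""
    msg = f"{user}|{nonce}|{original_host}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def rewrite_links(user: str, body: str) -> tuple[str, str]:
    """Replace every URL in a suspected phishing email with a signed training link.

    Only the original host is kept (for the incident record); the full malicious URL
    never reaches the recipient. Attachments and HTML forms would need separate handling.
    """
    nonce = secrets.token_hex(8)

    def replace(match: re.Match) -> str:
        host = urlparse(match.group(0)).netloc
        params = {"u": user, "n": nonce, "h": host, "s": _sign(user, nonce, host)}
        return f"{TRAINING_ENDPOINT}?{urlencode(params)}"

    return URL_RE.sub(replace, body), nonce


def training_links(text: str) -> list[str]:
    """Return the training links present in an already-rewritten email body."""
    return [u for u in URL_RE.findall(text) if u.startswith(TRAINING_ENDPOINT)]


@dataclass
class Directory:
    """Stand-in for the identity system: who is locked and why (constructed for the example)."""
    locked: set = field(default_factory=set)
    incidents: list = field(default_factory=list)


def handle_click(directory: Directory, link: str) -> str:
    """Training endpoint: verify the token, then lock the account and log the incident."""
    params = dict(parse_qsl(urlparse(link).query))
    try:
        expected = _sign(params["u"], params["n"], params["h"])
    except KeyError:
        return "invalid"
    if not hmac.compare_digest(expected, params.get("s", "")):
        return "invalid"  # forged or tampered link: never lock anyone on unsigned input
    directory.locked.add(params["u"])
    directory.incidents.append((params["u"], params["h"]))
    return "locked"


def unlock_after_training(directory: Directory, user: str, ticket: str) -> bool:
    """IT unlocks only against a help-desk ticket, which is where the extra training is recorded."""
    if user not in directory.locked or not ticket:
        return False
    directory.locked.discard(user)
    return True


if __name__ == "__main__":
    # Constructed sample of a suspected phishing email body.
    sample = ("Your mailbox is full. Restore access at "
              "https://login.example-bank.test/reset?id=123 or see "
              "https://cdn.example-bank.test/notice.html for details")
    rewritten, _ = rewrite_links("alice", sample)
    print(rewritten)
    d = Directory()
    print(handle_click(d, training_links(rewritten)[0]), sorted(d.locked))
```

The signed token is the part that matters for zalgotext's objection below: because the endpoint only acts on links it generated for a specific user, a forwarded or edited link cannot be used to lock someone else out, and the incident record names the lure's host rather than preserving a live malicious URL.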

[–] zalgotext@sh.itjust.works 2 points 1 year ago (3 children)

Wait. So your friend's company has the ability to reliably detect phishing attacks, but instead of just blocking them outright, it replaces the malicious phishing links with their own phishing links, sends those on to employees, and prevents them from doing their jobs if they fall for it?

Sounds like your friend's company's IT people are kind of dickheads

[–] lazyshit@sh.itjust.works 3 points 1 year ago

I work at a company that does something similar; it can be annoying to deal with these fake phishing emails from our own IT, but a 10-15 minute training session if you fail is a lot less disruptive than what can happen if you clicked the real link instead.

I consider myself a bit more tech-savvy than average, but I’ve almost fallen for a couple of these fake phishing emails. It helps me to keep up with what the latest versions of these attacks look like (and keeps me on my toes too…)

[–] SMITHandWESSON@lemmy.world 7 points 1 year ago* (last edited 1 year ago) (1 children)

I send supervisor emails about stuff I'm not gonna do to my spam folder as well.....

"Did you get the email?"

"Nope, sorry, it looked a little suspicious so I didn't open and sent it to spam.."

Basically you created an echo chamber at work where you can only hear what you want to hear.

[–] GBU_28@lemm.ee 3 points 1 year ago

Lol I don't click shit.

[–] ScreamingFirehawk@feddit.uk 1 points 1 year ago

I always just ignore anything that looks dodgy. I can't be bothered to spend the time reporting emails when I get so damn many that are either spam or phishing.

[–] xantoxis@lemmy.world 1 points 1 year ago

No it isn't.

Consider third-party vendor employees who have accounts at your workplace. They don't know what the norms are, or the safe URLs. Half your employees in non-coding roles don't know what the safe URLs are either. There's so much internal SSO mess that just about anything could be a real redirect. Overengineered internal messy networks keep any of this from actually accomplishing its intended purpose of "teaching employees a lesson".

I'm not sure what's worse: that you're teaching them to click on whatever they want because it's impossible to tell the difference, or that you're teaching them to click on nothing, which probably keeps them from doing their jobs.

Stop using email entirely and half of this goes away. Just tell them not to plug in USB drives.

[–] saltnotsugar@lemm.ee 28 points 1 year ago (1 children)

(Opens DOS, frantically types)
“Heh. I was able to SSH right into their jpg with nothing but an Ethernet cable and router grease.”

[–] yokonzo@lemmy.world 16 points 1 year ago* (last edited 1 year ago)

router grease

I don't think that's what you think it is, sir. *carefully hides tissues*

[–] Perfide@reddthat.com 23 points 1 year ago (1 children)

Nah, this isn't cool. Fuck the company, but this will fuck over the users more than anyone.

[–] WereCat@lemmy.world 20 points 1 year ago

If a company does not give a crap about its employees, then it doesn't about its customers either.

[–] aviationeast@lemmy.world 17 points 1 year ago (1 children)

I might care if they paid me a living wage.

[–] hoodatninja@kbin.social 22 points 1 year ago

I’m all for acting your wage, but I don’t want to make victims of anyone who is interacting with my company simply because I was feeling spiteful. The company will be fine, the tons of people who just had their information leaked are the ones who are truly inconvenienced and may face financial repercussions later on when their information is distributed. Just something to consider

[–] teft@startrek.website 13 points 1 year ago (1 children)

A good portion of the movie Hackers was social engineering. That's how Mitnick got into a lot of systems as well. Why search for vulnerabilities in apps when people are much easier to manipulate?

[–] FlaminGoku@reddthat.com 2 points 1 year ago

Loved that movie. That has been a fallback movie for so long now.

[–] azerial@lemmy.dbzer0.com 6 points 1 year ago

I wonder if that's how my old job had 780 GB of source stolen through social engineering.

[–] CADmonkey@lemmy.world 5 points 1 year ago (1 children)

Pay people enough and this is less likely to happen.

[–] noUsernamesLef7@infosec.pub 2 points 1 year ago

As someone in IT who has to deal with executives, I can assure you that high compensation has no correlation with good security practices :(
