I think it's been really interesting to see how hacking and networked infrastructure has evolved to become a critical part of warfare, but also how it hasn't evolved. Even though the malware may...
I think it's been really interesting to see how hacking and networked infrastructure has evolved to become a critical part of warfare, but also how it hasn't evolved.
Even though the malware may be unique and sophisticated, it's the same old techniques for getting into places in the first place. Send a convincing fake email to 100 people, and probably at least one of them will open the attachment, if not more. We did a phishing test at my job a while ago, and something like 40% of people clicked the link...and we're a technical company.
Agreed, it's really interesting too see that no matter how security protocols & technology has improved over the past decades, it's still the same point of exploitation: humans. Phishing and...
Agreed, it's really interesting too see that no matter how security protocols & technology has improved over the past decades, it's still the same point of exploitation: humans. Phishing and social engineering attacks are one of the top ways to distribute malware now, compared to the old days of network worms, viruses on floppies, and VBS loveletters in your email inbox.
Given how susceptible humans are to phishing and social engineering attacks now, I gotta wonder, with the rise of LLMs and ChatGPT-esque services, will the rate these attacks occur increase? I personally feel we're on the dawn / very beginnings of a malware arms race between AI powered malware attacks and security vendors and human common sense.
I'm sure at least some spam and scam campaigns are utilizing ChatGPT or other services to write up email responses or run chats. I'm sure it's cheaper than paying people to do it. But the most...
I'm sure at least some spam and scam campaigns are utilizing ChatGPT or other services to write up email responses or run chats. I'm sure it's cheaper than paying people to do it.
But the most high value campaigns like this one in Ukraine I think require a human touch - they're usually highly targeted emails, intended to hit specific departments or people. You have to do your research and know the person you're writing in that case.
Even before the internet, WW2 on the allies side was a huge troll network of radio broadcasts, accompanied by an entire fake army of inflatable tanks. Now it is milliseconds instead of days to troll.
Even before the internet, WW2 on the allies side was a huge troll network of radio broadcasts, accompanied by an entire fake army of inflatable tanks. Now it is milliseconds instead of days to troll.
I knew WW2 had some trolling across enemy lines going on, it's where the saying that carrots are good for your eyesight comes from. Though I hadn't heard of the inflatable tanks, it's really...
I knew WW2 had some trolling across enemy lines going on, it's where the saying that carrots are good for your eyesight comes from. Though I hadn't heard of the inflatable tanks, it's really interesting how elaborate it was. Also didn't know that telegraph operators had really distinctive styles, I would have assumed that it was more or less the same no matter who was doing the sending.
“The idea, very simply, was to get a dead body, equip the dead body with false papers, and then drop it somewhere the Germans would find it,” historian Ben Macintyre tells NPR’s Guy Raz. Dead Man...
“The idea, very simply, was to get a dead body, equip the dead body with false papers, and then drop it somewhere the Germans would find it,” historian Ben Macintyre tells NPR’s Guy Raz.
Dead Man Floating: World War II's Oddest Operation
It's a well studied business risk. You can probably advocate internally for considering this more seriously if you have a risk management division/senior leadership role. Alternately, you could...
See, I wish we took this more seriously. If it were up to me, there'd be a 3 strike process to weed out security hazards.
It's a well studied business risk. You can probably advocate internally for considering this more seriously if you have a risk management division/senior leadership role. Alternately, you could put together a light white paper with the research on it. It's not at all unreasonable to leverage engagement like that into responsibility, since good management will reciprocate the effort.
Honestly, I think most companies would be drastically understaffed if they did that, which is why people aren't doing it. Also, phishing tests/training are more about checking a box for cyber...
Honestly, I think most companies would be drastically understaffed if they did that, which is why people aren't doing it. Also, phishing tests/training are more about checking a box for cyber security insurance than anything else in most industries, I think.
The clear and obvious need for more understanding in the public sphere about the necessity of considering digital defenses as a mandatory component of national independence is underlined by things...
The clear and obvious need for more understanding in the public sphere about the necessity of considering digital defenses as a mandatory component of national independence is underlined by things like this. When these weapons are combined with the kind of social confusion that can be generated with mechanical jamming and other more tactical IOT disabling techniques, modern lightning warfare can be heavily amplified by disrupting critical civilian response infrastructure and create flashpoints that delay military deployments/exacerbate difficulties.
I’m actually impressed by the lack of impact cyber attacks have had in this war. Despite over a year of war, we haven’t really seen the often doomsday-ed scenario of rampant industrial sabotage...
I’m actually impressed by the lack of impact cyber attacks have had in this war. Despite over a year of war, we haven’t really seen the often doomsday-ed scenario of rampant industrial sabotage even when Russia had the initiative. Russia even burned a good portion of its valuable precision missile stocks trying to knock out Ukrainian power infrastructure during the winter, so it’s not like they haven’t been trying.
Ukraine has spent the last decade getting hit with whatever Russia could hit them with, in 2014 and 2015 and 2016 and 2017. So, they knew this was coming. My impression is that Russia wasn't...
Ukraine has spent the last decade getting hit with whatever Russia could hit them with, in 2014 and 2015 and 2016 and 2017. So, they knew this was coming. My impression is that Russia wasn't really expecting Ukraine to be as prepared as they were for the invasion, which is kind of funny, because they spent years doing things that told Ukraine exactly what was coming.
I think it's been really interesting to see how hacking and networked infrastructure has evolved to become a critical part of warfare, but also how it hasn't evolved.
Even though the malware may be unique and sophisticated, it's the same old techniques for getting into places in the first place. Send a convincing fake email to 100 people, and probably at least one of them will open the attachment, if not more. We did a phishing test at my job a while ago, and something like 40% of people clicked the link...and we're a technical company.
Agreed, it's really interesting too see that no matter how security protocols & technology has improved over the past decades, it's still the same point of exploitation: humans. Phishing and social engineering attacks are one of the top ways to distribute malware now, compared to the old days of network worms, viruses on floppies, and VBS loveletters in your email inbox.
Given how susceptible humans are to phishing and social engineering attacks now, I gotta wonder, with the rise of LLMs and ChatGPT-esque services, will the rate these attacks occur increase? I personally feel we're on the dawn / very beginnings of a malware arms race between AI powered malware attacks and security vendors and human common sense.
I'm sure at least some spam and scam campaigns are utilizing ChatGPT or other services to write up email responses or run chats. I'm sure it's cheaper than paying people to do it.
But the most high value campaigns like this one in Ukraine I think require a human touch - they're usually highly targeted emails, intended to hit specific departments or people. You have to do your research and know the person you're writing in that case.
Even before the internet, WW2 on the allies side was a huge troll network of radio broadcasts, accompanied by an entire fake army of inflatable tanks. Now it is milliseconds instead of days to troll.
I knew WW2 had some trolling across enemy lines going on, it's where the saying that carrots are good for your eyesight comes from. Though I hadn't heard of the inflatable tanks, it's really interesting how elaborate it was. Also didn't know that telegraph operators had really distinctive styles, I would have assumed that it was more or less the same no matter who was doing the sending.
“The idea, very simply, was to get a dead body, equip the dead body with false papers, and then drop it somewhere the Germans would find it,” historian Ben Macintyre tells NPR’s Guy Raz.
Dead Man Floating: World War II's Oddest Operation
https://www.npr.org/2010/06/12/127742365/dead-man-floating-world-war-iis-oddest-operation
So crazy
It's a well studied business risk. You can probably advocate internally for considering this more seriously if you have a risk management division/senior leadership role. Alternately, you could put together a light white paper with the research on it. It's not at all unreasonable to leverage engagement like that into responsibility, since good management will reciprocate the effort.
Honestly, I think most companies would be drastically understaffed if they did that, which is why people aren't doing it. Also, phishing tests/training are more about checking a box for cyber security insurance than anything else in most industries, I think.
The clear and obvious need for more understanding in the public sphere about the necessity of considering digital defenses as a mandatory component of national independence is underlined by things like this. When these weapons are combined with the kind of social confusion that can be generated with mechanical jamming and other more tactical IOT disabling techniques, modern lightning warfare can be heavily amplified by disrupting critical civilian response infrastructure and create flashpoints that delay military deployments/exacerbate difficulties.
I’m actually impressed by the lack of impact cyber attacks have had in this war. Despite over a year of war, we haven’t really seen the often doomsday-ed scenario of rampant industrial sabotage even when Russia had the initiative. Russia even burned a good portion of its valuable precision missile stocks trying to knock out Ukrainian power infrastructure during the winter, so it’s not like they haven’t been trying.
Ukraine has spent the last decade getting hit with whatever Russia could hit them with, in 2014 and 2015 and 2016 and 2017. So, they knew this was coming. My impression is that Russia wasn't really expecting Ukraine to be as prepared as they were for the invasion, which is kind of funny, because they spent years doing things that told Ukraine exactly what was coming.
Haha, file names are like "video_porn.rtf.lnk, do_not_delete.rtf.lnk, and evidence.rtf.lnk". Those would get some clicks for sure.