PhishMe Blog

Archive for November, 2007

Phishing joins the SANS Top 20

Thursday, November 29th, 2007

Phishing is now recognized as a 2007 SANS Top 20 risk, and rightly so. What I was even more excited to see is SANS calling out the countermeasure correctly. They didn’t recommend deploying millions of dollars worth of technology to “catch” phishing attacks, but said “user awareness is a key defense. The most promising method of stopping spear phishing is continuous periodic awareness training for all users; this may even involve mock phishing attempts to test awareness”. As I said in a previous blog post, we are in total agreement with SANS on the efficacy of this countermeasure. In fact we are so in agreement that we have developed a solution (www.phishme.com) to do exactly that – run mock phishing attacks to test and measure employee awareness.

Now for the gimmicks. Qualys just made an interesting announcement – “Free security scan available for the new SANS Top 20”. I wonder how they are going to scan for phishing vulnerabilities.

 - Rohyt

Owning Rails 2.0 Cookies at OWASP: Part II

Monday, November 19th, 2007

Post moved here: http://intrepidusgroup.com/insight/2007/11/owning-rails-20-cookies-at-owasp-part-ii/

Owning Rails 2.0 Cookies at OWASP

Wednesday, November 14th, 2007

Post moved here: http://intrepidusgroup.com/insight/2007/11/owning-rails-20-cookies-at-owasp/

Phishme Update

Monday, November 12th, 2007

The development of our phishing attack emulation service, to be hosted at www.phishme.com, is on target for a February 2008 release. We are in the midst of alpha testing at this time and hope to be ready for beta in January 2008. At that time, we will be opening up the service for free evaluation. If you are interested in being notified (via email) when the evaluation accounts become available please sign up at http://phishme.com/signup.php (we will not phish you :) ).

- The Phisherman

Google? Android? Open Handsets? Security nightmare

Tuesday, November 6th, 2007

We might finally have some decent mobile viruses to worry about.

Why is it that McAfee’s VirusScan Mobile is only for Windows Mobile 5 and 6? Simply put, it’s because that platform gives the end-user enough rope to hang themselves. Users can grab a .CAB file of the brick breaker game from only god knows where and install it themselves through ActiveSync.

Surely tech-savvy users don’t just install any hackware from untrusted sources, right? If you believe that then you haven’t spent much time on http://www.howardforums.com/ or http://www.mobile-files.com/forum/ where, every day, technophiles repackage and swap DLLs and other tasty bits from one carrier’s phone to another. Users don’t care about running untrusted code. To them, it’s just an annoying split second while they click away the nag window so they can dive into Justin Timberlake-screensaver-ring-tone wallpaper bliss.

It goes beyond running untrusted code from untrusted sources. Users will replace entire operating systems through unofficial channels:
Windows Mobile 6 for the XV6700: www.downloadsquad.com

If you step outside of your tech circle for a moment you’ll notice that most of your friends and family (you know, the people that will be watching football over Thanksgiving while you’re fixing their computers) don’t have Windows Mobile, RIM, or Palm phones. If they have a typical Verizon phone then they follow a path like this to get applications:
Developers create and sign BREW code; that code is then tested and certified via Qualcomm’s NSTL site: https://www.nstl.com/brew/ . Ultimately the wireless carrier decides which applications it puts in its catalog (usually after testing them itself).

Some see this path as a way to lock the user into the carrier’s applications. Another way to look at it is that the carrier is certifying that code for your phone. Given that the wrong code can put your handset into a chronic state of reboot, permanently ruining the device, I can see why carriers like to keep tabs on what users load on the phone.

The masses are crying about an open iPhone API. I’m sure they’ll get the open API, along with everything else that comes with it.
If you look at any of the press surrounding Android, the mantra is clearly openness and convenience. Openness and convenience; security’s best friend? <borat> NOT! </borat>

-higB