Auditors: Stop recommending that "The best way to stop phishing and social engineering is through user education and training". Please, just... stop. You can't train people not to be fooled, you can only build tools that catch them safely when they are.
Replying to @0xMatt
Training will get through to X%. Those are the folk that report phish. Then the team can respond and find the moron that clicked / change their password / remove the message from other inboxen. Not saying adding layers like ProofPoint or some such isn't needed too. Just sayin'
2 replies 1 retweet 19 likes
Replying to @ajcaruso
NO, NO, NO. The person who clicked the link is not a moron. Security people, we have to do better than this. _Everyone_, you included, will be fooled at some point by something. The best security is when we make the outcome of being fooled less consequential.
17 replies 120 retweets 577 likes
Clicking on untrusted links is also a fully supported security boundary. It is totally acceptable to click on any link, and nobody is expected to determine if it's a "trusted link" (I have no idea what that means) first.
13 replies 87 retweets 427 likes
This. I have never understood this obsession with "clicking links". Unless the attacker has a browser exploit (very unlikely in most contexts), what is the danger?
8 replies 0 retweets 16 likes
None of the replies in this thread are talking about the much bigger threat, which is much simpler... getting you to click on my link lets me serve up a fake login page to harvest your credentials. Nothing to do with browser exploits.
1 reply 0 retweets 1 like
Replying to @josh_larsen @ZetaTwo and
There is no supported way to determine where a link takes you without clicking on it; anyone who says "trusted links" has made that term up. After clicking, the contents of the address bar are a supported security indicator, and you can make decisions from that.
2 replies 0 retweets 6 likes
Replying to @taviso @josh_larsen and
I hate this; spoofing address bars with similar-looking strings is perfectly possible even in ASCII which we shouldn't be forcing anyway. Instead: for sites not in your password manager, only type your password if you navigated there yourself.
2 replies 0 retweets 1 like
The point is, social engineering exists, but not because people click links. Your advice is just as flawed, typosquatting is a real thing. We have real solutions to this problem, like Webauthn, and it does not and cannot involve "trusted links".
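The WebAuthn point above, as an added illustration that is not part of the thread: the browser, not the page, writes the page's origin into clientDataJSON, and the authenticator only signs for credentials scoped to an RP ID that is a registrable suffix of that origin. A look-alike domain therefore never gets a usable assertion, and the user never has to judge whether a link is "trusted" before clicking it. The code below is a constructed toy model (names, the HMAC stand-in for the real public-key signature, and the simplified authenticatorData layout are all assumptions, not the spec or any library's API).

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Constructed example: the relying party (RP) the user actually has an account with.
RP_ID = "example.com"
RP_ORIGIN = "https://example.com"


def rp_id_hash(rp_id: str) -> bytes:
    """First 32 bytes of authenticatorData: SHA-256 of the RP ID."""
    return hashlib.sha256(rp_id.encode()).digest()


class ToyAuthenticator:
    """Stand-in authenticator. Credentials are scoped to an RP ID; an HMAC over
    authenticatorData || SHA-256(clientDataJSON) stands in for the real
    public-key signature (constructed simplification, not the spec's format)."""

    def __init__(self):
        self.credentials = {}  # rp_id -> secret key (stand-in for the private key)

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.credentials[rp_id] = key
        return key  # in this toy the RP stores this as the credential's verification key

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        key = self.credentials.get(rp_id)
        if key is None:
            return None  # no credential scoped to this RP ID: nothing to sign
        # rpIdHash || flags (UP|UV) || 4-byte sign counter (simplified layout)
        auth_data = rp_id_hash(rp_id) + b"\x05" + (1).to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(key, signed, hashlib.sha256).digest()


def browser_get(authenticator, page_origin: str, requested_rp_id: str, challenge: str):
    """The browser writes the page's origin into clientDataJSON itself and
    refuses RP IDs that are not a registrable suffix of the page's host."""
    host = urlparse(page_origin).hostname
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        return "browser refused: rpId not valid for this origin"
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    result = authenticator.get_assertion(requested_rp_id, client_data)
    if result is None:
        return "authenticator: no credential for this rpId"
    auth_data, sig = result
    return client_data, auth_data, sig


def rp_verify(stored_key: bytes, challenge: str, client_data: bytes,
              auth_data: bytes, sig: bytes) -> str:
    """Relying-party checks: type, challenge, origin, rpIdHash, then signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "rejected: wrong type"
    if cd.get("challenge") != challenge:
        return "rejected: challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return f"rejected: origin {cd.get('origin')!r} is not {RP_ORIGIN!r}"
    if auth_data[:32] != rp_id_hash(RP_ID):
        return "rejected: rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(stored_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "rejected: bad signature"
    return "accepted"


def login_attempt(page_origin: str, requested_rp_id: str = None) -> str:
    """End to end: the user is on page_origin and the page asks for an assertion."""
    auth = ToyAuthenticator()
    stored_key = auth.register(RP_ID)  # prior registration with the real site
    challenge = secrets.token_urlsafe(32)
    if requested_rp_id is None:
        requested_rp_id = urlparse(page_origin).hostname  # default rpId: page's own domain
    result = browser_get(auth, page_origin, requested_rp_id, challenge)
    if isinstance(result, str):
        return result
    return rp_verify(stored_key, challenge, *result)


def relayed_attempt() -> str:
    """Defence in depth: even if a broken client signed with the real RP ID while
    on the look-alike page, clientDataJSON still carries that page's origin."""
    auth = ToyAuthenticator()
    stored_key = auth.register(RP_ID)
    challenge = secrets.token_urlsafe(32)
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": "https://examp1e.com"},
        separators=(",", ":"),
    ).encode()
    auth_data, sig = auth.get_assertion(RP_ID, client_data)
    return rp_verify(stored_key, challenge, client_data, auth_data, sig)


if __name__ == "__main__":
    print(login_attempt("https://example.com"))                 # accepted
    print(login_attempt("https://examp1e.com"))                 # no credential for this rpId
    print(login_attempt("https://examp1e.com", "example.com"))  # browser refused
    print(relayed_attempt())                                    # rejected: origin mismatch
```

The three failing paths are the point: the look-alike domain gets no credential by default, cannot ask for the real RP ID, and even a relayed assertion fails the RP's origin check. None of those outcomes depends on the user having judged the link beforehand; contrast this with a password, which the fake login page in the thread collects the moment it is typed.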
Replying to @taviso @josh_larsen and
Right, my advice shuts down only one avenue of attack. What I really want is a secure in-browser password protocol with spoof-resistant UI. That way the only rule I have to worry about is "only type your Google password into the special UI".
0 replies 0 retweets 0 likes