Auditors: Stop recommending that "The best way to stop phishing and social engineering is through user education and training". Please, just... stop. You can't train people not to be fooled, you can only build tools that catch them safely when they are.
Replying to @0xMatt
Training will get through to X%. Those are the folk that report phish. Then the team can respond and find the moron that clicked / change their password / remove the message from other inboxen. Not saying adding layers like ProofPoint or some such isn't needed too. Just sayin'
2 replies 1 retweet 19 likes
Replying to @ajcaruso
NO, NO, NO. The person who clicked the link is not a moron. Security people, we have to do better than this. _Everyone_, you included, will be fooled at some point by something. The best security is when we make the outcome of being fooled less consequential.
17 replies 120 retweets 577 likes
Clicking on untrusted links is also a fully supported security boundary. It is totally acceptable to click on any link, and nobody is expected to determine if it's a "trusted link" (I have no idea what that means) first.
13 replies 87 retweets 427 likes
This. I have never understood this obsession with "clicking links". Unless the attacker has a browser exploit (very unlikely in most contexts), what is the danger?
8 replies 0 retweets 16 likes
None of the replies in this thread are talking about the much bigger threat, which is much simpler... getting you to click on my link lets me serve up a fake login page to harvest your credentials. Nothing to do with browser exploits.
1 reply 0 retweets 1 like
Replying to @josh_larsen @ZetaTwo and
There is no supported way to determine where a link takes you without clicking on it, anyone who says "trusted links" has made that term up. After clicking, the contents of the address bar are a supported security indicator, and you can make decisions from that.
2 replies 0 retweets 6 likes
Replying to @taviso @josh_larsen and
I hate this; spoofing address bars with similar-looking strings is perfectly possible even in ASCII which we shouldn't be forcing anyway. Instead: for sites not in your password manager, only type your password if you navigated there yourself.
2 replies 0 retweets 1 like
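The origin-bound autofill that the tweet above relies on, as an added example (not code from anyone in this thread or from any real password manager): a saved login is offered only when the page's exact origin matches the stored one, and a host that merely looks like a saved site is flagged rather than filled. The vault contents, the confusable table and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample vault (not any real product's format): saved logins are
# keyed by the exact origin (scheme, host, port) where the user saved them.
VAULT = {
    ("https", "accounts.google.com", 443): "user@example.com",
    ("https", "github.com", 443): "octocat",
}
DEFAULT_PORTS = {"https": 443, "http": 80}
# Constructed table of ASCII pairs that look alike in an address bar.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("i", "l")]


def origin_of(url):
    """Return the (scheme, host, port) triple the vault is keyed on."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()  # hostname already lowercases; be explicit
    return scheme, host, p.port or DEFAULT_PORTS.get(scheme)


def fold(host):
    """Collapse separators and confusable glyphs so lookalikes compare equal."""
    s = "".join(c for c in host if c.isalnum())
    for a, b in CONFUSABLES:
        s = s.replace(a, b)
    return s


def autofill_decision(url):
    """Return (username or None, reason). Only an exact origin match fills."""
    scheme, host, port = origin_of(url)
    if scheme != "https":
        return None, "refuse: not https"
    if (scheme, host, port) in VAULT:
        return VAULT[(scheme, host, port)], "exact origin match"
    # No exact match: the user could be fooled by the address bar, the
    # comparison cannot, so surface a warning instead of filling.
    if any(label.startswith("xn--") for label in host.split(".")):
        return None, f"warn: {host} is an IDN/punycode host, not a saved site"
    for _, known, _ in VAULT:
        if fold(host) == fold(known):
            return None, f"warn: {host} resembles saved site {known}"
    return None, "no saved login for this origin"
```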
Replying to @ciphergoth @taviso and
Sometimes I'm prompted to type in my Google password after following a link *even if I'm already logged in*. This is always a terrible terrible thing that forces me to adopt insecure habits and we should abolish it everywhere.
1 reply 0 retweets 1 like
Strongly disagree. Please stop stigmatizing people who use browsers as they're intended, it is never wrong to click a link, it's our job to keep that safe.
Replying to @taviso @josh_larsen and
My ire is directed at website designers, not at users! But also, I don't know how to keep a user safe with only a password if they'll type that password into just anything - I want to help, I'm not being blamey, I just don't know how to help!
1 reply 0 retweets 0 likes
Replying to @ciphergoth @taviso and
Obviously secure 2FA really does help, but adoption isn't what we'd like.
0 replies 0 retweets 0 likes