----------------------------------------
> Subject: Re: SA and Spear Phishing
> From: guent...@rudersport.de
> To: users@spamassassin.apache.org
> Date: Sat, 19 Mar 2011 02:02:35 +0100
>
> (a) Never hand out your password. Less so in mail. No administrator ever
> will ask for the user's password.
> The same applies to any sensitive, personal information. Before
> handing it out, make sure this is legitimate [1], and you're not
> using an insecure medium (which mail is).
>
> (b) Be conscious about where to send any information. Account details
> never should be sent off-site.
>
> The basic rules against spear phishing, or actually any phishing.
>
> Even if (b) doesn't hold due to a cracked account, (a) still does.
I highly regard your input. I think we have always been yelling that our users are stupid and blah, and the reality still shows that users (whom we hope to be educated) are still the weakest element in the security chain. Some people still focus on user training programmes (such as the (a) and (b) points you have listed). However, a number of other people focus on enhancing the software to build better solutions for the dear stupid clients.

As an engineer, I would make my life easier, with less work, if I simply blamed the end user for his stupidity (which makes sense from some perspective). However, from the perspective of safety, we know that there are traps and problems that will happen and things will go unplanned, which is why we need to take some actions in advance, for similar reasons to why we have fire fighting systems to solve human mistakes should they start a fire accidentally. Or my motherboard shutting down my laptop should it heat way beyond the limits, just in case I wasn't educated enough to take the correct actions to fix the fans, heat sink, paste, etc.

In my view, if we look at engineers, I see contradicting opinions (some are pro-human-training, some are pro-software-enhancing). But, if we look at the reality, we will see that we are adapting to how the vast majority of humans are deciding to interact with technology. Example? Look at Firefox v2, or IE v6: they all replaced their little pop-up warnings for invalid X.509 certs for HTTPS with another alternative approach. The new alternative approach is blocking the WHOLE user interface, with a BIG SCARY RED background, with only a little button to bypass the security warning. Why? Users didn't bother reading the warnings *shrug*; we told them to read and it didn't work, so we thought let's make it more obvious. The reality in my view is that we are enhancing the user interface for the dear fellow stupids -- thanks to them (e.g. my CEO), my pay checks (at least mine) are paid by them!
Now, do you think that the reality is also moving toward enhancing the knowledge of users? I personally haven't seen anything serious in user-awareness programmes. Most companies ignore it, while it's almost semi-impossible to see a mail server without a software anti-bad_stuff filter as a front-end. What I have observed is improvements on the software side, but I haven't seen improvements on the human-training side; did you observe such a thing? And were they evaluated?

> Yes, these are inherently harder to catch by filters. But still, well
> trained and educated users can stop them dead.

There is a survey [1] with hand-made spear-like phish mail (which is not real spear from the real internet, but rather tailored by the authors), and it showed that user training has a TP that is 74%, with FP being no less than ~26%, and in some cases +50%.

[1] http://lorrie.cranor.org/pubs/pap1162-sheng.pdf

ps: I'm using hotmail's web interface to send my stuff; it says it's text/plain, and things look compatible with old-school inet manners. Lemme know if my mails are still awkward, so that I'll use another freemail (too afraid to show my personally identifiable information -- PII).