On this episode of PVCSec, Ed & Paul talk why we make security difficult, attack attribution, mobile access, Tactical Edge, and more!
Welcome to episode 74 of the PVC Security Podcast. This week, Paul duets with the Silver Fox himself, Ed Rojas. The rest of the cast are off on adventures, we presume.
Making InfoSec Hard
Password complexity rules still suck (for your own good, allegedly)
Sites are still breaking password managers (making it hard for people to do good)
HTTPS remains hard (except it’s not)
Crazy password advice (and censoring critics)
Security is often mixed, crazy messaging (and uncoordinated, too)
Because security is just pointless (not really)
Paul’s story: A large international corporation I know does the typical phishing testing in their organization. Quarter after quarter the number of employees who were tricked into clicking on the testing email links fell, showing the program was working.
All of a sudden the number shoots up. No one can explain it, but the numbers start dropping again.
Then it shoots back up again.
Baffled, the security VP sent the team to interview the employees who clicked on the fake email links. All reported back the same thing: there were mass emails sent to employees from HR and benefits outsourcers right before the phishing emails went out. The outsourcers’ used their own URLs, not the corporation’s URLs, in their emails.
Oh, and the phishing emails looked MORE professional than the legitimate ones.
Does Attack Attribution Matter?
Paul’s take: NO! Unless you’re a security researcher, it’s not actionable data!
Wifi on the Road
Eye of the Tiger by Survivor
We are the Champions by Queen