A few months ago I got an email from the IT center of the company I work for that was dodgier than any phishing email I have ever received:
- Coming from a domain that looks nothing like the official domain of the company, rather some generic @itservice.com or something.
- Subject: "URGENT: your account is expiring soon".
- Multiple links provided in the email body, all illegible and multiple lines long, none of them from a domain that I can immediately link to the company.
- No alternative way of resolving the issue is provided other than clicking on one of those links (no "go to your account settings", "contact your line manager" or so).
And still, it turns out it was real.
~100k employee company btw
Our IT did the exact same thing with expiring m365 passwords. They weren’t using the corp domain, typos all over and the URL was obscured using a bizarre link shortener.
The same guys also force us to change our passwords every 6 months and block the last twenty. Passwords that we have to enter in systems that can’t pull directly from password managers, and thus have to type 10-20 times per day. Guess the average strength of an employee password!
I think IT incompetence should lead to audit fails or even better delisting from exchanges.
Is blocking the last 20 passwords a bad thing? I agree the other stuff is bad, but to me, that part doesn't seem bad.
Forced password updates are a bad thing.
If your company does forced password updates, they are not following the NIST recommendation: https://pages.nist.gov/800-63-FAQ/#q-b05
If your company is not following the NIST recommendation, they are incompetent, and will be held liable in case of a breach.
If your company is not following the NIST recommendation, they are incompetent, and will be held liable in case of a breach
This is a stretch. Liable? Please show the case law, or the legislation.
(My statement has no relevance to the validity of NIST's recommendations)
Not directly. However, NIST is admissible in court, and so if someone sues there is now evidence that they should have known better.
Anything is admissible in court, the judge merely has to allow it.
There are 1000s of such organizations, and many conflict with each other.
My point is, it's inaccurate to say you are liable for not following NIST. I could easily say you could be liable, for not following me.
Does that make it so? No.
The company I work for had a ransomware issue, so they got more zealous about security.
They require us to change our passwords every 45 days now. When I pointed out the NIST recommendations of not rotating passwords, they say they are following the guidance of the response team that helped them recover from the ransomware. And that the NIST doesn't actually deal with the real world.
Internal password resets are a bad thing. It has its place in document sharing/collaboration platforms not connected to AD as an additional layer of revoking access when people leave a company.
In combination with forced changes, it leads to…
Password1
Password2
Password3
Etc
The one I see that stays updatable is:
PasswordFebruary2024!
Where month and year update on the date of forced password change.
Oh, that's a good one. <runs off to update corporate logins>
I'm closing in on password100... It is the only sane thing to do, a good password is hard to memorize. (passphrases are much better, but hard to type correctly first thing in the morning and take too long when I need to type my password a dozen times a day)
ITYM
hunter3
hunter4
hunter5
It leads to less security as it is more likely that the new password will just be an old one with an incremented number at the end.
The worst part is it actually leads users to boasting about how they "beat the system", essentially telling their coworkers what their pattern is, making the password easier to guess.
And unless there is a minimum password age some people will just change it 20 times and then back to the same password.
Myself and most people keep our login passwords written on paper in our desk because of this stupid practice. Can't use previous passwords and new password every 90 days. This is on top of 2FA.
I mean it's great for 99% of your passwords and pretty much forces people into using randomized generated passwords.. but I still have to remember at least ONE password by heart. Whether it's 32 characters or 16 or what not, I still need SOME way to get into my password manager to even get to my passwords. So what, I'm going to make my password tacokissies69 and.. what, add a 0 every 6 months so I pass the 20 password minimum?
So a hacker can infer that my password is tacokissies69000 of some sort..
Even if this rule technically seems benign, together with the forced change it encourages users to game the system leading to predictable patterns, eg adding a rotating letter or digit combo at the end of a same password.
I forget who puts that stuff out, NIST/STIG(?), but IIRC in the recent few years they determined that rotating passwords like that was basically security theater and wasn't worth the damage to the staff's productivity
NIST, whose guidelines, somehow, even other federal departments and agencies usually don’t follow.
NIST has very good password complexity and management guidelines. Just USE THEM! It’s not that hard!
How do you have billion dollar companies that can’t RTFM.
NIST, whose guidelines are admissible in court and a competent judge will take over expert testimony. (an expert witness who says something that contradicts these guidelines is guilty of perjury, though good luck prosecuting that)
Perjury is lying under oath, not disagreeing with government guidelines.
On one hand, I agree that just disagreeing with a guideline isn’t perjury. Especially in a case like this where lots of the industry still uses the old (bad, imo) plan.
On the other, an expert witness has specifically represented themselves to be an expert. Is there any level of incompetence that raises to the level of perjury in that case? IMO there ought to be.
That would be argued in cross-examination. A witness can be shown to be not a good witness. Perjury is very specific to knowingly lying while testifying under oath. We really don't want to expand it to areas of ignorance or disagreement; that way would stop people from testifying entirely.
An expert is someone who claims to know though, and thus if they say something that contradicts established facts they are lying under oath.
This is not even near the truth. An expert (under Daubert) is someone who convinces the court they can say something relevant and reliable based on a technique that passes a test concerning:
- Whether the technique or theory in question can be, and has been tested;
- Whether it has been subjected to publication and peer review;
- Its known or potential error rate;
- The existence and maintenance of standards controlling its operation; and
- Whether it has attracted widespread acceptance within a relevant scientific community.
The expert does not “know.” The expert is the only witness who can give an opinion, more or less. Because the opinion is backed up by something, the court considers it useful.
The technique they use is what’s important, not whether their opinion contradicts a fact. I think you will find in many expert trials, two experts get the same facts and come to two completely contradictory opinions, neither of which is perjury.
The rules of evidence govern what is admissible in court and I don’t recall any rule pertaining to NIST guidelines. I think what you might mean is that the guidelines are a learned treatise which, while it would be hearsay for me or you to quote as a fact witness, is nevertheless something an expert witness can refer to.
Are there any examples of the former that you know of? Or is this just optimism?
They decided it was useless security theater decades ago. What happened recently is that they discovered that the rule they used to actively push causes severe harm to security.
Now there's a positive rule about not doing it.
Yeah when I was a shipping clerk, we had a pile of usernames and passwords for the Census Bureau's Automated Export System on sticky notes next to the shared computer because the password rotation and complexity requirements made it impossible to remember our passwords.
Oh, there are many fun games from the 90's where you must infiltrate some place and every computer has some version of "due to the password rotation requirements, this week's password for the South-East door is 1-2-3-4, effective from Monday" pasted into it.
When the NIST added the bad rule into their ruleset (it was mostly a collection of bad rules at the time), it was already widely mocked in popular culture (well, within the target population).
I now wonder if that ruleset (the original one, that basically mandated you copy every flaw on Windows NT) was honest.
"Come to think of it, it's about time to replay Deus Ex again..."
NIST, but they required password rotation up until very recently, against their own advice.
The lack of use of a non-corp domain, the typos and the use of shortened links does sound like a form of incompetence, probably at the management layer.
However, the password rotation requirement was until relatively recently something that many IT auditors would actually recommend, even though it leads directly to bad user password choices. In fact I wouldn't be at all surprised to learn that was still the case in a lot of places.
It is. I work as an IT tech at a military defense contractor and they require regularly recycling passwords, with a decent number of passwords remembered. They at least have complexity requirements applied so not 100% bad, but still archaic
Heh. I just increased a number in my password for my passwords. Then just repeat. So “CompanyName[00]” meets almost all complexity requirements and all I have to do is increment the numbers.
Note: I only do this when I have these requirements and I can’t use a password manager.
Sounds like a certain BOFH story... have you ever thought about just adding another "s" to the end of your password instead?
The same NIST document (800-63) that recommends against password expiration also recommends against complexity requirements, instead organizations are supposed to develop a list of bad passwords that would likely be used in an external dictionary attack.
People understandably get really fired up by the idea of not having to change their password every 90 days, but forget that the guidelines are a package that contains a lot of "shall"s (no password expiration is a mere "should") that would be more painful for organizations stuck with a lot of legacy software, like the requirement to use two authentication factors and the use of secure authentication protocols.
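As an added illustration (not code from any commenter), here is a small Python check in the spirit of the 800-63 package described above and the Password1/Password2 pattern earlier in the thread: a length floor and ceiling plus a blocklist lookup instead of composition rules, with a comparison against the previous password. The blocklist contents and the stem/suffix heuristic are constructed for the example, not taken from NIST; the `legacy_policy_accepts` function is the composition-rule policy it contrasts with.

```python
from __future__ import annotations
import re

# Constructed stand-in for the "bad password" list 800-63B asks for
# (commonly used, expected, or previously breached values). A real
# deployment would load a large breach-derived list here.
BLOCKLIST = {"password", "hunter2", "qwerty123", "letmein", "welcome1"}

MIN_LENGTH = 8   # 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64  # 800-63B requires accepting at least 64 characters

_MONTHS = ("january|february|march|april|may|june|july|august|"
           "september|october|november|december")
# Trailing "counter" shapes that rotation policies push users toward:
# Password3, ReallyLongP@assword$02, PasswordFebruary2024!, hunter4
_SUFFIX_RE = re.compile(
    rf"^(?P<stem>.*?)(?P<suffix>(?:{_MONTHS})?\d{{0,4}}[!@#$%^&*]?)$",
    re.IGNORECASE,
)


def split_counter(password: str) -> tuple[str, str]:
    """Split a password into its stem and a trailing month/number/symbol suffix."""
    m = _SUFFIX_RE.match(password)
    return m.group("stem"), m.group("suffix")


def is_trivial_variant(candidate: str, previous: str) -> bool:
    """True when the new value is the old one with only the trailing counter changed."""
    new_stem, _ = split_counter(candidate)
    old_stem, _ = split_counter(previous)
    return new_stem.lower() == old_stem.lower()


def legacy_policy_accepts(candidate: str) -> bool:
    """The composition-rule policy 800-63B argues against: 8+ chars with
    upper, lower, digit and symbol. It accepts Password1! and rejects a
    long all-lowercase passphrase."""
    return (len(candidate) >= 8
            and re.search(r"[A-Z]", candidate) is not None
            and re.search(r"[a-z]", candidate) is not None
            and re.search(r"\d", candidate) is not None
            and re.search(r"[^A-Za-z0-9]", candidate) is not None)


def check_password(candidate: str, previous: str | None = None) -> list[str]:
    """800-63B-style check: length bounds and a blocklist lookup, no
    composition rules. The stem lookup and the previous-password comparison
    are additions beyond the NIST text, aimed at the Password1/Password2
    pattern. Returns an empty list when the candidate is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if len(candidate) > MAX_LENGTH:
        problems.append("too_long")
    stem, _ = split_counter(candidate)
    if candidate.lower() in BLOCKLIST or stem.lower() in BLOCKLIST:
        problems.append("blocklisted")
    if previous is not None and is_trivial_variant(candidate, previous):
        problems.append("trivial_variant_of_previous")
    return problems


if __name__ == "__main__":
    for new, old in [("Password3", "Password2"),
                     ("PasswordFebruary2024!", "PasswordJanuary2024!"),
                     ("correct horse battery staple", None)]:
        print(new, check_password(new, old), "legacy:", legacy_policy_accepts(new))
```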
Fortunately NIST has specific advice that recommends against that which is admissible in court (in the US). I'm not sure how to work through the bureaucracy to do this, but your company should sue them in court for incompetence to get their money back.
Two then-current NIST standards (62 and 71?) side by side gave contradictory advice. It is a step forward though for sure.
I've seen multiple accounts from IT/security people who discovered something like "this could get the company in legal trouble" with links to details was exactly what got an otherwise intractable issue resolved.
Yeah, define recently.
Yep. That leads directly to passwords like:
ReallyLongP@assword$01, ReallyLongP@assword$02, ReallyLongP@assword$03, and so on.
Same problem here. My solution: Get a mouse with internal memory for macros, such as Natec Genesis GX78 (old, no longer available, but this is an example). Program your new password on one of the unused mouse buttons or in a different profile. Use the mouse to type the password.
Might be a good product to app-ify. Maybe a USB dongle that acts like a keyboard and controlled by your phone. Give it some sort of 1Password / Bitwarden integration.
Could make it double as a YubiKey.
Surely this exists already?
Yubikey supports this already, but without the phone part.
Does it require installing 3rd party software on the host machine? This might not work great for this kind of "shadow IT" application in all environments, whereas one that acts as a USB keyboard might be more versatile.
Only to configure it. It presents as a USB keyboard (among other device types).
Does it require installing 3rd party software on the host machine?
No, it identifies as a keyboard. It also defaults to generating a password that will use the same scancodes on (most?) western keyboard layouts so that computers configured to default to e.g. QWERTZ or AZERTY will still result in the same password.
I should do this for ssh password entry. Running ssh-agent is still 90% of the story, but it comes up often enough that I'm on a terminal in a remote machine or inside a screen session or something that it would still be awfully useful to be able to just autotype it.
Separately from the password aspect, consider how convenient it may be to use your smartphone as a kind of re-reified "clipboard": Use the camera and on-device OCR to copy text, then "paste" it as a virtual keyboard connected over USB.
It's very niche, but in those rare situations it'll be a big time-saver compared to human transcription or the rigamarole of setting up some other kind of data channel.
Yubikeys can do this.
It can, and I tried this, but in practice we have to change our passwords at my current employer so frequently that I got more irked changing it on the Yubikey (not the least hassle-free of processes, as I couldn't install the Yubikey software on the work machine) than just typing the thing.
Fear of policy is why you get things like "force us to change our passwords every 6 months and block the last twenty". Getting a central arbiter of IT competence is a hard problem.
It's good we have 26 letters, that comfortably leaves you a margin of 6 combinations :-)
The Walt Disney Company did exactly this when I was there, and everyone dreaded it. Did nothing but waste time.
While I know this may be fruitless, it might be worthwhile to point out to them that the official guidance from NIST and similar organizations is now not to do this.
The IT department where I work required yearly password changes up until I brought this change to their attention, at which point they changed to simply recommending a password change if you have reason to believe it might have been compromised.
I had a similar experience at an old company that used M365. YMMV but with Bitwarden I generate passphrases like Pregnant-Guppy-Skateboard9 and it made it tons easier for me to type 20x a day than &7UoTod#$7OOD
My work password now has an "18" embedded somewhere in the middle of it thanks to my autoincrement approach to handling that kind of obnoxious policy.
Then I became CTO and retired the policy to align to modern NIST recommendations, so that "18" is in there forever :)
I've noticed that Microsoft themselves aren't helping this right now. M365 seems to default to using random-tenant-guid.onmicrosoft.com for a lot of these transactional emails like password changes even though the official account.microsoft.com is fully multi-tenant aware and most Microsoft guidance tells you to always go directly to account.microsoft.com. These transactional email mistakes seem like another case of Microsoft accidentally exposing problems in their org chart to external customers. I imagine it has something to do with the wild rewrites from old Azure AD to new "exciting brand" Entra ID and other such shenanigans combined with Microsoft's willingness to bend over backwards to bad IT administrators and letting them set bad defaults (such as "just use the .onmicrosoft.com GUID instead of a real domain"), because companies love to pay them good money for the "control" to do stupid things in Group Policies and corporate configuration.
Combined with the fact that the largest single source of spam I'm seeing right now is also coming from random tenant GUIDs .onmicrosoft.com (is Azure really missing that much SMTP security for random M365 tenants?) and this sort of corporate anti-training users to follow bad transactional email links, it certainly feels like we are in a perfect storm of M365 phishing.
Healthcare companies in the US send the most scammy looking links for payment processing you’ve ever seen - things like my-healthcare-billing.net
It’s insane.
I’m supposed to pay my semi-annual property taxes (on the order of ~thousands of USD) on a site that ends in .org instead of .gov, and nobody apparently sees anything weird or wrong with it.
Now that I think of it, I'm not sure I've ever seen a government payment site hosted on .gov; usually .com.
You can tell it's legit if they charge you $2 extra for a credit card instead of a bank transfer lol
Most have gone that way, but a few were still letting you put your entire property tax on credit card with no fee whatsoever as recently as last year.
Woohoo free miles! Sometimes the fee is so low that even when they do charge it, it's worth using the credit card.
id.me
Still can't believe it
Best hope the government of Macedonia remains friendly I guess
*Montenegro
Some places in the US outsource not only payment processing, but the entire tax collection process to the private sector. I've heard stories of people living in Pennsylvania who have gone years without filing their local tax return because they thought the tax form was spam. Nope, that sketchy looking mail from some random business, with the .com address is the legally designated tax collector.
Yeah I got a text from one of these a couple years ago. Something like. “You have an overdue doctor bill of $183.56, please kindly pay immediately at this link: http://my-doctorpay.net/defintelylegit123. Thx!” Didn’t even include the name of the doctor or office, but after calling the only doctors office I had used recently it was apparently legit. I let them know whatever company handles their billing is completely incompetent.
What incentive do they have to change it? People will still click and still pay, and if they don’t, they’ll refer it to collections and ruin their credit. As long as the billing office gets the money, in their view, the bar for “competence” is passed.
This is something that only people like us can see. The rest of the world doesn’t care about the problem, and even if they did, they have zero incentive to fix it.
Healthcare has one of the lowest payment collection rates of any consumer industry. And as of a couple years ago, medical debt under $500 can no longer go on your credit report even after going to collections. States have passed even more consumer-friendly versions of this law, like NY where no amount of medical debt can affect your credit score.
So actually medical billers are directly hurting themselves with their incompetence in this and many other departments.
The US healthcare billing model’s total lack of authentication and disconnection from point of service means that it’s broadly plausible you do owe some random provider money at any time up to several years after your last doctor visit.
Send someone an official looking piece of paper telling them they received $394 worth of in office medical laboratory service from Tristate Medical Partners Inc in August last year, that insurance paid $374 and that they just owe you a $20 copay, and I think a lot of people will just go to the online bill pay site and hand over the money.
Let's not forget all the typosquatting-looking domains Microsoft uses. It almost seems like they bought them up to protect users, forgot why they did that and said "hey we have all these domains, let's use those?"
Do you have any examples? I'm largely out of the Microsoft ecosystem these days, aside from the occasional Xbox usage.
Office.com redirects you to login.microsoftonline.com which isn't horribly bad, but is starting to get there. Now you have microsoft365.com and friends, too.
At least when things were login.microsoft.com you could apply the "last part is definitive" now that heuristic is pretty useless. And if you watch the actual DNS requests during a login, whew.
CDNs make it even worse, here's a few VALID requests from my DNS cache:
store-images.s-microsoft.com-c.edgekey.net
www.msftconnecttest.com
123499-ipv4v6.farm.dprodmgd103.aa-rt.sharepoint.com
download.windowsupdate.com.edgesuite.net
At least some end in apparently legitimate domains, but sheesh, that last one looks like something straight out of 2000s era scams.
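As an added example (not from the commenter), the "last part is definitive" heuristic above, written down as code: reduce a hostname to its registrable domain (eTLD+1), check that against an allowlist of known-good zones, and flag brand names that appear only in the subdomain part, which is what makes the edgekey/edgesuite names above look like 2000s-era scams. The public-suffix subset, the allowlist and the brand list are constructed for the example; a real triage tool would use the full Public Suffix List.

```python
from __future__ import annotations

# Constructed subset of the Public Suffix List (publicsuffix.org); the real
# list has thousands of entries, this only covers what the examples need.
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "co.uk"}

# Constructed allowlist of registrable zones an organization has decided
# to treat as Microsoft-operated or Microsoft-contracted (CDNs included).
ALLOWLIST = {"microsoft.com", "microsoftonline.com", "sharepoint.com",
             "msftconnecttest.com", "edgekey.net", "edgesuite.net"}

# Brand labels that are suspicious when they sit outside the registrable domain.
BRANDS = ("microsoft", "sharepoint", "windowsupdate", "office")


def registrable_domain(hostname: str) -> str:
    """Return the eTLD+1 of a hostname using PUBLIC_SUFFIXES.

    Scans from the left so the longest matching public suffix wins
    (a.b.co.uk -> b.co.uk, not co.uk). Raises ValueError for a bare
    public suffix or a suffix not in the (constructed) list."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"bare public suffix: {hostname}")
            return ".".join(labels[i - 1:])
    raise ValueError(f"unknown public suffix: {hostname}")


def brand_labels_outside_registrable(hostname: str, brands=BRANDS) -> list[str]:
    """Brand names that appear in the part of the hostname the registrant
    of the registrable domain controls freely (the subdomain labels)."""
    host = hostname.lower().rstrip(".")
    reg = registrable_domain(host)
    head = host[: len(host) - len(reg)].rstrip(".")
    return sorted(b for b in brands if b in head)


def triage(hostname: str, allowlist=ALLOWLIST, brands=BRANDS) -> dict:
    """Summarize what a reviewer of DNS-cache or mail-gateway logs would
    want to know: which zone actually terminates the name, whether that
    zone is allowlisted, and whether a brand label is being carried in
    the subdomain part."""
    reg = registrable_domain(hostname)
    return {
        "registrable": reg,
        "allowlisted": reg in allowlist,
        "brand_labels": brand_labels_outside_registrable(hostname, brands),
    }


if __name__ == "__main__":
    # The four names from the DNS cache quoted above.
    for h in ["store-images.s-microsoft.com-c.edgekey.net",
              "www.msftconnecttest.com",
              "123499-ipv4v6.farm.dprodmgd103.aa-rt.sharepoint.com",
              "download.windowsupdate.com.edgesuite.net"]:
        print(h, triage(h))
```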
Also Azure AD and Entra ID and other parts of Microsoft 365 all use onmicrosoft.com, too. A fun bonus to that particular domain is the random, meaningless-to-people, GUID-derived tenant IDs in the second level. Knowing what is legitimate, and what is tied to a specific corporate tenant, seems impossible. Certainly helps Microsoft themselves avoid XSS problems, I'm sure, but greatly adds to the confusion of what is a legitimate M365 URL.
Our government uses the equivalent of www.mydatabox.cz (the real one is mojedatovaschranka.cz).
Literally a domain that looks like it is from teaching material for phishing, no databox.gov.cz or something like that.
The domain is for official legal documentation communication with the government and has the same legal weight as a letter that was personally delivered with the recipient checked against ID.
To be fair, US healthcare billing companies aren't very far removed from scammers in the first place. Except most scammers are more ethical.
Worse, every doctor/lab sends their own separate bill with their own separate account numbers and URLs. You could probably make a ton of money just sending a bill to every address in your city; so long as the amount is around $50 many will not question it anymore, as they get so many of those things.
Did you click on the "Report Phishing attempt" button installed by your IT center in your mail client?
Sorry for the probable sarcasm. In a company that size, if the IT center does not provide a means to report phishing attempts then there are more serious problems than a dodgy email campaign.
I wanted to, but I could not find it. It turns out I could not see the "report phishing" button because of an Outlook glitch. Thanks Microsoft.
Forward the email to your security org?
I did end up forwarding the email to another IT service address (one that I knew was legit). They thanked me for the feedback and said they would improve the message.
This. We have a dedicated phish/scam/it-sec channel in Slack for this (in addition to an embedded “report this email” plug-in in Outlook).
This is even worse in companies that have security offices actively sending out phishing emails worded as internal emails from your company that shame you if you click any of the links in them.
email is well and truly dead.
That reminds me that we had a "chief architect" who sent out his farewell email with a link to his LinkedIn page in the footer, but the link actually went to a certain music video on YouTube.
I suppose, if you want to train people to not click on links, that's a fun way to do it.
It’s a good idea.
I am usually a bit pessimistic about it though. If their SOP doesn’t account for “looks like phishing but is from internal sender” then chances are that nobody connects the dots and informs that sender.
The intelligence of a small and motivated IT team seems difficult to scale.
FWIW, I did exactly that a few times where I was 90% certain the e-mail is legit, but it still looked like a phishing attempt. The IT department needs to learn to do better, this is inexcusable, especially in a corporation with otherwise restrictive policies that waste ridiculous amounts of money and effort (think: Windows Defender real-time "protection" on developer machines, with no way to exclude your repos).
If I saw one of those in a 100k employee company I'd first just assume it's a phish-test email and that anyone who clicks on any URL in it is going to get put in the list for remedial training.
There are, of course, a whole plethora of services that a CTO-type person can hire to phish test your employees. Some of them even have several hundred real domain names with live MX on them that you can add into your office365/gsuite mail flow permit-list controls, as an admin, to ensure that the phish test arrives correctly in peoples' inboxes.
I love how those emails have extra metadata in the headers like "X-Phishing-Test: True"
I have an Outlook rule to redirect these to junk.
I wish I could do that, but then that would impact my "scoreboard" on the anti-phishing tool and they would yell at me or send me to remedial "training" too. They really like to see that useless button pressed that just patronizingly tells me "Yes, this was a training exercise".
At the moment in my current corporate email address this the number one source of spam, just all the internal phishing testing emails. It feels like the attempted cure is worse than the disease and I hate getting so much useless trash.
It's actually even worse than that for our anti-phishing tool: somehow Outlook's processing triggers the tool to think that I've interacted with the email, but after several rounds of "our tool says you clicked a link" and my reply of "I 100% didn't, let me see some logs", they now seem to ignore notifications of me clicking on phishing test links. So a win for me, I guess?
Indeed, though the sort of person who knows how to read and understand mail headers is probably pretty unlikely to fall for a real phish.
On our company (hosting & PaaS), I was contacted on our internal messenger by a person I've never seen before, asking me to "please" run some commands as root and send back the results. After the initial shock (and due infosec diligence) I found out it was just "the new guy", needing to collect info about our systems for equipment inventory purposes. Since they didn't have access to our networked management tool yet, and didn't know the finer points about how running `curl ... | sh` randomly is not a good idea, they thought it would be ok to get that information piecemeal directly from people.
It happens.
I flip tables when people make offhand requests like this. Infra teams are not keyboard monkeys with admin creds.
When I worked at Sun Microsystems, they had a clever launcher shell script dealie for things like StarOffice documents that did usage tracking, portability fixes (usually setting obscure environment vars), and of course downloading and opening the actual document. Then they started sending those shell scripts as email attachments. One day they sent out an email telling people to not open executable email attachments: the full memo was a SO document wrapped in one of these scripts.
To their credit, after the inevitable replies to that email they never used that wrapper again (they moved the launchers to the centralized NFS install where they always should have been)
My company's security training tells me to carefully verify any URLs in received emails, but then they have some security software that rewrites all the URLs in incoming emails - presumably as a way of screening them themselves.
This might be a reasonable trade-off for centralising monitoring, but it significantly hampers the ability to judge the legitimacy of emails myself. At least update your training!
My company does that too, it's really annoying. They also sometimes send out mass emails for things like surveys but link to some third party service. I've even seen them put, in the email, things like "the link goes to a trusted third party and is perfectly safe". Why should I trust that if I'm already suspicious of the email's legitimacy?
Our last round of security training was roundly mocked by our software division, especially around the subject of one of the rules emphasized over and over being to "never click URLs in emails" and the sign-in process for the website alongside the distribution of lessons was done exclusively through magic links... in emails.
Our CEO is actually a developer himself on our core product (and a bit of a paranoid fella on the cybersecurity front to boot) and he was absolutely furious about this vendor being chosen...
Banks do this as well. I made a purchase, and within minutes got a very scammy looking e-mail from them - low quality gifs, asking me to click on links to a random non-bank website(something like purchase-verification-users.net/235532/confirm.html, and the site wasn’t coming up on any searches). At the same time I get a call from a random number asking me to go over some purchases - I looked up the number, and it’s none of the ones listed for my bank.
So I hang up and call my bank directly. I spend 10 minutes going through the phone maze to talk to someone. Finally I get to them, and they confirm that is a number that they use to contact people. How come when you list numbers on your website you don’t list this one? Well, they said they often call from numbers they haven’t listed online. How about that e-mail, do you send those? Well, we sometimes contact people by e-mail, if it says it’s from us in the from: line you can click on it. Did you guys send that one? I don’t have that information; don’t click on it if the from: line isn’t us, but if it is, go ahead.
Worth noting - do not trust the incoming callerid number. This is trivial to fake.
I report those as phishing in order to get the feedback to the IT team who sent them from their colleagues in infosec. (I often have had IT and infosec reporting to me, which makes this even more effective of a feedback mechanism. :) )
Regarding the external domain thing, I can say that dealing with domains in a big company gets about as bureaucratic and terrible as just about everything else; I experienced this myself - at a youngish company when I needed a new sub-domain off the big official domain, it was just talk to $dude on the DNS team and he’ll help you out. And he did. A few years later once things had “grown up” a bit, I needed to update a record and I asked the same guy. He told me I needed to fill out a 25 question form and they’d review it. I about half copy and pasted it from another team member’s project and they accepted it.
Obviously it doesn’t excuse the practice, but I can see why people use alternative domains to get things done. The above anecdote was also purely within the company; I’m sure that if you add in a partner/managed service, it only amplifies the complexity.
Similar unforced error: I got emails from healthcare.gov for required actions on the site's marketplace. But the links used the lnks.gd shortener, hiding what domain you were actually going to end up at! They're encouraging people to blindly click on links with no idea where it takes them!
What's worse, you can't even go to the lnks.gd root to check where a shortened link is going. And the "shortened" link was actually longer, with all the payload crap they rolled in. They could have just used the normal url plus small internal identifier of which email it was if they needed to track it, and it would have been shorter.
There was no reason to use a shortener, let alone such a shady one!
Yeah, was working for a (then) 15k employee company and got an email "You have expenses due". Blank content, PDF attachment. I hadn't initiated any payments (but it later turned out the bank had just charged the annual tax on my corporate card account)
Ignored it.
Later got my manager asking as the expense team had been chasing down managers of people with overdue reports.