Author: Sharky

Back to the ol’ spam-fighting drawing board

Pilot fish returns from an extended holiday weekend to find his inbox full of spam -- and for once, dozens of the messages seem to be related.

"I was curious, so I didn't delete all 50 of them right away," says fish. "The first one was obviously spam -- a 'Hi, do you remember me, can we talk?' message with a phishing link.

"But the first reply was from an autoresponder at a legal-services company: Thank you for your email. You have reached the email inbox for... Please let us know if you have any questions."

The next message is from another autoresponder, replying not to the spam but to the first autoresponder: Thank you for contacting us. This is an automated response confirming the receipt of your ticket. Our team will get back to you as soon as possible.

One small step forward, one giant leap back

This pilot fish is paying his monthly bills online when he discovers one of his utilities has changed the payment part of its website -- a lot.

"I clicked on the 'Payment' button, and saw that I now had the option of paying with or without logging in," says fish.

"OK, the no-login option could be handy, but I've been paying this bill online for years, so I clicked on the login option. It asked me for my user name and eight-digit PIN. What PIN? I have a long, secure password. I tried that. It didn't work."

And after several unsuccessful attempts, fish tries the no-login version -- which just takes him to the same screen asking his PIN.

Throwback Thursday: Just one more thing to worry about

This pilot fish and his wife are planning a long-overdue vacation to an all-inclusive resort -- one of those places where you don't have to worry about things like meals or tipping.

"I log onto the resort's website in order to make some reservations ahead of our arrival," fish says, "and am presented with the standard registration page."

He enters his information on the page, which also asks "for security reasons" that he set up a password.

It's not until after he has clicked "OK" that fish looks at the icon in his web browser and realizes the page isn't encrypted. He does a quick browse of the source code for the page, and finds that there's no SSL anywhere securing the data he's just typed in.

Why security is the first thing to go, episode 65,723

IT contractor has a project to upgrade some software for a client -- and the project is way behind schedule, says a pilot fish on the client side.

And why is that such a problem? "The existing product goes End-of-Life soon, at which time it will no longer be an approved product for us," fish explains.

"The contractor's people come in and pitch their schedule to upper management. In the briefing, they bring up the fact that the new product is not even approved to be on our highly secured network, and they have not even started on getting it approved.

"Essentially, if they have to get it approved, they can never get it deployed on time.

Throwback Thursday: Well, trial and error IS a mechanism

New regulations go into effect requiring more physical and electronic security at this health insurance company, so the company hires a chief security officer to oversee the efforts, says a pilot fish there.

"I was involved in the original security implementation on most of the systems and offered to help, but the new CSO refused our input," fish says. "He put keycard access on the computer room and UPS room and confiscated any physical keys he could find.

"When asked what would happen if the keycard system went down, he responded that 'mechanisms are in place,'" fish recalls.

Soon, only three people have physical keys: the CSO, chief financial officer and facilities manager.

You’ve got malware!

Flashback to the early 2000s, when this non-IT pilot fish works in a building where the level of computer literacy is hovering near absolute zero.

"I was the only person in my department who had any computer skills at all," fish grumbles.

"One day we all got an email notice from management about a virus that was going around, spread by email. We were warned about clicking links and opening pages and all the other standard warnings."

Fish suspects that most people in the department will just delete the warning, since they don't use their computers for anything but the bare minimum required by company business -- and they barely understand even that.

Throwback Thursday: How did…er, DIDN’T he do that?

It's 1977, and this network analyst pilot fish is working at a newly constructed data center -- one with a big fence.

"The company had just gotten a new sense of needing physical security, so they had included a new, state-of-the-art security system," says fish.

"It had electronic locks at a handful of doors in the building, a 10-foot-high fence with a motorized gate, and key-card reader stations by each of the locked doors and the gate."

One day, company needs to bring a new communications line up between the data center and an office 10 miles away. Fish's team leader decides the best way to do this without disrupting the users is to have fish go to the remote office at 4:30 a.m., while his team leader goes to the data center.

Grand Theft IT? Not quite

The time has come for the sales team at this financial services company to get new top-of-the-line laptops -- and they're being upgraded 80 at a time, reports an IT pilot fish there.

"Late one night, the guy in charge of the upgrade got a call from Security saying that a break-in had occurred," fish says. "They told him that on the security cameras they saw the thieves making off with a lot of laptops.

"The upgrade project manager arrived at the scene to meet the police -- who were very puzzled when he started laughing.

"Turns out the thieves stole 80 decommissioned laptops with no hard drives, while ignoring the 80 new laptops sitting in boxes beside the decommissioned ones."

Nice to know our financial world is in safe hands

This company is the target of a spear-phishing attack, but it doesn't actually get very far, according to an IT pilot fish working there.

"It was the typical 'CEO is out of the office and needs a wire transfer done right away' message," fish says.

"Our people are pretty good at spotting phishing attempts, and our administrative assistant was immediately suspicious because we do wire transfers approximately never. She strung the guy along over multiple emails and got all the transfer information -- amount, routing number, account number and so on.
