Thinking about getting gas. Then Ranting.


I can't even figure out what that is.
Thin bags of gasoline positioned so that when they break and flood the trunk they’ll leak down onto the hot muffler and maybe even forward onto the much-hotter catalytic converter
 
they looked like underripe watermelons.
 
I have no words. :mad2:

Hoping Wal-Mart finds a way to refuse returns on funnels next week. And also, it would seem, Tupperware.
 
Well, at least he had safety in mind. I mean... the gloves, right?
 
Love watching a self-fulfilling prophecy come to life. Unfortunately, this disproportionately affects an awful lot of people that actually NEED the gas.
 
Love watching a self-fulfilling prophecy come to life. Unfortunately, this disproportionately affects an awful lot of people that actually NEED the gas.

Not sure what self fulfilling prophecy you're referring to here.

On the way back from the post office, I went by six gas stations. No gasoline at any of them, but two of them had diesel.

Not really the way I'd want to deal with ransomware extortion: https://www.msn.com/en-us/money/new...ers-to-end-ransomware-cyberattack/ar-BB1gHBuP

Like I was saying before, these guys aren't the brightest bulbs in the chandelier:

“atrocious” information management practices and “a patchwork of poorly connected and secured systems”:
https://www.thenewstribune.com/news/business/article251366503.html

1.2 million gallons of gasoline leaked near Huntersville, NC: https://www.wsoctv.com/news/local/s...ated-huntersville/ZNFVGL3VHJCUZF6GVLKY76NQSY/

Colonial alerted to leak by kids riding ATVs, their internal processes failed to find the leak again.
https://www.charlotteobserver.com/news/local/article248632600.html
 
Wonder if the pipeline company will NOW spend some money on their IT infrastructure. Sounds like they paid the ransomware. Would've been cheaper to maintain their IT infrastructure properly....
 
You would think the Garmin attack and payout would've woken these companies up to the fact they are targets. It certainly showed the hackers that the strategy works...
 
You would think the Garmin attack and payout would've woken these companies up to the fact they are targets. It certainly showed the hackers that the strategy works...

It tells me that they had no, or insufficient, backups to restart themselves and HAD to capitulate. Failure to plan and all that...
 
You would think the Garmin attack and payout would've woken these companies up to the fact they are targets. It certainly showed the hackers that the strategy works...
Garmin. The banks before them. The DC Police department. Other city agencies around the country. The OPM hack a few years ago. The list goes on and on. In many companies, if it's not revenue producing, it doesn't get the capital - although some have woken up to the reputational risk concerns.
 
Hackers are getting more sophisticated; attacks more complex. For companies, it’s not enough to just catch up or keep pace, they need active security programs to advance and stay ahead.
 
"However on April 13, we sent out a test phishing email to [where I work] faculty & staff entitled Password Check Immediately Required. Many spotted it as phishing and reported it to the HelpDesk, but 159 users clicked on the embedded link included in the email and 31 actually shared their username and password in the phishing screen."

[About 500-600 total faculty/staff; most faculty have PhDs...]
 
"However on April 13, we sent out a test phishing email to [where I work] faculty & staff entitled Password Check Immediately Required. Many spotted it as phishing and reported it to the HelpDesk, but 159 users clicked on the embedded link included in the email and 31 actually shared their username and password in the phishing screen."

[About 500-600 total faculty/staff; most faculty have PhDs...]

That should be a continued employment test. Click on link, or enter password is a fireable offense.
 
Our org does phishing tests routinely. We have a plug-in that integrates with Outlook where you can click a Phish button and it will send the email to info-sec for analysis. The info-sec group offers up prizes to people who correctly identify phish emails. For those who click the phish-test-emails - First offense is you have to re-take the phishing web-based-training. Second offense is your manager gets a call. Third offense.... yeah, you get sent to HR and it becomes a performance issue.

There have been some tricky fake-phish-test emails that have gone out. One looked really close to an actual email requesting sign-up for the company picnic. Others look pretty darn close to emails from Microsoft and Apple.
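A worked example of the analysis step that post describes, the reported message landing with info-sec, is added below; it is not code from the original thread or from any vendor's "Phish" add-in. It takes a raw message as forwarded and checks the things an analyst looks at first: whether Reply-To and Return-Path steer to a different domain than the visible From, what the receiving mail server's Authentication-Results say about SPF and DKIM, whether a link's visible text shows one site while its href goes to another, and whether the subject and body use pressure language. Both sample messages, every domain and every URL in them are constructed for this example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages, as a "Phish" button might forward them to info-sec.
# Every header, domain and URL here is made up for this example.
LURE_EML = """\
Return-Path: <bounce@mail-delivery.example.net>
Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=mail-delivery.example.net; dkim=none
From: "IT HelpDesk" <helpdesk@example.edu>
Reply-To: helpdesk-support@example-security.net
To: faculty@example.edu
Subject: Password Check Immediately Required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended in 24 hours unless you verify your password.</p>
<p><a href="http://example-security.net/login">https://sso.example.edu/password</a></p>
</body></html>
"""

BENIGN_EML = """\
Return-Path: <helpdesk@example.edu>
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=example.edu; dkim=pass header.d=example.edu
From: "IT HelpDesk" <helpdesk@example.edu>
To: faculty@example.edu
Subject: Reminder: picnic sign-up closes Friday
Content-Type: text/plain; charset="utf-8"

Sign-up for the company picnic closes Friday at noon.
"""

# Pressure phrases typical of credential lures (assumed list, extend for your environment).
URGENCY_WORDS = ("immediately", "urgent", "suspended", "24 hours", "verify your password")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(value: str) -> str:
    """Host part of an e-mail address or URL, lower-cased."""
    value = value.strip()
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    return (urlparse(value).hostname or "").lower()


def triage(raw: str) -> dict:
    """Return indicator codes, extracted links and a coarse verdict for one reported message."""
    msg = email.message_from_string(raw, policy=policy.default)
    indicators = []

    # Header consistency: replies or bounces steered away from the visible sender's domain.
    from_dom = _domain(parseaddr(str(msg.get("From", "")))[1])
    for header, code in (("Reply-To", "reply-to-mismatch"), ("Return-Path", "return-path-mismatch")):
        addr = parseaddr(str(msg.get(header, "")))[1]
        if addr and _domain(addr) != from_dom:
            indicators.append((code, f"{from_dom} vs {_domain(addr)}"))

    # Authentication results stamped by the receiving MX (trust only your own MX's stamp).
    auth = str(msg.get("Authentication-Results", "")).lower()
    if re.search(r"spf=(fail|softfail)", auth):
        indicators.append(("spf-fail", auth))
    if "dkim=pass" not in auth:
        indicators.append(("dkim-missing", auth))

    # Links whose visible text shows one host while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    links = []
    if body is not None and body.get_content_type() == "text/html":
        parser = _LinkExtractor()
        parser.feed(text)
        links = parser.links
    for href, anchor in links:
        if anchor.lower().startswith(("http://", "https://")) and _domain(anchor) != _domain(href):
            indicators.append(("link-text-mismatch", f"shows {_domain(anchor)}, goes to {_domain(href)}"))

    # Pressure language in subject and (tag-stripped) body.
    haystack = (str(msg.get("Subject", "")) + " " + re.sub(r"<[^>]+>", " ", text)).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        indicators.append(("urgency-language", ", ".join(hits)))

    verdict = "likely phishing" if len(indicators) >= 3 else "needs analyst review"
    return {"indicators": indicators, "links": links, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("lure", LURE_EML), ("benign", BENIGN_EML)):
        result = triage(raw)
        print(name, result["verdict"], [code for code, _ in result["indicators"]])
```

The threshold of three indicators is an arbitrary starting point; in practice the verdict feeds a queue for the analyst rather than replacing them, and the Authentication-Results check is only meaningful for the stamp your own MX adds, since a sender can forge that header on the way in.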
 
"iT Is a CosT CenTeR!!!"

Yep. Until it's not. I've worked in organizations where the ratio of IT to non-IT was completely out of whack. Like around 1:100 or so. That was a relatively large financial organization, too.
 
That should be a continued employment test. Click on link, or enter password is a fireable offense.
That would be something, wouldn’t it.

My firm has adopted the stance similar to the FAA. If you fail our phishing tests, you get to take extra security training. It’s a lot better than most companies believe it or not.
 
Our org does phishing tests routinely. We have a plug-in that integrates with Outlook where you can click a Phish button and it will send the email to info-sec for analysis. The info-sec group offers up prizes to people who correctly identify phish emails. For those who click the phish-test-emails - First offense is you have to re-take the phishing web-based-training. Second offense is your manager gets a call. Third offense.... yeah, you get sent to HR and it becomes a performance issue.

There have been some tricky fake-phish-test emails that have gone out. One looked really close to an actual email requesting sign-up for the company picnic. Others look pretty darn close to emails from Microsoft and Apple.

What BS.

I’m surprised no one has begun sending all their emails to info-sec for analysis. “Here are yesterday’s 347 emails, folks. Please let me know which ones are safe. Thank you!”
 
What BS.

I’m surprised no one has begun sending all their emails to info-sec for analysis. “Here are yesterday’s 347 emails, folks. Please let me know which ones are safe. Thank you!”

Hadn't thought about that. I could see two schools of thought here:

  1. It's IT's responsibility to ensure the information security of the organization, so they should be the ones to ultimately stop threats at the doors, and if a threat does get in, deal with it before it gets out.
  2. It's the employee's responsibility not to be a sucker and do stupid things like send their password around in an email.
I think it's definitely a mix of both, and can see both sides of the coin there. Employees shouldn't have to deal with the mental energy, stress, and time to have to sleuth out very cleverly disguised email (be they tests or actual phishing attempts), and IT just can't catch everything.

Interesting times we live in, and I'm super happy I got out of IT when I did.
 
I’m surprised no one has begun sending all their emails to info-sec for analysis

I think the spam/phish filters do a pretty good job of getting rid of the vast majority of the irritating and malicious traffic. The phish button is there to provide a way for folks to send the ones that slip through to infosec for quarantine and analysis. I get what you are saying, but the number of these questionable emails that slip through is pretty low.

But yeah, I'm glad I'm not in infosec.
 
"iT Is a CosT CenTeR!!!"

Yep. Until it's not. I've worked in organizations where the ratio of IT to non-IT was completely out of whack. Like around 1:100 or so. That was a relatively large financial organization, too.

For just about every company "IT" IS a cost center. If it doesn't generate profit on the income statement, it's pretty much a cost center by default. However, using that as a justification for not investing capital dollars is short-sighted.
 
You know this because...are you the one pictured pumping gas?
Initial thoughts stand.

Nope, but the message that you are trying to send is that the person in the photo, presumably of libertarian or democratic leaning, is engaging in some sort of hypocrisy because she wants the benefit of easy access to fossil fuels but is opposed to a pipeline. The truth of the situation is that the Atlantic Coast Pipeline proposal, which is what that bumper sticker refers to, was unpopular in the Shenandoah Valley (which is heavily conservative) across party lines. It was more of a “not in my backyard” phenomenon than anything else. There are plenty of deeply conservative households that have this same bumper sticker and sign in their front yard.

It makes a cute picture to trivialize opinions that aren’t aligned with your own and stoke fake outrage, but this is at odds with reality.

So yeah, whooooooosh.
 
You would think the Garmin attack and payout would've woken these companies up to the fact they are targets. It certainly showed the hackers that the strategy works...

As another member of our industry security sharing group said two weeks ago...

“I can hire 20 analysts and 10 pen-testers and against nation-states I will always lose.”

There’s a huge ROI problem in security, baked in by billion dollar OS makers with crap code.

Hacking is no longer a matter of “if”, just a matter of “when”. Security theater.
 
Look out y'all... I bet the word 'triggered' is going to get thrown in here soon...
 
I think the spam/phish filters do a pretty good job of getting rid of the vast majority of the irritating and malicious traffic. The phish button is there to provide a way for folks to send the ones that slip through to infosec for quarantine and analysis. I get what you are saying, but the number of these questionable emails that slip through is pretty low.

But yeah, I'm glad I'm not in infosec.


If the company is going to punish employees who are not infosec specialists for getting suckered occasionally, they should be punishing the infosec group for letting the crap through in the first place.

What they’re doing seems akin to punishing the victims of a mugging.
 
ah yes... privatize profits, socialize losses.

No, just pass along COGS. Government isn’t involved at all — unless they mandate “security certifications”. Which are mostly just checkbox checking and generally worthless busywork.

None of the ways the controls in those are implemented are how the bad guys will actually get you, they’re just old methods automatic software will.

What’s really missing from the executive level is an understanding that computers done right are hideously expensive. A filing cabinet and a manual valve really are cheap even if you have to pay humans to operate them.

They don’t measure the risk as a built in cost.

“What’s our worst case scenario?”

Nobody wants to hear ...

“We are down for a week minimum, we are plastered all over the news, and we’ll need twenty more staff just to clean it up and it’ll take six months... then it’ll happen again. Unless we hire those twenty staff now in perpetuity. And even then it’ll still happen, we’ll just recover faster.”

It’s a recovery rate game now. Not a security game. Maybe a fire containment game.
 
If the company is going to punish employees who are not infosec specialists for getting suckered occasionally, they should be punishing the infosec group for letting the crap through in the first place.

What they’re doing seems akin to punishing the victims of a mugging.

Punishment never works. Rewarding those who did it right is better.

Problem is the ones who did it wrong will see their lack of a treat as punishment. Just like my dogs if only one gets a Scooby snack.
 
May I ask why they use the same computers for e-mail/web browsing and controlling mission-critical objects, such as pipeline valves?
 
May I ask why they use the same computers for e-mail/web browsing and controlling mission-critical objects, such as pipeline valves?

People don't know better? I'm the engineer over a small group of expensive electrical test equipment, and when I took over responsibility for that area I found operators on the internet surfing IE and getting personal email while running jobs. I stopped that right away, those machines are now on the internal network only with no connection to the outside world. Dumb.
 
How interesting that hypocrisy is assumed to be a political issue.
 