this post was submitted on 10 May 2024
1289 points (98.6% liked)

Comic Strips

17970 readers
2453 users here now

Comic Strips is a community for those who love comic stories.

The rules are simple:

Web of links

founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] frickineh@lemmy.world 53 points 1 year ago (12 children)

Ours do that too. It's so obvious that I'm not sure if they think we're all stupid, except then I remember that some of my coworkers actually are stupid, so it's probably aimed at them.

[–] jballs@sh.itjust.works 24 points 1 year ago (9 children)

I've worked with a dude for years who I would consider smart both technically and non-technically. One time we got an email at work with an attachment that was something like "microsoft_update.exe.txt". The email said "due to a technical limitation on the email system, this file needs to be renamed to drop the .txt and executed to apply a critical to your computer."

It was, in my mind, such an obvious phishing attempt that I laughed out loud and said "who the fuck would ever fall for this?" Then my coworker popped his head over the cube wall and said "WAIT WHAT? We weren't supposed to run that?!"

Fortunately, the security team sat nearby and heard the whole thing and rushed over to quarantine his PC

[–] Emerald@lemmy.world 15 points 1 year ago (7 children)

quarantine his PC

You mean shut it off and steal and the Ethernet cable? Lol

[–] groet@feddit.de 11 points 1 year ago (1 children)

You DONT want to turn it off. Digital forensics work WAAAAAAY better if you have a memory dump of the system. And all the memory is lost if you turn it off. Even if the virus ran 10h ago and the program has long stoped running, there will most likely still be traces in the RAM. Like a hard drive, simply deleting something in RAM doesn't mean it is gone. As long as that specific area was not written over later it will still hold the same contenta. You can sometimes find memory that belonged to a virus days or even weeks after the infection if the system was never shut down. There is so much information in ram that is lost when the power is turned off.

You want to 1: quarantine from network (don't pull the cable at the system, but firewall it at the switch if possible) 2: take a full copy of the RAM 2.5: read out bitlocker keys if the drive is encrypted. 3: turn off and take a bitwise copy of the hard drive or just send the drive + memory dump to the forensics team. 4: get coffee

[–] Emerald@lemmy.world 7 points 1 year ago (1 children)

Why would you be doing digital forensics?

[–] KISSmyOSFeddit@lemmy.world 13 points 1 year ago (1 children)

To find out if nuking that one workstation is enough or if you have to take more drastic measures.

[–] Emerald@lemmy.world 4 points 1 year ago (2 children)

I feel like most companies wouldn't bother with all that. They'd probably just nuke the workstation and call it a day.

[–] KISSmyOSFeddit@lemmy.world 7 points 1 year ago (1 children)

And then get ransomwared a bit later.

[–] Emerald@lemmy.world 4 points 1 year ago

Oh yeah probably

[–] JasonDJ@lemmy.zip 2 points 1 year ago

Yeah no. You gotta do due diligence. Getting one system compromised isn't enough. The whole point is to pivot, elevate, repeat.

load more comments (5 replies)
load more comments (6 replies)
load more comments (8 replies)