[PLUG-TALK] Cisco Secure Email Encryption Service (CRES)

[TomasK]

On Fri, 2021-03-19 at 08:33 -0700, Ash (Richard) Powell wrote:
> I know this isn't a security list, and there's probably better lists
> to 
> pose this question to.  But, despite my limited active conversation 
> here, I feel more comfortable here (Portland locals) than the 
> global/larger lists.
> 
> After conducting a security awareness training about phishing scams, 
> someone on my billing department ran this by me to be safe.  And I
> was 
> somewhat shocked to see that a reputable company such as Cisco has a 
> product where they encourage people to save .html files with
> Javascript 
> in them to their local machine, and then to open those files and
> enter 
> their password.  I understand browser developers have probably made 
> great strides in "sandboxing" Javascript in a browser.  But I
> remember 
> the days when running an html file with Javascript from a local
> machine 
> would enable the script to run in the context of that local
> computer, 
> rather than the sandbox.  It was some scary shit, and still is for
> me.
> 
> Anyway.  I have always cautioned users against opening and running 
> attachments that run code.  So what the hell?  Has Cisco just thrown 
> this recommendation out the window for me?  Do I need to now monitor 
> these things on a case by case basis for my company employees?
> 
> Just looking for thoughts.  Am I overreacting?  Should I reevaluate
> my 
> understanding on opening html email attachments?
> 

I think that you should treat the root cause of this:
a) find those who invented this solution and participated in the scheme
by sending the emails
b) contact their parents for badly needed re-education intervention

I do not think there is anything else that could really solve this.

Hope that helps - as therapy, -T