[PLUG-TALK] Cisco Secure Email Encryption Service (CRES)
TomasK
tomas.kuchta.lists at gmail.com
Fri Mar 19 17:12:28 UTC 2021
On Fri, 2021-03-19 at 08:33 -0700, Ash (Richard) Powell wrote:
> I know this isn't a security list, and there's probably better lists to
> pose this question to. But, despite my limited active conversation
> here, I feel more comfortable here (Portland locals) than the
> global/larger lists.
>
> After conducting a security awareness training about phishing scams,
> someone on my billing department ran this by me to be safe. And I was
> somewhat shocked to see that a reputable company such as Cisco has a
> product where they encourage people to save .html files with Javascript
> in them to their local machine, and then to open those files and enter
> their password. I understand browser developers have probably made
> great strides in "sandboxing" Javascript in a browser. But I remember
> the days when running an html file with Javascript from a local machine
> would enable the script to run in the context of that local computer,
> rather than the sandbox. It was some scary shit, and still is for me.
>
> Anyway. I have always cautioned users against opening and running
> attachments that run code. So what the hell? Has Cisco just thrown
> this recommendation out the window for me? Do I need to now monitor
> these things on a case by case basis for my company employees?
>
> Just looking for thoughts. Am I overreacting? Should I reevaluate my
> understanding on opening html email attachments?
>
I think that you should treat the root cause of this:

a) find those who invented this solution and participated in the scheme
by sending the emails
b) contact their parents for badly needed re-education intervention

I do not think there is anything else that could really solve this.

Hope that helps - as therapy,
-T