No one is safe from data breaches, and at times it won't even be the company you've directly interacted and purchased from but their partners, like what recently happened to Framework. Framework are the company that make the modular Framework laptop, which is really cool!
From what I can tell, Framework have not announced this in public but sent it in an email to affected customers which one decided to copy and paste on to the Framework Forum in a post.
The email notes how their accounting partner, Keating Consulting, had a staff member fall victim to a "phishing email that utilized social engineering tactics to obtain customer PII (Personal Identifiable Information) associated with outstanding balances for Framework purchases" and anyone getting the email was affected by it. For those hit their full name, email address and balance owed would have been gained by the attackers.
Framework said about the list that it was "primarily of a subset of open pre-orders, but some completed past orders with pending accounting syncs were also included in this list".
One thing that has confused multiple people, is that even people who don't have an outstanding balance were emailed, which was cleared up in a later post by a moderator forwarding information from the Framework team. There may not be a customer-facing balance, but their system may have a slight difference due to changes in taxes since an order.
It's just another reminder to be seriously careful on clicking links to ensure they really go to where they say, especially in emails, and not entering any information into a form you're not 100% sure on. It can happen to anyone. Always check the full URL.
Bad Windows. People are using Windows and get sad. On normal systems, secretary/accountant do not has sufficient rights, but on Windows (with unskilled, cheap admin?). Additionally, Windows is not resist to malware, there was many bad design decision during Windows creating, like opening programs downloaded from internet by double-click, etc.
I don't like Windows, however it has nothing to do with that story. Social Engineering doesn't care about the OS.
Bad Windows. People are using Windows and get sad. On normal systems, secretary/accountant do not has sufficient rights, but on Windows (with unskilled, cheap admin?). Additionally, Windows is not resist to malware, there was many bad design decision during Windows creating, like opening programs downloaded from internet by double-click, etc.
I don't like Windows, however it has nothing to do with that story. Social Engineering doesn't care about the OS.
Yes. But there is difference, when system is designed in bad way, and clicking on link could install malware, or secretary have rights to install software by default.
Linux do not allow to install software without provide an password by default. Even, when we download software pointed by link, like on Windows (for example, somebody told us this is only image from holiday trip and not software), we must told system, we knew this file contain software. On Windows, we try to open image from holiday or report, potentially in Excel format, and we made mistake!
Linux do not allow to install software without provide an password by default.It does though. Both my Fedora system and Steam Deck allow me to install software w/o a password by default. I don't think Steam Deck even has you set up a system password during setup, just a button based pin to unlock it.
You're also ignoring whole fields of attacks that don't require the user to install new software like cross site scripting or supply chain attacks. Or general software vulnerabilities like Heartbleed
Linux isn't some magical impenetrable system, that's why you have software like ClamAV since 2002 and any number of other mitigations.
The accountant here isn't stupid; reading inbetween the lines they had a very convincing phishing email because the attacker knew they had access to Accounts Receivable data for a particular client, knew what to ask for, and knew who the CEO was to impersonate.
Presumably they wanted this info because then they could then phish customers that their preorder shipment was being withheld unless they sent whatever money owed to the attacker instead
This basically falls back to any system that tries to do all the work for the user is going to be more vulnerable to make that system easier to use. That's a big part of why Windows is so popular and so vulnerable.
All that said, no operating system is social engineering proof. If the system lets you access sensitive data and lets you upload stuff via a browser or any kind of utility, your users can ship said data off to anyone that tricks them. The only secure system is one that's been shattered into tiny little pieces and disintegrated.
Not to let Windows off the hook. Windows is garbage.
Linux do not allow to install software without provide an password by default.It does though. Both my Fedora system and Steam Deck allow me to install software w/o a password by default. I don't think Steam Deck even has you set up a system password during setup, just a button based pin to unlock it.
You're also ignoring whole fields of attacks that don't require the user to install new software like cross site scripting or supply chain attacks. Or general software vulnerabilities like Heartbleed
Linux isn't some magical impenetrable system, that's why you have software like ClamAV since 2002 and any number of other mitigations.
The accountant here isn't stupid; reading inbetween the lines they had a very convincing phishing email because the attacker knew they had access to Accounts Receivable data for a particular client, knew what to ask for, and knew who the CEO was to impersonate.
Presumably they wanted this info because then they could then phish customers that their preorder shipment was being withheld unless they sent whatever money owed to the attacker instead
Bad Windows. People are using Windows and get sad. On normal systems, secretary/accountant do not has sufficient rights, but on Windows (with unskilled, cheap admin?). Additionally, Windows is not resist to malware, there was many bad design decision during Windows creating, like opening programs downloaded from internet by double-click, etc.
You don't need admin/root for this attack to work and even on Windows any regular it department would remove admin rights from end users machines.
Bad Windows. People are using Windows and get sad. On normal systems, secretary/accountant do not has sufficient rights, but on Windows (with unskilled, cheap admin?). Additionally, Windows is not resist to malware, there was many bad design decision during Windows creating, like opening programs downloaded from internet by double-click, etc.
You don't need admin/root for this attack to work and even on Windows any regular it department would remove admin rights from end users machines.
I know, there is no admin rights, but on Linux, after downloading malicious software, I must point system, this is a software, and I try to open/execute software. On Windows, some one could compile program with nice photography as icon, told me, this is photography from trip and I would open it! That's all...
Bad Windows. People are using Windows and get sad. On normal systems, secretary/accountant do not has sufficient rights, but on Windows (with unskilled, cheap admin?). Additionally, Windows is not resist to malware, there was many bad design decision during Windows creating, like opening programs downloaded from internet by double-click, etc.
You don't need admin/root for this attack to work and even on Windows any regular it department would remove admin rights from end users machines.
I know, there is no admin rights, but on Linux, after downloading malicious software, I must point system, this is a software, and I try to open/execute software. On Windows, some one could compile program with nice photography as icon, told me, this is photography from trip and I would open it! That's all...
Yes Windows have this idiotic tendency to use the file extension to determine what icon to view while using the actual meta data of the file when opening it leading to the user believing that they are clicking on a PDF while actually executing a EXE.
The popup for executing scripts/binaries that you talk about I think is more a Gnome (I also assume that KDE does it) thing than a Linux thing, but that might be semantics. So here I definitely agree that the Linux desktop environment handles this a million times better than Windows.
One caveat though is that attacks like these just as easily could use exploits in the browser/pdf-viewer/image-viewer etc to execute code rather than executing a binary and then we no longer have this protection (but here instead the fragmented Linux distro environment makes us safer in that the attacker doesn't know which browser or viewer that we are using or what version).
Bad Windows. People are using Windows and get sad. On normal systems, secretary/accountant do not has sufficient rights, but on Windows (with unskilled, cheap admin?). Additionally, Windows is not resist to malware, there was many bad design decision during Windows creating, like opening programs downloaded from internet by double-click, etc.
You don't need admin/root for this attack to work and even on Windows any regular it department would remove admin rights from end users machines.
I know, there is no admin rights, but on Linux, after downloading malicious software, I must point system, this is a software, and I try to open/execute software. On Windows, some one could compile program with nice photography as icon, told me, this is photography from trip and I would open it! That's all...
Yes Windows have this idiotic tendency to use the file extension to determine what icon to view while using the actual meta data of the file when opening it leading to the user believing that they are clicking on a PDF while actually executing a EXE.
The popup for executing scripts/binaries that you talk about I think is more a Gnome (I also assume that KDE does it) thing than a Linux thing, but that might be semantics. So here I definitely agree that the Linux desktop environment handles this a million times better than Windows.
One caveat though is that attacks like these just as easily could use exploits in the browser/pdf-viewer/image-viewer etc to execute code rather than executing a binary and then we no longer have this protection (but here instead the fragmented Linux distro environment makes us safer in that the attacker doesn't know which browser or viewer that we are using or what version).
Yes. Even opening page in Web Browser or watching movie in Video Player, or viewing image in Image Viewer, PDF... could infect our computer. But see this in that way: use bug in these programs is much harder and what you say - attackers could only attack in one way, so attack vector is smaller, harder to use, etc. Bug in programs are patched, but this bug in Windows exists from beginning and still was not patched. Creating exe file pretending to be image, etc. is very simple, detecting and use bugs in programs is very hard. I will told this: attacking Linux requires skills and doing directed attack, but on Windows, hackers tend to use attack for the masses. One infected machine program are used to attack others computers, because attacking is so simple. Hackers have good days, because Windows. Even if we assume users are stupid and that's reason for spreading viruses, stupid users on other systems cannot be reason for spreading viruses, in fact, user must be very stupid, so told system: I know, that is a program, just execute it (or another: i known, that is a program, execute it and give it all permissions).
See more from me