Being the grinches that we are we thought that instead of giving you a gift this Christmas we’d give you a warning! You’ll get a lot of messages over the next few days and weeks wishing you season’s greetings. Amongst them though, will be well-wishers with more sinister motives. My family has already received a scam SMS: it told us we had a package with an outstanding duty payment on it (of $2) and we just needed to follow the link to pay the amount and release our package. This is pretty typical of delivery scams that many kiwis are receiving at the moment. Luckily we had a bit of skepticism and a handy cybersecurity expert to seek advice from!
Sometimes I think my cybersecurity colleagues believe they are living in a spy novel. I mean, we are all guilty of trying to make our day jobs sound more interesting or trying to make them sound more ‘sexy’, but this industry in particular takes the cake. Even the name “cybersecurity” is like “oooh, I work in a William Gibson novel!” Though we can’t fault someone trying to make their job sound better than “security guard at an online shopping mall”.
There is a debate at work about what to call what we do. Actually, it’s not really a debate, more sort of a code of silence, or an agreement not to mention the subject in polite company lest it offends. When the subject comes up there is a sort of shuffling of feet, nervous laughter, “ahem”s and a subject quickly changed. But in Axenic’s spirit of transparency let’s get this out in the open: is what we do information security or cybersecurity? Certain people (I’m not naming names but they have numbered among our more beardy team members) have had such strong views that even using the word “cyber” at work is like a red rag to a bull. Actually, while I’m being honest, I have to admit that even though I am amongst the least hirsute of our team, I had strong leanings that way.
We’ve been seeing a bit of a buzz in the technical security press about a new method of phishing that bypasses many key security controls. Using a rogue Azure app, the attacker tricks the user into granting the app permissions to access their Office 365 email account and all of the information associated with it. Patrick Gray at Risky Business has been writing and talking up a storm on this one, and we believe that he is right to do so. In fact, we thought this was interesting and scary enough to let you know so you can understand what’s going on and maybe do something to prevent it.