Posts Tagged ‘general’
OS X Lamadai: Flashback isn’t the only Mac malware threat
The Flashback trojan has been all over the news lately, but it is not the only Mac malware threat out there at the moment. A few weeks ago, we published a technical analysis of OSX/Lamadai.A, the Mac OS X payload of a multi-platform attack exploiting the Java vulnerability CVE-2011-3544 to infect its victims. OSX/Lamadai.A has built-in features typical of a backdoor: namely download and execution of an arbitrary file, uploading of local files to the operator’s Command and Control (C&C) server, and spawning of a command-line shell.
After the technical analysis was done, we began the monitoring phase. This phase is very important because it allows for tracking of how the malware is used by its operator. We can catch new variants of the threat early on, or even a totally different malware family (as often seen in pay-per-install schemes), or see the operator launch Denial-of-Service attacks (or any other kind of malicious activity) from the infected systems.
The monitoring phase allowed us to witness a short, live dialog between our infected machine and the malware operator; we published this dialog in our initial analysis of OSX/Lamadai.A. This experience gave us some new ideas that we could put in place in order to gather more knowledge about this threat and the person or people behind it.
What we did is this: we planted some fake files in the home directory of our test “infected user” and waited for the operator to come back. About one week later, we got our first connection. Here are the highlights of the dialog that took place over a period of about 10 days. It started with a little reconnaissance in the ~/Documents directory. The Unix command ls is used to list directory content:
Then we see the theft of some Tibetan army status documents and a little porn for added value.
Now more reconnaissance and file theft, this time in the ~/Downloads directory.
It is quite interesting to see that the operator did not steal all the files we had put out for him. He left these three untouched:
- 2012_report.doc
- application.zip
- im5744.jpg
A few days went by during which the operator was only connecting to the system to issue some basic commands, most likely with a view to determining whether this was a newly infected system or not. The Unix command id returns the current user's identity and the sw_vers command prints the OS version information.
We decided it was time to refresh the environment to simulate infection of a new user and to install interesting new files to the user’s home directory.
Shortly after the new environment was up and running, we got an incoming connection. Almost instantly, the operator issued a command to download and execute a file (technical details of the new file below)!
Immediately after, the operator ran a few netstat commands, most probably looking to see if the new payload was listening on the network properly. The Unix command netstat displays the network status of the system, such as network connections and routing table.
Not seeing what he wanted to see, our operator tried to re-execute the dropped executable! Let’s see how that turned out:
Yes, you do have to specify the path to the executable when /tmp is not in $PATH. In despair, he attempted to take some screenshots of the entire desktop window, using the OS X ‘screencapture’ command. Oddly enough, the file was not saved in his current working directory as it should have been. We can’t explain why that happened.
Then, a few connection attempts later, the operator logged back on and totally lost it. He issued two Unix ‘rm’ commands, used to remove directory entries: one to remove the user’s home directory and one to remove the system’s root directory.
That concludes this dramatic episode of Monsieur Frustrated Operator. Now to some technical stuff.
One of the first things we did was to recover and analyze the Mach-O executable dropped onto our test machine. We were curious to see what that was: a new variant of OSX/Lamadai, or even a specialized new piece of software? Instead, we found it was the same variant of OSX/Lamadai with a hardcoded C&C server set to 127.0.0.1. This explains why the operator grepped his netstat output for “127.0.0.1”. However, the rationale behind this action is up for debate inside ESET’s Security Intelligence Laboratory. Some argue that the operator realized he was connected to a monitoring system instead of a real, infected one and wanted to redirect the traffic away from the real C&C. Others contend that it would have been easier for him to simply deactivate or remove the malware from the system.
Also, when we first analyzed OSX/Lamadai.A, we said that the malware did not have persistence capabilities on an OS X 10.7.2 system, as the path /Library/Audio/Plug-Ins/AudioServer was not user-writable. We looked a little deeper into this, as other researchers reported that the threat was indeed persistent on their machines. We realized that this very same path is user-writable in previous OS X versions (10.5/Leopard and 10.6/Snow Leopard). This is the cause of some potential confusion and a timely reminder of the benefits of upgrading to the latest version of OS X.
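As an added example (not code from the ESET post or from the malware), here is a small POSIX shell audit of the persistence condition the paragraph above describes: it reports whether a plug-in directory such as /Library/Audio/Plug-Ins/AudioServer can be written to by a non-root user, and lists what is currently in it so an unexpected entry stands out. The function names and the fallback to the path from the post when no argument is given are my assumptions; the mode bits are read from `ls -ld` rather than tested with `[ -w ]` so the answer does not change depending on whether the script is run as root.

```shell
#!/bin/sh
# Added example, not from the ESET post: audit a plug-in directory that malware
# could use for persistence. The post notes that /Library/Audio/Plug-Ins/AudioServer
# is user-writable on OS X 10.5/10.6 but not on 10.7.2; this reports which case
# applies on the machine it runs on. Function names and the default path are assumptions.

# persistence_dir_status DIR
# Prints one of: missing, world-writable, group-writable, owner-writable, protected.
# Reads the permission string from `ls -ld` instead of using `[ -w ]`, so the
# result is the same whether the script runs as root or as an ordinary user.
persistence_dir_status() {
  dir="$1"
  if [ ! -d "$dir" ]; then
    echo "missing"
    return 0
  fi
  # Fields of `ls -ld`: mode, link count, owner, group, ... (positional params are
  # local to the function, so `set --` does not clobber the script's own arguments)
  set -- $(ls -ld "$dir")
  mode="$1"
  owner="$3"
  case "$mode" in
    ????????w*) echo "world-writable" ;;   # 9th char: write bit for "others"
    ?????w*)    echo "group-writable" ;;   # 6th char: write bit for the group
    ??w*)                                  # 3rd char: write bit for the owner
      # an owner-writable directory is only a concern when the owner is not root
      if [ "$owner" = "root" ]; then echo "protected"; else echo "owner-writable"; fi ;;
    *)          echo "protected" ;;
  esac
}

# list_dir_entries DIR
# Prints mode, owner and name of each entry so an unexpected plug-in is visible.
list_dir_entries() {
  dir="$1"
  [ -d "$dir" ] || return 0
  ls -la "$dir" | awk 'NR > 1 && $NF != "." && $NF != ".." {print $1, $3, $NF}'
}

# Stand-alone run: audit the path from the post, or the directory given as $1.
PERSIST_DIR="${1:-/Library/Audio/Plug-Ins/AudioServer}"
echo "$PERSIST_DIR: $(persistence_dir_status "$PERSIST_DIR")"
list_dir_entries "$PERSIST_DIR"
```

Run it as the ordinary login user on the versions the post compares; "owner-writable", "group-writable" or "world-writable" is the condition under which a user-level process could plant a plug-in there, and "protected" matches what the post observed on 10.7.2.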
Credits go to Marc-
Will of the WISP: Your company’s Written Information Security Program
Does your company have a written information security program? If not, you could be an easy target for cybercriminals AND end up on the wrong side of the law, regardless of where your company is located or what size it is. Which law? Something they passed about two years ago in the Commonwealth of Massachusetts, something that is usually referenced with the snappy title of 201 CMR 17.00. And before you go thinking that this does not apply to you because you don't do business in the Bay State, bear in mind that 201 CMR 17.00 applies to personal information about residents of Massachusetts, and that means it does apply to your company if you take orders from Bay Staters.
To be accurate, 201 CMR 17.00 is not a law but a regulation that implements the provisions of a law, and that law is Chapter 93H of Massachusetts General Law Part I, Title XV (M.G.L.93H for short), which states, in part:
“Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards…”
In other words, you need to have a Written Information Security Program or WISP to comply with the law. Note that this applies to “every person” and includes one-person companies through SMBs to large enterprises. If your company suffers a security breach and does not have a WISP, then things are probably not going to turn out well. Indeed, the penalties can be severe, and don't expect to be let off with a slap of the wrist just because you are a small company.
Consider what happened a year ago to Ned Devine's, the Irish pub that is a Boston landmark. The Briar Group, the company that owns Ned's and several other popular venues, was fined $110,000 by the Attorney General to settle allegations that the restaurant chain “failed to take reasonable steps to protect its patrons' personal information, thereby putting the payment card information of tens of thousands of consumers at risk.” Here's what AG Coakley said at the time:
“When consumers use their credit and debit cards at Massachusetts establishments, they have an expectation that their personal information will be properly protected…In this instance, the Briar Group did not take proper protections to protect customers' personal information. In addition to the payment [of the $110,000 fine], this agreement also works to ensure that steps have been taken to protect consumer information moving forward. Our office will continue to take action against companies that fail to implement basic security measures on their computer systems to protect the sensitive information entrusted to them by consumers.”
That's a pretty big stick, one that should encourage you to implement a WISP if you operate a business in Massachusetts or do business with citizens of that state. But there is also a carrot to go with the stick. Having a WISP can add a lot of value to your company, whatever business you are in, even if you never do business with people from Massachusetts. Why? Because a written security policy or program is often a prerequisite for doing business with other companies.
While Joe Consumer is probably not going to ask to see your WISP before he buys an inkjet paper from your office products store, Office Products Inc. may well ask to see your WISP if you want to be an approved vendor supplying them with paper or servicing their inventory management software. I have seen the lengthy compliance documents that some large companies present to smaller companies with whom they want to do business and, without a WISP, it is going to be hard to comply in a timely fashion, which means you could lose the business to a competitor who already has their security program in place and documented.
If you're wondering why larger companies are increasingly taking this approach, or why I am even bringing up a two-year old security law from Massachusetts, consider these findings in the recent Verizon Data Breach Investigations Report or DBIR, which I strongly encourage you to download and read:
- 97% of breaches were avoidable through simple or intermediate controls.
- 79% of victims were targets of opportunity.
- 85% of breaches took weeks or more to discover.
- 92% of incidents were discovered by a third party.
This is a pretty dismal state of affairs, but if you create a WISP and the controls that go with it, then train your employees to comply, you can avoid the all-too-common, and increasingly expensive scenario of finding out from a third party that you've been leaking sensitive data for weeks just because you missed an obvious step in securing your data.
Here are some links to free information and samples that can help you tackle the WISP creation and implementation:
- Massachusetts Written Information Security Plan developed by Buchanan & Associates of Boston (.pdf)
- Common misconceptions about the Mass privacy law
- A Small Business Guide: Formulating A Comprehensive Written Information Security Program (.pdf)
- A Sample Information Security Policy from Advanced System Integrators (.pdf)
There are several commercial vendors that offer tools for implementing policy, for example Info-Tech's Security Policy Implementation tool.
Having a written security policy leads to better security awareness among employees, something we saw in our survey of the BYOD phenomenon. The security risks of BYOD alone are ample reason to document your security program now rather than later (for example, what is your company policy on letting friends and family access personal devices on which company data is stored or accessed? We found 46% of employees were allowing this to happen).
If you are an SMB then a WISP might sound like too much work, but consider the exposure you suffer if you continue to delay implementing a WISP. You might want to take in our latest free webcast: Are SMBs Targets for Cyber Criminals? Let me leave you with a sobering quote from the DBIR:
“Smaller organizations represent the majority of these victims…this relates to the breed of “industrialized” attacks mentioned above; they can be carried out against large numbers in a surprisingly short timeframe with little to no resistance (from the victim…). Smaller businesses are the ideal target for such raids, and money-driven, risk-averse cybercriminals understand this very well. Thus, the number of victims in this category continues to swell.”
BYOD Infographic: For security it’s not a pretty picture
The phenomenon of organizations allowing or encouraging their employees to use their own computing devices for work–known as Bring Your Own Device, or BYOD–is now widespread in many countries, bringing with it some serious risks to company networks and data. As we first reported here on the blog a few weeks ago, ESET commissioned a Harris Interactive survey to help companies get a handle on the scale and scope of these risks. We have now summarized the most important findings in this handy BYOD graphic appropriately titled: BYOD security is no LOL matter.
After contacting 2,000 people, Harris got detailed responses from some 1,300 adults in America who are currently employed and found that more than 80 percent of them “use some kind of personally owned electronic device for work-related functions.”
Some of these devices are older technologies like laptop and desktop computers, but smartphones and tablets (iPhones and iPads, Windows Mobile and Android devices, etc.) are already a significant part of the BYOD phenomenon.
And a variety of what you might call “unsafe computing” practices were observed across all devices. For example, among employees who have been using their own laptop for work, more than 30 percent have connected to the company via a free or public (and quite likely hackable) WiFi connection.
Another BYOD risk factor is the practice of letting someone else use the device. This could be “just” a family member or friend but it introduces the possibility of that person gaining access to the company network or sensitive company data stored on the device. Furthermore, if this “other person” is not trained in safe computing practices there is a serious risk of them getting the device infected or compromised.
As for strangers accessing the device and its corporate data bounty, the BYOD risk is high, with 37 percent of respondents saying they don't use the auto-lock feature on the device (meaning that anyone who steals it or finds it on the seat of a taxi can use it right away). Adding to that concern is the finding that a third of those surveyed said company data on their personal devices was not encrypted (another third did not know if it was encrypted, meaning that as few as one third of people are encrypting company data on their personal devices).
A big clue as to why these BYOD risks exist is the finding that two thirds of organizations have not implemented a BYOD policy. And a strong indicator that the risks are real is provided by the final statistic in the BYOD infographic: a quarter of those surveyed said that they have been a victim of hacking or malware on a device they own.
We trust this infographic will be useful in helping you raise awareness of this issue within your organization. Feel free to share the image above or download the larger .pdf version that includes the following helpful BYOD security tips:
- Provide cybersecurity training to all BYOD employees. That training should include physical security, WiFi security and social engineering attacks. Try to provide at least four hours of face-to-face learning.
- Make password-protected auto-locking a requirement on personal devices used for work and make sure employees know what makes a password strong.
- Develop and enforce a clear, written policy that lets employees know what work-related data they may access with their own devices.
From Georgia With Love: Win32/Georbot information stealing trojan and botnet
Malicious software that gets updates from a domain belonging to the Eurasian state of Georgia? This unusual behavior caught the attention of an analyst in ESET's virus laboratory earlier this year, leading to further analysis which revealed an information stealing trojan being used to target Georgian nationals in particular. After further investigation, ESET researchers were able to gain access to the control panel of the botnet created with this malware, revealing the extent and the intent of this operation.
Finding a new botnet is not unusual these days and most are not particularly interesting from a nerdy, techie point of view, but it turns out that this one (dubbed Win32/Georbot) is both unusual and interesting. Amongst other activities, it will try to steal documents and certificates, can create audio and video recordings and browse the local network for information. One unusual aspect is that it will also look for “Remote Desktop Configuration Files”, which enable the people receiving these files to connect to the remote machines without using any exploit. That approach even bypasses the need for RDP exploits such as the one that was revealed last week.
SKYPE: (S)ecurely (K)eep (Y)our (P)ersonal (E)-communications
SKYPE: Securely Keep Your Personal E-communications
From time to time people get new computer equipment and need to (re-)install all their favorite programs. Often a painful and time-consuming job, but afterwards it should ease the way of working with the new equipment. Even security gurus have to undergo this procedure at regular intervals. In November 2011 I started to use Skype for the very first time after many people asked me if I had a Skype ID. I quickly installed and started to use it. Indeed it proved a convenient (and cheap) way of communicating. But when I got a new laptop to travel with, installed Skype and started to use it, even I was surprised!
After logging into Skype with my Skype ID, all Instant Message Communications I had with other people suddenly appeared. I am no stranger to saved Histories, like in Live Messenger, but these are always stored on your local machine and the option is disabled by default. Skype stores this locally too, but also “In the Cloud”.
Before people start to think that this blog is a rant against Skype, forget it! Yes, Skype could improve on a few points, I will even point them out, but this blog is purely for educational purposes, a reason why people should read an End User License Agreement (EULA), a Privacy Policy and a Terms of Use.
First, let us reconstruct what happened using a Test Account on Skype on system number #1 (note the subtle single finger).
Then I sent an Add Contact request to my regular account.
After adding the ESET Skype Test Account, of course I wanted to communicate and sent the lyrics from Elvis Presley’s “Return to Sender” which was received as expected.
After installing Skype on system number #2 (note the subtle two fingers), I was immediately notified of received and unread messages. This is weird as I’m sure I read all the messages on system number #1.
Who is really reading the fine print?
Last Friday, the German federal government decided on a law against internet scammers and subscription traps – the so called “button” solution. Sites like www.software-und-tools.de often cheated unsophisticated and often defenseless surfers, taking from them a three-digit sum while the surfers just thought they were downloading a freeware program. I’m happy with this new law – even if it is years too late and probably not comprehensive enough.
Using the example of www.winload.de, a well known page here in Germany, I want to introduce a relatively new scam today that is, unfortunately, also used by supposedly reputable sites.
Those currently downloading software through the www.winload.de portal must read the content of the page below the download button – where most users will not scroll – very carefully. (Update: after informing the website owner, the opt-out information is now visible above the download button.) If you simply click the “Download” button, you will experience a surprise. After installation, the settings for the homepage and the search provider are changed – without any prior notice within the setup. In addition, an unsolicited toolbar is installed whose license conditions allow the operator to:
- Change of the default search engine in your Internet Browser’s built-in search box
- Change of the default Homepage of your Internet Browser
- Add an alternative “Page not Found” functionality
- Add other search related services
- Install updates on the PC
- Send notifications to the user
- Collect location-based information
- Collect information contained on your Social Network account and/or site
"Helkern" – The Beginning of End As Anti-virus Experts Have Long Warned
Kaspersky Labs analyzes the consequences of the latest epidemic The ‘Helkern’ epidemic has become huge, not only in the number of infected severs (nearly 80,000), geographic coverage and its rate of spreading, but also in the consequences it has caused regarding the general functioning of…
Pinterest.com security – step by step howto
I recently signed up for Pinterest.com, a hip, trendy pin board style website that allows beefed up sharing of your interests with friends via a large visual bulletin board style forum where fans of a particular subject can post what they find compelling, and want to share. Then other friends can weigh in on the subject “pinned”, thereby creating a crowd-ranked list of what folks in that sector are talking about, with the more popular, relevant, and timely pins rising toward the top. The service is heavily integrated with other social media venues, specifically Facebook and Twitter. In fact, you’ll need your account information from one of them to sign up. This means much of the personalized information you may already have on Facebook, for example, might be used to form a composite of what you might also be interested in on Pinterest.
Is it popular? The numbers have been going crazy lately. Who knew? Other than some half-starved startup team somewhere who hit it big, the idea is sickly engaging and addictive, likely because the site is all about you and what others following your same interests find, well, interesting. I also thought Twitter was a hard sell, but now, well, the numbers speak for themselves on that crazy 140 character status update app that's also addictive and successful.
Here in this article we dive into Pinterest.com, show you what's involved in signing up, securing your profile and feeling your way around the world of Pinterest, with an eye toward your own privacy, security, and best practices.
One thing to note: If you're in a hurry and just click through the default options without an eye for security, privacy, and the possible spread of personal information (either semi-automatically or inadvertently aided by unwitting friends), you may end up with more than you bargained for. Allowing your information to be shared with nearly everyone by default might cause heartache down the road, so locking things down a bit seems like a good stance to take.
Let’s Get Started
If you haven't signed up already, it's tougher than it looks. First, you have to sign up for a waiting list to be invited, or better yet, get someone on the service already to invite you. This hearkens back to the early days of gmail, which was pretty successful as well, despite the curious process.
Once you’ve received your invite, continue the process like:
creating an account – facebook login prompt
I opted in this test to sign up using Facebook, so when you click the Facebook link, you are directed to the Facebook login on behalf of Pinterest.com, like:
Once you login, you are faced with the option to go back to Pinterest, or fine tune your Facebook interface settings. Notice the default selection is to share with friends.
default settings for friend sharing
Note the notification that says by default this app will share “other activity” on Facebook. That seems like a very broad term for information sharing. If you are more privacy/security conscious, it may be a good idea to restrict the visibility like:
I changed it to look like this:
When you are finished customizing your Facebook sharing settings, select the “Go to App” button and it will take you back to the Pinterest.com signup page to continue the process of creating an account there.
Since there really isn’t a way to sign up without a Facebook or Twitter account as well, it would be difficult to totally isolate the information flow from those sources. Your best bet is to review your account settings in Facebook, and make sure you’re only sharing what you intend to share, as default permissions tend to be set more lenient than security/privacy fans might prefer.
Now you’ll have a chance to tell Pinterest.com what interests you might have:
This will continue to build a profile of what/who you might be interested in following.
You now have a chance to create your own Boards:
On the same screen it will highlight those who you may be already following. Next there is a screen where you can customize your tastes, again building the profile the service will target for specific interests:
Once you enter your interests, the next time you visit, you’ll see more subjects presented that relate to these preferences.
You now have an option to integrate Pinterest preferences with your browser, for another level of integration:
Now let’s look at some of the settings you might choose to adjust. You can access the settings under the menu shown below:
On the settings page you will see options to control how Pinterest.com integrates with Facebook/Twitter:
Notice that they are set to integrate by default. For those who want more privacy/security, it may be wise to disable the buttons above, thereby segregating the services a bit more. Notice how tightly the sharing may be integrated, including a feature to tap into your Facebook Friends yet another way.
Summary:
While Pinterest grabs market share and your friends become familiar with the service, expect more fine-tuned controls to be available. Being aware of these settings may help you have a more secure profile and sharing stance while using the service. It also may prevent sharing more information than you planned on, both now and in the future.
What else to watch for:
As with many websites that soar to popularity, we are already seeing scams like fake apps bundled with borderline or outright malicious functionality that users could download for smartphones like Android. The folks at gottabemobile.com point out an app, purportedly for using Pinterest on Android, was not an app at all, but a platform for scams. Many users would simply click through the installation prompts, only to find out later they’ve gotten more than they bargained for.
As Pinterest.com continues to catch on, expect more scams that try to do things like tricking users into revealing credentials through fake notifications, spam texts to your mobile devices, efforts at phishing and other emerging scams. As Pinterest.com grows, we will revisit this in a security series about the platform, helping to keep users safe online.
Security awareness, security breaches, and the abuse of “stupid”
Computer security is not created, nor is it improved, by calling people stupid. That's the conclusion I have arrived at after more than two decades in computer security and auditing. To put it another way, we should stop dropping the “S” bomb, especially when it comes to people who don't know any better.
Consider the phenomenon of people posting photos of credit cards on Facebook, a sort of self-inflicted security breach. Your first reaction might be “Is that stupid or what?”
In my opinion the “or what?” is a fair question, one that I thought about this President's Day, a day when a lot of credit cards in America get a good workout (with the notable exception of the one in this picture).
Note that what you're seeing is a doctored version of what actually appeared on Facebook, where the details on the front of credit card were clearly visible. These have been masked in this screenshot, along with other identifying information (I have tried to find out who produced the above image in order to give them credit, as it were, but so far I've not succeeded).
Also note that the person who posted the pic does not seem to be the card owner, so it's not a case of “stupid kid posts photo of his first credit card” which is how some bloggers described it (although I am sure there are cases of that kind as well). No, this is just a case of a person, possibly a parent, being proud of that “first credit card” moment, and wanting to share it with friends and family. This person was probably in the same state of mind as many other Facebook users who:
A. Think of Facebook as a place to share things with a few select friends, but have not adjusted their “share” settings accordingly, and;
B. Under-estimate the number of people who are willing to take advantage of their fellow human beings.
In other words “they don't know any better” and possibly lack the kind of life experiences that make other people think twice about putting a photo like that online. Now, I don't know what percentage of Facebook's 800+ million users are currently A+B positive, so to speak, but they represent a rich vein of potentially exploitable persons. Fraudsters and scam artists are keen to mine that vein, as evidenced by the constant appearance of new deceptions documented by websites like Facecrooks.
What should really be of concern to companies, and society at large, is that these A+B folks are not just a target on Facebook. Criminals are targeting users who lack security awareness across a wide range of information systems. They are crafting attacks that rely on exploiting digital device users who have little or no security training.
So the next time you hear infosec professionals bemoaning the stupidity of users you need to ask: “Are they stupid because they are ignoring the security training they received, or are they doing stupid things because we have failed, as an organization, and as a society, to teach them to know better?”
And while we're at it, what say we cut Shannon and Dustin a break!
Millions have not reviewed Facebook privacy settings: Here’s how
Here are two staggering Facebook privacy statistics: Nearly 13 million US Facebook users have never set, or don’t know about, Facebook’s privacy tools, and only 37 percent have used Facebook's privacy tools to customize how much information is shared with third parties. That's according to a Consumer Reports survey released earlier this month. Given that there are now over 900 million Facebook users, more than the population of most countries, and given the broad sharing that is Facebook's default privacy setting, those stats strongly suggest a lot of people have some online privacy catching up to do.
A few months ago we highlighted Facebook security settings and how to enable various protections. In this post, we delve more into granular control of your data privacy. By ratcheting down your privacy settings, you can have more control over who can get to your data, helping to keep your social networking experience positive, and potentially preventing problems before they occur.
Protect Yourself
When you log into your account, you can view or modify your privacy settings on a pulldown menu under “Home” on the top right of the page. Here’s what mine looks like:
When you get to the Privacy landing page, you might notice your default settings are set to “Public”; here we update them.
Notice this is targeted at your default sharing options; you can also change them for specific items on the site by using the inline audience selector, but here it’s a good idea to select “Custom” and specify what fits your needs. Here’s what’s shown by default:
That’s a little too public for many, so I set the default visibility to “Only Me”, keeping in mind that you can use the inline audience selector to widen the audience of particular data you want to share, but if you don’t, the default will be to keep it more private.
Notice you can also explicitly list people or lists you DON’T want to share things with, a sort of data sharing blacklist, which you may find useful if you opt to share with others but want to restrict certain aspects more granularly. If you select this option you are also presented with a note saying:
That means if you tag someone in a photo, for example, they will be able to view the photo, even though you don’t explicitly opt to share it.
Now let’s look at ways other people can access your profile information. We start by selecting the “Edit Settings” link back on the Privacy Settings page:
The default settings show “Everyone”, shown below:
These default settings are a little too permissive for my tastes, so I ratchet them down like this:
This setting keeps my profile a little more private. Back at the Privacy home page, let’s take a look at “Profile and Tagging” to control how information gets tagged and shared:
Here we can ratchet down who can post to your wall, who can see posts tagged in your profile, and so on. Below is the default:
I would prefer to restrict more content to friends only, so I change it to reflect that preference:
Also, you might want to control who can tag you in their content by enabling “Review posts friends tag you in before they appear on your profile” if you choose to restrict that.
Next we restrict past post visibility, which is a good idea if you’ve had a lot of posts in the past, and you’d prefer more granular control over how that information is shared:
When you edit this section, you are presented with a screen warning you about restricting past posts, warning that since it’s a global change, you may also choose to just restrict specific posts, rather than across your whole profile. Continue past this warning by selecting “Limit Old Posts.” You will be asked to confirm this choice, warning that this change may not be easy to undo.
Next we take a look at “Blocked People and Apps”, a sort of blacklist for specific functionality:
Click on “Manage Blocking” link, which opens the following dialog box:
This functionality can come in handy if you have been getting unwelcome interactions from someone on your friend list. Also, note that once you add a user to your Restricted List, they aren’t notified of the change, which is handy for dealing with potentially pestering friends wanting to know why you’ve changed your settings.
Summary
These are some of the basic protections that will help control the data sprawl of your private information. Of course, Facebook updates its security and privacy settings on fairly regular intervals, so we will provide updates from time-to-time. In combination with our earlier security post, this privacy primer should go a long way toward keeping your social networking safer and prevent problems with your personal data spreading further than you planned or expected. If you find this post helpful, or have any Facebook privacy tips you'd like to share, please let us know in the Comments below.