That is the question!

Given this week?s (alleged) security lapses, I felt it would be prescient to bring up the subject of macro-enabled worksheets. They?re ubiquitous. Almost all authorities that we deal with serve up some kind of spreadsheet-as-an-input-form via their websites (I?m looking at you LEED ?). Invariably, they include some kind of active content to add extra inputs or hide/ show elements.

Furthermore, these things are typically password protected; secure enough to keep a pleb like me out, but not secure enough to keep a determined state-actor out. Considering how such an entity probably could compromise a website or server, we are all just two fragile steps away from downloading a Trojanized workbook that quietly seeks out sensitive content on our private company networks.

This kind of tool (as an email attachment) is essentially how Sony pictures were hacked in 2014, and the Bank of Bangladesh had close to US$ 1 billion raided from its foreign currency reserves. I?ve been listening to ?the Lazarus heist? podcast recently on BBC sounds (also on Spotify if not available in your region). https://www.bbc.co.uk/sounds/brand/w13xtvg9

Let?s stay 100% on OPSEC ?

Chris