
KnowBe4 Security Awareness Training Blog


Scam Of The Week: Starbucks Gift From a Friend Phishing Emails

 

Love your tall latte? Better watch it, as a "friend" might send you an email with a fake Starbucks Coffee gift offer.

These emails read something like this, in broken English: "Your friend just made an order at Starbucks Coffee Company a few hours ago. He pointed he is planning to make a special gift for you and he have a special occasion for that. We've arranged an awesome menu for that case that can really surprise you with our new flavors."

They then go on to describe the whole menu and when you can come over and celebrate the day with your friend. The only thing you need to do is (of course) open the attachment.

Granted, Starbucks does have options for people to give gifts to friends, but this phishing attack has nothing to do with that. There are several red flags: the language is broken, the emails come from hacked Yahoo and Gmail accounts, and they are sent flagged "high importance."

The malicious attachment carries a variant of the ZeuS banking Trojan, attached directly without any attempt to hide it, which installs itself as a hard-to-remove rootkit. The senders are probably hoping you get so excited about the free offer that you ignore all the warnings your email client gives you. Don't fall for it. Think Before You Click!
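A mail-gateway triage rule built from the red flags named above (free-webmail sender, "high importance" flag, a directly attached executable, and the lure's phrasing), as an added example that is not KnowBe4's code; the two messages it scores are constructed here, and the scoring weights and quarantine threshold are assumptions.

```python
"""Triage rule for the 'Starbucks gift from a friend' lure.

Added example, not code from the original post. It parses a raw RFC 5322
message with the standard library and scores it on the red flags the post
lists. Both sample messages below are constructed for this example.
"""
from email import message_from_string, policy
from email.utils import parseaddr

FREE_WEBMAIL = {"yahoo.com", "gmail.com"}       # sender domains the post calls out
RISKY_EXTENSIONS = (".exe", ".scr", ".zip", ".com", ".pif")
LURE_PHRASES = ("starbucks", "special gift", "made an order", "awesome menu")
QUARANTINE_THRESHOLD = 3                          # assumed cut-off, not from the post

# Constructed sample: the lure as described, sent 'high importance' with an .exe attached.
SCAM_MESSAGE = """\
From: "A Friend" <friend123@yahoo.com>
To: you@example.com
Subject: Starbucks Coffee Gift
X-Priority: 1 (Highest)
Importance: High
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; charset="us-ascii"

Your friend just made an order at Starbucks Coffee Company a few hours ago.
He pointed he is planning to make a special gift for you.
We've arranged an awesome menu for that case. Open the attached voucher.

--B1
Content-Type: application/octet-stream; name="gift_voucher.exe"
Content-Disposition: attachment; filename="gift_voucher.exe"
Content-Transfer-Encoding: base64

dGVzdA==
--B1--
"""

# Constructed sample: a harmless internal note that merely mentions the brand.
LEGIT_MESSAGE = """\
From: Alice <alice@corp.example>
To: you@example.com
Subject: Lunch tomorrow?
Content-Type: text/plain; charset="us-ascii"

Want to grab a coffee at Starbucks tomorrow at noon? My treat.
"""


def sender_domain(msg):
    """Lowercase domain of the From address, or '' if there is none."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def attachment_names(msg):
    """Lowercased file names of every part that carries a filename."""
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]


def score_message(raw):
    """Return (score, reasons) for one raw message; higher means more suspicious."""
    msg = message_from_string(raw, policy=policy.default)
    score, reasons = 0, []
    if sender_domain(msg) in FREE_WEBMAIL:
        score += 1
        reasons.append("free webmail sender")
    # Outlook-style priority flags: X-Priority: 1 or Importance: High
    if msg.get("X-Priority", "").startswith("1") or msg.get("Importance", "").lower() == "high":
        score += 1
        reasons.append("sent with high importance")
    names = attachment_names(msg)
    if names:
        score += 1
        reasons.append("has attachment")
        if any(n.endswith(RISKY_EXTENSIONS) for n in names):
            score += 1
            reasons.append("executable/archive attachment")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (body.get_content() if body else "").lower()
    hits = [p for p in LURE_PHRASES if p in text]
    if len(hits) >= 2:                            # one brand mention alone is not a lure
        score += 1
        reasons.append("lure phrasing: " + ", ".join(hits))
    return score, reasons


def triage(raw):
    """Gateway decision: 'quarantine' for review or 'deliver'."""
    score, _ = score_message(raw)
    return "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"


if __name__ == "__main__":
    for label, raw in (("scam", SCAM_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, triage(raw), score_message(raw))
```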

What's The Best Free Antivirus For Windows 8?

 

Use the free built-in antivirus called Windows Defender? Use a free tool like Avast? Buy a third-party tool?

The situation is an interesting one. Redmond is walking a tightrope here. On the one hand they do not want to tick off their third-party security partners; on the other hand they do not want millions of users left unprotected because they do not want to, or cannot, put AV on their machines for a variety of reasons.

So what I seem to observe here is that they make both sides (AV vendors and users) "moderately unhappy" as a compromise, but meanwhile provide a very efficient AV engine that protects against what is -really- out there now. Kind of like Audi under-reporting the horsepower of some of their high-end cars.

Here is what Holly Stewart, a senior program manager at the Microsoft Malware Protection Center, told Dennis Technology Labs: Security Essentials -- by design -- will "always be on the bottom" of antivirus software rankings.

The reason, per Stewart, is that in 2011 Microsoft decided it didn't make sense to fixate on developing the best antivirus software in the industry -- which at times relies on effectively gaming third-party tests that don't necessarily reflect real-world threats. (Having been inside the AV business, I can say this is actually true.)

The company shifted toward focusing on "prevalent threats," Stewart said. "We developed this new telemetry to look for emerging threats -- sort of an early notification system that new threats were emerging. We had this group of folks start focusing on those threats and we saw that it increased our protection service level for our customers. We're providing all of that data and information to our partners so they can do at least as well as we are," Stewart said. "The natural progression is that we will always be on the bottom of these tests. And honestly, if we are doing our job correctly, that's what will happen." Stewart said Microsoft was "doing everything we can to protect against real threats" and passing data on those threats to antivirus makers, so multiple parties can target the problems.

So my take on this question is that the best free AV for Win8 is Windows Defender (and I am running it on my home and office PC now) BUT AV IS NOT ENOUGH... so I am also running the beta of our upcoming whitelisting product in tandem with Redmond's protection, and the combination of the two has not let me down yet. Want to participate in the beta? Fill out the survey at the bottom of this page:

http://www.knowbe4.com/project-malwareshield/

Phishing Attacks Work Best On Wednesday, Coming From IT

 

Graph: Mandiant M-Trends report.

I had a look at the recent Mandiant M-Trends report. Interesting stuff. They observed that employees seem to fall for hacking tricks mostly on Wednesdays, and are most likely to click on phishing links that appear to come from IT in their own organization. The graph above is just a snippet of much more interesting data.

Laura Galante, manager of threat intelligence for Mandiant, told SCMagazine.com in an interview that the social engineering trend remained a common attack method through the first quarter of this year, as well. "We were able to go in and see the initial compromise, in this case, [by] looking at spear phishing emails," Galante said. More at SC Magazine.

Funny thing is that well over three years ago we standardized on an email that appears to come from IT in our baseline Phishing Security Test, which is the start of our Kevin Mitnick Security Awareness Training program.

CyberheistNews Vol 4, # 15 Scam Of The Week: Heartbleed Phishing Attack

 

Editor's Corner


Scam Of The Week: Heartbleed Phishing Attack

The Heartbleed vulnerability truly is causing almost everyone a major headache. Talk about a FIRE that needs to be put out. On a scale of 1 to 10, this is an 11.

And to throw some gasoline on this fire, hackers are sending out phishing emails related to Heartbleed. One of these tries to trick users into handing over passwords that have not been compromised yet!

A list of more than 10,000 domains that were vulnerable, patched or unaffected by the bug was found on Pastebin by Easy Solutions. The fraud prevention company believes hackers are most likely behind the list.

"A lot of time what these guys will do is dump a list of inventory on Pastebin, cut that link and then share the link with their friends on a (underground) forum," Daniel Ingevaldson, Chief Technology Officer for Easy Solutions, said. "So, it's essentially a billboard for a service."

World-wide scans are now going on across the whole 'Net. Many of these are legit scans, but the bad guys are not sitting still and are also looking for potential victims. "We're seeing a systematic canvassing of the entire Internet right now to see what's vulnerable and what isn't," Ingevaldson said. "It's a bit of a gold rush."

Tell your users to watch out for any emails (or scam phone calls) that relate to the Heartbleed bug. Links in such emails should not be followed and attachments should not be opened, and if they want to change a password, they should wait until that site has announced it is patched, then go to that site directly rather than clicking a link to get there. Oh, and if you want to send them a simple, funny cartoon that explains the (simple, stupid) bug, here is a recent xkcd cartoon that does just that:
http://xkcd.com/1354/

KnowBe4 has a new Current Events simulated phishing attack related to the Heartbleed bug so our customers can send this to their users and inoculate them against this attack.

Regarding your own IT environment, Roger Grimes over at InfoWorld has a very good write-up. This thing is more pervasive than you think. Grimes said: "There's a very good chance that if you can connect to an SSL-/TLS-based service and it's not running Microsoft Windows or Apple OS X, it's vulnerable. This includes most VPN appliances, copy machines, and even most appliances. If you can connect to it using HTTPS, and it's not running on Microsoft Windows or OS X consider it vulnerable until proven otherwise. Do your best due diligence to make sure that you and your company are covered. This isn't just about external, Internet-facing websites. The bad guys routinely get on the internal networks and you can bet that they will be looking for vulnerable versions of OpenSSL with vigor." Read his full article here:
http://www.infoworld.com/d/security/the-heartbleed-openssl-flaw-worse-you-think-240231?

Wall Street Journal Quoted Me Regarding Ransomware Phishing Attacks

This week, Wall Street Journal MarketWatch reporter Priya Anand quoted me in an article she wrote about the new wave of ransomware phishing attacks.

She started out with: "Malware attacks that hijack your computer files until you pay a ransom increased by 500% from January to December last year, reaching 600,000 identified cases, according to a report released Tuesday by the security software company Symantec. And the kidnappers may not take cash. The criminals increasingly demand cryptocurrencies like bitcoin as payment, and have raked in some tens of millions of dollars in the last year."

And here is my quote: "The criminals often give their victims a decryption key to get back their files after receiving a ransom. For small businesses that haven't backed up files, it becomes a game of chance," says Stu Sjouwerman, CEO of the Clearwater, Florida-based security consulting and training company KnowBe4. "If you have a choice between losing a month's worth of work or playing the game, you're going to…just pay up and hope it doesn't happen again," he says. (Unless you step your users through effective Kevin Mitnick Security Awareness Training, that is...)

Here is the article, recommended to forward to your C-level; it's in the WSJ!
http://www.marketwatch.com/story/data-kidnappers-hold-your-files-for-ransom-2014-04-08

Quotes of the Week

"Judge a man by his questions rather than his answers." - Voltaire, Writer and Philosopher (1694 - 1778)

"Don't judge a man by his opinions, but what his opinions have made of him." - Georg Christoph Lichtenberg, Scientist (1742 - 1799)


Thanks for reading CyberheistNews! Warm Regards, Stu Sjouwerman | Email me: feedback@knowbe4.com

Which Security Awareness Training Has The Best Results?

A new whitepaper from Osterman Research shows which of the 5 types of awareness training has the best results.

Well over 200 organizations were asked questions related to their awareness training, malware infiltration, and if their problems with phishing were worse, the same or getting better. Research showed that an organization's Security Awareness Confidence Score varies significantly depending on the awareness training type they use.

Download this whitepaper and find out which awareness training approach correlates with improvement of the phishing problem.
http://info.knowbe4.com/whitepaper-osterman-14-04-15


More Than Half Of End Users Did Not Get Security Awareness Training

This week I attended a webinar about Security Awareness Training hosted by David Monahan, Research Director Security and Risk Management of Enterprise Management Associates.

Some astonishing numbers came out of this study of 600 employees. A whopping 56% of end-users state that they did not get any security awareness training from their employer.

Think about that for a moment, and how that translates into behavior like opening attachments infected with ransomware. Yikes. Next, the other 44% stated that they received their once-a-year training. That is almost just as worrisome, because being reminded once a year not to click on bad links simply does not hack it (pun intended) these days. Recent scientific research shows that even being reminded every 90 days not to click on phishing links is completely ineffective.

Having no training obviously leads to all kinds of security policy violations, first because they simply do not know about them, and second because they simply don't care. Here are some more hair-raising statistics:

 

  • 59% say they store work information on cloud services
  • 58% of respondents say they store company-sensitive information on their personal devices
  • 35% of the respondents say they have clicked on an email link from an unknown sender
  • 33% say they use the same password for both work and personal devices
  • 30% say they leave mobile devices unattended in their vehicles

 

This is the Internet equivalent of taking candy from strangers. "People repeatedly have been shown as the weak link in the security program," stated Monahan. "Without training, people will click on links in email and release sensitive information in any number of ways. In most cases they don't realize what they are doing is wrong until a third-party makes them aware of it."

Words straight out of my mouth, and I'm glad someone else is confirming the sorry state of affairs with security awareness training. More @hackbusters: http://www.hackbusters.com/news/stories/36193-majority-of-users-have-not-received-security-awareness-training-study-says


Fake Anti-Virus App Gets 10,000 Downloads on Google Play

When you do not provide effective security awareness training, people get social engineered ALL the time. For a short time, the fake app was the Top New Paid app on Google Play, but the app simply was a total scam and did nothing at all.

Android Police reports on a new Android app called Virus Shield, first made available on the Google Play store on March 28, 2014 for $3.99. Open the app and tap the shield, and an X changes to a check mark, apparently indicating that your device is now protected. Hah.

"Let's not mince words here," writes Android Police's Michael Crider. "This is fraud, pure and simple, and the developer 'Deviant Solutions' potentially made considerable amounts of money based on a complete lie." The app has since been removed from Google Play, and the developer's account has been suspended. More @hackbusters: http://www.hackbusters.com/news/stories/36217-fake-anti-virus-app-gets-10-000-downloads-on-google-play


The History Of Malware Samples In Numbers

Virus Bulletin came up with some interesting historical facts. In 1989, when the very first Virus Bulletin rolled off the press (produced in a black-and-white, printed pamphlet style), there was only one subscriber and there were only 14 viruses known for the IBM PC. Five years on in 1994 there were over 3,000 viruses known to researchers, and here are the approximate numbers from there on out.

These numbers are an aggregate from several sources like AV-test, and antivirus vendors like Symantec, Sophos and Avast. As you can see, this is exponential. New malware strains are created on an industrial scale at about 1,000,000 a week now. No wonder that traditional antivirus can't keep up anymore and that it's time to "do a 180" and use a whole new way to protect workstations...

1989 = 14
1994 = 3,000
2002 = 15,000
2003 = 28,000
2004 = 90,000
2005 = 103,000
2006 = 124,000
2007 = 711,000
2008 = 11,600,000
2009 = 30,000,000
2010 = 46,000,000
2011 = 63,000,000
2012 = 70,000,000
2013 = 80,000,000
2014 = 130,000,000 est

The graph is at our blog where I have this posted as well. Always good ammo to show users and management to illustrate the malware challenge:
http://blog.knowbe4.com/bid/382586/The-history-of-malware-samples-in-numbers


Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

Old but amazing! Bob Hoover is one of the world's greatest aviators, with unbelievable flying skills. Watch him pour iced tea while the plane is doing a roll! It's an Aviation Special Faves this week:
http://www.flixxy.com/bob-hoover-flying-ace.htm?utm_source=4

An Airbus A310 of the Portuguese Airline TAP makes an incredibly low pass turn at the 2007 Airshow in Evora. Watch that wingtip -almost- touch the ground:
http://www.flixxy.com/airbus-a310-air-show.htm?utm_source=4

Wouldn't it be nice to get a singing reception when you arrive at the airport? No instruments were used in this film, although I suspect they recorded it in the studio first, and then redid it live:
http://www.flixxy.com/welcome-back-heathrow-airport-t-mobile.htm?utm_source=nl

The world’s smallest twin-engine airplane has a wingspan of 16 feet, weighs 158 pounds, runs on two 15 hp engines, cruises at 120 mph, has a range of 310 miles and can even do aerobatics! (first 2 minutes):
http://www.flixxy.com/worlds-smallest-twin-engine-airplane.htm?utm_source=4

And staying with small planes: featured in the James Bond flick "Octopussy", the Bede BD-5J is the world's smallest jet aircraft:
http://www.flixxy.com/worlds-smallest-jet-plane-bd5.htm?utm_source=4

And here is the exciting future of small planes - The Quiet Supersonic Transport (QSST) aims to redefine air travel in the 21st Century:
http://www.flixxy.com/super-sonic-business-jet.htm?utm_source=4

Last bit of very cool brand new technology. A bionic kangaroo. Really:
http://youtu.be/mWiNlWk1Muw

A huge herd of elk crossing the road in Montana near Yellowstone Park. Cute ending:
http://www.flixxy.com/huge-herd-of-elks-crossing-with-an-ending-that-will-make-you-smile.htm?utm_source=4

Last but not least, this is a 6-minute essay that you should really watch:
http://www.flixxy.com/the-long-road-to-success.htm?utm_source=4

 

Pirated PC's And Software Loaded With Malware

 

Here is another reason why buying legitimate operating systems and application software is a good idea. A new study conducted by IDC and commissioned by Microsoft reveals some troubling statistics that illustrate the depth of the global malware and pirated software problem. The study, published this month, found that nearly 46 percent of computers purchased from common distribution sources – such as computer specialty shops, resellers, and local markets – came with dangerous malware, including viruses, worms, Trojan horses, rootkits, and unwanted adware.

How come? These non-brand PCs had a pirated version of Windows on them, so that the vendor could make higher margins on the sale. But the machine is infected with malware from the get-go and Microsoft's defenses are turned off. Conclusion? Only buy PCs from major, international brands and not from a guy at your local strip mall. (Tip o' the hat to PC Pitstop.)

 


 


New Whitepaper: Improving the Compliance Management Process

 

We are excited to announce a new whitepaper that covers important compliance requirements that you are obligated to satisfy, provides some high-level recommendations about what you can do to address these issues, and offers a brief overview of a tool that helps you better manage these compliance problems.

The whitepaper is called "Improving the Compliance Management Process". One of the conclusions of the research is that only 13% of the organizations Osterman surveyed are “very satisfied” with the way that they manage regulatory compliance issues, despite the fact that 63% consider regulatory compliance to be “very important”.

Moreover, Osterman's research found that you typically spend 19% of your compliance and audit time each year on tracking requirements and another 31% on gathering and maintaining audit evidence. Because these two activities alone consume fifty percent of your compliance efforts, improving the process of just these two requirements can save you significantly on overall compliance costs both in time and budget.

There Is No "Unregulated" Industry

All organizations must deal with compliance obligations. These range from relatively minimal obligations that focus only on protection of certain types of records; to very strict obligations to monitor and sample employee communications, retain a wide range of record types for long periods of time, and to protect the confidentiality of highly sensitive customer information. Consequently, all organizations must satisfy varying levels of compliance obligations – the only difference between a “heavily” regulated vs. a “lightly” regulated one is in the number and invasiveness of the regulations that they must satisfy.

Organizations in some of the more regulated industries – for example, financial services, insurance, healthcare, energy, government, education and life sciences – must deal with a large and growing number of compliance obligations. A failure to satisfy these obligations can result in serious consequences, including fines, sanctions or even business closure.

Complicating the problem is the fact that there are regulations at the federal, state and local level; not to mention the variety of industry-focused and international regulations that organizations must satisfy. Moreover, many of these regulations are in a continual state of flux as regulators modify and add to the body of regulations to which organizations are subject.

Managing Compliance Is Cumbersome And Expensive

Many organizations satisfy their compliance obligations using manual processes focused on maintaining spreadsheets or using out-of-date software to help compliance managers keep the organization as close to full compliance as possible. Moreover, compliance obligations are managed with a significant amount of labor, which drives up costs beyond where they would be if a more automated and holistic approach for compliance management were available.

To understand the high cost of conventional compliance management processes, Osterman Research conducted a survey of organizations in a variety of industries. Using a subset of their survey sample to eliminate outliers, they found that the combination of labor and expenditures on tools and services totals $523.93 per employee per year, which translates to a cost of $43.66 per month.

Next Steps

Osterman Research recommends that any organization that must satisfy compliance obligations take a multi-step approach toward reducing its compliance costs and improving its ability to satisfy its compliance obligations. The whitepaper with these steps is available for download here.

 




CyberheistNews Vol 4, # 14

 

Editor's Corner


Backup Failures And Ransomware Phishing: Recipe For Disaster

With system administrators in the crossfire between cybergangs wielding sophisticated ransomware like CryptoLocker on one side and CryptoDefense on the other, it's likely many of them have had backups and disaster preparedness on their minds. And that is a smart thing to do, because it looks like their backup efforts need a boost.

Baseline Magazine recently reported on the findings from cloud storage provider TwinStrata, who "indicate that companies are plagued by backup issues— even when no emergencies threaten their data. The majority of respondents say they're experiencing multiple backup failures each year. Despite the fact that most organizations say the volume of data they need to back up is increasing, more than half of them aren't backing up applications daily. And when a disaster does hit, nearly two-thirds say it takes days to recover."

If over 50% of companies have problems with backups, and if end-users are not getting effective security awareness training (so that they will not open ransomware phishing attachments and get their workstation infected and files encrypted), that's an accident waiting to happen, costing days of lost production time. End-users are the first line of defense, and to prevent a whole bunch of lost files, lost time, or both, they need to get trained and constantly sent simulated phishing attacks so that they stay on their toes and keep security top of mind.

The 7 Steps Of The Cyber Kill Chain

Cyber security professionals are slowly but surely grabbing more and more military jargon. No surprises there, with a possible cyberwar brewing. The "kill chain" is a traditional warfare term most often used by the US Air Force as the command and control process for targeting and destroying enemy forces.

Over the last 12 months this "kill chain" concept has made it into cyber security marketing. Many vendors have come up with models, but Websense recently broke it out into a well-defined seven-stage model of how cyber criminals get to their victims. Not every attack uses all of these steps, but often this is how attacks go down. Here is what it looks like:

1) Initial reconnaissance
2) Crafting a phishing lure to encourage the victim to click
3) Redirecting the victim to a compromised server
4) Using an exploit kit to scan for vulnerabilities and zero-days
5) Dropping malware onto the victim's machine
6) Calling home to the command & control server
7) Exfiltrating (or encrypting) data and taking over the workstation

 

Cyber security vendors are using these steps to explain how their products will disrupt the criminal process. These steps are also useful for you as an IT pro, so you can assess your own network and see how you can best defend against cyber attacks.

Arthur Wong, HP senior vice-president and general manager of HP Enterprise Security Services (ESS) globally, told ZDNet at a media briefing last Wednesday: "The bad guys, the adversaries, they collaborate way more than governments, and way more than commercial industries do themselves. When anyone wants to even launch an attack out there on a particular company, they're going to go into chat rooms and ask, 'Hey does anybody own a computer or a system inside this company?', and someone will put up their hand, or they'll know someone else, and a deal is negotiated".

I have been talking a lot about the criminal ecosystem the last few years. It's becoming more specialized, aligned with the 7 steps in the kill chain. According to Bob Hansmann, Websense's director of product marketing, cyber criminals now provide tailored services for every step of the kill chain, and even have aggregators that pull together whole attack campaigns.

Stay careful out there.

14 Things That Definitely Should Not Be On The Internet, But Are

You would think that after the recent few years of press showing the risks of the Internet, people would wise up. But no. To my astonishment it's getting worse, not better. Just have a look at this InfoGraphic that shows 14 things that absolutely should not be hooked up to the Net, but are, and worse, have weak passwords. Un-friggin-believable. If this is what the "Internet of Things" is going to look like, I want to get off this planet. Things like the entire traffic control system of Los Angeles, water plants and hydroelectric plants. Augh! Just check out the InfoGraphic at our blog and shiver. (Hat tip to WhoIsHostingThis)
http://blog.knowbe4.com/bid/381750/14-Things-That-Definitely-Should-Not-Be-On-The-Internet-But-Are

Quotes of the Week

"Happiness resides not in possessions, and not in gold, happiness dwells in the soul." - Democritus, Philosopher (460 BC - 370 BC)

"Attitude is a little thing that makes a big difference." - Winston Churchill, Statesman (1874 - 1965)


NEW: Full Free Preview of the 2014 Kevin Mitnick Security Awareness Training!

You May Qualify For A Full Free Preview. You know that your employees are the weakest link in your organization’s IT security. You are looking for an effective approach that will protect your network against phishing attacks. This free preview gives you access to the full new 2014 version of the 30-40 minute training. The preview is free, and after you decide to sign up, your yearly subscription allows you to both train all employees and to schedule simulated phishing attacks to all employees, with tracking of ‘who clicks when’. You can also check out the 15-minute APT version in 9 languages and the modules Mobile Device Security, PCI Compliance Simplified, and Handling Sensitive Information. Sign Up For Your Free Preview Now:
http://info.knowbe4.com/kmsat-preview-14-04-08


New Crop Of CyberCrime InfoGraphics

It's April and here is a new crop of fresh, fragrant Cybercrime InfoGraphics. The first of these I mentioned in the Editor's Corner, but there are 13 more. With some of these you will have an "OMG how can they be SO stupid" moment. With others you might learn some factoids that you had not run into before, so here goes:
http://www.hacksurfer.com/posts/19-new-cybercrime-infographics-march-2014


Final Fixes For XP -- And A Way To Keep It Running Safely

Windows XP End Of Life is today after a 12-year run. Unbelievable that it lasted this long, and then to think that tens of millions of machines will be running it a few years longer, some even forever in a virtualized state. Bill Gates would -never- have envisioned that.

Redmond last week released its advance notification for today's April 8 Patch Tuesday, which carries the final security updates for Windows XP and Office 2003. There will be four patches, two of which are rated critical. One of the flaws that will be fixed is an RTF file handling issue in Word that is being exploited in limited, targeted attacks.

If you are upgrading to Windows 7 or 8 as part of getting rid of XP, take the opportunity to upgrade your security policy and procedures while you are at it, and train your users on the new rules.

Look at locking down admin privileges, have Windows auto-update turned on by default, turn browser security settings up to paranoid, and consider deploying application whitelisting as a whole new way to protect your network.

Whitelisting is a very successful way to get a few more years of life out of XP in case you cannot get rid of it yet. Did you know that the Australian Government has made whitelisting mandatory for -all- their workstations? Learn more:
http://www.knowbe4.com/project-malwareshield/
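As an added example of the whitelisting step recommended above (this is not code from the newsletter or from KnowBe4's MalwareShield project), here is how a Windows 7/8 migration target can be put under AppLocker control without breaking users on day one: generate rules from a clean reference build, deploy them in audit-only mode, and review what would have been blocked before enforcing. It assumes Windows 7 Ultimate/Enterprise or Windows 8 Enterprise (the editions that ship AppLocker), an elevated PowerShell session, and the directory and file names shown, which are placeholders. AppLocker does not exist on Windows XP; the built-in option there is Software Restriction Policies, so an XP whitelist has to be built with that or a third-party agent.

```powershell
# Added example: AppLocker executable whitelist from a reference build,
# deployed in AuditOnly mode first. Not KnowBe4's code; run as Administrator.
# Paths and the sample file name below are assumptions for illustration.

$PolicyPath = 'C:\Policies\AppLocker-Audit.xml'   # assumed output location
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null

# 1. Inventory executables in the trusted locations of the reference machine.
$Dirs = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
$FileInfo = foreach ($d in $Dirs) {
    if (Test-Path $d) {
        Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe
    }
}

# 2. Build rules: Publisher rules for signed binaries, Hash rules as the
#    fallback for unsigned ones. Path rules are deliberately not used, since
#    a rule on a user-writable path would reopen the hole whitelisting closes.
$Xml = [xml](New-AppLockerPolicy -FileInformation $FileInfo `
                -RuleType Publisher, Hash `
                -User Everyone `
                -RuleNamePrefix 'Baseline' `
                -IgnoreMissingFileInformation `
                -Optimize -Xml)

# 3. Switch every rule collection to AuditOnly: nothing is blocked yet, but
#    each execution the policy WOULD block is logged as event ID 8003.
foreach ($rc in $Xml.AppLockerPolicy.RuleCollection) {
    $rc.EnforcementMode = 'AuditOnly'
}
$Xml.Save($PolicyPath)

# 4. AppLocker only evaluates rules while the Application Identity service runs.
Set-Service   -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 5. Apply to the local policy (add -Merge to keep rules that already exist).
Set-AppLockerPolicy -XmlPolicy $PolicyPath

# 6. Dry-run: a known-good system binary plus whatever landed in Downloads
#    (the kind of place a "Starbucks gift" attachment ends up).
$Candidates = @('C:\Windows\System32\notepad.exe') +
    @(Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName)
Test-AppLockerPolicy -XmlPolicy $PolicyPath -User Everyone -Path $Candidates

# 7. After a pilot period, list what users ran that enforcement would block.
#    Legitimate entries need a rule; everything else is a finding to chase.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-Table -Wrap
```

Only once the 8003 audit log has gone quiet for the pilot group should the EnforcementMode be changed to Enabled and the policy pushed out through Group Policy; flipping straight to enforcement is the usual reason whitelisting projects get rolled back.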


The April SANS OUCH! Has Arrived

SANS said: "We are excited to announce the April issue of OUCH! This month, led by Guest Editor Eric Conrad, we discuss why you are a target, how cyber criminals are targeting you and what you can do to protect yourself. As always, we encourage you to download and share OUCH! with others." English Version (PDF):
http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201404_en.pdf


Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

Remember that you can get the very latest Trending, Most Popular and Recent IT security news at the new hackbusters site!
http://www.hackbusters.com/

Pay close attention. Your attention is being diverted. Will you spot the changes? With over 6 million views, "The Colour-Changing Card Trick" by Richard Wiseman has become a YouTube classic:
http://www.flixxy.com/color-changing-card-trick.htm?utm_source=4

Can you imagine living on a tiny planet like that of 'The Little Prince'?
http://www.flixxy.com/360-degree-spherical-panorama.htm?utm_source=4

The Flying Shanghai Circus Acrobats with their amazing performance at the International Circus Festival of Monte-Carlo. Some awesome routines!
http://www.flixxy.com/flying-trapeze-with-the-greatest-of-ease.htm?utm_source=4

The amazing things Andrew Kelly can do with a deck of cards will blow your mind:
http://www.flixxy.com/magician-andrew-kelly-amazes-ellen.htm?utm_source=4

This is the first time in history that a meteorite has been filmed in the air during dark flight - after it has burned out. And almost killed someone:
http://www.flixxy.com/skydiver-films-meteorite-nearly-hitting-his-parachute-full-story.htm?utm_source=4

The Buoyant Airborne Turbine (BAT) uses a helium-filled, inflatable shell to lift to high altitudes where winds are stronger and more consistent than those reached by traditional turbines:
http://www.flixxy.com/the-next-generation-of-wind-power.htm?utm_source=4

Amazing Magic Trick! Master Magician Kevin James performing in Las Vegas on America's Got Talent. I have no idea how he does it! Watch it twice:
http://www.flixxy.com/cutting-edge-magic.htm?utm_source=4

To end off, this cartoon (I thought) was very funny...
http://abstrusegoose.com/432
