KnowBe4 Security Awareness Training Blog

Kevin Mitnick Selling 0-day Exploits Is A Good Idea

OK, so here is my take on the recent hatchet job by WIRED Magazine.

I have been aware of Kevin's new 0-day business venture for more than 6 months. Kevin told me about the idea early this year and I saw beta versions of his new website before they went live. There is a market for these types of 0-days, and no reason not to jump into that market if you are able to assess the value of a 0-day correctly. (Note that the 0-day trade is done within Mitnick Security, not KnowBe4).

The actual problem is that there are many hundreds of unknown zero-day threats out there, that NO antivirus engine can protect against. These 0-days are spread over dozens of popular apps. And as we recently saw, even AV engines themselves are riddled with 0-days.

Various organizations buy these from specialized companies like British/German FinFisher, the French company Vupen, and an Italian company called "Hacker Team" (yes, really). Cyber mafias buy them from independent criminal researchers. The spear-phishing attacks that target your company are laced with these 0-days. No AV is going to be effective against that. We need to get more of these 0-days above water.

Hacking can be used for good and bad; it's a matter of intent. If security researchers spend months digging up a major 0-day and want to monetize it by selling it to the software vendor that wrote the offending code, I'm all for it. Often software companies offer bug bounties inviting people to do just that. The WIRED article sensationalized Kevin's idea and made it look controversial. What else is new with the press? There's actually a benefit the WIRED article overlooked, and that's that this has the potential to pull (part of) the black market for 0-days into a legit sphere. Kevin commented: "Yes, our plan is to sell bugs to the software vendor that created it. Not to NSA and foreign entities, etc. The buyers are vetted as well-known reputable companies. This is really a private bug bounty but we pick the price not the vendor."

My take is that you cannot buy this kind of advertising. Any PR expert will tell you that any press is better than no press, even if it is controversial. WIRED magazine just provided Kevin with millions of free advertising for this new sideline.

So, in short, tempest in a teacup. :-D

Warm regards,

Stu

Home Depot Hack Turns Into Criminal Negligence Scandal

Wait for the class-action lawsuits to get unleashed. The lawyers are going to be over this one like white on rice. Ex-employees from the Home Depot IT technology group are now claiming that the retailer's management had been warned for years that their Point Of Sale systems were open to attack and did not act on these warnings. Several members of the Home Depot IT security team quit their jobs in protest.

It gets worse. In 2012, Home Depot management hired Ricky Joe Mitchell as their Senior IT security architect, apparently without doing their due diligence and background check. Turns out that Mitchell had been fired from a company called EnerVest Operating, where he sabotaged that company's network for 30 days in an act of revenge.

It gets even worse. Mitchell was kept on the job at Home Depot even after his indictment a year later, and remained in charge of Home Depot security until he finally pled guilty to federal charges in Jan 2014.

Wait, we're not done yet. Things are worse than _that_. The same ex-employees claim that Home Depot relied on antivirus that was not being updated with new antivirus definitions, a version of Symantec AV purchased in 2007.

And here is the next epic fail. As we all know, to be PCI compliant, you need quarterly security scans, done by authorized third parties. However, vulnerability scans were only done irregularly, and most of the time only on a relatively small number of stores. A few IT security ex-employees said that their team was blocked from doing security audits on machines that handled customer data.

And to add final insult to injury, in a total disregard for best practices, the Home Depot didn’t run any kind of behavioral network monitoring, which means they were not able to detect any breaches and for instance see unusual files being exfiltrated from the network.

Now their PR team tried to paper over all this criminal negligence and claims that the company maintains "robust security systems", and that the malware was custom made and hard to detect. Yeah, right. I see another CEO being fired in the near future...

Looking at this type of negligent behavior, Home Depot must not have done a lot of security awareness training for their employees either. It is not yet known how the hackers got in, but a website that was not sufficiently protected and allowed a SQL injection, and a spear-phishing attack, are the most likely attack vectors.

Don't let this happen to you and step your users through effective Kevin Mitnick security awareness training. Click on the button and find out how affordable this is for your organization.

CyberheistNews Vol 4, # 38 Home Depot Target Breaches Exploited Old WinXP

Editor's Corner

Home Depot And Target Breaches Exploited Old WinXP Flaw - OUCH.

The massive security breaches and theft of credit card information at The Home Depot and Target have something in common. They were both allowed by a vulnerability in XP embedded that was more than 10 years old!

The XP embedded version used in their POS systems (yes, both definitions apply) was Win XPe SP3, which is not the last version of the XP-based embedded OSes. This whole disaster could have been avoided if Target and Home Depot had upgraded to Win7 for Embedded Systems. OUCH. Internal IT security people knew about this and told their friends and relatives to pay cash at Home Depot.

Specific malware created for embedded XP systems reared its ugly head in the middle of the last decade. It uses a technique called "RAM scraping", as WinXP has relatively weak memory access protection. Win 7's memory protection is much better.

This means that once malicious code is inside the XP box, it can pretty much do what it wants. RAM scraping is how hackers stole credit card data from TJ Maxx stores, Office Max, Barnes & Noble, Sports Authority and several more.

Moral of the story? Despite brutal economies, increased worldwide competition, and demanding shareholders that only look at short-term quarterly numbers, skimping on IT security budgets is a Really Bad Idea. And oh, using whitelisting software on those XP-based POS machines would also have prevented this type of attack. Incredible, no? More technical detail at the dailytech site:
http://www.dailytech.com/Appalling+Negligence+DecadeOld+Windows+XPe+Holes+Led+to+Home+Depot+Hack/article36517.htm

And as expected, cyber thieves are now raiding bank accounts via stolen Home Depot data, and there is a spike in PIN debit card fraud. The fact that it is still possible to use customer service or an automated system to change someone else's PIN with just the cardholder's Social Security number, birthday and the expiration date of their stolen card is "remarkable", to say the least. Brian Krebs explains how this is done:
http://krebsonsecurity.com/2014/09/in-wake-of-confirmed-breach-at-home-depot-banks-see-spike-in-pin-debit-card-fraud/

Scam Of The Week: iPhone Six Purchase Receipt

Scammers are using the recent iPhone Six release for several phishing scams. Emails claiming to be purchase receipts from the iTunes store list orders supposedly made and charged to the recipient's Apple account or Mastercard. The email tells users that if the order is erroneous they should report a problem by clicking on the link and supplying information to rectify the issue.

KnowBe4 has added a template with a similar simulated phishing attack so that current customers can send this to end-users and inoculate them.

Citadel Banking Trojan Recycles As Spy Tool

Security researchers discovered a variant of the Citadel malware which has been repurposed to spy on and steal data from petro companies in the Middle East. The Citadel malware was originally designed to steal online banking credentials through man-in-the-middle (MITM) browser attacks. Most enterprise security does not do enough to protect against this type of attack. You need end-to-end encryption by default, your policies need to be restrictive and of course your authentication needs to be very strong. Hat Tip to SANS Editor Murray.

Quotes of the Week

"Great things are done by a series of small things brought together." - Vincent Van Gogh

"My attitude is that if you push me towards something that you think is a weakness, then I will turn that perceived weakness into a strength." - Michael Jordan


Thanks for reading CyberheistNews! Warm Regards, Stu Sjouwerman | Email me: feedback@knowbe4.com

New KnowBe4 Whitepaper: A Short History of Ransomware

Read the short and brutal history of how vicious ransomware came into existence. 2014 was the year that ransomware went mainstream... but how did we wind up here?

Learn about: Hacking Generations, first ransomware in 1989 (!), Bitcoin 101, and why criminals want to be paid in Bitcoin, CryptoLocker and its copycats, different ransomware types and families, the future of ransomware, and how to best mitigate against it. Download here:
http://info.knowbe4.com/whitepaper-ransomware-history

Regular Facebook Users Are More Likely To Fall For Phishing Scams

Techcrunch was the first one to report on some very interesting findings: "Researchers at SUNY Buffalo have found that habitual Facebook users — those who are on the site more frequently than their peers — were more susceptible to phishing scams. How did they figure this out? By asking them about their habits and then surreptitiously creating a fake friend who then asked them for private information, including their student ID number and date of birth.

As per the researchers:

Arun Vishwanath (Associate Professor of Communication, University at Buffalo – State University of New York) subjected 150 college students to real phishing attacks on Facebook. At the beginning of the semester students were asked to participate in an online survey on general technology use; buried among these questions were measures for their Facebook usage habits. Six weeks after the survey, the participants were located on Facebook and each student was sent a friend-request from a phony Facebook account. Two weeks later, an information-request was sent to them from that profile. This communication asked for the participants' student ID number, e-mail username, and date of birth.

It turns out the more you used the service the more likely you were to give up your information. While we could argue that the information provided was innocuous, it’s a very interesting correlation. As we begin to trust these services with more and more information, the researchers posit, we become less careful about what we send to whom." Article:
http://techcrunch.com/2014/09/18/regular-facebook-users-are-more-likely-to-fall-for-phishing-scams/

Vishing Module Takes a Bite Out of Automated Attacks

The Dark Reading site wrote about the new KnowBe4 Vishing Module which allows you to send social engineering attacks to your users via the phone. They wrote:

"Individual employees may be targeted for seemingly innocuous information in a vishing scam and are caught unaware, providing key credentials or a way in to steal corporate data. KnowBe4 trains users on these new scenarios and how to recognize and avoid such social engineering attempts. The module plugs into the new KnowBe4 V3.5 cloud-based Admin Console for quick and easy deployment."

Good to send to higher-ups and/or colleagues. Link here: http://www.darkreading.com/operations/vishing-module-takes-a-bite-out-of-automated-attacks/d/d-id/1315790

New Online Black Market Trades in Drugs, Credentials & Health Data

Remember the Silk Road takedown? It was an online black marketplace, selling all kinds of illegal goods for Bitcoin. The Feds shut them down, but new criminal entrepreneurs stepped in and built a thriving site only accessible via the Tor network.

The biggest one of these is called "evolution" but this site deals not only in all kinds of drugs, but also stolen financial account credentials and medical records. These records appear to have been exfiltrated from a Texas life insurance company. Very interesting story about state of the art, fifth-generation criminal e-commerce at WIRED Mag:
http://www.wired.com/2014/09/dark-web-evolution/

Cyber Insurance Coverage Will Be A Basic Insurance Policy By 2020

By 2020, private firms will be buying cybersecurity insurance when they sign up for product liability coverage and other basic policies, a top White House cyber official said Monday.

Within six years, "We're going to be well on our way to everyone having cyber insurance as just a basic set of insurance, just like property insurance," said Ari Schwartz, director for cybersecurity on the White House National Security Council, during a Sept. 8 panel discussion at the Nextgov Prime conference.

Some businesses are clamoring for coverage, but cannot obtain the type of policies they need. A Bipartisan Policy Center report on power grid cybersecurity published in February recommended the government initially guarantee coverage.

"A federal backstop would increase carriers' willingness to offer cyber insurance and lower the cost of doing so", said the co-authors, who included retired Gen. Michael Hayden, former CIA and National Security Agency director.

Schwartz, however, said the marketplace is "really growing quite a bit" today without government intervention. However, the demand for such services still outstrips the supply. More at the NextGov site:
http://www.nextgov.com/cybersecurity/2014/09/wh-official-cyber-coverage-will-be-basic-insurance-policy-2020/93503/?oref=ng-skybox

Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

MIT lets its robotic cheetah off the leash. This is fun, high-tech, scary and hard to understand because of the researcher's accent. But the robot cheetah is running on its own!:
http://youtu.be/XMKQbqnXXhQ

Amazing things happen when store employees have nothing to do at night at the Cora Supermarket in Rennes, France:
http://www.flixxy.com/amazing-dominoes-in-a-french-supermarket.htm

This Russian girl decided to do something about littering. She straps a GoPro camera to her helmet and sets out to teach the litterbugs in her city a lesson. A great way to get run over by irate motorists:
http://www.flixxy.com/girl-on-a-motorcycle-against-littering.htm?utm_source=4

Ants form a 'daisy chain' to haul dinner back to their home. Never seen that before!:
http://www.flixxy.com/anything-is-possible-with-teamwork.htm?utm_source=4

Caught on camera by a remote-controlled submarine, the Siphonophore isn’t actually a single being, but a colony of highly integrated tiny organisms:
http://www.flixxy.com/stunning-deep-sea-siphonophore.htm?utm_source=4

Just really like this Eurovision song: Pamela Falcon & Isaac Roosevelt - Lost in a mad world:
http://youtu.be/JMn4SjcWSmM

Mat Franco - the last magician standing - performs the most amazing mind-blowing magic trick at America’s Got Talent 2014 Finale:
http://www.flixxy.com/mat-franco-mind-blowing-magic-performance-americas-got-talent-2014-finale.htm?utm_source=4

Jetpack helps soldiers run faster. The (assisted) 4-minute mile is now possible ...I want one!
http://vimeo.com/98084869

New Android Ransomware Strain Locks The Device Twice

Researchers in Russia discovered a new Android ransomware strain that does not lock the device just once but twice. It spreads using a social engineering trick, disguising itself as a system update, and as soon as the user downloads the app it asks for admin rights. Once installed, a message is sent to a remote server reporting that the infection was successful.

The "extra" feature is a second lock, which kicks in if the user tries to remove the initial ransomware infection. The command to lock the device can be sent through the command & control server and also via text message. First, the device gets put into stand-by (screen lock) mode and then shows a fake warning that all files will be erased.

The moment the user makes a choice related to this fake warning, the ransomware brings up the lock screen again and activates a feature that requires the user to enter a password to toggle off the standby mode.

Even if the feature hasn't been used before, the malicious locker sets its own password: "12345". That way the infected smartphone or tablet stays locked until the criminals involved get their ransom. The lock can be removed with the set_unlock command, or by the user resetting all the device's settings to default.

Hat Tip to the Dr.Web blog, which gave this version the name Android.Locker.38.origin.

New KnowBe4 Whitepaper: A Short History of Ransomware

Your Money or Your Files!

2014 was the year that ransomware went mainstream... but how did we wind up here? Ransomware attacks cause downtime, data loss, possible intellectual property theft, and in certain industries a ransomware attack is considered a data breach.

Multiple ransomware strains are now attacking your end-users. Since September 2013, CryptoLocker has become vicious, inspired several copycats, and the first strain of second-gen ransomware has reared its ugly head. But how did it get this far? Read the short and brutal history of how vicious ransomware came into existence.

Download this whitepaper now from our Amazon content delivery network:

http://info.knowbe4.com/whitepaper-ransomware-history

PS: We are particularly happy with this whitepaper. You will learn some things you did not know yet!

Warm regards

Stu Sjouwerman

Founder & CEO, KnowBe4

NEW - KnowBe4 Vishing Security Tests (VST) Now Available

We are excited to announce that you are now able to test your users with our brand new automated interactive voice response phishing module. Earlier this year this was our customers' #1 requested functionality, and it's ready for you now. Very much like our PSTs, the VST module trains your employees against social engineering attacks, but now via the phone on their desk.

Cyber criminals have moved into fully automating these types of attacks, utilizing open source tools that allow thousands of dials per hour, attempting to trick end-users into giving out confidential information like their voice mail PIN, (company) bank account and credit card information, and/or healthcare related data.

The new VST feature includes five Kevin Mitnick VST Scenarios™ which you can use to test your users and keep them on their toes with security top of mind. As a KnowBe4 customer you are able to upload a CSV file with employee phone numbers, choose a VST template, and start the campaign, very similar to the existing phishing security test campaigns that you already run.

If an end-user enters data via the telephone keypad in response to the VST, that means a "fail" which can be used as a reason for a short remedial training, for instance the Mobile Security Module. KnowBe4 added this module to the platinum pricing level and existing customers are invited to do a free VST to try this powerful new option to further strengthen the human firewall you need to protect your network and corporate data.

Talk to your sales rep or reseller for more information about the new VST module.

Warm regards,

Stu Sjouwerman

Founder and CEO, KnowBe4

CyberheistNews Vol 4, # 37 Symantec: Crypto Ransomware Phishing Up 700 Percent in 2014

Editor's Corner

Symantec: Crypto Ransomware Phishing Up 700 Percent in 2014

Very interesting data from Symantec. This is fresh from the press and shows Phishing, Spam and Malware trends. As reported in their annual 2013 threat report, the latter part of that year saw a 500 percent increase in ransomware. Overall ransomware levels remained high through March 2014, and then slowly started to decline, in part due to the disruption of the GameOver Zeus botnet back in late May.

In contrast, during 2014, crypto-style ransomware has seen a 700 percent-plus increase. These file-encrypting versions of ransomware began the year comprising 1.2 percent of all ransomware detections, but now make up 31 percent at the end of August. One variant known as CryptoDefense began to appear in large numbers in early June. By the end of July, it made up 77 percent of all crypto-style ransomware for the year to date.

This is a pretty staggering uptrend, which only points out that you really, really need to step end-users through effective security awareness training. For graphs and links to the Symantec August 2014 report, see our blog:
http://blog.knowbe4.com/bid/396484/Symantec-Crypto-Ransomware-Phishing-Up-700-Percent

Home Depot Hit by Same Russian Hackers as Target

Right after the Target Hack, C-level execs at Home Depot Inc. put together a task force to prevent being the victim of a similar attack. The task force recommended to fully encrypt payment card data at the chain's 2,200 stores, but it wasn't until many months later that they started the work.

You could ask yourself how this could happen, with the Target hack fresh in mind.

The reason is that they thought they could defend against a hack like this, and apparently gave the wrong priority to the possibility they had already been breached. Instead of prevention, they should have focused on detection of the existing breach and getting the hackers out of their network. OK, hindsight is 20-20, but in this case it should have been obvious.

The data breach is very similar to the breach at Target. The malware used to steal card data from Home Depot had the same code base as the tool used against Target, people who analyzed the code said. (The data is generally vulnerable in the brief moment it passes into the system's memory after the card is swiped.) After analyzing the malware, it was found that in both cases the code had Russian words in it.

Russian President Vladimir Putin allows cybercrime to continue, because he considers it a resource and now and then tells them to attack a country that is bothering Russia in some way. Imagine, cyber mafia as shock troops for the Russian government. Draw your own conclusions.

It would not surprise me if they got in the same way they got into Target, spear-phishing one of the Home Depot vendors. Another reason to step your users through effective security awareness training.

Want News Like This Much Faster?

We have two ways to do that. Follow me on Twitter @stuallard and you get tweets the moment I hear some hot IT security news. You can also check www.hackbusters.com once or twice a day; there is Trending, Most Popular and Recent news, purely about IT security, and it's updated in real time.

Quotes of the Week

"One of the most beautiful qualities of true friendship is to understand and to be understood." - Lucius Annaeus Seneca, Philosopher (5 BC - 65 AD)

"The key is to keep company only with people who uplift you, whose presence calls forth your best." - Epictetus, Philosopher (AD 55 – AD 135)


SC MAG POLL SHOCKER: 40% Do Not Train Users ?!

SC Magazine ran a poll this week, and asked: "How frequent is the training related to the security awareness program at your organization?" A whopping 40% answered "We don't have a security awareness program".

And then the other shoe dropped: Another 40% only trains users annually. I almost had a heart attack when I saw those numbers. Really???

And then organizations are surprised that end-users click on phishing emails and get their files encrypted by ransomware?

Find out how affordable security awareness training is for your organization now. Get a quote and demand budget for effective Kevin Mitnick Security Awareness Training right away. This is the best bang you get for your IT security budget. And you get a crypto-ransom guarantee: we pay your crypto-ransom if you get hit. GET A QUOTE NOW:
http://info.knowbe4.com/ransomware-cryptolocker-guarantee_primary_14-08-26-0

We Are at War in the Digital World

I just read an opinion editorial in the Wall Street Journal that really did clarify the new threat we have faced over the last decade. "Ten years ago, the 9/11 Commission Report triggered the most significant reorganization of the U.S. intelligence community since 1947. Two months ago, the former members of the commission—we are among them—issued a new report assessing where national security stands, 13 years after the most devastating attacks on America's homeland.

Most of the new report's observations focused on counterterrorism, the central focus of the 9/11 Commission. But in speaking with many of the nation's most senior national-security leaders, we were struck that every one of these experts expressed concern about another issue: daily cyberattacks against the country's most sensitive public and private computer networks.

A growing chorus of national-security experts describes the cyber realm as the battlefield of the future. We are at war in the digital world. And yet, because this war lacks attention-grabbing explosions and body bags, the American people remain largely unaware of the danger. That needs to change."

Could not have said it better myself, and am thrilled to see this in the WSJ, because it needs to penetrate into the C-level suite. Messrs. Kean and Hamilton served as chairman and vice chairman of the 9/11 Commission and make the case for a National Cyber Commission, and a National Cyber Center, which would bring together government and private experts to ensure unity, similar to the National Counterterrorism Center, created 10 years ago in response to a 9/11 Commission recommendation, which is working well.

"In recent months, we have heard time and again from leading experts that the cyber threat is serious—and that the government is not doing enough. One lesson of the 9/11 story is that, as a nation, we didn't awaken to the gravity of the terrorist threat until it was too late. We must not repeat that mistake in the cyber realm." Article in WSJ (paywall):
http://online.wsj.com/articles/tom-kean-and-lee-hamilton-a-new-threat-grows-amid-shades-of-9-11-1410390195

KnowBe4

Social Engineering Audits on the Rise

A social engineering audit looks for internal data or security breaches. The uptick in these audits is a reminder to C-level execs that security is an inside as well as an outside responsibility. The Target data breach and a new data breach at Home Depot are reminders to CIOs and CSOs about the dangers of security problems on a massive scale, though the smart executives are giving equal time to the potential of internal data breaches. Article at TechRepublic:
http://www.techrepublic.com/article/social-engineering-audits-on-the-rise-what-this-means-for-cios-and-csos/

KnowBe4

Cyber Criminals Use AES-256 Crypto to Obfuscate Phishing Sites

The Register said: "Well, at least someone listened to Snowden about privacy... Phishing fraudsters have begun using industry-standard AES-256 encryption to disguise the content of fraudulent sites.

Obfuscated phishing sites are nothing new. Various techniques such as JavaScript encryption tools are commonly used but Symantec recently caught what it reckons is the first use of AES-256 encryption in dodgy sites designed to hoodwink consumers into handing over their login credentials.

"The site used AES to hide the phishing page content", Paul Wood, manager of cyber security intelligence at Symantec, told El Reg. The tactic is designed to make the analysis of phishing sites more difficult for security researchers without interfering with how sites are presented to victims, as a blog post by Symantec explains. More:
http://www.theregister.co.uk/2014/09/09/phishing_scam_uses_aes_crypto_to_hide/
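The pattern Symantec describes (page content shipped as ciphertext and decrypted in the browser) leaves static traces that a defender can look for before rendering anything. The script below is an added illustration, not code from KnowBe4, Symantec or The Register: it scores the static HTML of a fetched page on three assumed indicators (a client-side decrypt call, a long high-entropy base64 blob, and a script that writes text into the DOM) and on the absence of any `<form>` in the source, since the real login form only exists after decryption. The sample pages and the pseudo-random "ciphertext" are constructed for the example.

```python
import base64
import math
import random
import re
from dataclasses import dataclass, field

# Assumed heuristics for a page that ships its real content as ciphertext and
# decrypts it in the browser. They are this example's own choices, not
# signatures taken from Symantec's or The Register's write-up.
DECRYPT_CALL = re.compile(r"\b(?:CryptoJS\.AES|AES|sjcl)\.decrypt\s*\(", re.I)
RENDER_CALL = re.compile(r"document\.write\s*\(|\.innerHTML\s*=", re.I)
CIPHERTEXT_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # long base64-looking run
VISIBLE_FORM = re.compile(r"<form\b", re.I)


def shannon_entropy(text: str) -> float:
    """Bits per character; random base64 text sits close to 6.0."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Three independent indicators together are the trigger for review.
        return self.score >= 3


def assess_html(html: str) -> Verdict:
    """Score the static HTML of one fetched page.

    A crypto library alone is normal (password hashing, for instance) and a
    long base64 run alone is often an inline image; the combination of a
    decrypt call, a high-entropy blob and a DOM write is what the article
    describes, and a page built that way usually has no <form> in its static
    source because the form only appears after decryption.
    """
    v = Verdict()
    if DECRYPT_CALL.search(html):
        v.score += 1
        v.reasons.append("client-side AES/sjcl decrypt call")
    blobs = [b for b in CIPHERTEXT_BLOB.findall(html) if shannon_entropy(b) > 5.0]
    if blobs:
        v.score += 1
        v.reasons.append(f"{len(blobs)} high-entropy base64 blob(s)")
    if RENDER_CALL.search(html):
        v.score += 1
        v.reasons.append("script writes text into the DOM")
    if v.score >= 2 and not VISIBLE_FORM.search(html):
        v.score += 1
        v.reasons.append("no form in static HTML despite decrypt-and-render logic")
    return v


def _fake_ciphertext(nbytes: int = 300, seed: int = 7) -> str:
    """Deterministic pseudo-random bytes standing in for ciphertext (constructed)."""
    rng = random.Random(seed)
    return base64.b64encode(bytes(rng.getrandbits(8) for _ in range(nbytes))).decode()


# Constructed sample pages; none of this is real phishing-kit content.
OBFUSCATED_PAGE = f"""<html><body>
<script src="crypto-js.min.js"></script>
<script>
var c = "{_fake_ciphertext()}";
var p = CryptoJS.AES.decrypt(c, "k").toString(CryptoJS.enc.Utf8);
document.write(p);
</script></body></html>"""

PLAIN_LOGIN_PAGE = """<html><body>
<form action="/login" method="post">
<input name="user"><input name="pass" type="password">
</form></body></html>"""

HASHING_PAGE = """<html><body>
<script src="crypto-js.min.js"></script>
<form action="/login" method="post"><input name="user"></form>
<script>var h = CryptoJS.SHA256(document.forms[0].user.value);</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in [("obfuscated", OBFUSCATED_PAGE),
                       ("plain login", PLAIN_LOGIN_PAGE),
                       ("hashing only", HASHING_PAGE)]:
        verdict = assess_html(page)
        print(f"{name}: score={verdict.score} suspicious={verdict.suspicious} {verdict.reasons}")
```

The point of scoring rather than matching a single string is the one the article makes: the technique is designed to look harmless to a static scanner, so any one indicator on its own is common on legitimate pages. Pages that cross the threshold are the ones worth rendering in an instrumented browser, where the decrypted form becomes visible.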

KnowBe4

Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

SUPER FAVE: Galactic Gear Reviews The Origin M50. I want one!!! (Top Gear Parody)
http://www.flixxy.com/galactic-gear-reviews-the-origin-m50-top-gear-parody.htm?utm_source=4

Now...THIS is an airplane safety message I could see over and over:
http://youtu.be/DtyfiPIHsIg

Comic: Movie Hacking and Real Hacking:
http://www.smbc-comics.com/index.php?id=2526

Famous DJ Deadmau5 Does Uber In His McLaren 650S Spider:
http://www.motorauthority.com/news/1094415_deadmau5-does-uber-in-his-mclaren-650s-spider-video

Cardstone teamed up with ad agency Mullen to create a fake job description for a "Director of Operations" - aka "Mom." Priceless:
http://youtu.be/HB3xM93rXbY

Since chewing gum is a simple, no-frills product, Beldent wanted to highlight its social benefits. Great ad!
http://youtu.be/sk7A56KVNBY

The magician duo David and Leeman predict the winning combination of lottery numbers at America's Got Talent 2014:
http://www.flixxy.com/magician-duo-david-and-leeman-predict-winning-lottery-numbers-americas-got-talent-2014.htm?utm_source=4

Serial entrepreneur Mark Cuban explains a very common social media error - and what his company Cyber Dust is doing about it:
http://www.flixxy.com/the-biggest-mistake-people-make-on-social-media-mark-cuban.htm?utm_source=4

9 nightmare sci-fi virtual realities that are closer than you think:
http://www.infoworld.com/slideshow/163531/9-nightmare-sci-fi-virtual-realities-are-closer-you-think-250160

This dancer's body moves to the music almost too well. Really amazing:
http://digg.com/video/this-dancers-body-moves-to-the-music-almost-too-well

KnowBe4

Home Depot Hit By Same Russian Hackers As Target

Right after the Target hack, C-level execs at Home Depot Inc. put together a task force to prevent becoming the victim of a similar attack. The task force recommended fully encrypting payment card data at the chain's 2,200 stores, but it wasn't until many months later that the work started.

You could ask yourself: how could this happen, with the Target hack fresh in mind?

The reason is that they thought they could defend against a hack like this, and apparently gave the wrong priority to the possibility that they had already been breached. Instead of prevention, they should have focused on detecting the existing breach and getting the hackers out of their network. OK, hindsight is 20/20, but in this case it should have been obvious.

The data breach is very similar to the breach at Target. The malware used to steal card data from Home Depot had the same code base as the tool used against Target, people who analyzed the code said. (The data is generally vulnerable in the brief moment it passes through the system's memory after the card is swiped.) After analyzing the malware, researchers found that in both cases the code had Russian words in it.

Russian President Vladimir Putin allows cybercrime to continue, because he considers it a resource, and now and then tells those criminals to attack a country that is bothering Russia in some way. Imagine, cyber mafia as shock troops for the Russian government. Draw your own conclusions.

It would not surprise me if they got in the same way they got into Target, spear-phishing one of the Home Depot vendors. Another reason to step your users through effective security awareness training.
