KnowBe4 Security Awareness Training Blog

CyberheistNews Vol 5 #30 How To Get The OK To Phish Your Own Employees

Posted by Stu Sjouwerman on Jul 28, 2015 8:51:00 AM

CyberheistNews Vol 5 #30, July 28, 2015

How To Get The OK To Phish Your Own Employees
IT people responsible for network security talk to us all the time. Almost all of them agree that end-users are their number one headache, and managing that problem continues to be a big challenge. Social engineering is by far the easiest way for hackers to get in, either by tailgating through the side door or by (spear) phishing employees over email and social media.

Cybercrime has gone pro. The criminal groups are very well funded, hire the smartest people out of college, run state-of-the-art tech labs with the latest versions of most commercial security software, and they test, test, test until their attacks get through. A phishing attack lasts less than 6 hours, making it hard for security software to catch up, if it ever does.

So it seems smart to protect against a threat like that with end-user education, driven by some "social pen-testing". The IT teams that get management approval to do this get great results. Apart from budget issues, there is sometimes resistance at the C-level to sending phishing tests to all employees, often driven by other departments like Legal or HR who claim "we should not trick our employees". IT in those situations runs into political headwinds that scuttle the phishing project.

However, today you have to consider a new approach to securing your IT assets. Security awareness training has moved from the lunch room to the board room. You simply can't afford to passively wait for attacks. Instead, you should take a lean-forward approach that proactively keeps you from being "low-hanging fruit".

Here is some ammo to get that approval and, more important, air cover from the top of your organization.
    1. First of all, let's confront that "tricking employees" issue. If we don't do it, the bad guys will. Let's head them off at the pass. We do not want to wind up like Sony, Target, JP Morgan or Home Depot, to name just a few, and see our organization on the front page with a highly damaging data breach, a fired CEO and massive legal costs (more about that below).

    2. The next hurdle is this: most small and medium business owners think that they are not a target for cybercrime. Well, if you think you are safe because you are just a little fish in a big pond, think again. Cybercrime has chosen small and medium-sized businesses (SMBs) as its prime attack targets. The reason is that many SMBs lack the expertise, budget and time to really defend their network the way the big companies do. You are the low-hanging fruit, and they can automate their attacks.

    3. New, vicious ransomware might cause users to sit on their hands for days because all their files are encrypted and the backups failed.

    4. The Wall Street Journal reported that the Target, Home Depot and Sony hacking incidents grabbed the attention of executives everywhere, bringing home the reality that cybersecurity has become a top risk consideration in the board room. These days, getting air cover from the Board is much easier.

    5. Employees are not stupid; they are just trained in a field other than IT. Once the CEO has communicated that this is a company-wide, ongoing training initiative which includes regular phishing tests and needs everyone's cooperation to become security-aware, employees who have stepped through the training almost always say: "Wow, I did not know it was that bad on the web. How do I share this with my family?" If you position (frame) this correctly as part and parcel of safe Internet usage, which also helps them keep their family safe online, you will get mostly very positive feedback from end-users.
So, here are the steps I recommend:
    1. Use the above five points to get the OK to run a complimentary phishing security test and see how bad the employees' Phish-prone percentage actually is. Usually an unpleasant surprise, but great for getting budget.

    2. Find out how affordable this is for your organization. This is normally the pleasant surprise, and essentially a no-brainer.

    3. Start the campaign with support from (and an intro by) your CEO or another C-level executive, and provide a deadline and incentives for the initial training.

    4. Schedule frequent phishing security tests, one a month minimum, and create a game where you compare the click percentages of different groups of employees. (This is supported by the KnowBe4 Admin console.)

    5. Report regularly to both employees and executives about the positive results, and show everyone graphs of the progress.
Doing it this way could even improve the status of the IT department and make end-users understand much better what massive challenges you face on a day-to-day basis. Good luck! Here is the link to Step 1, your complimentary Phishing Security Test:
http://www.knowbe4.com/phishing-security-test-offer

Appeals Court Reinstates Neiman Marcus Hacking Liability

Last Monday, the US Court of Appeals reinstated a liability case against Neiman Marcus (which had been dismissed earlier) for potential damage to consumers from the data breach of 350,000 Neiman Marcus customers.

Neiman Marcus admitted that more than 9,000 of these hacked accounts were later used for fraud. This is the first time an appeals court has recognized the actual damage consumers suffer from having to research and repair credit card accounts after a data breach.

This spells class-action lawsuits for every data breach, and this area is the legal industry's number one growth market. SANS's Alan Paller said: "One likely consequence will be a demand among CEOs to get definitive answers to the pair of questions they have been asking for nearly a decade: 'What do I need to do to avoid liability, and how much is enough?'

"The growing consensus is that the minimum standard of due care will be measured around full and constantly monitored implementation of the basic 'critical controls' published by NSA, the Australian ASD and the Center for Internet Security, because those are the only benchmarks that can demonstrate their controls stop attacks."

One of these controls is an effective security awareness training program, building your "human firewall". Here is the WSJ blog post, excellent ammo to get IT security budget:
http://blogs.wsj.com/cio/2015/07/23/appeals-court-revives-neiman-marcus-data-breach-suit/

Whitepaper: Legal Compliance Through Security Awareness Training

Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), and Certified Risk and Information System Controls (CRISC) certifications. He is a partner at Foley & Lardner LLP.

This whitepaper shows you the common threads in compliance laws and regulations. Did you know that "CIA" means Confidentiality, Integrity, and Availability, and that lawmakers incorporated that language in infosec regulations?

Are you familiar with the concept of acting "reasonably" or taking "appropriate" or "necessary" measures? Find out how this can keep you from violating compliance laws or regulations.

Did you know you are supposed to "scale security measures to reflect the threat"? We have some examples from the Massachusetts Data Security Law and HIPAA to explain what is required. Download this whitepaper here:
http://info.knowbe4.com/whitepaper-overly-kb4

I Was Interviewed On TV About The Recent Ashley Madison Hack

I was interviewed on TV about the recent Ashley Madison hack, and what the security repercussions can be for people who have their personal information exposed. The TV crew came over to our new office. Check it out:
https://vimeo.com/134351507

Talking about our new digs, we moved to a new 15,000 square-foot office with expansion space for 100 KnowBe4 employees, and this week we had our logo mounted on the top of the building. This is a 30-second time-lapse of the old logo coming off and the new one being put up. Click on the link to see the video on YouTube. Enjoy, we sure did!
http://blog.knowbe4.com/out-with-the-old-and-in-with-the-new-knowbe4-logo

BOOK Review: Ghost Fleet

Here is your required summer reading: Ghost Fleet: A Novel of the Next World War. Ghost Fleet is a speculative Tom Clancy-like thriller in the spirit of The Hunt for Red October. This novel by two leading experts on the cutting edge of national security is unique in that every trend and technology featured in the novel — no matter how sci-fi it may seem — is real, or could be soon. I'm reading it myself now; it's exciting and earns a "Stu's Warmly Recommended!"
http://amzn.com/B00LZ7GOI4
Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"No act of kindness, no matter how small, is ever wasted." - Aesop, Author (620 - 560 BC)

"Kindness is the language which the deaf can hear and the blind can see." - Mark Twain

Thanks for reading CyberheistNews!
Security News
A New Ransomware Hostage Rescue Manual

Get this informative and complete hostage rescue manual on ransomware. The 20-page manual is packed with the actionable info you need to prevent infections, and what to do when you are hit with ransomware. You also get a Ransomware Attack Response Checklist and a Ransomware Prevention Checklist.

You will learn more about:
    1. What is Ransomware?

    2. Am I Infected?

    3. I’m Infected, Now What?

    4. Protecting Yourself in the Future

    5. Resources
Don't be taken hostage by ransomware. Download it now and forward/share it with your friends; this is good stuff:
http://info.knowbe4.com/ransomware-hostage-rescue-manual-0

Or, read the article in BetaNews first, and then download:
http://betanews.com/2015/07/10/how-to-protect-yourself-against-ransomware/

This Week's Five Most Popular HackBusters Posts

    1. Hackers Remotely Kill a Jeep on the Highway—With Me in It:
      http://www.hackbusters.com/news/stories/353296-hackers-remotely-kill-a-jeep-on-the-highway-with-me-in-it

    2. Online Cheating Site Ashley Madison Hacked:
      http://www.hackbusters.com/news/stories/352692-online-cheating-site-ashleymadison-hacked

    3. 600TB MongoDB Database 'accidentally' exposed on the Internet:
      http://www.hackbusters.com/news/stories/353818-600tb-mongodb-database-accidentally-exposed-on-the-internet

    4. Apple Mac OS X Vulnerability Allows Attackers to Hack your Computer:
      http://www.hackbusters.com/news/stories/354437-apple-mac-os-x-vulnerability-allows-attackers-to-hack-your-computer

    5. NASA: This planet is the closest thing to Earth yet:
      http://www.hackbusters.com/news/stories/354626-nasa-this-planet-is-the-closest-thing-to-earth-yet

The Social-Engineer Toolkit (SET) v6.5 "Mr Robot" Released

The next major revision of The Social-Engineer Toolkit (SET), v6.5, codename "Mr Robot", has just been released. The codename celebrates the TV show Mr Robot, which featured SET in a recent episode.

Kudos to them for having some amazing tech writers, and we appreciate the shout-out on the show. If you have not seen Mr Robot yet, you can get Season 1 on Amazon; warmly recommended. This is a good show.

Version 6.5 incorporates a new HTA web attack vector. This attack allows you to clone a website and inject an HTA file which compromises the system. Here are the specs, with a video that shows how it works:
https://www.trustedsec.com/july-2015/the-social-engineer-toolkit-set-v6-5-mr-robot-released/

Tools To Scan For Hacking Team Malware Infections

Darlene Storm at Computerworld dug up several no-charge tools to find out if you have any devices infected with the Italian Hacking Team's malware, up to now used mostly by governments. Now that they have been hacked themselves and all their zero-day vulnerabilities exposed, several cyber scum-suckers have re-purposed Hacking Team's malware. So here they are:

Rook Security offers Milano, a complimentary tool to scan your PC for any possible Hacking Team malware infection. Facebook offers osquery to detect Hacking Team's Remote Control System on OS X. Lookout has mobile covered and can detect surveillance malware on Android and iOS platforms. Here is Darlene's story, with links to the downloads for these tools:
http://cwonline.computerworld.com/t/9234223/987374514/747887/20/

Copyright © 2014-2015 KnowBe4 LLC, All rights reserved.

Our mailing address is: 33 North Garden Ave Suite 1200, Clearwater, Florida, 33755

Out With The Old And in With The New (KnowBe4 Logo)

Posted by Stu Sjouwerman on Jul 23, 2015 3:32:00 PM

We moved to a new 15,000 square-foot office with expansion space for 100 KnowBe4 employees, and this week we had our logo mounted on the top of the building. This is a 30-second time-lapse of the old logo coming off and the new one being put up. Here is a picture of the building from when we had the same top floor as Sunbelt Software. Click on the image to see the video on YouTube. Enjoy, we did!

You Asked For Training Campaigns And We Built It For You

Posted by Stu Sjouwerman on Jul 21, 2015 9:33:00 AM

By far the most requested feature in the KnowBe4 console was Training Campaigns. We're excited to tell you they are here now, in version 5.2 of your console. When it comes to rolling out training for your users, this feature does the heavy lifting for you, saving the time and effort associated with setup and with chasing down users who need to finish their training for compliance purposes. Keep reading for one really cool feature.

These new campaigns provide Learning Management System functionality, giving you an easy way to manage your security awareness training while providing sophisticated reporting. Training Campaigns allow you to create ongoing or deadline-based training campaigns for your employees. These campaigns can contain any or all of the courses, and can limit course availability by group.

Campaigns can be set up to automatically send e-mail invitations and signup links to users, prompting them (at various intervals) to complete training within a specified time-frame. This functionality also allows you to train a group of users in a classroom setting and pass them all at once.

Key features:


CyberheistNews Vol 5 #29 AshleyMadison: Second Nightmare Phishing Problem

Posted by Stu Sjouwerman on Jul 21, 2015 9:17:21 AM

CyberheistNews Vol 5 #29, July 21, 2015

AshleyMadison: Second Nightmare Phishing Problem
Again, we have a nightmare phishing scenario, this time with the brand new AshleyMadison (AM) hack. A few months ago the Adult Friend Finder (AFF) website was hacked, and now it is their biggest competitor's turn.

AM is one of the most heavily-trafficked websites in the U.S. and has 37 million registered users, though some will overlap with AFF. A rough guess is that 10% of your users may be very worried at this time that their sexual preferences and/or activities are going to come out. These end-users are a security breach waiting to happen.

Large caches of data stolen from online cheating site AshleyMadison.com have been posted online by an individual or group that claims to have completely compromised the company’s user databases, financial records and other proprietary information. The still-unfolding leak could be quite damaging to the users of the hookup service, whose slogan is “Life is short. Have an affair.”

The data released by the hacker or hackers — which go by the name The Impact Team — includes sensitive internal data stolen from Avid Life Media (ALM), the Toronto-based firm that owns AshleyMadison as well as related hookup sites Cougar Life and Established Men.

Here Is The Problem

Any of these 37 million registered users is now a target for a multitude of social engineering attacks. Just one example: you can imagine that a man married to a woman but who is hunting down gay hookups on the side could easily be blackmailed or receive a spear phishing email with a poisoned link that infects his workstation.

People who have extramarital affairs can be made to click on links in emails that threaten to out them. I already see the phishing emails that claim people can go to a website to find out if their private data has been released. This is a nightmare that will be exploited by spammers, phishers and blackmailers, who are now gleefully rubbing their hands.

Mass media has not jumped on this yet, but you can count on this breaking news hitting the press big time. If any of your users have registered on AM, they are going to be worried about it. This is a nightmare phishing scenario. Jilted spouses, divorce attorneys and private investigators are undoubtedly already going to pore over the data.

What To Do About It

I suggest that you again take immediate preventive action. It only takes one second for a worried end-user (or admin) to click on a link in an email and expose the network to attackers. I recommend you send something like this to your friends, family and end-users. Feel free to edit it.

"A few months ago, news broke that the Adult Friend Finder website was hacked. Now it's AshleyMadison, their biggest competitor. These sites are for people who want to cheat on their spouse. The site has 37 million registered users, and these records are now out in the open, exposing highly sensitive personal information. Internet criminals are going to exploit this in many ways, sending spam, phishing and possibly blackmail messages, using social engineering tactics to make people click on links or open infected attachments. Be on the lookout for threatening messages like this that slip through, and delete them immediately."

As you can see, stepping your users through effective security awareness training is an absolute must these days. For KnowBe4 customers, we have a new Social Networking template that lures people into clicking on a link to the "haveibeenpwned" website to see if their sensitive personal information was hacked. The subject of the template is "RE: Pictures from your Ashley Madison account were leaked".

I was interviewed on Channel 10 yesterday about this hack. You can see me and the new KnowBe4 office here:
http://www.wtsp.com/story/news/local/2015/07/20/hackers-threaten-to-pull-covers-off-online-cheating-website/30432261/

Blackhat 2015 Survey: End-User Wins Easily As IT's #1 Big Worry

According to the new 2015 Black Hat Attendee Survey, nearly three quarters (73 percent) of top security professionals think it likely that their organizations will be hit with a major data breach in the next 12 months -- but they won't have enough time, money, or skilled staff to handle the crisis.

The survey polled some 460 infosec professionals, 61 percent of whom carry "security" as a full-time job title, and two thirds of whom hold a CISSP or other professional security credential.

More than a third of the Black Hat survey respondents say that their time is consumed by addressing vulnerabilities in internally-developed software (35 percent) or in off-the-shelf software (33 percent). Meanwhile, their budgets are often consumed by compliance issues (25 percent) or sealing accidental leaks (26 percent), leaving them short of resources to fight the real threats. (One way to save half the time and half the cost of an audit is a compliance workflow automation tool like this very useful compliance manager:
http://info.knowbe4.com/knowbe4-compliance-manager_lp_14-04-15 )

Nearly a third (31 percent) of Black Hat attendees cited end users as the weakest link in the security chain. "The biggest roadblock I have is a lack of cultural importance on security," said one survey respondent. Here are the survey results; the #1 problem that needs to be managed is: "End users who violate security policy and are too easily fooled by social engineering attacks".

See the graph with all tabulated answers on the "Weakest Link in IT Defenses":
http://blog.knowbe4.com/blackhat-2015-survey-end-user-wins-easily-as-its-big-worry

Turn Your Weakest Link Into Your Strongest Security Asset

Here is a quote from an article in the WSJ CIO Report by Steve Rosenbush: "In The Art of War, Sun Tzu writes, the message is that one should 'avoid what is strong and … strike at what is weak.' In cyberwar the weak are often your users. Good, smart workers are conscripted by hackers after being lured into opening an email attachment or following a dangerous link. Companies need to better balance security tech investments and the education and engagement of the workforce. By involving the workers in designing the security policies, the firms generate buy-in and support."

That is a good tip. Get buy-in for your awareness training program by surveying your users for input on things they observe as security weaknesses, and include these in the program, for instance as emailed Security Hints & Tips.

New TeslaCrypt's Shrewd Disguise as CryptoWall

Security researcher Fedor Sinitsyn reported on the new TeslaCrypt V2.0. This family of ransomware is relatively new; it was first detected in February 2015. It's been dubbed the "curse" of computer gamers because it targets many game-related file types. The attackers are focusing on the U.S. and Germany using malvertising, which hit record highs in June - more than in all the previous months this year combined.

The malvertising (malicious ads on large sites like Yahoo, Drudge, CBSSports and HuffPost) is paid for with stolen credit cards. This is very hard to defend against. See the heat map on our blog, plus more technical details about how it attacks and suggestions about what you can do about it:
http://blog.knowbe4.com/new-teslacrypts-shrewd-disguise-as-cryptowall
Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"Progress is impossible without change, and those who cannot change their minds cannot change anything." - George Bernard Shaw

"Do not go where the path may lead; go instead where there is no path and leave a trail." - Ralph Waldo Emerson

"Most people spend more time and energy going around problems than trying to solve them." - Henry Ford

Thanks for reading CyberheistNews!

Security News

This Week's Five Most Popular HackBusters Posts

    1. Hacking Team Spyware preloaded with UEFI BIOS Rootkit to Hide Itself:
      http://www.hackbusters.com/news/stories/350687-hacking-team-spyware-preloaded-with-uefi-bios-rootkit-to-hide-itself

    2. How Hacking Team and FBI planned to Unmask A Tor User:
      http://www.hackbusters.com/news/stories/351137-how-hacking-team-and-fbi-planned-to-unmask-a-tor-user

    3. NSA Releases Open Source Network Security Tool for Linux:
      http://www.hackbusters.com/news/stories/351942-nsa-releases-open-source-network-security-tool-for-linux

    4. One Million Android Users Infected With Facebook Hacking Malware Apps:
      http://www.hackbusters.com/news/stories/349953-one-million-android-users-infected-with-facebook-hacking-malware-apps

    5. Like It Or Not... You Can't Disable Windows 10 Automatic Updates:
      http://www.hackbusters.com/news/stories/352326-like-it-or-not-you-can-t-disable-windows-10-automatic-updates

Poor Communication Can Cost You 52,140.60 Dollars

Marcin Kleczynski, CEO of Malwarebytes, posted this blog post a few days ago. Read it and forward it to your own CEO.

"Over the weekend, I received several cryptic e-mails from my CFO, Mark Harris, asking if I had approved the wire template for “the wire I had requested.” We were in the process of making a few wire transfers on Monday but I had already approved those and communicated that to him. He repeated the question a few times, but I still didn’t think anything of it.

He asked me again in person this morning. That’s when I started to dig in." Check out what he found: Sophisticated Social Engineering:
http://blog.kleczynski.com/2015/07/poor-communication-can-cost-you-52140-60/

You Asked For Training Campaigns And We Built It For You

By far the most requested feature in the KnowBe4 console was Training Campaigns. We're excited to tell you they are here now, in version 5.2 of your console. When it comes to rolling out training for your users, this feature does the heavy lifting for you, saving the time and effort associated with setup and with chasing down users who need to finish their training for compliance purposes. Keep reading for one really cool feature.

The new Training Campaigns provide Learning Management System functionality, which gives you an easy way to manage your security awareness training while providing sophisticated reporting. Training Campaigns allow you to create ongoing or deadline-based training campaigns for your employees. These campaigns can contain any or all of the courses, and can limit course availability by group.

Training Campaigns can be set up to automatically send e-mail invitations and signup links to users, prompting them (at various intervals) to complete training within a specified time-frame. This functionality also allows you to train a group of users in a classroom setting and pass them all at once.

Key features of Training Campaigns allow you to:
  • Create ongoing (permanent) training campaigns for an organization
  • Set up campaigns with a specified deadline for training completion
  • Limit course availability for various groups of users
  • Automatically send enrollment emails to any number of users, inviting them to take the training
  • Automatically send follow-up emails to nudge users who have yet to complete the training
  • Let administrators pass multiple users at once for group training environments
  • Auto-enroll new users who are added to a group or company (invite via email)
  • Customize the email notification templates for enrollments and follow-up
The Training Campaign dashboard also lets you monitor a campaign's status, completion percentage, and every individual's progress at a glance. Additionally, campaigns can be extended past their initial deadline, and the number of active campaigns is unlimited.

And here is the one really cool feature:
  • Point-of-failure training auto-enrollment
With this, you can set things up in no time so that when anyone clicks on a Phishing Security Test URL they are automatically enrolled in a remedial campaign: they get an email right away directing them to an awareness training module, and it nudges them along until they have done it. All fully automated. Look ma, no hands. Want to see this in a one-on-one demo?

Fill out the form and we'll get you scheduled:
http://info.knowbe4.com/one-on-one-demo-new-training-campaigns


AshleyMadison: Second Nightmare Phishing Problem

Posted by Stu Sjouwerman on Jul 20, 2015 8:06:00 AM

New TeslaCrypt's Shrewd Disguise as CryptoWall

Posted by Stu Sjouwerman on Jul 18, 2015 12:41:00 PM

Security researcher Fedor Sinitsyn reported on the new TeslaCrypt V2.0. This family of ransomware is relatively new; it was first detected in February 2015. It's been dubbed the "curse" of computer gamers because it targets many game-related file types. The attackers are focusing on the U.S. and Germany. See the heat map.

The pace of TeslaCrypt innovation is furious; lots of changes are being made, including ripping off CryptoWall's identity, a clear case of borrowing CryptoWall's reputation to make people pay as soon as possible. The encryption scheme has been improved again and is now even more sophisticated than before. Keys are generated using the ECDH algorithm.

Early versions of TeslaCrypt were designed to check whether a Bitcoin payment had been successfully made on the blockchain.info site. If the payment was received, the malware reported this to the command server and received a key to decrypt the files. This scheme was vulnerable, since an expert could send a request to the C&C and get the necessary key without making a payment. This has been corrected/replaced with a completely new decryption feature.

The TeslaCrypt family is distributed using Exploit Kits like Angler, Sweet Orange and Nuclear. It focuses on malvertising (malicious ads on large sites like Yahoo, Drudge, CBSSports and HuffPost), paid for with stolen credit cards. This is very hard to defend against. Here is how that works: when a victim visits an infected website, the Exploit Kit scans the victim's browser, finds vulnerabilities (usually in plugins) and installs the Trojan on the system.

What To Do About It


Blackhat 2015 Survey: End-User Wins Easily As IT's Big Worry

Posted by Stu Sjouwerman on Jul 17, 2015 3:50:00 PM

According to the 2015 Black Hat Attendee Survey, nearly three quarters (73 percent) of top security professionals think it likely that their organizations will be hit with a major data breach in the next 12 months -- but they won't have enough time, money, or skilled staff to handle the crisis.

The survey polled some 460 infosec professionals, 61 percent of whom carry "security" as a full-time job title, and two thirds of whom carry a CISSP or other professional security credentials. 

More than a third of the Black Hat survey respondents say that their time is consumed by addressing vulnerabilities in internally-developed software (35 percent) or in off-the-shelf software (33 percent). Meanwhile, their budgets are often consumed by compliance issues (25 percent) or sealing accidental leaks (26 percent), leaving them short of resources to fight the real threats.

Nearly a third (31 percent) of Black Hat attendees cited end users as the weakest link in the security chain. "The biggest roadblock I have is a lack of cultural importance on security," said one survey respondent. In the survey results, the #1 problem that needs to be managed is: "End users who violate security policy and are too easily fooled by social engineering attacks".

Read More

Aggressive New Tech Support Social Engineering Scam

Posted by Stu Sjouwerman on Jul 15, 2015 6:10:00 PM

The Tech Support Scams are getting worse by the month. Here is a horror story that was just shared today. I suggest you read it, and keep alert for Red Flags like these!  

"My dad almost got badly scammed by a guy who claimed he was from "IT Innovations" selling virus protection for computers. My very trusting dad, who isn't at all computer savvy, fell for this guy's pitch when he called my parents' landline several months ago.

"The same man called back this past Saturday telling dad he had to refund the money because the company was going out of business. He convinced my dad to sign into some website that gave the scammer access to my parents' home computer. Then he got dad to log into his credit union account online in order to make sure the money was back in his checking account.

"It was, plus an extra $2000. When my dad told the guy, he said he had made a mistake and wanted my dad to wire the money back to him. Thank God my mom walked into the house and made my dad stop and power off the computer.

"At this point the guy was yelling and threatening my parents over the phone. My mom simply told him he wasn't getting his money back, that he is evil, and hung up on him (go mom!). Thank heavens my parents know the president of the credit union and they were able to get the accounts locked down immediately, get new accounts, and the guy didn't get a penny."

Here is the crux of the scam, pay attention to what happened! 

Read More

CyberheistNews Vol 5 #28 Scam Of The Week: Internet Capacity Warning

Posted by Stu Sjouwerman on Jul 14, 2015 8:55:55 AM

                                                       
CyberheistNews Vol #5 #28 July 14, 2015

Scam Of The Week: Internet Capacity Warning

OK, so here is the latest scam, possibly fueled by the recent news that we have run out of IPv4 addresses in the U.S. Employees receive an email which claims to be from the "IT Services Support Department". It is not legit: it is a phishing scam that tricks users into entering their email account login credentials.

It tells your user that their Internet capacity has reached 70% and that is why they need to contact support to avoid further problems. There is a "contact us" link in the email message so that the user can resolve the issue. Clicking the link redirects the user to a bogus "Help Desk" webpage asking them to submit their email account username and password, and when that is done a Thank-You page appears.

The user may think the issue has been resolved, but the credentials have been harvested by cyber criminals, who will use them to hijack the email account for other criminal purposes (password resets on other services, further phishing from a trusted address, and so on).
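As an added example (my own code, not part of the original newsletter), here is a small Python triage script that applies the two checks a help desk would make on such a lure: does the "contact us" link point back to the domain the message claims to come from, and does the link look like a login page? The sample message, and its example.com / example.net domains, are constructed for the demonstration; feed `triage_message` a real `.eml` file's bytes to use it on a reported email.

```python
"""Triage a 'capacity warning' lure: do its links match the claimed sender?
Added example, not KnowBe4 code. Uses only the Python standard library."""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above. The domains are
# placeholders (example.com / example.net), not real phishing sites.
SAMPLE_EMAIL = b"""\
From: IT Services Support Department <helpdesk@example.com>
To: user@example.com
Subject: Internet capacity warning
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your Internet capacity has reached 70%. To avoid further problems,
please <a href="http://helpdesk-login.example.net/verify">contact us</a>.</p>
</body></html>
"""

# Words that typically show up in the URL of a credential-harvesting page.
CREDENTIAL_WORDS = ("login", "verify", "password", "signin", "account")


class LinkExtractor(HTMLParser):
    """Collect every href in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def registered_domain(host):
    """Crude last-two-labels comparison: enough to see that
    helpdesk-login.example.net is not example.com. (No public-suffix list,
    so co.uk-style domains need a better implementation.)"""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_message(raw):
    """Return sender domain, extracted links and a list of findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_addr = msg["from"].addresses[0].addr_spec if msg["from"] else ""
    sender_domain = from_addr.rpartition("@")[2]

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    extractor = LinkExtractor()
    extractor.feed(text)

    findings = []
    for link in extractor.links:
        parsed = urlparse(link)
        host = parsed.hostname or ""
        # Check 1: the link should lead back to the sender's own domain.
        if registered_domain(host) != registered_domain(sender_domain):
            findings.append(
                f"link host {host} does not match sender domain {sender_domain}")
        # Check 2: a 'support' link that lands on a login/verify page.
        haystack = parsed.path.lower() + host.lower()
        if any(word in haystack for word in CREDENTIAL_WORDS):
            findings.append(f"link {link} looks like a credential prompt")
    # Check 3: the generic quota/capacity pretext itself.
    if re.search(r"\b\d{1,3}\s?%", text) and "capacity" in text.lower():
        findings.append("generic capacity/quota warning (common lure)")

    return {"sender_domain": sender_domain,
            "links": extractor.links,
            "findings": findings}


if __name__ == "__main__":
    for finding in triage_message(SAMPLE_EMAIL)["findings"]:
        print("FLAG:", finding)
```

The domain comparison is deliberately simple; in production you would compare against the public-suffix list and also check the `Return-Path` and authentication results (SPF/DKIM) headers, which this sample message does not carry.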

I suggest you send something like this to your friends, family and employees:

"There is a scam doing the rounds where you may get an email from 'IT Services Support Department' which claims your Internet capacity is at 70% and you need to contact support. Clicking the link, you are asked to leave your user name and password at a Help Desk site. This is a scam and cyber criminals are trying to hijack your email account. These scam emails may arrive in the office or at the house.

"Sometimes in the past you might have gotten notifications from your Internet provider about your email account exceeding its maximum storage limit. However, the name of the service provider is always clearly visible in these kinds of emails, and they never ask you to click on a link to rectify the issue. So, Think Before You Click!"


For KnowBe4 customers, we have created a simulated attack like this you  can find at System Templates -> IT Group -> Internet Capacity Warning. Send this template to your users to inoculate them against this type of attack. 

If you are not a KnowBe4 customer yet, find out how affordable this is  and be pleasantly surprised:
http://info.knowbe4.com/kmsat_get_a_quote_now

OPM: 'Victim-as-a-Service' Provider

Unconscionable. I would even say callous and criminal negligence, all on the current administration's watch, in the handling of the highly confidential and very private information of the people working for that same government.

An article by Mathew Schwartz on the databreachtoday site lays it out. He points at a litany of errors, which resulted in the resignation of OPM Director Katherine Archuleta. The problems started years before she even came on board at OPM, though; this is an inherited problem of long duration. Just have a look at this quote:

"Since 2007, the OPM Inspector General has continuously pointed out serious deficiencies in OPM's cybersecurity posture. OPM's response has been glacial," says Rep. Jim Langevin, D-R.I., a senior member of the House Committee on Homeland Security. The OPM's Office of the Inspector General issued a report in 2012, highlighting numerous weaknesses. Most damning, however, was OIG noting that it had been warning about "a material weakness in controls over the development and maintenance of OPM's IT security policies" since 2007.

"It repeated that warning in 2008, and added in 2009 that things were getting worse - affecting the organization's entire information security governance and management structure - after which it repeated the same warnings in 2010 and 2011. And in 2012, the OIG warned that the OPM's CIO office "continued to operate with a decentralized IT security structure that did not have the authority or resources available to adequately implement the new policies."


I really hope that whoever inherits the White House will take decisive action to prevent this in the future! Here is the article:
http://www.databreachtoday.com/blogs/opm-victim-as-a-service-provider-p-1883

A New Ransomware Hostage Rescue Manual

Get this informative and complete hostage rescue manual on ransomware. The 20-page manual is packed with actionable info you need to prevent infections, and what to do when you are hit with ransomware. You also get a Ransomware Attack Response Checklist and a Ransomware Prevention Checklist.

You will learn more about:
    1. What is Ransomware?
    2. Am I Infected?
    3. I'm Infected, Now What?
    4. Protecting Yourself in the Future
    5. Resources

Don't be taken hostage by ransomware. Download now and forward/share to your friends, this is good stuff:
http://info.knowbe4.com/ransomware-hostage-rescue-manual-0

Or, read the article in BetaNews first, and then download:
http://betanews.com/2015/07/10/how-to-protect-yourself-against-ransomware/

Warm Regards,
Stu Sjouwerman

   
Quotes Of The Week

"People who say it cannot be done should not interrupt those who are doing it."
- George Bernard Shaw

"Constant kindness can accomplish much. As the sun makes ice melt, kindness causes misunderstanding, mistrust, and hostility to evaporate."
- Albert Schweitzer

Thanks for reading CyberheistNews!

Security News

This Week's Five Most Popular HackBusters Posts

    1. Anonymous Is Relatively Much Bigger Than You Anticipated:
      http://www.hackbusters.com/news/stories/349355-anonymous-is-relatively-much-bigger-than-you-anticipated

    2. This Device Can Wirelessly Charge Your All Devices at Once From 15 Feet:
      http://www.hackbusters.com/news/stories/347892-this-device-can-wirelessly-charge-your-all-devices-at-once-from-15-feet

    3. Hacking Team Breach Shows A Global Spying Firm Run Amok:
      http://www.hackbusters.com/news/stories/347965-hacking-team-breach-shows-a-global-spying-firm-run-amok

    4. 17-Year-Old Lizard Squad Member Found Guilty Of 50,700 Hacking Charges:
      http://www.hackbusters.com/news/stories/348602-17-year-old-lizard-squad-member-found-guilty-of-50-700-hacking-charges

    5. Zero-Day Flash Player Exploit Disclosed in 'Hacking Team' Data Dump:
      http://www.hackbusters.com/news/stories/348458-zero-day-flash-player-exploit-disclosed-in-hacking-team-data-dump

CryptoWall Active Alerter / Scanner

A PowerShell script hosted on Microsoft's TechNet Script Center Gallery (a community gallery, not a Microsoft-supported tool): it scans all shares on a list of given servers for files left by known variants of CryptoWall (including the latest CryptoWall 2.0 and 3.0 variants).

It can actively scan file shares or end-user computers on a schedule for early detection of CryptoWall evidence, and alerts by e-mail. As with any indicator-based scan, it only catches variants whose artifact names are on its list, so review the list when a new variant appears:
https://gallery.technet.microsoft.com/scriptcenter/Cryptowall-active-file-ad91b701
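The gallery script is PowerShell and mails its alerts. As an added example (my own code, not the gallery script), here is the same idea in Python: walk a directory tree or a mounted share, look for the ransom-note filenames that CryptoWall variants drop next to the files they encrypt, and group the hits by folder, which is what you would put in the alert. The indicator list is an assumption (the note names commonly attributed to CryptoWall 2.0 and 3.0), and the tree it scans is constructed in a temp folder for the demonstration; point `scan_tree` at a share (a UNC path works on Windows) and hand `summarize`'s output to your mailer.

```python
"""Scan a tree (or a mounted share) for ransom notes left by CryptoWall.
Added example, not the TechNet script. Standard library only."""
import os
import tempfile
from pathlib import Path

# Indicator filenames. Assumption: these are the note names commonly
# reported for CryptoWall 2.0 (DECRYPT_INSTRUCTION.*) and 3.0 (HELP_DECRYPT.*).
# Compared case-insensitively, since the notes land on NTFS/SMB shares.
CRYPTOWALL_NOTES = {
    "decrypt_instruction.txt", "decrypt_instruction.html", "decrypt_instruction.url",
    "help_decrypt.txt", "help_decrypt.html", "help_decrypt.png", "help_decrypt.url",
}


def scan_tree(root, indicators=CRYPTOWALL_NOTES):
    """Walk `root` and return (path, indicator) for every note found.
    Does not follow symlinks (a share can't loop us) and skips directories
    it cannot read instead of aborting the whole scan."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(
            root, followlinks=False, onerror=lambda err: None):
        for name in filenames:
            if name.lower() in indicators:
                hits.append((os.path.join(dirpath, name), name.lower()))
    return hits


def summarize(hits):
    """Group hits by directory. One infected user folder usually produces
    dozens of notes; the directory list is the useful content of an alert."""
    by_dir = {}
    for path, indicator in hits:
        by_dir.setdefault(os.path.dirname(path), set()).add(indicator)
    return by_dir


def build_sample_tree():
    """Constructed test data: one clean folder and one folder with notes."""
    root = Path(tempfile.mkdtemp(prefix="cw_scan_"))
    (root / "finance").mkdir()
    (root / "finance" / "q2.xlsx").write_text("numbers")
    (root / "finance" / "HELP_DECRYPT.TXT").write_text("ransom note")
    (root / "finance" / "HELP_DECRYPT.HTML").write_text("ransom note")
    (root / "hr").mkdir()
    (root / "hr" / "handbook.docx").write_text("policy")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for directory, indicators in summarize(scan_tree(sample_root)).items():
        # In production, send this line by e-mail instead of printing it.
        print(f"ALERT {directory}: {sorted(indicators)}")
```

Run it from a scheduled task against the share roots you care about; a non-empty `summarize` result is the trigger for the alert, and the first directory listed is usually the infected user's mapped drive, which tells you which workstation to pull off the network.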

The Mob's IT Department - Don't Let This Happen To You 

An article at Bloomberg relates the story of two IT professionals who reluctantly teamed up with an organized criminal network in building a sophisticated drug smuggling operation. 

"The criminals were clever, recruiting the IT guys the way a spymaster develops a double agent. By the time they understood what they were involved in, they were already implicated. The pair were threatened, and afraid to go to the police. They were asked to help with deploying malware and building 'pwnies' — small computers capable of intercepting network traffic that could be disguised as power strips and routers."

This is an interesting and instructive story for a lunch break, and do not let this happen to you! Article here:
http://www.bloomberg.com/graphics/2015-mob-technology-consultants-help-drug-traffickers/

Cyberheist 'FAVE' LINKS:
 
Copyright © 2014-2015 KnowBe4 LLC, All rights reserved.

Our mailing address is: 33 North Garden Ave Suite 1200, Clearwater, Florida, 33755
Read More

KnowBe4: Security Awareness Training From Lunchroom to Boardroom

Posted by Stu Sjouwerman on Jul 13, 2015 4:16:29 PM

KnowBe4 has seen explosive growth for eight consecutive quarters. Massive data breaches in the first half of 2015 such as Anthem and OPM, affecting millions, have left C-level execs scrambling for a way to manage the problem of social engineering. Even the FBI sent an alert on June 23, 2015. As a result, security awareness training has gone from lunchroom to boardroom in priority, with the market now exceeding a billion dollars in worldwide annual revenue.

Read More
