KnowBe4 Security Awareness Training Blog

CyberheistNews Vol #5 #37 Scam Of The Week: Business Email Compromise

Posted by Stu Sjouwerman on Sep 1, 2015 9:37:52 AM

CyberheistNews Vol 5 #37 Sept 1, 2015

Scam Of The Week: Business Email Compromise

Last week, the FBI, via its Internet Crime Complaint Center, announced some astounding numbers, worse than ransomware.

There is a 270 percent spike in victims and cash losses caused by a skyrocketing scam in which cyber criminals spoof emails from executives at a victim organization in a bid to execute unauthorized international wire transfers.

According to the new FBI report, thieves stole nearly 750 million in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015.

In January 2015, the FBI released stats showing that between Oct. 1, 2013 and Dec. 1, 2014, some 1,198 companies lost a total of 179 million in business e-mail compromise (BEC) scams (also known as “CEO fraud”).

The figures show an incredible 270 percent increase in identified victims and exposed losses. Taking into account international victims, the losses from BEC scams total more than 1.2 billion dollars, according to the FBI. Here is the link:
http://www.ic3.gov/media/2015/150827-2.aspx

There is a clear pattern you need to watch out for. It often begins with the scammers phishing an executive, dropping a Trojan, and gaining 24/7 access to that individual’s inbox. Then they research the organization and monitor the email account for months until the right circumstances arrive, and then they pounce. They spoof the CEO's address and send messages to employees in accounting from a look-alike domain name that is one or two letters off from the target company’s true domain name.
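The "one or two letters off" look-alike domain is something a mail gateway or a SOC script can check for mechanically. The following is an added example (not KnowBe4 code, and not from the FBI report) that scores the sender domain of each message against a list of domains the organization trusts using plain edit distance, and flags anything that is close but not identical. The trusted-domain list, the threshold, and the sample From: headers are constructed for illustration.

```python
"""Flag sender domains that are one or two edits away from a trusted domain.

Added example for the BEC look-alike-domain pattern. Not KnowBe4's code.
TRUSTED_DOMAINS, MAX_EDITS and SAMPLE_MESSAGES are constructed assumptions.
"""
import re

# Constructed: the organization's own domain and the domain of its bank.
TRUSTED_DOMAINS = {"examplecorp.com", "examplebank.com"}
MAX_EDITS = 2  # "one or two letters off" from the real domain


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: header value, lower-cased.

    Handles both 'Name <user@domain>' and a bare 'user@domain'.
    """
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def classify_domain(domain, trusted=TRUSTED_DOMAINS, max_edits=MAX_EDITS):
    """Return (verdict, mimicked_domain).

    verdict is 'trusted' (exact match), 'lookalike' (within max_edits of a
    trusted domain but not equal to it) or 'external' (everything else).
    """
    if domain in trusted:
        return "trusted", domain
    best = min(trusted, key=lambda t: levenshtein(domain, t))
    if levenshtein(domain, best) <= max_edits:
        return "lookalike", best
    return "external", None


def scan_messages(messages):
    """Return (subject, sender_domain, mimicked_domain) for each look-alike."""
    findings = []
    for msg in messages:
        dom = sender_domain(msg["from"])
        verdict, near = classify_domain(dom)
        if verdict == "lookalike":
            findings.append((msg["subject"], dom, near))
    return findings


# Constructed sample headers: one genuine, two look-alikes, one unrelated.
SAMPLE_MESSAGES = [
    {"from": "CEO <ceo@examplecorp.com>", "subject": "Board deck"},
    {"from": "CEO <ceo@examp1ecorp.com>", "subject": "URGENT wire today"},  # l -> 1
    {"from": "CEO <ceo@examplecorp.co>", "subject": "Re: wire"},            # dropped m
    {"from": "Vendor <ap@bigvendor.com>", "subject": "Invoice"},
]

if __name__ == "__main__":
    for subject, dom, near in scan_messages(SAMPLE_MESSAGES):
        print(f"LOOKALIKE: {dom!r} resembles {near!r} ({subject})")
```

Two things to keep in mind when adapting this: the comparison is on the full domain, so legitimate subdomains of a trusted domain (for example mail.examplecorp.com) would come back as "external" rather than "trusted" and should be normalized to the registered domain first; and edit distance alone does not catch Unicode homoglyphs, which need a separate confusables check.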

Why worse than ransomware?

Normally the ransom is about 500 bucks. However, the FBI’s numbers indicate that the average loss for a BEC victim is a whopping 100,000 dollars. Some are much higher: earlier this month, tech firm Ubiquiti Networks disclosed in a quarterly financial report that it suffered a whopping 46.7 million hit because of a BEC scam.

We have noticed that this scam is filtering down to the consumer level. People who are in the process of buying a house and need to transfer a sizable down payment are receiving an email from their lawyer or realtor to transfer that down payment to a certain bank account. When they call the next day to check if the money has arrived, the lawyer tells them they did not send any transfer requests, but the money has disappeared in the meantime. The same scam is done with spoofed emails from financial brokers.

What you can do about it:
    1. Alert all your employees, from the board level down to the mail room. These scams are getting more sophisticated by the month, so be on the lookout.

    2. Grab this Social Engineering Red Flags PDF, print and laminate it, and give it to everyone. (free)
      http://cdn2.hubspot.net/hubfs/241394/Knowbe4-May2015-PDF/SocialEngineeringRedFlags.pdf?

    3. Have a dual-step process in place for bank wires, always verified by phone with trusted parties.

Send this email to all your users, friends and family. Edit if you want:

"Criminals on the Internet have cooked up a new scam. They get you to click on a phishing link and stealthily look at what happens on your computer. Specifically they monitor your email. When it looks like your CEO is out of town, the bad guys send emails that look like they come from the CEO, with urgent requests to wire a large amount of money. Organizations that were tricked by this have lost hundreds of thousands of dollars. 

Recently, this scam has filtered down to the consumer level. The FBI calls this an Email Account Compromise (EAC). At this very moment, bad guys could be looking at your email and patiently wait until the time is right. Be very careful when you make any large bank transfers, for instance when buying a house or putting money into investment accounts. ALWAYS, ALWAYS, ALWAYS initiate contact with the other party by phone and verify that the transfer instructions are correct before you transfer the money."


Obviously all your employees need to be stepped through effective security awareness training to prevent social engineering attacks like this from getting through. Find out how affordable this is for your organization today:
http://info.knowbe4.com/kmsat_get_a_quote_now

Just 1% Of Employees Are Responsible For 75% Cloud Security Risks

Just 1 percent of employees are responsible for 75 percent of cloud-related enterprise security risks, and companies can dramatically reduce their exposure at very little additional cost by paying extra attention to these users.

According to newly-released research by CloudLock, which analyzed the behavior of 10 million users during the second quarter of this year, these users are sending out plain-text passwords, sharing files, accidentally downloading malware, clicking on phishing links, using risky applications, reusing passwords, and engaging in other types of dangerous behaviors.

These users include both rank-and-file employees as well as super-privileged users, software architects, and non-human accounts used to perform automated tasks. Here is an interesting article on this over at CSO:
http://www.csoonline.com/article/2975914/application-security/most-corporate-risk-due-to-just-1-of-employees.html

Report: Phishing Costs Average Organization 3.7M Per Year

If you extrapolate the total annual cost of phishing for the average organization, it comes to more than 3.7 million dollars. You could shave that down by 1.8 million though, with the right security awareness training, according to a new report.

More than 375 IT and IT security practitioners in U.S. organizations were surveyed in "The Cost of Phishing & Value of Employee Training", which was conducted by Ponemon Institute and sponsored by our friends at Wombat Security Technologies.

In a Wednesday email correspondence, Joe Ferrara, Wombat's president and CEO, told SC Mag that the biggest financial hit from these attacks comes from loss of productivity. Full story and links to the report at our Blog:
http://blog.knowbe4.com/report-phishing-costs-average-organization-3.7-million-per-year

Are You In DevOps and/or Use Docker?

Fill out this quick Docker survey and get entered to win a 100 dollar gift certificate from Amazon. These are friends of ours and good people:
https://goo.gl/2cexTN

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"In dwelling, live close to the ground. In thinking, keep to the simple. In conflict, be fair and generous. In governing, don't try to control. In work, do what you enjoy. In family life, be completely present." - Lao Tzu (Philosopher - 6th century BC)

"True happiness comes from the joy of deeds well done, the zest of creating things new." - Antoine de Saint-Exupéry - Writer (1900 - 1944)

Thanks for reading CyberheistNews

Security News

This Week's Five Most Popular HackBusters Posts

    1. Apple will host next iPhone launch Sept. 9:
      http://www.hackbusters.com/news/stories/372532-apple-will-host-next-iphone-launch-sept-9

    2. The Funk Awakens in Darth Punk 'Star Wars'/Daft Punk mashup:
      http://www.hackbusters.com/news/stories/371579-the-funk-awakens-in-darth-punk-star-wars-daft-punk-mashup

    3. Microsoft Releases Updates To Spy On Windows 7, 8 and 8.1 Users:
      http://www.hackbusters.com/news/stories/370371-microsoft-releases-updates-to-spy-on-windows-7-8-and-8-1-users

    4. PayPal Vulnerability Allows Hackers to Steal All Your Money
      http://www.hackbusters.com/news/stories/372344-paypal-vulnerability-allows-hackers-to-steal-all-your-money

    5. 'Star Trek Beyond' cast delivers touching tribute to Leonard Nimoy
      http://www.hackbusters.com/news/stories/371005-star-trek-beyond-cast-delivers-touching-tribute-to-leonard-nimoy

Here’s How Iran Resets Your Gmail Password

Tehran’s hackers are getting trickier—and finding new ways to get into your Gmail, using social engineering. Learn how this sophisticated phishing attack gets around Google’s two-step verification system.

The Citizen Lab’s John Scott-Railton and Katie Kleemola explained a new way that Iranian hackers can compromise the accounts of political dissidents, or basically anyone. High-end hacking gangs will use this trick as well for Business Email Compromise attacks.

"Their targets are political, and include Iranian activists, and even a director at the Electronic Frontier Foundation," said Scott-Railton. "In some cases they even pretend to be Reuters journalists calling to set up interviews."

It's obvious that attacks on political targets are not new. Neither are two-factor authentication (2FA) attacks. They were relatively few and far between though. What you can count on now is that this methodology is going to go up massively and that you need to train users to not fall for it if you use Gmail as your corporate email platform. Here are the details:
https://citizenlab.org/2015/08/iran_two_factor_phishing/

IBM: Corporations Could Be The Next Target For Ransomware Attacks

Doug Olenick at SC Magazine reported on something noteworthy: "The growing threat posed by ransomware and the possibility that cybercriminals will graduate from extorting end users to large corporations topped the worry list of IBM's X-Force threat team in its Q3 threat intelligence report.

The "August 2015 IBM Security IBM X-Force Threat Intelligence Quarterly, 3Q 2015," issued Monday, included a look at an increasing number of attacks coming from the dark web that employ Tor to steal intellectual property.

While ransomware has been a menace for years, John Kuhn, senior threat researcher, IBM Security X-Force, told SCMagazine.com it has progressed from attackers using simplistic scams, such as WinLocker, that simply annoyed people to well-organized attempts to steal money. More at our Blog:
http://blog.knowbe4.com/ibm-corporations-could-be-the-next-target-for-ransomware-attacks

Target Agrees To Pay Visa 67 Million Dollars For 2013 Data Breach

On Tuesday, Target and Visa confirmed that they had reached a settlement in which Target would pay up to 67 million dollars to Visa card issuers for a security breach in 2013 that left 40 million customer credit card numbers compromised. Visa brokered the deal and will pass the award on to the card issuers that work within its network.

The settlement deal is considerably larger than the 19 million dollar settlement that Target reached with MasterCard earlier in the proceedings. That settlement was not approved because MasterCard issuers rejected it for being too low. The Wall Street Journal reports that Target’s deal with Visa is much more likely to succeed this time around because the agreement had "already received support from Visa’s largest card issuers.”

A representative from JP Morgan Chase & Co. told Ars in an e-mail that the company was "pleased" with the settlement, but he would not go into detail about specifics. It also seems that Target is working on a new deal with MasterCard comparable to the one it cut with Visa. As you can see, these large hacks get extremely expensive, and now the FTC is going to pile on as well. More at Arstechnica:
http://arstechnica.com/tech-policy/2015/08/target-agrees-to-pay-visa-card-issuers-up-to-67-million-for-2013-data-breach/

Gartner's Avivah Litan: Top New Threats to Banks

Extortionists and insiders operating as criminal "free agents" have emerged as the top two cybercrime threats to banking institutions, says financial fraud expert Avivah Litan, an analyst for the consultancy Gartner.

"Cyber-extortion is probably the hottest trend of 2015," she explains during this exclusive interview with Information Security Media Group. A gang known as DD4BC, which stands for DDoS for Bitcoin, has been targeting leading banking institutions with ransom schemes that blend malware and distributed denial-of-service attacks, Litan says.

"They'll get malware on the network, extract information from files and then threaten to publish it," she says. "Then they wage a denial-of-service attack against the bank. So, this has been going on for a while, and banks are paying out." Link:
http://www.cuinfosecurity.com/interviews/gartners-litan-top-new-threats-to-banks-i-2853

Cyberheist 'FAVE' LINKS:

Copyright © 2014-2015 KnowBe4 LLC, All rights reserved.

Our mailing address is: 33 North Garden Ave Suite 1200, Clearwater, Florida, 33755

Report: Phishing costs average organization $3.7 million per year

Posted by Stu Sjouwerman on Aug 29, 2015 12:14:00 PM

If you extrapolate the total annual cost of phishing for the average organization it comes to more than $3.7 million. You could shave that down by $1.8 million though, with the right security awareness training, according to a new report.

More than 375 IT and IT security practitioners in U.S. organizations were surveyed in “The Cost of Phishing & Value of Employee Training” (PDF), which was conducted by Ponemon Institute and sponsored by our friends at Wombat Security Technologies.

In a Wednesday email correspondence, Joe Ferrara, Wombat's president and CEO, told SC Mag that the biggest financial hit from these attacks comes from loss of productivity.

The new report calculates that productivity losses from phishing account for more than $1.8 million. “This is not only productivity loss for IT-related personnel, but also for the people that were phished while their machine is remediated, reimaged and recertified,” Ferrara said. The report noted that employees waste an average of roughly four hours annually due to phishing scams.


IBM: Corporations could be the next target for ransomware attacks

Posted by Stu Sjouwerman on Aug 29, 2015 10:53:00 AM

Doug Olenick at SC Magazine reported on something noteworthy: "The growing threat posed by ransomware and the possibility that cybercriminals will graduate from extorting end users to large corporations topped the worry list of IBM's X-Force threat team in its Q3 threat intelligence report.

The "August 2015 IBM Security IBM X-Force Threat Intelligence Quarterly, 3Q 2015," issued Monday, included a look at an increasing number of attacks coming from the dark web that employ Tor to steal intellectual property.

While ransomware has been a menace for years, John Kuhn, senior threat researcher, IBM Security X-Force, told SCMagazine.com it has progressed from attackers using simplistic scams, such as WinLocker, that simply annoyed people to well-organized attempts to steal money.

“We found ransomware is now so much more sophisticated with CryptoLocker and Cryptowall [software] and we see more people in the Deep Web buying Cryptolocker-type software, which will make it even easier for a beginner to get started,” Kuhn said.


What Is Worse Than Ransomware? Business Email Compromise

Posted by Stu Sjouwerman on Aug 28, 2015 9:31:00 AM

You are getting your Scam Of The Week early. 

Yesterday, the FBI via their Internet Crime Complaint Center announced some shocking numbers.

There is a 270 percent spike in victims and cash losses caused by a skyrocketing scam in which cyber criminals spoof emails from executives at a victim organization in a bid to execute unauthorized international wire transfers.

According to the new FBI report, thieves stole nearly 750 million in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015. 

In January 2015, the FBI released stats showing that between Oct. 1, 2013 and Dec. 1, 2014, some 1,198 companies lost a total of 179 million in business e-mail compromise (BEC) scams, (also known as “CEO fraud.”)

Yesterday's figures show an incredible 270 percent increase in identified victims and exposed losses. Taking into account international victims, the losses from BEC scams total more than 1.2 billion dollars, the FBI said. 

There is a clear pattern you need to watch out for. It often begins with the scammers phishing an executive, dropping a Trojan, and gaining 24/7 access to that individual’s inbox. Then they research the organization and monitor the email account for months until the right circumstances arrive, next they pounce. They spoof the CEO's address and send messages to employees in accounting from a look-alike domain name that is one or two letters off from the target company’s true domain name. 

Why worse than ransomware?


CyberheistNews Vol 5 #36 Breaking News: Got Hacked...The FTC Can Now Sue You

Posted by Stu Sjouwerman on Aug 25, 2015 9:31:30 AM

CyberheistNews Vol #5 #36 Aug 25, 2015

Breaking News: Got Hacked...The FTC Can Now Sue You

For organizations that get hacked like Anthem, Target and recently Ashley Madison, the problems are only starting. Apart from towering legal fees and a damaged reputation, now an appeals court has confirmed that the FTC can slap you with fines as well. This is excellent ammo to get more IT security budget.

Yesterday, the Third U.S. Circuit Court of Appeals ruled that the Federal Trade Commission (FTC) has the power to take action against organizations that employ poor IT security practices. The ruling was part of a lawsuit between the FTC and hotel chain Wyndham. This court decision affirms the FTC’s role as a digital watchdog with real-life teeth.

This Is A Big Deal

In 2008 and 2009, Wyndham was hacked three times, losing credit card data for more than 619,000 customers and causing 10.6 million dollars in loss due to fraud. Originally, the FTC sued them in 2012 over the lack of security that led to its massive hack. The hotel chain appealed to a higher court to dismiss it, arguing that the FTC didn’t have the authority to punish the hotel chain for its breach. Wrong move. Yesterday's decision states that Wyndham’s breach is exactly the sort of “unfair or deceptive business practice” the FTC is empowered to stop. This means Wyndham now needs to go back and confront the FTC’s lawsuit in a lower court.

The circuit court also stated that the FTC does not have to detail any specific best practices that Wyndham did not apply. The FTC did however, and it's not a pretty picture. Here are some of the highlights: Wyndham allowed its partner hotels to store credit card information in plain text, allowed easily guessable passwords in property management software, failed to use firewalls to limit access to the corporate network, and failed to restrict third-party vendors from access to its network. 

Data Insecurity As ‘Unfair’ Business Practice

The FTC argued that “taken together, they unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” In a statement to Ars, FTC Chairwoman Edith Ramirez wrote, “Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.” 

The upshot?

This appellate ruling establishes an important precedent for the legal consequences of a data breach. Berkeley Law professor Chris Hoofnagle said: "Had Wyndham won at the third circuit, it would have called into question the FTC’s ability to police privacy and security." Well, now we know that the U.S. Government in the form of the FTC can and most likely will jump in and add even more cost to a super expensive data breach.

It's not clear how the hackers got into the hotel chain, but it would not surprise me if it was another phishing email that an employee clicked on. With easy-to-guess passwords, it is clear that they did not step employees through effective security awareness training. Having that in place is an IT best practice that has great ROI and is a crucial part of your defense-in-depth.

It is clear that educating your users about these risks is very important. If you have not done so already, find out how affordable Kevin Mitnick Security Awareness Training is for your organization, and be pleasantly surprised:
http://info.knowbe4.com/kmsat_get_a_quote_now

Stop The AshMad Insanity!

First a 10Gig dump with the full database, then a 20Gig dump with their whole Github repository, and then to top it all off a 300G(!) dump. In an interview with Motherboard, the hackers claimed to have data which includes employee emails, internal documents, nude photographs, and private chats between members. However, the Impact Team said it would not release explicit photos of AshMad customers, but did not rule out publishing the private chats and other photographs posted through the adultery website.

When asked about AshMad security, the hackers said "Nobody was watching. No security", describing how they broke into the company's servers repeatedly over the past few years. One hacker said, "[We] got in and found nothing to bypass."

The release last Tuesday contained customer data belonging to U.S. government officials, British civil servants and high-level executives at European and North American corporations. We have a copy and are researching it for security purposes.

Should You Check For Employees' Emails?

Well, this is a field mired in MANY problems. It's not a can of worms, it's a can of scorpions. First, it depends on your organization. Any government employee that has a clearance (and that is true for many government contractors as well) is in immediate risk of losing that clearance if they are found to have been engaged in infidelity, as they become a target for blackmail. Adultery can be a criminal offense under the Uniform Code of Military Justice.

Apparently not everyone was smart enough to obscure their real-life identity using a webmail address. Robert Hansen, VP of WhiteHat Security, found well over 13,000 email addresses from .MIL and .GOV domains and a handful of congressmen among the hacked data. He also identified a substantial number of addresses from various Fortune 500 companies like Microsoft, Cisco, Apple, and Bank of America. Perhaps the most shocking revelation is that Hansen found three accounts using Vatican.com email addresses.

The legal repercussions of scanning the database for email addresses with an organization's domain name need to be clarified and well-understood before that scan is done; each corporate lawyer will have to look into that based on their individual organizational situation.

After that determination, IT and/or HR can look into this database and see if any organizational email has been used or compromised, which then would have to be deleted and a new email address issued to that user, either mentioning the reason (or omitting it), again based on Legal's advice.

I could envision you scanning the AshMad database for your domain name, and issuing new creds to employees found, simply with a generic mention that the address was compromised.

A major risk is end-users going to websites that claim to show if their name is in the list. Many of these sites will be phish-bait and anything typed in will be used for a variety of nefarious purposes and/or infect the workstation. Any organization should warn their users to watch out for attacks like that. See my recent blog post with a real example of AshMad extortion:
http://blog.knowbe4.com/phishing-alert-warn-your-users-against-ashley-madison-scams-now

"100,000 Refrigerators Attack Bank Of America"

This nightmare headline was voiced by Vint Cerf, father of the Internet, when he was asked what his greatest fear was about the future Internet of Things in an interview by WashingtonExec:

"Ensuring that devices, including household appliances that now make up the Internet of Things, are properly configured so that uncontrolled or unauthorized access is denied. The nightmare headline for me is, ‘100,000 Refrigerators Attack Bank of America’. That is going to take some serious thinking not only about basic security technology but also how to configure devices at scale, no one wants to spend their entire weekend typing IPV6 addresses for each and every household device."

This is a good InfoSec read, warmly recommended and not too long:
http://www.washingtonexec.com/2015/08/exclusive-father-of-the-internet-vint-cerfs-forecast-for-internet-of-things/

What CIOs Can Learn About Security Threats From 4 Recent Hacks

John Brandon at CIO came out with a good story you should read and forward to your C-Level execs. The media and the public are finally waking up to the fact that almost all organizations are at risk of getting hacked. Analyzing a few recent high-profile breaches might just help you prevent the same thing from happening at your company.

There are four examples that each show the problem and the mitigation; I am quoted in two of the solutions:
http://www.cio.com/article/2972263/security/what-cios-can-learn-about-security-threats-from-4-recent-hacks.html

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"There is nothing on this earth more to be prized than true friendship."
- Thomas Aquinas - Philosopher (1225 - 1274)

"If you want to go fast - go alone. If you want to go far - go together." - African Proverb

Thanks for reading CyberheistNews

Security News

Compliance In Half The Time At Half The Cost

I'm sure you will agree, compliance has become a major headache. It is a HUGE burden on already limited IT resources. Yearly audits have become major projects. They are expensive in both dollars and your IT staff time.

Imagine an environment in which your organization is completely compliant 24/7/365, and where all employees work together as a team without nagging and tons of emails. KnowBe4 Compliance Manager (KCM) can help you to achieve that state. It is an IT compliance workflow automation tool that allows you to:
    • Manage all of your specific regulatory requirements in one location (PCI-DSS, HIPAA, GLBA, SOX, etc...).

    • Eliminate duplication of effort.

    • Assign the Directly Responsible Individual (DRI) for a control.

    • Direct your auditors to one location for evidence of compliance controls being in place and up to date.

    • NEW: Auditor Role, your auditor can log in remotely and save you billable hours.

Go to this link for more info and to request a web demo:
http://info.knowbe4.com/_kcm_pci_30-0

This Week's Five Most Popular HackBusters Posts

    1. Hackers Finally Post Stolen Ashley Madison Data:
      http://www.hackbusters.com/news/stories/367508-hackers-finally-post-stolen-ashley-madison-data

    2. 'Doctor Who' Weeping Angel string lights will terrify your guests:
      http://www.hackbusters.com/news/stories/368922-doctor-who-weeping-angel-string-lights-will-terrify-your-guests

    3. Windows 10 can find and disable pirated games:
      http://www.hackbusters.com/news/stories/366355-windows-10-can-find-and-disable-pirated-games

    4. Top 10 Popular Programming Languages used on GitHub:
      http://www.hackbusters.com/news/stories/369390-here-s-top-10-popular-programming-languages-used-on-github

    5. Fallout 4 could be more successful than Skyrim, says Bethesda:
      http://www.hackbusters.com/news/stories/369448-fallout-4-could-be-more-successful-than-skyrim-says-bethesda

Off With Their Heads! Execs Get The Ax For Data Breaches

Until last year, executives were able to pass the buck to IT in case a data breach hit the organization. However, several recent high-profile resignations are now putting the focus on board members. Here are a few examples:

US Office of Personnel Management head Katherine Archuleta was forced to resign over a massive hack that exfiltrated well over 20 million highly confidential personal records of government employees. Thomas Meston, CFO of the London-based hedge fund Fortelus, also lost his job following a cyber hack that emptied $1.2 million from the fund’s bank account.

And those are just the two latest victims. The trend began for real last year when Target's CEO, Gregg Steinhafel, stepped down in the wake of a disastrous data breach that compromised 40 million shoppers’ credit cards and 70 million customers’ personal data. Steinhafel had little choice but to resign as the CEO of the 40 billion dollar U.S. company.

The important thing for board members to realize is that they can do little to mitigate the damage after the data has been exfiltrated. Once the data breach has happened, they will find themselves held responsible for, and accused of, prior negligence. At that point it's up to the CEO and the board to defend themselves against these claims and show that all appropriate measures had been taken to protect the organization’s data.

Up to a few years ago, it sounded reasonable for boards to delegate the defense against hackers to the IT department. They relied to a large degree on traditional firewalls and antivirus. However, over the last few years antivirus (AV) has been shown to fall behind badly. With hundreds of thousands of new malware flavors being released in the wild every day, bad guys are overwhelming AV and often get through.

Today, it is seen as the task of the Board to prioritize and make IT security budgets available so that defense-in-depth can be done the right way.

In order to protect not only their own careers but also the future of the organizations they lead, senior executives must now understand that the buck stops with them and securing their data, almost always their organization’s most valuable asset, is paramount.

Thomas Meston, hedge fund Fortelus' CFO, was forced to resign after falling victim to a social engineering attack over the phone. The attack, however, had all the hallmarks of a professional job. It was clear the hacker had done their homework and researched Meston in great detail, a technique also used in spear-phishing attacks, which are sometimes followed up with very real-sounding phone calls.

Meston fell for the hacker's scam, but whatever the form of the attack, it is clear that today the cyber security buck stops at the board level. To prevent "human hacks" (which are the weak link of IT security), stepping all employees through effective security awareness training is a very cost-effective way to prevent a large percentage of data breaches.
   
Cyberheist 'FAVE' LINKS:

Breaking News: Got Hacked? The FTC Can Now Sue You

Posted by Stu Sjouwerman on Aug 25, 2015 7:50:00 AM

For organizations that get hacked like Anthem, Target and recently Ashley Madison, the problems are only starting. Apart from towering legal fees and a damaged reputation, now an appeals court has confirmed that the FTC can slap you with fines as well. This is excellent ammo to get more IT security budget.

Yesterday, the Third U.S. Circuit Court of Appeals ruled that the Federal Trade Commission (FTC) has the power to take action (PDF) against organizations that employ poor IT security practices. The ruling was part of a lawsuit between the FTC and hotel chain Wyndham. This court decision affirms the FTC’s role as a digital watchdog with real-life teeth.

This Is A Big Deal

In 2008 and 2009, Wyndham was hacked three times, losing credit card data for more than 619,000 customers and causing $10.6 million in loss due to fraud. Originally, the FTC sued them in 2012 over the lack of security that led to its massive hack. The hotel chain appealed to a higher court to dismiss it, arguing that the FTC didn’t have the authority to punish the hotel chain for its breach. Wrong move. Yesterday's decision states that Wyndham’s breach is exactly the sort of “unfair or deceptive business practice” the FTC is empowered to stop. This means Wyndham now needs to go back and confront the FTC’s lawsuit in a lower court.

The circuit court also found that the FTC does not have to spell out in advance which specific best practices Wyndham failed to apply. The FTC's complaint did list them, however, and it is not a pretty picture. Some of the highlights: Wyndham allowed its partner hotels to store credit card information in plain text, allowed easily guessable passwords in its property management software, failed to use firewalls to limit access to the corporate network, and failed to restrict third-party vendors' access to its network.

Data Insecurity As ‘Unfair’ Business Practice


Stop The AshMad Insanity!

Posted by Stu Sjouwerman on Aug 22, 2015 10:24:00 AM

First a 10 GB dump with the full Ashley Madison database. Then a 20 GB dump with their whole GitHub repository, and then, to top it all off, a 300 GB(!) dump. In an interview with Motherboard the hackers claimed to have data which includes employee emails, internal documents, nude photographs, and private chats between members. The Impact Team said it would not release explicit photos of AshMad customers, but did not rule out publishing the private chats and other photographs posted through the adultery website.

When asked about AshMad's security, the Impact Team said "Nobody was watching. No security" about breaking into the company's servers repeatedly over the past few years. One hacker said, "[We] got in and found nothing to bypass."

The release last Tuesday contained customer data belonging to U.S. government officials, British civil servants and high-level executives at European and North American corporations. We have a copy and will make it available for security purposes. However...

Should You Check For Employees' Emails?


Phishing Alert: Warn Your Users Against Ashley Madison Scams Now

Posted by Stu Sjouwerman on Aug 20, 2015 10:30:00 AM

Your end-users saw this in the news yesterday, or will read about it today. The hackers who stole more than 36 million records from the Ashley Madison site (which makes it easy to cheat on your spouse), have now posted all the records for everyone to see. This is a bad one.

Cyber criminals are going to leverage this event in a lot of different ways: (spear-) phishing attacks, bogus websites where you can "check if your spouse is cheating on you", or ways to find out if your own extramarital affair has come out.

Any of these 36 million registered users is now a target for a multitude of social engineering attacks. People who have (had) straight or gay extramarital affairs can be made to click on links in emails that threaten to out them.

I have already seen the phishing emails that claim people can go to a website to find out if their private data has been released. This is a nightmare that will be exploited by spammers, phishers and blackmailers who are now gleefully rubbing their hands, not to mention the divorce lawyers and private investigators who are poring over the data now.

Here is one of the first real examples of AshMad extortion: 

Unfortunately, your data was leaked in the recent hacking of Ashley Madison and I now have your information.

If you would like to prevent me from finding and sharing this information with your significant other send exactly 1.0000001 Bitcoins (approx. value $225 USD) to the following address:

1B8eH7HR87vbVbMzX4gk9nYyus3KnXs4Ez [link added]

Sending the wrong amount means I won't know it's you who paid.

You have 7 days from receipt of this email to send the BTC [bitcoins]. If you
need help locating a place to purchase BTC, you can start here.....


What To Do About It

I suggest that you take immediate preventive action. It only takes one second for a worried end-user (or admin) to click on a link in an email and expose the network to attackers. I recommend you send something like this to your friends, family and end-users. Feel free to edit.

"Yesterday 36 million names, addresses and phone numbers of registered users at the Ashley Madison site (which makes it easy to cheat on your spouse) were posted on the Internet. All these records are now out in the open, exposing highly sensitive personal information.

Internet criminals are going to exploit this in many ways, sending spam, phishing and possibly blackmail messages, using social engineering tactics to make people click on links or open infected attachments. Be on the lookout for threatening email messages which slip through spam filters that have anything to do with Ashley Madison, or that refer to cheating spouses and delete them immediately, in the office or at the house."


Off With Their Heads! Execs get the ax for data breaches

Posted by Stu Sjouwerman on Aug 19, 2015 5:28:00 PM

Until last year, executives were able to pass the buck to IT when a data breach hit the organization. However, several recent high-profile resignations are now putting the focus on board members. Here are a few examples:

US Office of Personnel Management head Katherine Archuleta was forced to resign over a massive hack that exfiltrated well over 20 million highly confidential personal records of government employees. Thomas Meston, CFO of the London-based hedge fund Fortelus, also lost his job following a cyber hack that emptied $1.2 million from the fund’s bank account.

And those are just the two latest victims. The trend began for real last year when Target CEO Gregg Steinhafel stepped down in the wake of a disastrous data breach that compromised 40 million shoppers' credit cards and 70 million customers' personal data. Steinhafel had little choice but to resign as the CEO of the $40 billion company. Sony Pictures co-chairman Amy Pascal stepped down in February after last year's devastating breach at Sony Corp's Hollywood studio.

The important thing for board members to realize is that they can do little to mitigate the damage after the data has been exfiltrated. Once the data breach has happened, they will find themselves held responsible for it and accused of prior negligence. At that point it is up to the CEO and the board to defend themselves against these claims and to show that all appropriate measures had been taken to protect the organization's data.

Up to a few years ago, it sounded reasonable for boards to delegate the defense against hackers to the IT department, which relied to a large degree on traditional firewalls and antivirus. However, over the last few years antivirus (AV) has fallen behind badly. With hundreds of thousands of new malware variants being released in the wild every day, the bad guys are overwhelming AV and often get through. Today, it is seen as the task of the board to prioritize and make IT security budgets available so that defense-in-depth can be done the right way.


CyberheistNews Vol 5 #34 Scam Of The Week: Massive WebAd Poisoning

Posted by Stu Sjouwerman on Aug 18, 2015 9:17:21 AM

CyberheistNews Vol 5 #34 Aug 18, 2015

Scam Of The Week: Massive WebAd Poisoning

The same cybercrime lowlifes that infected the Yahoo website a few weeks ago have struck again, this time infecting sites like DrudgeReport.com and Weather.com. Both sites have hundreds of millions of visitors per month, and were serving poisoned web ads which either dropped CryptoWall ransomware or infected the PC with adware.

Internet users at home, or employees who browse the web during their lunch break, do not understand the mechanics of modern ad networks. Once an ad network is subverted, hundreds of millions of poisoned ads are displayed in real time. Many of these ads initiate a drive-by attack without the user having to do anything beyond loading the page: the ad does a few redirects, lands on an exploit kit aimed at U.S. and Canadian visitors which probes the browser for vulnerabilities (usually in Flash), and can infect the workstation literally in seconds.

What To Do About It

This is a hard one to defend against, because the malicious redirect chain is served over SSL from Microsoft's Azure cloud, which makes it hard to inspect and block, but there are definitely things you can do. First of all, I would send this to your users. Edit if you want:

Scam of The Week Warning - You need to understand something about poisoned ads on websites which might infect your computer. Here is the situation in a nutshell: Advertisers do not sell their ads to websites one at a time. Websites that want to make money sell their advertising space to an ad network. Advertisers sign contracts with that ad network which then displays the ads on the participating websites. The ad network sits in the middle between the advertisers and the websites and manages the traffic and the payments.

Here is the problem. Cybercriminals fool the ad network into thinking they are a legitimate advertiser, but the ads which are then displayed on major websites are poisoned. If you browse to a page with a poisoned ad on it, that alone is enough to run the risk of your files being encrypted by ransomware, which may cost 500 dollars to get back.

So here are a few things you can do about this. First, disable Adobe Flash on your computer, or at least set the Adobe Flash plug-in to "click-to-play" mode, which blocks the automatic infections. Second, keep up to date with all security patches and install them as soon as they come out. Third, download and install an ad blocker plug-in for your browser; these prevent the ads from being displayed in your browser to start with. Ad blockers are getting very popular, hundreds of millions of people use them.


In a network, you could do two things:
    1. Get rid of Flash altogether, we see this happen a lot, or

    2. Deploy ad blockers using group policy, here is a forum post at the AdBlock Plus site where it is explained how this can be done. I use Adblock Plus in Chrome and am a happy camper. Link:
      https://adblockplus.org/forum/viewtopic.php?t=29880
Good luck and stay safe out there.

IT Confessions: The Six Deadly Sins Of Data Security

Massive hacks continue to fill the front page of major media outlets. The recent hack of the Federal Office of Personnel Management (OPM) by Chinese state-sponsored hackers again showed how vulnerable we are.

But what are the main attack vectors with apparent holes which are not being addressed? Last week, KnowBe4's Chief Hacking Officer Kevin Mitnick was asked: "What do you believe are the most serious cyber threats facing businesses today?" Here is his answer on Vimeo (0:33), where he summarizes social engineering and vulnerable web applications:
https://vimeo.com/136377919

If you break that down into more technical detail, here are your Six Deadly Sins of Data Security in terms of potential for data breaches:
  1. Social Engineering end-users who are low-hanging fruit
  2. Injection Vulnerabilities
  3. Buffer Overflows
  4. Sensitive Data Exposure
  5. Broken Authentication and Session Management
  6. Security Misconfiguration
Let's have a quick look at each one of these.

1) Social Engineering end-users who are low-hanging fruit

Despite all the funds you may have spent on state-of-the-art security software, the bad guys are just one gullible user click away from staging an all-out invasion. To make matters worse, that user might well be you! Recent surveys show that executives can be some of the biggest culprits when it comes to clicking on phishing links and opening malicious email attachments.

Yet by far the most effective in combating these attacks is also one of the most poorly implemented – security awareness training. The long list of “worst practices” for user education is almost endless – break room briefings while people eat lunch and catch up on email; short instructional videos that provide no more than superficial understanding; and the time-honored practice of hoping for the best and doing nothing.

2) Injection Vulnerabilities

Every time an application passes untrusted data to an interpreter as part of a command or query, without escaping or parameterizing it, you have an injection vulnerability. There are many flavors of this type of vulnerability, but the most common ones affect SQL, LDAP, XPath, and XML parsers, as well as operating system shells.

Obviously, you want to prevent these while the app is being written, because finding them once the app is deployed is hard and fixing them then can be costly. Even so, you should have outside pentesters check your internet-facing web apps on a regular basis. If you don't do it, the hackers will.

3) Buffer Overflows

A buffer overflow vulnerability exists when an app writes more data into a buffer than that buffer can hold. The excess overwrites adjacent memory, and an attacker who controls it can corrupt control data such as a saved return address and redirect execution to code of their choosing. Buffer overflow attacks are quite common, but they are harder to exploit than injection attacks, especially on platforms with stack canaries, non-executable memory and address space layout randomization.

4) Sensitive Data Exposure

This happens any time an attacker gets access to sensitive user data, whether at rest or in transit, including backups and user browsing data.

Some examples are breaking into data storage, intercepting transfers between a server and the browser, or tricking an e-commerce application into changing items in a cart. The main cause is either no encryption at all or badly implemented encryption: weak algorithms, hard-coded keys, or passwords stored with a fast, unsalted hash. Destroying storage media in the proper way is also a very important factor, and that includes thumb drives.
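The "badly implemented encryption" case most often seen in breach dumps is the password table, so here is an added example (not code from the original post) contrasting an unsalted fast hash with a salted, iterated key derivation function from the Python standard library. The `hunter2` password, the tiny wordlist and the `ITERATIONS` setting are constructed for the demo; the function names are hypothetical.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

ITERATIONS = 200_000   # assumption: tune so one hash takes roughly 100 ms on your servers


def weak_store(password: str) -> str:
    """The 'badly implemented' case: a fast, unsalted hash. Every user with the
    same password gets the same digest, and one guess tests all users at once."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker does with a leaked table of weak hashes: one cheap MD5
    per candidate word, compared against every stored digest."""
    for word in wordlist:
        if hmac.compare_digest(weak_store(word), digest):
            return word
    return None


def strong_store(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus a slow, iterated KDF (PBKDF2-HMAC-SHA256).
    Stored as a self-describing string so the parameters can be raised later
    without breaking existing records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare.
    Any malformed record (wrong field count, bad hex, unknown algorithm) is a reject."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False


if __name__ == "__main__":
    leaked = weak_store("hunter2")
    print("weak digest cracked as:", crack_unsalted(leaked, ["password", "letmein", "hunter2"]))
    record = strong_store("hunter2")
    print("strong record:", record)
    print("verify good:", strong_verify("hunter2", record),
          "verify bad:", strong_verify("hunter3", record))
```

Two identical passwords produce identical weak digests, which is exactly what makes a leaked table cheap to crack; the salted records differ every time and each guess has to be recomputed per user at the full iteration cost. Encryption in transit (TLS) and media destruction are separate controls and are not shown here.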

5) Broken Authentication and Session Management

Broken authentication and session management can be exploited when a user's account data, passwords, or session IDs leak, allowing the attacker to impersonate that user.

There are several ways to attack authentication mechanisms, for instance by brute-forcing the targeted account, grabbing a session identifier from a URL (where it ends up in browser history, proxy logs and Referer headers), replaying a session token that should have been invalidated, or compromising the user's browser.

Web developers need to look carefully at all Cross-Site Scripting (XSS) flaws and deploy the necessary countermeasures, because XSS is one of the most common methods used to steal session IDs and impersonate other users. Marking the session cookie HttpOnly keeps injected script from reading it, but does not remove the XSS flaw itself.
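An added example (not code from the original post) of the server-side pieces that close the holes just listed: random session tokens with an idle timeout, token rotation on login so a captured or planted ID is useless afterwards, a lockout counter against brute force, and a cookie built with the attributes that keep the token out of URLs and out of reach of injected script. The `USERS` table, the timeout and lockout values and the class names are assumptions for the demo; real code would store salted hashes, not the plain passwords shown here.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SESSION_TTL = 15 * 60        # assumption: 15-minute idle timeout
MAX_FAILED_LOGINS = 5        # assumption: lock the account after 5 bad passwords
LOCKOUT_SECONDS = 10 * 60    # assumption: lockout duration

# Constructed credential store for the demo; real code stores salted hashes.
USERS = {"alice": "correct horse"}


@dataclass
class Session:
    user: str
    expires_at: float


class SessionStore:
    """Server-side sessions keyed by an unguessable random token."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def issue(self, user: str, now: float) -> str:
        # 256 bits from the OS CSPRNG: not derived from the user, the time or a
        # counter, so it cannot be predicted the way a sequential ID can.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, now + SESSION_TTL)
        return token

    def validate(self, token: str, now: float) -> Optional[str]:
        session = self.sessions.get(token)
        if session is None:
            return None
        if now >= session.expires_at:
            del self.sessions[token]            # expired tokens are revoked, not kept
            return None
        session.expires_at = now + SESSION_TTL  # sliding idle timeout
        return session.user

    def rotate(self, old_token: str, now: float) -> Optional[str]:
        """Swap the ID on login or privilege change: a token planted or captured
        before this point (session fixation, replay) is useless afterwards."""
        user = self.validate(old_token, now)
        if user is None:
            return None
        del self.sessions[old_token]
        return self.issue(user, now)

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)


class AuthService:
    def __init__(self) -> None:
        self.store = SessionStore()
        self.failures: Dict[str, Tuple[int, float]] = {}   # user -> (count, locked_until)

    def login(self, user: str, password: str, now: float) -> Optional[str]:
        count, locked_until = self.failures.get(user, (0, 0.0))
        if now < locked_until:
            return None   # locked: brute force is throttled even if the guess is right
        expected = USERS.get(user, "")
        if expected and hmac.compare_digest(expected.encode(), password.encode()):
            self.failures.pop(user, None)
            return self.store.issue(user, now)
        # Unknown users are counted and locked out the same way, so lockout
        # behaviour does not reveal which accounts exist.
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILED_LOGINS else 0.0
        self.failures[user] = (count, locked_until)
        return None


def session_cookie(token: str) -> str:
    """Carry the token in a cookie, never in the URL. HttpOnly keeps script injected
    via XSS from reading it, Secure keeps it off plain HTTP, SameSite limits
    cross-site sending."""
    return f"sid={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    svc = AuthService()
    token = svc.login("alice", "correct horse", now=0.0)
    print("Set-Cookie:", session_cookie(token))
    print("valid after 60 s:", svc.store.validate(token, 60.0))
    print("valid after timeout:", svc.store.validate(token, 60.0 + SESSION_TTL + 1))
```

The `now` parameter is passed in rather than read from the clock so the timeout and lockout logic can be exercised deterministically; in production it would be `time.time()`. Lockout on its own is a blunt instrument (an attacker can use it to lock users out), so it is normally combined with rate limiting and, where possible, a second factor.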

6) Security Misconfiguration

This category of vulnerability is actually very common and one of the most dangerous. It is easy to discover web servers and apps that have been misconfigured in ways that simply let the bad guys in. Here are some typical examples of security misconfigurations:

  • Running outdated software
  • Apps still running in debug mode or that still include debugging modules
  • Running unnecessary services on the system
  • Allowing unrestricted access to server resources and services
  • Not changing default settings like keys and passwords
  • Use of default accounts
Badly configured Internet of Things devices could easily be turned into a large "ThingNet" owned by the bad guys. Think paying micro-ransoms before you can get to Game  of Thrones or get in your car. Defense-in-depth is the answer to the risks of losing your data.

The place to start, with the biggest immediate impact is end-user education which affects every aspect of your organization’s security profile. That is why it is so  important that you step all end-users through effective Security Awareness Training, and enforce compliance. Find out now how affordable this is for your organization  today and be pleasantly surprised.
http://info.knowbe4.com/kmsat_get_a_quote_now

Scan PCs for Security Problems? Nope, Scan the Users

To build a car, you need thousands of nuts, bolts, screws, and other components. Which of these is the most dangerous? According to an old joke, it's the nut behind  the wheel. The very best security system in the world will fail if a fast-talking stranger convinces you to turn it off.

Penetration testers and security analysts scan for system vulnerabilities, and very effectively, too. Laura Bell, founder and lead consultant at SafeStack, explained  to Black Hat attendees that we need to test the human side of security as well.

"I've been told that we've conquered the security problem," said Bell. "Hah! People are the path of least resistance. Why mount a $100,000 attack when you can give  someone $100 to let you in?"

Great article and interview by our friend Marcin Kleczynski, Founder and CEO of Malwarebytes where he interviews Neil Rubenking, lead security analyst at PCMag.com:
http://www.pcmag.com/article2/0,2817,2489250,00.asp?
Warm Regards,
Stu Sjouwerman

Quotes Of The Week
 
"In the realm of ideas everything depends on enthusiasm... in the real world all rests on perseverance." - Johann Wolfgang von Goethe (1749 - 1832)

"I am always doing things I can't do, that's how I get to do them."
- Pablo Picasso (1881 - 1973)
Thanks for reading CyberheistNews

Security News
 

Compliance In Half The Time At Half The Cost

I'm sure you will agree, compliance has become a major headache. It is a HUGE burden on already limited IT resources. Yearly audits have become major projects. They  are expensive in both dollars and your IT staff time.

Imagine an environment in which your organization is completely compliant 24/7/365, and where all employees work together as a team without nagging and tons of emails.  KnowBe4 Compliance Manager (KCM) can help you to achieve that state. It is an IT compliance workflow automation tool that allows you to:
    • Manage all of your specific regulatory requirements in one location (PCI-DSS, HIPAA, GLBA, SOX, etc...).

    • Eliminate duplication of effort.

    • Assign the Directly Responsible Individual (DRI) for a control.

    • Direct your auditors to one location for evidence of compliance controls being in place and up to date.

    • NEW: Auditor Role, your auditor can log in remotely and save you billable hours.
Go to this link for more info and to request a web demo:
http://info.knowbe4.com/_kcm_pci_30-0

Ransomware Hostage Rescue Slideshow

KnowBe4's Adam Alessandrini wrote our Ransomware Hostage Rescue Manual, it is a smash hit. We presented it to the CIO Insight website and they made a slideshow out of it, which summarizes the rescue manual, and added some useful information... this is pretty awesome.

Check it out at:
http://www.cioinsight.com/security/slideshows/your-organization-is-infectednow-what.html

Don’t be taken hostage by ransomware. Download now and forward/share to your friends, this is good stuff:
http://info.knowbe4.com/ransomware-hostage-rescue-manual-0

This Week's Five Most Popular HackBusters Posts

  
    1. Win10 Doesn't Stop Spying You, Even After Disabling It's Creepy Features:
      http://www.hackbusters.com/news/stories/364466-windows-10-doesn-t-stop-spying-you-even-after-disabling-it-s-creepy-features

    2. Lenovo Caught Using Rootkit to Secretly Install Unremovable Software:
      http://www.hackbusters.com/news/stories/363848-lenovo-caught-using-rootkit-to-secretly-install-unremovable-software

    3. Researchers Develop Glasses To Protect You from Facial Recognition:
      http://www.hackbusters.com/news/stories/362191-researchers-develop-glasses-to-protect-you-from-facial-recognition

    4. Facebook Fired An Intern After He Exposes How to Track Users' Location:
      http://www.hackbusters.com/news/stories/364596-facebook-fired-an-intern-after-he-exposes-how-to-track-users-location

    5. Kaspersky Accused of Producing Fake Malware to Sabotage Competitors:
      http://www.hackbusters.com/news/stories/365281-kaspersky-accused-of-producing-fake-malware-to-sabotage-competitors

Harvard CISO Shares Pearls Of IT Security Wisdom

Bob Brown reported on Harvard's CISO Christian Hamer who mentioned 5 security points, two of them concerning your users:

1) Best practices for security awareness among end users: “We’re going to be rolling out a campaign very soon focused around four best practices:
    1. We want them to apply updates whether that’s on their phone, on their operating system on their computer, or for the individual pieces of software. That’s probably one of the single best ways to protect yourself.

    2. We want them to use strong passwords, and that means unique and difficult to guess. But we also want to offer them tools, whether it’s things like password managers [Harvard has done an extensive pilot with LastPass via Internet2] or pieces like 2-step verification.

    3. We want to make sure that people click wisely, going back to phishing issues. If we can get the user to recognize that there might be something a little off about this and not go there.

    4. The last piece is about knowing your data. It’s really important to understand what do you have, whether it’s on your machine or a file share. Why do you have it? If you really still need it, and if you don’t, how can you get rid of it securely.”
2) Convincing users to buy into best practices: “[One] way to enforce the point is that these are just good practices that people should use in their online life whether it’s at work, as a student or faculty member, or just at home. There ought to be a lot of self interest there.”

You can find the other points at the article in ComputerWorld:
http://www.computerworld.com/article/2956036/security/harvard-ciso-shares-pearls-of-it-security-wisdom.html

Investors Pour Billions In To Cybersecurity Firms

Venture capital firms and corporate investors have put a record amount of money into cybersecurity companies over the past year, and there's no end in sight. CSO said: "Last week we reported that the cybersecurity market is white hot, and we shared a list of mergers and acquisitions in the space. We promised to follow up this week with VC and corporate investment deals, so here it comes.

"Before we give you the list of deals, let's set the stage with some cyber market figures and goings-on. The worldwide cybersecurity market is defined by market sizing  estimates that range from $77 billion in 2015 to $170 billion by 2020. We broke these numbers down in a previous blog. Globally, venture-backed cybersecurity companies  raised $1.9 billion last year, a record, according to Dow Jones VentureSource":
http://www.csoonline.com/article/2968438/security-industry/investors-pour-billions-in-to-cybersecurity-firms.html?

