Why Your Brain Shuts Down When You See A Security Alert
Been mystified why end-users do not seem to get it? Their eyes glazing over when a security alert pops up on their screen? Brand new neuroscience research using MRI shows a dramatic drop in attention when a computer user is subjected to just two security warnings in a short time.
A group of researchers from Brigham Young University, the University of Pittsburgh, and Google used functional magnetic resonance imaging (fMRI) to see whether varying (polymorphic) warning messages could prevent users from becoming accustomed to security alerts and simply clicking through them.
In a paper scheduled to be presented next month at the Association for Computing Machinery's CHI 2015 conference, they will present data that maps regions of the brain responsible for visual processing. The MRI images show a "precipitous drop" in visual processing after even one repeated exposure to a standard security alert and a "large overall drop" after 13 of them.
The problem has been given a fancy label, "habituation", but it is of course a known phenomenon. We have known about this in IT for a long time, and it was the driving factor behind the changes made between Vista and Windows 7.
The initial results seem to be positive: polymorphic warnings help reduce "habituation" making users more likely to pay attention to the warnings and not dismiss them outright. The ones that work best are animated, jiggled or zoomed in.
The researchers said: "Because automatic or unconscious mental processes underlie much of human cognition and decision making, they likely play an important role in a number of other security behaviors, such as security education, training, and awareness (SETA) programs, password use, and information security policy compliance." Here is a link to the PDF with original research:
Sure, animated security alerts that jump in your face may help for a while, but you will get the same problem over time. There is only one real solution to "habituation": filter out all the noise and show the user only the security alerts that are really important. Too bad neuroscience can't help with that.
In the meantime, stepping users through effective security awareness training and sending them frequent simulated phishing attacks using different templates all the time is a very good way to keep them on their toes and ward off habituation. Find out how affordable this is for your organization today.
Premera And Anthem Both Hacked Using Shrewd Social Engineering
Health records are the new credit cards. They have a longer shelf life and are often easier to get. There are more opportunities for fraud. No wonder that bad guys are after them with a vengeance. However, there may be even more to the recent 11 million-record Premera Blue Cross hack.
It looks like Premera was attacked using the same methods employed against health insurer Anthem, suggesting that the Chinese cyber army group behind the Anthem breach (a group called Deep Panda) is also behind Premera. In the Anthem case the Chinese were after the health records of U.S. Government employees, which could subsequently be used for highly targeted spear-phishing attacks.
The Anthem attackers created a bogus domain name, "we11point.com" (based on WellPoint, the former name of Anthem; note the "1" instead of "l"), that was likely used in phishing attacks. Companies are supposed to use security awareness training to educate employees not to fall for such social engineering tricks, but they are not always successful.
One of Deep Panda's attack methods is to create fake websites that imitate internal corporate services. In Anthem's case, the attackers set up several subdomains based on "we11point.com," created as clones of real services such as Anthem's HR, a VPN and a Citrix server.
By targeting Anthem employees with phishing emails and luring them to the fake sites, it was possible for the attackers to collect the logins and passwords and tunnel into the insurer's real systems. ThreatConnect, an Arlington, Virginia-based security company, found that Premera appears to have been targeted by the same style of attack.
On Feb. 27, ThreatConnect wrote a blog post describing its research into the Anthem attacks. In the course of that work, ThreatConnect found a suspicious domain name -- "prennera.com."
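Lookalike domains such as "we11point.com" and "prennera.com" are built from a small set of character substitutions (a digit for a letter, two letters that read as one), so a defender can screen new domains seen in mail logs or certificate transparency feeds against the organisation's own names before users ever see them. The following Python is an added example written for this newsletter; it is not code from ThreatConnect, Anthem or Premera. The protected-domain list, the confusable table and the sample domains are constructed for the example, and the edit-distance threshold of one is an assumption that suits brand labels of this length.

```python
"""Flag domains that imitate a protected brand's domain.

Added example: canonicalise common lookalike substitutions, then measure edit
distance against a short list of the organisation's own domains. Any genuine
domain, or a subdomain of one, is never flagged.
"""

# Constructed list of the organisation's own domains (example values).
PROTECTED_DOMAINS = ["wellpoint.com", "anthem.com", "premera.com"]

# Multi-character confusables are collapsed first so that "rn" becomes "m"
# rather than being handled as two separate characters.
MULTI_CONFUSABLES = [("rn", "m"), ("nn", "m"), ("vv", "w"), ("cl", "d")]
# Single-character substitutions; "i" -> "l" deliberately merges the two so
# that "1", "i" and "l" all compare equal (constructed heuristic table).
SINGLE_CONFUSABLES = {"1": "l", "i": "l", "0": "o", "3": "e", "5": "s", "7": "t", "8": "b"}


def canonical(label: str) -> str:
    """Collapse lookalike sequences to one canonical spelling of a label."""
    label = label.lower()
    for seq, repl in MULTI_CONFUSABLES:
        label = label.replace(seq, repl)
    return "".join(SINGLE_CONFUSABLES.get(ch, ch) for ch in label)


def levenshtein(a: str, b: str) -> int:
    """Edit distance where insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'hr.we11point.com' -> 'we11point'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_of(domain: str, protected=PROTECTED_DOMAINS, max_distance: int = 1):
    """Return the protected domain that `domain` imitates, or None.

    The genuine domains and their own subdomains are never flagged. Any other
    domain whose canonicalised second-level label is within `max_distance`
    edits of a protected label is reported (this also catches a swapped TLD).
    """
    domain = domain.lower().strip(".")
    for brand in protected:
        if domain == brand or domain.endswith("." + brand):
            return None
    label = canonical(registrable_label(domain))
    for brand in protected:
        if levenshtein(label, canonical(registrable_label(brand))) <= max_distance:
            return brand
    return None


def scan(domains):
    """Map each suspicious domain in `domains` to the brand it imitates."""
    hits = {}
    for d in domains:
        brand = lookalike_of(d)
        if brand is not None:
            hits[d] = brand
    return hits


if __name__ == "__main__":
    # Constructed sample of domains as they might appear in mail or DNS logs.
    sample = ["we11point.com", "hr.we11point.com", "vpn.wellpoint.com",
              "prennera.com", "anthern.com", "anthem.net", "google.com"]
    for d, brand in scan(sample).items():
        print(f"{d:24s} imitates {brand}")
```

Run against new domains from mail headers, DNS query logs or certificate transparency monitoring; a hit is a signal for blocking at the mail gateway and proxy and for a short warning to staff. The threshold should grow with label length (one edit is tight for long names and loose for three-letter ones), and the confusable table is a heuristic, so review hits rather than auto-blocking on them.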
Anthem and law enforcement have yet to say who they believe may be responsible, and the Premera investigation is in its early stages. If an attacker is named, it could put further pressure on the U.S. government, which has shown less and less tolerance for what are classified as state-sponsored attacks. More detail at ComputerWorld:
Scam Of The Week: Banking Regulator Issues New Phishing Alert
The National Credit Union Administration (NCUA) warns netizens that phishing emails containing links to a fraudulent website resembling the NCUA's are being pushed to consumers.
NCUA says the phishing emails originate from what appears to be a legitimate website managed by an Australian financial services company called National Credit Union that claims to offer financial products and services to consumers in the U.S. and Europe.
The phishing emails try to trick consumers into providing personal information, such as Social Security numbers, account numbers and log-in information, and include a request to transfer large amounts of money.
The NCUA emphasizes that it has no affiliation with the “National Credit Union” and that it would never ask consumers for such information. At the KnowBe4 Blog you will find the section: "What To Do About It" which you can copy and paste and send to your users:
Quotes of the Week:
"Do not be embarrassed by your failures, learn from them and start again." - Richard Branson
"An optimist may see a light where there is none, but why must the pessimist always run to blow it out?" - Rene Descartes - Philosopher (1596 - 1650)
Thanks for reading CyberheistNews!
Please forward to your friends. But if you want to unsubscribe, you can do that right here.
You can read CyberheistNews online at our Blog!
You Can Finally Escape From Compliance Excel Hell
It's time to get and stay PCI DSS 3.0 compliant.
Now that the new 3.0 standard has gone into effect, it's a great time to start using a new tool that will save you half the time and half the cost becoming compliant: KnowBe4 Compliance Manager 2015.
It comes with a pre-made PCI DSS 3.0 template that you can use immediately to get compliant and maintain compliance in a business-as-usual process.
Escape from Excel-hell!
Most organizations track PCI compliance using spreadsheets, MS-Word, or proprietary self-maintained software. This is inefficient, error prone, costly, and a risk in itself. Get and stay PCI DSS 3.0 compliant in half the time and at half the cost with KnowBe4 Compliance Manager™.
Get a short, live web-demo, and we will show you how easy and affordable this is.
China Finally Admits It Has A Hacker Army
China finally admits it has special cyber warfare units — and a lot of them. This is the "advanced persistent threat" cyber security experts have been talking about. Well, why are we not surprised.
For years China has been suspected by the U.S. and many other countries of carrying out several high-profile cyber attacks, but every time the country strongly denied the claims. However, for the first time the country has admitted that it does have cyber warfare divisions – several of them, in fact.
In the latest updated edition of a PLA publication called The Science of Military Strategy, China finally broke its silence, openly talked about its digital spying and network attack capabilities, and clearly stated that it has specialized units devoted to waging war on computer networks.
Joe McReynolds, an expert on Chinese military strategy at the Center for Intelligence Research and Analysis, told TDB that this is the first time China has explicitly acknowledged that it has secretive cyber-warfare units, on both the military and the civilian-government side.
"It means that the Chinese have discarded their fig leaf of quasi-plausible deniability," McReynolds said. "As recently as 2013, official PLA [People's Liberation Army] publications have issued blanket denials such as, 'The Chinese military has never supported any hacker attack or hacking activities.' They can't make that claim anymore." Full story at TheHackerNews:
Despite Mobile App Risks Enterprise Does Not Have Mobile Security Policy
Here is the disconnect: 82 percent of IT pros think that BYOD in the workplace has “very significantly” or “significantly” increased IT security risks, but less than half of organizations have a security policy in place to define acceptable use.
A Ponemon Institute survey of a whopping 19K U.S. IT pros shows that while the mobile apps risks are well-known, many enterprises are not following up or dedicating the resources to combating the threat. On average, $34 million is spent on mobile app development, but only $2 million of that budget is allotted to security, according to “The State of Mobile Application Insecurity,” sponsored by IBM.
“It's just an indicator that we [the security community] have a problem, [or] a risk issue that isn't necessarily being met, at least not with respect to training and awareness,” said Larry Ponemon, chairman and founder of the Ponemon Institute, in an interview with SCMagazine.com.
To add to the problem, less than half of organizations test their mobile apps, but those who did found that 30 percent contained vulnerabilities. This, Ponemon said, makes testing all the more essential.
“The secure coding issue is a big problem because we build apps that rely on other apps that were built earlier on, instead of building apps from scratch,” he said. “Some of the bad stuff might lie in the old stuff. Testing will help you identify and prevent the really bad stuff that seems to be happening right now.”
A majority of 77% blamed a “rush to release” for why vulnerabilities existed in mobile applications. 73% said a lack of understanding and training on secure coding practices could be the reason.
Ponemon stressed that most breaches are occurring at the app layer of security, not the network level. This study demonstrates a need to slow down and be more thoughtful with app development, he said.
“Train developers so they understand what secure coding really means, so they understand their ethical responsibilities to create codes that are safe,” he said. “Create awareness because this could be a big problem.”
Security awareness training is not only for end-users. Developers would also benefit from stepping through effective mobile security training to make them aware of the risks out there.
Kaspersky AV Has Close Ties to Russian Spies
It's a real spy world tit-for-tat. Kaspersky recently revealed a U.S. based high-level hacking group. Now they have been attacked in Bloomberg for ties to the KGB (now called FSB). Here is a quote:
"Founder and Chief Executive Officer Eugene Kaspersky was educated at a KGB-sponsored cryptography institute, then worked for Russian military intelligence, and in 2007, one of the company’s Japanese ad campaigns used the slogan “A Specialist in Cryptography from KGB.”
The sales tactic, a local partner’s idea, was “quickly removed by headquarters,” according to Kaspersky Lab, as the company recruited senior managers in the U.S. and Europe to expand its business and readied an initial public offering with a U.S. investment firm.
In 2012, however, Kaspersky Lab abruptly changed course. Since then, high-level managers have left or been fired, their jobs often filled by people with closer ties to Russia’s military or intelligence services. Some of these people actively aid criminal investigations by the FSB, the KGB’s successor, using data from some of the 400 million customers who rely on Kaspersky Lab’s software, say six current and former employees who declined to discuss the matter publicly because they feared reprisals.
This closeness starts at the top: Unless Kaspersky is traveling, he rarely misses a weekly banya (sauna) night with a group of about 5 to 10 that usually includes Russian intelligence officials. Kaspersky says in an interview that the group saunas are purely social: “When I go to banya, they’re friends.” Yeah, right. More at Bloomberg:
What Are Our Customers Saying?
"I was nervous implementing our training program, because people tend to be very resistant to change here, but I have had overwhelmingly positive feedback from my users, and therefore positive feedback from our managers."
"Multiple people have commented that they were blown away by the information in the training course. They said they had no idea that criminals did that sort of thing, or how much of a problem one little email could be. Many users have also said they’ve applied their new security knowledge to their home browsing habits, and many expressed interest in re-taking the training at home with their family members present."
"Personally, I’m very impressed with the program. I went through it on one of our admin accounts, and there’s a lot of good information in there. I like that it’s presented in a way that anyone can understand regardless of their level of comfort/ability with computers. It’s definitely had a positive effect on our environment."
"Our CFO (my boss) was a very big advocate for getting the other execs to actually go through the training, and at some point people started taping their completion certificates up in his office."
"Currently, we still need to assure the last 20% of our employees take the training, and after that we will be opening up the other courses we received with our subscription for people to take at their leisure. This training course is an excellent course for users, and definitely an excellent value." - C.P. Desktop Support
Cyberheist 'FAVE' LINKS:
This Week's Links We Like. Tips, Hints And Fun Stuff.
Aerobatic pilot Sebb Stratta took his friends into the skies and filmed their reactions to the aerobatic maneuvers they experienced for the first time:
Eagle cam captures stunning footage of an imperial eagle descending over 2,700 ft (830 m) from the world’s tallest building, the Burj Khalifa, in Dubai:
You know you're having a bad day at the office or en route when you wish you had a bulletproof laptop bag – as in proof against actual bullets. This bulletproof laptop bag can stop a .44 Magnum round. I want one!
The Sokolov Troupe from Moscow is defying gravity with their most amazing teeterboard act:
Take an incredible drone flight through the world's biggest cave. Amazing:
Fishing on a little pond can be very boring. Except in Russia, where there is apparently never a dull moment:
In this eye-opening talk, investigative journalist Sharyl Attkisson shows how 'astroturf,' or fake grassroots movements, manipulate and distort media messages:
Gladys Ingle of the '13 Black Cats' changes planes and fixes new landing gear on a disabled plane in mid-air. Note: NO PARACHUTE
Three Shetland ponies save the day by chasing off a wild boar when it starts running at full speed towards Marc Polet and his wife: