KnowBe4 Security Awareness Training Blog

RansomWeb: Cyber Criminals Hold Whole Website Hostage

Posted by Stu Sjouwerman on Jan 28, 2015 4:41:27 PM

Now this is a whole new wrinkle in criminal ransomware. Malicious hacker crews have started taking over whole websites, injecting code that encrypts and then decrypts all information file by file, on the fly and in real time, so that after some months the whole website is being encrypted and decrypted with a key that only the bad guys own. The website owner sees nothing strange happening: all the traffic is https, and apparently the process is fast enough not to create a noticeable performance hit.

[Image: website-backdoor-database-crypt]

Then, one day when the encryption process is (close to) complete, the bad guys pull the plug and ask for a ransom to turn things back on. Moreover, during the period they owned the website, they tunneled into the network and deleted or overwrote all backups, so that usable backups no longer exist. Swiss security firm High-Tech Bridge investigated the breach in December 2014 and reported on it here.

Professor Alan Woodward, security expert from the University of Surrey’s Department of Computing, said “The next step might well be the modern equivalent of protection rackets – threatening companies with being either taken offline or having their databases frozen unless they pay a regular fee.”

Brian Honan, security consultant, said the modus operandi of the RansomWeb hackers was similar to ransomware attacks against a number of SMBs he had worked with, whereby the criminals broke into the server of the victim, overwrote backups with either the encrypted data or blank data, and at a later date returned to encrypt the server. “At this stage the backups are no longer useful as they contain no workable data to restore the systems, thus leaving the victim companies with the choice of either losing all their data and rebuilding it from scratch, or paying the ransom.”

So, make sure you make regular backups, regularly test your restore function, and at least weekly make off-site backups so that you can restore if you need to!

And obviously, your employees often let these bad guys in unwittingly by clicking on a link in a phishing email, so stepping them through effective security awareness training is a must. Find out how affordable this is for your organization today.

Hat Tip to Thomas Fox-Brewster at Forbes

Scam Of The Week Child Predator Phishing Scam

Posted by Stu Sjouwerman on Jan 28, 2015 3:07:00 PM

Child Predator Phishing Scam Preys On Parents Fears

Please send a link to this blog post to your friends and family right away.

http://blog.knowbe4.com/scam-of-the-week-child-predator-phishing-scam

Just when you think phishing criminals cannot sink any further, you get confronted with a "new low". This phishing scam preys on parents' fears. The scam email looks like a warning for parents about a child predator who moved into their zip code area, but it’s really a low phishing scam.

You receive an email with a subject line like: “Alert: There is a child predator living near you!” This information is based on your “local area zip code.”  But you don’t remember signing up for such a service. 

When you open the email, it "warns" you that a predator has moved into your area and provides a link for more information. As you by now know, clicking the link infects your computer with malware that will try to steal your passwords and credit card information, up to and including your identity.

If you click on the link, you are redirected through several sites to land on the Kids Live Safe website, which is a service that sells localized reports on sex offenders. But this phishing attack is not from that website; it just sends victims there to look credible and distract your attention from the fact that your computer is now infected with malware. Here is an example of how this scam looks:

[Image: pred-scam]

Cyber criminals are getting more sophisticated by the month. It is really a must to step employees through effective security awareness training and send them simulated phishing attacks on a regular basis. Find out how affordable this is for your organization today.

Hat Tip to the BBB

CyberheistNews Vol 5 #4 Jan 27, 2015 Scam Of The Week: LinkedIn Support Phishing Emails

Posted by Stu Sjouwerman on Jan 27, 2015 9:31:00 AM

CyberheistNews Vol 5 #4 Jan 27, 2015

Scam Of The Week: LinkedIn Support Phishing Emails

The scam is at least 15 years old if not more, but unfortunately this type of social engineering still works. Remind your users one more time that emails like this can hit their inbox at any time, because some modern spam techniques are able to bypass all the mail filters you have in place. I would send them this, or something close to it. Feel free to edit and send it to all employees and friends. (You could suggest they turn on LinkedIn's two-factor authentication).

Recently, scammers are attacking people with LinkedIn accounts using phishing e-mails claiming to be a LinkedIn Tech Support message. In these fake e-mails it is stated that "irregular activities" are happening on your LinkedIn account which require a mandatory security update of your account.

Obviously this is all a scam, and the purpose of the emails is to get you to fill out an attached HTML form which is a spoofed LinkedIn login page. What you fill out does not get you logged into the site but gets sent to the bad guys who then own your account.

You can recognize this scam because the email uses a lowercase "i" instead of a capital "I" when spelling “Linkedin”. To see what the scam email looks like, check the picture at the KnowBe4 Blog. Remember: "When in doubt, throw it out!"
http://blog.knowbe4.com/scam-of-the-week-linkedin-support-phishing-emails

Despite all the software and hardware protection layers in place, things slip by on a regular basis. The bad guys have their own labs and run all the popular spam filters in-house, so they can test until they have a phishing attack that makes it through.

You really need a "human firewall" in place so stepping your users through effective security awareness training is a must these days.


Warm Regards,
Stu Sjouwerman



Quotes of the Week:

"You can tell more about a person by what he says about others than you can by what others say about him." - Audrey Hepburn

"If you can't explain it simply, you don't understand it well enough." - Albert Einstein

Thanks for reading CyberheistNews!

Security News

 

Can Bad Guys Impersonate Your Executives?

Can the bad guys impersonate one of your co-workers or your C-level execs? In other words, can your domain be spoofed? KnowBe4 can help you find out in one minute with our free Domain Spoof Test.

The Domain Spoof Test sheds light on a major potential vulnerability: email servers not being correctly configured. Bad guys using your organization's publicly available email addresses can attack your employees by impersonating (spoofing) a co-worker or executive.

We offer a free one-time Domain Spoof Test (DST) that verifies whether a hacker can disguise a malicious phishing email as a normal message from someone within your organization, such as a manager or CEO. If this is possible, hackers can easily launch a spear-phishing attack.

The only thing we do is send one email TO you, FROM you (spoofed). If you receive this email, bad guys can spoof your domain too. It takes 1 minute, so request the free domain spoof test for your own domain name. Click here and fill out the form:
http://info.knowbe4.com/domainspooftest-15-01-27
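The misconfiguration a spoof test like this probes is, in practice, a missing or non-enforcing sender policy for the domain. The following is an added example, not KnowBe4's test tooling: it assumes the standard SPF and DMARC TXT records are the mechanism in question, evaluates constructed records offline (no DNS lookups), and reports whether a DMARC-aware receiver would reject a message forging a sender at the domain.

```python
"""Judge whether a domain's published SPF/DMARC policy lets a forged
"From: someone@yourdomain" message through at a DMARC-aware receiver.

Added example, not KnowBe4's Domain Spoof Test.  DNS is replaced by a
constructed dictionary of TXT records so the script runs offline.
"""
import re

# Constructed sample TXT records for three hypothetical domains.
SAMPLE_TXT = {
    "weak.example":            ["v=spf1 include:_spf.mailhost.example ~all"],
    "_dmarc.weak.example":     [],                      # no DMARC at all
    "monitor.example":         ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc.monitor.example":  ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "strong.example":          ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_dmarc.strong.example":   ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example"],
}


def lookup_txt(name, records=SAMPLE_TXT):
    """Stand-in for a DNS TXT query (replace with a resolver for real domains)."""
    return records.get(name.lower(), [])


def parse_spf(txts):
    """Return the qualifier of the SPF 'all' mechanism ('-', '~', '?', '+'),
    '+' if the record has no 'all' term, or None if there is no SPF record."""
    for txt in txts:
        if txt.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt.lower())
            return (m.group(1) or "+") if m else "+"
    return None


def parse_dmarc(txts):
    """Return the tag=value pairs of the first v=DMARC1 record, or None."""
    for txt in txts:
        if txt.strip().lower().startswith("v=dmarc1"):
            tags = {}
            for part in txt.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess_spoofability(domain, records=SAMPLE_TXT):
    """Return a dict with 'spoofable' (bool) and a list of human-readable findings.

    SPF alone only covers the envelope sender, so a forged header From: is
    only rejected when DMARC is published with p=quarantine/reject at pct=100.
    """
    spf_all = parse_spf(lookup_txt(domain, records))
    dmarc = parse_dmarc(lookup_txt(f"_dmarc.{domain}", records))
    findings = []

    if spf_all is None:
        findings.append("no SPF record published")
    elif spf_all != "-":
        findings.append(f"SPF ends in '{spf_all}all' instead of '-all'")

    policy, pct = "", 100
    if dmarc is None:
        findings.append("no DMARC record published")
    else:
        policy = dmarc.get("p", "").lower()
        try:
            pct = int(dmarc.get("pct", "100"))
        except ValueError:
            pct = 0
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC policy p={policy or 'missing'} is not enforcing")
        elif pct < 100:
            findings.append(f"DMARC pct={pct} applies the policy to only part of the mail")

    enforcing = dmarc is not None and policy in ("quarantine", "reject") and pct == 100
    return {"domain": domain, "spoofable": not enforcing, "findings": findings}


if __name__ == "__main__":
    for name in ("weak.example", "monitor.example", "strong.example"):
        result = assess_spoofability(name)
        verdict = "SPOOFABLE" if result["spoofable"] else "protected"
        print(f"{name}: {verdict}; " + ("; ".join(result["findings"]) or "no findings"))
```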

Exciting New Features We Recently Released

It's been a while since we released a full list of all recently added Kevin Mitnick Security Awareness Training features. It's getting to be a pretty exciting list! And know this is purely based on feedback you have given us in your earlier survey answers. This is everything you need and nothing you don't. "For admins by admins", and as lean as possible. Check it out, you may not yet know about some new feature that you could use!
http://www.knowbe4.com/security-awareness-training-2015-features/

Which New Training Modules Would You Like?

As part of our 2015 development roadmap, you told me that you were interested in additional training modules for your employees. Please take a minute and let me know which modules are the most important.

Also, we have an "other" field, so feel free to specify exactly what you would like to see as additional awareness training modules! Here is the link to SurveyMonkey. This should literally take one minute or less.

Thanks so much in advance!
https://www.surveymonkey.com/s/newmodules

Focus On Security Obscures Rise Of "Shadow IT"

Nearly three-quarters of IT security professionals are unaware of the amount of “shadow IT” within their organizations, according to a recent survey by the Cloud Security Alliance.

Shadow IT, according to CSA, is technology spending and implementation that occurs outside the IT department, including cloud apps adopted by individual employees, teams and business units. “Employees are more empowered than ever before to find and use cloud applications, often with limited or no involvement from the IT department,” according to the survey report, which interviewed 212 participants around the world in professional IT security roles.

Some organizations block certain cloud services altogether, such as those from Dropbox, Facebook, Apple iCloud, Tumblr, but that can be even riskier if employees seek out alternatives that have less mature security controls, CSA said. More:
http://gcn.com/articles/2015/01/20/shadow-it.aspx?s=gcntech_210115

Harvard Business Review Cybersecurity Article

President Obama’s new raft of proposals aims to address the growing concern that America is not taking tough-enough action against the increasing cybersecurity problem of nation-states and criminals (usually criminal gangs) attacking U.S. consumers and organizations.

The evildoers’ motivation for doing so is most often money, but intellectual property is also being filched, and the internet is also being used for anything from identity theft to illicit political objectives.

Good message at the end of this Harvard article: "Most important is education: Everyone — individuals, employees, companies, and boards of directors — needs to understand the new dangers." More:
http://hbr.org/2015/01/the-flaws-in-obamas-cybersecurity-initiative 

You have seen jets flying in formation. Now watch the Spanish Acrobatic Team Patrulla Aguila (Eagle Patrol) also landing them in formation:
http://www.flixxy.com/jets-landing-in-formation.htm?utm_source=4

Some other streamlined bodies in formation: Victoria's Secret Super Bowl Commercial 2015:
http://www.flixxy.com/victorias-secret-super-bowl-commercial-2015.htm?utm_source=4

This amazing brick carrier from Khulna, Bangladesh stacks 22 bricks on his head!
http://www.flixxy.com/the-amazing-brick-carrier-of-bangladesh.htm?utm_source=4

Watch two women fall in love with the Tesla Model S P85D:
http://www.autoblog.com/2015/01/20/watch-two-women-in-love-tesla-model-s-p85d-video/

OK, try not to smile when you see this video. Laughter really _is_ contagious!
http://www.flixxy.com/laughter-is-contagious.htm?utm_source=4

His mother had always told him that he was the cutest monkey in the zoo. And he believed her until one day when he was playing with a mirror:
http://www.flixxy.com/monkey-sees-himself-in-the-mirror-for-the-first-time.htm?utm_source=4

May The Best Robot Win! The new DARPA challenge - see this new hardware:
http://youtu.be/27HkxMo6qK0

Technically Funny #29: CES 2015 - The Running of the Nerds:
http://sideshownetwork.tv/podcastsEpisode.cfm?podcastid=97&episodeID=6549

Codebases - how many millions of lines of code in which product? Enlightening!
http://www.informationisbeautiful.net/visualizations/million-lines-of-code/

Centuries ago, master archers were able to perform incredible feats of archery. These skills have long since been forgotten, but the Danish archer Lars Andersen is recovering this lost technology. He can now split an incoming arrow in two. Amazing:
http://www.flixxy.com/lars-andersen-rediscovers-ancient-archery-skills.htm?utm_source=4

Copyright © 2014-2015 KnowBe4 LLC, All rights reserved.
Our mailing address is: 601 Cleveland St. Suite 930, Clearwater, Florida, 33760


Scam Of The Week: LinkedIn Support Phishing Emails

Posted by Stu Sjouwerman on Jan 25, 2015 12:15:11 PM

The scam is at least 15 years old if not more, but unfortunately this type of social engineering still works. Remind your users one more time that emails like this can hit their inbox at any time, because some modern spam techniques are able to bypass all the mail filters you have in place. I would send them this, or something close to it. Feel free to edit and send it to all employees and friends. (You could suggest they turn on LinkedIn's two-factor authentication).

"Recently scammers are attacking people on LinkedIn with phishing e-mails claiming to be a LinkedIn Tech Support message. In these fake e-mails it is stated that "irregular activities" are happening on your LinkedIn account which require a mandatory security update of your account.

Obviously this is all a scam, and the purpose of the emails is to get you to fill out an attached HTML form which is a spoofed LinkedIn login page. What you fill out does not get you logged into the site but it gets sent to the bad guys who then own your account.

You can recognize this scam because the email uses a lowercase "i" instead of a capital "I" when spelling “Linkedin”. Here is how the scam email looks. Remember: "When in doubt, throw it out!"

[Image: linkedin-email-scam]

Despite all the software and hardware protection layers in place, things slip by on a regular basis. The bad guys have their own labs and run all the popular spam filters in-house, so they can test until they have a phishing attack that makes it through.

You really need a "human firewall" in place so stepping your users through effective security awareness training is a must these days. Find out how affordable this is for your organization today.

Hat Tip to Satnam Narang at Symantec.

 

FBI Alert: Ransomware Infection Leads To Wire Transfer Fraud

Posted by Stu Sjouwerman on Jan 24, 2015 4:05:00 PM

OK, heads-up! Here is the deal. The FBI and the Internet Crime Complaint Center (IC3) two days ago warned about a new version of a man-in-the-middle scam that targets your CEO, CTO, CFO, and/or Controller. I would send these people a link to this blog post immediately. Better safe than sorry.

The FBI calls it the "Business E-Mail Compromise" (BEC), and this is the scam: your C-level exec receives a business email from an existing, well-known vendor who requests a wire transfer to a specific bank account. The email looks legit; it comes from a known, trusted business associate and is about a recent delivery or transaction.

And the whole thing is bogus. The bad guys have penetrated your network and have been monitoring and studying what went on for a considerable time, which is why they can accurately identify the individuals and protocols used to perform wire transfers within your specific business environment. In the last 14 months there were 1,198 victims in the U.S. with a total loss of 180 million dollars. The wire transfers get rapidly forwarded and usually wind up at banks in Hong Kong, so you are dealing with the Chinese cyber mafia here.

The FBI said: "Victims may also first receive “phishing” e-mails requesting additional details of the business or individual being targeted (name, travel dates, etc.) Some victims reported being a victim of various scareware or ransomware cyber intrusions, immediately preceding a BEC scam request."

It looks to be fairly obvious what goes on. Initial phishing emails and/or ransomware attacks drop keyloggers and trojans on the workstation of an employee. With these credentials they tunnel into the network and put keyloggers on C-level exec workstations. After studying the traffic, the bad guys craft an email that is carefully spoofed to look as legit as possible. There are a few different versions of this scam which the IC3.gov site specifies, link in Point 3.

What you can do about it:

  1. Alert your execs. These scams are getting more sophisticated by the month, so tell them to be on the lookout.
  2. Grab this Social Engineering Red Flags PDF, print and laminate it, and give it to your C-level execs. (free)
  3. Read the IC3 Alert in full, and apply their Suggestions For Protection.

Obviously all your employees need to be stepped through effective security awareness training to prevent social engineering attacks like this from getting through. Find out how affordable this is for your organization today.

Scam Of The Week: ISIS Attack / 12Mil New Malwares Per Month

Posted by Stu Sjouwerman on Jan 20, 2015 9:38:00 AM

CyberheistNews Vol 5 #3 Jan 20, 2015

Scam Of The Week: ISIS Attack

It is a mystery that bad guys have not jumped on this in higher volume. However, a major malware phishing campaign claiming ISIS attacks has been found in Australia.

What you may not know is that several cyber gangs use very modern techniques like Agile software development, beta testing and more. English speaking countries like Australia and the U.K. are used to test and fine-tune malware campaigns which are then unleashed on the U.S. of A.

So, thank you mister bad guy for the advance warning. We now have a heads-up about something that is going to happen in America in the very near future: malware campaigns claiming that ISIS will attack landmarks like the White House, Wall Street, or the new World Trade Center in New York. It's only a matter of time. So, let's inoculate our employees ahead of time! Send them this:

"Cyber criminals are using hoax "breaking news" events more and more to get people to click on links or open attachments. At the moment there is a scam email which claims that ISIS has warned Australian Police about new attacks in Sydney during 2015. The email tells recipients to open an attached Word document to read a detailed news story about the supposed attack threats.

"The claims in the email are bogus and the attached document is infected with malware. There are no credible news or police reports about such a warning from ISIS. You are very likely to get scam emails claiming ISIS attacks like this at the house or in the office. Do not open them, do not click links, do not open attachments and delete these emails. Remember: "When in doubt, throw it out!"

For KnowBe4 customers, we have a new template in Current Events, with the title: "Breaking News: ISIS Announces When and Where They Will Attack the US"

AV-Test: "There Are Now 12 Million New Malware Variants Per Month"

The AV-Test site reported that they found 143 million new malware samples in 2014 and 12 million new variants per month.

The independent IT security institute AV-Test regularly publishes a great statistic about the number of malware strains. Their new report reveals there are now a whopping 12 million new variants per month.

The AV-TEST Institute registers over 390,000 new malicious programs every day. These are examined using their proprietary analysis tools and classified according to their characteristics. Visualization programs then transform the results into diagrams that are updated regularly and produce current malware statistics.

Looking at the last year, the month with the greatest number of new threats was August, when over 18 million new samples were identified by AV-Test. No wonder that the average antivirus detection lag has expanded from 6 hours to 2 days. Antivirus is not dead but it cannot keep up anymore. See graph here:
http://blog.knowbe4.com/antivirus-isnt-dead-it-just-cant-keep-up

The stats reported a total of 143 million new malicious software samples in 2014, an amazing amount that shows this is automated on a (criminal) industrial scale. The data shows an exponential growth in new cyber threats recorded over the years. Mobile malware is also up 75% for 2014 compared to the year before, largely due to the proliferation of new ransomware campaigns such as ScarePakage. The number of new malware strains in 2014 is significantly higher than in earlier years. Here are some graphs that illustrate all this at the KnowBe4 Blog. (By the way, you should subscribe to the blog and get these alerts real-time.)
http://blog.knowbe4.com/av-test-there-are-now-12-million-new-malware-variants-per-month

These numbers show again that you need to work hard on your defense-in-depth. And to start out with, by far the best bang for your IT security budget is effective security awareness training. Find out how affordable this is for your organization now:
http://info.knowbe4.com/kmsat_get_a_quote_now

Train Employees And Cut Cyber Risks Up To 70 Percent

It's a well-known fact that employees are the weakest link in IT security. There is good news though! New research from our friends at Wombat Security Technologies and the Aberdeen Group gives a solid foundation to the anecdotal evidence that end-user education cuts down on data breaches. When they are exposed to cyber risks like phishing, social media, and other attack vectors, security awareness training can reduce your organization's risk by as much as 70 percent.

The newly published report concludes that despite software and hardware protection being in place, the vast majority of security incidents are caused by actions of untrained company employees. This new report clearly demonstrates that your relatively low investment in security awareness training helps you to significantly improve your level of defense-in-depth. It's a great tool to get budget allocated.

"It's important for security teams to communicate clearly about the risks that organizations are accepting when their employees' response to cyber threats is not addressed," says Derek Brink, VP and Research Fellow for Aberdeen Group, at Harte Hanks Company. "While the public disclosures of the past several months have provided some startling examples about what can happen when security awareness and training is ignored, Aberdeen and Wombat have developed this model to address the most basic and logical question that security teams so often struggle to address: How does an investment in changing end user behavior through innovative security education solutions actually reduce the organization's risk?"

The report concludes that creating budget for security awareness training is effective in changing employee behavior and measurably reduces security-related risks by between 45 and 70 percent. Well, I'm glad someone did the homework and came up with some hard numbers. You can get access to this report for FREE at the Aberdeen Group or Wombat, but you do need to register.
http://www.aberdeen.com/research/9910/RR-Changing-User-Behaviors.aspx/content.aspx


Warm Regards,
Stu Sjouwerman



Quotes of the Week:

"A lie has to be tended, watched and guarded. A truth you send out on its own." - Rick Reilly, American sportswriter.

"He who dares not offend cannot be honest." - Thomas Paine

Security News

 

Are Your Email Addresses On A Russian Phishing Site?

We are finding many U.S. commercial email addresses at a Russian phishing website. It is really a 'staging' area for emails to be posted by the criminal underground. Sadly, Google indexes this site and it makes for easy searching. Unfortunately there is nothing you can do to get emails taken down from this site, but you should be aware of what is out there.

The (free) KnowBe4 Email Exposure Check (EEC) helps to give you a better understanding of your security posture in regards to exposed email addresses on the Internet. Call it your 'email attack surface'. The emails on this Russian site are more commonly spear-phished. You can use the EEC report to flag these email addresses so that you can better tune your spam traps and monitor for email-based attacks. And obviously you specifically need to give effective security awareness training to the employees with those exposed email addresses.

Sign up for a one-time free Email Exposure Check here:
http://info.knowbe4.com/free-eec-15-01-20

Quick Reminder: InfoSec World Conference & Expo 2015

Put this in your calendar: March 23-25, 2015 - InfoSec World 2015, coming to Disney’s Contemporary Resort this March, is now just 2 months away! Don’t miss this 7-track event featuring a lineup of conference sessions, workshops and summits that address the most pressing matters in information security today. And, just for being a Cyberheist News subscriber, register with the special discount code OS15/CHN and you'll receive 10% off the conference registration fee. To register, simply call the Customer Service department, who can sign you up over the phone: 508-879-7999 ext. 501, and don't forget to mention your discount code - OS15/CHN!
www.misti.com/infosecworld

SMBs Are Now The Preferred Cybercrime Target

I have a great article that you can send to C-level execs in your constant quest for more IT security budget. The main message is simple and communicates a clear and present danger:

"Small and midsized businesses are now the preferred targets for cybercriminals – not because they are lucrative prizes individually but because automation makes it easy to attack them by the thousands, and far too many of them are easy targets."

Taylor Armerding at CSO magazine nailed it: "Does the size of your enterprise really matter to cybercriminals? Well, yes and no.

"Most experts would agree with Jody Westby, CEO of Global Cyber Risk, when she says, 'it is the data that makes a business attractive, not the size – especially if it is delicious data, such as lots of customer contact info, credit card data, health data, or valuable intellectual property.'

"But, most experts also say the reality is that Small and Midsized Businesses (SMB) are more attractive targets because they tend to be less secure and because automation allows modern cyber criminals to mass produce attacks for little investment." Here is the article:
http://www.csoonline.com/article/2866911/cyber-attacks-espionage/why-criminals-pick-on-small-business.html?

IBM: "Human Error" Contributing Factor In 95% Of Incidents

And once again, the strongest IT safeguards often don't do any good preventing a data breach if a person makes a mistake: In its 2014 Cyber Security Intelligence Index, IBM found "human error" to be a contributing factor in 95% of all incidents investigated. Here is the article:
http://www.computerworld.com/article/2867411/the-risks-of-a-big-man-made-it-disaster-are-on-the-rise.html?

Obama: "Report Data Breach Within 30 days"

President Obama on Monday outlined a proposal that would require companies to inform their customers of a data breach within 30 days of discovering their information has been hacked. But depending on what is put in and left out of any implementing legislation, the effort could well lead to more voluminous but less useful disclosure. Here are a few thoughts about how a federal breach law could produce fewer yet more meaningful notices that may actually help prevent future breaches. Article by the venerable Brian Krebs:
http://krebsonsecurity.com/2015/01/toward-better-privacy-data-breach-laws/

NASA has finally designed a REAL spaceship - suitable for longer space  journeys of up to 2 years. Watch Full Screen HD and till the end!!
http://www.flixxy.com/nautilus-x-a-real-spaceship-by-nasa-at-last.htm?utm_source=4

"How To Pick Up The Woman Of Your Dreams." Advertising campaigns try  to convince you that this is so - but would you really want a woman  who does not care for who you really are?
http://www.flixxy.com/how-to-pick-up-the-woman-of-your-dreams.htm?utm_source=4

Holy Moly. This guys is gooood. Skiing Perfection At Val Blanc France  By Candide Thovex:
http://www.flixxy.com/skiing-perfection-at-val-blanc-france-by-candide-thovex.htm?utm_source=4

The world's oldest still-running car. The De Dion is capable of reaching 38 mph, much faster than a horse-drawn carriage. Older than Daimler or Benz:
http://www.flixxy.com/the-worlds-oldest-running-car.htm?utm_source=4

WOW, you have to see this: a 3D printer that prints an entire drone in a single print, including some electronics. Super cool:
https://medium.com/the-letters/3d-printed-drones-are-finally-here-c76811cf7ee4

Introducing Meccanoid G15KS. Your personal robot from the Meccano guys, known in the U.S. as the Erector set. This is great for kids!
http://youtu.be/Q03nIupGAIQ

Olga Korbut performing the most difficult move in Gymnastics at the 1972 Olympics in Munich. Enjoy the backward somersault - it's spectacular!
http://www.flixxy.com/olga-korbut-1972-olympics-uneven-bars.htm?utm_source=4

Golden retriever is a fan of guitar music - moving his head in rhythm and making sad faces whenever the music stops. Cute!
http://www.flixxy.com/golden-retriever-loves-guitar-music.htm?utm_source=4

Huge Hippo Chases Safari Speedboat in Botswana. These large beasts can move a lot faster than you might think:
http://www.flixxy.com/huge-hippo-chases-safari-speedboat-in-botswana.htm?utm_source=4

Not only do users write their passwords on sticky notes at their desk, they also apparently will tell Jimmy Kimmel. Enjoy shaking your head in disbelief. (These people did NOT get security awareness training!!!)
https://www.youtube.com/watch?v=opRMrEfAIiI?

Copyright © 2014-2015 KnowBe4 LLC, All rights reserved.
Our mailing address is: 601 Cleveland St. Suite 930, Clearwater, Florida, 33760
Scam Of The Week: ISIS Attack

Posted by Stu Sjouwerman on Jan 19, 2015 5:19:52 PM

It is a mystery that bad guys have not jumped on this in higher volume. However, a major malware phishing campaign claiming ISIS attacks is out in the wild at the moment in Australia.

What you may not know is that several cyber gangs use very modern techniques like Agile software development, beta testing and more. English-speaking countries like Australia and the U.K. are used to test and fine-tune malware campaigns, which are then unleashed on the U.S. of A.

So, thank you mister bad guy for the advance warning. We now have a heads-up about something that is going to happen in America in the very near future: malware campaigns claiming that ISIS will attack landmarks like the White House, Wall Street, or the new World Trade Center in New York. It's only a matter of time. So, let's inoculate our employees ahead of time! Send them this:

"Cyber criminals are more and more using hoax "breaking news" events to get people to click on links or open attachments. At the moment there is a scam email which claims that ISIS has warned Australian Police about new attacks in Sydney during 2015. The email tells recipients to open an attached Word document to read a detailed news story about the supposed attack threats.

"The claims in the email are bogus and the attached document is infected with malware. There are no credible news or police reports about such a warning from ISIS. You are very likely to get scam emails claiming ISIS attacks like this at the house or in the office. Do not open them, do not click links, do not open attachments and delete these emails. Remember: "When in doubt, throw it out!"

For KnowBe4 customers, we have a new template in Current Events, with the title: "Breaking News: ISIS Announces When and Where they will Attack the US". If you are not a KnowBe4 customer yet, find out how affordable this is for your organization today.


NY Times: North Koreans hacked Sony with spear-phishing attacks.

Posted by Stu Sjouwerman on Jan 19, 2015 1:53:12 PM

The next revelation about the Sony Pictures hack: The NSA was already inside North Korea's networks and could have warned Sony about the pending attack.

I quote: "The N.S.A.’s success in getting into North Korea’s systems in recent years should have allowed the agency to see the first “spear phishing” attacks on Sony — the use of emails that put malicious code into a computer system if an unknowing user clicks on a link — when the attacks began in early September, according to two American officials."

And one more paragraph from the NY Times article: "The extensive American penetration of the North Korean system also raises questions about why the United States was not able to alert Sony as the attacks took shape last fall, even though the North had warned, as early as June, that the release of the movie “The Interview,” a crude comedy about a C.I.A. plot to assassinate the North’s leader, would be “an act of war.”"

Interesting article, and it continues to talk about the history and growing capability of North Korean cyber warfare teams. Here it is.

The picture at the right is the Chilbosan Hotel from which the North Korean Elite Unit-121 hackers operate. The hackers love the 4-star hotel with 5-star amenities a lot. As one hotel reviewer said, the room itself was new, immaculately clean with tasteful touches... "Have Hotel Will Hack"

Review: Movie Blackhat, go see it

Posted by Stu Sjouwerman on Jan 18, 2015 8:12:09 PM

I've been looking forward to this one and I was not disappointed. If you like slow-burn high-tech thrillers, please go see this movie in the theater because it is worth it. I give it an 8 out of 10. It's ambitious to try to visualize what happens during hacking, and this is one of the few movies where it's not all Hollywood fluff.

The security technology used in the movie is realistic to a degree: commands entered on the screen were in conventional Unix format and the syntax was correct. I heard an interview with the director Michael Mann, and the movie was made after extensive research. The acting was good, and I do not understand people that did not like the casting.

If you are in IT, and do not mind a 2 h 13 min run, this film will speak to you if you pay attention to the plot line. If you are not a geek, your mileage may vary because this is not a superhero movie. People are socially engineered, it's got RATs, keyboard loggers, and some special NSA code. See it with some co-workers from the IT department and you are going to have a great time.

Train Employees And Cut Cyber Risks Up To 70 Percent

Posted by Stu Sjouwerman on Jan 18, 2015 12:26:00 PM

It's a well-known fact that employees are the weakest link in IT security. There is good news though! New research from our friends at Wombat Security Technologies and the Aberdeen Group gives a solid foundation to the anecdotal evidence that end-user education can change employee behavior. When they are exposed to cyber risks like phishing, social media, and other attack vectors, security awareness training can reduce your organization's risk by as much as 70 percent.

The newly published report concludes that despite soft- and hardware protection being in place, the vast majority of security incidents are caused by actions of untrained company employees. This new report clearly demonstrates that your relatively low investment in security awareness training significantly improves your level of defense-in-depth. It's a great tool to get budget.

"It's important for security teams to communicate clearly about the risks that organizations are accepting when their employees' response to cyber threats is not addressed," says Derek Brink, VP and Research Fellow for Aberdeen Group, at Harte Hanks Company. "While the public disclosures of the past several months have provided some startling examples about what can happen when security awareness and training is ignored, Aberdeen and Wombat have developed this model to address the most basic and logical question that security teams so often struggle to address: How does an investment in changing end user behavior through innovative security education solutions actually reduce the organization's risk?"

The report concludes that creating budget for security awareness training is effective in changing employee behavior and measurably reduces security-related risks by between 45 and 70 percent. Well, I'm glad someone did the homework and came up with some hard numbers. You can get access to this report for FREE at the Aberdeen Group, but you do need to register.

Find out how affordable Kevin Mitnick Security Awareness Training is for your organization. 
