CyberheistNews Vol 5 #24 Scam Of The Week: Resume Ransomware & The Truth About The OPMgate Hack

CyberheistNews Vol 5 #24 June 16, 2015

Scam Of The Week: Resume Ransomware

The SANS InfoSec Forums noted that since Monday May 25th new CryptoWall 3.0 ransomware attacks started, using both malicious spam and the Angler exploit kit (EK). The attack wave has increased significantly since Monday June 8th, and the use of the Angler EK appears to have started around the same time.

Both campaigns are active as of Friday June 12th. SANS published a flow chart that shows the path to infection, and you can see it at our blog.
http://blog.knowbe4.com/annoying-new-ransomware-attack-uses-girl-resumes

I would send an email to your friends and employees, something like this, edit if you want:

"Warning: there is a ransomware phishing attack going on which uses attachments with fake girl resumes, and this attack also uses compromised websites to infect your computer.

Do NOT open any attachments that look anything like a zipped resume, and be careful to not go to unknown websites. Make sure that all the applications on your computer are up to date. (for friends and family you could add that they can go to Secunia to download the free Secunia PSI which scans for old versions of software that need to be updated.)"
http://secunia.com/vulnerability_scanning/personal/

It's important to inoculate your users against this new infection tactic. There is a new template that was shared to the community templates, into a new category called ransomware. Go to Phishing -> Email Templates -> Community Templates -> Ransomware and choose "Resume". Use that to send to all your users sooner rather than later.

By the way, if you created a template yourself that turned out to be very successful (high Phish-prone percentage) you can share it with your peers at the Community Templates section.

BREAKING NEWS - LastPass Hacked

There was no time to get this into the newsletter just before publishing deadlines, but here is a blog post with what happened and what you can do about it:

http://blog.knowbe4.com/lastpass-hacked-be-alert-for-phishing-attacks

The Truth About The Massive OPMgate Hacking Scandal

The recent U.S. Government Office of Personnel Management hack is getting worse by the day. In Saturday's Wall Street Journal they revealed that apart from more than 4 million personal records including SSN, now their security clearance database also has been exfiltrated.

The two security clearance forms, known as Standard Form 85 and 86 contain extensive information about family members, mental health, drug use, police record and credit history, and lists of foreign contacts -- people that a person might know abroad. These forms have more data than a mortgage application. Because of the unforgivable error that the data was not encrypted, this is now a full-blown scandal and deserves the hashtag OPMgate.

How Could This Happen?

Well, here is a bit of history. Early 2011 the Immigration & Customs Enforcement Agency (ICE), part of DHS, noticed a significant uptick in "mail infections and privacy spills" in its networks. It determined that the spike was due to ICE employees accessing their personal webmail accounts from office computers. ICE senior managers then terminated webmail access in September 2011 as a hacking security precaution.

I would say that was the right thing to do, agreed? Not so fast. The American Federation of Government Employees filed a grievance with a federal arbitrator, claiming that any change in access to private email must first be collectively bargained with the union.

HUH? Yup.

ICE showed the arbitrator evidence of the keyloggers, Trojans and other malware that foreign intelligence services had been able to drop on government employee workstations through (spear) phishing attacks. However, the arbitrator dismissed ICE’s security arguments in a mere 75 words, stating that the law didn’t give federal agencies "exclusive discretion" to manage its IT systems; so ICE had to give the union a say. You can guess what happened. Today, many federal agencies allow personnel to check their webmail from their government workstations. Unconscionable.

Two Things To Do About It Now

If you have a security clearance, assume all your highly personal data is in the hands of the Chinese and might be used to gain leverage in a multitude of ways. The expression that the price of freedom is constant vigilance and willingness to fight back is truer than ever.

In an office environment, analyze the different types of data you have, determine the sensitivity levels of that data, and start encrypting your crown jewels both at rest and in flight ASAP. Make this a TOP priority.
Formulate and disseminate security policy that forbids employees to check their webmail in the office. Explain why, and tell them they should use their smartphone for that. Block webmail portals in your firewalls and/or other network edge devices. There are lists available you can copy and paste.

And oh, stepping all employees through new school security awareness training would not hurt either. That way they will truly understand why security policies are put in place. Find out how affordable this is for your organization. Ask for a quote here and you will be pleasantly surprised:
http://info.knowbe4.com/kmsat_get_a_quote_now

Warm Regards,
Stu Sjouwerman
feedback@knowbe4.com

Quotes Of The Week

" The truth is like a lion. You don't have to defend it. Let it loose. It will defend itself."
- St. Augustine

" Three things cannot be long hidden: the sun, the moon, and the truth." - Buddha

Thanks for reading CyberheistNews!

Security News

Compliance In Half The Time At Half The Cost

I'm sure you will agree, compliance has become a major headache. It is a HUGE burden on already limited IT resources. Yearly audits have become major projects. They are expensive in both dollars and your IT staff time.

Imagine an environment in which your organization is completely compliant 24/7/365. We have a new product, KnowBe4 Compliance Manager (KCM), that can help you to achieve that state. It is an IT compliance workflow automation tool that allows you to:

Manage all of your specific regulatory requirements in one location (PCI-DSS, HIPAA, GLBA, SOX, etc...).
Eliminate duplication of effort.
Assign the Directly Responsible Individual (DRI) for a control.
Direct your auditors to one location for evidence of compliance controls being in place and up to date.

New Features:

Auditor Role, your auditor can log in remotely and save you billable hours.
Manager Approvals - Now, each Control can be assigned a user responsible, and a manager responsible.
Each Control can now have a level of evidence required in order for it to be submitted to the approving manager.

Go to this link for more info and to request a web demo:
http://info.knowbe4.com/_kcm_pci_30-0

10 Highest-Paying IT Security Jobs

High-profile security breaches, data loss and the need for companies to safeguard themselves against attacks is driving salaries for IT security specialists through the roof. Here are the 10 highest-paying security roles, including a good short description of what each of these jobs is responsible for.

Interesting slide show over at the CSO site. Check it out, holy schmoly these salaries are high. Problem is, most of these jobs are in areas that are extremely expensive and have major traffic problems. You can make oodles of money, but prepare not to have a life and permanent lack of sleep:
http://www.csoonline.com/article/2933416/infosec-careers/10-highest-paying-it-security-jobs.html?

Gone Phishing: How I Taught My Users To Stop Clicking Everything

Familiar with SpiceWorks? It's the world's largest IT Admin community. One user wrote the 392nd entry in their Spotlight on IT. This is the story. There is a link at the end to the comments which are a must-read too.

"We have a problem in our company: people click on EVERYTHING. A file isn’t opening? Keep clicking on it. A web page isn’t loading? Click on it a few dozen times. An email comes in from a sender you don’t recognize? Better click on the links to see what’s in them.

During 2014, we started getting pounded with a ton of spam messages. Luckily our Barracuda Spam Firewall caught most of them, but we were getting upwards of 3,000–5,000 spam messages per day when previously we were getting 600–800 or less. This wave of spam was fairly constant throughout most of the year, and as a result more spam messages were making their way through the filter — which meant more malicious emails were making their way into users’ mailboxes.

By Q3, we’d had around 80 malicious emails get through our spam filter, some of which went to multiple users. A few CryptoLocker attachments got through, but luckily our AV caught them when users tried to open them.

At this point, I’d been begging my boss to let me do a phishing test. I first brought it up in late 2013 when I noticed our users’ habit of clicking everything, but I was shot down. He still wasn’t sold on the idea of doing a phishing test even after the spammy year 2014 was becoming.

Then it happened...

Read the story at our blog:
http://blog.knowbe4.com/gone-phishing-how-i-taught-my-users-to-stop-clicking-everything

Execs Oblivious To Security Threats: Survey

This is good ammo if you run into resistance when you ask for IT security budget. Send them a link to this article that reports on some recent surveys.

"Surveys conducted by two cybersecurity firms reveal C-level overconfidence, uncertainty and inattentiveness in regards to network security and insider threats increases the potential for a breach at many organizations.

The Sunnyvale, Calif.-based cybersecurity analytics company RedSeal’s study uncovered a high level of confusion regarding security issues in the network infrastructure. Nearly 60% of the 350 C-level executives surveyed believe they can truthfully assure the board beyond a reasonable doubt that their organization is secure.

However, upon closer examination, the RedSeal study highlighted that less than a third of all respondents (32%) claim they have full visibility into their global network. On top of that, 86% of the respondents acknowledge gaps in their ability to see and understand what’s really happening inside the network.

At the same time, 79% admit they can’t effectively secure what they can’t see or understand. When asked if they “know for a fact that their network is currently under attack by hackers,” 29% said yes.

See the discrepancy? Read the article here:
http://www.cutimes.com/2015/06/11/execs-oblivious-to-security-threats-survey

Cyberheist 'FAVE' LINKS:

This Week's Links We Like. Tips, Hints And Fun Stuff.

Boeing’s expert crew rehearses the flying display that will be performed at the 2015 Paris Air Show. WOW. Watch full screen in HD:
http://www.flixxy.com/boeing-787-9-dreamliner-impressive-take-off.htm?utm_source=4
The 2015 Triple Crown winner American Pharaoh ran the sixth-fastest Belmont Stakes ever, but what if he were to race against Secretariat in 1973:
http://www.flixxy.com/american-pharoah-2015-vs-secretariat-1973.htm?utm_source=4
Michael John astounds the audience and judges of America's Got Talent 2015 with his magic:
http://www.flixxy.com/michael-john-does-magic-at-americas-got-talent-2015.htm?utm_source=4
A touching and romantic story about a man, a woman, flowers and the little things that make us fall in love with someone:
http://www.flixxy.com/a-declaration-of-love.htm?utm_source=4
Apple Watch turns magical at WWDC:
https://m.youtube.com/watch?v=5zcbQC8wd3M
It's Summer! Here is an easy, fast, and clean way to cut a watermelon:
http://www.flixxy.com/the-easiest-fastest-and-cleanest-way-to-cut-a-watermelon.htm?utm_source=4
A white rabbit runs for its life across an avalanche, manages to stay on top of it and emerges unharmed at the other side. Unbelievable:
http://www.flixxy.com/rabbit-vs-avalanche.htm?utm_source=4
What happens in your body when you switch from eating conventional food to organic? Dang...
http://www.flixxy.com/the-organic-effect.htm?utm_source=4
Some of the funniest bloopers in the history of golf. Hilarious:
http://www.flixxy.com/best-golf-bloopers.htm?utm_source=4
1964 Johnny Seven Oma Toy Gun Commercial. Boy how things have changed since then:
https://youtu.be/GPhZsauluXM
Out of the archives: Known as one of best tumblers in the world, Angel Rice has made her mark in power tumbling as well as All-Star Cheerleading:
http://www.flixxy.com/cheerleader-impresses-with-acrobatic-routine.htm?utm_source=4