CyberheistNews #4.5



CyberheistNews Vol 1, #4.5







Editor's Corner



KnowBe4


[caption id="attachment_1367" align="alignleft" width="150" caption="Stu"]cybercrime[/caption]

Why Your Security Sucks



No, I did not come up with this title myself. That was Eric Knorr over at

InfoWorld. But when I read the article, I thought to myself, great idea,

how come I never came up with this?. He said: "The maddening thing is that

simple measures, well known for years, would prevent most attacks. According

to Roger Grimes (InfoWorld's security expert), 90 percent of exploits involve

users downloading and installing items they shouldn't. Often, these exploits

begin with scareware messages that tell users their system has been

compromised and that they should install an antivirus program to remove

the infection, which of course turns out to be malware itself.







"It's hard to train users to ignore fake alerts, Roger says, especially when

they don't know what a real virus alert looks like. I've asked every company:

Do you give a picture to your employees of what your antivirus program looks

like when it finds a virus? Never. They never do. Ever. If this is the No. 1

problem in most environments today -- and it is -- why are we as defenders

not even doing the simple stuff? Is it too hard to take a picture and tell an

end-user, "this is what your product looks like?" It's not. I'm not sure if

it's lethargy or what. Every company I've ever said that to ... none of them

have ever taken the picture. They're like "Oh, you're right, good idea,"

and then they don't do anything."









So, take a screenshot of what it looks like when your existing antivirus

product finds malware, and send it to all users. Like... now?!







Here is the whole article, which is warmly recommended:


http://www.infoworld.com/t/security/why-your-network-security-sucks-630










ISAT Version 1.5 Released!







We are happy to announce the release of Version 1.5. There

is some good news for all our customers and people that are

in the process of running the Phishing Security Test.







1. An account can now have more than one account owner.

This is very handy if you want two people to be able to

manage the site, e.g. adding users. The first account

owner can navigate to the Users page and make any user

an account owner by clicking on 'Make owner' link.

Any account owner can revoke the account owner privileges

to any account owner (except to the first account owner

who opened the account)







2. Users can now be bulk imported by an account owner.

The account owner can navigate to the Users page, click on

the Import Users link, enter user email addresses (one per line)

and click import. All users will be imported. Optionally,

the account owner can provide a password in the "password"

field. If the password is specified, all the users will

have the same password, and they can log in without the

need to register, by following the link:


https://training.knowbe4.com







Note: If the password is not specified, users still need

to go through the self-register sign-up process at:


https://training.knowbe4.com/signup







3. An account owner can see users that never signed in.

On the Users page, there's a new column in the table

"Last sign-in" containing the date when the user last

signed in. Also the table has a column "Joined on"

representing the date the user registered for training.







4. The 20-question test at the end has been updated with

answers that point the employee to existing policy on what

to do with spam and phishing that made it through the filters.







5. We have a new campaign: "Security Hints and Tips". You

can schedule this via the same Phishing Security Test option,

and it allows you to send ready-made templates with security

best practices.







6. You can now have a custom landing page where you can

have employees wind up after they fail a phishing test. This

page can be created by your own team, and lives on your

own website.







We are excited to announce V1.5 is now available! Existing

customers, contact support regarding upgrading to this new version.


support@knowbe4.com







Bank Gets Sued Over $2,000,000 Cyberheist





A judicial decision came down last week from a District Court in Michigan.

Experi-Metal fell victim to a major cyberheist and then sued their bank

(Comerica) over a nearly $2,000,000 (two-million dollars) loss. The two

major factors that led to this cybercrime were a well-crafted phishing

email message and a gullible employee.







The Experi-Metal employee fell for a phishing scam email that was disguised

as a legitimate notification from Comerica and gave the log-in credentials

to cybercriminals who then logged in to Experi-Metal’s commercial Comerica

bank account and began transferring out their funds. More at the KnowBe4 blog:


http://blog.knowbe4.com/2011/06/20/bank-gets-sued-over-2000000-cyberheist/









Quotes of the Week









"A nation that expects to be ignorant and free... expects what never was

and never will be."
- Thomas Jefferson.









"A positive attitude causes a chain reaction of positive thoughts, events and outcomes. It is a catalyst and it sparks extraordinary results."

- Wade Boggs







Please tell your friends about CyberheistNews! They can subscribe here:


http://www.knowbe4.com/about-us/cyberheist-news/





Need more IT security budget? Give This Book To Your Boss







"The book is well crafted and an intoxicating read - I couldn't put it down." - Paul Wright







"Anyone who uses a computer connected to the Internet needs to know this information to protect themselves." - H. Heller







"As both an IT Pro and a businessman, I highly recommend this book for anyone concerned about online threats." - C. Contor







"Stu Sjouwerman informs in a way that managers can understand, and "techies" can relate to. He goes in detail about the oft-overlooked (and in my opinion THE most dangerous) part of online security: The Human Element." - Robert Folden







"If you fall victim to a cyberheist after reading Sjouwerman's book, shame on you." -- Dirk A. D. Smith







Buy and Read Cyberheist!


http://www.cyberheist.com/





KnowBe4












Selected Dataloss Incidents This Week







Not many people are aware of the excellent work that the people at the www.datalossdb.org do. They gather all cyber security events and put these in a database, free for everyone to query. Here are some selected incidents of last week. There are a lot more, varying from records dumped instead of shredded to stolen laptops with confidential information.







Do yourself a favor, and take a minute to review this 'Defense-In-Depth'

page. It clearly shows and explains the six areas you need to defend,

and how it all -starts- with Policies, Procedures & Awareness.
http://www.knowbe4.com/resources/defense-in-depth/





Selected Incidents:







Reported Date: 2011-06-17


Summary: Hackers acquire 1,290,755


users' names, emails addresses, dates


of birth and encrypted passwords.


Organization: SEGA


http://datalossdb.org/incidents/3870







Reported Date: 2011-06-17


Summary: 43,000 consumers' health


information 35,000 personal representatives'


contact information on stolen laptop.


Organization: Area Agency on Aging, Inc.


http://datalossdb.org/incidents/3867





Reported Date: 2011-06-16


Summary: 18,000 user account names,


passwords, email addresses, and birth


dates accessed by hacker.


Organizations: BioWare, Electronic Arts (EA)


http://datalossdb.org/incidents/3862







Reported Date: 2011-06-13


Summary: 200,000 usernames, email


addresses and passwords acquired by hacker.


Organization: Bethesda Softworks


http://datalossdb.org/incidents/3839







Reported Date: 2011-06-11


Summary: Virus may have exfiltrated


12,000 alumni, faculty, and staff Social


Security Numbers


Organization: Penn State Altoona


http://datalossdb.org/incidents/3837







Reported Date: 2011-06-11


Summary: 300,000 workers’ compensation


applicants’ names and Social Security


Numbers were exposed on Internet.


Organization: Southern California


Medical-Legal Consultants.


http://datalossdb.org/incidents/3836







Reported Date: 2011-06-10


Summary: 26,000 email addresses


and passwords of porn site users


acquired by hackers; some posted online.


Organization: pron.com


http://datalossdb.org/incidents/3849







Reported Date: 2011-06-09


Summary: Email addresses and


encrypted passwords of forum users


acquired by hacker.


Organization: Epic Games


http://datalossdb.org/incidents/3856



---------------------





You can find all of them at:




http://datalossdb.org/












KnowBe4






The Cyberheist Closest To You







We now have a Google map, with many hundreds of cyberheist incidents, and

the place where they happened. Check out the cyberheist closest to you, and

find out what was stolen - cash straight from the bank account or files

that contained confidential data:


http://www.knowbe4.com/resources/cyberheist-map/



KnowBe4






Loose Keystrokes Sink Cybersystems



In the Wall Street Journal of June 15, Richard Clarke wrote an op-ed about

China's cyberassault on America. John Moynihan, President of Minuteman

Governance, wrote in and said: "The breaches referenced by Mr. Clarke had a

common signature: They were caused by the actions of employees who worked

within the "hacked" organization.





"Organizations have traditionally addressed the cyber threat by focusing on

myriad technological controls, while often neglecting critical nontechnical

measures. The implementation of clear acceptable-use policies, a comprehensive

employee training program and ongoing risk assessments are central to an

information-security strategy. Although firewalls, virus protection and

encryption must be part of a company's security approach, the most

sophisticated of these technologies are neutralized by the arbitrary keystroke

of an untrained or unwitting employee.





"I have remediated dozens of data security incidents that were caused by

either an employee, contractor or vendor who worked within the victimized

organization. By opening infected email links, using compromised USB drives,

accessing sensitive data without authorization, visiting nonbusiness websites,

using mobile devices irresponsibly and opening attachments from unknown

sources, employees routinely expose our financial system, military, government

agencies and critical infrastructure to cyber attack.





"Data breaches will continue to occur, likely with increased frequency, until

there is widespread recognition that technology alone is insufficient to

protect the nation's critical systems."





We could not agree more.





KnowBe4






Cyberheist 'FAVE' LINKS:





* This Week's Links We Like. Tips, Hints And Fun Stuff.







Parahawking adventure over the skies in Nepal. Birds of prey fly with


paragliders guiding them to thermals in exchange for food:


http://www.flixxy.com/parahawking-over-nepal.htm





A new $60 Chinese watch (fake “Diesel” brand) records HD video with four

infrared lights for shooting in complete darkness. It shoots 1080p at 30

frames per second, and stills at a max of 4,032 x 3,024 pixels. Wow:




http://www.etronixmart.com/hd-1080p-ir-night-vision-waterproof-dvr-spy-watch-4gb-p-846.html









Nic Case broke the world speed record for radio-controlled cars at the Rockingham

Dragway with a 161.76 mph run:




http://www.flixxy.com/worlds-fastest-rc-car-161-mph.htm







In a galaxy far, far away, the board of the Tripartium corporation meet to decide the fate of planet Earth. A clever and funny, but thought-provoking ad.


http://www.flixxy.com/planet-earth-ad.htm





The Grand Rapids LipDub Video was filmed with 5,000 people, and involved a

major shutdown of downtown Grand Rapids, which was filled with marching bands,

parades, weddings, motorcades, bridges on fire, and helicopter take offs. It

is the largest and longest LipDub video, to date and it’s all in one take.

Roger Ebert even called it "The Greatest Music Video Ever Made":


http://www.flixxy.com/greatest-music-video-grand-rapids.htm




Subscribe to Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews