CyberheistNews #13



CyberheistNews Vol 1, #13







Editor's Corner




WSJ: "What's a Company's Biggest Security Risk? You."



Yesterday, September 26, 2011, The Wall Street Journal had a major article which clearly makes the point that employees don't mean to be the primary entry point for hackers. But they are.







Geoffrey Fowler is a senior special writer in The Wall Street Journal's San Francisco bureau and he interviewed me (and quite a few other security specialists) about hackers and social engineering.









He started out with: "Hacking attacks against companies are growing bigger and bolder—witness a string of high-profile breaches this year at Sony Corp., Citigroup Inc. and others. But gone are the days when hackers would simply find holes in corporate networks to steal valuable data. Large companies have grown wise to the threat of hacking, and have spent the past 30 years hardening the perimeters of their networks with upgraded technology.





"These days, criminals aren't just hacking networks. They're hacking us, the employees. "The security gap is end users," says Kevin Mandia, chief executive of security firm Mandiant Corp. The majority of corporate security breaches his firm is currently investigating involve hackers who gained access to company networks by exploiting well-intentioned employees." He goes on with:







We Help Hackers Target Us









"Spies, fraudsters and confidence men have long engaged in what's called social engineering to manipulate people into divulging confidential information, often after completing thorough reconnaissance on their victims. Now those tricks have been adapted for the Internet era. Today, we make ourselves easy targets by posting troves of information about ourselves and our jobs online."







"In a recent test, KnowBe4, a firm that provides security-awareness training, set out to find what percentage of a group of companies would be susceptible to phishing attacks. It sent phishing emails to employees at 81 companies from a reputable and trusted server; 43% of them had one or more employee click on the link in the emails. In a second test, using unknown and untrusted servers that were filtered out by many corporate email systems, still at least one person in 15% of the companies clicked on the emails. "While this might only be one person out of a thousand, from the point of malware, all it takes is one person to fall for the trick and the damage is done," says Daimon Geopfert, the leader of the security consulting practice at RSM McGladrey Inc."







I strongly recommend reading this article, but WSJ puts it in their archives after 7 days, so it goes away soon. Read this now!

http://online.wsj.com/article/SB10001424053111904836104576556421692299218.html?









Quotes of the Week









"A man begins cutting his wisdom teeth the first time he bites off more than he can chew."
- Herb Caen







"Almost every wise saying has an opposite one, no less wise, to balance it."
- George Santayana







Please tell your friends about CyberheistNews! They can subscribe here:


http://www.knowbe4.com/about-us/cyberheist-news/



KnowBe4






FBI, Victims and Banks Share Latest Views on Account Takeover







BankinfoSecurity had a good article about Account Takeover Fraud. Account Takeover is the banking term for someone hijacking your organization's bank account and stealing as much money as possible by unauthorized transfers.







"Corporate account takeover: Is the problem getting better or worse? Depends on whose perspective you hear - law enforcement's, financial services leaders' or fraud victims'. At a recent congressional hearing in Washington, D.C., Gordon Snow, assistant director of the Federal Bureau of Investigation's Cyber Division, said his agency is currently investigating more than 400 cases related to corporate account takeover incidents - cases that involve cybercriminals' attempts to drain more than $255 million from commercial bank accounts.







Mark Patterson, CEO of Maine-based PATCO Construction Inc., is one of the more noted fraud victims. He sued his former bank after his company lost more than $500,000 to fraudsters. "The FBI realizes this is a huge threat to our businesses and government entities," he says, pleased that this topic has made its way to Congress. "The laws need to be changed to hold the transferring agencies, i.e., the banks, accountable for the ACH fraud."





But William Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center (FS-ISAC), says banks are already moving in that direction, without legal mandates. He cites the new FFIEC Authentication Guidance as a step in the right direction by banking regulators and the industry. "The FFIEC guidance really raises the bar for banks and credit unions to increase the amount of security, in terms of having an in-depth layer of security," he says. "And they're going to be examined on that next year." MORE:

http://www.bankinfosecurity.com/articles.php?art_id=4083&rf=2011-09-21-eb&elq=76fbe566cbb84ec48f18f901e016832a&elqCampaignId=404



















'Right-to-Left Override' Aids Email Attacks







Brian Krebs is a leading computer and Internet security journalist. He writes about cyber crime and wrote for The Washington Post from '95 to '09. This is an interesting technical trick the scammers use, and worth checking out.







"Computer crooks and spammers are abusing a little-known encoding method that makes it easy to disguise malicious executable files (.exe) as relatively harmless documents, such as text or Microsoft Word files.

The "right to left override" (RLO) character is a special character within Unicode, an encoding system that allows computers to exchange information regardless of the language used. Unicode covers all the characters for all writing systems of the world, modern and ancient. It also includes technical symbols, punctuations, and many other characters used in writing text. For example, a blank space between two letters, numbers or symbols is expressed in Unicode as “U+0020”."

More at:

http://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/
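A defender-side check for the trick Krebs describes, added here as an example and not code from his article or from KnowBe4: it scans attachment names for the RLO character (U+202E) and its sibling Unicode bidi controls, reconstructs the name a user is likely to see, and reports the extension the operating system will actually act on. The sample filenames, the executable-extension list and the function names are constructed for this example.

```python
import unicodedata
from dataclasses import dataclass, field

# Unicode bidirectional control characters. U+202E RIGHT-TO-LEFT OVERRIDE is the
# one the article describes; its siblings are flagged too, since none of them
# has a legitimate place in an attachment name.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}

# Extensions Windows runs on double-click. Constructed for this example; not exhaustive.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}


@dataclass
class Finding:
    raw_name: str
    displayed_name: str      # what the user is likely to see
    real_extension: str      # what the OS will act on
    controls: list = field(default_factory=list)  # bidi controls present, by name

    @property
    def suspicious(self) -> bool:
        return bool(self.controls) or self.real_extension in EXECUTABLE_EXTENSIONS


def real_extension(filename: str) -> str:
    """Extension the OS uses: the text after the last '.' in the raw name.
    Bidi controls are stripped first so 'exe' followed by U+202C still reads 'exe'."""
    stripped = "".join(ch for ch in filename if ch not in BIDI_CONTROLS)
    return stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""


def displayed_name(filename: str) -> str:
    """Approximate rendering: text after an RLO is drawn reversed until a
    POP DIRECTIONAL FORMATTING (U+202C) or the end of the name; other controls
    are invisible. This is a simplified model of the Unicode bidi algorithm."""
    rlo, pdf = "\u202e", "\u202c"
    out, i = [], 0
    while i < len(filename):
        ch = filename[i]
        if ch == rlo:
            end = filename.find(pdf, i + 1)
            end = len(filename) if end == -1 else end
            segment = "".join(c for c in filename[i + 1:end] if c not in BIDI_CONTROLS)
            out.append(segment[::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1                      # invisible in the rendered name
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def inspect_filename(filename: str) -> Finding:
    controls = [unicodedata.name(ch) for ch in filename if ch in BIDI_CONTROLS]
    return Finding(filename, displayed_name(filename), real_extension(filename), controls)


def scan_attachments(names):
    """Findings a mail gateway or awareness tool should flag, in input order."""
    return [f for f in map(inspect_filename, names) if f.suspicious]


# Constructed attachment names: one clean document, one RLO-disguised
# executable (shown to the user as 'invoice_exe.doc'), one plain executable.
SAMPLE_ATTACHMENTS = [
    "quarterly_report.docx",
    "invoice_\u202ecod.exe",
    "setup.exe",
]

if __name__ == "__main__":
    for f in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"shown as {f.displayed_name!r}, really .{f.real_extension}, "
              f"controls: {f.controls or 'none'}")
```

For a gateway rule the rendering model is not needed: the presence of any bidi control in an attachment name is reason enough to quarantine, and the reconstructed display name is mainly useful when explaining to a user why a file that looked like a document was blocked.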













Cyberheist 'FAVE' LINKS:







* This Week's Links We Like. Tips, Hints And Fun Stuff.





Heathrow Airport in London has unveiled the future of public transportation with these new shuttle pods. Laser-guided and battery-operated, they go 25 miles per hour and are said to be impossible to crash:

http://www.flixxy.com/driverless-airport-pods.htm





The evolution of women’s hair styles over the centuries. Interesting!:


http://www.flixxy.com/woman-hair-style-evolution.htm





Wingsuit skydiver Jeb Corliss became the first man to fly through the Tianmen Cave – an actual hole through a mountain – in central China:

http://www.flixxy.com/jeb-corliss-flies-through-tianmen-mountain-cave.htm





Take a 3 minute 'vaca' to France today with this beautiful short film about the moment of magic that happens when you emerge from the depths of the Paris subway system. Music by Duke Ellington:

http://www.flixxy.com/sub-city-paris-short-film.htm





Amazing HD footage of skiing, snowboarding, surfing, skateboarding, BMX, car racing, flying and cliff jumping - all taken by a tiny GoPro HD camera:


http://www.flixxy.com/gopro-2011-highlights-you-in-hd.htm



