CyberheistNews Vol 1, #13
Editor's Corner
WSJ: "What's a Company's Biggest Security Risk? You."
Yesterday, September 26, 2011, The Wall Street Journal ran a major article
which clearly makes the point that employees don't mean to be the primary
entry point for hackers. But they are.
Geoffrey Fowler is a senior special writer in The Wall Street Journal's
San Francisco bureau and he interviewed me (and quite a few other
security specialists) about hackers and social engineering.
He started out with: "Hacking attacks against companies are growing
bigger and bolder; witness a string of high-profile breaches this year
at Sony Corp., Citigroup Inc. and others. But gone are the days when
hackers would simply find holes in corporate networks to steal valuable
data. Large companies have grown wise to the threat of hacking, and
have spent the past 30 years hardening the perimeters of their networks
with upgraded technology.
"These days, criminals aren't just hacking networks. They're hacking us,
the employees. "The security gap is end users," says Kevin Mandia, chief
executive of security firm Mandiant Corp. The majority of corporate
security breaches his firm is currently investigating involve hackers
who gained access to company networks by exploiting well-intentioned
employees." He goes on with:
We Help Hackers Target Us
"Spies, fraudsters and confidence men have long engaged in what's called
social engineering to manipulate people into divulging confidential
information, often after completing thorough reconnaissance on their
victims. Now those tricks have been adapted for the Internet era. Today,
we make ourselves easy targets by posting troves of information about
ourselves and our jobs online."
"In a recent test, KnowBe4, a firm that provides security-awareness
training, set out to find what percentage of a group of companies would
be susceptible to phishing attacks. It sent phishing emails to employees
at 81 companies from a reputable and trusted server; 43% of them had
one or more employee click on the link in the emails. In a second test,
using unknown and untrusted servers that were filtered out by many
corporate email systems, still at least one person in 15% of the
companies clicked on the emails. "While this might only be one person
out of a thousand, from the point of malware, all it takes is one
person to fall for the trick and the damage is done," says Daimon
Geopfert, the leader of the security consulting practice at RSM
McGladrey Inc."
I strongly recommend reading this article, but WSJ puts it in their
archives after 7 days, so it goes away soon. Read this now!
http://online.wsj.com/article/SB10001424053111904836104576556421692299218.html?
Quotes of the Week
"A man begins cutting his wisdom teeth the first time he bites off
more than he can chew." - Herb Caen
"Almost every wise saying has an opposite one, no less wise, to
balance it." - George Santayana
Please tell your friends about CyberheistNews! They can subscribe here:
http://www.knowbe4.com/about-us/cyberheist-news/
FBI, Victims and Banks Share Latest Views on Account Takeover
BankinfoSecurity had a good article about Account Takeover Fraud.
Account Takeover is the banking term for someone hijacking your
organization's bank account and stealing as much money as possible
through unauthorized transfers.
"Corporate account takeover: Is the problem getting better or worse?
Depends on whose perspective you hear - law enforcement's, financial
services leaders' or fraud victims'. At a recent congressional hearing
in Washington, D.C., Gordon Snow, assistant director of the Federal
Bureau of Investigation's Cyber Division, said his agency is currently
investigating more than 400 cases related to corporate account takeover
incidents - cases that involve cybercriminals' attempts to drain more
than $255 million from commercial bank accounts.
Mark Patterson, CEO of Maine-based PATCO Construction Inc., is one of
the more noted fraud victims. He sued his former bank after his company
lost more than $500,000 to fraudsters. "The FBI realizes this is a
huge threat to our businesses and government entities," he says,
pleased that this topic has made its way to Congress. "The laws
need to be changed to hold the transferring agencies, i.e., the
banks, accountable for the ACH fraud."
But William Nelson, president and CEO of the Financial Services
Information Sharing and Analysis Center (FS-ISAC), says banks are
already moving in that direction, without legal mandates. He cites
the new FFIEC Authentication Guidance as a step in the right direction
by banking regulators and the industry. "The FFIEC guidance really raises
the bar for banks and credit unions to increase the amount of security,
in terms of having an in-depth layer of security," he says. "And they're
going to be examined on that next year." MORE:
http://www.bankinfosecurity.com/articles.php?art_id=4083&rf=2011-09-21-eb&elq=76fbe566cbb84ec48f18f901e016832a&elqCampaignId=404
'Right-to-Left Override' Aids Email Attacks
Brian Krebs is a leading computer and Internet security journalist. He
writes about cyber crime and wrote for The Washington Post from '95 to '09.
This is an interesting technical trick the scammers use, and it is worth
checking out.
"Computer crooks and spammers are abusing a little-known encoding method
that makes it easy to disguise malicious executable files (.exe) as
relatively harmless documents, such as text or Microsoft Word files.
The "right to left override" (RLO) character is a special character
within Unicode, an encoding system that allows computers to exchange
information regardless of the language used. Unicode covers all the
characters for all writing systems of the world, modern and ancient.
It also includes technical symbols, punctuations, and many other
characters used in writing text. For example, a blank space between
two letters, numbers or symbols is expressed in Unicode as U+0020."
More at:
http://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/
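The RLO trick works because the operating system resolves the file extension from the real code points while the display shows the reversed text. The following scanner is an added example (not code from Krebs' article or from KnowBe4); it flags attachment names carrying Unicode bidi controls whose real extension is executable, using a constructed list of sample names and a simplified rendering model.

```python
# Unicode bidirectional control characters that can make a file name
# render differently from its actual spelling. U+202E is the RLO trick.
BIDI_CONTROLS = {
    "\u202e": "RLO", "\u202d": "LRO", "\u202a": "LRE", "\u202b": "RLE",
    "\u202c": "PDF", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}
# Extensions Windows will execute directly; assumed list for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs"}


def real_extension(name: str) -> str:
    """The OS sees the raw code points: the extension follows the last dot."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def displayed_name(name: str) -> str:
    """Approximate what a user sees: text after an RLO is drawn reversed until
    a PDF (U+202C) or the end of the string; other controls are invisible.
    Real bidi layout is more involved, so this is a deliberate simplification."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def analyze_filename(name: str) -> dict:
    """Compare the real extension with the one the user would believe they see."""
    controls = [(idx, BIDI_CONTROLS[c]) for idx, c in enumerate(name) if c in BIDI_CONTROLS]
    shown = displayed_name(name)
    real_ext, shown_ext = real_extension(name), real_extension(shown)
    return {
        "name": name, "displayed_as": shown, "bidi_controls": controls,
        "real_extension": real_ext, "displayed_extension": shown_ext,
        # Flag: hidden bidi control present AND the file really is executable.
        "suspicious": bool(controls) and real_ext in EXECUTABLE_EXTS,
    }


# Constructed sample attachment names (not real IoCs).
SAMPLE_NAMES = ["Quarterly report\u202ecod.exe", "Quarterly report.docx", "photo\u202egpj.scr"]


def find_disguised(names=SAMPLE_NAMES) -> list:
    """Return analysis records for every name that should be quarantined for review."""
    return [r for r in map(analyze_filename, names) if r["suspicious"]]
```

Mail gateways and endpoint agents can apply the same check on the raw attachment name before it is ever rendered to the user.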
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
Heathrow Airport in London has unveiled the future of public transportation
with these new shuttle pods. Laser-guided and battery-operated, they go
25 miles per hour and are said to be impossible to crash:
http://www.flixxy.com/driverless-airport-pods.htm
The evolution of women's hair styles over the centuries. Interesting!:
http://www.flixxy.com/woman-hair-style-evolution.htm
Wingsuit skydiver Jeb Corliss became the first man to fly through the
Tianmen Cave, an actual hole through a mountain in central China:
http://www.flixxy.com/jeb-corliss-flies-through-tianmen-mountain-cave.htm
Take a 3 minute 'vaca' to France today with this beautiful short film about
the moment of magic that happens when you emerge from the depths of the
Paris subway system. Music by Duke Ellington:
http://www.flixxy.com/sub-city-paris-short-film.htm
Amazing HD footage of skiing, snowboarding, surfing, skateboarding, BMX, car racing, flying and cliff jumping - all taken by a tiny GoPro HD camera:
http://www.flixxy.com/gopro-2011-highlights-you-in-hd.htm