CyberheistNews Vol 1, #14
Editor's Corner
Phishing Target Of The Week: Your Spouse
Chris Larsen, head of Blue Coat Systems' research lab, outlined a
recent attack where the bad guys targeted executives of a major
corporation through their spouses. The logic was that at least one
executive would have a poorly secured PC at home shared with a
non-tech savvy spouse, which would then provide the backdoor needed
to compromise the executive and gain access into the target company.
This type of attack is called 'whaling', going after all the
executives of an organization. And often, their email addresses
are easy to find. KnowBe4 provides a one-time free service called
Email Exposure Check. We will do a 'deep search' on the Internet
and report back to you which email addresses with your domain name
are floating out there on the Net. Request your free EEC here:
http://www.knowbe4.com/eec/
This Is National Cyber Security Awareness Month!
The Department of Homeland Security and the National Cyber Security
Alliance are sponsoring this yearly event. The idea is to raise
awareness and oh boy it's needed. October is a great month to get
budget for your security awareness training.
The point to make is that awareness is a continuous process. You might
be able to check a compliance box if you subject all employees to
a death-by-powerpoint once a year, but you are shooting yourself in
the foot by doing so.
You really need to ding in security awareness on a constant basis.
Humans need education, education, education. "Use it or lose it" is
very much applicable here, and you simply cannot afford employees
clicking on phishing links, infecting workstations and letting hackers
in freely.
"What's a Company's Biggest Security Risk? You."
A bunch of people did not get to read the article about social
engineering in the Wall Street Journal where KnowBe4 is mentioned
on page two, column one. We got a PDF version of it, which you can
now read. Click here to read the entire Wall Street Journal article:
http://www.knowbe4.com/about-us/knowbe4-in-the-news/
Quotes of the Week
"A vigorous five-mile walk will do more good for an unhappy but
otherwise healthy adult than all the medicine and psychology in
the world." - Paul Dudley White
"If it weren't for the fact that the TV and the refrigerator are
so far apart, some of us wouldn't get any exercise at all." - Joey Adams
(Maybe this one should be updated to change "TV" to "computer".) Tip 'o the Hat to Deb Shinder.
Please tell your friends about CyberheistNews! They can subscribe here:
http://www.knowbe4.com/about-us/cyberheist-news/
5 More Dirty Tricks: Social Engineers' Latest Pick-Up Lines
Joan Goodchild, Senior Editor of Chief Security Officer Magazine did
a good job identifying the most recent scams. "From a new twist on
tech support to playing the odds with a large number of desperate job
seekers, today's social engineers are getting very specific in their
plans to manipulate their marks.
"You may now be savvy enough to know that when a friend reaches out
on Facebook and says they've been mugged in London and are in desperate
need of cash, that it's a scam. But social engineers, the criminals
that pull off these kinds of ploys by trying to trick you, are one step
ahead.
Mark Patterson, CEO of Maine-based PATCO Construction Inc., is one of
the more noted fraud victims. He sued his former bank after his company
lost more than $500,000 to fraudsters. "The FBI realizes this is a
huge threat to our businesses and government entities," he says,
pleased that this topic has made its way to Congress. "The laws
need to be changed to hold the transferring agencies, i.e., the
banks, accountable for the ACH fraud."
Social engineering attacks are getting more specific, according to
Chris Hadnagy author of Social Engineering: The Art of Human Hacking.
"Targeted attacks are earning social engineers better results," he said.
What that means is they may need to do more work to find out personal
information, and it may take longer, but the payoff is often larger.
"Attacks now are not just a broad spam effort, sending out a million
emails with an offer for Viagra," said Hadnagy. "These are now individual
attacks where they are going after people one by one." Here are five
new scams circulating that employ much more individual involvement:"
1) "This is Microsoft support we want to help"
2) "Donate to the hurricane recovery efforts!"
3) "About your job application..."
4) "@Twitterguy, what do you think about what Obama said on #cybersecurity?"
5) "Get more Twitter followers!"
Read more details about each scam here:
http://www.csoonline.com/article/690451/5-more-dirty-tricks-social-engineers-latest-pick-up-lines?
Government Security Incidents Soar by 650% in 5 Years
It was all over the news this week, but Eric Chabrow over at the
GovInfo Security site had a good write-up. The Government Accountability
Office blames weaknesses in security controls at 24 major agencies
for the skyrocketing statistics.
"Security incidents reported over the past five years have placed the
confidentiality, integrity and availability of sensitive government
information and information systems at risk, an annual GAO review
reveals.
"In its annual review required by the Federal Information Security
Management Act, the GAO blames weaknesses in information security
controls at 24 major federal agencies for creating the risk environment.
"Agencies have not fully implemented their information security
programs," Gregory Wilshusen, GAO director of information security
issues, writes in the 49-page report. "As a result, they have limited
assurance that controls are in place and operating as intended to
protect their information resources, thereby leaving them vulnerable
to attack or compromise." Yowser, look at those ugly graphs. Read
the rest of the article here:
http://www.govinfosecurity.com/articles.php?art_id=4114
Analysis: Dim Prospects For Cybersecurity Law In 2011
And the irony is that the state of Infosec Legislation in Congress
is not good at all. There are many bills floating around, but not
much progress in getting any of them written into law. Melissa
Hathaway at GovInfo Security sat down and counted all the pending
cybersecurity bills. There are 32, excluding intelligence and defense
authorization bills. Here is a table with all the initiatives and
their status:
http://www.govinfosecurity.com/articles.php?art_id=4100
Invitation: Server Hardware, Database Reliability Survey
KnowBe4 and ITIC are teaming up to conduct an online survey on Server
hardware and Database Reliability. The aim of this survey is to gauge
user satisfaction with the reliability and uptime of your major server
and DB platforms and your satisfaction with the pricing, service and
support you receive from your vendors. Are the hardware and databases
performing up to expectations? Are they too expensive or too hard to
use? Tell us what you think.
As always, we know that you're busy. This survey should take only a
few minutes to complete. All responses are kept confidential. The
survey is for informational purposes only. No one will call or Email
you with any sales pitches.
Once again, ITIC and KnowBe4 are giving away a free iPad and a free
iPod to the survey respondents who provide the most insightful
response to the final essay question. So be sure to leave your Email
address along with your comment within the Essay question response.
Once the survey is finalized, we'll publish the Executive Summary
and survey highlights in the Cyberheist newsletter. To further show
our appreciation, anyone who completes the survey can get a
complimentary copy of the Report once it's published by Emailing:
ldidio@itic-corp.com.
Here's the link to the survey:
https://www.surveymonkey.com/s/26HR5TY
Monster Spam Campaigns Lead to Cyberheists
Phishers and cyber thieves have been casting an unusually wide net lately,
blasting out huge volumes of fraudulent email designed to spread
password-stealing banking Trojans. Judging from the number of victims who
reported costly cyber heist in the past two weeks, many small to medium
sized organizations took the bait. More at the Brian Krebs Blog:
http://krebsonsecurity.com/2011/10/monster-spam-campaigns-lead-to-cyberheists/
'Well Organized, Sophisticated, Fast' Cybercriminals Scare US Banks
The CSO website had a very interesting interview with Paul Smocer, the
new leader of BITS, the U.S. financial industry's IT policy arm. He's
an expert in email security and authentication.
Smocer is taking the lead of BITS at a time when financial services
firms are responding to the emergence of new technologies -- including
social networking, mobile computing and cloud computing -- while
remaining under attack from ever-savvier cybercriminals. BITS is
coordinating efforts by the U.S. banking industry to create new
top-level domains -- such as .bank, .insure and .invest -- that would
be restricted to financial services firms and could offer consumers
extra protection from phishing, malware and other attacks.
They interviewed Smocer about the online threats and opportunities that
he is most concerned about. Here are excerpts from the conversation:
http://www.csoonline.com/article/690922/-well-organized-sophisticated-fast-cybercriminals-scare-us-banks?
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
Prairie dogs love to ride around the house on an "iRobot Roomba"
vacuum cleaner:
http://www.flixxy.com/prairie-dogs-on-irobot-roomba.htm
"Easy Rider" on the streets of Poland with a powered paraglider engine
on his back:
http://www.flixxy.com/propeller-bike.htm
Russian biker and musician Alexander Ishutin mounts a drum kit on his
motorcycle and takes the show on the road:
http://www.flixxy.com/russian-motorcycle-bandwagon.htm
Loosecubes is a community marketplace for workspace. They connect people
who have great workspace with people who need it. Great concept:
http://www.loosecubes.com/
Italian kid loves Led Zeppelin (with English subtitles). You gotta
see this:
http://www.flixxy.com/italian-kid-loves-led-zeppelin.htm