CyberheistNews #26



CyberheistNews Vol 1, #26







Editor's Corner



KnowBe4





Talk about a hacker's treasure trove. One of our Email Exposure Checks (EEC)
this week dug up email addresses and user names out of a login/password dump
created by hackers: undeniable evidence that those credentials were
compromised. Another EEC we did this week found email addresses and
passwords for porn sites, in a list that was made public by LulzSec and is
available to anyone who knows where to look. Very embarrassing for an
end-user in your organization to be found on a list like that, to say the
least, and a firing offense in many organizations.







What is the EEC? A free service we provide to any organization that wants
to know what its email attack surface actually is. We do a special 'deep
search' in the four major search engines and dig out any and all email
addresses for your domain that are found floating around on the Internet.
Most organizations are surprised by how many we find out there.







The problem of course is that the bad guys can do this too: harvest the
addresses, do a bit of research on the organization, and send a custom
spear-phishing attack just to that organization. A good example would be an
email 'from the CEO' about a change in the employee benefits program. A
simulated attack we recently did for a customer got a click-through
(meaning Phish-prone) rate of more than 40%. Ouch. With that many users
handing over credentials or running whatever the link delivers, your network
would no longer be your own.
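To make concrete what "the bad guys can do this too" looks like, here is an
added example (written for this newsletter, not KnowBe4's EEC code, which is
not public) of the harvesting step: scan a pile of text that a search engine
returned, undo the usual "name [at] domain [dot] com" obfuscations, keep only
the addresses for one target domain, and flag the ones that appear in the
"address:password" layout of a credential dump. The sample pages, the people
and the domain example.com are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed stand-in for snippets a search engine would return for a target
# domain. Not real pages or people; example.com is reserved for documentation.
SAMPLE_PAGES = [
    "Contact our sales team: Jane.Doe@example.com or call 555-0100.",
    "Speaker bio: Bob Smith (bob.smith [at] example [dot] com) joined in 2009.",
    "pastebin mirror, line 4412: carol@example.com:Summer2011!",
    "List archive: <a href='mailto:dave@EXAMPLE.COM'>dave</a> wrote:",
    "Unrelated: webmaster@other-company.net and noreply@example.org",
    "Spoken form: erin at example dot com will reply within a day.",
]

# Common ways people obfuscate '@' and '.' to defeat naive harvesters.
_OBFUSCATIONS = [
    (re.compile(r"\s*[\[({]\s*at\s*[\])}]\s*", re.I), "@"),
    (re.compile(r"\s*[\[({]\s*dot\s*[\])}]\s*", re.I), "."),
    (re.compile(r"(?<=\w)\s+at\s+(?=\w)", re.I), "@"),
    (re.compile(r"(?<=\w)\s+dot\s+(?=\w)", re.I), "."),
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# "address:password" is the usual layout of one line in a credential dump.
DUMP_RE = re.compile(r"(" + EMAIL_RE.pattern + r"):(\S+)")


def deobfuscate(text):
    """Rewrite '[at]', ' at ', '[dot]', ' dot ' into plain '@' and '.'."""
    for pattern, replacement in _OBFUSCATIONS:
        text = pattern.sub(replacement, text)
    return text


def harvest(pages, target_domain):
    """Map each address at target_domain to the indexes of pages exposing it."""
    found = defaultdict(list)
    target = target_domain.lower()
    for idx, page in enumerate(pages):
        for addr in EMAIL_RE.findall(deobfuscate(page)):
            local, _, domain = addr.lower().rpartition("@")
            if domain == target:
                found[f"{local}@{domain}"].append(idx)
    return dict(found)


def dumped_credentials(pages, target_domain):
    """Addresses at target_domain that appear in 'address:password' form.

    The password itself is deliberately not returned: the address is the
    evidence that matters, and the fix is a reset, not a lookup."""
    target = target_domain.lower()
    hits = set()
    for page in pages:
        for addr, _password in DUMP_RE.findall(deobfuscate(page)):
            if addr.lower().endswith("@" + target):
                hits.add(addr.lower())
    return hits


def exposure_report(pages, target_domain):
    """Summary an attacker (or a defender) would build from public data."""
    addresses = harvest(pages, target_domain)
    dumped = dumped_credentials(pages, target_domain)
    return {
        "domain": target_domain,
        "exposed": sorted(addresses),
        "in_credential_dump": sorted(dumped),
        "count": len(addresses),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(exposure_report(SAMPLE_PAGES, "example.com"), indent=2))
```

Every address in the report is a ready-made spear-phishing target, and the
ones under "in_credential_dump" need a password reset today, not at the
next monthly check.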







Now, we don't dig up treasures like that every day, but it makes a lot of
sense to run a monthly check of which of your email addresses are floating
out there, and to make sure that those accounts have very strong passwords
that are not reused anywhere else: an address that shows up in a dump is
exactly the one a bad guy will try first, with the dumped password, on every
service he can reach.







You can request your own free EEC over here. The turnaround time is

usually less than one working day:

http://www.knowbe4.com/eec/







TechEd Harley Phatboy Winner Announced











KnowBe4 had a Harley Phatboy in the TechEd booth this year, and anyone who
did a Phishing Security Test during 2012 was eligible to win. Kevin Batsch
was the lucky winner!







"I attended TechEd in Atlanta this year, and visited the KnowBe4 booth.
User security and cyber-crime training is difficult, but if you had
some great training and testing materials to assist in this vulnerability
then your company would be a step ahead. If you can train users and make
them security aware using tools sent via email to explain and prepare
them to not get caught in the phishing net, that would be a great tool.
Since email is often how users get attacked with social engineering
and you guys can help reduce this, that is just awesome!"


-- Kevin Batsch, Messaging Architect, IT Infrastructure







And here is a picture of the winner on the Phatboy!!


https://s3.amazonaws.com/knowbe4-images/WINNER_LO.jpg



Quotes of the Week









"You may delay, but time will not." - Benjamin Franklin







"Long ago, when men cursed and beat the ground with sticks, it was
called witchcraft. Today it's called golf." - Will Rogers



"New ideas pass through three periods: 1) It can't be done. 2) It
probably can be done, but it's not worth doing. 3) I knew it was a
good idea all along!" - Arthur C. Clarke







Please tell your friends about CyberheistNews! They can subscribe here:


http://www.knowbe4.com/about-us/cyberheist-news/









"We Discovered A Serious Human Vulnerability"







"I'm a system administrator and we regularly get users' workstations
infected with malware. Then Microsoft reported that 45% of the infections
are caused by the users being 'socially engineered', so we decided to test it
out for ourselves."







"First we did the Email Exposure Check. Out of our 197 users, 87 email

addresses were found on the Internet. Then we did the Phishing Security

Test, and sent these 87 a relatively simple simulated phishing attack,

that could have been sent by any bad guy."







"We were shocked to see that our spam filters and antivirus did not

catch the phishing email, and that 24 of these 87 clicked on the link.

We discovered a serious human vulnerability." -- P.H. System Admin







Find out for yourself how big this human security hole is in your
organization. Fill out this form and you will get the results for free:




http://www.knowbe4.com/eec/











Remind Your Users: Typosquatters Target Christmas Shoppers









The CSO site had a good story about this. "As online shoppers rush to buy
presents in the run up to Christmas, security researchers have put out
a warning to beware of "typosquatters," who prey on clumsy typists
that misspell domain and website names. For example, customers of major
British high-street brands such as Argos, Debenhams, and John Lewis are
falling victim to cybercriminals that target mistyped web addresses, and
this typosquatting is becoming an extremely lucrative business, especially
in the U.S.








"Websense claims to have discovered nearly 2,000 typosquatted domains,

including: "debenahams", "johlewis" and "argoss." Typing these domains

often leads to a page imitating the retailer in question, and encourages

users to enter their credit card information. Alternatively, the site might

inject malware or infect the user's system with spyware.







"Cybercriminals are scary smart at enticing Christmas shoppers to unwanted

sites," said Elad Sharf of Websense Security Labs. "Whilst this looks like

a consumer problem, typosquatting also puts company confidential data at

risk as many employees shop from work computers at lunchtime."







Warn your users to double-check domain names before they hit Enter, or
better, to use a bookmark for any site where they type in a card number. More:


http://www.csoonline.com/article/696501/typosquatters-target-christmas-shoppers-websense?
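The three squatted names Websense quotes are each one keystroke away from
the real brand: "johlewis" drops a letter, "argoss" doubles one, and
"debenahams" has an extra vowel slipped in. Here is an added example (our
own illustration, not Websense's tooling) of how both sides work with that:
generate the single-slip typos of a brand label the way a squatter picking
domains to register would, and use the same list on the defending side to
recognize a hostname as a look-alike of a brand you care about. The brand
list, the keyboard layout table and the two-label suffix set are
assumptions made for the example.

```python
# Rows of a QWERTY keyboard; used to find keys a clumsy typist hits instead.
_QWERTY = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Constructed brand list for the example (the retailers named in the story).
BRANDS = ["debenhams", "johnlewis", "argos"]

# Public suffixes with two labels that this toy knows about; a real tool
# would use the Public Suffix List instead of a hand-written set.
_TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"}


def _adjacent_keys(ch):
    """Keys physically next to ch (same row and the rows above/below).
    Real keyboards stagger the rows, so this is an approximation."""
    for r, row in enumerate(_QWERTY):
        if ch in row:
            col = row.index(ch)
            out = set()
            for rr in (r - 1, r, r + 1):
                if 0 <= rr < len(_QWERTY):
                    for cc in (col - 1, col, col + 1):
                        if 0 <= cc < len(_QWERTY[rr]) and _QWERTY[rr][cc] != ch:
                            out.add(_QWERTY[rr][cc])
            return out
    return set()


def typo_variants(label):
    """All single-slip typos of a domain label (the part before the suffix)."""
    label = label.lower()
    n = len(label)
    out = set()
    for i in range(n):
        out.add(label[:i] + label[i + 1:])                  # omission:   johnlewis -> johlewis
        out.add(label[:i + 1] + label[i] + label[i + 1:])   # repetition: argos -> argoss
        for k in _adjacent_keys(label[i]):
            out.add(label[:i] + k + label[i + 1:])          # fat-finger: argos -> argps
    for i in range(n - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    for i in range(1, n):
        for v in "aeiou":
            out.add(label[:i] + v + label[i:])              # insertion:  debenhams -> debenahams
    out.discard(label)
    out.discard("")
    return out


def registrable_label(hostname):
    """'www.argos.co.uk' -> 'argos', 'debenahams.com' -> 'debenahams'."""
    parts = hostname.lower().strip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in _TWO_LABEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def squatted_brand(hostname, brands=BRANDS):
    """Return the brand that hostname looks like a typo of, or None.
    An exact brand match is the legitimate site and also returns None."""
    label = registrable_label(hostname)
    lowered = [b.lower() for b in brands]
    if label in lowered:
        return None
    for brand in lowered:
        if label in typo_variants(brand):
            return brand
    return None


if __name__ == "__main__":
    for brand in BRANDS:
        print(f"{brand}: {len(typo_variants(brand))} one-slip variants")
    for host in ["www.debenahams.co.uk", "johlewis.com", "argoss.co.uk", "argos.co.uk"]:
        print(f"{host:25} -> {squatted_brand(host)}")
```

On the defending side the same list can feed a proxy or DNS block list, or
simply a report of which variants of your own brand are already registered
by someone else.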











Kim Jong Il Malicious Spam Now Active







The Trendmicro Blog was on the ball. "The death of Korean leader Kim Jong
Il resulted in an outpouring of reactions from many people all over the world.
Some people were saddened by the loss, while some were quite jubilant,
saying that Kim Jong Il was "a repressive leader".



Cybercriminals, on the other hand, had only one reaction to the incident: to
take advantage of it. Our researchers found spammed messages with email
subjects mentioning the death of Kim Jong Il. The messages arrive with a
.PDF attachment. The said file is of course malicious." More:


http://blog.trendmicro.com/kim-jong-il-malicious-spam-found/











How Secure -IS- that password?





There are sites out there that invite you to enter your password and then
tell you how strong it is. That's interesting, but who are they? If I were
a bad guy, that's one of the first things I would throw on a website: get
my SEO optimized so that a lot of people would enter their passwords, and
log every password together with the visitor's IP address. From there it
would not be too hard to get into their network. Here is an example of a
site that tests passwords. Note, these guys may be totally fine, but who
knows? They might even be compromised and not know it!


http://howsecureismypassword.net/







Another site is this one, and they are a bit smarter; moreover, they
provide the source code. If you ran that inside your own domain on an
Intranet, I would feel more secure, since the password never leaves your
network. Do read the script first, though: a meter that works entirely in
the browser has no reason to make any network request at all, and any copy
you host should be checked for that.


http://www.passwordmeter.com


http://www.passwordmeter.com/js/pwdmeter.js


For your end-users, however, this makes a fantastic social engineering
attack via email ("check whether your password is strong enough") that
tricks them into entering their passwords. So create a policy, or train
your end users, to never, EVER type their password into one of these sites!
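If you want the strength check without the exposure, the safe place to do
it is on the machine that owns the password. The following is an added
example (our own, not the code of either site linked above) of a strength
estimator that never sends anything anywhere: it counts the character
classes used, then knocks the estimate down for the things a cracker tries
first, namely well-known passwords (also with leet substitutions and a
trailing digit or two), keyboard and alphabet sequences, and padding with
repeated characters. The short common-password list is a constructed
stand-in for a real breached-password file.

```python
import math
import string

# Constructed stand-in for a breached-password list. A real deployment would
# load a top-N list or a local copy of a dump; the point is that the check
# happens here, on the user's own machine, not on a stranger's web server.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome",
    "monkey", "abc123", "iloveyou", "admin", "football", "dragon",
}

# Keyboard and alphabet runs that cracking tools enumerate first.
_SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "0123456789",
              "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Leet substitutions that crackers undo with a one-line rule ("P@ssw0rd").
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "@": "a", "$": "s", "!": "i"})


def charset_size(pw):
    """Size of the smallest printable-ASCII alphabet covering every character."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32
    if any(c == " " or ord(c) > 126 for c in pw):
        size += 1
    return size


def naive_bits(pw):
    """Entropy if every character were picked uniformly from charset_size(pw)."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def sequence_runs(pw, run=4):
    """Count distinct forward or reversed runs of `run` chars from _SEQUENCES."""
    low = pw.lower()
    hits = set()
    for seq in _SEQUENCES:
        for i in range(len(seq) - run + 1):
            chunk = seq[i:i + run]
            if chunk in low or chunk[::-1] in low:
                hits.add(chunk)
    return len(hits)


def looks_common(pw):
    """True if pw, minus trailing digits/punctuation and with leet undone,
    is a well-known password."""
    low = pw.lower()
    core = low.rstrip(string.digits + string.punctuation).translate(_LEET)
    return low in COMMON_PASSWORDS or core in COMMON_PASSWORDS


def assess(pw):
    """Estimate resistance to guessing; the password never leaves this process.
    Known gap: without a full word list, a passphrase of dictionary words is
    scored as if its letters were random, so it is overestimated."""
    bits = naive_bits(pw)
    reasons = []
    if looks_common(pw):
        bits = min(bits, 10.0)
        reasons.append("common password (possibly with leet/suffix)")
    runs = sequence_runs(pw)
    if runs:
        bits = max(0.0, bits - 15.0 * runs)
        reasons.append(f"{runs} keyboard/alphabet sequence(s)")
    if pw and len(set(pw)) <= len(pw) // 2:
        bits /= 2
        reasons.append("few distinct characters")
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if len(pw) < 8 or bits < 28:
        verdict = "weak"
    elif bits < 45:
        verdict = "fair"
    else:
        verdict = "strong"
    return {"bits": round(bits, 1), "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd1", "abcd1234", "aaaaaaaaaa", "k7$Qm2!vLp9#Rt"]:
        print(f"{candidate:16} {assess(candidate)}")
```

The numbers are estimates, not guarantees; what matters for the policy
point is that a check like this can run on the desktop, in a login script,
or behind your own Intranet page, and the password stays where it belongs.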













Cyberheist 'FAVE' LINKS:







* This Week's Links We Like. Tips, Hints And Fun Stuff.





Security tips from a legendary hacker. Kevin Mitnick interviewed on CBS News:


http://www.cbsnews.com/8301-505143_162-57344282/security-tips-from-a-legendary-hacker/





Join National Geographic photographer Mattias Klum as he tries to capture

images of the wily little mammal of the Kalahari Desert known as the meerkat:


http://www.flixxy.com/revenge-of-the-meerkat.htm





Now you can transform your patio into a swimming pool in 2 minutes at the

touch of a button:
http://www.flixxy.com/transform-your-patio-into-a-swimming-pool.htm





Awesome Gifts for the Geek in Your Life:
http://www.networkworld.com/slideshows/2011/120911-geeky-gifts.html?





Japanese researchers develop six-legged "Asterisk" robot that can pick up

objects. Check out the video, some people are going to think: "Scary!":
http://www.gizmag.com/six-legged-japanese-robot-can-pick-up-objects/20895/





An hour-long BBC documentary about Steve Jobs with on-camera interviews with

Woz, Stephen Fry, Tim Berners-Lee, John Sculley and many others.:
http://www.flixxy.com/steve-jobs-billion-dollar-hippy.htm





Use the Google Chrome browser? This is a cool little "Easter Egg":
https://www.google.com/search?site=&q=let+it+snow





Amazing Christmas display with 176 channels and 45,000 lights! The show is

so popular that it requires a crew of 3 people to manage the traffic:
http://www.flixxy.com/best-christmas-lights-display.htm





If you are a space junkie, this is great stuff. A brief recount of the

progress made by a company formerly known as "Space Exploration Technologies

Corp.". The video at the bottom of the article is worth the price of admission:
http://latimesblogs.latimes.com/money_co/2011/12/spacex-nasa-space-station-docking.html





Young Chinese acrobat performs amazing balancing acts on a "slackwire":
http://www.flixxy.com/wire-balancing-acrobatics.htm



