CyberheistNews Vol 1, #26
Editor's Corner
A hacker's treasure trove, that is... our Email Exposure Check (EEC)
dug up email addresses and user names out of a login/password dump
created by hackers: undeniable evidence that those credentials were
compromised. Another EEC we did this week found email addresses and
passwords for porn sites, on a list that was made public by LulzSec
and is available to anyone who knows where it is. Very embarrassing
for an end-user in your organization to be found on a list like that,
to say the least, and a firing offense in many organizations.
What is the EEC? A free service we provide to any organization that
wants to know what its email attack surface actually is. We do a
special 'deep search' of the four major search engines and dig out
any and all email addresses for your domain that are found floating
around on the Internet. Most organizations are surprised by how many
we find out there.
The problem, of course, is that the bad guys can do this too, then do a
bit of research on the organization, and send a custom spear-phishing
attack aimed just at that organization. A good example would be an email
'from the CEO' about a change in the employee benefits program. A
simulated attack we recently did for a customer got a click-through
(meaning Phish-prone) rate of more than 40%. Ouch. Your network would
no longer be your own.
Now, we don't dig up treasures like that every day, but it makes a
lot of sense to run a monthly check of which email addresses are floating
around out there, make sure those accounts have very strong passwords,
and, if an address turns up in a credential dump, reset that password
right away: 'strong' does not help once it has been published!
You can request your own free EEC over here. The turnaround time is
usually less than one working day:
http://www.knowbe4.com/eec/
TechEd Harley Phatboy Winner Announced
KnowBe4 had a Harley Phatboy in the TechEd booth this year, and
anyone who did a Phishing Security Test during 2012 was eligible
to win. Kevin Batsch was the lucky winner!
"I attended TechEd in Atlanta this year, and visited the KnowBe4 booth.
User security and cyber-crime training is difficult, but if you had
some great training and testing materials to assist in this vulnerability
then your company would be a step ahead. If you can train users and make
them security aware using tools sent via email to explain and prepare
them to not get caught in the phishing net – that would be a great tool.
Since email is often how users get attacked with social engineering
and you guys can help reduce this – that is just awesome!"
-- Kevin Batsch, Messaging Architect, IT Infrastructure
And here is a picture of the winner on the Phatboy!!
https://s3.amazonaws.com/knowbe4-images/WINNER_LO.jpg
Quotes of the Week
"You may delay, but time will not." - Benjamin Franklin
"Long ago, when men cursed and beat the ground with sticks, it was
called witchcraft. Today it's called golf." - Will Rogers
"New ideas pass through three periods: 1) It can't be done. 2) It
probably can be done, but it's not worth doing. 3) I knew it was a
good idea all along!" - Arthur C. Clarke
Please tell your friends about CyberheistNews! They can subscribe here:
http://www.knowbe4.com/about-us/cyberheist-news/
"We Discovered A Serious Human Vulnerability"
"I'm a system administrator and we regularly get users' workstations
infected with malware. Then Microsoft reported that 45% of the infections
are caused by the users being 'social engineered', so we decided to test it
out for ourselves."
"First we did the Email Exposure Check. Out of our 197 users, 87 email
addresses were found on the Internet. Then we did the Phishing Security
Test, and sent these 87 a relatively simple simulated phishing attack,
that could have been sent by any bad guy."
"We were shocked to see that our spam filters and antivirus did not
catch the phishing email, and that 24 of these 87 clicked on the link.
We discovered a serious human vulnerability." -- P.H. System Admin
Find out for yourself how big this human security hole is in your
organization. Fill out this form, you will get the results for free:
http://www.knowbe4.com/eec/
Remind Your Users: Typosquatters Target Christmas Shoppers
The CSO site had a good story about this. "As online shoppers rush to buy
presents in the run up to Christmas, security researchers have put out
a warning to beware of "typosquatters," who prey on clumsy typists
who misspell domain and website names. For example customers of major
British high-street brands such as Argos, Debenhams, and John Lewis are
falling victim to cybercriminals that target mistyped web addresses, and
this typosquatting is becoming an extremely lucrative business, especially
in the U.S."
"Websense claims to have discovered nearly 2,000 typosquatted domains,
including: "debenahams", "johlewis" and "argoss." Typing these domains
often leads to a page imitating the retailer in question, and encourages
users to enter their credit card information. Alternatively, the site might
inject malware or infect the user's system with spyware.
"Cybercriminals are scary smart at enticing Christmas shoppers to unwanted
sites," said Elad Sharf of Websense Security Labs. "Whilst this looks like
a consumer problem, typosquatting also puts company confidential data at
risk as many employees shop from work computers at lunchtime."
Warn your users to double-check the address bar before they type in card
details, and to use a bookmark rather than typing retailer names by hand. More:
http://www.csoonline.com/article/696501/typosquatters-target-christmas-shoppers-websense?
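The three squatted names in the story ("debenahams", "johlewis" and "argoss") are each one keystroke away from the real brand: an inserted letter, a dropped letter and a doubled letter. As an added example (not code from the CSO or Websense article, nor from KnowBe4), here is a small Python generator for those one-keystroke variants of a domain, which a defender can run over their own brand domains and compare against newly observed registrations. It goes a little beyond the article's three cases by also covering transpositions and neighbouring-key substitutions; the keyboard-adjacency table assumes a US QWERTY layout, and the domain feed at the bottom is constructed sample data, not real registration records.

```python
import string

# Neighbouring keys on a US QWERTY layout, used for "fat finger" substitutions
# (assumption: US layout; adjust the table for other keyboards).
ADJACENT = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol",
    "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy", "u": "yhji", "v": "cfgb",
    "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}


def omissions(label):
    """Drop one character: johnlewis -> johlewis."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def duplications(label):
    """Double one character: argos -> argoss."""
    return {label[:i + 1] + label[i:] for i in range(len(label))}


def transpositions(label):
    """Swap two neighbours: argos -> agros."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1) if label[i] != label[i + 1]}


def insertions(label):
    """Slip in one extra letter: debenhams -> debenahams."""
    return {label[:i] + c + label[i:]
            for i in range(len(label) + 1) for c in string.ascii_lowercase}


def fat_fingers(label):
    """Hit a neighbouring key instead: argos -> arhos."""
    return {label[:i] + c + label[i + 1:]
            for i, ch in enumerate(label) for c in ADJACENT.get(ch, "")}


# Ordered so that a variant keeps the simplest explanation that produces it.
GENERATORS = (
    ("omission", omissions),
    ("duplication", duplications),
    ("transposition", transpositions),
    ("fat-finger", fat_fingers),
    ("insertion", insertions),
)


def typosquat_candidates(domain):
    """Map every one-keystroke variant of a domain to the kind of typo behind it."""
    label, _, suffix = domain.lower().partition(".")
    candidates = {}
    for kind, generate in GENERATORS:
        for variant in generate(label):
            if variant != label:
                candidates.setdefault(variant + "." + suffix, kind)
    return candidates


def flag_lookalikes(brand_domains, observed_domains):
    """Return observed domains that are one typo away from a brand: {domain: (brand, kind)}."""
    lookup = {}
    for brand in brand_domains:
        for candidate, kind in typosquat_candidates(brand).items():
            lookup.setdefault(candidate, (brand, kind))
    return {d: lookup[d.lower()] for d in observed_domains if d.lower() in lookup}


if __name__ == "__main__":
    # Constructed sample feed of newly seen domains (not real registration data).
    feed = ["debenahams.com", "johlewis.com", "argoss.co.uk", "example.com"]
    brands = ["debenhams.com", "johnlewis.com", "argos.co.uk"]
    for domain, (brand, kind) in flag_lookalikes(brands, feed).items():
        print(f"{domain:<18} looks like {brand} ({kind})")
```

The candidate set is large (the insertion class alone is 26 times the label length plus one), which is the point: a defender cannot register them all, but can diff the set against a daily feed of new registrations or passive DNS and investigate the hits.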
Kim Jong Il Malicious Spam Now Active
The Trendmicro Blog was on the ball. "The death of Korean leader Kim Jong
Il resulted in an outpouring of reactions from many people all over the world.
Some people were saddened by the loss, while some were quite jubilant,
saying that Kim Jong Il was "a repressive leader".
Cybercriminals, on the other hand, only had one reaction to the incident: to
take advantage of it. Our researchers found spammed messages with email
subjects mentioning the death of Kim Jong Il. The messages arrive with a
.PDF attachment. The said file is of course malicious." More:
http://blog.trendmicro.com/kim-jong-il-malicious-spam-found/
How Secure -IS- that password?
There are sites out there that invite you to enter your password and
then tell you how strong it is. That's interesting, but who are they?
If I were a bad guy, that's one of the first things I would throw on
a website, and get my SEO optimized so that a lot of people would enter
their passwords. I would then log each password together with the
visitor's IP address, look up which organization that address belongs
to, and try the password against that organization's webmail or VPN
login. Here is an example of a site that tests passwords. Note, these
guys may be totally fine, but who knows? They might even be compromised
and not know it!
http://howsecureismypassword.net/
Another site is this one, and they are a bit smarter: they also provide
the source code. If you read that script, confirm it makes no network
calls, and run it inside your own domain on an intranet so the password
never leaves your network, I would feel more secure:
http://www.passwordmeter.com
http://www.passwordmeter.com/js/pwdmeter.js
For your end-users, however, this could be a fantastic social engineering
attack via email that gets them to enter their passwords. So create a
policy, or train your end-users, to never, EVER type their password
into one of these sites!
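To make the "run it on your own intranet" point concrete, here is an added Python example of a strength check that runs entirely on the local machine and never sends the password anywhere. It is not the passwordmeter.com script and not KnowBe4 code. It estimates brute-force entropy from length and character set, then knocks the score down for the things a pure character-class meter gets wrong: a common word with a "1!" bolted on, straight runs like "1234", keyboard walks like "qwer", and repeated characters. The common-password set is a constructed sample; in practice you would load a large breach-derived wordlist kept on your own server.

```python
import math
import re

# Constructed sample of breached/common passwords. A real deployment would load
# a large breach-derived list instead (assumption: whatever wordlist you trust,
# hosted on your own intranet so the password never leaves the network).
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "welcome", "monkey", "abc123", "iloveyou", "admin",
}

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def charset_size(pw):
    """Size of the alphabet an attacker would have to brute-force."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII symbols and space
    return size


def has_sequence(pw, run=4):
    """True for straight runs ('abcd', '4321') or keyboard walks ('qwer')."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        deltas = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if deltas == {1} or deltas == {-1}:
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def has_repeat(pw, run=3):
    """True when one character repeats `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def score_from_bits(bits):
    """0 = very weak ... 4 = very strong, on estimated brute-force entropy."""
    for threshold, score in ((28, 0), (36, 1), (60, 2), (80, 3)):
        if bits < threshold:
            return score
    return 4


def password_strength(pw):
    """Estimate strength locally; returns estimated bits, a 0-4 score and warnings."""
    warnings = []
    bits = len(pw) * math.log2(charset_size(pw)) if pw else 0.0

    # 'Password1!' is just 'password' with the usual suffix bolted on.
    base = re.sub(r"[0-9!@#$%^&*.]+$", "", pw.lower())
    if pw.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        warnings.append("common password, or a common word plus trailing digits/symbols")
        bits = min(bits, 10.0)
    if has_sequence(pw):
        warnings.append("contains a sequence or keyboard walk")
        bits *= 0.5
    if has_repeat(pw):
        warnings.append("repeats a character three or more times")
        bits *= 0.75
    if len(pw) < 8:
        warnings.append("shorter than 8 characters")

    return {"bits": round(bits, 1), "score": score_from_bits(bits), "warnings": warnings}


if __name__ == "__main__":
    for candidate in ("Password1!", "qwerty123", "aaaa1234", "correct horse battery staple"):
        print(candidate, password_strength(candidate))
```

Note that a naive character-class meter rates "Password1!" as strong (four classes, ten characters, about 66 bits), while this check drops it to 10 bits because the word under the suffix is on the list; that difference is the whole reason to use a wordlist, and the wordlist is also why the check belongs on your own server rather than on a stranger's.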
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
Security tips from a legendary hacker. Kevin Mitnick interviewed on CBS News:
http://www.cbsnews.com/8301-505143_162-57344282/security-tips-from-a-legendary-hacker/
Join National Geographic photographer Mattias Klum as he tries to capture
images of the wily little mammal of the Kalahari Desert known as the meerkat:
http://www.flixxy.com/revenge-of-the-meerkat.htm
Now you can transform your patio into a swimming pool in 2 minutes at the
touch of a button:
http://www.flixxy.com/transform-your-patio-into-a-swimming-pool.htm
Awesome Gifts for the Geek in Your Life:
http://www.networkworld.com/slideshows/2011/120911-geeky-gifts.html?
Japanese researchers develop six-legged "Asterisk" robot that can pick up
objects. Check out the video, some people are going to think: "Scary!":
http://www.gizmag.com/six-legged-japanese-robot-can-pick-up-objects/20895/
An hour-long BBC documentary about Steve Jobs with on-camera interviews with
Woz, Stephen Fry, Tim Berners-Lee, John Sculley and many others:
http://www.flixxy.com/steve-jobs-billion-dollar-hippy.htm
Use the Google Chrome browser? This is a cool little "Easter Egg":
https://www.google.com/search?site=&q=let+it+snow
Amazing Christmas display with 176 channels and 45,000 lights! The show is
so popular that it requires a crew of 3 people to manage the traffic:
http://www.flixxy.com/best-christmas-lights-display.htm
If you are a space junkie, this is great stuff. A brief recount of the
progress made by a company formerly known as "Space Exploration Technologies
Corp.". The video at the bottom of the article is worth the price of admission:
http://latimesblogs.latimes.com/money_co/2011/12/spacex-nasa-space-station-docking.html
Young Chinese acrobat performs amazing balancing acts on a "slackwire":
http://www.flixxy.com/wire-balancing-acrobatics.htm