CyberheistNews Vol 1, #27
Editor's Corner
Social Engineering Attacks On Enterprises Trending Upward
Linda Musthaler at Network World had a chat with Amit Klein, CTO at
security company Trusteer. She started out with something funny:
"Here's an updated proverb for the Information Age: 'Give a man a fish
and you'll feed him for a day. Teach a man to fish and you'll feed
him for a lifetime. Allow a man to phish and you'll give him your
identity, your bank account, your intellectual property ...'"
Trusteer has more than 26 million agents installed on devices in the
field and they all feed into Trusteer's intelligence systems. Trusteer
is scanning for malware, spyware and viruses in the wild, and the
information they collect allows Klein to make his predictions with a
high degree of confidence. The following is one of his observations
for the year ahead: "Personal information, disclosed on social networks,
will be used in social engineering attacks against the enterprise.
Fraudsters, all too aware of the valuable intelligence freely available
on social networks, are starting to mine these data sources, capturing
the personal details needed to successfully complete social engineering
attacks. Trusteer predicts this will manifest itself over the coming
year as an enterprise issue."
Well, it's already an issue. Cybercriminals are using this as we speak to
craft spear-phishing attacks on enterprises. The real news is that the
trend is moving upward, and what you are going to see is that mining
data from social networking sites (especially LinkedIn) will become highly
automated and used for malicious purposes. It will be packaged as malware
that criminals can simply buy, with tech support included. Here is the story:
http://www.networkworld.com/newsletters/techexec/2012/010612bestpractices.html
Survey: How Long Should Awareness Training Be?
In a business environment, what would you think is the ideal length in
minutes for an employee's yearly online Security Awareness Training? It
should be long enough to cover the required material, but not so long
that it exceeds their attention span.
Vote here, this will take about 20 seconds:
https://www.surveymonkey.com/s/traininglength
Quotes of the Week
"Don't be a spectator, don't let life pass you by." - Lou Holtz
"Death is no more than passing from one room into another. But
there's a difference for me, you know. Because in that other room I
shall be able to see." - Helen Keller
Please tell your friends about CyberheistNews! They can subscribe here:
http://www.knowbe4.com/about-us/cyberheist-news/
"We Discovered A Serious Human Vulnerability"
"I'm a system administrator and we regularly get users' workstations
infected with malware. Then Microsoft reported that 45% of the infections
are caused by the users being 'social engineered', so we decided to test it
out for ourselves."
"First we did the Email Exposure Check. Out of our 197 users, 87 email
addresses were found on the Internet. Then we did the Phishing Security
Test, and sent these 87 a relatively simple simulated phishing attack
that could have been sent by any bad guy."
"We were shocked to see that our spam filters and antivirus did not
catch the phishing email, and that 24 of these 87 clicked on the link.
We discovered a serious human vulnerability." -- P.H. System Admin
Find out for yourself how big this human security hole is in your
organization. Fill out this form, you will get the results for free:
http://www.knowbe4.com/eec/
Passwords Aren't Dead, Though Maybe Yours Should Be
"It's 2012. The password is dead. Long live the password. Perhaps the
division in the IT world is not quite that stark, but there is indeed
division. Some think it is past time to retire passwords, for what they
say is the obvious reason: They don't protect users, since they are so
easily hacked. All the talk about making passwords more secure is
ignoring the elephant in the room: they simply cannot be made secure.
Besides, there are other, better, authentication options, like biometrics,
since nobody has your fingerprints, eyes and DNA.
But others say not so fast; that biometrics are not duplicate-proof, and
that passwords would still be fairly effective if users didn't make them
so easy to hack and if password authentication systems were improved."
Story at CSO online:
http://www.csoonline.com/article/697667/passwords-aren-t-dead-though-maybe-yours-should-be?
IBM, HP, Microsoft Are Patching Laggards
Computerworld just wrote up a good story from TippingPoint. "IBM, HP and
Microsoft led the list of companies that failed to patch vulnerabilities
within six months of being notified by the world's biggest bug bounty
program, according to HP TippingPoint's Zero-Day Initiative (ZDI).
During 2011, TippingPoint -- a division of HP -- released 29 "zero-day"
advisories that provided information on vulnerabilities it had reported
to vendors six or more months earlier. Ten of the 29 were bugs in IBM
software, six in HP's own software and five were in Microsoft products.
Other companies on the list of late-to-patch vendors included CA, Cisco
and EMC." Here is the story:
http://www.computerworld.com/s/article/9222829/IBM_HP_Microsoft_lead_patching_laggards_says_bug_buyer
Virtual Sweatshops Defeat Bot-or-Not Tests
Jobs in the hi-tech sector can be hard to find, but employers in one corner
of the industry are creating hundreds of full-time positions, offering workers
on-the-job training and the freedom to work from home. The catch? Employees
will likely work for cybercrooks and may make barely enough money in a
week to purchase a Happy Meal at McDonald's. So here is how your CAPTCHAs
get defeated. Story at Krebs on Security:
http://krebsonsecurity.com/2012/01/virtual-sweatshops-defeat-bot-or-not-tests/
My Experience With A Facebook Hacker
Here is an experience of a hacking attempt that I thought was quite
interesting. Lucas Mearian wrote: "As I lay in a sugar comatose one morning
after the holidays last week, my stupor was interrupted by a series of
phone calls from friends alerting me that I'd contacted them through a
Facebook chat session and told them I'd been mugged in the U.K. while on
vacation and needed money. "Hey, Luke. Are you okay?" one friend frantically
asked over the phone. "What's going on? Have you been mugged, and what
are you doing in the U.K.?" Another friend called to tell me, "Hey buddy,
I think your Facebook password has been hacked. I'm getting IMs from you
telling me you've been mugged and need money." I ran over to my computer
and saw half a dozen "chat" conversations that basically went like this."
Story at ComputerWorld:
http://blogs.computerworld.com/19509/facebook_chat_hack_it_can_happen_to_you_too?
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
Anyone who's seen sci-fi movies like Minority Report or Iron Man 2 knows
that gesture control looks really cool. Wave to command your devices. But
imagine providing tech support for this?
http://www.youtube.com/watch?feature=player_embedded&v=J3Aa4Wx-_8o
Love the Blade Runner movie? This is an exclusive Sketchbook made in 1982
for the movie design. Gorgeous:
http://issuu.com/futurenoir/docs/bladerunner_sketchbook
This footage of Earthrise over the moon was taken from the Apollo 10 mission
in 1969. Amazing!:
http://www.flixxy.com/apollo-earthrise.htm
A compilation of the most awesome bicycle, snowboard, ski, snowmobile,
parkour, diving, rally car and skate sports clips of 2011. I like:
http://www.flixxy.com/awesome-sports.htm
Cockpit view of an incredible aerobatic display with the C130J Hercules
transport plane at Paris Airshow 2011:
http://www.flixxy.com/c130-super-hercules-paris-airshow-2011-cockpit-view.htm
Normally, this would be too long to be a newsletter Fave, but this one is
quite interesting - the Top Gear India Special (90 Min):
http://www.flixxy.com/top-gear-india-special.htm