CyberheistNews vol 2, #2

CyberheistNews Vol 1, #27

Editor's Corner

Social Engineering Attacks On Enterprises Trending Upward

Linda Musthaler at Network World had a chat with Amit Klein, CTO at
security company Trusteer. She started out with something funny:
"Here's an updated proverb for the Information Age: "Give a man a fish
and you'll feed him for a day. Teach a man to fish and you'll feed
him for a lifetime. Allow a man to phish and you'll give him your
identity, your bank account, your intellectual property ..."

Trusteer has more than 26 million agents installed on devices in the
field and they all feed into Trusteer's intelligence systems. Trusteer
is scanning for malware, spyware and viruses in the wild, and the
information they collect allows Klein to make his predictions with a
high degree of confidence. The following is one of his observations
for the year ahead: Personal information, disclosed on social networks,
will be used in social engineering attacks against the enterprise.
Fraudsters, all too aware of the valuable intelligence freely available
on social networks, are starting to mine these data sources, capturing
the personal details needed to successfully complete social engineering
attacks. Trusteer predicts this will manifest itself over the coming
year as an enterprise issue."

Well, it's already an issue. Cybercrime is using this as we speak, to
craft spear-phishing attacks on enterprises. The news really is that
the trend is moving upward, and what you are going to see is that mining
data from social networking sites (especially LinkedIn) will get automated
to a high degree and used for malicious purposes. It will be malware that
criminals simply can buy, and get tech support for. Here is the story:

http://www.networkworld.com/newsletters/techexec/2012/010612bestpractices.html

Survey: How Long Should Awareness Training Be?

In a business environment, for an employee, what would you think is the
ideal length in minutes to do their yearly online Security Awareness
Training? It should be long enough to get them trained as per the
requirements, but not so long that it exceeds their attention span.
Vote here, this will take about 20 seconds:

https://www.surveymonkey.com/s/traininglength

Quotes of the Week

"Don't be a spectator, don't let life pass you by." - Lou Holtz

"Death is no more than passing from one room into another. But
there's a difference for me, you know. Because in that other room I
shall be able to see." - Helen Keller

Please tell your friends about CyberheistNews! They can subscribe here:

http://www.knowbe4.com/about-us/cyberheist-news/

"We Discovered A Serious Human Vulnerability"

"I'm a system administrator and we regularly get users' workstations
infected with malware. Then Microsoft reported that 45% of the infections
are caused by the users being 'social engineered', so we decided to test it
out for ourselves."

"First we did the Email Exposure Check. Out of our 197 users, 87 email
addresses were found on the Internet. Then we did the Phishing Security
Test, and sent these 87 a relatively simple simulated phishing attack,
that could have been sent by any bad guy."

"We were shocked to see that our spam filters and antivirus did not
catch the phishing email, and that 24 of these 87 clicked on the link.
We discovered a serious human vulnerability." -- P.H. System Admin

Find out for yourself how big this human security hole is in your
organization. Fill out this form and you will get the results for free:

http://www.knowbe4.com/eec/

Passwords Aren't Dead, Though Maybe Yours Should Be

"It's 2012. The password is dead. Long live the password. Perhaps the
division in the IT world is not quite that stark, but there is indeed
division. Some think it is past time to retire passwords, for what they
say is the obvious reason: They don't protect users, since they are so
easily hacked. All the talk about making passwords more secure is
ignoring the elephant in the room: they simply cannot be made secure.
Besides, there are other, better, authentication options, like biometrics,
since nobody has your fingerprints, eyes and DNA.

But others say not so fast; that biometrics are not duplicate proof, and
that passwords would still be fairly effective if users didn't make them
so easy to hack and if password authentication systems were improved."
Story at CSO online:

http://www.csoonline.com/article/697667/passwords-aren-t-dead-though-maybe-yours-should-be?

IBM, HP, Microsoft Are Patching Laggards

Computerworld just wrote up a good story from TippingPoint. "IBM, HP and
Microsoft led the list of companies that failed to patch vulnerabilities
within six months of being notified by the world's biggest bug bounty
program, according to HP TippingPoint's Zero-Day Initiative (ZDI).

During 2011, TippingPoint -- a division of HP -- released 29 "zero-day"
advisories that provided information on vulnerabilities it had reported
to vendors six or more months earlier. Ten of the 29 were bugs in IBM
software, six in HP's own software and five were in Microsoft products.
Other companies on the list of late-to-patch vendors included CA, Cisco
and EMC." Here is the story:

http://www.computerworld.com/s/article/9222829/IBM_HP_Microsoft_lead_patching_laggards_says_bug_buyer

Virtual Sweatshops Defeat Bot-or-Not Tests

Jobs in the hi-tech sector can be hard to find, but employers in one corner
of the industry are creating hundreds of full-time positions, offering workers
on-the-job training and the freedom to work from home. The catch? Employees
will likely work for cybercrooks and may make barely enough money in a
week to purchase a Happy Meal at McDonald's. So here is how your CAPTCHAs
get defeated. Story at Krebs on Security:

http://krebsonsecurity.com/2012/01/virtual-sweatshops-defeat-bot-or-not-tests/

My Experience With A Facebook Hacker

Here is an experience of a hacking attempt that I thought was quite
interesting. Lucas Mearian wrote: "As I lay in a sugar comatose one morning
after the holidays last week, my stupor was interrupted by a series of
phone calls from friends alerting me that I'd contacted them through a
Facebook chat session and told them I'd been mugged in the U.K. while on
vacation and needed money. "Hey, Luke. Are you okay?" one friend frantically
asked over the phone. "What's going on? Have you been mugged, and what
are you doing in the U.K.?" Another friend called to tell me, "Hey buddy,
I think your Facebook password has been hacked. I'm getting IMs from you
telling me you've been mugged and need money." I ran over to my computer
and saw half a dozen "chat" conversations that basically went like this."
Story at ComputerWorld:

http://blogs.computerworld.com/19509/facebook_chat_hack_it_can_happen_to_you_too?

Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

Anyone who’s seen sci-fi movies like Minority Report or Iron Man 2 knows
that gesture-control looks really cool. Wave to command your devices. But
imagine providing tech support for this?
http://www.youtube.com/watch?feature=player_embedded&v=J3Aa4Wx-_8o

Love the Blade Runner movie? This is an exclusive Sketchbook made in 1982
for the movie design. Gorgeous:
http://issuu.com/futurenoir/docs/bladerunner_sketchbook

This footage of Earthrise over the moon was taken from the Apollo 10 mission
in 1969. Amazing:
http://www.flixxy.com/apollo-earthrise.htm

A compilation of the most awesome bicycle, snowboard, ski, snowmobile,
parkour, diving, rally car and skate sports clips of 2011. I like:
http://www.flixxy.com/awesome-sports.htm

Cockpit view of an incredible aerobatic display with the C130J Hercules
transport plane at Paris Airshow 2011:
http://www.flixxy.com/c130-super-hercules-paris-airshow-2011-cockpit-view.htm

Normally, this would be too long to be a newsletter Fave, but this one is
quite interesting - the Top Gear India Special (90 Min):
http://www.flixxy.com/top-gear-india-special.htm