CyberheistNews Vol 2, #13
Editor's Corner
Do You Comply With The New PCI 2.0 Standard?
We recommend you copy and paste this section, and send it to your
executive team, with a warning that they might be targeted with
spear-phishing attacks. They need to 'Stop, Look, Think' when they
get emails like this. Or, instead of cut and paste, you can send your
execs this Permalink to the KnowBe4 blog post here:
http://blog.knowbe4.com/the-top-5-executive-spear-phishing-scams/
No. 5 "Complaint from the Better Business Bureau". A few execs get this
official-looking complaint that a customer supposedly has filed, or
more recently one that states: 'Your company is accused of supporting
illegal business'. They claim your business is involved in identity theft.
Reply within 7 days, and click on this link with the complaint ID. If
the exec clicks, the PC will be infected with malware.
No. 4 "New Security App For Your Smartphone". Bad guys go to your website
and figure out who your CFO and CEO are. They spoof an email from the
CEO to the CFO and get the CFO to click on something. The CFO's PC is now
infected with a keylogger. This way they know who you are banking with,
and that the bank uses two-factor authentication using the CFO's mobile
phone. Next, they spoof an email 'from the bank' to the CFO that instructs
the CFO to download and install a new security app on their phone, but
this is actually malware under control of the bad guys. Now they have
access to the normal banking logon credentials, but they also control
the two-factor text message sent to the CFO, which opens the door to
all kinds of (expensive) trouble.
No. 3 "Unfortunately, you are part of a layoff". Cybercriminals take
advantage of the current economic conditions and spoof an email
that supposedly comes from either the CEO or from Human Resources. It
states the employee has been laid off and asks them to click on a link
so they can claim their severance pay. The link leads to a page that
looks just like the company website and asks for the first name, last
name and SSN to verify who they are and make sure that they are in
the queue for severance. Double whammy: the PC is infected and the
employee's identity has been compromised.
No. 2 "Free Dinner At Your Favorite Restaurant". The CEO of a company is
singled out for a spear-phishing attack. The attackers do their research
using social media and find that the CEO is active in an anti-cancer
charity as one of the CEO's family members is a survivor. They also
figure out that the CEO has a favorite restaurant about 20 miles away.
They spoof an email from the charity's chief fund-raiser with an
attached PDF that promises a free dinner and asks the CEO to open the
PDF describing the new fund-raising campaign they need feedback on. One
click, the PC is infected and the network compromised. (Hat Tip to
Chris Hadnagy.)
No. 1 "We've been sued". Bad guys go to your company website, look at the
'Executive Team' page and find out who is your In-House Legal Counsel.
Then they do a deep search on the Internet for all email addresses of
your company and find out the address conventions (e.g. first letter
first name, followed by last name). Then they spoof the email address of
your counsel, and attach an infected PDF that pretends to be
about new or pending litigation and send it to two or three execs.
They open it and bingo, your network is compromised.
Attacks like this happen all the time. There are still many organizations
that do not have Sender Policy Framework (SPF) enabled. Having SPF
configured correctly blocks most of the spoofing attacks in the examples
above, because the receiving mail server can check whether the sending
IP address is authorized for the sender's domain. And of course Security
Awareness Training for all staff, especially the execs, is a must, as
they are prime targets. Here is a link to more data on SPF:
http://en.wikipedia.org/wiki/Sender_policy_framework
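To show concretely why a published SPF record stops the spoofed 'from the CEO' emails above, here is a minimal SPF evaluator. This is an added example, not code from KnowBe4 or the newsletter; the domain names (.test TLD) and IP addresses (RFC 5737 / RFC 3849 documentation ranges) are constructed, the DNS answers are an in-memory dictionary so it runs offline, and only the ip4, ip6, include and all mechanisms are supported (a real mail server would use a full RFC 7208 library and live DNS).

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed, in-memory DNS table.

A receiving mail server asks: is the IP that connected to me allowed to send
mail for the MAIL FROM domain? If the domain publishes '-all', a spoofed
message from an unauthorized IP gets 'fail' and can be rejected.
"""
import ipaddress

# Constructed TXT records for hypothetical domains (placeholders, not real).
DNS_TXT = {
    "example-corp.test": "v=spf1 ip4:192.0.2.0/24 include:mail-provider.test -all",
    "mail-provider.test": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "no-spf.test": None,  # nothing published: spoofing is not blocked at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, depth=0):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral', 'none',
    'permerror') for client_ip sending mail as domain."""
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-querying mechanisms at 10
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no SPF policy: the receiver learns nothing
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier is '+' (pass) per RFC 7208
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # 'in' is False when address and network families differ
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the record
        elif name == "include":
            # include matches only if the referenced domain's record passes
            matched = check_spf(arg, client_ip, depth + 1) == "pass"
        else:
            return "permerror"  # a/mx/exists/redirect are out of scope here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term present


def triage(messages):
    """Map each constructed (mail_from_domain, client_ip) pair to its result."""
    return {(d, ip): check_spf(d, ip) for d, ip in messages}


# Constructed sample of connecting IPs claiming to send for these domains.
SAMPLE = [
    ("example-corp.test", "192.0.2.77"),     # corporate gateway: pass
    ("example-corp.test", "198.51.100.10"),  # outsourced provider via include: pass
    ("example-corp.test", "203.0.113.5"),    # spoofed 'from the CEO': fail
    ("mail-provider.test", "203.0.113.5"),   # provider publishes ~all: softfail
    ("no-spf.test", "203.0.113.5"),          # no record: none, nothing to enforce
]

if __name__ == "__main__":
    for (domain, ip), result in triage(SAMPLE).items():
        print(f"{domain:20} {ip:16} {result}")
```

The contrast between the last three rows is the point of the paragraph: the same unknown IP gets 'fail' from a domain that ends its record with '-all', only 'softfail' from one that uses '~all', and nothing at all from a domain with no record. A receiving server can only reject the spoofed message in the first case, which is what "configured correctly" means in practice.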
Tax Season
Apart from the above, warn everyone that 'Tax Scam Season' is upon us,
and that no one should respond to anything tax-related via email.
The IRS does not use email or social media; don't fall for refund
offers that promise the world, and never click on links in email to
help you fill out your taxes, even if it's for TurboTax. Always and
only use your Web browser bookmarks instead!
Quotes of the Week
"Management is doing things right; leadership is doing the right things." Peter Drucker
"Don't tell people how to do things; tell them what to do and let them
surprise you with the results." George S. Patton
"The price of greatness is responsibility." Winston Churchill
Please tell your friends about CyberheistNews! They can subscribe here:
http://www.knowbe4.com/about-us/cyberheist-news/
Stop Phishing Security Breaches
Are you aware that many of the email addresses of your organization are exposed on the Internet and easy to find for cybercriminals? With these addresses they can launch (spear-)phishing attacks on your organization. This type of attack is very hard to defend against, unless your users have had thorough security awareness training.
IT Security specialists call it your phishing attack surface. The more of your email addresses that are floating out there, the bigger your attack footprint is, and the higher the risk is. It's often a surprise how many addresses are actually out there.
Find out now which of your email addresses are exposed. The Email Exposure Check (EEC) is a one-time free service. KnowBe4 customers with a Gold package get an EEC sent to them regularly so they can address the issues that are found. An example would be the email address and password of one of your users on a crime site. Fill out the form and we will email you back with the list of exposed addresses. The number is usually higher than you think.
Sign Up For Your Free Email Exposure Check Now
http://www.knowbe4.com/20120228-Primary/
It's not WHO you trust, but HOW you trust
A snippet from the new Version 2 of our Security Awareness Training,
expected in the next month or so:
Remember your security ground rules, and apply these three levels of risk:
Any email with a hyperlink or attachment could be dangerous. Ask yourself,
"Do I ordinarily receive this type of email from this person or company?"
LOW-RISK: Attachments or emails that contain links sent from people in
your own organization should be considered low risk.
LOW to MODERATE RISK: Attachments or emails that contain links sent from
people you know should be considered a low to moderate risk. Don't open
the attachment or click any link until you have verified with the sender
that it was legitimate.
HIGH-RISK: Attachments or emails that contain links sent from people
you don't personally know, or from outside organizations.
Hacked Inboxes Lead to Bank Fraud
Hacked and phished email accounts increasingly are serving as the
staging grounds for bank fraud schemes targeting small businesses.
The scams are decidedly low-tech and often result in losses of just
a few thousand dollars, but the attacks frequently succeed because
they exploit existing trust relationships between banks and their
customers. Last month, scam artists hijacked private email accounts
belonging to three different customers of Western National Bank, a
small financial institution with seven branches throughout Central
and West Texas. In each case, the thieves could see that the victim
had previously communicated with bank personnel via email. Read this
story at:
http://krebsonsecurity.com/2012/03/hacked-inboxes-lead-to-bank-fraud/
5 Big Security Mistakes You're Probably Making
Roger Grimes has a short list that is oh-so-true: "Companies get
hacked so often you'd think it was magic, but it really stems from
chronic inability to follow basic security.
How vulnerable are most companies to hacking? So vulnerable that hackers
claim they can point their systems at pretty much any target and be
guaranteed of breaking in fairly quickly. Most run-of-the-mill
vulnerability testers I know can break into a company in a few hours
or less. It must be child's play for professional criminals. It
doesn't have to be this way. The problem is that most IT admins
are making the same huge mistakes over and over."
No. 1 - Assuming that patching is good enough
No. 2 - Failing to understand what apps are running
No. 3 - Overlooking the anomalies
No. 4 - Neglecting to ride herd on password policy
No. 5 - Failing to educate users about the latest threats
Please read this article:
http://www.infoworld.com/d/security/5-big-security-mistakes-youre-probably-making-188517
Passwords Are The Weakest Link In Enterprise IT Security: Study
Joe McKendrick at ZDNet had the best summary of this news: "Eighty percent
of the security incidents studied by Trustwave were due to the use of
weak administrative credentials.
Organizations are spending millions of dollars to beef up their data,
application and network security, but still keep overlooking one obvious
area of exposure: user passwords. The Trustwave 2012 Global Security
Report has just been published, identifying areas of vulnerabilities
that persist within organizations, and threaten data security. The
report's authors studied more than 300 data breaches that occurred
during the year 2011 across 18 countries. The report observes that cyber
attacks continue to rise unabated, and hackers are increasingly going
after businesses' customer records. The risk is even greater for
businesses frequented by consumers and brand name chains." More:
http://www.zdnet.com/blog/service-oriented/passwords-are-the-weakest-link-in-enterprise-it-security-study/8682
Search Engine With An Eye For Privacy
KnowBe4 customer Craig Fosburg sent me a very useful heads-up about
search engines and privacy concerns. Here is the upshot: the big search
engines store increasing amounts of data about you, and start to change
their search results based on that data. This creates a filter (call
it a bubble) that eliminates information based on what it perceives
you might want/need. See this website, which does an excellent job of
illustrating the problem. It boils down to the fact that different people
get different search results, which is potentially harmful. See it here:
http://dontbubble.us/
With this in mind, you might want to change your search engine for a
while and see what this one comes up with, as their policy is
that they do NOT store ANY personal information or search information.
http://www.DuckDuckGo.com
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
Top Gear Italy put spiked tires on a Peugeot 207 Super 2000 and took it
to the ski slopes. Not only did they manage to find a way to bypass
the ski lifts to get up to the top, you absolutely have to watch the
Peugeot take on fearless downhill skier Anna Andreussi in a one-to-one
race down the Italian Alps:
http://www.flixxy.com/mountain-race-car-vs-ski.htm
A tour boat near Wilhelmina Bay, Antarctica noticed an enormous iceberg in
the distance that had started to crumble softly. Just as one of the tourists
asked, "Why don't we just stay here and watch it?" the iceberg started to
give way, and completely imploded:
http://www.flixxy.com/enormous-iceberg-implodes-in-antarctica.htm
Two Golden Retrievers play the 'flea waltz' on the piano in perfect response
to the notes played to them on an ocarina:
http://www.flixxy.com/dogs-with-a-perfect-pitch.htm
Extreme radio-controlled airplane flying over Monument Valley with HD cockpit
camera video-feed. It's like wingsuit-flying without the risk:
http://www.flixxy.com/extreme-rc-plane-flying-monument-valley.htm
Clip from the Apollo 16 Video Library. Charlie drives the penetrometer into
the soil and, leaning down on it as it descends, he falls forward to the
ground. It takes three attempts for him to get back up by doing press-ups:
http://www.hq.nasa.gov/alsj/a16/video16.html
If you are in IT, and are solving problems for other people as one of your
hats, you might like this observation:
http://WhatHaveYouTried.com/
Rio's 2011 Carnival gets "tilt-shifted" in the stunning short film "The City
of Samba":
http://www.flixxy.com/rio-de-janeiro-2011-carnival-tilt-shift.htm
Peruvian national champion mountain bike rider Alejandro Paz takes his helmet-cam for a fast ride down a rocky mountain trail:
http://www.flixxy.com/extreme-mountain-biking-in-peru.htm
Have you ever told your parents and friends they should stop using Internet Explorer? You aren't alone:
http://www.flixxy.com/the-browser-you-loved-to-hate.htm