CyberheistNews Vol 2, #10
Editor's Corner
RSA Post-mortem: Massive Human Component To Security
George Hulme wrote on the CSO site: "There was an unusual level of
gloom at the RSA Conference this year, and for good reason: a number
of the biggest and most respected security firms have been very
recently breached, including RSA Security, VeriSign, and Symantec.
"Stefan Savage, professor at the department of computer science and
engineering, University of Calif., San Diego, observed that many of
the perceived failures of IT security may be because the industry,
largely, views security as a technical problem.
"There is a massive human component to security. While there are
lots of technical things behind spam and botnets, there are people
behind all of that, and then there are people who make mistakes
that many times let them [spammers and botnets] through," said Savage."
He acknowledges the point I have been making these last few years.
Yes, you need security software, and we will release something
ourselves shortly, but you also need to train the weak link in
your IT security: humans! Here is the article:
http://www.csoonline.com/article/701390/rsa-conference-2012-post-mortem-it-security-in-a-precarious-spot-?
Message For The Owner: "Your Bank Account Emptied By Cyber Thieves"
You own your own business. You worked hard to build it up. It’s your
life to a large extent, and you spend well over 40 hours a week building
it. Your employees are often like family (for better or for worse!)
They count on you to be their ‘fearless leader’ in many instances.
Over time you have put enough money aside so that you have a buffer
when times get bad. It sits in your corporate savings account over
at the bank. You think it is safe. Think again.
First of all, your corporate money is NOT INSURED by the FDIC against
fraud. Your personal accounts are, but business accounts are not
insured, except at one bank: JP Morgan Chase. At every other bank,
if cyber thieves hack into your network, take over your bank account,
and transfer money out of the country, you are NOT INSURED. Call your
bank; they will reluctantly acknowledge this fact. (You may have to
insist on getting an answer from the right person, because even many
bank employees are not aware of this.) Banks are working on additional
cyber defenses, but at the moment this is the situation.
Now, cybercrime has gone ‘pro’ in the last 5 years. They have lots of
resources, lots of smart people, and they hack into businesses like
yours all day long, using your employees to get in. How? It’s called
‘social engineering’ which means manipulating someone to divulge
confidential information. Getting a password out of someone can take
just 3 minutes over the phone, or 3 seconds if an employee clicks on
a phishing email.
Apart from all the IT security measures your organization has taken,
you need one more security layer: people. Your employees urgently
need to be trained so they don't fall for these scams. It is
extremely affordable and something you cannot do without. It's called
Security Awareness Training, and every organization needs to do it.
KnowBe4 tests your employees for free, so you know up front the
percentage that is vulnerable. The first thing we recommend is the
free Email Exposure Check, that shows you how many of your email
addresses are out there on the Internet, available for the bad guys
to attack your employees. Fill out the free Email Exposure Check form
at KnowBe4:
http://www.knowbe4.com/email-exposure-check/
ACH Fraud and the Courts
To illustrate that I'm talking about real threats, BankInfoSecurity has a
very interesting article about the current legal cases where money -has-
been stolen out of company bank accounts. Here is their intro:
"It's been nearly three years since hackers rerouted more than $540,000
from a small business account owned by Maine-based PATCO Construction
Inc. Still, legal wrangles between PATCO and Peoples United Bank
[formerly known as Ocean Bank] linger.
In May 2011, a U.S. District Court magistrate recommended the court deny
PATCO's motion for a jury trial. That recommendation was later affirmed
by a District Court judge. But PATCO appealed the ruling, and Mark
Patterson, co-owner of PATCO, this week says the case is expected to
appear before an appellate court sometime next month. "Wish us luck,"
he said."
http://www.bankinfosecurity.com/articles.php?art_id=4546&rf=2012-03-01-eb
Quotes of the Week
"Computers are magnificent tools for the realization of our dreams,
but no machine can replace the human spark of spirit, compassion,
love, and understanding." - Louis Gerstner, former CEO of IBM
"Amnesia is what causes financial crises." - Timothy Geithner
Secretary of the U.S. Treasury.
Please tell your friends about CyberheistNews! They can subscribe here:
http://www.knowbe4.com/about-us/cyberheist-news/
Stop Phishing Security Breaches
Are you aware that many of the email addresses of your organization are exposed on the Internet and easy to find for cybercriminals? With these addresses they can launch (spear-) phishing attacks on your organization. This type of attack is very hard to defend against, unless your users are highly ‘security awareness’ trained.
IT Security specialists call it your ‘phishing attack surface’. The more of your email addresses that are floating out there, the bigger your attack footprint is, and the higher the risk is. It’s often a surprise how many addresses are actually out there.
Find out now which of your email addresses are exposed. The Email Exposure Check (EEC) is a one-time free service. KnowBe4 customers with a Gold package get an EEC sent to them regularly so they can address the issues that are found. An example would be the email address and password of one of your users on a crime site. Fill out the form and we will email you back with the list of exposed addresses. The number is usually higher than you think.
Sign Up For Your Free Email Exposure Check Now
http://www.knowbe4.com/20120228-Primary/
CSO's Ultimate Guide to Social Engineering
"A comprehensive view of social engineering methods and prevention.
Social engineering attacks security at its weakest link: People. Preying
on employees' best intentions, social engineers gain unauthorized access
to systems and information. So how do you secure people against these
tactics? Storytelling, education, processes, and other methods all come
into play. CSO's Ultimate Guide to Social Engineering, gathered from
CSO's popular interviews with social engineering experts, provides a
complete look at common techniques in both attack and defense.
This 13-page pdf is available for download by registered CSO Insiders.
What's in the Ultimate Guide:
- Social engineering defined
- How social engineers work and the psychology they rely on
- Awareness and prevention techniques
- Lots of examples of social engineering in action
DOWNLOAD THE REPORT HERE: CSO's Ultimate Guide to Social Engineering
http://www.csoonline.com/article/701042/cso-s-ultimate-guide-to-social-engineering?
Smartphone Hacking Linked To Rise In Identity Fraud
This is something you might want to send to your users as a reminder,
since it's got some TV footage that makes the point for you. Nearly 12
million Americans were victims of identity theft in 2011, an increase
of 13 percent over 2010, according to a recent report released by the
research firm Javelin Strategy & Research:
http://www.kfoxtv.com/news/news/smartphone-hacking-linked-rise-identity-fraud/nK6MS/
This Malware Talks! (It writes to you via live chat)
SANS reported that a new piece of malware dubbed Shylock is being used to
conduct man-in-the-middle attacks on customers who use online banking
services. The attacks have focused mainly on business banking customers.
Shylock hijacks sessions after users log in to their accounts; it pops up
a live chat session window in which users are told the session has been
suspended for one reason or another, and then the attacker poses as a
customer service representative, who transmits information to the bank
and steals funds. The live chat session seeks the information necessary
to carry out the fraudulent transaction. More:
http://www.trusteer.com/blog/speaking-devil-%E2%80%93-malware-adds-live-chat-commit-fraud
Stuxnet On TV
60 Minutes yesterday had a segment on Stuxnet, showing that the genie is
out of the bottle, and that this malware can now be re-used for a plethora
of cyber attacks that will be hard to defend against. Send this link to your
management if you want to give them a quick update on the state of the art
of malware:
http://www.youtube.com/watch?v=6WmaZYJwJng
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
Here is a very funny Windows 8 graphic, at the macguru site. Not much
has changed, LOL!
http://www.macguru.biz/images/Windows-8-Vs-Windows-1.0-Not-Much-Has-Changed-%28Humor%29.jpg
Very few people understand how "public key encryption" works. Here is
a simple explanation using paint mixing:
http://www.flixxy.com/how-encryption-works-in-your-web-browser.htm
A Russian cat mastered sign language and is using it to ask for food:
http://www.flixxy.com/cat-asks-for-food-using-sign-language.htm
OK, security is important but this weaponized iPhone case may be a bit
overboard:
https://www.geek.com/apple/weaponized-iphone-case-may-be-a-bit-overboard-1469437/
While walking amidst white mountaintops and cozy ski lodges, Simon Beck
creates enormous works of snow art that look like giant wintry crop circles.
Believe it or not, the immense snow patterns are made entirely by foot:
http://inhabitat.com/artist-makes-giant-wintry-crop-circles-just-by-walking-in-the-snow/simon-beck-snow-art2/?extend=1
As one of the VIPRE's daddies, this makes me feel gooood:
http://www.gfi.com/blog/snake-on-a-plane/
12 seriously cool “toys” for big boys and girls:
http://www.networkworld.com/slideshow/34427?
Avi Rubin, Professor of Computer Science at Johns Hopkins University, talks
about the security risks in medical devices and modern cars:
http://www.flixxy.com/avi-rubin-all-your-devices-can-be-hacked-ted-2011.htm
15 high-tech wristwatches that would make Dick Tracy jealous:
http://www.networkworld.com/slideshow/35048?
Mercedes has built a car that uses LED lights to make itself "invisible":
http://www.flixxy.com/mercedes-benz-creates-invisible-car.htm