CyberheistNews Vol 2, #19
Editor's Corner
Scam Of The Week: 'The Evil Unsub'
An ordinary piece of spam slips through the filters, and you see a
gorgeous sandy beach with palm trees. It's an enticing ad for a
vacation to a tropical island, basically a big picture with just one
button that allows you to learn more. You click on that button and
you wind up on the legitimate website of the travel agency that
sells the vacation package. So what's the angle? The poison comes
in when you click the unsub button, which installs a nasty Trojan
that hides itself really well. You think you do the right thing
and unsub from the spam, but remember, ANYTHING you click on in
the wrong email is a potential way to get infected with malware!
This is why we have so much success with our continued Phishing
Security Tests. Here are some real-life 12-month results of our
training. Spend ONE minute and look at these graphs!
http://www.knowbe4.com/visible-proof-the-knowbe4-system-works/
Six Steps To Successful Security Awareness Training
If you schedule an event to teach people about Internet Security
and make attendance optional, only about 5% of your entire office
population will show up. And guess what, those 5% are probably the
people who need it least.
Here are the six elements of a successful Internet Security Awareness
Training Program
1) Formulate a written Security Policy and make it easily available. Each
employee needs to read the document and sign it as an acknowledgment
that they understand the policy and will apply it.
2) Give all employees a mandatory (online) Security Awareness Course,
with a clearly stated deadline. It is highly recommended to explain to
them in some detail why this is necessary.
3) Make this Security Awareness Course part of the onboarding process
of each new employee.
4) Keep security top of mind for all employees through continued
testing. Sending a simulated phishing attack once a week is
extremely effective at keeping them alert.
5) Never publicly identify an employee who fails a simulated attack; let
their supervisor or HR take this up privately. Give a quarterly prize
to the three employees with the lowest fail rate.
6) If you use posters, stickers and/or screensavers, change the pictures
or messages monthly. After a few weeks people simply don't see them
anymore. It's more effective to send them regular Security Hints & Tips
via email.
Quotes of the Week
"Always bear in mind that your own resolution to succeed is more important
than any other." - Abraham Lincoln
"Success is a lousy teacher. It seduces smart people into thinking they
can't lose." - Bill Gates
Please tell your friends about CyberheistNews! They can subscribe here:
http://www.knowbe4.com/about-us/cyberheist-news/
Prevent Email Phishing
Want to stop Phishing Security Breaches? Did you know that many of the
email addresses of your organization are exposed on the Internet and easy
for cybercriminals to find? With these addresses they can launch
spear-phishing attacks on your organization. This type of attack is very
hard to defend against unless your users have received thorough security
awareness training.
IT Security specialists call it your phishing attack surface. The more
of your email addresses that are floating out there, the bigger your attack
footprint is, and the higher the risk is. Find out now which of your email
addresses are exposed with the free Email Exposure Check (EEC). An example
would be the email address and password of one of your users on a crime
site. Fill out the form and we will email you back with the list of exposed
addresses. The number is usually higher than you think.
Sign Up For Your Free Email Exposure Check Now
http://www.knowbe4.com/email-exposure-check/
Video: How A Crimepack Works
Cybercriminals are as organized and industrious as any legitimate
business. Case in point: exploit kits, also known as crimepacks, which
bad guys can purchase and which make infecting computers with malware
as simple as point and click. The software, often available for purchase
for only a few hundred dollars, also gives the criminal comprehensive,
real-time information about the machines it has impacted.
With an exploit kit, criminals can get new malware, infect web sites,
build business intelligence and manage an overall malicious campaign,
according to James Lyne, director of technology strategy for security
firm Sophos. Here is the video:
http://www.csoonline.com/article/704055/video-how-a-crimepack-works?
8 Dirty Secrets Of The IT Security Industry
Bill Brenner at CSO Magazine is quoting IBM ISS Security Strategist
Joshua Corman, who has been on a crusade with his 8 Dirty Secrets
campaign. Dirty Secret #5 rang oh so true:
Dirty Secret 5: There is more to risk than weak software
Corman said the lion's share of the security market is focused on software
vulnerabilities. But software represents only one of the three ways to
be compromised, the other two being weak configurations and people.
Unfortunately, he said, the latter two are far more dangerous risks
than the big bad software security flaw of the week.
"While we need to find and patch vulnerabilities, we also must understand
an organization is only as strong as its weakest link. More attention
needs to be paid in mitigating the other two ways beyond software,"
Corman said. Read here about the other seven dirty little secrets:
http://www.csoonline.com/article/499815/8-dirty-secrets-of-the-it-security-industry?page=1
And obviously Internet Security Awareness Training is part and parcel
of strengthening your weakest link: users.
Spoiler Alert: Your TV will be hacked
"Last week you may have read a headline that blared "100 million TVs will
be Web-connected by 2016." Regular readers of this blog know I'm always
on the lookout for new threats, so the question naturally arises: Will
Internet TVs be hacked as successfully as previous generations of
digital devices? Of course they will!" Read Roger Grimes' article at
InfoWorld here:
http://www.infoworld.com/d/security/spoiler-alert-your-tv-will-be-hacked-191013
Fake Skype Encryption
You don't like Big Brother snooping, and looking into your Skype
conversations. Could be you are discussing highly confidential
product features or legal strategy. Another possibility is that you
live in a country where repression of free Internet communication
is the norm (Syria, Iran, China to name a few). In either case you
are looking to encrypt your Skype sessions. You might be tempted
to Google for software that does that. Careful, as there is now
malware that purports to provide encryption for Skype, but in reality
it's the DarkComet V3.3 malware. Moreover, Skype actually uses
AES encryption, and here is their FAQ describing how that works
and what is covered by their encryption:
https://support.skype.com/en-us/faq/FA31/Does-Skype-use-encryption?
Large Twitter Spam Campaign
According to security researchers at Kaspersky, during the last few days,
a large spam campaign on Twitter directed users to infected/malicious
websites that exploited vulnerabilities in browser plug-ins to infect
their computers with rogue antivirus programs. Kaspersky's researchers
counted 4,148 tweets containing malicious links being sent from 540
compromised Twitter accounts. "Our analysis is just a snapshot at a
given time, and is lower than reality," said Kaspersky Lab senior malware
researcher Nicolas Brulez in their blog. The spam tweets contained
messages like "online virus check," "proven anti-virus," "excellent
anti-virus," and links to websites with .TK and .SU domain names. More:
http://www.securelist.com/en/blog/208193477/New_Spam_campaign_on_Twitter_Leads_to_Rogue_AV
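The campaign above can be turned into a simple triage rule: a tweet that pairs one of the reported lure phrases with a link on a .TK or .SU domain is flagged, and the flagged tweets are counted per account the way Kaspersky tallied compromised accounts. This is an added example written for this newsletter, not Kaspersky's code; the tweets it runs on are constructed sample data.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators quoted from the Kaspersky write-up above.
ROGUE_AV_PHRASES = ("online virus check", "proven anti-virus", "excellent anti-virus")
SUSPECT_TLDS = ("tk", "su")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def suspicious_urls(text):
    """Return the URLs in text whose host ends in one of SUSPECT_TLDS."""
    hits = []
    for url in URL_RE.findall(text):
        # urlsplit lowercases the host and drops any port for us.
        host = (urlsplit(url).hostname or "").rstrip(".")
        if host.rsplit(".", 1)[-1] in SUSPECT_TLDS:
            hits.append(url)
    return hits


def is_rogue_av_tweet(text):
    """Flag only when a lure phrase AND a .tk/.su link occur together,
    so a vendor tweet about anti-virus or a harmless .tk link alone is not hit."""
    lowered = text.lower()
    has_phrase = any(phrase in lowered for phrase in ROGUE_AV_PHRASES)
    return has_phrase and bool(suspicious_urls(text))


def summarize(tweets):
    """tweets: iterable of (account, text) pairs.
    Returns (flagged_tweet_count, {account: flagged_count})."""
    per_account = defaultdict(int)
    for account, text in tweets:
        if is_rogue_av_tweet(text):
            per_account[account] += 1
    return sum(per_account.values()), dict(per_account)


# Constructed sample tweets; the account names and domains are made up.
SAMPLE_TWEETS = [
    ("alice", "online virus check here http://scan-now.tk/av"),
    ("bob", "Excellent anti-virus, get it: HTTP://free-protect.SU/dl"),
    ("alice", "proven anti-virus http://best.tk/setup"),
    ("carol", "check out my blog http://carol.example.com/post"),
    ("dave", "proven anti-virus works great, buy at http://vendor.example.com"),
    ("erin", "lunch http://menu.tk/today"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_TWEETS))  # (3, {'alice': 2, 'bob': 1})
```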
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
SUPER FAVE: Ever wanted to take out those bad guys in a more permanent way? This crazy Russian
just built the tool for that. A quad rotor with a machine gun strapped to its belly. Check
out how this thing compensates for recoil!!
http://youtu.be/SNPJMk2fgJU
A new time-lapse video from the ISS gives you the best view in the solar
system of our home planet:
http://www.flixxy.com/the-best-view-in-the-solar-system.htm
Mark Dumas is the only man in the world who can swim with a polar bear:
http://www.flixxy.com/the-only-man-in-the-world-who-can-swim-with-a-polar-bear.htm
14-year-old Jake Foushee has become an Internet sensation with his
amazing movie trailer voice:
http://www.flixxy.com/14-year-old-has-amazing-movie-trailer-voice.htm
The NASA space shuttle Discovery took a spectacular last ride around
Washington DC this week on its way to the final stop at the Smithsonian:
http://www.networkworld.com/slideshow/42665
Evacuated Tube Transport could take you from New York to LA in 45 minutes:
http://www.flixxy.com/evacuated-tube-transport-around-the-world-in-6-hours.htm
Robot readable world on Vimeo shows us how life is through the eyes of machines:
http://vimeo.com/36239715
Wessley Cavalcante doesn't need an alarm clock - he has a cat named Boo.
Hilarious:
http://www.flixxy.com/cat-alarm-clock.htm
Inspired by "Where the Hell is Matt", Steve Kamb decided to self-fund a
16-country 120,000 mile 18-month adventure trip around the world. Fun!:
http://www.flixxy.com/exercising-around-the-world.htm
Frustrated by how long it takes for Windows to fully load after you've logged
in? So is just about every other Windows user on the planet. Now you can do
something about it with this new product called Soluto:
http://www.pcworld.com/downloads/file/fid,153446-order,4/description.html
One of these things is not like the others. Did you see it right away?
http://www.flixxy.com/one-of-these-things-is-not-like-the-others.htm
Sh*t I.T. Security Guys Say. Not Quite Safe For Work:
http://www.youtube.com/watch?feature=player_embedded&v=GYbNNJklCFQ
A compilation of 104 fun wedding dances from around the world edited to
the song 'Losing My Religion' by R.E.M.
http://www.flixxy.com/wedding-dance-compilation.htm