CyberheistNews Vol 2, #20
Editor's Corner
Scam Of The Week: Fake Storage Upgrades
Phishers are now offering fake storage upgrades. This is getting pretty
sophisticated. I suggest you warn your users that this new scam is going
on.
"In April 2012, Symantec observed phishing pages that mimicked popular email
services in an attempt to dupe users with attractive storage plans. Customers
were flooded with fake offers of free additional storage space for services
such as email, online photo albums, and documents.
In the first example, the phishing site was titled “Welcome to New [BRAND
NAME] Quota Verification Page”. According to the bogus offer, the additional
storage plan ranged from 20 GB to 1 TB per year, at no extra cost. The
phishing page boasted that the free additional storage plan will help
customers prevent loss of data and the inability to send and receive emails
due to exhausted storage space." Here is the Symantec blog post:
http://www.symantec.com/connect/blogs/phishers-offer-fake-storage-upgrades
And as always, your users really need Internet Security Awareness Training
to make sure they do not fall for criminal tricks like this. You know,
often the attackers go after employees at the house, compromise those
PCs first, and then use the data obtained to attack the office.
Quotes of the Week
"For to be free is not merely to cast off one's chains, but to live in a
way that respects and enhances the freedom of others." - Nelson Mandela
“None are more hopelessly enslaved than those who falsely believe they
are free.” - Johann Wolfgang von Goethe
Please tell your friends about CyberheistNews! They can subscribe here:
http://www.knowbe4.com/about-us/cyberheist-news/
Did you know? KnowBe4 Does Vulnerability Scanning!
Whether we like it or not, we are all potential targets if we are connected to the Internet. There is a very good chance that your website is being scanned for vulnerabilities right now by the bad guys, looking for low-hanging fruit that they can use to break in. Better be the one who does that scan first, and fix any holes that cyber criminals might use to penetrate your network. We can help you with that!
Get a Quote Now:
http://www.knowbe4.com/products/vulnerability-scanning/
How To Land A Cybersecurity Job
Just found an article in NetworkWorld by Carolyn Duffy Marsan that is
very interesting. Here is a snippet: "One specific skill related to cloud
security that's in demand: SAML. The Security Assertion Markup Language
is an emerging standard that allows enterprises to extend their directory,
authentication and identity management systems into cloud-based applications."
"You can learn SAML very quickly, and it's incredibly applicable because
almost all the [Software-as-a-Service] companies support a SAML interface,"
Frymier says. "We've implemented a SAML product in the last year and a half
or so. It allows us to create an interface to an LDAP store like Microsoft
Active Directory and in a secure manner expose account information from
Active Directory to SaaS applications. We can do account management
inside our Active Directory and have that immediately reflected in our
SaaS applications." Here is the article:
http://www.networkworld.com/article/2188252/access-control/how-to-land-a-cybersecurity-job.html
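The quoted description of SAML (an identity provider fronting Active Directory, a SaaS application consuming the assertion) skips what the SaaS side must do before trusting the account data it receives. As an added illustration that is not part of the article or of any vendor's product, the Python below parses a SAML 2.0 Response and applies the service-provider checks on the assertion's Conditions: expected issuer, validity window (NotBefore / NotOnOrAfter), and audience restriction, then extracts the NameID and attributes. The sample response, the IdP and SP URLs, and the `department` attribute are constructed for this example. It deliberately does not verify the XML signature; a real service provider must verify the assertion's signature against the IdP's certificate (for example with an xmlsec binding) before any of these checks are meaningful.

```python
"""
Added illustration (not the article's code): the checks a SaaS service
provider (SP) applies to the Conditions of a SAML 2.0 assertion before
trusting account data an identity provider (IdP) exposes from an LDAP/AD
store. Signature verification is out of scope here and is assumed to be
done first by a proper XML-DSig library.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample response; URLs and the attribute are assumptions.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2012-05-14T12:00:00Z">
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2012-05-14T12:00:00Z">
    <saml2:Issuer>https://idp.example.com/adfs/services/trust</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml2:NameID>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2012-05-14T11:59:00Z" NotOnOrAfter="2012-05-14T12:05:00Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://saas.example.net/sp</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="department">
        <saml2:AttributeValue>Finance</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</samlp:Response>"""

EXPECTED_ISSUER = "https://idp.example.com/adfs/services/trust"   # assumed IdP entity ID
EXPECTED_AUDIENCE = "https://saas.example.net/sp"                 # assumed SP entity ID


def parse_time(value: str) -> datetime:
    """SAML timestamps are UTC xs:dateTime values such as 2012-05-14T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text: str, expected_audience: str, expected_issuer: str, now: datetime):
    """Return (ok, reason, account). account is None unless every check passes.

    NOTE: signature verification is assumed to have happened already; an
    unsigned or badly signed assertion must be rejected before reaching here.
    """
    root = ET.fromstring(xml_text)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        return False, "no assertion", None

    # The issuer must be the IdP we federated with, not just any IdP.
    issuer = assertion.findtext("saml2:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        return False, "unexpected issuer", None

    conditions = assertion.find("saml2:Conditions", NS)
    if conditions is None or not conditions.get("NotBefore") or not conditions.get("NotOnOrAfter"):
        return False, "missing validity window", None

    # Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    not_before = parse_time(conditions.get("NotBefore"))
    not_on_or_after = parse_time(conditions.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return False, "assertion outside validity window", None

    # Audience restriction: an assertion minted for another SP must not be accepted here.
    audiences = [a.text for a in conditions.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
    if expected_audience not in audiences:
        return False, "assertion not addressed to this SP", None

    name_id = assertion.findtext("saml2:Subject/saml2:NameID", default="", namespaces=NS)
    attrs = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml2:AttributeValue", NS)]
    return True, "ok", {"name_id": name_id, "attributes": attrs}


def run_checks():
    """Exercise the sample against a valid time, an expired time, and a wrong audience."""
    in_window = datetime(2012, 5, 14, 12, 0, 30, tzinfo=timezone.utc)
    expired = datetime(2012, 5, 14, 12, 5, 0, tzinfo=timezone.utc)   # equals NotOnOrAfter
    return {
        "valid": check_assertion(SAMPLE_RESPONSE, EXPECTED_AUDIENCE, EXPECTED_ISSUER, in_window),
        "expired": check_assertion(SAMPLE_RESPONSE, EXPECTED_AUDIENCE, EXPECTED_ISSUER, expired),
        "wrong_audience": check_assertion(SAMPLE_RESPONSE, "https://other.example.org/sp",
                                          EXPECTED_ISSUER, in_window),
    }


if __name__ == "__main__":
    for name, (ok, reason, account) in run_checks().items():
        print(f"{name}: ok={ok} reason={reason} account={account}")
```

The exclusive upper bound on NotOnOrAfter and the exact-match audience check are what the SAML 2.0 core specification requires; the short validity window in the sample (six minutes) is typical of real IdPs and is what limits replay of a captured assertion.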
Understanding Security Hype
HP is promoting a white paper about securing virtualized data centers. Some
terms they used looked unfamiliar, so I decided to take a look. Here is the
paragraph where they are used. Turns out these are concepts mostly cooked up
by marketing folks, so don't fall for this kind of hype.
"While there are real challenges to deploying applications securely in a
virtual environment, there is also a fair amount of hype surrounding the
topic. While some of the areas of vulnerability and possible attack scenarios
that have been identified are realistic possibilities, they are not a practical
reality. Many of these potential attacks are not being encountered with any
frequency, or at all. Those being discussed include:
• Hyper-jacking: Attacks targeted at subverting or layering a rogue hypervisor
on a virtual server
• VM Escape: An exploit that enables a hacker to move from within a VM to
the hypervisor
• VM Hopping: An instance in which one VM is able to gain access to another VM
• VM Sprawl: The proliferation of virtualized server workloads"
Only the last one happens regularly, and it is an organizational problem
rather than a real security risk.
The Average Cyberespionage Attack Goes On For 416 Days
WIRED Mag has a great article by Kim Zetter. It boils down to the fact
that high-level hackers are able to get and stay in your network. And
even if you are able to kick them out, they unleash a spear-phishing
campaign on your users, and they are right back in. Here is a bit of a
shocker: “According to Richard Bejtlich, Chief Security Officer for computer
security firm Mandiant, which has helped Google and many other companies
conduct forensics and clean up their networks after an attack, the average
cyberespionage attack goes on for 416 days, well over a year, before a
company discovers it’s been hacked. That’s actually an improvement over
a few years ago, he says, when it was normal to find attackers had been
in a network two or three years before being discovered.” The solution?
Analyze and segment your network and keep the truly confidential data
completely off any network segment with public access. Expensive, but
effective. Here is the (warmly recommended) article:
http://www.wired.com/threatlevel/2012/05/everyone-hacked/
Symantec Report Says User Behavior is Root of Most Breaches
Tracy Kitten over at BankInfoSecurity spotted something interesting in
Symantec’s recent Internet Security Threat Report. This is the upshot:
“Which Internet security threats pose the greatest risks to organizations
in 2012 and beyond? Symantec has just released its Internet Security Threat
Report, which reveals some surprising trends. While the number of Internet
vulnerabilities identified and tracked by Symantec dropped 20 percent in
2011, malicious attacks waged against online users jumped 81 percent.
Liam O Murchu, Manager of Operations at Symantec Security Response, says
hackers have altered their methods and modes of attack, relying more on
social media and spear-phishing than they have in the past.” Here is the
article with a link to the PDF. Do I need to say anything about Security
Awareness Training? Methinks not:
http://www.bankinfosecurity.com/interviews.php?interviewID=1554&
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
Super Fave. A compilation of the "world's fastest everything" - from the
world's fastest cup stacker to the world's fastest clapper:
http://www.flixxy.com/worlds-fastest-everything.htm
'Jetman' Yves Rossy soars over Rio de Janeiro's iconic skyline, including
the famous 'Christ the Redeemer' statue:
http://www.flixxy.com/jetman-flies-over-rio-de-janeiro.htm
An incredible scene caught on camera: A polar bear doing a handstand in
the water with seagulls watching on the ice:
http://www.flixxy.com/polar-bear-does-handstand.htm
Neil deGrasse Tyson introduces you to one amazing K-9, who knows over 1,000 words:
http://www.flixxy.com/the-dog-who-knows-1000-words.htm
Who would have thought that a cat and dolphins could get along so well?
http://www.flixxy.com/cat-and-dolphins-playing-together.htm
'Doggles', seatbelt, fur flying in the wind and a big dog smile. It's a
beautiful day!
http://www.flixxy.com/its-a-beautiful-day.htm
Entitled "1944", this 8-minute film was Apple's in-house takeoff of the "1984"
Super Bowl Macintosh ad. The World War II-themed film was used to inspire
Apple's international sales team. Highlights include Steve Jobs as FDR:
http://www.flixxy.com/steve-jobs-plays-fdr-in-apple-macintosh-1944-ad.htm
Here is something cool: The ExoHand from Festo is an exoskeleton that can
be worn like a glove. The fingers can be actively moved and their strength
amplified; the operator's hand movements are registered and transmitted
to the robotic hand in real time. Nifty:
http://www.youtube.com/watch?v=EcTL7Hig8h4