CyberheistNews Vol 2, #41
Editor's Corner
Scam Of The Week: Customer Satisfaction Survey
If the bad guys used their energy and inventiveness in a more productive
way, the world economy would be a lot healthier. This week a popular
social engineering attack is doing the rounds in which people are promised
a $50 or EUR50 voucher or gift certificate if they answer a quick
5-question customer satisfaction survey. Major brands are impersonated;
in Europe it's Tesco and Woolworth. The attack is launched via Facebook.
Two other scams are also worth mentioning. The first is an email disguised
as a voicemail notification from Microsoft Exchange Server that tries to get
users to double-click a link to listen to the voicemail. The second is an
email that appears to come from the FDIC and tries to get users to follow
a link to download a "new security version" of its software.
https://s3.amazonaws.com/knowbe4.cdn/SocialEngineeringRedFlags.pdf
1-Minute-Internet-Security-Survey
Could you do me a big favor? Spend one minute! Kevin and I are working
on internet security awareness training for families. First we asked
people which things they thought were important for Internet security at
home, in other words, what they thought was needed to protect their
family online. Please indicate how important you think the following items
are for families to stay safe online. We added one short bonus question:
if these topics were covered in a course that all family members could
take, what would be a good name (title) for that course?
Here is the link to the survey and thanks so much in advance!
https://www.surveymonkey.com/s/9RL7VPM
My Top 3 Security Sites
A customer asked me what my three top security websites are. I had to
think for a bit, and then concluded that these three were my faves.
You might like them too, so here they are, not necessarily in order of
importance, although I have been reading InfoWorld since 1981. My top 3
fave security sites are:
1) http://www.infoworld.com/d/security
2) http://www.virusbtn.com/vb100/index
3) http://www.csoonline.com/
Please Forward This Newsletter To Your Friends
There are 40,000 people getting CyberheistNews every week, but
we need to get the word out to many more to protect everyone's
network. Please forward this newsletter to people you know who can
benefit. Here is the link to subscribe:
http://www.knowbe4.com/cyberheist-news/
Quotes of the Week
"There are in fact two things, science and opinion; the former begets
knowledge, the latter ignorance." - Hippocrates
"The reality of the world today is that grounding ethics in religion
is no longer adequate." - Dalai Lama
Please tell your friends about CyberheistNews! They can subscribe here:
http://www.knowbe4.com/cyberheist-news/
NEW: Full Free Preview of the Kevin Mitnick Security Awareness Training!
You may qualify for a full free preview. You know that your employees
are the weakest link in your organization's IT security. You are looking
for a high-quality approach that will be effective in protecting your
network against phishing attacks. This free preview gives you access to
the full 30-40 minute training. The preview is free, and after you decide
to sign up, your yearly subscription allows you both to train all employees
and to schedule simulated phishing attacks against all employees, with
tracking of who clicks when. Sign up for your free preview now:
http://www.knowbe4.com/free-preview-kevin-mitnick-security-awareness-training/
"People Are The Key to Every Lock"
Now here is a fascinating story about a very young hacker called 'Cosmo'.
Wired has the story, and it's a great write-up by Mat Honan, who was
recently badly hacked himself. What caught my attention in the middle of
the story was the header "People Are The Key to Every Lock", because Cosmo
used social engineering for most of his hacks. Read it and learn:
"Cosmo is huge: 6 foot 7 and 220 pounds the last time he was weighed, at a
detention facility in Long Beach, California on June 26. And yet he's getting
bigger, because Cosmo, also known as Cosmo the God, the social-engineering
mastermind who weaseled his way past security systems at Amazon, Apple,
AT&T, PayPal, AOL, Netflix, Network Solutions, and Microsoft, is just 15
years old. He turns 16 next March, and he may very well do so inside a
prison cell. Cosmo was arrested along with dozens of others in a recent
multi-state FBI sting targeting credit card fraud. It is the day before
his court date, but he doesn't know which task force is investigating him
or the name of his public defender. He doesn't even know what he's been
charged with. It's tough to narrow it down; he freely admits to participation
in a wide array of crimes." The full story is called 'Cosmo, the Hacker God
Who Fell to Earth':
http://www.wired.com/gadgetlab/2012/09/cosmo-the-god-who-fell-to-earth/all/
5 BYOD Deployment Rules
1) To start off with, appoint a BYOD project leader who has the authority
to enforce the policies, procedures, and training required to get BYOD
implemented securely.
2) Create a clear and concise BYOD policy for both IT and the end-users
in your organization. Next, create computer-based end-user mobile
security training that lays out these security policies, and step all
users through it. That creates a much higher level of understanding and
compliance than having someone read and sign a paper document, which is
a recipe for security breaches.
3) Enforce a strong password policy, which has already been part of the
end-user training in step 2. For confidential data, implement two-factor
authentication. To prevent password fatigue, deploy Single Sign-On (SSO)
or use a password manager like LastPass, which offers the end-user
similar functionality. Ideally you implement a so-called 'Federated ID',
which allows users to log in to all systems and applications they are
authorized for with the same user name and password.
4) Deploy secure remote access using a VPN that runs over SSL. Now that
you have an authenticated user, you need a secure connection. With a VPN,
employees can connect to the office without worrying that their data
stream will be intercepted and broken into by the bad guys. A VPN does
not provide 100% security, but it presents a much harder target to crack.
5) Onboarding and termination need to be managed tightly. When an
employee is hired, they need to be stepped through your security
awareness training and mobile security training as part of the
onboarding process. When an employee leaves, their network access
should be terminated at the very same time. You need management
software that controls devices from the organization's side, so that
you can revoke access in a few seconds.
KnowBe4 and ITIC are working on a much more detailed BYOD security
guide; stay tuned for that announcement.
Microsoft Finds New Computers In China Preinstalled With Malware
Brand-new laptop and desktop computers sold in China contain preinstalled
malicious software, which has infected millions of computers around the
world, according to an investigation by Microsoft revealed on Thursday:
http://cwonline.computerworld.com/t/8227105/987374514/581730/0/
Want Better Security? Assume You've Already Been Hacked
Nimmy Reichenberg at SecurityWeek presents what is, from my perspective,
a healthy viewpoint: 'Assume you've been hacked and now map out your
security policy.' Here is how he presents this approach:
"Information security practitioners have always considered 'keeping
the bad guys out' a core element of their profession, but the flood
of highly-publicized security breaches (together with an unknown
but likely higher number of unpublicized breaches) clearly demonstrates
that we are not excelling at this task, to put things lightly.
Simply put, the bad guys currently have the upper hand in the
never-ending game of cat and mouse. Those of us with enough years
in the business have witnessed the ups and downs: at times, security
technology catches up with the latest threats and provides a good
level of protection, and at other times, the bad guys' tools and
techniques seem to have the advantage. We are currently living in
these 'other times'." More:
http://www.securityweek.com/want-better-security-assume-youve-already-been-hacked
What is Your Phishing Attack Surface?
Want to stop phishing security breaches? Did you know that many of your
organization's email addresses are exposed on the Internet and easy for
cybercriminals to find? With these addresses they can launch
spear-phishing attacks on your organization. This type of attack is
very hard to defend against unless your users have been thoroughly
trained in security awareness. IT security specialists call this your
phishing attack surface. The more of your email addresses that are
floating out there, the bigger your attack footprint is, and the higher
the risk. Find out now which of your email addresses are exposed with the
free Email Exposure Check (EEC). An example would be the email address and
password of one of your users turning up on a crime site. Fill out the
form and we will email you back the list of exposed addresses. The number
is usually higher than you think.
Sign Up For Your Free Email Exposure Check Now:
http://www.knowbe4.com/email-exposure-check/
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
Bard Canning spent four weeks working frame-by-frame to produce the ultimate
Mars Curiosity descent video: 30fps true motion-flow interpolation, color and
detail enhanced, 1080p and sound. Watch this full screen in HD!:
http://www.flixxy.com/the-ultimate-mars-curiosity-descent-video-30fps-real-time-1080p.htm
It is possible that Mars once was as lush as Earth is today. So, what happened?
http://www.flixxy.com/how-planet-mars-may-have-lost-its-atmosphere.htm
Fifty cities in Michigan sing "It's Always A Good Time". Love this one.
Only in the U.S. of A!!
http://www.flixxy.com/fifty-cities-in-michigan-sing-its-always-a-good-time.htm
Do a simple test... Watch this video and count the red cards in the deck.
Dang, they got me:
http://www.flixxy.com/count-the-red-cards.htm
DARPA releases video of its new-and-improved LS3 quadruped robots. Getting eerie:
http://youtu.be/40gECrmuCaU
Aussie-made sci-fi short film looks incredible:
http://www.cnet.com.au/aussie-made-sci-fi-short-film-looks-incredible-339341569.htm
The Flying Bicycle: On 9 November 1961, Derek Piggott was the first person
to become airborne on a bicycle-powered aircraft:
http://www.flixxy.com/the-flying-bicycle-1962.htm
Dilbert on Network Monitoring. Hehe:
http://www.dilbert.com/strips/comic/2012-09-04/
Slideshow: The 12 most dreaded help desk requests:
http://www.infoworld.com/slideshow/64713/the-12-most-dreaded-help-desk-requests-202273
Taking the bus has never been cooler than in this funny Danish TV commercial.
http://www.flixxy.com/epic-bus-ad-from-denmark.htm
Have you ever seen a supersonic aircraft roar right over your head? A driver
in Russia had this exact experience when an Su-24 jet flew just a few dozen
meters over his car:
http://www.flixxy.com/russian-su-24-fighter-jet-buzzes-highway-drivers.htm
To celebrate its 20th birthday, Classic FM London decided to bring the world's
greatest music to an unsuspecting British public...
http://www.flixxy.com/supermarket-handel-flash-mob.htm
Bertrum Thumbcat and his army of clever cats are out to 'catnap' milkmen.
A funny commercial by Cravendale, a British dairy:
http://www.flixxy.com/cat-napped.htm