CyberheistNews Vol 2, #46
Editor's Corner
Cybergeddon New Web Series Sponsored By Symantec
Not sure how I missed this, but on Sept 25th a new web series was
released via Yahoo Screen. The creator is CSI's Anthony E. Zuiker,
and this new series indeed has Hollywood production values we have
not seen on the web yet. The 9 (mini) episode story is about an FBI
agent (easy-on-the-eyes star Missy Peregrym) who is framed for a massive
zero-day virus attack that threatens to shut down most of the Internet.
This is by far the most expensive web series up to now at a cost of $6
million, triple the $2 million spent on Tom Hanks' Electric City. They
translated it into 10 different languages and it was released in 25 countries.
The producers hope to get 20 million hits over time, as this thing has a long
shelf life. It has not gone viral yet, but for techies like us it's fun to
watch, and you will recognize a lot of security terms that for a change are
correctly used. Must be that Symantec's malware warriors had a hand in the
script. I spent a pleasant Sunday morning watching this. Here are the trailer
and links to the episodes:
http://screen.yahoo.com/cybergeddon/
If This Is Your First Issue Of CyberheistNews...
CyberheistNews is written for IT professionals who need to protect their
networks from penetration by the bad guys. It's published once per week by KnowBe4, LLC,
which looks at IT security from the human side. We have partnered with
Kevin Mitnick to create next-gen Security Awareness Training combined with
regular simulated phishing attacks. In CyberheistNews we aim to help
you keep your network safe with hints, tips and relevant news so that you
know what is going on and can do something about it.
KnowBe4 lives 100% in the cloud; we use Salesforce as our CRM, and via
their Jigsaw service we licensed your address. Consider this your sample
issue. You can unsubscribe at any time (bottom-left), and you will stop receiving all
further email.
Fresh Twitter Attack
A few days ago I received this attack supposedly from a business
relation of 14 years that I know well. Typical social engineering attack and
exactly the thing we have been warning against for a few years now. Note that
the email address is spoofed as postmaster.twitter.com, and that they are
pulling an old trick about me being in a video that might be embarrassing.
Wrong mark, guys! Warn your users that Twitter accounts are being hacked
and used to send attacks. Here is the attack screenshot:
http://blog.knowbe4.com/fresh-twitter-attack/
Please Forward This Newsletter To Your Friends
There are 40,000 people getting CyberheistNews every week, but
we need to get the word out to many more, to protect everyone's
network. Please forward this newsletter to people you know who can
benefit. Here is the link to subscribe:
http://www.knowbe4.com/cyberheist-news/
Quotes of the Week
"The defender needs to be perfect all the time. The attacker only needs
to succeed once." - Securosis Blog
"Hence that general is skillful in attack whose opponent does not know what
to defend; and he is skillful in defense whose opponent does not know what
to attack." - Sun Tzu
Please tell your friends about CyberheistNews! They can subscribe here:
http://www.knowbe4.com/cyberheist-news/
Get Your Free Full Copy Of 4-Star E-book 'Cyberheist'
Ben Rothke, an IT security specialist and author, recently reviewed my book 'Cyberheist' and gave it 4 stars! He ended with:
At just under 200 pages, Cyberheist: The biggest financial threat facing American businesses since the meltdown of 2008 is not
the definitive text or the most comprehensive one on the topic. But for those looking for a brief and easy to read overview of the
topic, with a lot of real-world advice, Cyberheist makes for a good read.
Register Now For Your Free FULL Copy (instant PDF Download)
http://www.knowbe4.com/free-e-book/
DDoS Attacks Merely Precursors to Big Attacks
Ken Baylor from NSS Labs wrote an interesting article about
the recent attacks on the banks: "The DDoS attacks that are temporarily
wiping US banks off the Internet are very different than anything we
have seen before. Rather than being a temporary annoyance, they are
likely the precursor for much bigger things.
Last year's DDoS attacks emanated from so-called hacktivist groups
like LulzSec and Anonymous. These attacks were primarily targeting
banks' home pages and used basic tools such as the Low Orbit Ion
Cannon (LOIC). It was akin to attacking a heavily fortified building
(bank infrastructure) with foot soldiers. The attacks mostly failed, and
banks fortified themselves even further. For the hacktivists, the outcome
was much worse: LOIC identified the attackers' IP addresses and landed
many of them in trouble with law enforcement. The LulzSec leader, Sabu,
was an FBI informant and handed over hacktivist leaders to the FBI on
a plate. The attacks were a disaster.
This year's attacks, at first, sounded like more of the same. Operation
Ababil, led by the al-Qassam Cyber Fighters, seemed doomed from the start.
The tools to be used by Muslims outraged by the YouTube Innocence of
Muslims video included some new ones, including the High Orbit Ion
Cannon (HOIC) from Anonymous. The world prepared to yawn as this unknown
hacktivist group threw digital stones at some of the world's best-fortified
banks. Then something strange happened: David fired and Goliath went down.
Hard." Ken explains the how and why:
https://www.nsslabs.com/blog/ddos-attacks-merely-precursors-big-attacks?
Service Sells Access to Fortune 500 Firms
Brian Krebs reported: "An increasing number of services offered in the
cybercrime underground allow miscreants to purchase access to hacked
computers at specific organizations. For just a few dollars, these
services offer the ability to buy your way inside of Fortune 500 company
networks.
All of the machines for sale have been set up by their legitimate owners
to accept incoming connections via the Internet, using the Remote
Desktop Protocol (RDP), a service built into Microsoft Windows machines
that gives the user graphical access to the host PC's desktop." More:
http://krebsonsecurity.com/2012/10/service-sells-access-to-fortune-500-firms/
So if you use RDP in your own networks, it makes sense to look into this
and make sure that none of the credentials that can log on over RDP have been compromised.
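The practical follow-up to the Krebs item is to know which of your Windows hosts accept RDP, under what settings, and whether anyone is hammering them with guessed passwords. The script below is an added example written for this issue; it is not from the newsletter or from Krebs's post. It assumes it is run in an elevated PowerShell session on the host being checked, and the 24-hour window and the 20-failure threshold are assumed values to tune for your own environment.

```powershell
# Added example (not from the newsletter): audit one Windows host's RDP
# configuration and look for password-guessing against it. Run elevated.

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = "$ts\WinStations\RDP-Tcp"

# 1. Is inbound RDP enabled at all? (fDenyTSConnections = 0 means enabled)
$enabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0

# 2. Is Network Level Authentication required? (UserAuthentication = 1)
#    Without NLA an unauthenticated client reaches the full Windows logon screen.
$nla = (Get-ItemProperty -Path $rdp -Name UserAuthentication).UserAuthentication -eq 1

# 3. Which TCP port does RDP listen on? (default 3389)
$port = (Get-ItemProperty -Path $rdp -Name PortNumber).PortNumber

[pscustomobject]@{
    RdpEnabled  = $enabled
    NlaRequired = $nla
    Port        = $port
} | Format-List

# 4. Who is allowed to log on over RDP? Review every member; stale or
#    shared accounts here are exactly what gets sold on.
Write-Host "`nMembers of 'Remote Desktop Users':"
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Select-Object ObjectClass, Name, PrincipalSource

# 5. Failed logons in the last 24 hours (Security event 4625), grouped by
#    source IP. Logon type 10 is RemoteInteractive (RDP); with NLA enabled
#    the failure is usually recorded as type 3 (Network) instead, so both
#    are kept. Many failures from one source against many accounts is the
#    signature of password guessing or spraying against RDP.
$since = (Get-Date).AddHours(-24)   # assumed window
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Property positions in event 4625: 5 = TargetUserName,
        # 10 = LogonType, 19 = IpAddress
        [pscustomobject]@{
            Account   = $_.Properties[5].Value
            LogonType = [int]$_.Properties[10].Value
            SourceIp  = $_.Properties[19].Value
        }
    } | Where-Object { $_.LogonType -in 3, 10 }

Write-Host "`nFailed logons (types 3/10) since $since, by source IP:"
$failures | Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'DistinctAccounts'; e = { ($_.Group.Account | Sort-Object -Unique).Count } } |
    Format-Table -AutoSize

# 6. Flag sources over the (assumed) threshold for follow-up: block at the
#    firewall and reset any account that appears in their attempts.
$threshold = 20
$failures | Group-Object SourceIp | Where-Object { $_.Count -ge $threshold } |
    ForEach-Object { Write-Warning "$($_.Name): $($_.Count) failed RDP-related logons in 24h" }
```

The script only looks at the host itself; whether that port is actually reachable from the Internet is a question for your perimeter firewall rules or an external scan of your own address space. A host that shows RdpEnabled true, NlaRequired false and a long list of failed logons from a handful of addresses is the profile Krebs describes, and the accounts named in those attempts are the ones whose passwords should be reset first.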
Industrial Control Systems The Next Twin Towers?
Eugene Kaspersky a few days ago wrote a hair-raising blog post about the
reality of our Industrial Control Systems, which are way more vulnerable than
the network in your office. Industrial Control Systems (ICS) are the software
that controls our nuclear power stations, transportation control and, among
many others, oil refineries. He started out with a bit of background on
vulnerable industrial systems and my mouth fell open.
I'm quoting Kaspersky here: "Though industrial IT systems and, say, typical
office computer networks might seem similar in many ways, they are actually
completely different beasts, mostly in terms of their priorities between
security and usability. In your average company, one of the most important
things is confidentiality of data, and IT administrators are encouraged to
isolate infected systems from non-infected systems to that end, among others.
Thus, for example, if on the corporate file server a Trojan is detected,
the simplest thing to do is disconnect the infected system from the network
and then later start to tackle the problem.
In industrial systems that can't be done, since here the highest priority for
them is maintaining constant operation come hell or high water. Uninterrupted
continuity of production is of paramount importance at any industrial object
in the world; security is relegated to second place.
Another challenge to securing an always-on environment arises due to software
at an industrial/infrastructural installation only being updated after a
thorough check for fault-tolerance so as to make sure not to interrupt
the working processes. And because such a check requires loads of effort
(yet still doesn't provide a guarantee of non-failure) many companies often
simply don't bother to update ICS at all, leaving it unchanged for decades. (!)
(emphasis added)
Updating software might even be expressly forbidden by an
industrial/infrastructural organization's safety policy. Just recently I
read a nice piece about this, which listed 11 ICS security rules; rule #2
is 'Do not touch. Ever.' What more of an illustration do you need?!" [end quote]
The Shodan search engine screenshot above illustrates how many of these
ICS are spread all over the world: Shodan seeks out vulnerable industrial
systems (including SCADA) whose owners decided to connect them to, or forgot
to disconnect them from, the Internet.
Even if an ICS is disconnected from the Internet, it can still be penetrated
by social engineering, as was shown in the Stuxnet attack in Iran, where the
ICS of their nuclear enrichment facility was corrupted with a simple thumb drive
attack. All employees of these industrial facilities should be stepped through
some high-quality security awareness training.
It was one of the comments that caused me some thought and was the inspiration
for the title of this blog post. Prof. Larry Constantine remarked: "I was
talking with ICS security expert Ralph Langner yesterday. We agreed that
the biggest barriers to enhancing industrial cyber-security are not so much
technical (formidable though those may be) as financial. In the absence of
government mandates there are no economic incentives for operators to
improve ICS security. The large investment has no near-term payoff; it is
costly and it complicates already complex systems. Until the industrial
equivalent of the Twin Towers, we are not likely to see great strides forward
in terms of protecting critical infrastructure from cyber-attacks. Even then,
it would not be too surprising if most of the effort went into initiatives
analogous to airport security: showplace charades more about public reassurance
through the illusion of security than about the reality."
Click here for the full blog post with all links:
http://blog.knowbe4.com/industrial-control-systems-the-next-twin-towers/
Prevent Email Phishing
Want to stop phishing security breaches? Did you know that many of the
email addresses of your organization are exposed on the Internet and
easy to find for cybercriminals? With these addresses they can launch
spear-phishing attacks on your organization. This type of attack is
very hard to defend against, unless your users have been thoroughly
trained in security awareness. IT security specialists call it your phishing
attack surface: the more of your email addresses that are floating out
there, the bigger your attack footprint is, and the higher the risk is.
Find out now which of your email addresses are exposed with the free
Email Exposure Check (EEC). An example would be the email address and
password of one of your users on a crime site. Fill out the form and
we will email you back with the list of exposed addresses. The number
is usually higher than you think.
Sign Up For Your Free Email Exposure Check Now:
http://www.knowbe4.com/email-exposure-check/
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
This week's 3-minute virtual vacation: San Francisco's most iconic
landmarks with an extra: photoshopped empty of tourists and traffic!
http://www.flixxy.com/empty-san-francisco.htm
Explore a Google data center with Street View:
https://www.youtube.com/watch?feature=player_embedded&v=avP5d16wEp0
And here is a gallery with more data center goodness - LOL:
http://www.google.com/about/datacenters/gallery/#/all/18
The best skiers, surfers, divers, bikers, kayakers and pilots filmed
with the newly released GoPro Hero3 camera:
http://www.flixxy.com/the-best-of-gopro-hero3.htm
Here is a link to the T-Shirt: Social Engineering Specialist:
http://www.jinx.com/p/social_engineering_t_shirt.html?catid=
This up-tempo piece from the second Animusic DVD features a band of
five robots jamming on their futuristic instruments as their musical
starship cruises through outer space:
http://www.flixxy.com/animusic-starship-groove-1080p-hd.htm
Fantastical creatures from classic fairy tales come to life in this
magical piece that will get you in the mood for Halloween:
http://www.flixxy.com/the-green-ruby-pumpkin-halloween-short-film.htm?utm_source=4
From the kung-fu-bear to the marching geese and the dancing cows,
animals are awesome, too!:
http://www.flixxy.com/animals-are-awesome-too.htm
World Champion Of Magic For A Reason: Transparent Cups And Balls:
http://www.flixxy.com/world-champion-of-magic-transparent-cups-and-balls.htm?utm%2Bsource=fb
How To Pick Up A Girl At The Gym:
http://www.youtube.com/watch?v=xyXplN23ALM