Knowbe4 - CyberheistNews Vol 3, #14


Stu Sjouwerman's New Security Newsletter

Editor's Corner


Scam Of The Week: Bogus Wedding Invitations

Yup, you gotta admit it, the bad guys -are- inventive! Getting a wedding invitation from someone you know and not clicking on it is hard to do! Bogus wedding invites are the latest spam and phishing trend, but also 'deja vu'. Our friends down the street (literally) at ThreatTrack Security warned everyone about this a few days ago.

Their researchers in the AV Labs captured a malicious spam appearing to be a wedding invitation purportedly from White Wedding Agency, a business entity in Prague. So warn your users: if they get an email with the message body "You are Cordially Invited to Celebrate the Our Wedding" (note the grammar error), delete that email and don't save the date. More detail here:

Security Awareness Training Controversy

A post on the Slashdot site summarizes the controversy: "Security guru Bruce Schneier contends that money spent on user awareness training could be better spent and that the real failings lie in security design: 'The whole concept of security awareness training demonstrates how the computer industry has failed. We should be designing systems that won't let users choose lousy passwords and don't care what links a user clicks on,' Schneier writes in a blog post on Dark Reading. He says organizations should invest in security training for developers."

A storm of posts ensued, with all either arguing for or against. My take on this: "This is an artificially created problem, because it's not an either/or issue. It's 'do both' until the systems are highly secure. The problem is that the attacker is human, and so is the target. Until we can afford artificial intelligence systems like IBM's Watson to correctly identify spear-phishing attacks, we'd better give end-users security awareness training as a critical security layer in our defense-in-depth model." Here is a link to my Press Release with much more ammo about this:

Quotes of the Week

"Education is the most powerful weapon which you can use to change the world." - Nelson Mandela

"The only person who is educated is the one who has learned how to learn and change." - Carl Rogers

Please tell your friends about CyberheistNews! They can subscribe here:

You can read this newsletter online at the KnowBe4 Blog:

Thanks for reading CyberheistNews! Warm Regards, Stu Sjouwerman | Email me:

Stop Phishing Security Breaches

Your end-users are the weak link in your network security. Today, your employees are frequently exposed to advanced phishing attacks, and over 90% of data breaches start with a phishing attack.

IT Security specialists call it your 'phishing attack surface'. The more email addresses that are exposed, the bigger your attack footprint is, and the higher the risk. It's often a surprise how many of your addresses are actually out there, and whose they are.

Find out now which of your email addresses are exposed. The Email Exposure Check (EEC) is a one-time free service. KnowBe4 customers with a Gold package get an EEC sent to them regularly so they can address the issues that are found. An example would be the email address and password of one of your users on a crime site. Fill out the form and we will email you back with the list of exposed addresses. The number is usually higher than you think.

Sign Up For Your Free Email Exposure Check Now:


Your Social Network Profiles Are Like Catnip To Cyber Crooks

Dan Tynan interviewed me at the site. He wrote a great article on March 28 and started off with:

"Could you say no to pictures of adorable kittens? Apparently, you’re not alone. Nearly half of all people who receive an email containing an image of a cute cat will automatically open it, according to security training firm PhishMe. But behind those fallacious felines lies danger – or at least, the potential for it.

The Wall Street Journal’s Geoffrey A. Fowler has a fascinating story today about how companies are using faux phishing attacks – including links to bogus cat videos -- to teach employees how to handle real ones. Per Fowler:

Many big network breaches begin not with brainy hacker code but with workers who are tricked by so-called social engineering, which manipulates people into revealing sensitive information. So companies are trying to get workers to act badly before the bad guys do.

Interestingly, last week I interviewed the CEO of a company that does just that. Stu Sjouwerman is CEO of KnowBe4, which trains employees at mostly small and medium size businesses to detect cyber attacks before they do any damage. Sjouwerman knows of what he speaks; he’s a founder of security software firm Sunbelt Software (now called ThreatTrack Security)." More:


81% of IT Managers Believe Employees Willfully Ignore Security Rules

Lieberman Software's 2013 Information Security Survey reports the attitudes and opinions of IT security professionals regarding the behaviors of end-users, the state of unauthorized privileged access, and the likelihood of their own organizations withstanding data breaches. Highlights include:

- 81.4% of IT security staff think that staff tend to ignore the rules that IT departments put in place.

- 75.8% of IT personnel think that employees in their organization have access to information that they don't necessarily need to perform their jobs.

- 73.3% of respondents would not bet $100 of their own money that their company won't suffer a data breach in the next six months.

- 64.7% of respondents think that they have more access to sensitive information than colleagues in other departments.

- 54.7% of those respondents did not report their colleagues who accessed that information.

- 52.2% of the same respondents believe that staff would not listen more even if IT directives came from executive management, rather than IT.

- 38.3% of IT security personnel have witnessed a colleague access company information that he or she should not have access to.

- 32.3% of IT security professionals work in organizations that do not have a policy to change default passwords when deploying new hardware, applications and network appliances to the network.

The full report is available at Lieberman's website:


The IRS' Dirty Dozen Tax-Fraud Scams

It's Tax Time! April is here, and that can only mean one thing for folks in the United States: It is tax season. And for thieves, con men and tax evaders alike, it's high time for tax fraud. In an effort to curb some of this criminal activity, the Internal Revenue Service (IRS) this week released its list of the Dirty Dozen Tax Scams for 2013.

This annual list includes scams that can affect American taxpayers, and the IRS as well, at any time of year, but that seem to grow more prevalent during tax filing season, and of course phishing is at the top. If you are a KnowBe4 customer, this is the time to send one of the templates you have in the Government Campaign. Go to your console, choose Create New Campaign, under Templates choose Government, and pull down "Your Tax Return Was Accepted By The IRS". Click the Create Campaign button and 'Voila': all your users receive it in a few minutes. Here is the link to the IRS Dirty Dozen:


Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

Worldometers - real-time world statistics. It is fascinating to see these numbers; you should really check this out for a moment, for instance 'Computers sold this year':

Can you figure out how he does it? It is based on a phenomenon known in mathematics as the 'missing square puzzle'. Fascinating:

This short film was voted #1 for the special award at the Cannes 2008 Film Festival. With a stroke of the pen, a stranger transforms the afternoon for another man. Talk about the power of communication. Take these 4 minutes:

Google's famous follies: 10 favorite April Fools’ gags and Easter Eggs:

And here are Yesterday's Google April Fools Gags:

Weber Sportcars Faster One: Swiss supercar eats Bugatti Veyron's lunch:

How 7 strange tech terms got their names:

Retronaut - Control Room of the Synchrophasotron, c. 1975. This was a synchrotron-based particle accelerator for protons at the Joint Institute for Nuclear Research in Dubna that was operational from 1957 to 2003:

The Mystery of the 'Prince Rupert's Drop'. See glass explode at 130,000 fps:

The most epic R/C crash ever caught on camera at the Santa Clara County Model Aircraft Sky Park in Morgan Hill, California:

Professional SNOWMOBILE champion Daniel Bodin jumps 220 ft (67 meters) off a ski jump in Örnsköldsvik, Sweden:

Somersby Cider pokes fun at Apple by reminding us that their product is also completely wireless, easy to download, and works in direct sunlight:

Top 10 hacking failures in movies:
