CyberheistNews Vol 3, 25
Editor's Corner
Scam Of The Week: CIA Prism Watchlist
Just this morning, a researcher discovered an email uploaded to VirusTotal called CIA's_prism_Watchlist_.eml. The content refers to Snowden, and the attachment, called Monitored List1.doc, exploits a known vulnerability. This particular attack was focused on Tibetans in India, which means the Chinese are behind it, but this thing is going to spread far and wide. Warn your users that when they get emails with subjects like "You Are On The CIA Prism Watchlist", or that refer to CIA or NSA Prism lists they are on, they should delete the email and not open the attachment. There will also be variants without attachments that try to make people click on a link to an infected website. Since Prism has been all over the press recently, this is a prime social engineering tactic the bad guys use: manipulating people to avoid a negative consequence. This is only the first version of the email; it will have many similar iterations as long as Prism stays in the press. If you want to test your users with a very similar simulated phishing attack, use the one called "Video showing CIA searching your personal data" which you'll find in the 'current events' campaign.
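An added triage helper (not from the newsletter or KnowBe4) for mail admins who want to check an .eml against the lure above: it parses the message with Python's standard email library, lists attachments, and flags the Prism-watchlist subject paired with an Office attachment. The sample message is constructed to mimic the campaign; the keyword list and verdict labels are assumptions.

```python
import email
from email import policy

# Subject phrases and attachment types taken from the campaign described above
# (assumed keyword list; extend it as new variants appear).
LURE_KEYWORDS = ("prism watchlist", "cia prism", "nsa prism")
RISKY_EXTENSIONS = (".doc", ".docx", ".rtf")

# Constructed sample message modelled on the lure; not the real uploaded .eml.
SAMPLE_EML = """\
From: "Watchlist Notice" <notice@example.invalid>
To: user@example.invalid
Subject: You Are On The CIA Prism Watchlist
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See the attached list.
--b1
Content-Type: application/msword; name="Monitored List1.doc"
Content-Disposition: attachment; filename="Monitored List1.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""


def triage(raw: str) -> dict:
    """Parse raw .eml text and report whether it matches the Prism-watchlist lure."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").lower()
    # iter_attachments() yields only non-body MIME parts; empty for single-part mail.
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    subject_hit = any(k in subject for k in LURE_KEYWORDS)
    risky = [a for a in attachments if a.lower().endswith(RISKY_EXTENSIONS)]
    # Lure subject plus Office attachment -> quarantine; lure subject alone
    # (the link-only variants the text mentions) -> send for analyst review.
    if subject_hit and risky:
        verdict = "quarantine"
    elif subject_hit:
        verdict = "review"
    else:
        verdict = "pass"
    return {"subject_hit": subject_hit, "attachments": attachments,
            "risky_attachments": risky, "verdict": verdict}
```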
Kevin Mitnick And I Were on FOX TV Wednesday
We were both interviewed on FOX TV about how to fight hackers, and what hackers are after these days. You will see Kevin, me, the KnowBe4 office and some of the KnowBe4 team. It's less than 3 minutes so have fun! http://blog.knowbe4.com/bid/303980/Kevin-And-I-Were-on-FOX-TV-Wednesday
Your IT Pro Opinion On What The NSA Is Doing
IT system administrator Edward Snowden recently leaked word of the NSA's blanket surveillance programs; the "whistleblower" reportedly detailed the NSA's practice of secretly obtaining court orders to track telephone calls and emails. According to a new Washington Post survey, a majority of Americans agree with the NSA's security procedures. I had the suspicion that the general public does not understand the severity of the issue, so I conducted a survey of 1,300 IT pros, and the findings were dramatically different from the Washington Post's poll. The results of the Post survey show that most Americans back the NSA's secret tracking of phone records and online activity:
- 56% of Americans said the practice is "acceptable";
- 45% said the government should be allowed to go further than it already is;
- 45% said the government should be able to monitor "everyone's email and other online activities".
In direct contrast, our own survey (an exact mirror of the original survey by the Washington Post) displays the thoughts of IT professionals:
- 70% said the practice is "unacceptable";
- 63.7% said the government should not be allowed to intrude on personal privacy even if it limits the ability to investigate threats;
- 77.4% said the government should not be allowed to monitor the public's email and online activities.
Here is the full Press Release: http://newsle.com/article/0/79907151/
Quotes of the Week
"Myths which are believed in tend to become true." - George Orwell
"Myths are public dreams, dreams are private myths." - Joseph Campbell
Thanks for reading CyberheistNews! You can read CyberheistNews online at our Blog: http://blog.knowbe4.com/bid/300533/CyberheistNews-Vol-3-24
NEW: 'Attack' Your Own Users
Since the survey shows that users indeed are a pain in your neck, here is something you can do that is both useful and a bit of fun. Over here at KnowBe4, we call it the one-two punch.
ONE: We run the (free) Email Exposure Check for you. That gives you all the email addresses out there available on the Internet from your own domain. It's often surprising how many addresses can be found, and whose.
TWO: You create (again free) an account on our website, upload the addresses found in step ONE, and 5 minutes later they receive a simulated phishing attack! You will immediately know your phishing attack surface and the Phish-prone percentage of the highest-risk employees. Fabulous ammo to get more security budget, and fun to do!
Sign Up For Your Free Email Exposure Check To Start With: http://info.knowbe4.com/free-email-exposure-check-0-1-2-0-1-1-0-1
NEW: 10 IT Security Myths That Put You At Risk
Gartner Analyst Jay Heiser explained that in InfoSec, there are a lot of "misperceptions" and "exaggerations" about both the threats you face and the solutions you use to protect your networks. All this false data boils down to "security myths" which are widely known and regularly used to explain things. Here are the ten myths, and a link to Ellen Messmer's article in InfoWorld where each of them gets busted and/or the cure is provided. This is a good read!
Myth #1: "It won't happen to me"
Myth #2: "InfoSec budgets are 10 percent of IT spend"
Myth #3: "Security risks can be quantified"
Myth #4: "We have physical security (or SSL) so you know your data is safe"
Myth #5: "Password expiration and complexity reduces risk"
Myth #6: "Moving the CISO outside of IT will automatically ensure good security"
Myth #7: "Adhering to security practices is the CISO's problem"
Myth #8: "Buy this tool and it will solve all your problems"
Myth #9: "Let's get the policy in place and we are good to go"
Myth #10: "Encryption is the best way to keep your sensitive files safe"
NOT SO! Check out the answers at InfoWorld: http://www.infoworld.com/d/security/top-10-it-security-myths-putting-businesses-risk-220570
Data Breach Costs: 10 Ways You're Making It Worse
Inadequate response plans and poorly executed procedures caused data breach costs to rise significantly at some businesses, according to the Ponemon Institute. Mistakes, negligence and glitches are more likely to be responsible for computer-related security breaches than cyber attacks, according to a Symantec-sponsored Ponemon report released last week.
The research firm interviewed more than 1,400 individuals in 277 companies as part of its "2013 Cost of Data Breach Study: Global Analysis." The study, sponsored by Symantec, estimated the costs of data breaches in nine countries. The breach costs varied by region, but Ponemon Institute researchers found a number of common costly errors.
One short quote: "Building a sense of security into end users cannot happen with one-off training programs -- there needs to be a systematic and consistent security program over an extended period of time, according to the Ponemon Institute". Here is the slide show: http://www.crn.com/slide-shows/security/240156226/data-breach-costs-10-ways-youre-making-it-worse.htm?pgno=1
Success Story: Email Exposure Check
"I wanted to let you know that the service you all provide concerning how our email address is used out in the wild has paid off. The report you provided led us to find data concerning our company posted on a technical web site at one of our contractors. This was helpful in that we have requested our data be removed from that site by the contractor. We were in negotiations with them on a new contract and will ensure we cover this area in that contract. Thanks for the service." - G.S. CISSP IAM IEM IT Security Administrator Insurance Company
Today's Hidden IT Vulnerability: Deadly Social Engineering Vices
The Seven Deadly Social Engineering Vices (that drive support tickets through the roof) has been viewed well over 11,000 times and has gone viral. That's why we created a (much prettier) SlideShare version for you, which you can see here at their site: http://www.slideshare.net/StuSjouwerman/7-social-engineeringvices-23111743
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
Your Five Minute Virtual Vacation! Beautiful shots of the arches and red rocks in Utah and Arizona captured and uploaded in 4K resolution. The music and sights are just breathtaking: http://www.flixxy.com/utah-and-arizona-in-4k-ultra-hd.htm
The most splashing way to discover Amsterdam - with the amphibious bus 'The Floating Dutchman.' This is new and looks like a lot of fun!: http://www.flixxy.com/amsterdam-splash-bus-drives-into-canals.htm
Are you a sailor, pilot, do you like whitewater Kayak, or mountain climbing? This Breitling watch has you covered in an emergency: http://youtu.be/IwrAkNoNYbo
While we are looking at watches, here is what they call the world's smartest watch. It's called "Agent" and is a cool Kickstarter project: http://www.kickstarter.com/projects/secretlabs/agent-the-worlds-smartest-watch
A chipmunk will store over 6,000 acorns - but he needs to keep an eye out for pickpockets: http://www.flixxy.com/dont-mess-with-a-chipmunks-nuts.htm
Breathtaking crossbow performance by Ben Blaque at the French TV show "The World's Greatest Cabaret" hosted by Patrick Sebastien: http://www.flixxy.com/awesome-crossbows.htm
The Tesla Supercharger plan is pretty cool. A 200-mile charge in about 20 minutes. Not too shabby! Free long distance travel, forever! http://youtu.be/TszRyT8hjJE
A step-by-step guide on how to fold a shirt in under 2 seconds. WOW that is a great time saver: http://www.flixxy.com/how-to-fold-a-shirt-in-under-2-seconds.htm
A flying bicycle invented by three Czech companies successfully completed its first test flight, just like a Star Wars Jedi hover-bike: http://www.flixxy.com/flying-bicycle.htm
Check out the massive acceleration of these top-of-the line electric racing motorcycles at the recent Isle of Man championship: http://blog.motorcycle.com/2013/06/11/motorcycle-news/not-a-fan-of-electric-motorcycles-this-might-change-your-mind/
A network of balloons traveling on the edge of space, designed to connect people in rural and remote areas, help fill in coverage gaps and bring people back online after disasters. Looking for a Tech Support job with Challenges?: http://www.flixxy.com/balloon-powered-internet-access.htm