CyberheistNews Vol 3, # 29

Editor's Corner

Scam Of The Week: Mugshot Removal

There is a new racket going on, and there are two very different variations to be aware of. The first is a growing number of websites that scrape existing, real mugshots out of public databases and then contact the people pictured.

Arrestees pay sometimes hundreds of dollars to remove their mugs from general search engines because they feel embarrassed or threatened that their friends and/or employers will find out. Sites like this are being sued for extortion in a lawsuit testing the bounds of the First Amendment, but in the meantime there are victims. An example is over at:
www.mugshots.com

The second flavor is even more evil, and it's a heads-up about the social engineering scams people can expect in their inbox. In this attack, people who were never arrested in the first place are targeted with an email claiming their mugshot is easy to find on the Internet, and if they want to see this embarrassing picture, "Click Here Now". The link leads them to a legitimate site that has been compromised and infects their PC with a drive-by attack, laying down a Trojan on the hard disk and turning the PC into a zombie. A textbook example of social engineering using the "prevent a negative consequence" trick.

Warn your users to "Think Before They Click" and delete any email that mentions mugshots of anyone: themselves, friends, family or co-workers!

Quotes of the Week

"It is said that no one truly knows a nation until one has been inside its jails. A nation should not be judged by how it treats its highest citizens, but its lowest ones." - Nelson Mandela

"I was kind of excited to go to jail for the first time and I learnt some great dialogue." - Quentin Tarantino


Thanks for reading CyberheistNews! Warm Regards, Stu Sjouwerman | Email me: feedback@knowbe4.com

Organizations have five ways to do Security Awareness Training:

1: "Do Nothing" and count on users to not click on phishing links. A surprising 25% of organizations still rely on this tactic.

2: "The Break Room": herd all users into the break room once a year with donuts and coffee and give them a death-by-PowerPoint session. Rinse and repeat after 12 months.

3: "The Monthly Security Video", where users are given short videos that each cover a topic related to keeping the network and organization safe and secure.

4: "The Phishing Test", where a (usually internal) team selects a group of users and sends them a simulated phishing attack. Employees who fail are asked to do a short remedial training.

5: "The Human Firewall": pre-test all users to find out your organization's Phish-prone percentage, then train all employees to resist the important attack vectors, and then keep sending simulated phishing attacks to all users year-round. Fully automated, super simple, very little time required.

Find out now how affordable Option 5 really is. Get a Quote for your organization now:
http://www.knowbe4.com/get-a-quote-kmsat/

In His Own Words: Confessions Of A Cyber Warrior

Roger Grimes, in his InfoWorld Security Adviser column, reported on an interview with an old friend of his who is now part of a team of (hear this) 5,000 U.S. Cyber Warriors. Very interesting to read!
http://www.infoworld.com/d/security/in-his-own-words-confessions-of-cyber-warrior-222266?page=0,0&source=IFWNLE_nlt_blogs_2013-07-09

7 Reasons For Security Awareness Failure

Ira Winkler and Samantha Manke just wrote a great article at the CSO site about why security awareness programs fail. They started out with: "There is a great dichotomy in Security Awareness. Just about all of the CSOs we talk to believe that one of their top priorities is to improve their organization's security culture — in other words, the behavior of their users. Similarly, we see article after article and study after study talking about how humans are the primary attack vector for advanced attacks.

Some studies indicate that human exploitation is the key enabler in as many as 90 percent of attacks. Buzzphrases, such as protecting and attacking "Layer 8" have emerged.

Yet we periodically see the media entertain notions that challenge the value of security awareness. While there are notable security awareness failings, awareness, like all security efforts, is about risk mitigation not complete prevention and needs to be implemented properly."

The Seven Awareness Failures are:

1) Not understanding what security awareness really is
2) Reliance on "checking the box"
3) Failing to acknowledge that awareness is a unique discipline
4) Lack of engaging and appropriate materials
5) Not collecting metrics
6) Unreasonable expectations
7) Relying upon a single training exercise

Their conclusions: "Most security awareness programs are doomed from the start, but it doesn't have to be that way. You can implement the successful habits that we previously identified, but you first have to remove any impediments to success. By setting the proper foundation, you will be able to implement a program that has a true return on investment and mitigates what is described as the top vulnerability exploited by advanced attacks."

Here at KnowBe4, we could not agree more! So read their article and learn about the awareness-program pitfalls that might trap you:
http://www.csoonline.com/article/736159/7-reasons-for-security-awareness-failure?

Social Engineering Plagues Bank Call Centers

Tim Wilson over at DarkReading wrote: "A caller phones the customer service center at a regional bank and gives just enough information to authenticate himself as a customer. Then he starts asking the service representative for information he's "forgotten" -- and he keeps dialing the call center until he's got enough information to open a new account somewhere else.

"This form of telephone-based social engineering -- an emerging type of phone fraud -- is becoming a popular method for attackers to collect the information they need to steal identities and commit new account fraud, according to a report by the Aite Group, a research firm that focuses on the financial services industry."

Banks and credit unions are where these things start first, because that is where the money is, but you can expect this to happen in your own call center as well. It's a really good idea to have every employee working in your call center trained in security awareness:
http://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/

Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

The French Aerobatic Team flies in formation with an A320 Airbus in celebration of Air France's 60th Birthday. Gorgeous ballet high in the sky:
http://www.flixxy.com/french-aerobatic-team-escorts-air-france-a320-airbus.htm

From the weird Japanese Video Department. Exoskeleton presented by a guy who looks like a zombie, with a schoolgirl running the thing:
http://www.gizmag.com/power-jacket-mk3-jumps-off-the-pages-of-comic-books-into-real-life/28189/

"Drone-It-Yourself". This kit lets you make a drone of just about anything. Cool:
http://vimeo.com/jasperl/diy

Coming soon! 10 tech blockbuster movies (just waiting to be made). There are a few good (fun) ones in there!
http://www.infoworld.com/slideshow/109902/coming-soon-10-tech-blockbuster-movies-222478

The X-47B Unmanned Combat Air System demonstrator put another page in the history books on Wednesday with its first unmanned arrested-wire carrier landing. (In other words, drone lands on aircraft carrier):
http://www.youtube.com/watch?feature=player_embedded&v=cPaH8CCtRVU#action=share

SpaceX continues to push the boundaries of vertical rocket take-off and landing:
http://www.flixxy.com/aerial-view-of-space-x-grasshopper-rocket-take-off-and-landing.htm

The Russians have just discovered what we knew 40 years ago. If you need to remove rust from your car’s bumper, don’t buy expensive cleaners – use Coca-Cola instead:
http://www.flixxy.com/coca-cola-rust-removal.htm

Yasha and Daniela have been dancing together since they were three years old!
http://www.flixxy.com/yasha-and-daniela-amazing-kid-dancers-americas-got-talent.htm

Norway's finest package is the one that means a lot to the person receiving it. Check out this cute ad:
http://www.flixxy.com/norways-finest-package.htm

We (even cats) could learn a lot from dogs - to them life is amazing:
http://www.flixxy.com/be-more-dog.htm

Guess what the Russian Secret Service is using to make sure they are not being spied on? Yup. Old-fashioned typewriters! LOL
http://www.focus.de/politik/ausland/schutz-vor-spionage-russischer-geheimdienst-setzt-auf-schreibmaschinen-_aid_1041494.html

DARPA has revealed the completed ATLAS humanoid robot, which is to star in the upcoming DARPA Robotics Challenge. Terminator, here we come:
http://www.youtube.com/watch?v=zkBnFPBV3f0&feature=player_embedded#action=share

On June 13th, 2013, the AeroVelo Atlas Human-Powered Helicopter captured the long standing AHS Sikorsky Prize with a flight lasting 64.1 seconds and reaching an altitude of 3.3 metres:
http://www.flixxy.com/muscle-powered-helicopter.htm
