CyberheistNews Vol 3, 34
Editor's Corner
Are Your Email Addresses On A Russian Phishing Site?
We are finding many U.S. commercial email addresses at the Russian emailsworld-dot-boommer-dot-ru website. It is really a 'staging' area where the criminal underground posts harvested email addresses. The site runs on WordPress, and the cyber-mafia use bots to post the harvested addresses to it, which puts them on the public web. Sadly, Google indexes this site, which makes for easy searching. Unfortunately there is nothing you can do to get addresses taken down from this site, but you should be aware of what is out there. This is part of your cyber situational awareness, and most organizations have no good idea -where- they stand. The KnowBe4 Email Exposure Check (EEC) gives you a better understanding of your security posture with regard to email addresses exposed on the Internet. Call it your 'email attack surface'. The addresses on this Russian site are more commonly spear-phished. You can use the free EEC report to 'sinkhole' these addresses so that you can better tune your spam traps and monitor for email-based attacks. And obviously you need to give security awareness training specifically to the employees whose addresses are exposed. Sign up for a one-time free Email Exposure Check here: http://info.knowbe4.com/free-email-exposure-check-130820
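One way to put an exposure report to work, as an added example that is not KnowBe4's code or the EEC itself: treat the exposed addresses as a watch list and flag external mail sent to them, with a simple check for sender domains that merely contain your own domain name. The address list, domain and log lines are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample: addresses a hypothetical exposure report says are
# publicly posted. In practice this set comes from your own EEC-style report.
EXPOSED = {"cfo@example.com", "hr@example.com", "sales@example.com"}
OUR_DOMAIN = "example.com"

# Constructed inbound mail log lines (not real traffic): timestamp|from|to|subject
LOG_LINES = [
    "2013-08-20T09:01:12|newsletter@vendor.example|sales@example.com|August pricing",
    "2013-08-20T09:03:44|ceo.example.com@webmail.example|cfo@example.com|Urgent wire transfer",
    "2013-08-20T09:05:10|bob@example.com|hr@example.com|Timesheets",
    "2013-08-20T09:07:58|it-support@example.com.evil.example|hr@example.com|Password reset required",
    "2013-08-20T09:09:02|alice@partner.example|dev@example.com|Build logs",
]

LINE_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<from>[^|]+)\|(?P<to>[^|]+)\|(?P<subject>.*)$")

def parse_line(line):
    """Parse one pipe-delimited log line; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def flag_exposed(log_lines, exposed=EXPOSED, our_domain=OUR_DOMAIN):
    """Return alerts for external mail addressed to publicly exposed addresses.
    'lookalike' marks senders whose address contains our domain name while the
    real sending domain is something else, so those sort to the top of review."""
    alerts = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        to = rec["to"].lower()
        dom = sender_domain(rec["from"])
        if to not in exposed or dom == our_domain:
            continue  # internal mail, or recipient is not on the exposed list
        lookalike = our_domain in rec["from"].lower() and dom != our_domain
        alerts.append({"ts": rec["ts"], "to": to, "from": rec["from"],
                       "subject": rec["subject"], "lookalike": lookalike})
    return alerts

def per_recipient_counts(alerts):
    """Which exposed addresses draw the most external mail: where to focus training."""
    return Counter(a["to"] for a in alerts)

if __name__ == "__main__":
    found = flag_exposed(LOG_LINES)
    for a in found:
        print(a)
    print(per_recipient_counts(found))
```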
IT Security Is Broken Bad
With the TV show Breaking Bad in its last season, this seems to be a fun title. However, the topic is not all that much fun. You should realize it's not a question of -when- you will be compromised. It is a question of when you will -discover- you have been compromised. That means IT security is really about whether you can detect, respond to and quickly resolve compromises. It is actually a safe bet to assume that your network is already owned; you just don't know about it (yet). To protect your network against monitoring by either foreign attackers or rogue agencies in your own country, you are going to need a top-down security culture, and not rely on just your run-of-the-mill IT security hardware and software. For instance, you're going to have to have a serious look at wall-to-wall encryption. It is tough to get your wits wrapped around the fact that, highly likely, -each- of your IT security software and hardware appliances has dozens and possibly hundreds of vulnerabilities that -some- people know about and can exploit. All this means your C-level execs need to be aware of the risks, your whole defense-in-depth stack needs to be in place, and you also need to pay (a lot of) attention to Policy, Procedure and Awareness, which is the outer layer of defense-in-depth. Here is a 1-minute explanation: http://www.knowbe4.com/resources/defense-in-depth/ Being lax with the Policy and Procedure layer is what caused the NSA to get #snowdened. Going forward, being reasonably sure that your databases and intellectual property are not compromised means getting your IT security fundamentals in place and getting them -right-. We are soon releasing a 15-minute security awareness training for C-level execs and middle management about APTs and how they can protect themselves against this type of attack. It will help to make them aware of the need for a top-down security culture. Stay tuned!
Quotes of the Week
"Better to be despised for too anxious apprehensions than ruined by too confident a security." - John Bunyan
"Happiness is a perfume you cannot pour on others without getting a few drops on yourself." - Ralph Waldo Emerson
Thanks for reading CyberheistNews! But if you want to unsubscribe, you can do that right here
Whitepaper: Legal Compliance Through Security Awareness Training
This new whitepaper from Michael R. Overly shows you the common threads in compliance laws and regulations. Did you know that "CIA" means Confidentiality, Integrity, and Availability, and how lawmakers incorporated that language in infosec regulations?
Are you familiar with the concept of Acting “Reasonably” or taking “Appropriate” or “Necessary” measures? Find out how this can keep you from violating compliance laws or regulations.
Did you know you are supposed to "scale security measures to reflect the threat"? We have some examples from the Massachusetts Data Security Law and HIPAA to explain what is required. Download this new whitepaper here: http://info.knowbe4.com/whitepaper-overly-kb4-13-08-20
The Business Behind A Hacked Email Account
Most end-users have no clue why their email accounts are hacked consistently. It would be good to inform them about things like: "What is the commercial value of a hacked email account in the underground? How do cybercriminals use a compromised email account? Why do they have to hit me?"
Pierluigi Paganini on his securityaffairs blog wrote: "Brian Krebs has recently published a valuable post on the commercial value for a hacked email account. During one of my last TV shows the journalist asked me why hackers target email accounts of ordinary people, this post could help to understand how cybercrime monetizes a hacked email account."
"A hacked email account is very attractive for cyber espionage to gather information on other accounts directly connected; it could also be used for spamming malicious code or for fraud based on social engineering techniques. Some examples of pricing in the criminal underground:
- iTunes account for $8
- Continental.com and United.com accounts for $6
- Hosting provider Godaddy.com for $4
- ATT.com, Sprint.com, Verizonwireless.com, and TMobile.com for $4
- Facebook and Twitter for $2.50
The market for stolen credentials is very prolific; active accounts at dell.com, overstock.com, walmart.com, tesco.com, bestbuy.com and target.com are sold for $1 to $3 each." More: http://securityaffairs.co/wordpress/15205/cyber-crime/business-hacked-email-account.html
Spear-phishing Attackers Vandalize CNN, TIME and WashPost
You would think that by now journalists and people in media and advertising would be on the alert for social engineering red flags. But no. Syrian hacktivists sent a spear-phishing attack to all employees of a company called Outbrain, which caused some of those employees to give up their username and password. Outbrain provides content-recommendation widgets to newspapers; the widgets are embedded into media web pages and help Internet publishers boost traffic.
The hacktivists call themselves the Syrian Electronic Army (SEA) and are a hacker group supporting President al-Assad. They started their disruption campaign in mid-2011, and they run the gamut of DDoS attacks, spear-phishing, pro-Assad website vandalizing, and spamming anyone they believe to be hostile to the Syrian government.
SEA are especially known for spear-phishing attacks that attempt to compromise the Twitter accounts of media people, then use those hacked credentials to push pro-Assad propaganda. Recent victims include the Associated Press, BBC, the Daily Telegraph, the Financial Times, the Guardian, Human Rights Watch, National Public Radio, Thomson Reuters and others.
Providing employees of these organizations with effective security awareness training so that they can spot social engineering seems to be the logical thing to do. Why is this not happening?
Forbes: IT Security Industry To Expand Tenfold
Richard Stiennon, a Forbes contributor, makes a stunning prediction. He claims that most organizations have woefully underspent on IT security, and now that governments around the world have commandeered the Internet, effectively creating a surveillance state, the $60 billion IT security industry is going to explode. Why? Because organizations are going to spend to keep their networks and communications from being monitored.
He said: "Look at the numbers. The very best IT organizations report spending 6-8% of their budget on security. That is going to have to double in the short term to counter the threat of the surveillance state, just to account for the deployment and management of encryption everywhere. Telecom costs will rise dramatically to pay for the new infrastructure to obfuscate traffic. Those are the thought leading enterprises. All the rest have to play catch up. Gartner sizes the entire IT spend at $3.3 trillion and security infrastructure spending at $60 billion in 2012 with an 8.4% growth rate. In order to counter the surveillance state that growth rate will need to quadruple to 24%.
Extrapolated to ten years IT security spending will be $639 billion by 2023 – a tenfold increase." Here is a link to his post, a great article to send up the flagpole with a request for budget: http://www.forbes.com/sites/richardstiennon/2013/08/14/it-security-industry-to-expand-tenfold/
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
40 Maps That Will Help You Make Sense of the World. This is fascinating: http://twistedsifter.com/2013/08/maps-that-will-help-you-make-sense-of-the-world/
My business partner Kevin Mitnick's "lockpick business card" really works! VIDEO: http://www.youtube.com/watch?v=WzQY3KgOT8E&sns=em
What it would look like if other planets were at the same distance as our Moon: http://www.flixxy.com/if-other-planets-were-at-the-same-distance-as-our-moon.htm
A close encounter of Swedish and Norwegian navy patrol boat crews having some (risky) fun off the coast of Lebanon. Yowser: http://www.flixxy.com/swedish-navy-vs-norwegian-navy-off-the-coast-of-lebanon.htm
Toyota previews 400-hp Hybrid-R Concept ahead of Frankfurt Motor Show: http://www.gizmag.com/toyota-400-hp-hybrid-r-concept-frankfurt/28687/
Bad posture is a sneaky workplace risk. Learn some simple ways to stay healthy during your daily office life: http://www.flixxy.com/office-posture-matters-an-animated-guide.htm
This clever little dog in Kobe, Japan, throws his ball in upstream, and catches it downstream over and over and over! http://www.flixxy.com/little-dog-uses-river-to-play-fetch-by-himself.htm
A compilation of people all over the world helping animals in trouble: http://www.flixxy.com/people-saving-animals.htm
To end off, here is some pure car lust. The Pagani Huayra is the fastest street-legal car ever to go round the Top Gear Test Track, setting a time of 1 minute 13.8 seconds: http://www.flixxy.com/fire-fighting-airplane-cools-off-traffic-accident.htm