CyberheistNews Vol 3, # 40

Stu Sjouwerman's New Security Newsletter


Editor's Corner


Scam Of The Week: Affordable Health Care "Advisers"

Today, Tuesday, October 1, 2013, the first stage of the new health care act kicks in: you can start shopping for policies on the new insurance "marketplaces". There is going to be an enormous amount of confusion about this law, starting with whether you even need to buy a new policy. The federal government's official website is the best place to start, but the bad guys have already figured out dozens of ways to scam people.

Variations on a Scheme

Bad guys are now sending spam and phishing emails with subjects like "We can get you a great deal right now" or "We can help you get signed up." Others use the social engineering tactic 'prevent a negative consequence' to coerce an employee into giving out personal information or even sending money, with subjects like "You are going to get in trouble if you don't sign up" or "You will get fined by the Federal Government if you don't comply." There are even scams built around a (non-existent) 'New Health ID Card' or 'Discount Cards'.

One example: a scammer calls, or sends a phishing email, claiming to act on behalf of Medicare, and asks for your Social Security number, driver's license number, bank account number or credit card information for your new "National Insurance Card."

Tell your employees to delete any email on this subject, and to hang up if they get a live cold call or a robo-call promoting a toll-free hotline that promises to sign them up right now. If a caller asks for a wire transfer over the phone, hang up immediately. Those are all Red Flags, and these new marketplaces and exchanges are a hotbed for scams. It would not surprise me if completely fake health care exchange websites were promoted in the coming days. Stay safe out there and STOP - LOOK - THINK before you click!
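Hovering over a link to see where it really goes is the manual version of a check you can automate. The script below is an added example written for this issue; it is not part of the original newsletter and not KnowBe4 code. It parses the links in a constructed HTML email and flags three of the red flags discussed above: a displayed URL whose domain differs from the real target, a target that merely contains the trusted domain as a lookalike prefix, and a target that is a raw IP address. The trusted domain insurer.example, the sample message and all the .example hostnames are assumptions made up for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML email body (assumption: made up, not a real message).
SAMPLE_EMAIL = """
<p>Open enrollment starts today. Sign up now:</p>
<a href="http://insurer.example.enroll-today.example/login">https://www.insurer.example/signup</a><br>
<a href="https://www.insurer.example/plans">Compare plans</a><br>
<a href="http://203.0.113.7/verify">Verify your National Insurance Card</a>
"""

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collect (displayed text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Lowercase host of a URL; bare 'www.x.y' display text is accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable(host):
    """Naive registrable domain: the last two labels (no public-suffix list here)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def looks_like_url(text):
    return "://" in text or text.lower().startswith("www.")


def check_links(html, trusted_domain):
    """Return [(href, (reason, ...)), ...] for every link that trips a red flag."""
    collector = LinkCollector()
    collector.feed(html)
    trusted = trusted_domain.lower()
    findings = []
    for text, href in collector.links:
        target = host_of(href)
        reasons = []
        # Red flag 1: the link shows one address but points somewhere else.
        if looks_like_url(text) and registrable(host_of(text)) != registrable(target):
            reasons.append("display/target mismatch")
        # Red flag 2: the trusted name appears in the host but is not the
        # registrable domain (e.g. insurer.example.enroll-today.example).
        if trusted in target and registrable(target) != trusted:
            reasons.append("lookalike")
        # Red flag 3: a raw IP address instead of a hostname.
        if IPV4_RE.fullmatch(target):
            reasons.append("raw IP target")
        if reasons:
            findings.append((href, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL, "insurer.example"):
        print(f"{href}: {', '.join(reasons)}")
```

The registrable-domain helper deliberately compares the last two labels only, which is good enough for .com-style names but wrong for suffixes like .co.uk; a production version would use the public suffix list. Note that the honest "Compare plans" link is not flagged, because its text is not a URL and its host's registrable domain is the trusted one.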

Your Employees' Identity Has Been Stolen

There is an expression that there are two kinds of companies: the ones that know they have been hacked and the ones that don't. It's safe to assume your network has already been compromised, which means you really need to focus on Incident Response skills like detection and remediation.

The same is true of your employees. They really are the weak link, and that link was substantially weakened by news that came out this week: the major data brokers LexisNexis, Dun & Bradstreet and Kroll had been owned by the bad guys for a (very) long time.

Stealing a few hundred million records once you have pwned the network is not all that hard. So here is the bad news: it is highly likely that your own identity and all your employees' identities have already been compromised; the bad guys just have not gotten around to using them yet.

The upshot? Highly personalized spear-phishing attacks that use very personal data to make the victim click on a link. Think of an email that appears to come from the correct health insurer, offering a special low-cost health plan for people with more than three kids, sent to someone who has four children. Hard not to click on.

You REALLY need to get in front of your employees and impress upon them that they need to STOP - LOOK - THINK before they click, at the office but also at home. The article is at Brian Krebs's site. Excellent ammo for your awareness program:

October: National Cyber Security Awareness Month

The yearly national Cyber Security Awareness month is a great opportunity to engage your users to participate in a safe, secure, and resilient cyber environment. Everyone has their role to play in cybersecurity. Cybercrime moves at lightning speed and we all need to keep up.

Cyberspace is woven into the fabric of our daily lives and the world is more interconnected today than ever before. We enjoy the benefits and convenience that cyberspace provides as we shop from home online, bank using our smart phones, and interact with friends from around the world through social networks. The Department of Homeland Security is committed to raising cybersecurity awareness across the nation and to working across all levels of government, the private sector, and internationally to protect against and respond to cyber incidents.

Through a series of events and initiatives across the country, National Cyber Security Awareness Month engages public and private sector partners to raise awareness and educate Americans about cybersecurity, and increase the resiliency of the Nation and its cyber infrastructure.

For its 10th anniversary, National Cyber Security Awareness Month dedicates each week to a different cybersecurity issue. Here they are:

Quote of the Week

"Whether you call it Buddhism or another religion, self-discipline, that's important. Self-discipline with awareness of consequences." - Dalai Lama

"What is necessary to change a person is to change his awareness of himself." - Abraham Maslow

Note: Links are no longer redirected. You can now hover the links and see exactly where they go.

Thanks for reading CyberheistNews! Please forward to your friends. But if you want to unsubscribe, you can do that right here.

Warm Regards, Stu Sjouwerman | Email me:

Exactly -Which- Employees Are The "Weak Link" In Your IT Security?

Today, your employees are exposed to Advanced Persistent Threats. Trend Micro reported that 91% of successful data breaches started with a spear phishing attack. IT security specialists call this your 'phishing attack surface': the more of your email addresses that are exposed on the Internet, the bigger your attack footprint and the higher the risk. Let's find out how big yours is. How?

ONE: We run the (free) Email Exposure Check for you. That gives you all the email addresses from your own domain that are available on the Internet. It's often surprising how many addresses can be found, and whose.

TWO: You create (again free) an account on our website, upload the addresses found in step ONE, and 5 minutes later they receive a simulated phishing attack. You will immediately know your phishing attack surface, your Phish-prone percentage and your highest-risk employees. Fabulous ammo to get more security budget, fun to do, and it takes less than 10 minutes. Let's Find Out!
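For readers who want to see the mechanics behind step ONE and step TWO, here is an added Python example written for this issue. It is not KnowBe4's Email Exposure Check and not its phishing-simulation code. It harvests addresses for one domain from a few constructed text snippets, undoing the common '[at]' and '(dot)' obfuscations first, and then computes a phish-prone percentage and a highest-risk list from constructed simulated-campaign results. The documents, the domain example.com and the click results are assumptions made up for illustration.

```python
import re

# Constructed sample "public" documents: a web page, a conference programme,
# a support page, a board listing (assumption: made up, not real harvested data).
DOCUMENTS = [
    "Contact: Jane Doe <jane.doe@example.com>, press enquiries: PRESS@Example.com",
    "Speakers: bob.smith [at] example [dot] com and ann@partner.example",
    "Support: mailto:ops@example.com?subject=help (also reachable as jane.doe@example.com.)",
    "Board: carol (at) example (dot) com; lists: noreply@other.example",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
OBFUSCATED_AT = re.compile(r"\s*[\[(]\s*at\s*[\])]\s*", re.IGNORECASE)
OBFUSCATED_DOT = re.compile(r"\s*[\[(]\s*dot\s*[\])]\s*", re.IGNORECASE)


def deobfuscate(text):
    """Undo the common '[at]' / '(dot)' spellings so the regex can see the address."""
    return OBFUSCATED_DOT.sub(".", OBFUSCATED_AT.sub("@", text))


def harvest(documents, domain):
    """Sorted, de-duplicated, lowercase addresses under `domain` or its subdomains."""
    domain = domain.lower()
    found = set()
    for doc in documents:
        for addr in EMAIL_RE.findall(deobfuscate(doc)):
            addr = addr.lower()
            host = addr.rpartition("@")[2]
            # Keep only our own domain; partners' addresses are not our attack surface.
            if host == domain or host.endswith("." + domain):
                found.add(addr)
    return sorted(found)


def phish_prone_percentage(results):
    """results maps address -> True if that user clicked the simulated phish."""
    if not results:
        return 0.0
    clicked = sum(1 for did_click in results.values() if did_click)
    return round(100.0 * clicked / len(results), 1)


def highest_risk(results):
    """Addresses that clicked, i.e. the people to put first in training."""
    return sorted(addr for addr, did_click in results.items() if did_click)


if __name__ == "__main__":
    exposed = harvest(DOCUMENTS, "example.com")
    print(f"{len(exposed)} exposed addresses:", exposed)
    # Constructed outcome of a simulated campaign against the exposed addresses
    # (assumption: ops@ and press@ clicked, the others did not).
    campaign = {addr: addr.startswith(("ops@", "press@")) for addr in exposed}
    print("Phish-prone percentage:", phish_prone_percentage(campaign))
    print("Highest-risk users:", highest_risk(campaign))
```

Two details matter in practice: addresses are normalised to lowercase before de-duplication, otherwise PRESS@Example.com and press@example.com count twice, and the domain filter accepts subdomains but rejects hosts that merely begin with your domain, so y@example.com.evil.example is not counted as yours.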


NEW Kevin Mitnick VIDEO: The Word Document Exploit

Check out a brand new 3:25 min Kevin Mitnick video where he shows live how an infected Word document allows a hacker to steal the employee's user name and password. This is just one of the videos in the new Kevin Mitnick Security Awareness Training 2014 that KnowBe4 is releasing at the moment.


7 Service Requests That Make IT Support Folks Cry

"Every day, in organizations around the globe, the IT team supports requests that range from common usage requirements to the downright bizarre. When you work in IT, you move from putting out one fire to the next. But sometimes, those requests and emergencies just make one want to scream. CSO reached out to a few sources for stories about support incidents that made security managers and IT folks cry." Interesting stories in this slide show at CSO:


Spear Phishing Poses Threat To Industrial Control Systems

Hackers don't need Stuxnet or Flame to turn off a city's lights, say security experts. Good old targeted spear phishing does the job: get engineers to click on links that infect their workstations. Tyler Klinger, a researcher with Critical Intelligence, recalled an experiment he conducted with several companies on engineers and others with access to Supervisory Control and Data Acquisition (SCADA) systems, in which a whopping 26 percent of the spear phishing attacks were successful. Full article:


The New PCI Standard V3: How To Align Your Security Program

In August 2013, the PCI Security Standards Council published a heads-up about the new Version 3.0 and what is going to change. The new standard will be published in November 2013 and introduces more change than version 2.0 did; version 2.0 will remain in effect until the end of December 2014.

What drove the change from V2 to V3?

The PCI Standards are updated based on feedback from the industry, per the standards development lifecycle as well as in response to current market needs. Areas that were a challenge for everyone are:

- Lack of education and awareness
- Weak passwords, authentication
- Third-party security challenges
- Slow self-detection, malware
- Inconsistency in assessments

To quote the report: "Lack of education and awareness around payment security and poor implementation and maintenance of the PCI Standards leads to many of the security breaches happening today". One piece of this puzzle of course is security awareness training.

Other pieces are training people to change default passwords, to use strong passwords for authentication, and to protect their credentials. I recommend you have a look at this document; it's just 9 pages and gives you a good overview:


Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

SUPER FAVE. Five different Ferrari Formula One cars (from 1952 to 2003) take to the streets of Rome, New York, Rio de Janeiro, Hong Kong and Monaco in a Shell ad with brilliant positioning:

Amazing mind reader reveals his gift. It's a known one but still very good!

Is this Hilarious Car Accident Voicemail Real? If not, it's still a good laugh!

This SonicWall Phishing IQ test is a nice resource to send to users:

A 1920s vintage Dodge Brothers sedan drives down muddy roads and across muddy fields to get to the gushing oil well. Advertising The Old Way:

Mercedes 'Magic Body Control' scans the road 50 feet forward of the car and adapts the suspension to the road conditions ahead:

Bill Gates on Control-Alt-Delete: "Eh, it was a mistake.":

From the Weird Japanese Department: U.S. Celebrities in Japanese Commercials Compilation:
