CyberheistNews Vol 3, # 41

Stu Sjouwerman's New Security Newsletter

Editor's Corner

Inside The Adobe Data Breach Disaster

Last week Adobe announced what is probably the worst news a tech company can deliver: both its source code and its customer data had been stolen. EPIC FAIL!

An excerpt from the email that was sent to customers: "We recently discovered that attackers illegally entered our network. The attackers may have obtained access to your Adobe ID and encrypted password. If you have placed an order with us, information such as your name, encrypted payment card number, and card expiration date also may have been accessed. Please visit to create a new password."

"We also recommend that you monitor your account for incidents of fraud and identity theft, including regularly reviewing your account statements and monitoring credit reports. If you discover any suspicious or unusual activity on your account or suspect identity theft or fraud, you should report it immediately to your bank. You will be receiving a letter from us shortly that provides more information on this matter."

Source code for ColdFusion, and possibly for its Acrobat family of products, was stolen. MAJOR OUCH. What adds insult to injury is that the theft was discovered not by Adobe but by investigative reporter Brian Krebs, working together with researcher Alex Holden of Hold Security. They found a veritable treasure trove of 40 GB of source code stashed on a server used by the same cyber mafia that hacked into LexisNexis, Dun & Bradstreet and Kroll. This must have been one sophisticated gang.

The attackers likely got in by exploiting some out-of-date software, potentially Adobe's own ColdFusion web servers. If you run ColdFusion, the safest thing to do is assume your website has been compromised: bring it to the current hotfix level, and fire up your detection and incident response procedures. The whole horror story is at Brian Krebs' site. Hope and pray this does not happen to you, and make sure you update your public-facing code religiously! More at:

And here is a comic that is highly ironic, since Adobe apparently failed to update its own software:

PS: Just for giggles, go to Google and type in: confidential "not for distribution" filetype:pdf. You will see how many documents marked confidential end up indexed on the public web anyway.

NEW BETA INVITATION: Online Compliance Manager

Are you dealing with the headache of managing (multiple) compliance requirements? Need to satisfy auditors that all controls are in place? Have to produce all the evidence regularly? It's a pain to keep all that in spreadsheets, especially if you need to comply with PCI and another regulation like HIPAA.

Well, check out what we have been working on for the last 18 months. It currently has the generic code name "OCM", for Online Compliance Manager. OCM effectively reduces the number of controls and requirements you need to satisfy, so you spend less time and money dealing with compliance. We are looking for BETA participants who will run OCM in-house and help us fine-tune the process. This page shows some of the features and has a form at the end you can fill out if you are interested in giving it a spin:

Quote of the Week

"Always bear in mind that your own resolution to succeed is more important than any other one thing." - Abraham Lincoln

"Success is how high you bounce when you hit bottom." - George Smith Patton

Thanks for reading CyberheistNews! Warm Regards, Stu Sjouwerman

Exactly -Which- Employees Are The "Weak Link" In Your IT Security?

Today, your employees are exposed to Advanced Persistent Threats. Trend Micro reported that 91% of successful data breaches started with a spear phishing attack. IT security specialists call this your 'phishing attack surface': the more of your email addresses are exposed on the Internet, the bigger your attack footprint and the higher the risk. Let's find out what yours is. How?

ONE: We run the (free) Email Exposure Check for you. That gives you all the email addresses from your own domain that are available out on the Internet. It's often surprising how many addresses can be found, and whose they are.

TWO: You create (again free) an account on our website, upload the addresses found in step ONE, and 5 minutes later they receive a simulated phishing attack! You will immediately know your phishing attack surface, your Phish-prone percentage and your highest risk employees. Fabulous ammo to get more security budget, fun to do and it takes less than 10 minutes. Let's Find Out!
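Here is an added example (not KnowBe4's tool or code) of the two measurements behind steps ONE and TWO: harvesting the addresses that belong to a domain from text you already have in hand, and turning the click results of simulated phishing sends into a Phish-prone percentage and a ranked list of the highest-risk users. The text sample, the domain example.com and the click results are all constructed for the illustration; a real exposure check would feed in search results, breach dumps and scraped pages instead.

```python
import re
from collections import Counter

# Constructed stand-in for what a web search for your domain turns up: a press
# page, a conference attendee list and a credential paste. Every name, address
# and domain below is made up for this example.
PUBLIC_TEXT = """
Press contact: Press Office <press@example.com>, phone on request.
Attendees: Alice Smith (alice.smith@example.com), Bob Jones <Bob.Jones@Example.com>.
Sales inquiries: sales@mail.example.com; partner program: partner@example-corp.com
Pasted credentials: bob.jones@example.com:hunter2, carol@example.com:letmein
Unrelated: dave@examplecorp.com, eve@gmail.com
"""

# Deliberately simple address pattern; good enough for harvesting from free text.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def exposed_addresses(text: str, domain: str) -> list[str]:
    """Unique, lower-cased addresses in `text` that belong to `domain` or one of
    its subdomains. Look-alike domains (example-corp.com, examplecorp.com) are
    not yours and are excluded, even though a naive substring match would keep them."""
    domain = domain.lower()
    found = set()
    for addr in EMAIL_RE.findall(text):
        local, _, host = addr.lower().rpartition("@")
        if host == domain or host.endswith("." + domain):
            found.add(f"{local}@{host}")
    return sorted(found)


# Constructed results of two simulated phishing sends to the harvested list:
# address -> True if that user clicked the link in the simulated phish.
CAMPAIGNS = [
    {"alice.smith@example.com": True, "bob.jones@example.com": True,
     "carol@example.com": False, "press@example.com": False,
     "sales@mail.example.com": False},
    {"alice.smith@example.com": False, "bob.jones@example.com": True,
     "carol@example.com": False, "press@example.com": False,
     "sales@mail.example.com": False},
]


def phish_prone(campaigns: list[dict[str, bool]]) -> tuple[float, list[tuple[str, int]]]:
    """Phish-prone percentage (clicks as a share of all simulated emails sent,
    rounded to one decimal) plus every recipient ranked by click count, so the
    highest-risk users come first. Ties are broken alphabetically."""
    sent = sum(len(c) for c in campaigns)
    if sent == 0:
        return 0.0, []
    clicks = Counter()
    for campaign in campaigns:
        for addr, clicked in campaign.items():
            clicks[addr] += int(clicked)   # non-clickers are kept with a count of 0
    ranked = sorted(clicks.items(), key=lambda kv: (-kv[1], kv[0]))
    pct = round(100.0 * sum(clicks.values()) / sent, 1)
    return pct, ranked


if __name__ == "__main__":
    targets = exposed_addresses(PUBLIC_TEXT, "example.com")
    print(f"{len(targets)} exposed addresses for example.com:")
    for t in targets:
        print("  ", t)
    pct, ranked = phish_prone(CAMPAIGNS)
    print(f"Phish-prone percentage: {pct}%")
    print("Highest-risk users:", ranked[:2])
```

The subdomain check matters in practice: sales@mail.example.com is one of your exposed addresses, while partner@example-corp.com and dave@examplecorp.com are not, and a plain "contains example.com" filter would get at least one of those wrong. Running several campaigns and ranking by total clicks, rather than reading a single send, is what separates a habitual clicker from someone who had one bad day.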


Want to Evade NSA Spying? Don’t Connect to the Internet

Bruce Schneier wrote a new article over at WIRED. It has a few very good technical hints and tips on how not to get hacked by the NSA, and more generally some excellent security measures you can apply. Here is how he started:

"Since I started working with Snowden’s documents, I have been using a number of tools to try to stay secure from the NSA. The advice I shared included using Tor, preferring certain cryptography over others, and using public-domain encryption wherever possible.

I also recommended using an air gap, which physically isolates a computer or local network of computers from the internet. (The name comes from the literal gap of air between the computer and the internet; the word predates wireless networks.) But this is more complicated than it sounds, and requires explanation.

Since we know that computers connected to the internet are vulnerable to outside hacking, an air gap should protect against those attacks. There are a lot of systems that use — or should use — air gaps: classified military networks, nuclear power plant controls, medical equipment, avionics, and so on. Osama Bin Laden used one. I hope human rights organizations in repressive countries are doing the same."

And here is his list of 10 things. I would look at it and apply some of them to the PC of the person who is your Controller or wears the CFO hat:


John McAfee On New Healthcare Websites: "This Is A Hacker’s Dream"

On Fox Business Network’s "Cavuto" on Wednesday, computer programmer and founder of McAfee, Inc. John McAfee said the online component of Obamacare "is a hacker’s wet dream" that will cause "the loss of income for the millions of Americans who are going to lose their identities."

For starters, McAfee said the way it is set up makes it possible for fake websites to be set up to fool people into thinking they're signing up for Obamacare.

"It's seriously bad," McAfee said. "Somebody made a grave error, not in designing the program but in simply implementing the web aspect of it. I mean, for example, anybody can put up a web page and claim to be a broker for this system. There is no central place where I can go and say, 'OK, here are all the legitimate brokers, the examiners for all of the states and pick and choose one.'" Video at:


More Likely to Fall for a Phishing Scam If You’re a Neurotic Woman?

Softpedia published an article I have a problem with. There is so much wrong with this that I don't even know where to start. They started out with:

"Researchers at the Polytechnic Institute of New York University (NYU-Poly) have conducted an experiment to determine if there is a link between an individual’s personality and the chances that they would fall victim to a phishing scam."

That is the first problem right there. Labeling people as having "different personalities" is fraught with ambiguity, because people change moods and perspectives all the time. Today I might feel great. Next week I might have a headache, the boss yelling, and other messes thrown at me. Is my "personality" going to determine if I am Phish-prone? I'm sure not. FAIL 1.

Next: "100 students from an undergraduate psychology class were selected and asked about their online habits and beliefs. They’ve been also asked to rate the likelihood of having their passwords stolen or other similar negative things that could happen to them online. In addition, they took a multidimensional personality assessment survey."

Only 100 test subjects? And all of them college students? That is not nearly a large enough number for a statistically significant sample, and far too homogeneous a group to draw valid results from and extrapolate as far as they did. FAIL 2.

"Once this phase of the experiment was over, they were sent phishing emails that promised them prizes in return for some personal information. The researchers made sure that the emails contained spelling and grammar errors, and other clues that can usually help users determine if an offer is legitimate or not. "

Offering "prizes" is only a very small part of the whole gamut of social engineering. Testing with prizes is like testing cats with a piece of raw chicken. A few may eat it but many others would sniff at it, wrinkle their nose and walk away. FAR from enough testing was done to draw any kind of conclusions about why people really fall for phishing scams. FAIL 3.

They went on with: "17% of the students fell for the scam. Interestingly, the group had considerable computer knowledge. Most of the victims were women. However, researchers have determined that women who, according to the personality assessment they took, were neurotic, were most likely to fall for the scam."

The real-world rate of employees who fall for a phishing email is between 20 and 30%. Hundreds of tests over hundreds of thousands of employees done at KnowBe4 show this to be a much more reliable number, and the clicks are evenly distributed between men and women. FAIL 4.
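To put a number on the sample-size objection (FAIL 2) and on the 20-30% baseline just cited, here is an added example, not from the study or from the Softpedia article: a Wilson score confidence interval for the study's 17 clicks out of 100, and the sample size it takes to pin a click rate down to within five points. The 20-30% comparison range and the five-point margin are assumptions chosen for the illustration.

```python
import math


def wilson_interval(clicked: int, sent: int, z: float = 1.96) -> tuple[float, float]:
    """95% Wilson score interval (z = 1.96) for a click rate of clicked/sent.
    Unlike the plain p +/- z*sqrt(p(1-p)/n) interval it stays inside [0, 1]
    and behaves sensibly for small samples and rates near zero."""
    if sent <= 0 or not 0 <= clicked <= sent:
        raise ValueError("need sent > 0 and 0 <= clicked <= sent")
    p = clicked / sent
    z2 = z * z
    denom = 1 + z2 / sent
    centre = (p + z2 / (2 * sent)) / denom
    half = z * math.sqrt(p * (1 - p) / sent + z2 / (4 * sent * sent)) / denom
    return centre - half, centre + half


def consistent_with(clicked: int, sent: int, low: float, high: float) -> bool:
    """True if the interval for the observed rate overlaps the baseline range
    [low, high], i.e. the sample does not contradict that baseline."""
    lo, hi = wilson_interval(clicked, sent)
    return lo <= high and hi >= low


def sample_size_for_margin(expected_rate: float, margin: float, z: float = 1.96) -> int:
    """Smallest sample that estimates a rate near expected_rate to within
    +/- margin at the given confidence (normal approximation, rounded up)."""
    if not 0 < expected_rate < 1 or margin <= 0:
        raise ValueError("need 0 < expected_rate < 1 and margin > 0")
    return math.ceil(z * z * expected_rate * (1 - expected_rate) / (margin * margin))


if __name__ == "__main__":
    # The study's headline figure: 17 of 100 students clicked.
    lo, hi = wilson_interval(17, 100)
    print(f"17/100 clicked: 95% interval {lo:.1%} to {hi:.1%}")
    # Assumed baseline for the comparison: the 20-30% range cited above.
    print("Compatible with a 20-30% baseline:", consistent_with(17, 100, 0.20, 0.30))
    # Assumed target: pin a rate near 25% down to +/- 5 points.
    print("Subjects needed for +/-5 points near 25%:", sample_size_for_margin(0.25, 0.05))
```

With 17 of 100 the 95% interval runs from roughly 11% to 26%, so the study's number is far too imprecise to say anything about a 20-30% baseline one way or the other, and the men-versus-women split rests on even smaller subgroups. Pinning a rate near 25% down to plus or minus five points takes about 290 subjects, which is why results from hundreds of thousands of employees carry more weight than a single class of 100.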

"The study hasn’t found any link between men’s personalities and their vulnerability to phishing attacks. Also, no correlation has been found between computer security knowledge levels and the likelihood of being phished."

That's because there IS no correlation between personality and being Phish-prone. And there is no correlation between computer security knowledge and Phish-prone percentage because the subjects were not trained effectively and then tested, tested, tested afterward. FAIL 5.

"These results tell us that personality characteristics may exert considerable influence when it comes to choices about online behavior, and that they may even override awareness of online threats," said James Lewis, instructor in the NYU-Poly Department of Science, Technology and Society.

Lewis added, “In the moment, it appears that computer users may be more focused on the possibility of winning a prize or the perceived benefits of sharing information on Facebook, and that these gains distract from potentially damaging outcomes.”

Those are completely unwarranted conclusions. It only shows that the subjects were not given sufficient and effective security awareness training. Here is an open challenge: give me these same 100 students. We will train them and send them simulated phishing attacks for a month. Then Lewis can send another one of his tests. NOT ONE of them will fall for a phishing attack after we train them! Full article here:


Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

Batman Tumbler: What It's Really Like To Drive, With Jay Leno:

James May (Top Gear) drives the new Range Rover at Nevada's Automotive Test Center for the ultimate challenge against an unmanned ground vehicle - the TerraMax:

Martial-arts master Genki Sudo and his band 'World Order' welcome us to the 2020 Summer Olympics with an amazing slow-mo choreography tour through Tokyo:

Tired of long walks from terminal to terminal? Here is some clever hand luggage that is designed to help you move effortlessly through airports:

Aidyn Israfilov and Gosha the monkey perform their amazing juggling act for the French television show 'The World's Greatest Cabaret':

Golfers at a course in Verbier, Switzerland have had an unusual interruption to their games:

What it was like to fly on the Concorde from New York to London in 3 hours and 15 minutes at twice the speed of sound. The good old days:
