CyberheistNews Vol 3, 46
Editor's Corner
Scam Of The Week: "Facebook Hottie"
The oldest trick in the world still works: the honeytrap. It's very well known in the spy business and has been used for centuries to social engineer people. Today it's even easier to trap people this way because you do not need a live, good-looking woman anymore. It's all done virtually. Here is a good example you can send to all employees, a real story about a government agency compromised by a fake Facebook hottie. Remind them that they need to THINK BEFORE THEY CLICK. This is the link to the ZDnet article: http://www.zdnet.com/government-agency-compromised-by-fake-facebook-hottie-7000022700/
Adobe Arrogance: Anatomy Of A Password Disaster
By now you all know that Adobe was completely owned and all their accounts were stolen by hackers. The total number of passwords they got away with has again increased. A huge dump of the offending customer database was recently published online, weighing in at 4GB compressed, or just a shade under 10GB uncompressed, listing not just 38 million breached records, but 150 million! Our friends at Sophos commented: "As breaches go, you may very well see this one in the book of Guinness World Records next year, which would make it astonishing enough on its own. But there's more. We used a sample of 1,000,000 items from the published dump to help you understand just how much more." The internal IT team at Adobe must have thought that they would never get hacked, and that they would be able to get away with a relatively simple form of encryption. They made the baffling mistake of not using any "salting" in their encryption process, so every user with the same password ends up with the same stored value. In short, these passwords are as easy to find as solving a crossword puzzle. This cartoon explains it in a very humorous way: http://xkcd.com/1286/ The moral of this story is to not fall into the same trap. Do not be arrogant and think the bad guys will never get in. Assume that your network will be (or has already been) breached, and do everything you can to be the hardest target possible. Learn from Adobe's mistakes, do not let this happen to you, and read the blog post at Sophos. Very instructive: http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/
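To make the "no salting" point concrete, here is an added example (written for this editorial, not code from the newsletter, from Sophos or from Adobe). The users, passwords and hints are constructed; the fixed site-wide key is a stand-in for any deterministic, unsalted password transform and is not a claim about Adobe's real scheme. It shows what a defender can read straight out of such a database before any cracking happens: users with identical stored values share a password, and their hints stack up as clues for one answer. The salted version with PBKDF2 shows the same users with no such grouping.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample records (user, password, password hint). Invented for
# illustration; nothing here comes from the Adobe dump.
USERS = [
    ("alice", "123456",   "just numbers"),
    ("bob",   "123456",   "the obvious one"),
    ("carol", "password", "the word itself"),
    ("dave",  "123456",   "1 through 6"),
    ("erin",  "letmein",  "open sesame"),
    ("frank", "password", "p-word"),
]

# A single site-wide key is the stand-in for "simple encryption without
# salting": the transform is deterministic, so every user with the same
# password gets the same stored value. The key is a constructed placeholder.
SITE_KEY = b"constructed-site-wide-key"


def store_unsalted(password: str) -> str:
    """The mistake: deterministic, keyed, no per-user salt."""
    return hmac.new(SITE_KEY, password.encode(), hashlib.sha256).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """The fix: a random per-user salt and a deliberately slow KDF (PBKDF2).
    Identical passwords now produce unrelated stored values."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest.hex()


def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(store_salted(password, salt)[1], stored)


def build_unsalted(users) -> Dict[str, str]:
    return {name: store_unsalted(pw) for name, pw, _ in users}


def build_salted(users) -> Dict[str, str]:
    return {name: store_salted(pw)[1] for name, pw, _ in users}


def duplicate_groups(stored: Dict[str, str]) -> List[List[str]]:
    """Users whose stored values are identical, i.e. who share a password.
    This is the signal an unsalted scheme leaks even before any cracking."""
    by_value = defaultdict(list)
    for user, value in stored.items():
        by_value[value].append(user)
    return sorted(sorted(g) for g in by_value.values() if len(g) > 1)


def hints_per_group(users, groups: List[List[str]]) -> List[List[str]]:
    """Collect the hints of every user in a group: several clues for one
    answer, which is why the newsletter compares this to a crossword."""
    hint_of = {name: hint for name, _, hint in users}
    return [[hint_of[u] for u in g] for g in groups]


if __name__ == "__main__":
    unsalted = build_unsalted(USERS)
    groups = duplicate_groups(unsalted)
    print("unsalted: shared-password groups ->", groups)
    print("unsalted: their hints ->", hints_per_group(USERS, groups))
    salted = build_salted(USERS)
    print("salted: shared-password groups ->", duplicate_groups(salted))
```

Run it and the unsalted store yields two groups, {alice, bob, dave} and {carol, frank}, with three and two hints each; the salted store yields none, because the random salt makes every stored value unique regardless of the password behind it. The per-user salt is what a password database audit should check for first.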
Quotes of the Week
"Confidence quickly curdles into arrogance; smarts turn to smugness, charm turns to smarm." - Jeffrey Kluger "Pretend inferiority and encourage his arrogance." - Sun Tzu Thanks for reading CyberheistNews! Please forward to your friends. But if you want to unsubscribe, you can do that right here
Your end-users are the weak link in your network security
Today, your employees are exposed to Advanced Persistent Threats. Trend Micro reported that 91% of successful data breaches started with a spear phishing attack. IT Security specialists call it your 'phishing attack surface'. The more email addresses that are exposed, the bigger your attack footprint is, and the higher the risk.
It's often a surprise how many of your email addresses can be found by the bad guys. Find out now which of your email addresses are exposed. The Email Exposure Check (EEC) is a one-time free service. We often show surprising results. An example would be the credentials of one of your users on a crime site. Fill out the form and we will email you back with the list of exposed addresses and where we found them.
Sign Up For Your Free Email Exposure Check Now: http://info.knowbe4.com/free-email-exposure-check-13-11-12
More Than Half Of Corporate Breaches Go Unreported
In a survey of 200 security professionals who deal with malware analysis for U.S. businesses, 57 percent revealed they investigated or addressed a data breach their company never disclosed.
The October study, “Malware Analysts Have the Tools to Defend Against Cyber-Attacks, But Challenges Remain,” was put out this Wednesday by cyber defense firm ThreatTrack Security and was conducted by research agency Opinion Matters.
“While it is discouraging that so many malware analysts are aware of data breaches that enterprises have not disclosed, it is no surprise that the breaches are occurring,” said Julian Waits, ThreatTrack CEO.
Waits is not shocked in part because almost half of the respondents reported not having enough highly skilled security staffers, and furthermore a lot of their time is spent cleaning up simple and easily avoidable infections stemming from higher-ups in the company.
Following malicious links in phishing emails, downloading malicious apps, sharing computers with family and visiting pornographic websites are just some of the reasons that executives are infecting their company's networks with malware.
“This study reveals that malware analysts are acutely aware of the threats they face, and while many of them report progress in their ability to combat cyber attacks, they also point out deficiencies in resources and tools,” Waits wrote.
The majority of analysts pointed to intricacies of the malware, the sheer amount of it and the futility of anti-malware solutions as the primary difficulties in defending corporate networks. Additionally, only a small percent reported having the ability to analyze new malware in less than a couple of hours. Story at SC Magazine: http://www.scmagazine.com//more-than-half-of-corporate-breaches-go-unreported-according-to-study/article/320252/
DHS Boss: "No Effective Warning System For Cyber Events"
Stephen Northcutt, highly respected cyber security expert and board member of SANS, commented on this and stated: "It freaks me out that the conversations that we were having in 1997 are still being repeated with the exact same words in 2013. Somehow, we need to move forward." And he is so right!
According to an October 24 report from the US Department of Homeland Security (DHS) Office of the Inspector General (OIG), the US government lacks a digital warning system for cyber incidents; there is no means of sharing alerts about computer breaches between agencies or with private industry. There is a system to distribute event reports and another for distributing response information, but the two are not connected. The IG's report makes seven recommendations, including acquiring or developing tools and technologies that can link situational awareness products to cyber incidents. Here is a summary at the Nextgov site: http://www.nextgov.com/cybersecurity/2013/11/ig-government-has-no-digital-cyber-warning-system/73199/?oref=ng-channelriver
And this is a link to the PDF itself: http://www.oig.dhs.gov/assets/Mgmt/2014/OIG_14-02_Oct13.pdf
SC Magazine Readers Trust Awards Finalists Announced
Once a year, SC Magazine polls its readers for Readers Trust finalists and asks them for a vote for ultimate winners in a series of major security product and service categories. It is always interesting to see which vendors float up into these polls, because it's a combination of marketing, product quality and support excellence. If you are looking for security tools, this page should be in your bookmarks because your shortlists are all right here: http://www.scmagazine.com//2014-sc-awards-us-finalists/section/3694/
New November Issue Of OUCH!
Lance Spitzner, Training Director, SANS Securing The Human Program wrote: "We are excited to announce the November issue of OUCH! This month, led by Guest Editor Lenny Zeltser, we cover how to shop online securely.
With the big shopping holidays coming up for many of you, we felt this would be a good time to remind families and friends about shopping online securely. As always, we encourage you to download and share OUCH! with others.
English Version (PDF) http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201311_en.pdf
English Version (.epub -- tablets only) http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201311_eneb.epub
In addition, we have a new video of the month: Encryption. Encryption is often emphasized as one of the key methods to secure data, yet many people do not understand what it is or how it works. This video explains encryption using simple and easy to understand terms." Adobe, you should have a look too: http://www.securingthehuman.org/resources/ncsam
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
Jokke Sommer and friends fly like birds between the mountains, meadows and trees of Hintisberg, Switzerland. Looks like an incredible adrenaline rush. Also looks pretty deadly when you screw it up. LOL: http://www.flixxy.com/proximity-flying-in-switzerland.htm
One of the top magicians in Australia, James Galea made his US television debut with some unbelievable magic. You have GOT to see this one, twice!: http://www.flixxy.com/australian-magician-james-galeas-unbelievable-trick.htm
The band 'Walk Off The Earth' turns a VW Beetle into a percussion instrument for their new song 'Gang of Rhythm.' This one is going viral: http://www.flixxy.com/band-turns-beetle-convertible-into-percussion-section.htm
The Writer, a 240-year-old automaton in the form of a boy created by Swiss clockmaker Pierre Jaquet-Droz in 1774, has about 6,000 parts, is programmable and is a distant ancestor of the modern programmable computer. Unbelievable: http://www.flixxy.com/the-writer-automaton-by-pierre-jaquet-droz-1774.htm
What is innovation? This is a very well made 2:30 min video that applies to IT very nicely. Fun to watch: http://vimeo.com/77911159
A huge remote-controlled Concorde plane flown during the R/C Air Show 2012 in Ohlsdorf, Austria. Wow: http://www.flixxy.com/huge-concorde-rc-plane-powered-by-two-turbines.htm
World's first 3D printed metal gun blows through 50 rounds: http://www.pcworld.com/article/2062246/worlds-first-3d-printed-metal-gun-blows-through-50-rounds.html