CyberheistNews Vol 3, # 47

Editor's Corner


Edward Snowden Used Social Engineering To Hack NSA

Ex-NSA contractor Edward Snowden used user names and passwords that colleagues at a spy base in Hawaii gave him to access some of the classified material he exfiltrated. Around 20-25 agency employees who gave their login details to Snowden were tracked down, questioned and taken off the job, said a source close to several U.S. government investigations into the damage caused by the leaks.

Snowden social-engineered these people by telling them he needed their logins to do his job as a computer systems administrator. It is highly surprising that people -within- the NSA would fall for a basic hacker trick like this.

That Snowden was able to do this shows the NSA's policies and procedures were inadequate, and the result was the worst breach of classified data in the super-secret eavesdropping agency's 61-year history. Snowden worked at the Hawaii site last spring, and during that time he accessed and downloaded tens of thousands of secret NSA documents.

The employees clearly broke basic security rules by handing Snowden their passwords, and it is equally clear that even in highly secure environments people want to help each other and are eager to please co-workers, and that is what causes breaches like this. A systems administrator never needs a user's password to do his job; he has his own privileged account for that, so any such request is by definition a red flag. This is something that can easily be prevented with security awareness training, which must have been sorely lacking at the NSA.

Embarrassing, to say the very least. My partner Kevin Mitnick tweeted: "I guess NSA employees need some training too. LOL!" Here's the new 2014 Kevin Mitnick Security Awareness Training course:
http://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/

Test Your Users With Philippines Typhoon Haiyan

The international aid effort in parts of the Philippines devastated by Typhoon Haiyan is starting to have a major impact, with tens of thousands of victims receiving supplies. Haiyan, which hit eight days ago, has killed more than 3,600 people and left about half a million homeless.

We have a new template that thanks people for their Red Cross donation of $400.00 to the Philippines Disaster Fund. Test your users with this new Phishing Security Test, which you will find in the Current Events Templates group in your KnowBe4 Admin Console. Remember that yesterday's solutions are no match for today's attacks; you need to train your users and keep them on their toes constantly.

These are the Top 5 "best" performing templates. This is an opportunity to compare your employees' scores with the average. Across hundreds of thousands of templates sent, these notorious five are the ones people fall for the most (percentage of recipients who fell for each):

1) LinkedIn Inmail = 19.9%
2) IT Password = 18.8%
3) Amazon = 13.7%
4) UPS = 11.2%
5) FedEx = 9.0%

Quotes of the Week

"It is proverbial that generals always prepare for the last war..." - James A. Field, Jr.

"In a battle all you need to make you fight is a little hot blood and the knowledge that it's more dangerous to lose than to win." - George Bernard Shaw

Thanks for reading CyberheistNews! Warm Regards, Stu Sjouwerman | Email me: feedback@knowbe4.com

Can Phishing Attacks Spoof Your Domain? Find Out Now:

91% of successful data breaches began with a “spear-phishing” email, research from security software firm Trend Micro shows. Are -you- vulnerable? Find out now whether your email server is configured correctly; many are not!

KnowBe4 offers you a free 'Domain Spoof Test', which shows whether outsiders can send you an email that appears to come from someone within your own domain. It's quick, easy and often a shocking discovery. All we do is send one email from the outside directly to you, with the sender spoofed as someone in your own domain.

Can hackers send all your employees an email 'from your CEO'? Find out now:
http://info.knowbe4.com/domainspooftest-13-09-10-0
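The test above settles the question by actually sending a spoofed message. A practitioner can also read the answer off the domain's own DNS policy. What follows is an added example, not the KnowBe4 Domain Spoof Test or any KnowBe4 code: a Python checker that takes the SPF and DMARC TXT records you have already looked up (for instance with `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`; the newsletter itself does not mention SPF or DMARC, that is the editor's addition) and reports whether an outsider's mail with a forged From: in your domain is told to be rejected. The domain names and records in it are constructed for illustration.

```python
"""Offline evaluation of a domain's published SPF and DMARC records.
Added example, not KnowBe4's Domain Spoof Test. Paste in the TXT records
you looked up yourself; the domains and records below are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SpoofAssessment:
    domain: str
    spf_all: Optional[str] = None       # qualifier on the SPF "all" term; None = no SPF
    dmarc_policy: Optional[str] = None  # "none" / "quarantine" / "reject"; None = no DMARC
    dmarc_pct: int = 100
    findings: List[str] = field(default_factory=list)

    @property
    def spoofable(self) -> bool:
        """An outsider can put this domain in the From: header and expect delivery
        unless DMARC tells receivers to quarantine or reject it for 100% of mail.
        SPF alone only covers the envelope sender, not the visible From: header."""
        return not (self.dmarc_policy in ("quarantine", "reject") and self.dmarc_pct == 100)


def parse_spf(txt_records: List[str]) -> Tuple[Optional[str], List[str]]:
    """Return (qualifier of 'all', findings). '-' fail, '~' softfail, '?' neutral,
    '+' pass. RFC 7208 allows one SPF record per domain and stops at the first 'all'."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return None, ["no SPF record: receivers cannot tell which hosts may send for this domain"]
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records: receivers return permerror and ignore SPF")
    qualifier = None
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([-~+?]?)all", term, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"   # a bare 'all' means '+all'
            break
    if qualifier is None:
        qualifier = "?"
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif qualifier == "+":
        findings.append("'+all' authorizes every host on the Internet to send as this domain")
    elif qualifier == "~":
        findings.append("'~all' softfail: most receivers still deliver the message")
    return qualifier, findings


def parse_dmarc(txt_records: List[str]) -> Tuple[Optional[str], int, List[str]]:
    """Return (policy, pct, findings) from the TXT records at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not recs:
        return None, 100, ["no DMARC record: a forged header From: is never checked"]
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p")
    findings = []
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC record has no valid p= tag, so receivers ignore it")
        policy = None
    elif policy == "none":
        findings.append("DMARC p=none: monitoring only, nothing is blocked")
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if pct < 100:
        findings.append(f"DMARC pct={pct}: the policy is applied to only {pct}% of mail")
    return policy, pct, findings


def assess(domain: str, domain_txt: List[str], dmarc_txt: List[str]) -> SpoofAssessment:
    """Combine the SPF and DMARC checks into one verdict for the domain."""
    spf_all, spf_findings = parse_spf(domain_txt)
    policy, pct, dmarc_findings = parse_dmarc(dmarc_txt)
    return SpoofAssessment(domain, spf_all, policy, pct, spf_findings + dmarc_findings)


# Constructed records for three hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "weak.example":    (["v=spf1 include:_spf.mailhost.example ~all"], []),
    "strong.example":  (["v=spf1 ip4:203.0.113.0/24 -all"],
                        ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"]),
    "partial.example": (["v=spf1 mx -all", "v=spf1 a -all"],
                        ["v=DMARC1; p=quarantine; pct=10"]),
}

if __name__ == "__main__":
    for name, (txt, dmarc) in SAMPLE_RECORDS.items():
        result = assess(name, txt, dmarc)
        print(f"{name}: {'SPOOFABLE' if result.spoofable else 'protected'}")
        for line in result.findings:
            print("  -", line)
```

Note the verdict hinges on DMARC, not on SPF: a domain with a strict `-all` but no DMARC record still lets an attacker pass SPF with their own envelope sender while showing your CEO's address in the From: header, which is exactly what the spoof test exercises.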


Hackers Steal 'Full Credit Card Details' Of 376,000 People

OK, here is a lesson to be learned. The Register reported a recent cyberheist in Ireland. Read the following 5 paragraphs and note the epic security fail...

A hack attack against an Irish loyalty program firm, Loyaltybuild, has led to the theft of the full credit card details of at least 376,000 consumers, says the country's data protection watchdog.

According to the results of a preliminary investigation by the Office of the Data Protection Commissioner (ODPC), credit card and - contrary to all payment storage rules - CVV details were held unencrypted on Loyaltybuild's systems in the run-up to attacks in the middle of October.

CVV - Card Verification Value - numbers are the three-digit security code found on the back of a credit or debit card, used to prove that a customer making an online purchase has physical possession of the card. They are an important anti-fraud measure.

The ODPC said it had also found that the personal details of a further one million people had been swiped. It is not known why the loyalty card scheme was retaining customers' credit card payment data.

The inspection team confirmed the extent of the breach in which the full card details of over 376,000 customers were taken, of which over 70,000 were Supervalu Getaway customers and over 8,000 were AXA Leisure Break customers. The details of an additional 150,000 clients were potentially compromised. The inspection team also confirmed that name, address, phone number and email address of 1.12 million clients were also taken. The initial indications are that these breaches were an external criminal act.

Unencrypted CVV details? Oh boy. Double check your own procedures, and those of your vendors. The breach hit Loyaltybuild, but it also hit the data of the companies that outsourced their loyalty programs to Loyaltybuild. The PCI standards are there for a reason! PCI DSS does not merely require the CVV to be encrypted; it forbids storing it at all once the transaction has been authorized, because the code exists precisely to prove possession of the physical card. More:
http://www.theregister.co.uk/2013/11/14/irish_loyalty_card_breach/
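"Double check your own procedures" starts with knowing where card data actually sits in your own and your vendors' systems. The following is an added example, not code from Loyaltybuild, the ODPC or The Register: a Python scanner that runs over a database export or log, keeps only the digit runs that pass the Luhn check card numbers must satisfy, and flags any CVV-sized value stored next to a card number on the same line. The CSV sample in it is constructed, using well-known test card numbers rather than real ones.

```python
"""Scan an export, log or dump for stored card numbers and adjacent CVVs.
Added example (not Loyaltybuild's, the ODPC's or The Register's code); the
sample export below is constructed. Luhn validation filters most random digit
runs, but long phone numbers or IDs still pass it about one time in ten, so
treat hits as leads to verify, not proof."""
import re
from typing import Dict, List

# 13-19 digits, optionally separated by single spaces or dashes, not inside a longer run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# a standalone 3- or 4-digit token, the length of a CVV/CVC
CVV_RE = re.compile(r"(?<!\d)\d{3,4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check used by payment card numbers: from the right, double every
    second digit, subtract 9 from doubles above 9, and require sum % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS permits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> List[Dict]:
    """Return one finding per Luhn-valid card number, noting whether a CVV-sized
    token follows it on the same line (heuristic: a 4-digit year after the PAN
    would also trigger it, so review hits by hand)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_ok(digits):
                continue
            rest = line[m.end():]
            findings.append({
                "line": lineno,
                "pan_masked": mask_pan(digits),
                "cvv_stored": CVV_RE.search(rest) is not None,
            })
    return findings


# Constructed CSV export: two Luhn-valid test card numbers, one tokenized
# value (how stored card references should look), and one digit run that
# fails Luhn and must not be reported.
CONSTRUCTED_EXPORT = """\
id,name,card,expiry,cvv
1,Alice Example,4111 1111 1111 1111,12/15,123
2,Bob Example,5500000000000004,01/16,
3,Carol Example,tok_8f3a9c2d,09/16,
4,Dan Example,1234567890123456,03/17,999
"""

if __name__ == "__main__":
    for hit in scan_text(CONSTRUCTED_EXPORT):
        flag = "PAN + CVV stored" if hit["cvv_stored"] else "PAN stored"
        print(f"line {hit['line']}: {hit['pan_masked']}  {flag}")
```

Point `scan_text` at a database export, mail spool or application log; a hit with `cvv_stored` set is exactly the condition the ODPC found at Loyaltybuild. Since PCI DSS prohibits retaining the CVV after authorization at all, the fix for such a hit is deletion and a code change, not encryption.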


10 Mistakes Companies Make After A Data Breach

In a recent presentation for The International Association of Privacy Professionals (IAPP) Privacy Academy, Michael Bruemmer of Experian Data Breach Resolution outlined some the common mistakes his firm has seen as organizations deal with the aftermath of a breach.

 

The aftermath of a data breach, such as the one recently experienced by Adobe, can be chaotic if not dealt with properly. The result of such poor handling could see organizations facing a hit to reputation, or worse, financial and legal problems. Read on for advice on what NOT to do in the event that your organization is hit. Slideshow at CSO:
http://www.csoonline.com/slideshow/detail/128442/10-mistakes-companies-make-after-a-data-breach?


Kaspersky: Stuxnet Infected Russian Nuclear Plant

Eugene Kaspersky, CEO of the Russian anti-virus company Kaspersky, claimed during an interview at Australia's National Press Club last week that, apart from the Iranian Natanz facility, Stuxnet had also infected the IT network of a Russian nuclear plant. Yikes.

Ed Skoudis, co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, and a member of the Editorial Board of SANS NewsBites, said: "A few years ago, Marcus Sachs mentioned to me an intriguing idea. He said, someday, it is possible that pretty much every system will have some malware on it, just as our bodies are chock full of viruses and bacteria.

"But, our bodies handle it OK as long as the infection doesn't get out of hand and cause damage. The notion was that it will be impossible to be 100% clean, but you can in fact still be operational if you have good defenses (like the body's immune system). I didn't like hearing what he had to say then, as it sounded defeatist. But, stories like this remind me of that view of the future and make me wonder if we are heading there."

Well, I have two comments regarding this. One is that evolution took its sweet old time to build biological resistance and immunity. Compared to the human body, the Internet has existed for about a minute and its complexity is that of a single-cell organism. Second, it would be a disaster if all servers and workstations on the Internet were infected. There are ways to prevent that from happening; Application Control (aka whitelisting) is a good example. More about Kaspersky at:
http://www.scmagazine.com//eugene-kaspersky-stuxnet-struck-russian-nuclear-plant/article/320454/


Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

Awesome people doing the most breathtaking and amazing things. November 2013:
http://www.flixxy.com/people-are-awesome-november-2013.htm

An incredible, never been done before stunt by Jean-Claude Van Damme (53) with two massive Volvo trucks going backwards. Filmed in one take:
http://www.flixxy.com/jean-claude-van-damme-and-2-volvo-trucks-epic-split.htm

Meet The 10 fastest supercomputers on Earth. Slideshow at Network World:
http://www.networkworld.com/slideshow/128969/the-10-fastest-supercomputers-on-earth.html?

Street-legal Batmobile replica up for auction. Just 145K, I want one. Video:
http://www.gizmag.com/batmobile-auction/29786/

Michael Schlemmer impresses with his super sized remote-controlled Airbus A380 at a model airshow in Switzerland. Wow:
http://www.flixxy.com/huge-remote-controlled-airbus-a380.htm

Jumpy the Border Collie knows a lot of cool tricks. This dawg is awesome:
http://www.flixxy.com/jumpy-the-dog.htm

I bet you don't know what the inside of a birdhouse looks like. Watch this funny TV spot from the UK to find out:
http://www.flixxy.com/inside-a-birdhouse.htm

 