CyberheistNews Vol 3, # 50

CyberheistNews Vol 3, # 50
Stu Sjouwerman's New Security Newsletter Don't miss the Fave Links! Case Studies Resources About Us Contact Us
Facebook LinkedIn Blog Twitter YouTube YouTube

CyberheistNews Vol 3, 50

Editor's Corner


10 Fun Short IT Horror Stories

Here are 10 predictions for 2014, all cyber attacks using social engineering to penetrate the network. Have fun reading, and I will try to report back in 12 months which ones came out as real.

---1) The Registry Hack ---

A mid-size Credit Union's controller shares on Facebook that she is expecting a baby. She has a detailed profile on LinkedIn, and also creates a baby registry at Amazon. She receives an email from Amazon's marketing department that they want to interview her about the registry and that she can choose one of her registry items for free. She clicks on the link. Her workstation gets infected with a Trojan and the bad guys transfer $495,000 to the Ukraine over a long weekend.

---2) Legal File Corruption ---

In-house counsel of a large defense contractor, working long days on a corruption lawsuit against a former VP Sales works closely with their outside attorneys when the case comes to trial. She receives an email from her counterpart who complains the email server of his office is down and if she can email him the case file immediately as he's on his way to court. The file is used by the competition to steal away a large deal.

---3) PCI Compliance Failure ---

A system administrator gets an email from their credit card merchant account processor that his company has failed their PCI compliance and that their card processing will be shut down in 24 hours unless he immediately reports on the recent vulnerability scan what was done. A link is provided to confirm which patches have been applied. The system admin clicks and his workstation gets infected with a zero-day exploit that gives the bad guys the keys to the kingdom: admin credentials!

---4) Underperformance Review ---

Dozens of employees in a healthcare company get an email from their CEO who is asking to participate in an anonymous "How Are We Doing?" survey. The CEO explicitly asks for feedback on herself, and also if the employee please rate the performance of their direct supervisor. 65% of the employees click on the link and all of their workstations get infected causing the IT team four days of twenty-hour frantic wipe & rebuild time.

---5) iPhone Pwned ---

A CEO of a non-profit shares on LinkedIn he really likes the new iPhone with fingerprint recognition. A few weeks later he gets a text message from Apple that there is an important update of the fingerprint software, and that he should do that as soon as possible. It will require a reboot of his phone though. He complies right away, but what gets installed is mobile malware that steals the credentials of his office VPN. Bad guys add phantom employees to their payroll and they lose $15,000 to money mules in Direct Deposit the next Friday.

---6) Celebrity Trap ---

The VP Sales of a large online ticket reservation site gets an email from the lead singer of his favorite band, inviting him to meet & greet backstage after the coming gig they have in his town. He's all excited and clicks on the link. That one click is enough to let the bad guys in, and exfiltrate their database with 275,000 full customer credit card transactions. Cha-Ching!

---7) Credit Card Security Con ---

The wife of a mid-size bank's President gets a phone call from their credit card company. The rep explains they are offering a new security service, to make sure their account is resistant against cyber attacks. This service will send a text to her phone if there is a fraudulent charge, so she can tap "no" on the phone if she wants to dispute the charge. The rep asks her to type a domain name in her browser so she can get her cell phone subscribed to the new service. The domain is malicious and drops a Trojan on her PC which allows the bad guys to take over the home network, and infect the laptop of her husband who plugs it in the bank's network during the week. The bank itself gets penetrated that way, and $2 Million gets transferred to Russia out of the bank's customer accounts.

---8) Broken Cloud ---

A few years ago, Chinese government-sponsored hackers opened a front office in the US and carefully developed it into a well-funded, up & coming cloud consultancy firm. They keep working at it, impressing cloud providers with whitepapers showing their in-depth knowledge of cloud security. They even hire unwitting US employees that have security clearance. Finally they get invited by Amazon for a possible contracting job. They get access to the premises, are invited for a tour of the data center and manage to plug a small device in the ethernet jack of a conference room phone for a few seconds. That allows them to subtly sabotage that data center and write another whitepaper describing the specific problem. Next, they sit back and wait until they are called. Finally the call comes, they move in to "assist" and obtain full ownership of the cloud.

---9) PDF Deception ---

The CIO of a large insurance company gets a call from an attractive sounding recruiter, stating that he's been selected for an interview to discuss a CEO position at an online competitor. He has not heard of the recruiting firm but checks out the rep on LinkedIn. It all seems legit and she's a looker. As part of the procedure, the CIO gets a PDF with a description of the company that is interested in him. The PDF does not open up for some reason and he closes the reader. He retries but the PDF fails again. You guessed it. There was a Trojan inside and his workstation is pnwed, allowing very valuable confidential information to be exfiltrated.

---10 Top Dog Social Engineer ---

A man crafts a new web portal and establishes trust with new users, helping them to get ahead socially by sharing personal and work details, habits, and preferences. He collects all of this data, allows targeted advertising, and even goes public. It's unbelievable that he gets away with this when identity theft has become rampant and not giving out personal information is top priority. In case you did not guess, the Top Dog social engineer is Mark Zuckerberg, founder and CEO of Facebook. A billion people fell for his ruse. Remember, if you don't -pay- for the product you -are- the product.

Quotes of the Week

"There will come a time when it isn't 'They're spying on me through my phone' anymore. Eventually, it will be 'My phone is spying on me'." - Philip K. Dick

"If a dictator ever took over, the NSA 'could enable [him] to impose total tyranny, and there would be no way to fight back.'" (1975) - Senator Frank Church

Thanks for reading CyberheistNews! Please forward to your friends. But if you want to unsubscribe,
you can do that right here

Thanks for reading CyberheistNews! Warm Regards, Stu Sjouwerman | Email me:
Facebook LinkedIn Blog Twitter YouTube YouTube

Your Network, Their Mobile Device – What Could Go Wrong?

We are excited to announce we have a new module available that you can use to give additional training to employees who use mobile devices. BYOD is increasingly becoming a vector for attack and infection. This module was developed to give employees additional training, and hints and tips regarding secure online behavior when they use their laptop, tablet or smartphone on the road. Find out more about the content and request a quote at this new page. The cost for add-on modules is super low:


Security Deployment Trends Survey Article Part 2

By Laura DiDio. Security Issues: Users Uncensored and Unplugged

Once again, a big thanks to all 500 of you who took the time to participate in the "ITIC/KnowBe4 2013 – 2014 Security Deployment Trends Survey."

This survey is the 15th Anniversary of the first survey that Stu and I did in November, 1998 and it marks the 74th time we’ve collaborated on an independent poll. For any trivia buffs out there, the first survey focused on Microsoft Windows Deployment Trends and Challenges.

To say that the high tech industry has changed a lot since 1998 is an understatement. Some things remain startlingly similar: security issues continue to confound and plague businesses, their IT departments and end users. In 1998 IT departments had a tough time keeping up with all the latest security vulnerabilities and getting management to give them the appropriate resources and budget to deal with security issues. That’s still the case as 2014 dawns.

And today, just like back in 1998, most organizations practiced security with 20-20 hindsight: adopting an attitude of: "If it isn’t broke, don’t fix it." Over 60% of you who responded to the survey took the time to leave an Essay comment. And what commentary! You weren’t afraid to express your opinions on security or the lack thereof in your organizations.

There were so many terrific comments, that we had a tough time choosing, but the winners for the best three (3) essay comments are:
• Michael Perkins - $250 Amazon gift certificate
• Jonathan Lefeber - $100 Amazon gift certificate
• Alex Baldwin - $50 Amazon gift certificate
Expect an Email from us shortly regarding your gift certificates.

We Have Met the Enemy and It is Us

Your observations fell into four main categories:

1) Getting caught in the middle of the security tug-of-war between end users who want all access, all the time and damn the consequences and upper management who expects you to secure the network on a shoestring budget, with few resources and little training

2) The difficulty and danger posed by end users left to their own devices – literally

3) The daily challenges and struggles of trying to secure systems and networks with limited IT resources and budget constraints

4) How to identify security risks and choose from an ever-expanding and confusing assortment of products

One comment that was continually repeated was how understaffed and underfunded most IT departments are. Many of you said security was a low priority – particularly in SMBs. "It all comes down to a lack of resources for us," noted one SMB administrator. "I’m a single person IT department responsible for the network as well as business applications, so staying abreast of a new technology is a challenge…IT spending is a low priority and it’s always a tough sell," he added.

An IT manager at another firm observed that there is an almost "overwhelming amount of information to process" to have even a minimal chance at detecting and thwarting basic attacks. "SMBs are simply not equipped to handle this risk effectively," he said. Compounding the problem is the large number of vendors and products; SMBs cannot afford to vet each one. "We’ve made significant improvements in our security posture but there critical elements where the path is not obvious," he added.

Another IT manager echoed the sentiments expressed by many survey respondents who said that as long as organizations don’t experience any significant security incidents, upper management is content to maintain the status quo.

"There is little desire from above to improve upon our current situation since we have not had any major incidents,” he said. The most pervasive theme throughout the survey was that careless end users constitute the biggest threat and risk to corporate security surpassing even the ever-present perils of malware, malicious organized hackers and disgruntled ex-employees. In other words: "We have met the enemy and it is us!"

"Users are the biggest security challenge," observed an IT manager at an SME. "You are only as strong as your weakest link. User training should be a priority when dealing with any security preparation or issue. I always like to send out a fake phishing scam just to see the number of users who are clicking on links that they shouldn’t be," he said.

An IT manager at another firm bluntly stated, "You cannot trust your end users. They will click ‘Yes’ to anything." (Note, unless they get effective security awareness training, that is...)


Ponemon: Phishing Part Of 50% of APT's

Kelly Jackson Higgins at DarkReading wrote: "Advanced persistent threat (APT)-style attacks may be even more pervasive than thought: Organizations have suffered an average of nine such targeted attacks in the past 12 months, a new study finds.

Even more chilling: Nearly half of those organizations say the attackers successfully stole confidential or sensitive information from their internal networks, according to a new report by the Ponemon Institute called "The State of Advanced Persistent Threats," which was commissioned by Trusteer. Ponemon surveyed 755 IT and IT security professionals who have had firsthand experience with prevention or detection of targeted attacks on their organizations."

The graph (see link) describes the way the top six attack methods the bad guys used got into the network. Very interesting to see that phishing and social engineering are well up there:

Some more highlights:

- Ponemon found that it took victim organizations painfully long periods of time to even discover they had been hit by these attacks. On average, these attacks went undiscovered for 225 days, and nearly 70 percent of them learn from a third party.
- 48 percent say targeted attacks have either rapidly increased or increased in same period.
- Current technology controls against APTs are not working. Seventy-two percent of respondents say exploits and malware have evaded their IDS and 76 percent say they have evaded their AV solutions.
- And not surprisingly, the root of much of the APT troubles in these organizations is lack of budget. Nearly 70 percent say their budgets are inadequate for fighting APTs. It would be highly beneficial to include effective security awareness training in that budget.

Trusteer's Tubin says the actual numbers of APT targeted attacks per year, as well as the percentage of successful ones that exfiltrate information, are probably even higher than the Ponemon report shows. "Newer attack techniques that bypass detection technologies are not being picked up," he says. This stuff is very stealthy ... it sits on the network for a very long time, so it's very likely these companies have additional APTs going on that they just haven't discovered yet."

You can register for and download the full report at Trusteer:

Full article called: "Businesses Suffer An Average Of 9 Targeted Attacks Per Year" and more data at DarkReading:


Data Security Laws And Penalties: Pay IT Now Or Pay Out Later

Thomas Zeno and Lindsay Holmes wrote a great article over at TechRepublic. You should really dig into it because it provides excellent ammo for more IT security budget. They started out with:


"The federal and state laws governing data privacy exact severe penalties on organizations that do not implement appropriate data security measures. Make sure you know what's at stake.


"AvMed recently paid $3.5 million to settle a data breach lawsuit in which class members could not prove actual damage. Will your organization be next? Plaintiffs’ lawyers, as well as federal and state governments, are likely to file “unjust enrichment” claims against organizations that do not ensure safe transmission and storage of personal data. Whether your organization handles financial or medical data, the price of IT compliance may be high, but the price of non-compliance is even higher.


"In 2009, AvMed, a Florida-based health insurer, reported the theft of two laptops containing unencrypted personal information of more than 1.2 million customers, including names, social security numbers, and health-related information. Class action litigation began in 2010. Based on the October 2013 settlement agreement, AvMed is required to implement data security measures it should have had in the first place, including mandatory security awareness training, new password protocols, upgrades to laptop security systems, facility security upgrades, and updates to security policies and procedures, all of which are set out in Health Insurance Portability and Accountability Act (HIPAA) regulations (45 CFR § 164).


"The striking part of the settlement requires that AvMed also forfeit the “unjust enrichment” it has received over the years by not spending sufficiently for the data security it should have provided. AvMed will reimburse “premium overpayments” of $10 for each year the customer paid AvMed insurance premiums with a $30 cap for each approved class member without a showing of actual harm. In addition, AvMed will pay actual, proven losses due to identity theft.


"The AvMed settlement proves that now is the time to implement data security measures that will protect your company, your patients, and your customers in the future. Although experts predict that data losses are likely inevitable, damage to your organization does not have to occur. Lost data does not automatically become a data breach. In AvMed’s case, for instance, encryption would have rendered the stolen information unreadable and no breach would have occurred.


"By implementing data security measures already suggested or required, your organization can avoid a host of problems. Whether your organization handles personal information now, or may do so in the future, federal and state laws are likely to set the standard by which unjust enrichment claims will be made and damages calculated. Below are examples of what is expected." Read the rest of the article here:

Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

This year's U.S. Thanksgiving Airspace Timelapse. Anthill anyone? LOL:

The United State Air Force Band surprises visitors of the National Air and Space Museum with a performance of Christmas classics a few days ago:

2-year-old Titus has the ability to hit basketball 'trick shots' like a pro:

Eskil Ronningsbakken rides his bicycle backwards - sitting on the handlebars - down the 10% incline of Trollstigen in Norway. Death Wish if you ask me:

Awesome video recorded by a camera being pulled behind a fishing boat with a rig of shark-bait. The video was edited, but not speeded up:

John Fisher, an English inventor from Farnham, Surrey, UK demonstrates his anti-theft briefcase:

The spectacular airport of the Greek island of Skiathos, where aircraft pass over the beach at head-height:

Boeing 777 missed landing at Birmingham Airport before being diverted to London Gatwick. Wow, scary:

Talking about scary, this is the real deal. Ric Elias had a front-row seat on the plane that did an emergency landing in the Hudson River. What went through his mind as the airliner went down?

Professional driver Ryan Tuerck shreds some tires on a dream road in the scenic Northwest. Beautiful curves:

Facebook LinkedIn Blog Twitter YouTube YouTube

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews