CyberheistNews Vol 4, # 02

Editor's Corner


The 5 Most Dangerous Phishing Email Subjects

Websense posted some interesting new phishing research a few days ago. They started out: "With cloud infrastructure easily scalable and rented botnets coming on the cheap, the cost of conducting massive phishing campaigns continues to decline for cybercriminals. Even if the return rate is small or the campaign is poorly executed, phishing can result in serious money for criminals. Phishing will never simply go away—meaning ongoing headaches for security professionals."

They listed the top 10 countries hosting phishing sites, but also the most dangerous phishing subject lines, based on research conducted Jan-Sept 2013:

1) Invitation to connect on LinkedIn
2) Mail delivery failed: returning message to sender
3) Dear (insert bank name here) Customer
4) Important Communication
5) Undelivered Mail Returned to Sender

These results are confirmed by KnowBe4's own research, which showed that the LinkedIn invites had the highest click rates in our simulated phishing attacks. I suggest you send these 5 subjects to your users and warn them.

You may not be aware that we offer a free phishing security test you can run on your own users to find out what the Phish-prone percentage of your own organization is. It's often higher than expected. Create your free account here:
https://training.knowbe4.com/signup

The History Of Hacking In 5 Minutes For Dummies

What do you do when you need to explain the history of hacking to a busy non-technical manager in five minutes or less? Here is an attempt to condense this extremely complex subject into a 5-minute "Cliff's Notes" version. It's a new post on the KnowBe4 Blog. Let me know what you think:
http://blog.knowbe4.com/bid/367048/The-History-Of-Hacking-In-5-Minutes-For-Dummies

Target Data Breach Now 110 Million Cards - Neiman Marcus And Others Hacked Too

It goes from bad to worse. Target's initial 40 million turns out to be really 110 million. Apparently the forensics team discovered another 70 million cards exfiltrated. And then the news broke that Neiman Marcus and three other major, as yet unnamed retailers were hit using techniques similar to the one used on Target, called RAM scraping, which reads card data while it passes through a computer's memory.

Since these hacks seem to be date-coincident, you would assume that it's the same eastern European cyber mafia that was behind this record cyberheist. Next, the possibility comes to mind that these retail chains might even use the same point-of-sale vendor, and that this vendor could have been penetrated even before Target, Neiman Marcus and the others were.

Some conclusions:

1) If you process a lot of consumer data year-round, the safest play is to assume you are already hacked and that you need to find and root out the perpetrators.
2) If one of your IT vendors has been breached, you might very well suffer the consequences of that. Confirm they have achieved ISO 27001 certification and have successfully completed multiple SAS70 Type II audits.
3) It is assumed the Target hackers are eastern European, since the stolen data surfaced there and is for sale by a man living in Odessa, Ukraine. That means they likely came in via spear-phishing, and providing mandatory and effective security awareness training for -all- employees is becoming a -must-.

Why? "They steal and combine what was stolen in previous breaches," said Avivah Litan, a fraud analyst at technology research company Gartner. "There are warehouses of information on people and dossiers. Now we've got John's credit card, his address, his phone number... they do put it together and sell entire profiles on people." And those profiles can be used to create very convincing and sophisticated spear-phishing attacks.

I was interviewed on TV yesterday about this massive cyberheist by the Tampa CBS station. Here is the article and the video clip with yours truly:
http://www.wtsp.com/news/article/352707/250/Huge-cyberheist-means-millions-at-risk-for-identify-theft

Quotes of the Week

"Trust me, Wilbur. People are very gullible. They'll believe anything they see in print." - E.B. White, in Charlotte's Web

"It doesn't work the same way everywhere. The Americans are the most gullible, because they don't like to deny co-workers' requests. People in the former Soviet bloc countries are less trusting, perhaps because of their previous experiences with their countries' secret services." - Kevin Mitnick

Thanks for reading CyberheistNews! Warm Regards, Stu Sjouwerman | Email me: feedback@knowbe4.com

Can Phishing Attacks Spoof -Your- Domain? Find Out Now:

91% of successful data breaches began with a "spear-phishing" email, research from security software firm Trend Micro shows. Are -you- vulnerable? Find out now whether your email server is configured correctly; many are not!

KnowBe4 offers you a free 'Domain Spoof Test', which shows whether outsiders can send you an email that appears to come from someone within your own domain. It's quick, easy and often a bit of a shock. All we do is send one email from the outside directly to you, with your own email address spoofed as the sender; if that email makes it through, it arrived "from you to you".

So, can hackers send all your employees an email 'from your CEO' about your organization's new health care plan? Find out now:
http://info.knowbe4.com/domainspooftest-14-01-14
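Whether a forged "from you to you" message is accepted by a receiving mail system is decided by the sender domain's published SPF and DMARC DNS records (this is an assumption about the mechanism; the newsletter does not describe how KnowBe4's test works internally). The following is an added example, not KnowBe4's code: it evaluates SPF and DMARC record strings offline against constructed records for three hypothetical domains, and it shows why an SPF record alone, even a strict -all one, does not protect the From: header your users actually see.

```python
"""
Offline SPF/DMARC policy check for the "can outsiders spoof my domain?" question.

Added example, not KnowBe4's Domain Spoof Test. Assumption: the "server
configuration" that decides whether a spoofed you-to-you message gets through
is the domain's published SPF and DMARC policy, so this evaluates those record
strings. It takes the TXT record text directly rather than querying DNS, so it
runs offline; the sample records at the bottom are constructed, not lookups.
"""
from dataclasses import dataclass, field

# SPF "all" mechanism qualifiers and the result each yields for a sender that
# matched nothing else, which is the position an outside spoofer is in.
SPF_ALL = {"-all": "fail", "~all": "softfail", "?all": "neutral",
           "+all": "pass", "all": "pass"}


@dataclass
class SpoofVerdict:
    spf_policy: str    # fail, softfail, neutral, pass, or none (no usable record)
    dmarc_policy: str  # reject, quarantine, none, or missing
    spoofable: bool    # True if a forged From: header would likely reach the inbox
    reasons: list = field(default_factory=list)


def parse_spf(record):
    """Return the SPF result an unlisted outside sender would get."""
    if not record:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        if term.lower() in SPF_ALL:
            return SPF_ALL[term.lower()]
    return "neutral"  # no "all" mechanism: RFC 7208 default result is neutral


def parse_dmarc(record):
    """Return (policy, pct) from a DMARC TXT record, or ("missing", 0)."""
    if not record:
        return "missing", 0
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return "missing", 0
    policy = tags.get("p", "none")
    if policy not in ("none", "quarantine", "reject"):
        policy = "none"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    return policy, pct


def evaluate(spf_record, dmarc_record):
    """Combine SPF and DMARC into a spoofability verdict with plain-language reasons."""
    spf = parse_spf(spf_record)
    dmarc, pct = parse_dmarc(dmarc_record)
    reasons = []
    if spf in ("none", "neutral", "pass"):
        reasons.append(f"SPF gives outside senders '{spf}': receivers have no basis to reject")
    elif spf == "softfail":
        reasons.append("SPF ~all only softfails forged mail; many receivers still deliver it")
    if dmarc == "missing":
        reasons.append("no DMARC record: SPF only checks the envelope sender, "
                       "so the visible From: header is unprotected")
    elif dmarc == "none":
        reasons.append("DMARC p=none only reports; it does not block a forged From: header")
    elif pct < 100:
        reasons.append(f"DMARC pct={pct}: only that share of failing mail gets '{dmarc}'")
    # Only an enforcing DMARC policy ties SPF/DKIM results to the From: header users see.
    spoofable = dmarc not in ("quarantine", "reject") or pct == 0
    return SpoofVerdict(spf, dmarc, spoofable, reasons)


# Constructed sample records for three hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "locked.example": ("v=spf1 include:_spf.mailhost.example -all",
                       "v=DMARC1; p=reject; rua=mailto:dmarc@locked.example"),
    "halfway.example": ("v=spf1 ip4:192.0.2.0/24 -all",
                        "v=DMARC1; p=none; rua=mailto:dmarc@halfway.example"),
    "open.example": (None, None),
}


def check_domain(name):
    """Look up a hypothetical domain in the constructed table and evaluate it."""
    spf, dmarc = SAMPLE_RECORDS[name]
    return evaluate(spf, dmarc)


if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        v = check_domain(name)
        print(f"{name}: spoofable={v.spoofable} (SPF {v.spf_policy}, DMARC {v.dmarc_policy})")
        for r in v.reasons:
            print("   -", r)
```

The interesting case is halfway.example: its SPF ends in -all, yet it is still spoofable, because a forger can put any domain in the envelope sender while keeping your address in the From: header, and only DMARC (with p=quarantine or p=reject) checks that the two line up. To run this against a real domain you would feed it the TXT records from a DNS query for the domain and for _dmarc.<domain>; that lookup is deliberately left out so the example stays offline.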


Senior Managers Fumble Security Much More Often Than Rank And File

Antone Gonsalves at CSO wrote: "Senior managers are the worst offenders of information security, because of a combination of job pressures, busy schedules and an attitude that they are above the rules, an expert says.

A recent study by Stroz Friedberg, which specializes in digital forensics and risk management, found that almost nine in 10 senior managers regularly uploaded work files to a personal email or cloud account.

In addition, more than half had accidentally sent the wrong person sensitive information and had taken files with them after leaving a job. The percentages, 58 percent and 51 percent, respectively, were much higher than for general office workers.

The reason why senior management skirts the rules is twofold. First, they tend to be under a lot of pressure due to their busy schedules, so they often have no patience for security measures that add time, Eric Friedberg, co-founder and executive chairman of the firm, said. In addition, many managers, particularly in large organizations, travel a lot and often find themselves in countries or hotels where Internet access is subpar." More at:
http://www.csoonline.com/article/745703/senior-managers-fumble-security-much-more-often-than-rank-and-file?


Ouch! January 2014

SANS announced the new issue of their newsletter called OUCH!

"This month, led by Guest Editor Kevin Johnson, we discuss how to secure your home network. We figured that since many of you may have new devices connecting to your home network, this would be an excellent time to review and update its security. As always, we encourage you to download and share OUCH! with others."

English Version (PDF)
http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201401_en.pdf

SANS also released a new security awareness poster called "Don't Get Hooked." Developed as a community project, the poster shows a common phishing email and explains the top indicators of a phish. Learn more at:
http://www.securingthehuman.org/resources/posters


Why The Bad Guys Have An Easy Time

Stephen Northcutt, in his book Network Intrusion Detection: An Analyst's Handbook, stated: "Fewer than one in twenty security professionals has the core competence and the foundation knowledge to take a system all the way from a completely unknown state of security through mapping, vulnerability testing, password cracking, modem testing, vulnerability patching, firewall tuning, instrumentation, virus detection at multiple entry points, and even through back-ups and configuration management."

My comment: Yeah, it takes an impossible amount of time to learn all of that if you are also a system or network admin and work 60 hours a week just to keep everything up and running in a small or medium-size business. This is a real problem and not an easy one to solve, given the limited budgets of SMBs.


Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

How much have we learned from history? How many people would still fall for the ancient Trojan Horse trick today?
http://www.flixxy.com/trojan-horse-today.htm

Guards are supposed to perform their duty precisely, ceremoniously and without showing any emotion or reaction, but once in a while something unexpected happens....
http://www.flixxy.com/ceremonial-guard-bloopers.htm

How do you make a tree float in the air? Graphic designer Daniel Siering and art director Mario Shu create magic using artistic inspiration:
http://www.flixxy.com/hovering-tree-illusion-painting.htm?

The most amazing stage magic ever - sawing a woman in half using clear see-through boxes:
http://www.flixxy.com/best-international-stage-magicians.htm?

Running, jumping and biking on 8,000 liters (2,100 gallons) of non-Newtonian fluid (corn starch and water) in Kuala Lumpur, Malaysia:
http://www.flixxy.com/can-you-walk-on-water.htm

A starship is entering an area of space near our solar system. The crew is being briefed on the strange species called "humans":
http://www.flixxy.com/danger-humans-a-message-from-the-interstellar-safety-council.htm?

Would you like to learn the basics of the Chinese written language in 5 minutes? Interesting!
http://www.flixxy.com/chinese-made-easy.htm

12 famous passwords used through the ages; a fun slide show:
http://www.csoonline.com/slideshow/detail/135304/12-famous-passwords-used-through-the-ages?
