CyberheistNews Vol 4, 10
Editor's Corner
Sophisticated Scam Of The Week: Cell Phone Voucher
(Forward to your end-users. This is a nasty one.) There's a fresh, well thought-out social engineering scam sticking up its ugly head right now. The bad guys are promising cell phone users amounts of up to $100 in vouchers using a combination of Caller ID spoofing and a fake website. The quality looks like it's the Russian cyber mafia behind it.

Here is how it works. You get a call, and the Caller ID looks like it comes from your cell phone company's "Tech Support". The bad guys are targeting Verizon and AT&T, but watch out for variants using Sprint, T-Mobile and others. It's a robo-call stating you are eligible to receive a voucher for your account. The amounts vary up to $100, and you need to visit a website to claim your voucher. The URLs look like legit phone company websites, and they are changing these URLs all the time to evade filters. For instance, they promise you a $59 voucher and want you to go to "verizonvoucher59-dot-com". You go to the pretty real-looking website (it has stolen all the original phone company logos) and the site wants you to "Verify My Account" and enter your cellphone number, your ID / password and, to add insult to injury, the last four digits of your Social Security number. If you enter that info, you won't receive a voucher, but your risk of identity theft has skyrocketed.

This Scam's Red Flags:
1) Spoofed Caller ID. (Do not trust the Caller ID you see on -any- call.)
2) The URL is made to look like the real phone company's but isn't.
3) Never act on incoming calls like this; call the company at the 800 number found on their website or on your bill to verify.

And oh, while we are at it, there is a very aggressive Netflix scam doing the rounds too. It starts with a fake Netflix site that states they detected unusual activity on your account, and to call Member Services at an 800-number. You call, a live person answers, and the scammers install spyware, request a photo of your ID and credit card, and at the end of the session the "agent" attempts to charge $400 – minus a "discount"...yeah sure. Here is the video, very interesting to watch and be warned (hat tip to Malwarebytes): http://vimeo.com/88296385#at=0
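Red flag 2 above (a URL built to look like the real carrier's domain) is something a mail or SMS filter can check mechanically. The script below is an added example, not code from the newsletter or from KnowBe4: it refangs a written-up URL such as "verizonvoucher59-dot-com", pulls out the host, and reports whether the registrable domain is on a (constructed, assumed) allow-list for the brand whose name appears in it. The LEGIT_DOMAINS table, the helper names and the sample URLs are all assumptions made for this example.

```python
"""Heuristic check for brand-lookalike URLs of the kind used in the voucher scam.
Added example, not part of the newsletter; the table of legitimate domains and
the sample URLs below are constructed for illustration."""
import re
from urllib.parse import urlsplit

# Assumed allow-list of legitimate carrier domains (constructed for this example;
# in practice use the domain printed on your bill or an internally approved list).
LEGIT_DOMAINS = {
    "verizon": {"verizon.com", "verizonwireless.com"},
    "att": {"att.com"},
    "sprint": {"sprint.com"},
    "tmobile": {"t-mobile.com"},
}


def refang(url: str) -> str:
    """Undo the common 'defanging' used when scam URLs are written up."""
    return url.replace("-dot-", ".").replace("[.]", ".").replace("hxxp", "http")


def hostname(url: str) -> str:
    """Extract the lower-cased host from a URL, adding a scheme if it is missing."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host ('verizonvoucher59.com'). Simplification:
    multi-part public suffixes such as 'co.uk' are not handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def brands_in_host(host: str) -> list:
    """Brands whose name starts or ends a host label once hyphens and digits
    are stripped, so 't-mobile-rewards' -> 'tmobilerewards' matches 'tmobile'
    and 'verizon.com.account-verify.net' matches through its first label."""
    hits = []
    for label in host.split("."):
        squashed = re.sub(r"[^a-z]", "", label)
        for brand in LEGIT_DOMAINS:
            if squashed and (squashed.startswith(brand) or squashed.endswith(brand)):
                if brand not in hits:
                    hits.append(brand)
    return hits


def classify(url: str) -> str:
    """'legitimate' if the registrable domain is on the brand's allow-list,
    'lookalike of <brand>' if a brand name appears but the domain is not,
    'unknown' if no brand name appears at all."""
    host = hostname(url)
    domain = registrable_domain(host)
    hits = brands_in_host(host)
    if not hits:
        return "unknown"
    for brand in hits:
        if domain in LEGIT_DOMAINS[brand]:
            return "legitimate"
    return "lookalike of " + hits[0]


if __name__ == "__main__":
    # Constructed sample URLs as they might appear in a robo-call transcript.
    for sample in ["verizonvoucher59-dot-com", "https://www.verizon.com/account",
                   "http://t-mobile-rewards.com/claim", "https://batteryshop.example/"]:
        print(f"{sample:45} -> {classify(sample)}")
```

The check is deliberately an allow-list: a domain that merely contains a brand name is treated as suspect unless it is one the organization has approved, which matches red flag 3 (verify through the number on your bill, not through the link you were sent). It is a heuristic, so a brand name buried mid-label or a two-part public suffix will slip past it.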
Do you recognize yourself in The Compliance Curve?
Have a look at the curve here. Do you recognize yourself? It's the process that many IT pros told us they go through on a regular basis, much like Groundhog Day. They tell us that regular audits take up too much of their time, they are stuck in "Excel hell" trying to manage compliance, and that there is a lot of duplicate effort going on. Regulatory compliance is mandatory, but the time, cost, and complexity associated with becoming compliant and maintaining compliance have increased and will continue to increase. Most organizations track compliance using spreadsheets, word processors or proprietary self-maintained software.

Is Compliance The Enemy Of Security?
Let's take PCI compliance for example. You're forced to do a bunch of things that are deemed to keep the network secure and protect credit card data. So once a year you have to take this hurdle and get compliant, but soon afterward another 20 fires need to be put out and compliance goes out the window until next year. What we have to do vs. what we should do. The problem is that these days, you are a few hacks away from disaster. Just look at the recent Target data breach. It can happen to all of us if we do not have the right focus. You might be spending too much time getting compliant and not enough time getting your network actually secure.

Compliance starts at the bottom of the pyramid. These are the things you simply have to do, or otherwise you lose the right to take credit cards. Next up is what is called your "legally defensible" level of security. The law expects you to take reasonable security measures, similar to what other companies in your space do. Spending too much time at the bottom of the pyramid is going to cause trouble and could result in high legal fees.

You should spend the minimum amount of time at the bottom, spend the majority of your time in the middle, and spend at least some time at the top, where you actually are in the area that moves the needle related to the bottom line. We all know that compliance is mainly a matter of “people and processes” and tools come second. But what if you could deploy a tool that would automate your people and processes problem? That makes "what you must do" an area that is under control, and allows you to move "up the pyramid". Up to now, these tools were only affordable for the Fortune 500, but KnowBe4 has developed the KnowBe4 Compliance Manager (KCM) as Software as a Service. KCM consolidates your audit management and regulatory compliance tasks into simple automated workflows which prevent overlap and eliminate gaps. “By admins for admins”, whether you are responsible for PCI in a 100-user site, or an MSP managing dozens of companies and thousands of seats.

Available as a 30-day Trial Account with the SANS Top 20
You can test KCM for yourself, using the SANS Top 20 Controls loaded as an easy-to-follow template. This will give you a very quick idea how to deploy this new tool. Sign up here for the 30-day trial: http://info.knowbe4.com/knowbe4-compliance-manager-14-03-11
Quotes of the Week
"I worked hard. Anyone who works as hard as I did can achieve the same results." - Johann Sebastian Bach
"Working hard is very important. You're not going to get anywhere without working extremely hard." - George Lucas
Thanks for reading CyberheistNews! Please forward to your friends. But if you want to unsubscribe, you can do that right here.
Exactly -Which- Employees Are The "Weak Link" In Your IT Security?
Today, your employees are exposed to Advanced Persistent Threats. Trend Micro reported that 91% of successful data breaches started with a spear phishing attack. IT Security specialists call it your 'phishing attack surface'. The more email addresses that are exposed, the bigger your attack footprint is, and the higher the risk. Let's find out. How?
ONE: We run the (free) Email Exposure Check for you. That gives you all the email addresses out there available on the Internet from your own domain. It's often surprising how many addresses can be found and whose.
TWO: You create (again free) an account on our website, upload the addresses found in step ONE, and 5 minutes later they receive a simulated phishing attack! You will immediately know your phishing attack surface, your Phish-prone percentage and your highest risk employees. Fabulous ammo to get more security budget, fun to do and it takes less than 10 minutes. Let's Find Out! http://info.knowbe4.com/which-employees-exactly-13-10-08
Sticking With WinXP? 10 Things You Must Do
I'm sure you know that on April 8, 2014, Microsoft will stop supporting Windows XP and stop creating security updates for XP as well. That means that when another security bug is found in Windows XP after April 8, 2014 (a certainty), that bug cannot be patched anymore, and your PC or laptop that runs XP will be very easy for the bad guys to get into. Microsoft states on their website: “PCs running Windows XP after April 8, 2014, should not be considered to be protected.”
So now, if you are stuck with XP, here are 10 things you should do to make sure it's not going to be cake-walk for the bad guys to penetrate your network. It's already easy enough. My business partner Kevin Mitnick is always happy to hear that a penetration-test customer has XP running in their network, as that makes his job that much easier. Here are the 10 points:
1) Make sure you deploy the very latest XP update so that those machines start out their afterlife as "healthy" as possible.
2) Isolate the old XP devices on separate "dirty" networks to make sure the compromised XP boxes do not infect new machines.
3) Keep these XP machines behind a hardware firewall like a NAT router.
4) Reduce the attack surface and get rid of all unused (third-party) apps, and disable Internet Explorer.
5) Install Google Chrome, which supports XP until at least April 2015, and use the VIEW option of Chrome as much as possible.
6) Windows XP is especially vulnerable for all kinds of malware attacks so give these XP users effective security awareness training so they do not click on links that will infect their PC.
7) If you run MS Office on the box, fully patch it, and keep it patched.
8) Install Secunia (free), regularly scan for new versions of the remaining apps you are using and deploy updates.
9) Turn on the Windows Firewall, and turn on Microsoft Security Essentials.
10) Last but not least, consider deploying whitelisting (aka application control), which locks down the XP box and only allows known-good executables to run.
Are Modern Malware Threats Making Anti-Virus Software Mostly Useless?
CBC News had a pretty controversial headline today. They wrote that some computer consultants say the global malware threat has gotten so bad that conventional security measures, such as anti-virus software, are no longer adequate to fight them.
"Anti-virus programs are 'totally useless,' says Mohammad Mannan, an assistant professor at the Concordia Institute for Information Systems Engineering in Montreal."
I was quoted in the article as well: "Anti-virus software works on the principle of identifying malevolent files and infected sites. But because of the sheer volume of malware online nowadays, rather than blacklisting bad sites we should be 'whitelisting' the good ones," says Stu Sjouwerman, founder and CEO of U.S.-based computer security consultancy KnowBe4.com.
The amount of malicious software — better known as “malware”— circulating on the web has grown significantly in the past decade. According to figures from virus detection sites, in 2002 there were an estimated 17 million known “good” executable files from various existing applications on the commercial Internet, while antivirus engines detected two million nefarious ones. By 2012, there were 40 million known good files and 80 million bad ones.
The major problem, says Concordia’s Mannan, is that anti-virus software is by nature reactive, which means that it responds to specific malware after it has been distributed. Should a malware writer change a few lines of code, however, that anti-virus solution suddenly becomes obsolete.
It’s the sheer number of malware variations that makes it impossible for anti-virus software to effectively combat the problem, says Mannan. To illustrate this, he points to the Storm botnet of 2007, a sophisticated piece of malware that affected millions of computers worldwide and generated 8,000 variations of itself every day. “How many updates or variants are you going to catch, if you’re an anti-virus company?” Mannan asks.
Is ‘whitelisting’ the answer?
Given these overwhelming threats, Sjouwerman believes whitelisting is vital to keep web surfers safe. The principle is similar to verified accounts on Twitter, which was a response to the proliferation of bogus accounts (usually ones pretending to belong to celebrities). Rather than identifying all the fake accounts, Twitter’s verification process simply certifies the legitimate one.
Whitelisting has been around for more than a decade, says Mannan, but only a few companies offer it right now. The way it works is that anytime you surf the web, the whitelist prompt appears in your browser. If you go to a website that has been penetrated by hackers, the browser pops up a stern warning telling you not to proceed to the site.
Google’s Chrome browser “has this to a degree, but that’s all based on blacklists,” says Sjouwerman. Whitelisting would keep a list of good sites on your workstation and in the cloud, which is a “sanity check” for the list on your computer.
Sjouwerman is convinced it’s the only way to deal with the growing malware threat. “We need to do a 180, and we need to stop ‘keeping the bad guys out’, because you can’t keep up,” says Sjouwerman. “That’s why I’m on an evangelizing rampage to tell people we need to go to whitelisting.” We need to start with only allowing "known-good" programs to run, much like a bouncer standing at the door: anyone who is "not on the list" simply is denied entry.
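The argument above (a few changed lines make a signature obsolete, whereas a "known-good only" bouncer denies anything it has not seen) and point 10 of the XP list (application control) are easiest to see side by side in code. The script below is an added example, not code from the newsletter, from KnowBe4 or from any AV or application-control product: the "executables" are constructed byte strings standing in for files on disk, the hash sets are constructed, and the class and function names are assumptions made for this example. It hashes each file with SHA-256 and runs it through both a blocklist scanner and an allow-list control, then records the verdicts the way a denial log entry would.

```python
"""Allow-list (whitelist) versus blocklist application control in miniature.
Added example, not from the newsletter; every file and hash set below is a
constructed stand-in, not real malware or real product data."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for files on disk.
CALC_V1 = b"MZ\x90\x00 constructed calc.exe v1"
NOTEPAD_V1 = b"MZ\x90\x00 constructed notepad.exe v1"
CALC_V2 = b"MZ\x90\x00 constructed calc.exe v2"   # legitimate update, not yet approved
MALWARE_V1 = b"MZ\x90\x00 constructed dropper build 1"
MALWARE_V2 = MALWARE_V1 + b"\x00"                   # one-byte repack of the same dropper


class BlocklistScanner:
    """Signature AV in miniature: deny only what matches a known-bad hash."""

    def __init__(self, known_bad):
        self.blocked = {sha256(f) for f in known_bad}

    def allows(self, data: bytes) -> bool:
        return sha256(data) not in self.blocked


class AllowlistControl:
    """Application control: run only what matches a known-good hash."""

    def __init__(self, known_good):
        self.approved = {sha256(f) for f in known_good}

    def allows(self, data: bytes) -> bool:
        return sha256(data) in self.approved

    def approve(self, data: bytes) -> None:
        """Operational cost of whitelisting: every legitimate update needs
        an explicit approval step before it will run."""
        self.approved.add(sha256(data))


def decide(name: str, data: bytes, scanner: BlocklistScanner,
           control: AllowlistControl) -> dict:
    """Run one file through both models and record the verdicts plus a hash
    prefix, which is what a denial log entry for triage would carry."""
    return {
        "file": name,
        "sha256": sha256(data)[:16],
        "blocklist_allows": scanner.allows(data),
        "allowlist_allows": control.allows(data),
    }


def run_scenario() -> dict:
    """Blocklist knows only build 1 of the dropper; allow-list knows only the
    two approved executables. Returns verdicts keyed by file name."""
    scanner = BlocklistScanner(known_bad=[MALWARE_V1])
    control = AllowlistControl(known_good=[CALC_V1, NOTEPAD_V1])
    files = {"calc_v1": CALC_V1, "calc_v2": CALC_V2,
             "malware_v1": MALWARE_V1, "malware_v2": MALWARE_V2}
    return {name: decide(name, data, scanner, control) for name, data in files.items()}


if __name__ == "__main__":
    for verdict in run_scenario().values():
        print(verdict)
```

Two rows carry the lesson: the one-byte repack (malware_v2) sails through the blocklist but is still denied by the allow-list, and the legitimate update (calc_v2) is denied by the allow-list until someone approves it. That second row is the cost the "bouncer" model brings with it, and it is why application control needs a change-management step for every update rather than just a hash database.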
Pre-Installed Malware Turns Up On New Phones
A fake version of Netflix that steals personal data and sends it to Russia has been found on several phone models.
David Jevans, CTO and founder of Marble Security, recently received some bad feedback from a potential customer testing his company's product, which helps organizations manage and secure their mobile devices.
After taking a close look at the suspicious application, Jevans said they found it wasn't the real Netflix app. "We're like, yeah, this isn't the real Netflix," Jevans said "You've got one that has been tampered with and is sending passwords and credit card information to Russia."
Marble Security found the fake Netflix app on six devices from Samsung Electronics: the GT-N8013 Galaxy Note, the SGH-1727 Galaxy S III phone, the SCH-1605 Galaxy Note 2 phone, the SGH-1337 Galaxy S4 phone, the SGH-1747 Galaxy S III phone and the SCH-1545 Galaxy S4 phone. The fake app was also found on three Motorola Mobility devices, the Droid Razr, Droid 4 and Droid Bionic; two Asus tablets, the Eee Pad Transformer TF101 and the Memo Pad Smart MT301; and on LG Electronics' Nexus 5 phone.
The lesson? Check the security certificate of pre-installed apps to make sure they are not 'self-signed' by the bad guys. And especially, stay away from all "side-loading"; only download apps from Google Play.
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
This Insane New App Will Allow You To Read Novels In Under 90 Minutes: http://elitedaily.com/news/technology/this-insane-new-app-will-allow-you-to-read-novels-in-under-90-minutes/
30 Richest Techies In The World. Forbes came out with its list of billionaires and techies make an impressive showing on the list: http://www.networkworld.com/slideshow/143027/30-richest-techies-in-the-world.html?
This super catchy song about being happy by Pharrell Williams has already attracted over 97 million viewers and listeners on YouTube. Lyrics included: http://www.flixxy.com/happy-by-pharrell-williams.htm?utm_source=4
How to Pick a Lock With Hairpins - very instructive with a transparent lock: http://www.youtube.com/watch?v=cjuT_63Ioig
Watch a man get stunned by the Chaotic Unmanned Personal Intercept Drone: http://www.engadget.com/2014/03/07/stun-copter-video/
A clever and creative use of technology makes this display advertisement interact with the environment in a subway station in Stockholm, Sweden: http://www.flixxy.com/hair-raising-subway-ad-blows-away-the-competition.htm?utm_source=4
The "Towel Dance" by Cirque du Soleil performers Les Beaux Freres at the French TV Show "The World's Greatest Cabaret". Hilarious. Look at the reactions of the women: http://www.flixxy.com/towel-comedy-act-by-les-beaux-freres.htm?utm_source=4
The 'Boogie Woogie Twins' Dr. John and Jools Holland present an exhilarating performance at the TV show 'Night Music'. Awesome: http://www.flixxy.com/boogie-woogie-twins-dr-john-and-jools-holland.htm?utm_source=4