CyberheistNews Vol 4, # 12 NSA's Secret Efforts To Hack System Admins




Editor's Corner

Inside The NSA's Secret Efforts To Hack System Admins

Wow, it makes sense, but it is not good news. Sysadmins have the keys to the kingdom, and that has turned them into NSA targets simply for doing their jobs. According to a newly released secret document provided by Edward Snowden, the NSA tracks down the private email and Facebook accounts of admins so it can hack their machines and get access to the networks they manage. Yikes.

The document Snowden released contains several posts, one of them titled "I hunt sys admins". They were published in 2012 on an internal discussion board hosted on the agency's classified servers. More at Hackbusters, where there is a link to the full article as well:
http://www.hackbusters.com/news/stories/31591-inside-the-nsa-s-secret-efforts-to-hunt-and-hack-system-administrators

Scam Of The Week: You Owe Taxes, Pay Now Or Else

This scam uses a combination of phishing emails and phone calls with spoofed Caller ID. The scammers intimidate the victim and threaten arrest, deportation, or loss of a business or driver's license.

The Treasury Inspector General for Tax Administration (TIGTA) this week issued a warning about it. "This is the largest scam of its kind that we have ever seen," said J. Russell George, the Treasury Inspector General for Tax Administration. TIGTA has received more than 20,000 reports of the scam, and victims have collectively paid more than $1 million as a result of it.

Scammers claiming to be from the IRS tell people they owe taxes and must pay using a pre-paid debit card or wire transfer. The truth is that the IRS usually first contacts people by mail - not by phone - about unpaid taxes. Here are some Red Flags you need to watch out for:

- The callers use common names and fake IRS badge numbers.
- The perpetrators know the last four digits of your Social Security Number.
- Caller ID looks like it is the IRS calling.
- The criminals send bogus IRS e-mails to support their scam.
- Many fraudsters call a second time claiming to be the police or the department of motor vehicles, and the caller ID again supports their claim.


The IRS recently warned consumers of this and other ongoing scams that tend to peak during tax season, when many taxpayers are on edge. The scams come in many variations, from callers who say the victim owes money to callers who say the victim is entitled to a huge refund. More at Treasury.gov:
http://www.treasury.gov/tigta/

FBI Has A Cyber Crime "Ten Most Wanted List."

Have you seen this criminal hacker? Help the FBI find Cyber's 10 Most Wanted. They are offering a reward of up to $100,000 for information leading to the arrest of Alexsey Belan who is on the #1 spot. You can even download PDF posters which you could use for your security awareness programs. And they are -real-! There is also a list with Federal cyber crime most wanted, and surprisingly 4 of these 10 are women. All of them are Eastern European cyber criminals. Click on the blue shield with "federal cyber crime charges" for those, and then click on Get Poster:
http://www.fbi.gov/wanted/cyber

Flash Survey: 3 Security Awareness Training Questions

Would you take 30 seconds and answer these three multiple-choice questions for me? I'd be surprised if the whole thing took more than 30 seconds, really. Thanks so much in advance! Here is the link at SurveyMonkey:
https://www.surveymonkey.com/s/58XYCSR

Quotes of the Week

"We hold these truths to be self-evident: that all men are created equal; that they are endowed by their Creator with certain unalienable rights; that among these are life, liberty, and the pursuit of happiness." - Thomas Jefferson - Founding Father & US President (1743 - 1826)

"We feel and know that we are eternal." - Spinoza - Philosopher (1632 - 1677)

"When strong winds blow, don't build walls, but rather windmills:... turn every bit of adversity into fuel for improvement." - Nassim Taleb.


Thanks for reading CyberheistNews! Warm Regards, Stu Sjouwerman | Email me: feedback@knowbe4.com

KnowBe4 Compliance Manager Reviewed By eSecurityPlanet

Instead of me tooting our horn, why don't you have a look at what Security Editor Matt Sarrel at eSecurityPlanet has to say about KCM after he tested it. He started out with: "Many security managers would likely place security tasks associated with regulatory compliance on their lists of "most hated" job requirements because they must wrestle with so many difficulties and problems surrounding compliance."
http://www.esecurityplanet.com/network-security/review-knowbe4-compliance-manager.html

If you want a 30-day trial or a 15-minute web demo, fill out the form:
http://info.knowbe4.com/knowbe4-compliance-manager-14-03-25


The Unbearable "Bear Escape" Analogy

Gartner analyst Ben Tomhave posted this thought on his blog, which I think IT people will find very useful when they need to explain why they need an IT security budget.

"You don't have to run faster than the bear to get away. You just have to run faster than the guy next to you." The problem with this analogy is that we're not running from a single bear. It's more like a drone army of bears, which are able to select multiple targets at once (pun intended). As such, there’s really no way to escape "the bear" because there's no such thing." (Bears are a good analogy for the Russian cyber mafia BTW) [snip]

"But, how do you get to that point of a healthy, robust risk management program? Where do you start? How do you prioritize your work? Here's the priority stack I've been using lately:

1) Exercise good basic security hygiene
2) Do the things required of you by an external authority (aka "things that will get you fined/punished")
3) Do the things you want to do based on sound risk management decisions

"What this stack should tell you is two key things. First, a reasonable standard has to consider a basic set of security practices applied across the board. It would probably be comprised of policies, awareness programs, [patching] and other foundational practices."

"For instance: Did a breach occur because a system wasn't up to full patch level? If so, is a reasonable patch mgmt program in place? If so, why wasn't this patch applied? What does the supporting risk assessment show about why this particular patch was not applied?

"Obviously, more could be said but, hopefully this stub gets you started thinking about how the business may need to protect itself from legal claims in the future, and how an evolved standard for "reasonable care" (as determined in court) may impact security practices and expectations for security performance." MORE:
http://blogs.gartner.com/ben-tomhave/incomplete-thought-the-unbearable-bear-escape-analogy/


SC Congress London: Bottom-Up Security Awareness Has C-Level Benefits

LONDON, UK - A stellar panel of infosec experts told a packed audience at SC Congress London on Thursday that security awareness can play an integral role in educating the C-suite about threats coming from inside and outside the company.

The panel, entitled "Inside, outside, upside-down: Staying ahead of the threat" comprised Brian Brackenborough, CISO of Channel 4, Frank Florentine, director of LilyCo, and Daniel Schatz, director of information security threat and vulnerability management at Thomson Reuters. MORE:
http://www.scmagazineuk.com/sc-congress-london-bottom-up-security-awareness-has-c-level-benefits/article/339219/


Many Companies Still Not Disclosing Breaches or Sharing Attack Information

Some 60 percent of organizations worldwide have an incident response team and plan in place to prepare for an attack, a new report finds. According to the report, from Arbor Networks and The Economist Intelligence Unit, many companies still do not publicly acknowledge data security breaches.

While 77 percent of organizations responding to the survey said they had experienced a breach in the past year, 57 percent said they do not voluntarily disclose breaches that are not required to be disclosed by laws. Just over one-third of respondents said they share breach information with others in their industry. MORE:
http://www.darkreading.com/attacks-breaches/many-organizations-dont-go-public-with-d/240166693


Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

Users got you down? Just watch this! A supercut of some of the best HAPPY videos from all around the world, selected by Pharrell Williams for the International Day Of Happiness, March 20 every year:
http://www.flixxy.com/i-am-happy-supercut.htm?utm_source=4

This is an alternative to a job in IT. This guy rides on the outside of a helicopter and then climbs off onto high-voltage power lines to maintain them. An amazing clip from an IMAX documentary:
http://www.flixxy.com/helicopter-cable-inspector.htm?utm_source=4

TED Talk by James Lyne: Everyday cybercrime. This is fabulous ammo to send to the executives who need to OK your IT security budget:
https://www.ted.com/talks/james_lyne_everyday_cybercrime_and_what_you_can_do_about_it

Four days, an electric screwdriver, $41,000 and a piece of land is all you need to build the structure of this beautifully designed pop-up house:
http://www.flixxy.com/sustainable-home-built-in-4-days-using-screwdrivers.htm?utm_source=4

Why holding your remote key fob against your head extends its range - explained by Professor Roger Bowley:
http://www.flixxy.com/car-key-fob-head-trick-explained.htm?utm_source=4

F1 driver Daniel Ricciardo takes on F/A-18 Hornet pilot Michael Keightley in an epic demonstration of speed on the ground and in the air:
http://www.flixxy.com/formula-one-car-vs-fa-18-hornet.htm?utm_source=4

Thanks to modern technology, one of your most dangerous childhood dreams just came true. A Jet-Powered Merry-go-round. Woo hoo!
http://www.flixxy.com/jet-powered-merry-go-round.htm?utm_source=4

Japanese modern dance group 'World Order' does it again with a fascinating robot-style music video shot in Tokyo's Akihabara district:
http://www.flixxy.com/genki-sudo-world-order-have-a-nice-day.htm?utm_source=4

The Mercedes SLS AMG ED is a fully electric supercar with independent motors for each wheel that are computer controlled for best performance and handling:
http://www.flixxy.com/worlds-first-electric-supercar-mercedes-sls-amg-electric-drive.htm?utm_source=4
