CyberheistNews Vol 4, 13
Editor's Corner
It's The XPOCALYPSE!... But Is It?
I'm sure you know that next week, April 8th, Microsoft will stop supporting Windows XP, which means they will stop distributing security updates for XP for free. You can still get them, but you have to pay through the nose. For the vast majority of us, when another security bug is found in XP after April 8th (a certainty), that bug cannot be patched anymore, and the workstation that runs XP will be very easy for the bad guys to get into. Microsoft states on their website: "PCs running Windows XP after April 8, 2014, should not be considered to be protected."

What most of you may -not- know is that the bad guys have been hoarding XP zero-day vulnerabilities, patiently waiting for next week so that they can either use them or sell them. There are estimates that there are now hundreds of known holes waiting to be exploited. This -is- something to be worried about. The least you can do is give end-users that still run XP some effective security awareness training, and I have 9 other things you can do to secure XP; see the link below.

Despite Microsoft's continuous warnings, Redmond does not see a stampede toward Win7 or 8. David Rodger, commercial lead for the Windows Business Group at Microsoft, said there was no sense of "panic" from firms about moving off XP. He stated: "We're not seeing a stampede. Many organizations will have looked at this from a 'T-minus' perspective and are probably now seeing their plans come together."

So now, if you are stuck with XP, here are 10 things you should do to make sure it's not going to be a cakewalk for the bad guys to penetrate your network. It's already easy enough. My business partner Kevin Mitnick is always happy to hear that a penetration-test customer has XP running in their network, as that makes his job that much faster. Here is the link to the KnowBe4 blog: http://blog.knowbe4.com/bid/377532/sticking-with-winxp-10-things-you-must-do
Scam Of The Week: HR Department
To start with, you should copy/paste this and send it to your HR team. We have another Scam Of The Week for all employees below. Companies that are recruiting new employees are being targeted through Monster Jobs. The bad guys are using malware called Gameover Zeus, security firm F-Secure reported in a fresh blog post, which mentioned that the attack started with CareerBuilder and has been expanded to Monster. The attack comes in two stages. First, a (spear-)phishing attack takes over the workstation using social engineering and infects the machine with the Gameover malware. Gameover grabs information from website forms, very similar to a keylogger, so the username and password are stolen as they are typed. In the second stage, the bad guys try to get the HR employee to give out the information they are still missing to completely take control of the Monster or CareerBuilder account. They use a bogus security check form and ask for the answer to the account's security question. It is obvious that the bad guys are targeting HR departments specifically, for two reasons:
1. Take over their workstations, penetrate the HR software and implant phantom employees so that they can cash in on payments to these fake employees which were set up.
2. If the account is tied to a bank account and has a spending budget, it's a target for banking Trojans.
People in HR that use Monster and CareerBuilder should keep an eye out for Red Flags related to these websites and do some effective security awareness training. And it would be advisable if both sites would implement 2-factor authentication. Here is a free job-aid you can ask HR to print out and stick on the wall of their office or cubicle: https://s3.amazonaws.com/knowbe4.cdn/SocialEngineeringRedFlags.pdf
Quotes of the Week
"Yesterday is but today's memory, and tomorrow is today's dream." - Khalil Gibran, Writer (1883 - 1931)
"Obstacles are those frightful things you see when you take your eyes off your goal." - Henry Ford, Industrialist
Thanks for reading CyberheistNews! Please forward to your friends. But if you want to unsubscribe, you can do that right here
NEW: Full Free Preview of the 2014 Kevin Mitnick Security Awareness Training!
You May Qualify For A Full Free Preview. You know that your employees are the weakest link in your organization's IT security. You are looking for an effective approach that will protect your network against phishing attacks. This free preview gives you access to the full new 2014 version of the 30-40 minute training. The preview is free, and after you decide to sign up, your yearly subscription allows you both to train all employees and to schedule simulated phishing attacks for all employees, with tracking of 'who clicks when'. You can also check out the 15-minute APT version in 9 languages and the modules Mobile Device Security, PCI Compliance Simplified, and Handling Sensitive Information. Sign Up For Your Free Preview Now: http://info.knowbe4.com/kmsat-preview-14-04-01
Scam Of The Week: Homicide Suspect
The same cybergang that was sending alarming emails telling people they were being evicted from their homes and had to appear in court has a new variant of their racket. It's a community "alert" service email, purportedly coming from Critical Reach, about a homicide suspect, but it is bogus.
As you guessed, the email is not from Critical Reach and the attachment does not contain a police bulletin about a homicide suspect. Instead, the attached zip file contains a malicious executable file.
So far, the emails claim to come from Huntington Park Police in Los Angeles, but you can count on this being adapted to other areas so don't be surprised if this seems to come from a police station close to where you live.
Attacks Give Lift to Cyber Insurance
Last week in the Wall Street Journal, reporter Leslie Scism quoted Bloomberg News as saying that Target's data breach "was the equivalent of 10 free Super Bowl ads."
"The holiday hacker attack on Target was a nightmare for the retailer, but it has delivered a giant gift to insurers that sell policies covering the costs of cyberintrusions.
"With vulnerability to hacking in stark relief, insurance brokers say sales of cyberinsurance have picked up sharply this year. The interest is coming from a diverse mix of customers, including public schools. Many policies cover the costs of investigations, customer notifications and credit-monitoring services, as well as legal expenses and damages from consumer lawsuits.
"Kevin Kalinich, a senior executive at Aon Risk Solutions, said inquiries from potential buyers have tripled since the recent hackings and a greater portion of callers are buying. Before, "we were selling 1.2 policies for every 10 inquiries," he added. "Since, it is 4.2 for every 10 inquiries."
I would recommend getting one of these cyber insurance policies, but you should also ask for a discount if you are running an effective security awareness training program, since that will cut down the risk of a data breach significantly. Remember that Trend Micro reported a few months ago that 91% of successful data breaches started with a spear-phishing attack. http://online.wsj.com/news/article_email/SB10001424052702304688104579463573924846000-lMyQjAxMTA0MDIwNzEyNDcyWj
C-Level Execs Need To Rethink IT Security
Here is some ammo for your higher-ups that may need more data so that they can decide about IT security budgets.
Michael Kassner at TechRepublic wrote: "Researchers advise C-level executives need to rethink IT security: make it a key component of overall company strategy. Until then, more data breaches are inevitable.
Target’s data breach has sent the message "we need to talk" to C-level executives and IT managers throughout the business world. To get things moving, Syed Ali, Vishy Padmanabhan, and Jim Dixon of the management consultancy Bain and Company co-authored the report Why cyber security is a strategic issue: http://www.bain.com/publications/articles/why-cybersecurity-is-a-strategic-issue.aspx
In the report, the authors start the ball rolling: “With stakes so high, CEOs and boards must begin to think about security in a new way. IT security — a task that could once be delegated to the IT staff — has become a top-level strategic issue because the consequences of failure can ruin a business. Any organization may be only a few hacks away from disaster.”
The paper’s authors, before discussing the new way of thinking, look at the current security landscape. Here is the article to pass along: http://www.techrepublic.com/article/c-level-execs-need-to-rethink-it-security/#ftag=RSS56d97e7
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
Peter Besenyei flies through the famous Corinth Canal while performing impressive aerial maneuvers and breathtaking tricks. Hold on to your seat belt! http://www.flixxy.com/flying-through-the-corinth-canal-with-peter-besenyei.htm?utm_source=4
After surviving the famous stampeding bulls in Pamplona, Spain, Richard Hammond finds his next thrill in the Lamborghini Murcielago Roadster: http://www.flixxy.com/lamborghini-murcielago-roadster-pamplona-bull-run-top-gear.htm?utm_source=4
15 sci-fi technologies that are (almost) here. Slideshow: http://www.infoworld.com/slideshow/146149/15-sci-fi-technologies-are-almost-here-239176
Look, you're an adult human being. You're better than this. Don't do any of the things in this slideshow. LOL: http://www.infoworld.com/slideshow/146350/16-terrible-computer-pranks-could-get-you-fired-239254?
Night Vision Challenge in the 2014 BMW X5! He drives around in a blindfolded car, using just the built-in infrared night vision. I want one! https://www.youtube.com/watch?v=bEftk0AzLM8
World's Largest Aircraft - Antonov 225 - Takes Off From Manchester Airport: http://www.flixxy.com/worlds-largest-aircraft-antonov-225-takes-off-from-manchester-airport.htm?utm_source=4
A pigeon keeps up with 90km/h (55 mph) traffic on the M1 motorway in Australia: http://www.flixxy.com/pigeon-races-against-cars-on-australian-highway.htm?utm_source=4
After decades of a drought, the waters miraculously return to the Zin River in Southern Israel, much to the delight of locals: http://www.flixxy.com/what-are-these-people-waiting-for.htm?utm_source=4
Cat begs for breakfast in an amazing way. How could anyone resist granting the request of such a polite Japanese cat?: http://www.flixxy.com/good-morning-please-give-me-breakfast.htm?utm_source=4