CyberheistNews Vol 4, # 45 Free Pizza Delivers Malware
KnowBe4
Stu Sjouwerman's New Security Newsletter
Editor's Corner

SCAM of the Week: Free Pizza Delivers Malware

Researchers at Cloudmark warn of a current, active cybercrime campaign that uses the tempting lure of free pizza. They spotted new spam emails claiming to be a promotion from "Pizza Hut", which social engineer recipients into clicking a link to "claim" their delicious reward.

"Of course, if you click on the link, you do not get a coupon for free pizza – you get a zip file containing a Windows executable which will make you part of a malicious botnet called Asprox or Kuluoz," they said.

So we have added a new template in the Social Media section, and here is how it looks. We recommend sending this out ASAP to inoculate your users one more time and keep them on their toes. Finally, something you can do that is proactive! If you are not a KnowBe4 customer, warn your users through an email to all employees and include this picture in the email. The tell to teach them: a coupon never arrives as a zip file, and a zip file that contains an executable should never be opened.

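
For the IT side of the house, here is an added example (not code from the newsletter or from Cloudmark) of the check a mail gateway or an analyst can run on an attachment like the one described above: it opens a zip, flags any member that is a Windows executable by extension, by a misleading double extension such as "Coupon.pdf.exe", or by the "MZ" header at the start of the file regardless of what it is named, and looks inside nested zips. The sample zips are constructed in memory with MZ-prefixed stubs that are not real programs, and the extension list is an assumption for the example, not an exhaustive catalogue.

```python
# Added example: inspect a zip attachment for Windows executables, the
# payload Cloudmark describes. Not code from the newsletter or Cloudmark.
# The sample zips below are constructed in memory; the stubs are not
# real programs, only files that begin with the PE "MZ" header.
import io
import posixpath
import zipfile

# Extensions Windows runs on double-click. Assumption: a representative
# list for the example, not an exhaustive one.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def suspicious_members(zip_bytes: bytes, depth: int = 0, max_depth: int = 2) -> list[str]:
    """Return "name: reason, reason" for each zip member that looks like
    a Windows executable.

    A member is flagged when its extension is executable, when it hides
    that extension behind another one ("Coupon.pdf.exe"), or when its
    content starts with the MZ header regardless of what it is called.
    Nested zips are opened recursively up to max_depth levels.
    """
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = posixpath.basename(name.lower())
            ext = posixpath.splitext(base)[1]
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))  # only the magic bytes are needed
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension")
                if base.count(".") >= 2:
                    reasons.append("double extension")
            if head == PE_MAGIC:
                reasons.append("MZ header")
            if reasons:
                findings.append(f"{name}: {', '.join(reasons)}")
            elif ext == ".zip" and depth < max_depth:
                # Attackers nest archives to defeat shallow scanners.
                inner = suspicious_members(zf.read(info), depth + 1, max_depth)
                findings.extend(f"{name}/{hit}" for hit in inner)
    return findings


def build_sample_lure() -> bytes:
    """Constructed sample of the "free coupon" zip described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Bait name with a hidden .exe; content starts like a PE file.
        zf.writestr("Pizza_Hut_Coupon.pdf.exe", PE_MAGIC + b"\x90" * 62)
        # Renamed payload: the name says PDF, the bytes say PE.
        zf.writestr("Terms.pdf", PE_MAGIC + b"\x00" * 62)
        # Benign member that must not be flagged.
        zf.writestr("README.txt", b"Claim your free pizza!\n")
    return buf.getvalue()


def build_nested_lure() -> bytes:
    """Constructed sample: the same payload wrapped in a second zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("coupon.zip", build_sample_lure())
        zf.writestr("note.txt", b"Open the attached coupon to claim.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("flat", build_sample_lure()), ("nested", build_nested_lure())):
        hits = suspicious_members(sample)
        print(f"{label}: {'BLOCK' if hits else 'allow'}")
        for hit in hits:
            print("  ", hit)
```

The magic-byte check is the one that matters: a payload renamed to "Terms.pdf" sails past an extension blocklist, but its first two bytes still say it is a Windows executable. Keep max_depth bounded so a zip nested many levels deep cannot turn the scanner into a decompression-bomb victim.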
Home Depot Blames Security Breach on Windows

As if it wasn't bad enough to lose 56 million credit card accounts, now Home Depot has to admit it also lost 53 million email addresses. This gives the bad guys a fabulous opportunity to go spear-phishing with a Home Depot theme. What an epic fail.

Home Depot warns its customers to be on guard against phishing scams. What they should do is give all these households a free security awareness training course for the whole family on top of the required one-year credit report monitoring.

Notable is that the hack followed the same pattern as the Target breach, where the bad guys got in through a Pennsylvania-based refrigeration contractor's electronic billing account: third-party vendor credentials were the way in.

Home Depot's Frank Blake, who retired as chief executive last month as scheduled, has conceded the company needs to place greater emphasis on data security. "If we rewind the tape, our security systems could have been better," Mr. Blake said in an interview last month. "Data security just wasn’t high enough in our mission statement."

No $#!+, Sherlock. Your internal IT security people were leaving the company and telling their friends and family to only pay cash at Home Depot.

The malware's entry point turned out to be a server at a store south of Miami. The hackers got in last April by stealing a vendor's password, elevated their access using a zero-day vulnerability in Windows to gain admin rights, and were then able to move through Home Depot's systems during daytime hours and over to the company's point-of-sale systems, according to people briefed on the investigation.

The report claims that Microsoft did issue a security patch after the breach began, and Home Depot installed it, but the fix arrived too late. How did they get in? Here is our thinking (continued at the KnowBe4 Blog):
http://blog.knowbe4.com/bid/399706/Home-Depot-Hackers-Also-Steal-53-Million-Email-Addresses

Despite Skeptics, Security Awareness Training for Employees is Booming

This article is fabulous ammo to get budget for end-user education. It covers Gartner's first-ever "Magic Quadrant for Security Awareness Computer-Based Training Vendors", and why enterprises are rapidly rolling this out. Send a link to your C-suite executives.

I'm happy to report that KnowBe4 made it into the World's Top 20 Awareness Training companies! Note that quite a few of the players in the Magic Quadrant are from other countries and we do not see much of them here in America, so in reality that puts KnowBe4 in the U.S. Top 10. Not too shabby :-D

Brandan Blevins, a writer at TechTarget, summed it up rather nicely: "Employee security awareness training has been derided in the past, but new Gartner research suggests that a market of competitive, high-quality vendors are making security awareness a must-have."

He went on to say: "Enterprise security awareness training for employees has long been considered a compliance-checkbox activity, but not necessarily an effective tactic for protecting corporate assets.

"However, amid what has become a large and competitive market full of quality security awareness training products, one expert says that enterprise security managers should rethink their attitudes toward user awareness training."

"With thousands of security awareness training vendors in the market, and nearly 20 making Gartner's Magic Quadrant, enterprises may be left asking which is the best. Despite labeling certain vendors as "leaders" or "visionaries" for the Gartner report, Walls emphasized that there is no "best vendor" when it comes to training, only the right vendor for specific circumstances."

We agree. Especially when you start to compare pricing. Here is the article:
http://searchsecurity.techtarget.com/news/2240234092/Despite-skeptics-security-awareness-training-for-employees-is-booming

Link to the Gartner $1,995 USD report here:
https://www.gartner.com/doc/2871817?ref=unauthreader&srcId=1-3478922225

Quotes of the Week

"The greater danger for most of us lies not in setting our aim too high and falling short; but in setting our aim too low, and achieving our mark." - Michelangelo

"The game isn't big enough unless it scares you a little." - Commander William T. Riker, Star Trek, The Next Generation

Thanks for reading CyberheistNews! Warm Regards, Stu Sjouwerman | Email me: feedback@knowbe4.com
PCI DSS 3.0 Compliant in Half the Time at Half the Cost

It's time to get and stay PCI DSS 3.0 compliant.

Now that the new 3.0 standard goes into effect, it's a great time to start using a new tool that will save you half the time and half the cost of becoming compliant: KnowBe4 Compliance Manager 2015.

It comes with a pre-made PCI DSS 3.0 template that you can immediately use to get compliant and maintain compliance in a business-as-usual process.

Escape from Excel-hell!

Most organizations track PCI compliance using spreadsheets, MS-Word, or proprietary self-maintained software. This is inefficient, error prone, costly, and a risk in itself. Get and stay PCI DSS 3.0 compliant in half the time and at half the cost with KnowBe4 Compliance Manager™.

Get a short, live web-demo, and we will show you how easy and affordable this is!
http://info.knowbe4.com/_kcm_pci_30-14-11-04-0

Google: "Best Phishing Scams Have a 45-Percent Success Rate"

You would think phishing scams are relatively easy to spot: an email that doesn't look quite right, with a dodgy URL -- who's going to click on that? Well, more people than you think. According to a new study Google did with the University of California, San Diego (UCSD), the most effective criminal phishing sites capture data from a whopping 45% of the people who visit them.

Even the least convincing sites still got information from three percent of their visitors. When you know the bad guys send these campaigns to millions of addresses, three percent still pays off.

The study reported that most of these scammers operate out of China, the Ivory Coast, Malaysia, Nigeria and South Africa, and that they work at Internet speed: twenty percent of accounts were compromised within 30 minutes of the victim handing over their credentials.

The hijacked accounts then fuel the criminal cycle: the attackers email everyone in the account's contact list and either try to scam them into a bank transfer or simply send links that social engineer yet more people.

Google said the best way to protect yourself is to use two-factor authentication on all your accounts and to stay alert. STOP, LOOK, THINK before you give out personal information, and never reply to these emails. Here is a link to the new study from Google and the University of California, San Diego:
http://services.google.com/fh/files/blogs/google_hijacking_study_2014.pdf

Survey: Cybersecurity Priorities Shift to Insider Threats

A survey of federal IT managers in both the civilian and defense sectors showed a shift in cybersecurity concerns from outside actors to insider threats and a focus on the need to educate employees.

The survey — commissioned by the Fort Meade Alliance and conducted by Market Connections, Inc. — posed five questions to 200 federal IT decision-makers about the biggest challenges and opportunities they saw in the cybersecurity realm.

One quote is noteworthy: "Cyber security awareness training can help solve many of the challenges we face with protecting information technology assets and our government's most sensitive information and mission-critical systems," said Deon Viergutz, president of Ft. Meade Alliance and director of cyber operations for Lockheed Martin Information Systems and Global Solutions. Full article:
http://www.federaltimes.com/article/20141103/FEDIT03/311030016/Survey-Cybersecurity-priorities-shift-insider-threats

A similar message was given to the House of Lords in the UK, where Hugh Boyes, a cyber security expert at the Institution of Engineering and Technology (IET) told a House of Lords committee that a basic level of security knowledge among employees is critical in the modern business world.

A reliance on a small number of professional security staff is insufficient and cannot provide the level of assurance and security that the modern company requires, he said. Giving evidence to the House of Lords Digital Skills Committee, he said:

"With the increasing use of computer-based and digital technologies in all aspects of our lives, engineers and technicians need to have a general understanding of cyber security principles.

This is essential if we are to improve the security and resilience of our systems. Most modern companies require all their staff to complete basic health and safety training and promote a workplace safety culture; cyber security should be approached in a similar way. It is the responsibility of anyone using computer-based and digital technologies and cannot be left to a relatively small number of specialists."

Methinks he has a point. Link to article:
http://www.security-faqs.com/security-awareness-should-be-as-common-as-health-and-safety-training-house-of-lords-committee-told.html?

Debate: Should You Pay a Cyber Ransom?

Industry experts debate whether organizations should pay a cyber ransom to miscreants. The discussion is between Jeff Bardin, chief intelligence officer at Treadstone 71, and Dave Chronister, founder of Parameter Security, from the November 2014 issue of SC Magazine. Obviously, I think that if your backup fails and you stand to lose days, weeks or more of your data, paying $500 is a no-brainer. But use that crisis to your advantage and get your best practices in place in a great big hurry:
http://www.scmagazine.com/debate-should-you-pay-a-cyber-ransom/article/377745/

Post Breach: Prioritizing Cyber Spending

Great article from Data Breach Today (isn't it sad that there IS a whole website like that to start with?). The subtitle is "How to avoid wasteful security investments", and it goes on with:

"Before allocating funding for cybersecurity initiatives, organizations should conduct risk assessments to pinpoint security gaps. Potential spending priorities in the current environment, experts say, include ramping up breach detection measures, improving employee security awareness and training and taking steps to devalue sensitive data, such as through encryption." More:
http://www.databreachtoday.com/post-breach-prioritizing-cyber-spending-a-7525?

SANS Announces the November OUCH! Issue

"We are excited to announce the November issue of OUCH! This month, led by Guest Editor Alissa Torres, we cover Social Engineering. Specifically, we explain what it is, how cyber attackers use social engineering to get what they want and the different ways people can detect it. Ultimately, we want people to understand that technology alone cannot protect them; that in many ways, people are their own best defense. As always, we encourage you to download and share OUCH! with others." English Version (PDF)
http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201411_en.pdf

Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

Super Fave: You have never seen Earth like THIS. A beautiful recording by NASA of planet Earth from July 16 - 23, 2005, when a category-4 typhoon developed off the coast of China:
http://www.flixxy.com/our-planet-is-like-a-living-organism.htm?utm_source=4

Off-Road Racing Champion RJ Anderson does some amazing stunts in a one-of-a-kind heavily modified Utility Terrain Vehicle. That must be such a rush!
http://www.flixxy.com/utility-terrain-vehicle-stunt-driving.htm?utm_source=4

Amazing Circle Illusion. You see the balls rotate in a circle, but if you focus on one ball at a time you will notice that each ball moves in a straight line:
http://www.flixxy.com/amazing-circle-illusion.htm

Talking about circles, learn this simple technique to help you draw a near perfect circle freehand:
http://www.flixxy.com/how-to-draw-a-perfect-circle.htm

And here is another fabulous display of skill. Murano glass has been a famous product of Venice for centuries. This guy makes a horse in three minutes:
http://www.flixxy.com/venice-murano-glass-blower-makes-horse-figurine-in-2-minutes.htm?utm_source=4

Watch a feather and a bowling ball drop at the exact same speed in the largest vacuum chamber in the world, done by the BBC:
http://www.flixxy.com/what-falls-faster-a-feather-or-a-bowling-ball.htm?utm_source=4

The Quadrofoil Q2S hydrofoil electric watercraft is available for pre-order now, with the Q2A version costing significantly less at $18,700; both are due to ship in March 2015. The video link below shows the Quadrofoil PWC on a Slovenian lake. I want one:
http://youtu.be/ooAAnZIgj8o

A stray dog decides to join a televised bicycle race in Italy - outpacing the pro cyclists riding at a speed of over 25 miles per hour (40 km/h):
http://www.flixxy.com/dog-leads-bicycle-race-in-italy.htm?utm_source=4

James May drives and flies the Aerocar, a roadable aircraft, designed and built in the 1950s. Funny. And technology has improved dramatically over these 50 years, check out the next two Faves:
http://www.flixxy.com/1956-aerocar-drive-and-fly-by-top-gear-james-may.htm?utm_source=4

Tesla Model S achieves Euro NCAP 5 Star safety rating, sorry to see it being wrecked this way, but it's pretty sturdy!
https://www.youtube.com/watch?v=7uhhYKJWEBw

And, the world's fastest sedan is no longer from Germany but from Palo Alto, CA. Auf Wiedersehen, BMW, Mercedes and Audi! Motor Trend Reviews Tesla P85D, drools & froths uncontrollably:
http://www.motortrend.com/roadtests/alternative/1411_2015_tesla_model_s_p85d_first_test/

73,000 security cameras viewable online due to use of default passwords. Now there's a good reason to double-check if you changed the defaults!
http://www.networkworld.com/article/2844283/microsoft-subnet/peeping-into-73-000-unsecured-security-cameras-thanks-to-default-passwords.html

Taylor Swift's 'Shake It Off' fits almost too perfectly with aerobic dance video from 1989. Sits over at the huffpost site, but may be taken down because of copyright problems. If so, this is a riot worth googling for:
http://www.huffingtonpost.com/2014/11/06/shake-it-off-1989-aerobic-video_n_6116400.html?cps=gravity