How The NSA Killed Internet Security in 1978 & Scam Of The Week
Need to get ammo for your IT security budget, but the people holding the purse strings lack some understanding? Here is a great little article that gives them 5-minute Cliff Notes on Internet Security in (mostly) understandable terms:
"The Internet grew from the work of many people over several decades. Few predicted how essential it would become to our lives or the ways that it would make us more vulnerable to scam artists, snoops and spies. Here are some of the milestones in the development of our insecure online world."
Scam Of The Week: "Your Data Was Hacked, How To Protect Yourself"
It is all over the news, the 4-million Federal Employee OPM database was hacked and lots of employee information leaked to probably the Chinese. This weekend on CNN they said that in the coming few days all Fed employees will receive an email something like: "You've been hacked, here's what you need to do to protect yourself."
The press has a tendency to jump to the "who" but it is more interesting to focus on the how and why. The real issue here is how the attackers penetrated the OPM again, just after a major data breach a year ago. The focus on this recent breach should be how come they did not fix an apparently systemic problem, and it is my prediction that they were hacked with a spear-phishing attack with by zero-day malware as a payload, which could have been prevented with effective security awareness training.
Also in the news this week, it came out that in 2012 the NSA was granted the authority to conduct surveillance on US Internet traffic without a warrant to investigate foreign cyber attacks. The documents indicate that the NSA pursued attackers even if there was no proof that the attacks originated outside the US. So we have the "guvmint" hoovering up massive amounts of data, and not protecting that data very well. Recipe for disaster?
Having said that, many people work (or used to work) for all kinds of government institutions, and will not know if their data was in that database or not. Sometimes they will have family members working for either local, county or state government and will be worried that their data is exposed too. This is a phishing bonanza and I'm willing to bet a hundred bucks that the cyber mafia is already working on campaigns to exploit this fear.
I would email your employees, family and friends something to this extent. Edit if you want:
"It's all over the news, again. A large database with information of Federal employees has been hacked and millions of employee records are now out there. Cyber criminals are going to use this hack to scare you into clicking on phishing emails and infect your computer with malware or manipulate you into giving out personal information.
"If you receive an email that claims your personal information has been hacked, and that you need to click on links or open attachments to find out how to protect yourself, be very careful. Do not click on links, do not open attachments, and if there is a reference to a website with more information, type the web address in your browser, and do not click on any links."
For KnowBe4 customers, inoculate your employees before they get hit, at the house or in the office. Send them this new template from the Current Events campaign: "Federal Database Breach - Action Required"
Top 5 Phishing Templates CTR This Month
Our almost 1,500 enterprise accounts are sending many thousands of simulated phishing attacks to their employees every month. We thought it would be interesting to let you know which ones have the highest Click Through Rates (CTR) for the last 30 days:
Change Of Password Required Immediately - 16.49%
Email Account Updates - 9.92%
Low Balance Alert On Primary Savings - 7.59%
Your Friend Tagged a Photo of You - 7.49%
Join my network on LinkedIn - 7.45%
And the recent Current Events template: "Hey, has your Adult Friend Finder Secret come out?" was clicked on 3.4% of the time. Draw your own conclusions about what that means.
Quotes Of The Week
" Happiness resides not in possessions, and not in gold, happiness dwells in the soul." - Democritus, Philosopher
" To change things, don't try to fight the existing reality. Build a new model that makes the old model obsolete" - Buckminster Fuller
Thanks for reading CyberheistNews!
Accept Credit Cards? Your Liability Will Shift: Oct. Deadline
Heads-Up! If your organization accepts cards from customers, the liability for card-present fraud shifts to your bottom line this October, not the bank's. This is a very important change that 42% of C-level execs are not aware of, but may cost them dearly.
Phishers Registered More Malicious Domain Names Than Ever in 2014
In its Global Phishing Survey: Trends and Domain Name Use in 2H2014 report, the APWG found that the number of domain names used for phishing reached a record number. According to the report, there were at least 123,972 unique phishing attacks worldwide during the final half of last year, and those attacks occurred on 95,321 unique domain names. That represents the most the APWG has ever seen during a half-year period.
Make Sure To Check Your Vendors’ Cyber Security Practices
A weak link in many cyber security plans is the outside companies that help you run your businesses, such as all kinds of Managed Service and Cloud Providers. Your organization wants to focus on delivering great service to your customers, so your vendors’ cyber security practices are often not top of mind.
46 percent of organizations that have suffered a data breach took more than four months to detect a problem, and more than three months to mitigate the risk. Worryingly, the survey of 1,000 IT professionals, conducted by OnePoll on behalf of LogRhythm, also revealed that 70 percent of breaches were detected by a third-party, rather than the organization itself.
Ross Brewer, vice president and managing director for international markets at LogRhythm said: “While the maturity of an organization's security can vary dependent on budgets and its own risk tolerances, today’s threat landscape is such that if a hacker wants to get in, they will, which means every single organization should seriously consider putting systems in place that will immediately alert them to suspicious activity.”
“What’s more, even the most bare-bones business needs to take greater responsibility for educating employees,” continues Brewer. “As the front-line of any business there is the very real danger that, without increased education, an employee could easily and unwittingly leave the door to sensitive information wide open. Read more about the survey at: http://www.net-security.org/secworld.php?id=18475
Study Shows Kids' Willingness To Meet People They Interact With Online
Danielle Walker at SCMag wrote about an issue that you can do something about.
In the survey, 27 percent of kids aged 8 to 16 said they would meet, or have met, someone in person they first interacted with online. The study, commissioned by Intel Security, surveyed 1,001 young people, aged 8 to 16, and a matching number of parents in the U.S. The online poll was conducted from April 28 to May 12 by MSI International.
While a significant number of kids were OK with meeting individuals from online, the survey revealed that 28 percent of parents were most concerned about their children “unknowingly interacting with predators/pedophiles.” Furthermore, 21 percent of parents feared that their children might interact with any strangers online, an Intel Security release detailing the findings said.
And here is what you can do about it right now. SANS just announced their June issue of OUCH!: "This month, led by Guest Editor Bob Rudis of Verizon DBIR fame, we focus on kids -specifically, educating kids on cyber safety. We feel this is an important message and one we want to share with the world. You are encouraged to share OUCH! newsletters with anyone you want, including family, friends or as part of your security awareness program. All we request is you do not modify or sell the newsletters." Send it out to anyone you know with kids! English Version (PDF) http://www.securingthehuman.org/u/4TS
Cyberheist 'FAVE' LINKS:
This Week's Links We Like. Tips, Hints And Fun Stuff.