|
|
KnowBe4 Got A CEO Fraud Phishing Attack. Wrong Mark!
KnowBe4 has been warning against "CEO Fraud" emails for a few months now, the FBI also calls them "Business Email Compromise" (BEC). I had been hoping we would get one of these ourselves, and lo and behold, we received one of these phishing schemes ourselves last week.
It was spoofed "from our CTO" Alin Irimie to our Financial Controller Alanna Cormier. The whole story is blow-by-blow on our blog with all the screen shots. Find out what we did with that hacker! Enjoy: https://blog.knowbe4.com/knowbe4-got-a-ceo-fraud-phishing-attack.-wrong-mark
|
The Meaning Of The U.S. and China Hacking Agreement
Last Friday, after years of data breaches by Chinese hackers, many months of negotiations and occasional threats from the White House, while China's President Xi was in DC, the U.S. and China announced an agreement not to launch or support cyberattacks that steal corporate records for economic benefit.
But what does that really mean? China is famous for paying lip service and in the meantime do what it wants to. How is this going to be enforced? Also, China already has most of the data it set out to get, so it's easy to agree to something like this.
Mr. Obama said progress has been made through the talks with Mr. Xi but added that U.S. officials would be monitoring closely to see if Chinese officials stop the attacks. “The question now is: ‘Are words followed by actions?’ And we will be watching carefully to make an assessment,” he said.
Well, apart from the thousands in the Chinese Cyberarmy, hacking in China is a grass-roots kind of thing that works bottom-up. There are hundreds of hacking groups supported by local governments. This is not an easy thing to stamp out because if you try to suppress it, they will go underground and work for cyber crime instead of the government.
This agreement simply is hard to enforce. From the data that is known at the moment, it looks like that the U.S. will have to:
- Prove there’s been a cyber incursion, then
- Correctly attribute its source, next
- Identify what proprietary data was exfiltrated,
- Prove that there was a benefit gained from it, and
- That the stolen information was put to use
Good luck with that. If you are in the Fortune 100, can call Mandiant after a hack has been discovered, and can write a 10 million dollar retainer check I guess this is not entirely impossible, but getting all 5 points above nailed down is really hard. For the rest of us, fuhgeddaboutit. You are still mostly on your own.
|
Bidding for Data Breaches On Criminal Forums
Our friend Brian Krebs reported on more evidence cybercrime has gone pro. "A growing community of private and highly-vetted cybercrime forums is redefining the very meaning of 'targeted attacks.' These bid-and-ask forums match crooks who are looking for access to specific data, resources or systems within major corporations with hired muscle who are up to the task or who already have access to those resources.
What strikes me the most about these forums is the obvious use of spear-phishing attacks, the raw demand for people who know how to map targets for phishing, and the fact that so many people are apparently willing to pay for it. It surprises me how much people are willing to pay for good fraudsters and good social engineering experts who are hooking the bait for phishing.”
New forums like this are notable because they’re changing the face of targeted attacks, building crucial bridges between far-flung opportunistic hackers, hired guns and those wishing to harness those resources."
Maybe this is part of the reason for the massive increase of CEO spoofing attacks. The whole story at Brian's site: http://krebsonsecurity.com/2015/09/bidding-for-breaches-redefining-targeted-attacks/
|
Warm Regards, Stu Sjouwerman
|
"Today was good. Today was fun. Tomorrow is another one." - Dr. Seuss
"Our greatest weakness lies in giving up. The most certain way to succeed is always to try just one more time." - Thomas A. Edison |
Thanks for reading CyberheistNews
|
This Week's Five Most Popular HackBusters Posts
Miami County Pays CryptoWall Ransom To Get 911 Center Back Online
The Miami County Communication Center’s administrative computer network system was compromised with a CryptoWall 3.0 ransomware infection which locked down their 911 emergency center. They paid a 700 dollar Bitcoin ransom to unlock their files.
According to a Miami County Sheriff’s Office report, the county’s technology director Matt Watkins reported the computer virus called CrytoWall 3.0 had locked down the 911 center’s administrative system. In the report, Watkins stated a report with the sheriff’s office was needed in order for the auditor’s office to make the payment. Watkins explained in the report that the only way get the files back was to pay the fee for the fix.
According to the report, the virus was originally sent to the county’s animal shelter in the form of an email attachment. Then the email went to the communication center and was opened by a dispatch supervisor which then activated itself and locked down the center’s files.
Another great reason to step employees through effective security awareness training. Find out how affordable this is for your organization and be pleasantly surprised.
|
The Ten Immutable Laws Of Security Administration Revisited
Casper Manes wrote: Last month, we talked about the Ten Immutable Laws of Security, a fifteen year old set of rules first put forth by Microsoft security researcher (now a Director at Microsoft) Scott Culp.
Culp also wrote a post called “10 Immutable Laws of Security Administration” which, while it doesn’t get quite as much press as the first article does, is no less important for sysadmins of any system to know, and for Infosec professionals to get tattooed on their (…).
Well, let’s just say these are critical for anyone working in Infosec and leave it at that. Let’s look at these ten, they are at the KnowBe4 Blog: https://blog.knowbe4.com/the-ten-immutable-laws-of-security-administration-revisited
|
WEBCAST: Security Awareness Training: Are We Getting Any Better at Organizational and Internet Security?
For the second year in a row, David Monahan, security expert and research director at leading IT analyst firm Enterprise Management Associates (EMA), has delved into the world of security awareness and policy training. His latest research on this topic - with over 600 participating respondents - revealed that a tremendous shift in awareness training programs has taken place, especially across the previously underserved SMB space.
Join David for this informative webinar to understand the reasons for this shift, as well as get other insights into this new research including:
- Training content is becoming more accessible to organizations of all sizes from both a delivery and cost perspective.
- Programs are becoming more effective and have better measurement and management capabilities.
- Due to training, employees are better at recognizing various forms of social engineering.
- Trained personnel recognize that they make better security choices at home as well as at work, further increasing the value of training.
If you’re interested in the security of your organization, you can’t afford to miss this event!
Date: Tuesday, Oct. 6, 2015 Time: 11 a.m. Pacific / 2 p.m. Eastern Duration: 45 minutes http://research.enterprisemanagement.com/security-awareness-training-2015-webinar-knowbe4.html
|
This Week's Links We Like. Tips, Hints And Fun Stuff.
|
|
|
|
|
|