CyberheistNews Vol 7 #23
Vladimir Putin Approves of "Patriotic Russian Hackers"
The WSJ just posted a very interesting article by Nathan Hodge confirming what we have been saying here for the last few years.
Russian President Vladimir Putin suggested in St Petersburg that what he called "patriotic Russian hackers" could have been behind cyberattacks that have soured relations with the U.S. and other countries, adding fresh nuance to his denials that the Russian state was involved.
“If they [hackers] are feeling patriotic they will start contributing, as they believe, to the justified fight against those speaking ill of Russia. Is that possible? In theory, yes. At the government level, we never engage in this,” Putin told international media at an investment conference."
Putin is changing his story about Russian cybercrime
Russian officials up to now have consistently denied being behind any interference with elections in America or European countries. The WSJ said that "Putin's suggestion that Russian hackers may have played a freelance role in election hacking—and his clear implication that such efforts were “justified”—appears to mark a change of narrative for the Kremlin." That is putting it mildly.
This change in narrative is basically freely admitting that criminal hackers are one of Russia's admitted points of leverage in what Putin feels their asymmetrical cold war against America; the attitude of "anything goes when my defense budget is 10% of that of my adversary."
Putin provides air cover for Russian organized cyber crime while they are on their ransomware attack campaigns, as long as they help him shut down a power plant of a former Soviet satellite state or help hack elections with sophisticated phishing attacks.
Email Becomes the Weapon of Choice
Symantec's 2017 Internet Security Threat Report (ISTR) detailed that email has become a dangerous and efficient threat to users: one in 131 emails contained malware, the highest rate in five years. And Business Email Compromise (BEC) scams, relying on spear-phishing emails, targeted over 400 businesses every day, draining 3 billion dollars over the last three years.
I suggest you send this WSJ link to your C-level execs:
https://www.wsj.com/article_email/putin-says-anti-russian-sentiment-is-counterproductive-1496318628-lMyQjAxMTE3MDA2MjYwOTIzWj/
The WSJ just posted a very interesting article by Nathan Hodge confirming what we have been saying here for the last few years.
Russian President Vladimir Putin suggested in St Petersburg that what he called "patriotic Russian hackers" could have been behind cyberattacks that have soured relations with the U.S. and other countries, adding fresh nuance to his denials that the Russian state was involved.
“If they [hackers] are feeling patriotic they will start contributing, as they believe, to the justified fight against those speaking ill of Russia. Is that possible? In theory, yes. At the government level, we never engage in this,” Putin told international media at an investment conference."
Putin is changing his story about Russian cybercrime
Russian officials up to now have consistently denied being behind any interference with elections in America or European countries. The WSJ said that "Putin's suggestion that Russian hackers may have played a freelance role in election hacking—and his clear implication that such efforts were “justified”—appears to mark a change of narrative for the Kremlin." That is putting it mildly.
This change in narrative is basically freely admitting that criminal hackers are one of Russia's admitted points of leverage in what Putin feels their asymmetrical cold war against America; the attitude of "anything goes when my defense budget is 10% of that of my adversary."
Putin provides air cover for Russian organized cyber crime while they are on their ransomware attack campaigns, as long as they help him shut down a power plant of a former Soviet satellite state or help hack elections with sophisticated phishing attacks.
Email Becomes the Weapon of Choice
Symantec's 2017 Internet Security Threat Report (ISTR) detailed that email has become a dangerous and efficient threat to users: one in 131 emails contained malware, the highest rate in five years. And Business Email Compromise (BEC) scams, relying on spear-phishing emails, targeted over 400 businesses every day, draining 3 billion dollars over the last three years.
I suggest you send this WSJ link to your C-level execs:
https://www.wsj.com/article_email/putin-says-anti-russian-sentiment-is-counterproductive-1496318628-lMyQjAxMTE3MDA2MjYwOTIzWj/
Scam of the Week: DMV Warns Drivers About Traffic Ticket Phishing
Online reporter Doug Olenick at SC Media was the first to point to a press release from the NY State Department of Motor Vehicles warning about a phishing scam where New York drivers are being targeted, stating they have 48 hours to pay a fine or have their driver's license revoked. This may happen in your state as well, so this is your heads-up.
The NY DMV alerted motorists that the scam is just bait to entice them to click on a “payment” link that will in turn infect their workstation with malware. The DMV does not know how many people have been affected, but Owen McShane, director of investigations at New York State DMV, said calls came in from New York City, Albany and Syracuse.
Olenick was able to get a bit more detail: "The malware being dropped came in two categories. The first simply placed a tracking tool on the victim's computer to see what websites were visited; and the second, more nefarious, attempted to acquire a variety of personally identifiable information, such as names, Social Security numbers, date of birth and credit card information."
There are several social engineering red flags that show the email is a scam. The supplied links lead to sites without an ny.gov URL, tied to the fact that the state would never make such a request. Here is what the phishing email looks like:
https://blog.knowbe4.com/scam-of-the-week-dmv-warns-drivers-about-traffic-ticket-phishing
“The Department of Motor Vehicles does not send emails urging motorists to pay traffic tickets within 48 hours or lose your license,” said Terri Egan, DMV deputy executive commissioner, in a statement.
McShane noted that this scam is similar to one that hit the state about 18 months ago. The DMV, he said, is often used as bait in phishing attacks. Most previous attacks only lasted for 24 to 48 hours and this attack seems to have wrapped up too at this point, he added. This means that the bad guys may have moved on to other states with this attack, so...
I suggest you send employees, friends and family an email about this Scam of the Week, you're welcome to copy/paste/edit:
"Here is a reminder that you need to be alert for fake emails that look like they come from your local police or State Dept of Motor Vehicles (DMV) claiming you have a traffic violation. At the moment, there is a local scam in New York that falsely states you have outstanding violations you need to either pay for or refute, and if you don't your license will be revoked.
This scam may spread to the rest of America soon. Remember that citations are never emailed with links in them, or sent out with an email attachment, and report scams like this to your local police department."
Obviously, an end-user who was trained to spot social engineering red flags like this would have thought before they clicked.
Here is a free job-aid for all your employees. It's a PDF you can print which they can pin on their wall:
https://cdn2.hubspot.net/hubfs/241394/Knowbe4-May2015-PDF/SocialEngineeringRedFlags.pdf
Online reporter Doug Olenick at SC Media was the first to point to a press release from the NY State Department of Motor Vehicles warning about a phishing scam where New York drivers are being targeted, stating they have 48 hours to pay a fine or have their driver's license revoked. This may happen in your state as well, so this is your heads-up.
The NY DMV alerted motorists that the scam is just bait to entice them to click on a “payment” link that will in turn infect their workstation with malware. The DMV does not know how many people have been affected, but Owen McShane, director of investigations at New York State DMV, said calls came in from New York City, Albany and Syracuse.
Olenick was able to get a bit more detail: "The malware being dropped came in two categories. The first simply placed a tracking tool on the victim's computer to see what websites were visited; and the second, more nefarious, attempted to acquire a variety of personally identifiable information, such as names, Social Security numbers, date of birth and credit card information."
There are several social engineering red flags that show the email is a scam. The supplied links lead to sites without an ny.gov URL, tied to the fact that the state would never make such a request. Here is what the phishing email looks like:
https://blog.knowbe4.com/scam-of-the-week-dmv-warns-drivers-about-traffic-ticket-phishing
“The Department of Motor Vehicles does not send emails urging motorists to pay traffic tickets within 48 hours or lose your license,” said Terri Egan, DMV deputy executive commissioner, in a statement.
McShane noted that this scam is similar to one that hit the state about 18 months ago. The DMV, he said, is often used as bait in phishing attacks. Most previous attacks only lasted for 24 to 48 hours and this attack seems to have wrapped up too at this point, he added. This means that the bad guys may have moved on to other states with this attack, so...
I suggest you send employees, friends and family an email about this Scam of the Week, you're welcome to copy/paste/edit:
"Here is a reminder that you need to be alert for fake emails that look like they come from your local police or State Dept of Motor Vehicles (DMV) claiming you have a traffic violation. At the moment, there is a local scam in New York that falsely states you have outstanding violations you need to either pay for or refute, and if you don't your license will be revoked.
This scam may spread to the rest of America soon. Remember that citations are never emailed with links in them, or sent out with an email attachment, and report scams like this to your local police department."
Obviously, an end-user who was trained to spot social engineering red flags like this would have thought before they clicked.
Here is a free job-aid for all your employees. It's a PDF you can print which they can pin on their wall:
https://cdn2.hubspot.net/hubfs/241394/Knowbe4-May2015-PDF/SocialEngineeringRedFlags.pdf
Should You Hack Back? Not So Fast. I was interviewed by Bloomberg
Daniel Stoller at Bloomberg interviewed me about the pros and cons of "hacking back":
"Companies facing cyberattacks may not have to resist the temptation to strike back to identify their adversaries if some businesses and federal lawmakers get their way. But some cybersecurity pros are concerned that loosing companies on their online enemies may be counterproductive.
As it stands now, a company can’t legally direct its internal cybersecurity teams to hack back by intruding into other computer networks to track down cybercriminals. The Computer Fraud and Abuse Act and analogous state laws prohibit such intrusions.
Whether to amend the laws to allow hacking back isn’t a new debate, but it has gained traction again due to large-scale cyberattacks, such as the WannaCry ransomware strike that affected over 300,000 computers in at least 153 countries.
Read here why I think that hacking back is a very unsmart move:
https://www.bna.com/vigilante-cybersecurity-hacking-n73014451714/
Daniel Stoller at Bloomberg interviewed me about the pros and cons of "hacking back":
"Companies facing cyberattacks may not have to resist the temptation to strike back to identify their adversaries if some businesses and federal lawmakers get their way. But some cybersecurity pros are concerned that loosing companies on their online enemies may be counterproductive.
As it stands now, a company can’t legally direct its internal cybersecurity teams to hack back by intruding into other computer networks to track down cybercriminals. The Computer Fraud and Abuse Act and analogous state laws prohibit such intrusions.
Whether to amend the laws to allow hacking back isn’t a new debate, but it has gained traction again due to large-scale cyberattacks, such as the WannaCry ransomware strike that affected over 300,000 computers in at least 153 countries.
Read here why I think that hacking back is a very unsmart move:
https://www.bna.com/vigilante-cybersecurity-hacking-n73014451714/
Have We Reached "Peak Ransomware"?
There was an article with the title: "Don’t panic: We’ve reached ‘peak ransomware’" in a publication called The Memo. They decided to ask an expert: Rik Ferguson, VP of security research at AV company Trend Micro. (He looks a bit like Christopher Lambert from the Highlander movie don't you think?)
He said: " “In a word, it’s huge, it’s huge and has been consistently growing for at least the last three years.”
Oh, I agree with that. But wait. Things quickly get into the twilight zone.
Read the rest of this post at the KnowBe4 Blog:
https://blog.knowbe4.com/have-we-reached-peak-ransomware
There was an article with the title: "Don’t panic: We’ve reached ‘peak ransomware’" in a publication called The Memo. They decided to ask an expert: Rik Ferguson, VP of security research at AV company Trend Micro. (He looks a bit like Christopher Lambert from the Highlander movie don't you think?)
He said: " “In a word, it’s huge, it’s huge and has been consistently growing for at least the last three years.”
Oh, I agree with that. But wait. Things quickly get into the twilight zone.
Read the rest of this post at the KnowBe4 Blog:
https://blog.knowbe4.com/have-we-reached-peak-ransomware
Watch for a chance to WIN: Simulated Phishing and Awareness Training Live Demo
Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school Security Awareness Training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.
Join us on Wednesday, June 14, 2017, at 2:00 p.m. (EDT) for a 30-minute live product demonstration of KnowBe4’s Security Awareness Training and Simulated Phishing Platform.
See the latest features and how easy it is to train and phish your users. Plus, when you attend you'll be entered to win an awesome Nintendo Switch! We will pick 3 winners.(*)
You’ll Learn About:
Register Now: https://attendee.gotowebinar.com/register/4537952052044265473
(*) US and Canada Only Terms and Conditions Apply.
https://www.knowbe4.com/knowbe4-terms-and-conditions-ld-062017
Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school Security Awareness Training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.
Join us on Wednesday, June 14, 2017, at 2:00 p.m. (EDT) for a 30-minute live product demonstration of KnowBe4’s Security Awareness Training and Simulated Phishing Platform.
See the latest features and how easy it is to train and phish your users. Plus, when you attend you'll be entered to win an awesome Nintendo Switch! We will pick 3 winners.(*)
You’ll Learn About:
- Social Engineering Indicators patent-pending technology, turns every simulated phishing email into a tool IT can use to instantly train employees.
- Access to the world's largest library of awareness training content through our innovative Module Store.
- Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
- Active Directory Integration allows you to easily upload, sync and manage users, set-it-and-forget-it.
- Reporting to watch your Phish-prone percentage drop, with great ROI.
Register Now: https://attendee.gotowebinar.com/register/4537952052044265473
(*) US and Canada Only Terms and Conditions Apply.
https://www.knowbe4.com/knowbe4-terms-and-conditions-ld-062017
Warm Regards,
Stu Sjouwerman
Quotes of the Week
"Be yourself. The world worships the original." - Ingrid Bergman - Actress
"Always be a first rate version of yourself and not a second rate version of someone else."
- Judy Garland - Actress
Thanks for reading CyberheistNews
"Always be a first rate version of yourself and not a second rate version of someone else."
- Judy Garland - Actress
Thanks for reading CyberheistNews
Security News
Frequent Employee Training Helps Stave Off Ransomware
Article in Modern Healthcare: "Children's Health receives nearly 28 million emails a month. While about 90% of malicious messages are caught by a sophisticated firewall, some still manage to sneak through.
The Dallas-based health system isn't alone. Getting hit by ransomware seems almost inevitable lately, with thousands of new attacks daily and little hope for relief anytime soon. These attacks are easy and cheap for hackers to deploy, and they can wreak havoc on computer systems, sometimes taking them down completely and holding patients records hostage.
What seems to be a purely technological problem actually isn't, and it's all too easy to lose sight of one very, very important—and analog—factor: people.
Great article if you are in healthcare and need IT security budget:
http://www.modernhealthcare.com/article/20170603/MAGAZINE/170539976/frequent-32-employee-8203-32-training-8203-32-helps-8203-32-stave
Article in Modern Healthcare: "Children's Health receives nearly 28 million emails a month. While about 90% of malicious messages are caught by a sophisticated firewall, some still manage to sneak through.
The Dallas-based health system isn't alone. Getting hit by ransomware seems almost inevitable lately, with thousands of new attacks daily and little hope for relief anytime soon. These attacks are easy and cheap for hackers to deploy, and they can wreak havoc on computer systems, sometimes taking them down completely and holding patients records hostage.
What seems to be a purely technological problem actually isn't, and it's all too easy to lose sight of one very, very important—and analog—factor: people.
Great article if you are in healthcare and need IT security budget:
http://www.modernhealthcare.com/article/20170603/MAGAZINE/170539976/frequent-32-employee-8203-32-training-8203-32-helps-8203-32-stave
Target Cyber Breach Settlement Reflects Emerging Best Practices for Cybersecurity
Last week, Target Corp. reached a record $18.5 million settlement with 47 states and the District of Columbia to end investigations into Target’s data breach in 2013. The settlement highlights the growing list of specific measures that companies are expected to have in place to mitigate the risk of cyber breaches.
This chart lists some of the specific cybersecurity measures required in the 2017 settlement. The significant overlap between the terms of the recent Target settlement, which included 47 Attorneys General, and measures required by the new DFS cybersecurity regulations illustrates the specific measures that appear to be emerging as industry best practices in cybersecurity. PDF created by Law Firm DavisPolk: https://alerts.davispolk.com/10/3014/uploads/2017-05-30-target-corp-cyber-breach-settlement-reflects-emerging-best-practices-for-cybersecurity.pdf
But How Do You Keep Track of These Hundreds of Controls?
Here is a great way to get through audits in half the time and at half the cost. The KnowBe4 Compliance Manager (KCM) simplifies the complexity of getting compliant and eases your burden of staying compliant year-round:
https://www.knowbe4.com/demo_kcm
Last week, Target Corp. reached a record $18.5 million settlement with 47 states and the District of Columbia to end investigations into Target’s data breach in 2013. The settlement highlights the growing list of specific measures that companies are expected to have in place to mitigate the risk of cyber breaches.
This chart lists some of the specific cybersecurity measures required in the 2017 settlement. The significant overlap between the terms of the recent Target settlement, which included 47 Attorneys General, and measures required by the new DFS cybersecurity regulations illustrates the specific measures that appear to be emerging as industry best practices in cybersecurity. PDF created by Law Firm DavisPolk: https://alerts.davispolk.com/10/3014/uploads/2017-05-30-target-corp-cyber-breach-settlement-reflects-emerging-best-practices-for-cybersecurity.pdf
But How Do You Keep Track of These Hundreds of Controls?
Here is a great way to get through audits in half the time and at half the cost. The KnowBe4 Compliance Manager (KCM) simplifies the complexity of getting compliant and eases your burden of staying compliant year-round:
- Quick Implementation with Compliance Templates - Pre-built requirements templates for the most widely used regulations like NIST.
- Enable Users to Get the Job Done - You can assign responsibility for controls to the users who are responsible for maintaining them.
- Dashboards with Automated Reminders - Quickly see what tasks have been completed, not met, and past due. With automated email reminders, your users can stay ahead of any gaps in compliance.
https://www.knowbe4.com/demo_kcm
SANS Ouch! - The Monthly Security Awareness Newsletter for Everyone
SANS said: "We are excited to announce the June issue of OUCH! This month, led by Guest Editor Johannes Ulrich, we discuss the WannaCry ransomware attack. With the recent outbreak of this worm there have been a tremendous number of questions about malware and what people can do to defend themselves. This OUCH newsletter explains what WannaCry is and reinforces the key behaviors that defend against it and other malware attacks. Please share OUCH! with your family, friends, and coworkers."
https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201706_en.pdf
SANS said: "We are excited to announce the June issue of OUCH! This month, led by Guest Editor Johannes Ulrich, we discuss the WannaCry ransomware attack. With the recent outbreak of this worm there have been a tremendous number of questions about malware and what people can do to defend themselves. This OUCH newsletter explains what WannaCry is and reinforces the key behaviors that defend against it and other malware attacks. Please share OUCH! with your family, friends, and coworkers."
https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201706_en.pdf
Powerful New KnowBe4 Feature: Training Notifications Are Here!
We have a powerful new feature that you can use now.
Here is the data about the training notifications and how they work. This feature is for all subscription levels that have training, it is not just for the higher subscription levels.
Automated Notifications
https://blog.knowbe4.com/powerful-new-knowbe4-feature-training-notifications-are-here
We have a powerful new feature that you can use now.
Here is the data about the training notifications and how they work. This feature is for all subscription levels that have training, it is not just for the higher subscription levels.
Automated Notifications
- Added ability to create as many automated notifications as desired
- Added reoccurring notifications (remind incomplete users every XX days to complete training after XX time has passed)
- New notification type for letting users know when training has been completed
- All notifications may now optionally be sent to the user’s manager and/or site administrators
- Enhanced notification template management
- Ability to send notification to specific users
- Ability to bulk notify users based on if they have not logged, not started, not completed, or not accepted a policy
- Users’ Managers and site administrators may also be notified based on user training status
https://blog.knowbe4.com/powerful-new-knowbe4-feature-training-notifications-are-here
Other Interesting News Items This Week
Identity thieves used stolen data 9 minutes after it was posted online:
http://money.cnn.com/2017/05/26/technology/identity-thieves-stolen-data-ftc/index.html
Microsoft Lists Products Using Insecure SMB 1 Protocol:
https://redmondmag.com/articles/2017/06/02/smb-1-use-list.aspx?m=2
Mary Meeker’s 2017 internet trends report: All the slides, plus analysis:
https://www.recode.net/2017/5/31/15693686/mary-meeker-kleiner-perkins-kpcb-slides-internet-trends-code-2017
Cosmetic Surgery Clinic's Photos Released in Cyber Blackmail Attack:
https://www.theguardian.com/technology/2017/may/31/hackers-publish-private-photos-cosmetic-surgery-clinic-bitcoin-ransom-payments
Only half of U.S. firms have cyber insurance, fewer than in U.K., Canada:
https://www.cyberscoop.com/half-u-s-firms-cyber-insurance-fewer-u-k-canada/
Identity thieves used stolen data 9 minutes after it was posted online:
http://money.cnn.com/2017/05/26/technology/identity-thieves-stolen-data-ftc/index.html
Microsoft Lists Products Using Insecure SMB 1 Protocol:
https://redmondmag.com/articles/2017/06/02/smb-1-use-list.aspx?m=2
Mary Meeker’s 2017 internet trends report: All the slides, plus analysis:
https://www.recode.net/2017/5/31/15693686/mary-meeker-kleiner-perkins-kpcb-slides-internet-trends-code-2017
Cosmetic Surgery Clinic's Photos Released in Cyber Blackmail Attack:
https://www.theguardian.com/technology/2017/may/31/hackers-publish-private-photos-cosmetic-surgery-clinic-bitcoin-ransom-payments
Only half of U.S. firms have cyber insurance, fewer than in U.K., Canada:
https://www.cyberscoop.com/half-u-s-firms-cyber-insurance-fewer-u-k-canada/
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
- Female magician Josephine Lee amazes the judges and audience of Britain’s Got Talent 2017 Semi-Final:
http://www.flixxy.com/magic-woman-josephine-lee-britains-got-talent-2017-semi-final.htm?utm_source=4
- Magician Richard Jones, the grand price winner of Britain’s Got Talent 2016, makes a spectacular return as he amazes the judges and audience:
http://www.flixxy.com/magician-richard-jones-britains-got-talent-2017-semi-final.htm?utm_source=4
- Wow @British_Airways really fantastic! Great example of tech used for advertising:
https://twitter.com/juanbuis/status/870960672506597378/photo/1
- Microsoft's Co-Founder Just Revealed the Largest Plane in the World:
https://futurism.com/microsoft-co-founder-just-revealed-the-worlds-largest-plane/ - Watch this talented "cappucino artist" create a piece of art with espresso and steamed milk.
http://www.flixxy.com/cappucino-artist.htm?utm_source=4