Search This Blog

Wednesday, April 24, 2013

WindowSecurity.com - Monthly Newsletter - April 2013

WindowSecurity.com - Monthly Newsletter - April 2013

Hi Security World,

Welcome to the WindowSecurity.com newsletter by Stu Sjouwerman, Founder of Sunbelt Software & CEO of KnowBe4.com . Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: feedback@windowsecurity.com

Sponsored by:
NetWrix http://url2open.com/oG" target="_blank

=========================================================================

******* EDITOR'S CORNER

* Bank Closings + Mobile Malware = Bad Combination

"After years of growth, banks are pruning their branches" is how
the Wall Street Journal started an article that described how banks
worldwide are shutting down expensive brick & mortar branches. As an
example, U.S. banks shut 2,267 branches in 2012, and another 13,000
branches are expected to close over the next decade.

Where are those customers going? The banks are pushing people to
online (smartphone) banking. Each time a bank customer deposits a
check by snapping a picture on a mobile phone, which saves the bank
$3.88 per transaction compared with a deposit at a teller window.
Closing a whole branch saves a bank $300,000.

You already see where this is going. Cybercrime sees this and thinks:
"Bingo" as Android malware is pretty much ready to take advantage of
this. And if your employee is also using that phone as part of your
Bring Your Own Disaster (BYOD) program, you can see it's a huge
vulnerability and a data breach waiting to happen.
---------------------------

* Quotes Of The Month:

"Rather fail with honor than succeed by fraud." - Sophocles

"Whoever is detected in a shameful fraud is ever after not believed even
if they speak the truth." - Phaedrus

Warm regards,

Stu Sjouwerman
Editor, WindowSecurity News
Email me at feedback@windowsecurity.com
==================================================================

**** SECURITY DETAIL

* Spear Phishing Goes Mobile

Kaspersky Lab has identified a new spear-phishing attack involving a Trojan
designed to target Android devices. Researcher Kurt Baumgartner says
organizations need to be prepared for more mobile malware attacks.

The discovery is part of an emerging trend: spear phishing attacks using
Trojans that can compromise not just mobile devices, but also the PCs
or Macs to which these devices connect, he says.

Baumgartner, a researcher who monitors malware, says mobile device users
should add additional security packages to their devices to protect
them from malicious downloads. "There is a layer of security they
can add to their phones," he explains. You can listen to the full
interview at BankInfoSecurity:
http://www.bankinfosecurity.com/interviews/spear-phishing-goes-mobile-i-1877?
-------------------------

* Scam Of The Week: New Pope Becomes Latest Lure

Bad guys are now using the new Pope Francis as bait in malware, phishing
and spam attacks. There is a drive-by malware campaign that uses a bogus
CNN article to get people to an infected website that, once your user
opens it, infects their workstation with the Blackhole Exploit Kit, the
#1 cybercrime tool to deliver all kinds of malware. Your users need to
look out for email from "CNN Breaking News", Here are the subjects:
- Opinion: Family sued new Pope. Exclusive!
- Opinion: New pope tries to shake off the past
- Opinion: Can New-Pope Benedict be Sued for the Sex Abuse Cases?

Drive-by attacks use a link to an infected Web site instead of including
the malware in the email attachment and have become a popular delivery
mechanism. This latest Pope Francis campaign is part of a wider effort to
use current news events for distributing spam and malware. The bad guys
also use the economic crisis in Cyprus to try to trick people into clicking
on links.

We have a FREE JOB AID for you. It's Kevin Mitnick's 30+ years of first-hand
hacking experience condensed to a single page with 22 Social Engineering Red
Flags. Here is a copy that your users can print and stick on their wall:
https://s3.amazonaws.com/knowbe4.cdn/SocialEngineeringRedFlags.pdf
---------------------------

* IT Pros Stress Levels Slightly Down

The number of IT professionals considering leaving their job due to workplace
stress has declined from 67% last year to 57% in 2013, according to a
recent survey.

That doesn’t mean that life is simple for IT professionals â€" far from it.
Nearly two-thirds (65 percent) of all IT administrators surveyed still
consider their job stressful (down only 4 percent from last year). And
the hours are still long, with nearly one-third of those surveyed working
more than eight hours of overtime each week in order to keep on top of
their workload; the equivalent of working more than 10 weeks a year in
overtime, according to the survey.

Phil Bousfield, GM of IT Operations at GFI Software, who conducted the
second annual IT Administrator Stress Survey, said in a press statement
that the increased importance of IT in the workplace is giving rise to
this feeling of stress. More at the securitybistro site:
http://www.securitybistro.com/blog/?p=6257

======================================================================

***** SECURETOOL BOX

Free Service: Email Exposure Check. Find out which addresses of your
organization are exposed on the Internet and are a phish-attack target:
http://www.knowbe4.com/eec/

Frustrated with gullible end-users causing malware infections? Find out
who the culprits are in 10 minutes. Do this Free Phishing Security Test
on your users:
http://www.knowbe4.com/phishing-security-test/

======================================================================

****** VIEWPOINT â€" YOUR TAKE

Write me! This is the spot for your take on things. Let me know what you think
about Security, tools, and things that need to be improved.
Email me at feedback@windowsecurity.com

======================================================================

****** SECOPS: WHAT YOU NEED TO KNOW

* An Inside Look At Avoiding Cloud Risks

At the speed at which companies and individuals are adopting multiple
cloud platforms, the high level of risk is unavoidable. In this article
we will cover recent events in the UK and Europe, which have exposed
millions of users due to lack of planning and contingency. Article by
Ricky M. Magelhaes at WindowSecurity:
http://www.windowsecurity.com/articles-tutorials/Cloud_computing/inside-look-avoiding-cloud-risks.html
-------------------------

* Dead OS Walking: Win XP Has 12 Months Of Support Left

The Windows XP launch was held in New York City less than two months after
9/11, and within a few weeks Redmond discovered a big security vulnerability
in the 'universal plug and play' (UPnP) code that shipped in XP. This scare
led to their 'Trustworthy Computing' initiative, and eventually they released
XP Service Pack 2 more or less as a redo of the initial release.

Fast forward 10 years. WinXP is still the second largest PC OS, behind Win7,
and that is after three major OS releases since XP launched. It is still
being used on tons of business desktops: a whopping 300 million.

Now, on April 8, 2014 Redmond will cut off support for XP and for good
reason, the OS leaks like a sieve and is very easy to hack. No more support
means no more security updates or tech support. Meaning any 0-day
vulnerability will stay open and no patch will come forth from Redmond.
There could be a 3-rd party market for XP patches coming up, but who wants
to rely on those for a business environment?

The upshot is that now's the time to start planning your migration to at
least Win7. You have one year left, and at that time XP becomes a major
security liability. Time to get going!
--------------------------

* At RSA, Specious Arguments Against Security Awareness

Samantha Manke over at ComputerWorld wrote an interesting article
and instead of the beginning I will give you the end, and you then
decide if you want to read the whole article or not! Here goes:

"Interestingly, in the end, this non-debate debate had another effect on
the audience that I would not have expected. They were asked both at
the beginning and the conclusion of the session whether they thought
security awareness was worthwhile. The first time they were asked, a
very small number of people raised their hands. The second time, after
the debate, the vast majority raised their hands. Who would have expected
a stacked debate to have such an outcome?" Here it is:
http://www.computerworld.com/s/article/9238058/At_RSA_specious_arguments_against_security_awareness?

======================================================================

****** HACKERS’ HAVEN

* How To Keep Your Family Safe Online

When you receive an email from a friend or relative saying they are in trouble
and desperate for your help, most likely you would open the email. This is
just one clever 'social engineering' tactic that cybercriminals use to hack
into your personal home computer. KnowBe4 this week launched the brand new
"Kevin Mitnick Home Internet Security Course," which will help to keep your
family safe online, or the family of your employees.

Today, cybercriminals are not just hacking into companies’ computers to steal
millions of dollars and private information; they are also targeting your home
computerâ€"and succeeding, simply if you click just -once- on a malicious link.

When we asked the employees that did our business security awareness training
what they thought after completing the training, about 80% came back with:
"Wow, I did not know it was that scary out there, I learned a lot", immediately
followed by: "How can I share this with my family?"

So that's why we created a family-friendly security awareness course especially
designed for non-technical consumers which features:

- A browser-based interactive course created in 2013â€"updated to reflect recent
scams;

- 8 sections using real-life case studies that show how someone got in trouble
using the Internet, and what you need to do to stay safe;

- Each section has a live Kevin Mitnick video with security do’s and don’ts,
and each section has a fun "security check" quiz at the end.

The 8 topics the course covers are: Passwords, Giving out Personal Information,
Online Banking, Protecting Children Online, Protecting your Identity, Securing
your Computer and Home Network, Spam viruses and more, and Opening email and
attachmentsâ€"with the latest information on cybercrime in each section.

This course allows all members of your family to do the course, plus send five
invites to friends who can also do the full course. Check out the brand new
Kevin Mitnick Home Internet Security Course site here:
http://home.knowbe4.com/
--------------------------------

* Your Social Network Profiles Are Like Catnip To Cyber Crooks

Dan Tynan interviewed me at the ITworld.com site. He wrote a great article
on March 28 and started off with:

"Could you say no to pictures of adorable kittens? Apparently, you’re not alone.
Nearly half of all people who receive an email containing an image of a cute
cat will automatically open it, according to security training firm PhishMe.
But behind those fallacious felines lies danger â€" or at least, the potential
for it.

The Wall Street Journal’s Geoffrey A. Fowler has a fascinating story today
about how companies are using faux phishing attacks â€" including links to
bogus cat videos -- to teach employees how to handle real ones. Per Fowler:

Many big network breaches begin not with brainy hacker code but with workers
who are tricked by so-called social engineering, which manipulates people into
revealing sensitive information. So companies are trying to get workers to
act badly before the bad guys do.

Interestingly, last week I interviewed the CEO of a company that does just
that. Stu Sjouwerman is CEO of KnowBe4, which trains employees at mostly
small and medium size businesses to detect cyber attacks before they do any
damage. Sjouwerman knows of what he speaks; he’s a founder of security
software firm Sunbelt Software (now called ThreatTrack Security). More:
http://www.itworld.com/it-management/350130/your-social-network-profiles-are-catnip-cyber-crooks?
-------------------------------

* 81% of IT Managers Believe Employees Willfully Ignore Security Rules

Lieberman Software's 2013 Information Security Survey reports the attitudes
and opinions of IT security professionals regarding the behaviors of
end-users, the state of unauthorized privileged access, and the likelihood
of their own organizations withstanding data breaches. Highlights include:

- 81.4% of IT security staff think that staff tend to ignore the rules that IT
departments put in place.

- 75.8% of IT personnel think that employees in their organization have access
to information that they don't necessarily need to perform their jobs.

- 73.3% of respondents would not bet $100 of their own money that their company
won't suffer a data breach in the next six months.

- 64.7% of respondents think that they have more access to sensitive information
than colleagues in other departments.

- 54.7% of those respondents did not report their colleagues who accessed
that information.

- 52.2% of the same respondents believe that staff would not listen more even
if IT directives came from executive management, rather than IT.

- 38.3% of IT security personnel have witnessed a colleague access company
information that he or she should not have access to.

- 32.3% of IT security professionals work in organizations that do not have a
policy to change default passwords when deploying new hardware, applications
and network appliances to the network.

The full report is available at Lieberman's website:
http://www.liebsoft.com/2013_information_security_survey/

======================================================================

***** FAVE LINKS & COOL SITES

---
* This Week's Links We Like. Tips, Hints And Fun Stuff.

Got a 50-minute lunch or dinner break and want to see something really
cool? This documentary called the 'Secret History of HACKING' with Captain
Crunch, Kevin Mitnick and Steve Wozniak is worth your time:
http://www.youtube.com/watch?v=aEo3PfH2ffk

Top Gear's Jeremy Clarkson test drives the Pagani Zonda C12S supercar. Classic:
http://www.flixxy.com/pagani-zonda-supercar-top-gear.htm
---
F-18 display pilot Mike Bryan demonstrates the impressive maneuverability
of the Boeing 787 Dreamliner at the Farnborough International Airshow:
http://www.flixxy.com/what-a-boeing-787-dreamliner-can-do-in-the-hands-of-an-f-18-fighter-pilot.htm
---
Although they are graduates of the renowned Vienna College of Music, "Mnozil
Brass" show that playing music is not just serious business:
http://www.flixxy.com/four-lazy-brass-players-and-one-amazing-multi-tasker.htm
---
Two dogs play "Dueling Banjos," the classic bluegrass song. They are obviously
very talented musicians:
http://www.flixxy.com/dogs-playing-banjos.htm
---
Footage of first F-35B nighttime take off and landing tests looks like
something straight out of a sci-fi movie:
http://www.flixxy.com/f-35b-vertical-landing-at-night.htm
---
Creative Home Engineering can build Hollywood-style secret passages for your
home or office:
http://www.flixxy.com/hidden-secret-passages-for-your-home.htm
---
Hyperlapse - a technique combining time-lapse and sweeping camera movements -
created by using Google Street View photos:
http://www.flixxy.com/google-street-view-hyperlapse.htm
---
Pentagon’s Humanoid Disaster-Rescue Robot Is Dressed to Impress:
http://www.wired.com/dangerroom/2013/04/petman-dressed/?cid=co6981744


WindowSecurity.com Sections
-----------------------------------------------------------------
- Articles & Tutorials (http://www.windowsecurity.com/articles-tutorials/)
- Products (http://www.windowsecurity.com/software/)
- Reviews (http://www.windowsecurity.com/articles-tutorials/Product_Reviews/)
- Free Tools (http://www.windowsecurity.com/software/Free-Tools/)
- Blogs (http://www.windowsecurity.com/blogs/)
- Forums (http://forums.windowsecurity.com/)
- White Papers (http://www.windowsecurity.com/white-papers/)
- Contact Us (http://www.windowsecurity.com/pages/contact-us.html)



Techgenix Sites
-----------------------------------------------------------------
- MSExchange.org (http://www.msexchange.org/)
- WindowsNetworking.com (http://www.windowsnetworking.com/)
- VirtualizationAdmin.com (http://www.virtualizationadmin.com/)
- ISAserver.org (http://www.isaserver.org/)
- MSPanswers.com (http://www.mspanswers.com/)
- WServerNews.com (http://www.wservernews.com/)


--
Visit the Subscription Management (http://www.techgenix.com/newsletter/) section to unsubscribe.
WindowSecurity.com is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@WindowSecurity.com
Copyright WindowSecurity.com 2013. All rights reserved.

No comments: