- Monthly Newsletter - April 2013

Welcome to the newsletter by Stu Sjouwerman, Founder of Sunbelt Software & CEO of . Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to:

Editor's Corner

Bank Closings + Mobile Malware = Bad Combination

"After years of growth, banks are pruning their branches" is how the Wall Street Journal started an article that described how banks worldwide are shutting down expensive brick & mortar branches. As an example, U.S. banks shut 2,267 branches in 2012, and another 13,000 branches are expected to close over the next decade.

Where are those customers going? The banks are pushing people to online (smartphone) banking. Each time a bank customer deposits a check by snapping a picture on a mobile phone, the bank saves $3.88 per transaction compared with a deposit at a teller window. Closing a whole branch saves a bank $300,000.

You already see where this is going. Cybercrime sees this and thinks: "Bingo" as Android malware is pretty much ready to take advantage of this. And if your employee is also using that phone as part of your Bring Your Own Disaster (BYOD) program, you can see it's a huge vulnerability and a data breach waiting to happen.

Quotes Of The Month

"Rather fail with honor than succeed by fraud." - Sophocles

"Whoever is detected in a shameful fraud is ever after not believed even if they speak the truth." - Phaedrus

Warm regards,

Stu Sjouwerman

Editor, Newsletter
Email me at

Released: Kevin Mitnick Security Awareness Training

Traditional once-a-year Security Awareness Training doesn't hack it anymore. Today, employees are frequently exposed to sophisticated phishing attacks, and your users are now the weak link in your network security. They need to be trained by an expert, and after the training stay on their toes, keeping security top of mind. Click on the orange "Get A Quote" button and find out how affordable this is! More info here.

Busy? Just take 90 seconds and watch this brand new video about the new Kevin Mitnick Security Awareness Training. You'll be glad you did.

Security Detail

Spear Phishing Goes Mobile

Kaspersky Lab has identified a new spear-phishing attack involving a Trojan designed to target Android devices. Researcher Kurt Baumgartner says organizations need to be prepared for more mobile malware attacks.

The discovery is part of an emerging trend: spear phishing attacks using Trojans that can compromise not just mobile devices, but also the PCs or Macs to which these devices connect, he says.

Baumgartner, a researcher who monitors malware, says mobile device users should add additional security packages to their devices to protect them from malicious downloads. "There is a layer of security they can add to their phones," he explains. You can listen to the full interview at BankInfoSecurity.

Scam Of The Week: New Pope Becomes Latest Lure

Bad guys are now using the new Pope Francis as bait in malware, phishing and spam attacks. There is a drive-by malware campaign that uses a bogus CNN article to lure people to an infected website which, once your user opens it, infects their workstation via the Blackhole Exploit Kit, the #1 cybercrime tool for delivering all kinds of malware. Your users need to look out for email from "CNN Breaking News". Here are the subjects:

  • Opinion: Family sued new Pope. Exclusive!
  • Opinion: New pope tries to shake off the past
  • Opinion: Can New-Pope Benedict be Sued for the Sex Abuse Cases?

Drive-by attacks use a link to an infected Web site instead of including the malware as an email attachment, and they have become a popular delivery mechanism. This latest Pope Francis campaign is part of a wider effort to use current news events for distributing spam and malware. The bad guys are also using the economic crisis in Cyprus to try to trick people into clicking on links.

We have a FREE JOB AID for you. It's Kevin Mitnick's 30+ years of first-hand hacking experience condensed to a single page with 22 Social Engineering Red Flags. Here is a copy that your users can print and stick on their wall.

IT Pros Stress Levels Slightly Down

The number of IT professionals considering leaving their job due to workplace stress has declined from 67% last year to 57% in 2013, according to a recent survey.

That doesn’t mean that life is simple for IT professionals — far from it. Nearly two-thirds (65 percent) of all IT administrators surveyed still consider their job stressful (down only 4 percent from last year). And the hours are still long, with nearly one-third of those surveyed working more than eight hours of overtime each week in order to keep on top of their workload; the equivalent of working more than 10 weeks a year in overtime, according to the survey.

Phil Bousfield, GM of IT Operations at GFI Software, who conducted the second annual IT Administrator Stress Survey, said in a press statement that the increased importance of IT in the workplace is giving rise to this feeling of stress. More at the securitybistro site.


ViewPoint - Your Take

Write me! This is the spot for your take on things. Let me know what you think about Security, tools, and things that need to be improved. Email me at 

SecOps: What You Need To Know

An Inside Look At Avoiding Cloud Risks

At the speed at which companies and individuals are adopting multiple cloud platforms, the high level of risk is unavoidable. In this article we will cover recent events in the UK and Europe, which have exposed millions of users due to lack of planning and contingency. Article by Ricky M. Magalhaes at WindowSecurity.

Dead OS Walking: Win XP Has 12 Months Of Support Left

The Windows XP launch was held in New York City less than two months after 9/11, and within a few weeks Redmond discovered a big security vulnerability in the 'universal plug and play' (UPnP) code that shipped in XP. This scare led to their 'Trustworthy Computing' initiative, and eventually they released XP Service Pack 2 more or less as a redo of the initial release.

Fast forward 10 years. WinXP is still the second largest PC OS, behind Win7, and that is after three major OS releases since XP launched. It is still being used on tons of business desktops: a whopping 300 million.

Now, on April 8, 2014 Redmond will cut off support for XP, and for good reason: the OS leaks like a sieve and is very easy to hack. No more support means no more security updates or tech support, meaning any 0-day vulnerability will stay open and no patch will come forth from Redmond. There could be a third-party market for XP patches coming up, but who wants to rely on those for a business environment?

The upshot is that now's the time to start planning your migration to at least Win7. You have one year left, and at that time XP becomes a major security liability. Time to get going!

At RSA, Specious Arguments Against Security Awareness

Samantha Manke over at ComputerWorld wrote an interesting article and instead of the beginning I will give you the end, and you then decide if you want to read the whole article or not! Here goes:

"Interestingly, in the end, this non-debate debate had another effect on the audience that I would not have expected. They were asked both at the beginning and the conclusion of the session whether they thought security awareness was worthwhile. The first time they were asked, a very small number of people raised their hands. The second time, after the debate, the vast majority raised their hands. Who would have expected a stacked debate to have such an outcome?"  Here it is.

Hackers’ Haven

How To Keep Your Family Safe Online

When you receive an email from a friend or relative saying they are in trouble and desperate for your help, most likely you would open the email. This is just one clever 'social engineering' tactic that cybercriminals use to hack into your personal home computer. KnowBe4 this week launched the brand new "Kevin Mitnick Home Internet Security Course," which will help to keep your family safe online, or the family of your employees.

Today, cybercriminals are not just hacking into companies’ computers to steal millions of dollars and private information; they are also targeting your home computer—and succeeding if you click just once on a malicious link.

When we asked the employees that did our business security awareness training what they thought after completing the training, about 80% came back with: "Wow, I did not know it was that scary out there, I learned a lot", immediately followed by: "How can I share this with my family?"

So that's why we created a family-friendly security awareness course especially designed for non-technical consumers which features:

  • A browser-based interactive course created in 2013—updated to reflect recent scams;
  • 8 sections using real-life case studies that show how someone got in trouble using the Internet, and what you need to do to stay safe;
  • Each section has a live Kevin Mitnick video with security do’s and don’ts, and each section has a fun "security check" quiz at the end.

The 8 topics the course covers are: Passwords, Giving out Personal Information, Online Banking, Protecting Children Online, Protecting your Identity, Securing your Computer and Home Network, Spam viruses and more, and Opening email and attachments—with the latest information on cybercrime in each section.

This course allows every member of your family to take it, plus you can send five invites to friends who can also take the full course. Check out the brand new Kevin Mitnick Home Internet Security Course site.

Your Social Network Profiles Are Like Catnip To Cyber Crooks

Dan Tynan interviewed me at the site. He wrote a great article on March 28 and started off with:

"Could you say no to pictures of adorable kittens? Apparently, you’re not alone. Nearly half of all people who receive an email containing an image of a cute cat will automatically open it, according to security training firm PhishMe. But behind those fallacious felines lies danger – or at least, the potential for it.

The Wall Street Journal’s Geoffrey A. Fowler has a fascinating story today about how companies are using faux phishing attacks – including links to bogus cat videos -- to teach employees how to handle real ones. Per Fowler:

Many big network breaches begin not with brainy hacker code but with workers who are tricked by so-called social engineering, which manipulates people into revealing sensitive information. So companies are trying to get workers to act badly before the bad guys do.

Interestingly, last week I interviewed the CEO of a company that does just that. Stu Sjouwerman is CEO of KnowBe4, which trains employees at mostly small and medium size businesses to detect cyber attacks before they do any damage. Sjouwerman knows of what he speaks; he’s a founder of security software firm Sunbelt Software (now called ThreatTrack Security). More.

81% of IT Managers Believe Employees Willfully Ignore Security Rules

Lieberman Software's 2013 Information Security Survey reports the attitudes and opinions of IT security professionals regarding the behaviors of end-users, the state of unauthorized privileged access, and the likelihood of their own organizations withstanding data breaches. Highlights include:

  • 81.4% of IT security staff think that staff tend to ignore the rules that IT departments put in place.
  • 75.8% of IT personnel think that employees in their organization have access to information that they don't necessarily need to perform their jobs.
  • 73.3% of respondents would not bet $100 of their own money that their company won't suffer a data breach in the next six months.
  • 64.7% of respondents think that they have more access to sensitive information than colleagues in other departments.
  • 54.7% of those respondents did not report their colleagues who accessed that information.
  • 52.2% of the same respondents believe that staff would not listen more even if IT directives came from executive management, rather than IT.
  • 38.3% of IT security personnel have witnessed a colleague access company information that he or she should not have access to.
  • 32.3% of IT security professionals work in organizations that do not have a policy to change default passwords when deploying new hardware, applications and network appliances to the network.

The full report is available at Lieberman's website.

Fave links & Cool Sites