WindowSecurity.com - Monthly Newsletter - June 2013

Welcome to the WindowSecurity.com newsletter by Stu Sjouwerman, Founder of Sunbelt Software & CEO of KnowBe4.com . Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: feedback@windowsecurity.com

Editor's Corner

10 IT Security Myths That Put You At Risk

Gartner Analyst Jay Heiser explained that in InfoSec, there are a lot of "misperceptions" and "exaggerations" about both the threats you face and the solutions you use to protect your networks. All this false data boils down to "security myths" which are widely known and regularly used to explain things. Here are the ten myths, and a link to Ellen Messmer's article in InfoWorld where each of them gets busted and/or the cure is provided. This is a good read!

Myth #1: "It won't happen to me"
Myth #2: "InfoSec budgets are 10 percent of IT spend."
Myth #3: "Security risks can be quantified"
Myth #4: "We have physical security (or SSL) so you know your data is safe"
Myth #5: "Password expiration and complexity reduces risk"
Myth #6: "Moving the CISO outside of IT will automatically ensure good security"
Myth #7: "Adhering to security practices is the CISO's problem"
Myth #8: "Buy this tool <insert tool here> and it will solve all your problems"
Myth #9: "Let's get the policy in place and we are good to go"
Myth #10: "Encryption is the best way to keep your sensitive files safe"

Thanks for your Interest!

I am getting so busy in KnowBe4 that unfortunately I have to give this newsletter to someone else. It's been a great run and thank you for your interest and feedback. I'm sure we'll see each other in IT somewhere.

Quotes Of The Month

"Procrastination is like a credit card: it's a lot of fun until you get the bill." - Christopher Parker

"Procrastination is opportunity's assassin." - Victor Kiam

Warm regards,

Stu Sjouwerman

Editor, WindowSecurity.com Newsletter
Email me at feedback@windowsecurity.com

Released: Kevin Mitnick Security Awareness Training


Traditional once-a-year Security Awareness Training doesn't hack it anymore. Today, employees are frequently exposed to sophisticated phishing attacks, and your users are now the weak link in your network security. They need to be trained by an expert, and after the training stay on their toes, keeping security top of mind. Click on the orange "Get A Quote" button and find out how affordable this is! More info here.

Busy? Just take 90 seconds and watch this brand new video about the new Kevin Mitnick Security Awareness Training . You'll be glad you did.

Security Detail

Data Breach Costs: 10 Ways You're Making It Worse

Inadequate response plans and poorly executed procedures caused data breach costs to rise significantly at some businesses, according to the Ponemon Institute. Mistakes, negligence and glitches are more likely to be responsible for computer-related security breaches than cyber attacks, according to a Ponemon report released last week sponsored by Symantec.

The research firm interviewed more than 1,400 individuals in 277 companies as part of its "2013 Cost of Data Breach Study: Global Analysis." The study, sponsored by Symantec, estimated the costs of data breaches in nine countries. The breach costs varied by region, but Ponemon Institute researchers found a number of common costly errors.

One short quote: "Building a sense of security into end users cannot happen with one-off training programs -- there needs to be a systematic and consistent security program over an extended period of time, according to the Ponemon Institute". Here is the slide show.

Citadel Botnet 'Shutdown' Makes Cybercrime Worse

It was all over the news. The Citadel botnet responsible for stealing more than 500 million dollars out of bank accounts from both individuals and organizations worldwide has been largely shut down or so it seems if youread the breathless press. Citadel is a smarter and more sophisticated cousin of the Zeus Trojan.

Citadel is an example of Crime-as-a-Service and has been sold since 2012 in do-it-yourself crime kits that cost $2,400 or more. The malware itself is installed on workstations using social engineering. End-users were tricked with phishing and spear-phishing into clicking on links which infected their workstations.

The Press Release said that Redmond aligned with the FBI and authorities in 80 other countries to take down one of the world’s biggest cyber crime rings. Microsoft said its Digital Crimes Unit Wednesday took down at least 1,000 of an estimated 1,400 Citadel Botnets, which infected as many as five million PCs around the world and targeted major banks.

Now, I agree that it’s about freaking time these gangsters were shut down, but there is quite some collateral damage with all this hoopla. Let's have a look at what Microsoft actually did. They identified about 1,400 botnets and disturbed them by pointing the infected machines to a server operated by Redmond instead of the Command & Control servers controlled by the bad guys.

This is not new, technically this is called 'sinkholing', and it's been around for a long time. Simply put, you redirect the traffic generated by the Trojan on an infected PC to the good guys, who then warn the owner so they can clean the machine.

It so happens that a lot of security researchers had created their own sinkhole domains and a good chunk of these Citadel botnets had already been sinkholed when Microsoft seized both the domains of the bad guys but also the domains of the security researchers. Nearly a 1,000 domain names out of the approx 4,000 domain names seized by Microsoft had already been sinkholed by security researchers!

The problem is that sinkholing is just a game of whack-a-mole. Takedowns like this trigger countermeasures by the bad guys who simply respond by using a peer-to-peer architecture instead of command & control servers making it much harder to take them down.

Cybercrime cannot be stopped with takedowns, as a matter of fact takedowns make cybercrime worse. You need legislation in Eastern Europe, and sufficient resources for law enforcement to take down the bad actors themselves. (Hat Tip to Abuse.ch)

Top 5 System Admin Hate Votes

May 22, the question was asked on Spiceworks: "What is your IT-related Arch Nemesis?". More than 200 random replies came in. I thought it would be interesting to know what the top ones were. I tabulated (and somewhat normalized) the main things that generate support tickets and most of the system admins came back and voted on which things they HATED the MOST!

The Top 5 most mentioned things they HATE are in sequence of percentage:

  1. No Documentation: 29.7%
  2. Users: 27.4%
  3. Printers and Apple products tie with 25.5% each
  4. Fake Antivirus: 24.5%

Some other observations: You seem not to mind Microsoft Exchange very much, (kudos for Microsoft) and driver problems seem to have subsided over time. Java is still causing a lot of headaches with 21.2% as the most hated item.

SecureToolBox

ViewPoint - Your Take

Write me! This is the spot for your take on things. Let me know what you think about Security, tools, and things that need to be improved. Email me at feedback@windowsecurity.com 

SecOps: What You Need To Know

Android Antivirus Products A Big Flop, Researchers Say

Bob Brown at NetworkWorld reported on something a bit concerning. "Android smartphones and tablets are under attack, and the most popular tools developed to protect them are easily circumvented, according to new research from Northwestern University and the University of North Carolina".

The researchers created technology called DroidChamelon that can be used to perform common obfuscation techniques (simple switches in a virus' binary code or file name, for instance) to blow by security products. Here is more, with a link to the research paper with all the details. Yikes.

Mobile Threats Now Outpace PC Attacks

Tracy Kitten over at Government InfoSecurity interviewed Dave Jevans, the founder and chairman of the Anti-Phishing Working Group. (APWG)

Attacks aimed at mobile devices are progressing much more rapidly than any attacks ever waged against PCs. Organizations are in danger if they don't pay attention. Over the past six months, the APWG has analyzed emerging mobile security threats and pinpoints some of the key vulnerabilities, such as jail-broken devices, open-source OSen and sophisticated malware baked into rogue mobile applications.

Jevans, founder and chairman of the APWG, says criminals are increasingly targeting mobile devices, building on their decades' worth of experience through attacks waged against PCs.

"The big message here, as you look through the report, is that malicious and fraudulent activity on the mobile platform is growing much more quickly than it did on the PC platform over the last 10 years," Jevans says. More.

Phishing 2.0: Anatomy of a New Attack

This is the title of a new whitepaper by Webroot, which breaks down to its component parts what I have been warning about for a while now: mass customized spear phishing. They identity five stages:

Phase 1: Targeting

The first phase of a Phishing 2.0 attack involves profiling a group of potential victims. There is actually a spectrum of targeting opportunities, Broad categories, such as "business people who ship packages" and "managers who book business travel"

Phase 2: Reconnaissance

Finding personal information and email addresses of the targeted victims. For attacks targeting broad categories of victims, it might be sufficient to obtain lists of email addresses from legitimate email houses or from black market sources of spam addresses.
 
Phase 3: Creating spear phishing emails

The next step is for the cybercriminal to create spear phishing emails.

These emails will have two characteristics:

  • They will mimic common business and personal emails—without using phrases that could identify them as mass distribution spam.
  • They will use details gathered during the reconnaissance phase to make the emails convincing.


Phase 4: Plant malware on the victim’s computer

In some examples of spear phishing, the cybercriminal simply entices the victim to fill out a web form with confidential information like account number, Social Security number or user ID and password. More commonly, though, the goal is to lure the victim into downloading a malware file, either by clicking on an attachment in the email,
clicking on a link in the email that requests a file download, or clicking on a link in a webpage.

Phase 5: Exploit the breach

The cybercriminal is now able to follow up by capturing the victim’s keystrokes, finding and exporting files on the victim’s computer, or burrowing into the company network using the victim’s credentials. The last approach is the method typically used as part of advanced persistent threats, which are systematic campaigns to capture large
quantities of confidential data over a period of time. Here is the full whitepaper with much more data.

Hackers’ Haven

Spear-phishing Espionage Malware: NetTraveler

Researchers at Kaspersky Labs discoverd another(!) probably state-sponsored malware known as NetTraveler. NetTraveler gains a foothold in targeted organizations through spear-phishing campaigns and exploits a pair of known vulnerabilities in Microsoft Word. These vulnerabilities were patched in 2010 and 2012. The malware logs keystrokes, and grabs file system listings, Office and PDF documents.

It has infiltrated more than 350 companies in 40 countries over the past eight years. Those behind the malware targeted a variety of organizations, including energy industry, scientific research facilities, universities, governments, military contractors, and social activists. NetTraveler has seen a burst of activity in the last three years, but there are
indications that it has been around in some form since 2004. And it was never found by any antivirus company, you wonder what else is out there.

More recently, NetTraveler has been stealing intellectual property in the areas of space exploration, nanotechnology, nuclear power, and energy production. If you look at the targets, to me this sounds like China is behind all this. All employees need security awareness training. Badly!  (Arstechnica has a pretty graph with all the attacks.)

See how Kevin Mitnick steals a workstation password using malware hidden in a Word File in less than 2 minutes.

Facebook Scams Of The Week

Since you are in IT, you or your webmaster may have been tasked to manage your organization's Facebook Page. This phishing scam specifically targets -you- with an email from 'Facebook Security.'

The scammers try to trick Page owners into starting a 'Fan Page Verification Program.' You are asked to share your Facebook Page’s URL, login creds and create a 10-digit number as a 'Transferring Code.' Once you have done this, they can now post links for your followers which trust you as a source.

Oh, while we are talking Facebook, cybercriminals are now using the following trick. They clone a whole profile, befriend the victim's friends and use their trust to defraud them.

Cloned accounts can be used to send spam messages, initiate scams, and steal personal information that could be used for more serious identity theft. In the recent cases, there are reports that once the cloned account's repeated and fraudulent friend request has been accepted, the scammer starts soliciting money from 'friends'. Warn your users to use Real Life verification before they agree to any transaction over Facebook.

Fave Links & Cool Sites

Your Five Minute Virtual Vacation! Beautiful shots of the arches and red rocks in Utah and Arizona captured and uploaded in 4K resolution. The music and sights are just breathtaking.                           
                            ---
The most splashing way to discover Amsterdam - with the amphibuous bus 'The Floating Dutchman.' This is new and looks like a lot of fun!                           
                            ---                            
Are you a sailor, pilot, do you like whitewater Kayak, or mountain climbing? This Breitling watch has you covered in an emergency.                           
                            ---
While we are looking at watches, here is what they call the world's smartest watch...it's called "Agent" and a cool kickstarter project.
                            ---
A chipmunk will store over 6,000 acorns - but he needs to keep an eye out for pickpockets.                           
                            ---
Breathtaking crossbow performance by Ben Blaque at the French TV show "The Worlds's Greatest Cabaret" hosted by Patrick Sebastien.                           
                            ---
A flying bicycle invented by three Czech companies successfully completed its first test flight, just like a Star Wars Jedi hover-bike.
                            ---
Check out the massive accelleration of these top-of-the line electric racing motorcycles at the recent Isle of Man championship.
                            ---
A network of balloons traveling on the edge of space, designed to connect people in rural and remote areas, help fill in coverage gaps and bring people back online after disasters. Looking for a Tech Support job with Challenges?