WindowSecurity.com Newsletter - January 2013 Sponsored by: NetWrix

Welcome to the WindowSecurity.com newsletter by Stu Sjouwerman, Founder of Sunbelt Software & CEO of KnowBe4.com. Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: feedback@windowsecurity.com

Audit all critical IT systems for security and compliance

NetWrix Change Reporter Suite automates and simplifies the auditing of critical IT systems across the entire IT infrastructure. With one simple deployment you can efficiently audit critical IT systems such as Active Directory, Exchange, VMware to name just a few - while staying within a reasonable budget. Thanks to our unique AuditIntelligence technology NetWrix Change Reporter Suite allows you to easily track and report on the "4W detail": who changed what, where and when.

Download a free trial!

Editor's Corner

Facebook Graph Search Is a Social Engineering Bonanza

Zuck has come out with something new, and you always need to watch it when that happens. Graph Search combines Facebook's big data with its social graph so that people can easily find new friends, dates, customers or business partners. In short, it is more or less a search engine that lets you track down Facebook users who meet the criteria you specify: where they work, where they live, what they like. That is exactly the reconnaissance a social engineer does before a spear-phishing attack, so with all that personal data one query away, Graph Search is a bonanza for them; the more an attacker knows about you, the more convincing the pretext, and the more easily you are manipulated. This data can be used in a variety of scams. Facebook is currently beta testing it and plans to release it this summer. The only thing I can say is that it is more important than ever to THINK BEFORE YOU CLICK, and get some very good security awareness training. Here are more Facebook hacks you (and your employees) need to watch out for.

Facebook is loved far and wide by scammers. It's a great pool of an almost unlimited number of victims, most of whom are gullible enough to fall for the simplest scams. Shooting fish in a barrel! Better yet, a bunch of these Facebook users are "endorsing" the scam by liking and sharing it, giving it even more credibility. Incredible, isn't it?

Most people think of Facebook as a secure, walled garden where nothing bad can happen because Zuck is watching out for you. Think again. There are several different categories of scams out there lying in wait, and many of them are recycled with small updates on a regular basis. Here are the different scam flavors:

  • Account related scams
  • Free stuff from third parties
  • Benefit from (fake) news
  • Curiosity Traps

Now, Zeljka Zorz over at net-security.org has done a great write-up of many of these, and I will link to her article at the end. Here are a few that I am quoting:

"Facebook changes its look and functionalities often, but a lot of users dislike any kind of change. This normal human tendency is often misused by scammers who offer bogus Facebook Timeline deactivation options."

"An even greater number of scams targets those who aren't satisfied with features offered by the social network and are tricked into believing that there are ways to add functionalities such as the ability to view who checks out their profile more often, view who has deleted or unfollowed them, to see how many hours they spent on Facebook, to post again their first post, to add a Dislike button, to change their Facebook color theme, and even to add a Facebook security app to guard their accounts or to try a Facebook 2013 Demo app."

"Next we have the scams that profess that Facebook is giving out something for free: an official Facebook T-shirt or mug to celebrate the social network's birthday, the random $50,000 reward, free Facebook Credits, or even a free mobile recharge."

"Lastly, there are scams that try to scare users into doing something because Facebook is closing all accounts, will close theirs because of overpopulation, will start charging users, or the Facebook Security Team will suspend their page."

"It's also good to know that Facebook-themed scams - and especially phishing attempts and malware-infection attempts - can often come in the form of fake Facebook notification emails - password change notifications, account cancellation (or deactivation) warnings, offensive comment notices, friend requests, and so on." More: http://www.net-security.org/secworld.php?id=14252

GPS Security Hint

Don't use your real home address when you set the 'Home' destination on your GPS device, because that could make you a victim of burglary as well as auto theft. Here is the scenario. You are on the road and your car gets stolen. The first thing the thieves do is drive to your house and burgle it, because they know you are not home: you have no car! For that 'Home' destination, just use a location close by instead. Perhaps a neighbor you don't like? Just kidding!!

Quotes Of The Month

"You cannot escape the responsibility of tomorrow by evading it today." -- Abraham Lincoln

"'Java' stands for 'Just Another Vulnerability Announcement'" -- someone on the Internet

Warm regards,

Stu Sjouwerman

Editor, WindowSecurity.com Newsletter
Email me at feedback@windowsecurity.com

Released: Kevin Mitnick Security Awareness Training


Traditional once-a-year Security Awareness Training doesn't hack it anymore. Today, employees are frequently exposed to sophisticated phishing attacks, and your users are now the weak link in your network security. They need to be trained by an expert, and after the training stay on their toes, keeping security top of mind. Click on the orange "Get A Quote" button and find out how affordable this is! More info here.

Busy? Just take 90 seconds and watch this brand new video about the new Kevin Mitnick Security Awareness Training. You'll be glad you did.

Security Detail

Upper Management Often Ignores IT Security Policy

Over the years I have had a nagging suspicion that was only confirmed today. I ran into a study carried out last year by a company called Cryptzone, who interviewed 300 IT security professionals at a trade show. The results are not pretty: almost half of the respondents say that upper management think they can sidestep security policies and that "the rules don't apply to them" when it comes to complying with IT security policies and procedures.

A whopping 42% said that upper management regularly ignore policies and procedures, failing to see that they should instead be setting an example for employees. Worse, 52% of those surveyed agreed with the statement that upper management have access to the most sensitive information yet have the least understanding of security.

This shows where the problem starts in many cases: to be effective, IT security must be driven from the top down and given air cover from the Chairman and CEO level. As long as that does not happen, you will continue to read about data breaches in tomorrow's newspaper. In coming issues I will suggest some strategies to help you convince upper management. You can see the whole survey and its results. Ouch!

12 Security Resolutions for 2013

From Wi-Fi to mobile security, here are 12 things you should commit to doing this year to keep hackers and malware at bay. Among your typical New Year's resolutions (lose weight, stop smoking, be happier) you should consider making some pledges to better secure your digital life. You might even be healthier if you can prevent the stress of a digital disaster, like malware wiping out your PC, having your online accounts hacked, or becoming a victim of identity theft because of a phishing scam or data theft. With that in mind, here are some security resolutions you should consider for the new year. Article at CSOonline.

Antivirus Controversy

The New York Times had an interesting article a few days ago quoting a study by Imperva, a data security firm in Redwood City, California. The headline was "Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt", and the article went on: "The bad guys are getting worse, antivirus helps filter down the problem, but the next big security company will be the one that offers a comprehensive solution." Our comment on that would be: "And that should include security awareness training!" But although end-user training is more than ever an essential part of your defense in depth, it's too early to throw AV out the window.

The AV industry was dismayed that its technology was 'written off' and came back with a whole series of counterpoints. One of the best was written by ESET's David Harley, who notes that the Imperva report has methodological holes and dubious statistics. I recommend you first read the NY Times article and then the ESET comments. This is an interesting topic, because you may well be asked about it in budget meetings. Here are the two links: NY Times article and ESET comments.


SecureToolBox

ViewPoint - Your Take

Write me! This is the spot for your take on things. Let me know what you think about Security, tools, and things that need to be improved. Email me at feedback@windowsecurity.com 

SecOps: What You Need To Know

Deloitte UK Study Shows 88 Percent Think They Are Safe From Cyber Threats

Oh my. Deloitte UK interviewed a bunch of small and medium organizations, and a whopping 88% think they are safe and will not be attacked from the outside. Talk about a false sense of security. OUCH. The infographic is here and worth a look; the numbers are very interesting:
http://blog.knowbe4.com/deloitte-study-shows-88-percent-thinks-they-are-cyber-threat-safe/

Healthcare Security Awareness Training

I was interviewed in 'For The Record Magazine', a leading publication for healthcare. The article is about the risks of Bring Your Own Device (BYOD) in healthcare environments and how to mitigate them, and it explains that security awareness training is one of the most important areas in a BYOD healthcare environment. Here is a link to the January 14 edition of For The Record Magazine. The article is called "Left To Their Own Device" and is on page 14.

Phishing Attacks Up 19% Year Over Year

RSA reported that phishing attacks are up 19% year over year. Did you know that this translates into 33,000 attacks per month, and that those attacks caused a whopping $700,000,000 in losses? It takes just one click from an employee in a weak moment to cause untold damage.

The recent South Carolina data breach is a good example: millions of records full of confidential information were stolen from the Department of Revenue because of ONE CLICK on a phishing link. It's time to train employees within an inch of their life to THINK before they CLICK! Get them Kevin Mitnick Security Awareness Training over here: http://www.knowbe4.com/


Hackers’ Haven

Fake Apple Invoices

As noted above, RSA puts phishing at 33,000 attacks a month and rising 19% year over year, and it takes just one click from an employee in a weak moment to cause untold damage; the recent South Carolina hack, where one click led to millions of records with confidential data being stolen, is the proof.

A good example is the fake Apple invoices being sent in high volume, which claim you have been charged for a (large) purchase from Apple. The link does not go to Apple: it lands on a page running the Blackhole exploit kit, which infects the PC and plants malware that goes after your bank account. The tell is in the link, not the logo, so hover over it and look at the real destination before you click. Warn your employees and tell them to stay safe out there! Here are two fake Apple invoice examples at the KnowBe4 Blog.

Microsoft Warns Against Scams Using Its Name

Redmond has a special page where it warns everyone about popular scams using its name. This is useful to tell your employees about.

"Cybercriminals often use the names of well-known companies, like ours, in their scams. They think it will convince you to give them money or your personal information. While they usually use email to trick you, they sometimes use the telephone, instead.

Common scams that use the Microsoft name

  • Someone from "Microsoft Tech Support" calls to fix your computer
  • "You have won the Microsoft Lottery"
  • Microsoft "requires credit card information to validate your copy of Windows"
  • "Microsoft" sends unsolicited email messages with attached security updates

More at their site.

MSN/Hotmail Scam

It's a new year and you'd like to think that your users are getting smarter about clicking on phishing links and will not fall for recycled tricks from cyber criminals. Unfortunately, an attack doing the rounds this week has been used before, and people are still falling for it in droves.

This is the attack: an email which claims to come from the "Windows Live Team" warns Hotmail/MSN users that their account is at risk of immediate closure because different computers logged into it and multiple attempts were made to guess the password.

The email, which has the subject line "CONFIRMATION ALERT RESET (2013)" and comes from an unofficial-looking @msn.com address, urges the user to reply by email with their full name, username, password, date of birth and country in order to confirm their identity. That is the giveaway: no provider's support team asks you to email them your password. Alert your users about this, and keep reminding them that they should NEVER give login information to ANYONE. You can see the image of the actual scam email over at the KnowBe4 Blog.
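The fake Facebook notification emails quoted earlier and this "Windows Live Team" mail share the same shape: a sender posing as the provider's own team, a threat that the account is about to be closed, and a request to send credentials back by email. Here is an added example, not code from the newsletter, KnowBe4, Microsoft or RSA, of the kind of mail-filter check a SecOps team could build from those indicators. It parses a raw message with Python's standard email module and scores it; the three sample messages, the freemail domain list, the regexes and the weights are all constructed for illustration (assumptions), and the scam sample is modelled on the description above, not copied from the actual email.

```python
"""Score account-scare emails on the indicators the two scams above share.

Added example for this newsletter; not code from the original page, KnowBe4,
Microsoft or RSA. The sample messages, the freemail domain list, the regexes
and the weights are constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: consumer mailbox domains that an official account-security team
# would never use as its sender (the scam mail came from an @msn.com mailbox).
FREEMAIL_DOMAINS = {"msn.com", "hotmail.com", "live.com", "outlook.com",
                    "gmail.com", "yahoo.com"}

# The sender pretends to be the provider's own team.
TEAM_CLAIM = re.compile(
    r"\b(windows live|hotmail|msn|facebook)\s+(team|security|support)\b", re.I)
# "Your account is at risk of immediate closure / will be deactivated ..."
THREAT = re.compile(
    r"\baccount\b.{0,40}\b(clos(ed|ure)|suspend|deactivat|cancel)", re.I | re.S)
# Any mention of credentials (weak on its own: genuine reset notices mention them).
CREDENTIAL = re.compile(
    r"\b(password|passphrase|date of birth|security question)\b", re.I)
# The decisive tell: "reply ... with your ... password". No provider asks for this.
REPLY_WITH_CREDS = re.compile(
    r"\b(reply|respond|send|e-?mail)\b.{0,80}?\b(password|date of birth|username)\b",
    re.I | re.S)

PHISHING_THRESHOLD = 4  # constructed cut-off: reply-with-credentials alone is not enough


def phish_score(raw: str) -> tuple[int, list[str]]:
    """Return (score, matched indicators) for one RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = str(msg.get("From", ""))
    _, addr = parseaddr(sender)
    domain = addr.rpartition("@")[2].lower()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}"

    checks = [
        ("claims to be the provider's team", 1,
         TEAM_CLAIM.search(f"{sender}\n{text}") is not None),
        ("sent from a consumer mailbox domain", 1, domain in FREEMAIL_DOMAINS),
        ("threatens account closure or suspension", 1, THREAT.search(text) is not None),
        ("mentions credentials", 1, CREDENTIAL.search(text) is not None),
        ("asks for credentials by reply", 3, REPLY_WITH_CREDS.search(text) is not None),
    ]
    score = sum(weight for _, weight, hit in checks if hit)
    reasons = [name for name, _, hit in checks if hit]
    return score, reasons


def is_phishing(raw: str) -> bool:
    return phish_score(raw)[0] >= PHISHING_THRESHOLD


# Constructed sample modelled on the scam described above (not the real email).
PHISH_SAMPLE = """\
From: Windows Live Team <accounts.verify2013@msn.com>
To: victim@hotmail.com
Subject: CONFIRMATION ALERT RESET (2013)
Content-Type: text/plain; charset="utf-8"

Dear Windows Live user,

Our records show that different computers logged into your account and multiple
attempts were made to guess your password. Your account is at risk of immediate
closure. To confirm your identity, reply to this email with your full name,
username, password, date of birth and country.

Windows Live Team
"""

# Constructed benign message: ordinary mail between two people.
BENIGN_SAMPLE = """\
From: Alice <alice@example.com>
To: bob@hotmail.com
Subject: Lunch Friday?
Content-Type: text/plain; charset="utf-8"

Hi Bob, are you free for lunch on Friday? Let me know which place you prefer.
"""

# Constructed genuine-looking notice: mentions the password but never asks for it.
RESET_NOTICE_SAMPLE = """\
From: Account Notifications <no-reply@mail.example.com>
To: bob@example.net
Subject: Your password was changed
Content-Type: text/plain; charset="utf-8"

Your password was changed on 12 January. If this wasn't you, sign in from
your usual bookmark and change it again from the account settings page.
"""

if __name__ == "__main__":
    for label, sample in [("scam", PHISH_SAMPLE), ("lunch", BENIGN_SAMPLE),
                          ("reset notice", RESET_NOTICE_SAMPLE)]:
        score, reasons = phish_score(sample)
        print(f"{label}: score={score} phishing={is_phishing(sample)} {reasons}")
```

The scam sample trips every indicator and scores 7; the lunch invitation scores 0; the legitimate reset notice scores only 1, because mentioning a password is normal while asking for it by reply is not, which is why that check carries the most weight. Regex scoring like this is a triage aid for the SOC, not a substitute for sender authentication (SPF/DKIM) on the gateway or for the user training the newsletter keeps coming back to.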

Fave links & Cool Sites

 
