Welcome to the WindowSecurity.com newsletter by Stu Sjouwerman, Founder of Sunbelt Software & CEO of KnowBe4.com . Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: email@example.com
Is Your Email Front Door Wide Open?
I was interviewed by Jeremy Quittner this week. Here is how he started his article in American Banker a day later: "It took Stu Sjouwerman, the founder and chief executive of security firm KnowBe4, of Clearwater, Fla., about two minutes to launch a successful social engineering attack against me."
What data did I have to get that done? His first name, phone number and the name of his publication, all of it public information. We were supposed to do an interview, so I decided to send him a 'demo'. First I went to the website of American Banker and found out who the Editor in Chief was, and grabbed his email address. Then I searched for and found a recent article that Jeremy had written. Next, I went to a site that allows me to enter a domain name, and it reports back if there is an SPF record (here it is).
Since there was no SPF record, I could spoof the email address of Jeremy's boss, the Editor. I sent him a short email that came supposedly from his boss, and asked if something was wrong with that recent story I had found on the website. I provided a link to the article, without a redirect or a Trojan, but that would have been relatively easy. When we were on the phone, I asked him if he had received an email from his boss. And he admitted he was ready to hang up the phone and click on the link, as this is the thing that reporters fear: stories being queried by the boss.
All of that took a few minutes, and shows how easy it is to social engineer an end user into clicking on a link. For all of you IT security people out there: only about 30% of sites have an SPF record configured correctly. I strongly advise you to test your own mail server with the link above, and see if your own SPF record is set. If not, make that a priority, as it leaves the front door wide open. And here is the full interview on the American Banker website.
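The check the editorial describes (does this domain publish an SPF record, and does that record actually do anything?) can be scripted against your own domains. The following is an added example, not code from the newsletter or from the lookup site it links to: it applies the RFC 7208 rules to the TXT records a resolver returns for a domain and reports whether SPF is missing, duplicated, over the 10-lookup limit, or ends in a qualifier that still lets anyone send as you. The `SAMPLE_TXT_RECORDS` table, the function names and the status labels are this example's own, and every record in it is constructed; nothing is looked up over the network.

```python
"""Assess the SPF (RFC 7208) TXT records published for a domain.

Added example; the sample records below are constructed for illustration
and no DNS queries are made.  Feed assess_spf() the TXT strings returned
for a real domain to audit it.
"""
import re

# Mechanisms that each cost a DNS lookup; RFC 7208 section 4.6.4 caps the
# total (together with the redirect= modifier) at 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MECHANISM_RE = re.compile(
    r"^(?P<qualifier>[+\-~?]?)(?P<name>[a-z0-9]+)(?:[:/](?P<arg>\S+))?$", re.I)
MODIFIER_RE = re.compile(r"^(?P<name>[a-z][a-z0-9\-_.]*)=(?P<value>\S*)$", re.I)

# Constructed TXT record sets, keyed by domain, mimicking what a resolver
# would return for the domain apex.  Domains are RFC 2606 examples.
SAMPLE_TXT_RECORDS = {
    # No SPF record at all: the situation the editorial exploited.
    "unprotected.example": ["google-site-verification=not-a-real-token"],
    # Explicit sources and a hard fail for everything else.
    "strict.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    # Soft fail, plus an unrelated TXT record that must be ignored.
    "soft.example": ["v=spf1 mx ~all", "some-other-txt"],
    # "+all" authorises the whole Internet; no better than no record.
    "open.example": ["v=spf1 +all"],
    # Two SPF records: RFC 7208 section 4.5 makes this a permerror.
    "twice.example": ["v=spf1 mx -all", "v=spf1 a -all"],
    # Eleven includes: over the lookup limit, so receivers return permerror.
    "bloated.example": ["v=spf1 " + " ".join(
        f"include:spf{i}.example" for i in range(11)) + " -all"],
}


def find_spf_records(txt_records):
    """Keep only TXT strings whose version section is 'v=spf1' (RFC 7208 4.5;
    ABNF string literals are case-insensitive)."""
    return [r for r in txt_records if r.split(" ", 1)[0].lower() == "v=spf1"]


def assess_spf(txt_records):
    """Classify a domain's TXT records.  Returns a dict whose 'status' is one of
    missing, multiple, permerror, too_permissive, no_all, neutral or ok."""
    spf = find_spf_records(txt_records)
    if not spf:
        return {"status": "missing",
                "detail": "no v=spf1 record; any host may send as this domain"}
    if len(spf) > 1:
        return {"status": "multiple",
                "detail": "more than one SPF record is a permerror (RFC 7208 4.5)"}
    lookups = 0
    all_qualifier = None
    for term in spf[0].split()[1:]:
        mod = MODIFIER_RE.match(term)
        if mod:
            if mod.group("name").lower() == "redirect":
                lookups += 1
            continue
        mech = MECHANISM_RE.match(term)
        if not mech:
            return {"status": "permerror", "detail": f"unparseable term {term!r}"}
        name = mech.group("name").lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "all":
            all_qualifier = mech.group("qualifier") or "+"
    if lookups > 10:
        return {"status": "permerror",
                "detail": f"{lookups} DNS-lookup terms; RFC 7208 4.6.4 allows 10"}
    if all_qualifier == "+":
        return {"status": "too_permissive", "detail": "+all authorises every sender"}
    if all_qualifier is None:
        return {"status": "no_all",
                "detail": "no 'all' mechanism; unlisted senders get a neutral result"}
    if all_qualifier == "?":
        return {"status": "neutral", "detail": "?all never rejects anything"}
    return {"status": "ok", "all": all_qualifier, "lookups": lookups,
            "detail": f"{all_qualifier}all with {lookups} DNS lookups"}


def audit(domain, records=SAMPLE_TXT_RECORDS):
    """Assess one of the constructed sample domains."""
    return assess_spf(records.get(domain, []))


if __name__ == "__main__":
    for domain in SAMPLE_TXT_RECORDS:
        result = audit(domain)
        print(f"{domain:22} {result['status']:15} {result['detail']}")
```

To audit a live domain, replace the sample table with the strings from a real TXT query (for instance dnspython's `dns.resolver.resolve(domain, "TXT")`, joining each answer's character-strings) and pass them to `assess_spf`. A "missing", "multiple" or "permerror" result means receiving mail servers cannot use SPF to reject mail forged in your name, which is exactly the gap the editorial walked through.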
Quotes Of The Month
"Passwords are like underwear. You shouldn’t leave them out where people can see them. You should change them regularly. And you shouldn’t loan them out to strangers." -- Unknown
"I changed all my passwords to ‘incorrect’. So my computer just tells me when I forget." -- Anonymous
Editor, WindowSecurity.com Newsletter
Email me at firstname.lastname@example.org
Prevent Email Phishing
Sign Up For Your Free Email Exposure
Want to stop Phishing Security Breaches? Did you know that many of the email addresses of your organization are exposed on the Internet and easy to find for cybercriminals? With these addresses they can launch spear-phishing attacks on your organization. This type of attack is very hard to defend against, unless your users are highly ‘security awareness’ trained.
IT Security specialists call it your ‘phishing attack surface’. The more of your email addresses that are floating out there, the bigger your attack footprint is, and the higher the risk is. Find out now which of your email addresses are exposed with the free Email Exposure Check (EEC). An example would be the email address and password of one of your users on a crime site. Fill out the form and we will email you back with the list of exposed addresses. The number is usually higher than you think.
Sign Up For Your Free Email Exposure Check Now
How To Avoid 5 Common Email Management Mistakes
As I showed in the editorial, a misconfiguration of how email is handled can leave a hole you can drive a truck through, and there are other email management mistakes that you need to look out for.
The CSO website has a great article that I warmly recommend.
- Mistake 1: Pigeonholing email as just an IT function
- Mistake 2: Complacency with regard to spam and phishing
- Mistake 3: Failing to consider business critical factors when trusting email to the cloud
- Mistake 4: Not protecting failover servers
- Mistake 5: Failure to plan for IPv6
This is a good article to check out and see how you are doing yourself in this regard.
To Whitelist Or To Not Whitelist
Derek Melber wrote a really good article about whitelisting and it's over at the WindowSecurity.com site. He started out with: "There are some key concerns about using whitelisting in your organization to control which applications users can use. In my opinion, whitelisting can be a very powerful tool to help reduce the overall attack surface within your organization. That is, to have the ability to control, one by one, which applications can run and which can’t. However, some issues arise when you start to put the rubber to the pavement in your configuration and implementation of a whitelisting solution. If you can overcome the hurdles that come with deploying a whitelisting solution, I suggest you implement it as soon as possible. If you can’t overcome the hurdles, there are some other settings that I always suggest along with whitelisting that I think should be done at a minimum." Here is the article.
Recently I have written a whitepaper about whitelisting myself, and fully agree with what Derek thinks. This is an idea whose time has come. The whitepaper looks at whitelisting from the Admin perspective.
Still Run Vista? Redmond Sez: "Infection Rates Climb"!
Microsoft said last week that a skew toward more exploits on Windows Vista can be attributed to the demise of support for the operating system's first service pack. Data from the company's newest security intelligence report showed that in the second half of 2011, Vista Service Pack 1 (SP1) was 17% more likely to be infected by malware than Windows XP SP3, the final upgrade to the nearly-11-year-old operating system. That's counter to the usual trend, which holds that newer editions of Windows are more secure, and thus exploited at a lower rate, than older versions like XP. Some editions of Windows 7, for example, boast an infection rate half that of XP. Story at ComputerWorld.
ViewPoint - Your Take
Write me! This is the spot for your take on things. Let me know what you think about Security, tools, and things that need to be improved. Email me at email@example.com
SecOps: What You Need To Know
Busted: When Security Tools Fail
Bill Brenner over at the CSO website had a very good post about the problem that security tools themselves have flaws. He illustrates this with two stories, and the first one is worrisome. Did you know this?
"The first, by Dan Goodin, IT security editor at Ars Technica, is about a smartphone hijacking vulnerability affecting AT&T and 47 other carriers. In what may be the mother of all ironies, the flaw was introduced by a class of firewall products cell phone carriers use.
Goodin writes: "The attack, which doesn't require an adversary to have to have any man-in-the-middle capability over the network, can be used to lace unencrypted Facebook and Twitter pages with code that causes victims to take unintended actions, such as post messages or follow new users. It can also be used to direct people to fraudulent banking websites and to inject fraudulent messages into chat sessions in some Windows Live Messenger apps. Ironically, the vulnerability is introduced by a class of firewalls cellular carriers use. While intended to make the networks safer, these firewall middleboxes allow hackers to infer TCP sequence numbers of data packets appended to each data packet, a disclosure that can be used to tamper with Internet connections." More info here.
Tech Guns For Hire: 5 Places To Find Skilled IT Contractors
Most of you are forced to do more with less, and you usually have open positions that are difficult to fill. Here is some help from ComputerWorld:
"Even for organizations with a stellar full-time IT staff, situations often arise where temporary outside help is needed. A big Web project might demand a few extra programmers to meet a tough deadline, for example, or a rollout of tools to support a sales force bent on capturing a broader market may require expertise not available in-house.
That's when contractors come in. With job losses and uncertain economic times the new norm, independent contractors are on the rise in the U.S. In 2009, the number of U.S. freelancers in all fields stood at 12 million, according to market research firm IDC. That number is expected to reach 14 million by 2015." Here is how to find them.
Survey Finds Energy and Utility Industry Companies Weak on Cyber Risk Management
A recent survey of 108 global companies conducted by the Carnegie Mellon University CyLab and sponsored by RSA and Forbes found that those in the financial sector have the best cyber and information risk management practices, while companies in the energy and utility industries have the worst. While more than 90 percent of respondents said that they are actively addressing risk management at their organizations, only 33 percent said they were attending to cyber and information security, 29 percent said they were attending to information technology operations, and just 13 percent said they were attending to managing vendors who provide software and other services. Reported by SANS, and link here.
Adware Stages Comeback Via Browser Extensions
The Wikimedia Foundation last week warned that readers who are seeing ads on Wikipedia articles are likely using a Web browser that has been infected with malware. The warning points to an apparent resurgence in adware and spyware that is being delivered via cleverly disguised browser extensions and plugins that are bundled with other software or foisted in social engineering schemes. More at Brian Krebs' blog.
Android Hackers Hone Skills In Russia
The malware business growing around Google Android - now the leading smartphone operating system - is still in its infancy. Today, many of the apps built to steal money from Android users originate from Russia and China, so criminal gangs there have become cyber-trailblazers. More at ComputerWorld.
Thwarted By Security At Enterprises, Cyber Criminals Target SMBs
"Big business -- at least a significant percentage of it -- has apparently heeded the decades-long mantra from information security experts, and invested enough in security to make it difficult, expensive and risky for cyber criminals to attack them".
So criminals are seeking easier and safer ways to make money -- by attacking smaller businesses, according to Verizon's 2012 Data Breach Investigations Report (PDF), "A study conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting and Information Security Service, Police Central e-Crime Unit, and United States Secret Service."
Verizon's security research director, Wade Baker, told London's The Inquirer that cyber criminals were mass producing their attack techniques and targeting small- and medium-size businesses (SMBs).
Speaking from Verizon's Security Operations Center in Dortmund, Germany, Baker said SMBs are "easy targets" for organized cybercrime compared with larger enterprises. "Cyber criminals have figured out that if their goal is to make money, attacking a large organization that's well defended and probably has ties to law enforcement that is going to pursue them, is a high-risk solution," he said.
A mass-produced, commoditized attack against smaller organizations with fewer defenses is, "a very low risk," Baker said. More of this story at the Chief Security Officer (CSO) website.
Fave links & Cool Sites
- The fantastic world of steampunk technology
- Electric Drag Bike Breaks 200 MPH Barrier. WOW that thing is fast
- An entirely new way to interact with your computer - more accurate than a mouse, as reliable as a keyboard and more sensitive than a touchscreen
- An 18-wheeler semi-trailer truck and a bus meet at a hairpin turn at Trollstigen, Norway. Now there is some skillful driving...
- Got $259,500 to spare? How about a sports car that transforms into a boat, for real
- Don't watch this if you are afraid of heights! The bridge to Russky Island will be the world’s largest cable-stayed bridge with a total length of 10,200 ft when it opens in June 2012
- On May 20, 2012 China and the Western United States saw an "annular" eclipse, the first of its kind since 1994. An "annular" eclipse is when the moon lines up between Earth and the Sun to create what looks like a ring of fire
- Honda re-invented the wheel with its battery-powered, two-wheeled mobility device that allows the rider to control speed, move in any direction, turn and stop, all simply by shifting his or her weight. And what is wrong with walking one might ask? This thing is sloooow