    • Profile
    • Following 0
    • Followers 1
    • Topics 32
    • Posts 44
    • Groups 1

    Posts

    • Your Boss NEEDS To Read This WSJ Article About Our Power Grid And How The Russians Hacked It With Phishing


      In a Jan 10, 2019 article, the Wall Street Journal reconstructed the worst known hack into the USA's power grid, revealing attacks on hundreds of small contractors.

      The title is very apt: "America’s Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It".

      It's so relevant because it describes a very effective supply-chain attack that could happen to your own organization as well. The article focuses on the spear phishing and watering hole attacks that compromised small contractors and gave the attackers a footprint to hack further up the power grid chain. Remember the Target hack?

      The Wall Street Journal pieced together this account of how the attack unfolded through documents, computer records and interviews with people at the affected companies, current and former government officials and security-industry investigators. Some experts believe two dozen or more utilities ultimately were breached.

      It's a must-read because this is the No.1 vulnerability that leads to the dreaded data breach. If I were you I would sit down with your management team and do the following exercise:

      • Identify the top 5 suppliers that would cause downtime or serious disruption of your production if they got hacked or went off the air

      • Find out if they only require once-a-year awareness training just to be compliant

      • To keep their business as your supplier, require them to sign up with KnowBe4, and deliver you the evidence that their users have stepped through the 45-minute module and get sent simulated phishing attacks once a month. As you see, I'm dead serious here.

      This excellent WSJ reporting demonstrates again that your own employees need to be the strongest human firewall possible, and that your suppliers also need to be part of that same defense-in-depth strategy.

      Here is the link to that article one more time, so you can cut & paste it. This may be the most important article related to InfoSec your C-levels read this year. Make sure they do:

      https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112

      Let's stay safe out there.

      Warm regards,

      Stu Sjouwerman

      Founder and CEO, KnowBe4, Inc


      posted in IT Discussion phishing hacking securityawarenesstraining
    • These Incredibly Realistic Fake Faces Show How AI Can Now Mess With Us


      This starts to be more than a bit concerning. The faces in this post look like pretty normal humans. They could be social media shots. However, they were generated by a recent type of algorithm: generative adversarial network, or GAN.

      Nvidia researchers Tero Karras, Samuli Laine, and Timo Aila posted details of the method to produce completely imaginary fake faces with stunning, almost eerie, realism.

      GANs employ two "dueling" neural networks to train a model to learn the nature of a dataset well enough to generate convincing fakes. When you apply GANs to images, this provides a way to generate often highly realistic still fakes you could use for extremely hard to detect social engineering attacks, especially combined with deep fake videos.

      Here is the blog post with the links to the paper, still shots and example videos. Check it out and shiver:
      https://blog.knowbe4.com/these-incredibly-realistic-fake-faces-show-how-ai-can-now-mess-with-us

      Warm regards, Stu

      posted in IT Discussion
    • [Scam Of The Week] New Sextortion Attacks Take A Dark Turn And Infect People With GandCrab Ransomware


      Our friends at Proofpoint reported that last week employees in the United States were bombarded by a spam attack that pushed a double-whammy of a sextortion attempt combined with a possible ransomware infection.

      Starting around May 2018, there have been a number of attack waves pushing different versions of sextortion threats.

      There have been sextortion scams where the criminals claimed they were from China, where the hackers claimed they intercepted a user's computer cache data, where the hackers claimed to have hacked all of a victim's online accounts, where crooks claimed they hacked the victim's phone, or where crooks claimed to have recorded the user via his webcam while visiting adult sites.

      These themes vary almost on a weekly basis, as scammers professionally test different themes and tactics to determine the best ROI. And they've been making money hand over fist.

      But this week, sextortion scams took another dangerous turn. Security researchers at Proofpoint blogged they've seen a variation of a sextortion scam campaign that included a download link at the bottom of the blackmail message.

      The scammers claimed to have a video of the user pleasuring himself while visiting adult sites, and they urged the user to access the link and see for himself. But Proofpoint says that instead of a video, users received a ZIP file with a set of malicious files inside.

      Users who downloaded and ran these files would be infected by the AZORult malware, which would immediately download and install the GandCrab ransomware. Even if the user had no intention of paying the sextortion demand, curious users would still end up being held for ransom if they were careless enough to follow the link and ran the files they received.

      You should warn your users to delete these emails, or better yet, click on the (free) Phish Alert Button and report them to your organization's IT Incident Response team.

      I suggest you send the following to your employees in high-risk jobs specifically. You're welcome to copy, paste, and/or edit:

      The bad guys are getting more and more dangerous with sextortion scams. They now send you an email that claims they have a video of you watching an inappropriate website, and that you can download that video and see it for yourself. But if you do, your computer gets infected with ransomware! If any emails of this type make it through the spam filters, please follow our organization's email security policy, and Think Before You Click! [OPTIONAL] Click on the Phish Alert Button to delete it from your inbox and at the same time alert IT about this scam.

      Do your users know what to do when they receive a suspicious email?

      Should they call the help desk, or forward it? Should they forward to IT including all headers? Delete and not report it, forfeiting a possible early warning?

      KnowBe4’s Phish Alert button now also works with Outlook Mobile for iOS and Android. This enables your users to report suspicious emails from not only their computer but from their mobile inbox as well.

      (If you’re running Office 365 and want to give your end-users the ability to report suspicious emails from their mobile inbox, you can enable the official Outlook Mobile app for iOS or Android directly from the KnowBe4 console.)

      The Phish Alert Button gives your users a safe way to forward email threats to the security team for analysis and deletes the email from the user's inbox to prevent future exposure. All with just one click!

      Best of all, there is no charge!

      • Reinforces your organization's security culture
      • Incident Response gets early phishing alerts from users, creating a network of “sensors”
      • Email is deleted from the user's inbox to prevent future exposure
      • Easy deployment via MSI file for Outlook, G Suite deployment for Gmail (Chrome)

      This is a great way to better manage the problem of social engineering. Compliments of KnowBe4!

      Here is a link you can cut and paste into your browser to get the Phish Alert Button https://info.knowbe4.com/free-phish-alert

      Warm regards, Stu

      posted in IT Discussion
    • [Heads-up] Instant LinkedIn Hit: "Kevin Mitnick Demos The USB Ninja Cable Attack"

      The moment this 3-minute video was released on LinkedIn it went viral, had 900 likes, 90 comments, and well over 30K views in no time.

      Kevin Mitnick, KnowBe4's Chief Hacking Officer, wrote: "I’m excited to share the new #USBNinja cable that uses Bluetooth to command the malicious cable to inject its payload onto a targeted machine. The transmitter range is up to 100m depending on the antenna used.

      "My sincere congrats to Olaf, Dennis, Vincent Yiu and the rest of the RFID Team for such brilliant work. This work was borne out of the NSA’s COTTONMOUTH project disclosed by Edward Snowden. For those that are interested in the #USBNinja cable, this was formerly codenamed USBHarpoon."

      Here is a link where you can see this brand new attack video yourself:
      https://blog.knowbe4.com/knowbe4s-chief-hacking-officer-kevin-mitnick-demonstrates-the-usb-ninja-cable-attack

      Warm regards, Stu

      posted in IT Discussion
    • Brand-New Tool: Domain Doppelgänger Identifies Evil Twin Domains

      I'm excited to announce the actual release of a new tool to help protect your organization from the bad guys.

      Phishing is still the most widely used cyber attack vector, and criminal attack campaigns often use spoofed websites to deceive your users so they simply allow the bad guys to take over your network.

      Since look-alike domains are a dangerous vector for phishing and other social engineering attacks, it’s a top priority that you monitor for potentially harmful domains that can spoof your domain.

      Our NEW Domain Doppelgänger tool makes it easy for you to identify your potential “evil domain twins” and combines the search, discovery, reporting, and risk indicators, so you can take action now.

      Better yet, with these results you can now generate an online assessment test to see what your users are able to recognize as “safe” domains for your organization. You then receive a summary of the test results to understand how security-aware your users are when it comes to identifying potentially fraudulent or phishy domains.

      With Domain Doppelgänger, you can:

      • Search for existing and potential look-alike domains
      • Get a report with aggregated results that includes risk indicators, and
      • Generate an online “domain safety” quiz based on the results to administer to your end users

      This is a complimentary tool and will take only a few minutes. Domain Doppelgänger helps you find the threat before it is used against you.

      Find your look-alike domains here:

      Copy & paste this link into your browser:

      https://www.knowbe4.com/domain-doppelganger

      Warm regards, Stu

      posted in IT Discussion
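The post above describes searching for "evil twin" domains. The following is an added example, not KnowBe4's Domain Doppelgänger tool and not code from the post: it generates the usual look-alike classes (character omission, repetition, transposition, ASCII homoglyphs, hyphenation, TLD swap) for a domain, and then checks a list of sender domains, as you might pull from a mail gateway log, against them. The homoglyph table, the TLD list and the sample sender domains are assumptions constructed for the example.

```python
"""Generate look-alike ("evil twin") candidates for a domain and match
observed sender domains against them. Added example; the homoglyph table,
the TLD list and the sample sender domains below are constructed."""
from collections import defaultdict

# ASCII homoglyph / confusable substitutions (assumed table, not exhaustive).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "s": "5",
              "rn": "m", "m": "rn", "vv": "w", "w": "vv", "cl": "d"}
# TLDs commonly registered by squatters (assumed list).
SWAP_TLDS = ["com", "net", "org", "co", "io", "info", "biz"]


def split_domain(domain):
    """'knowbe4.com' -> ('knowbe4', 'com'): registrable name and its TLD."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def permutations(domain):
    """Return {category: sorted candidate domains}; never includes the original."""
    name, tld = split_domain(domain)
    out = defaultdict(set)
    for i in range(len(name)):
        out["omission"].add(name[:i] + name[i + 1:] + "." + tld)        # knwbe4.com
        out["repetition"].add(name[:i] + name[i] + name[i:] + "." + tld)  # knnowbe4.com
    for i in range(len(name) - 1):
        if name[i] != name[i + 1]:                                        # knwobe4.com
            out["transposition"].add(name[:i] + name[i + 1] + name[i] + name[i + 2:] + "." + tld)
    for src, dst in HOMOGLYPHS.items():                                   # kn0wbe4.com
        idx = name.find(src)
        while idx != -1:
            out["homoglyph"].add(name[:idx] + dst + name[idx + len(src):] + "." + tld)
            idx = name.find(src, idx + 1)
    for i in range(1, len(name)):                                         # know-be4.com
        out["hyphenation"].add(name[:i] + "-" + name[i:] + "." + tld)
    for t in SWAP_TLDS:                                                   # knowbe4.co
        if t != tld:
            out["tld"].add(name + "." + t)
    return {k: sorted(v) for k, v in out.items()}


def find_lookalikes(observed, legit):
    """Map each observed domain that imitates `legit` to the class it falls in."""
    legit_name, _ = split_domain(legit)
    index = {cand: cat for cat, cands in permutations(legit).items() for cand in cands}
    hits = {}
    for dom in observed:
        dom = dom.lower()
        if dom == legit.lower():
            continue
        if dom in index:
            hits[dom] = index[dom]
        else:
            name, _ = split_domain(dom)
            # Brand embedded in a longer name, e.g. knowbe4-secure.com.
            if legit_name in name and name != legit_name:
                hits[dom] = "brand-embedding"
    return hits


# Constructed sender domains, as might be pulled from a mail gateway log.
SAMPLE_SENDERS = ["knowbe4.com", "kn0wbe4.com", "knowbe4-secure.com",
                  "example.org", "knowbe4.co", "knwobe4.com"]

if __name__ == "__main__":
    for cat, cands in permutations("knowbe4.com").items():
        print(f"{cat:14s} {len(cands):3d} candidates, e.g. {cands[0]}")
    for dom, cat in find_lookalikes(SAMPLE_SENDERS, "knowbe4.com").items():
        print(f"LOOK-ALIKE {dom} ({cat})")
```

The candidate list is what you would feed to a WHOIS or passive-DNS lookup to see which twins are already registered; the matcher is the part you run continuously over inbound sender domains.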
    • Second Quarter 2018 Top-Clicked Phishing Email Subjects [INFOGRAPHIC]

      We've been reporting on the top-clicked phishing email subjects every quarter for a while now across three different categories: general emails, those related to social media, and 'in the wild' attacks that are a result of millions of users clicking on the Phish Alert Button on real phishing emails and allowing our team to analyze the results.

      Make Your Users Think Twice

      Sharing the latest threats with users is a great way to keep them on their toes. Also, we see a lot of similarities in the subjects quarter over quarter, so knowing what the popular ones are can help them to stay vigilant and ultimately think twice before clicking. The bad guys continue to take advantage of the human psyche and bypass rational behavior.

      Using Human Nature Against Us

      “Hackers are smart and know how to leverage multiple psychological triggers to get the attention of an innocent victim. In today’s world, it’s imperative that businesses continually educate their employees about the tactics that hackers are using so they can be savvy and not take an email at face-value. Hackers will continue to become more sophisticated with the tactics they use and advance their utilization of social engineering in order to get what they want,” said Perry Carpenter, chief evangelist and strategy officer at KnowBe4.

      Here is a visual representation of top messages for the last quarter.

      Warm regards, Stu

      posted in IT Discussion
    • New Sleeper Strain of SamSam Ransomware Bypasses AV And Stays Hidden On Your Network

      The ransomware strain that crippled several cities and school districts in the U.S. earlier this year is back with more tricks up its sleeve to avoid detection.

      If you haven’t heard of SamSam, you haven’t been paying attention. Just one example of the kind of destruction they can cause is the recent attack on the Colorado Department of Transportation which caused downtime for 2,000+ systems.

      This new SamSam strain adds a human element to its already devious mix of evasive techniques to keep antivirus, endpoint, and even more advanced security software from detecting it.

      SamSam avoids being discovered using sophisticated methods of constructing its payload and how it executes. In their recent blog, endpoint protection company Malwarebytes provides a detailed technical explanation of how this new variant of SamSam works.

      Your Executive Summary

      Your executive summary is that basically this SamSam strain avoids detection using three advanced techniques.

      • It decrypts the payload only at run-time, making it nearly impossible to identify and analyze.
      • Its loader, payload, and logs are wiped, leaving very few traces behind for any forensics or scanning tools.
      • It requires a password to be entered by the threat actor to run in the first place.

      It’s that last part of the attack that makes this latest strain so dangerous. Unlike most ransomware strains which are designed to spread automatically, this new strain of SamSam is designed for targeted attacks.

      By requiring a password, the payload remains encrypted (and, therefore, an absolute secret), only woken up when and where the bad guys choose to unleash it in your network, all at the same moment to create the biggest impact and damage.

      Do You Want The Good News Or The Bad News?

      The good news is that, should users accidentally download this strain of ransomware, or your network is compromised via an RDP brute-force attack, the payload is harmless without the password to run it. The bad news is, should the SamSam gang decide that your organization is next up to be extorted, all your users will be sitting on their hands for possibly weeks if your backups fail.

      The Two Problems: Open RDP Ports And Social Engineering

      Gangs like SamSam and Crysis use two main attack vectors to get in: RDP ports, and social engineering your users, normally through email attachments. Let's take a look at RDP first.

      RDP Attack

      A typical RDP attack goes through the following steps: An attacker picks targets with RDP ports available online and identifies if the computer is assigned to an enterprise network. Alternatively, he can always buy access to previously hacked RDP servers, via marketplaces like xDedic.

      They try to brute-force the RDP connection, and once the system is accessed they return multiple times to quickly compromise the machine. These repeated attempts are generally successful in a matter of minutes.

      Once they gain access the attacker goes lateral in the network and infects critical machines, but does not get the ransomware code executed... yet.

      Social Engineering Your Users

      Recent research shows that between 10.5% and 15% of malicious email makes it through the filters. This gap analysis is the best proof that you should train your end users and create an additional security layer that you could call your Human Firewall.

      Five Things You Can Do About This Right Away:

      1. When is the last time you tested the restore function of your backups? You want to do that ASAP, and make sure you have weapons-grade backups at all times.

      2. Scan your network to identify any open RDP ports and ideally disable RDP completely on all Windows machines if possible. By default, the server listens on TCP port 3389 and UDP port 3389.

      3. Best practice to protect a network from a brute force RDP attack is to apply strong RDP security settings, including limiting or disabling access to shared folders and clipboards from remote locations.

      4. An RDP brute force approach does open the attacker’s information to the targeted network, so automate the process of parsing the Windows Event Viewer logs, find any compromised user accounts, identify the IP address of the attacker and block that.

      5. Do a no-charge Phishing Security Test and find out what percentage of your users are Phish-prone. Use that percentage as a catalyst to start a new-school security awareness training program, which—by survey—your users are actually going to appreciate because it helps them stay safe on the internet at home.

      Let's stay safe out there.

      Warm regards,
      Stu Sjouwerman
      Founder and CEO,
      KnowBe4, Inc

      posted in IT Discussion
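Step 4 of the list above (parse the Windows event logs, find compromised accounts, identify the attacker's IP and block it) can be automated. The following is an added example and not the post's own tooling: it runs over a small constructed export of Security log events (4625 = failed logon, 4624 = successful logon, with the logon type and source address), flags any source IP that produces a burst of failures inside a short window, treats a success from such an IP as a compromised account, and emits the firewall rule for the block. The pipe-delimited export format, the sample events, the threshold and the window are assumptions.

```python
"""Detect RDP brute-force bursts and the successful logon that often follows
them in Windows Security event data. Added example, not the post's own
tooling; the export format, the events and the thresholds are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5             # failures from one IP inside WINDOW -> brute force
WINDOW = timedelta(minutes=5)
# Logon type 10 = RemoteInteractive (RDP). With Network Level Authentication
# the pre-auth failure is logged as type 3 (Network) instead, so both are
# counted; expect some noise from SMB on type 3.
RDP_LOGON_TYPES = {3, 10}

# Constructed export: timestamp|EventID|LogonType|TargetUserName|IpAddress
SAMPLE_EVENTS = """\
2018-08-01T02:14:05|4625|3|Administrator|203.0.113.7
2018-08-01T02:14:09|4625|3|Administrator|203.0.113.7
2018-08-01T02:14:14|4625|3|admin|203.0.113.7
2018-08-01T02:14:20|4625|3|Administrator|203.0.113.7
2018-08-01T02:14:27|4625|3|Administrator|203.0.113.7
2018-08-01T02:14:33|4625|3|Administrator|203.0.113.7
2018-08-01T02:15:02|4624|10|Administrator|203.0.113.7
2018-08-01T09:01:10|4625|10|jsmith|198.51.100.23
2018-08-01T09:01:40|4625|10|jsmith|198.51.100.23
2018-08-01T09:02:05|4624|10|jsmith|198.51.100.23
2018-08-01T11:00:00|4625|3|backup|192.0.2.44
2018-08-01T11:12:00|4625|3|backup|192.0.2.44
2018-08-01T11:25:00|4625|3|backup|192.0.2.44
2018-08-01T11:38:00|4625|3|backup|192.0.2.44
2018-08-01T11:51:00|4625|3|backup|192.0.2.44
2018-08-01T12:00:00|4625|2|jsmith|-
""".splitlines()


def parse_event(line):
    ts, event_id, logon_type, account, ip = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "logon_type": int(logon_type), "account": account.lower(), "ip": ip}


def analyze(lines):
    """Return the IPs to block and the (account, ip) pairs whose successful
    logon came from an IP already seen brute-forcing."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    recent_failures = defaultdict(deque)   # ip -> failure timestamps inside WINDOW
    brute_ips, compromised = set(), set()
    for ev in events:
        if ev["logon_type"] not in RDP_LOGON_TYPES or ev["ip"] == "-":
            continue                       # local / non-RDP logons are out of scope
        if ev["event_id"] == 4625:
            q = recent_failures[ev["ip"]]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > WINDOW:    # slide the window forward
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                brute_ips.add(ev["ip"])
        elif ev["event_id"] == 4624 and ev["ip"] in brute_ips:
            compromised.add((ev["account"], ev["ip"]))
    return {"block": sorted(brute_ips), "compromised": sorted(compromised)}


def block_rule(ip):
    """Windows Firewall rule (netsh) dropping inbound RDP from the attacker IP."""
    return ('netsh advfirewall firewall add rule name="Block RDP brute-force %s" '
            'dir=in action=block protocol=TCP localport=3389 remoteip=%s' % (ip, ip))


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for account, ip in result["compromised"]:
        print(f"RESET PASSWORD: {account} (logged on from {ip})")
    for ip in result["block"]:
        print(block_rule(ip))
```

In the sample data only 203.0.113.7 crosses the threshold: jsmith's two typos followed by a success are normal, and 192.0.2.44 spreads its five failures over an hour, which is why the window matters (a slow attacker needs a longer window or a per-account counter to catch). The successful logon from the brute-forcing IP is the account to reset and investigate, not just the IP to block.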
    • Why Social Engineering Works And How To Arm Yourself Against "Human Hacking"

      Let me share some observations after 7 years of building KnowBe4 from scratch into a 100 million dollar company.

      We train your employees to recognize social engineering attacks and not fall for hacker tactics that attempt to manipulate them into doing something against their and your interest. In short, we enable your employees to make smarter security decisions, every day.

      But what is the basic mechanism behind social engineering? Why exactly does it work? How do you arm yourself against it?
      Over the last 15 years, a lot of books have been written about this, and many experts have voiced their opinions. However, here is some hard-won experience from the trenches.

      We all know that the bad guys go after your users—the weak link in IT security—because hacking humans is easier and faster than hacking software or hardware. Hacking the wetware can often be done in less than a minute.

      OK, so exactly WHY is it so easy to hack the wetware?

      Let's have a look at people's behavior in general for a moment and paint a picture in your mind. Two extremes: fully rational on the left and fully irrational on the right. In a business environment, which ideally is driven by both reason and competition, there is of course no pure black or white; these two extremes are really a gray scale, and employees hopefully operate left of the middle.

      [image: GrayScale]

      How do the bad guys manipulate behavior? They attempt to influence—essentially bypass—rational behavior ("I'm not clicking that!") and force the user to the right into more irrational behavior ("I'm clicking that now!")

      In other words, they are pushing your users from rational behavior that's based on a cycle of observation, deciding, and acting, into a more irrational short circuit that's a knee-jerk reaction consisting of only observation -> action without the decision step.

      Here is an example of this in real-life battle

      Since the 1950s, U.S. Navy fighter pilots have been trained to understand and follow the OODA Loop: Observe, Orient, Decide and Act.

      From Wikipedia: The OODA loop is the decision cycle of observe, orient, decide, and act, developed by military strategist and United States Air Force Colonel John Boyd. Boyd applied the concept to the combat operations process, often at the operational level during military campaigns.

      [image: OODA-LOOP]

      Top Guns use the OODA loop in dogfights, and use a series of them in very short succession. Here is how that looks. Check out the US Navy's Blue Angels in action:

      But the OODA loop can be applied in a number of ways, including business in general and here is how it applies to social engineering:

      1. Observation: Your end user is active in your organization getting their tasks done. Suddenly the end user observes something that seemingly they need to do something about, either to prevent a negative consequence or benefit from an opportunity. (The attacker's first attack vector.)

      2. Orientation: In business this refers to human judgement to put this into context with past experience and business understanding, to quickly predict what to do next. ("Hmm, I see phishing red flags here...")

      3. Decide: Using the data and orientation toward rational, productive behavior. ("I'm not clicking that!")

      4. Action: Putting that decision in motion. (The user clicks on the Phish Alert Button instead.)

      Even without the heart-pounding thrill of barrel rolls and live-ammo contact with the enemy, the OODA Loop is a powerful weapon for everyone if they apply it correctly.

      The exact anatomy of social engineering

      The game for the bad guys is to get inside the OODA Loop and cut out the decide step. That is the exact anatomy of social engineering: subversion of the decision-making process.

      The bad guy wants your user to react without much (or any) rational thought. The click, or the opening of the attachment, is action based on emotion. A good example is the attacker artificially creating shock (Celebrity Death!) in the mind of your user.

      In the past, some people have tried to describe this process with terms like "influencing or activating the subconscious" which contains a hard-wired series of behavior patterns, like yanking your hand off a hot stove.

      What they really tried to describe was the omission of the "decide" step in the OODA Loop.

      So, how to arm your users against human hacking?

      Educate them about social engineering. Show them how it works. Train them how the bad guys try to manipulate employees. Explain the exact mechanism so that they actually understand it, and are able to apply what they learned in their work environment.

      A trained employee is much harder to fool, and dramatically less gullible when they are confronted with attack vectors that try to social engineer them. Step your users through new-school security awareness training.

      Get a quote and find out how surprisingly affordable this is for your organization.

      https://info.knowbe4.com/enterprise_get_a_quote_now

      posted in IT Discussion
    • What are “WannaMine” attacks, and how do I avoid them?


      It's suddenly all over the news. In hindsight, it was a matter of "not if, but when".

      Sophos just warned against a new hybrid worm that combines the ETERNALBLUE exploit and cryptomining.

      ETERNALBLUE is the infamous escaped NSA code that was used in the WannaCry worm, so the combination of this method of breaking in, followed by a cryptomining payload, has been dubbed WannaMine.

      WannaMine attacks aren’t new, but the Sophos Support team has recently had a surge in the number of enquiries from people asking for advice about the issue. Sophos posted a 13-minute video interview.

      Here are the quick Questions and Answers, based on the video.

      Q. Is WannaMine like WannaCry? Is it ransomware that scrambles my disk?

      A. The name “WannaMine” is a coined term (pun intended) that refers to a malware family that uses the network spreading capabilities of WannaCry to deliver cryptomining malware rather than ransomware.

      Q. What is cryptomining malware? Is it as dangerous as ransomware?

      A. Cryptomining is when crooks secretly get your computer to do the calculations needed to generate cryptocurrency, such as Bitcoin, Monero or Ethereum; the crooks keep any cryptocoin proceeds for themselves.

      To make money with cryptomining, you need a lot of electricity to deliver a lot of processing power on a lot of computers.

      By illegally installing cryptominers inside your network, the crooks therefore steal your resources to do their work.

      Q. Can cryptomining damage my computer?

      A. We’ve seen stories of mobile phone batteries bulging due to overheating when the device was deliberately forced to do mining calculations for hours on end.

      However, WannaMine doesn’t run on mobile phones – it attacks Windows computers.

      Nevertheless, even if no permanent damage is done, you’ll probably find your laptop batteries draining much faster than usual, your fans running flat out, and your laptop being noticeably hotter than usual.

      Also, if malware like WannaMine can penetrate your network, you are at serious risk of other malware at the same time, including ransomware.

      We frequently see evidence of cryptomining left behind on computers that were zapped by ransomware, so don’t ignore WannaMine infections if they show up – where one crook goes, others will surely follow.

      Q. If I don’t own any cryptocoins and I’m not part of the cryptocurrency scene, am I still at risk?

      A. Yes.

      WannaMine malware attacks aren’t trying to locate your digital cryptocurrency stash and steal it.

      They want free use of your computer for cryptomining calculations of their own, whether you’re interested in cryptocurrency or not.

      Q. Can security software prevent WannaMine attacks?

      A. Yes.

      Exploit prevention software (e.g. Sophos Intercept X) can block the ETERNALBLUE attack to prevent malware like this from entering your network in the first place.

      Anti-virus and host intrusion prevention software (e.g. Sophos Endpoint Protection) can stop the malicious processes that allow the WannaMine attack to proceed, even if the exploit triggers at the start.

      Network security software (e.g. Sophos XG Firewall) can block the network activity required for malware like WannaMine to work.

      Q. What else can I do?

      A. Patch promptly, and pick proper passwords.

      WannaMine malware typically includes the same ETERNALBLUE exploit that was abused by WannaCry and allowed it to spread. This exploit was patched last year in Microsoft update MS17-010, so a properly patched network wouldn’t be open to the exploit in the first place.

      If the ETERNALBLUE hole is already closed, WannaMine can try to spread using password cracking tools to find weak passwords on your network.

      Sophos said: It only takes one user with poor password hygiene to put your whole network at risk.

      Here are three things you can do about this right now

      • Re-test your whole network for Patch MS17-010 and make 100% sure that all machines are indeed updated

      • Step your users through new-school security awareness training, and have them do the new Strong Passwords Module.

      • Download the free Weak Password Test tool, and immediately scan AD for passwords that need to be beefed up.

      How weak are your users’ passwords? Are they... P@ssw0rd?

      KnowBe4’s complimentary Weak Password Test (WPT) checks your Active Directory for several different types of weak password related threats.

      WPT gives you a quick look at the effectiveness of your password policies and any fails so that you can take action. WPT tests against 10 types of weak password related threats, for example: Weak, Duplicate, Empty, Never Expires, plus 6 more.

      Here's how Weak Password Test works:

      • Reports on the accounts that are affected

      • Tests against 10 types of weak password related threats

      • Does not show/report on the actual passwords of accounts

      • Just download the install and run it

      • Results in a few minutes!

      This will take you 5 minutes and may give you some insights you never expected!

      Download Now:

      https://info.knowbe4.com/weak-password-test

      Warm regards,

      Stu Sjouwerman
      Founder and CEO, KnowBe4, Inc.


      posted in IT Discussion
    • RE: [Heads-up] New Ransomware Strain Encrypts Cloud Email Real-time VIDEO

      @tim_g We do! Now 15,000 customers. 🙂

      posted in IT Discussion
    • [Heads-up] New Ransomware Strain Encrypts Cloud Email Real-time VIDEO

      OK, here is something new and really scary.

      KnowBe4's Chief Hacking Officer Kevin Mitnick called me with some chilling news. A white hat hacker friend of his developed a working "ransomcloud" strain, which encrypts cloud email accounts like Office 365 in real-time. My first thought was :"Holy $#!+".

      I asked him: "Can you show it to me?", and Kevin sent this to me a few hours ago. Lucky for us, this ransomware strain is not in the wild just yet, but it's on the horizon, so this is your heads-up! If a white hat can do this, so can a black hat.

      This new strain uses a smart social engineering tactic to trick the user to give the bad guys access to their cloud email account, with the ruse of a "new Microsoft anti-spam service".

      Once your employee clicks "accept" to use this service, it's game over: all email and attachments are encrypted real-time! See it for realz here in 5 minutes and shiver:
      YouTube Ransomcloud Demo

      What Kevin recommends at the end of this video: "Stop, Look and Think before you click on any link in an email that could potentially give the bad guys access to your data." is now more true than ever.

      What Percentage Of Your Users Would Click On That Link?

      Organizations are moving millions of users to O365. However, this video proves that being in the cloud does not automatically mean you are secure. The Phish-prone percentage of your users is your number one vulnerability, as they remain the weakest link in your IT security, cloud or not.

      Here is a way to get your users' phish-prone percentage baseline at no cost

      KnowBe4's free Phishing Security Test allows you to choose which environment you want to test:


      If you choose the O365 option, your user will be sent this Phishing Security Test (PST) email after you upload the email addresses and whitelist our domain:

      As you just saw, cyber-attacks are rapidly getting more sophisticated. We help you step your employees through new-school security awareness training to better manage the urgent IT security problems of social engineering, spear-phishing and ransomware attacks. Take the first step now. No need to talk to anyone.

      Find out what percentage of your employees are Phish-prone™ with our free Phishing Security Test (PST). If you don't do it yourself, the bad guys will.

      https://www.knowbe4.com/phishing-security-test-offer

      posted in IT Discussion ransomware
    • The Top 5 Reasons Why You Need To Deploy New-school Security Awareness Training In 2018


      2017 was a dumpster fire of privacy and security screw-ups.

      To start 2018 with a simple, effective IT security strategy is an excellent New Year's resolution and helps your CEO to keep their job. Better yet, thousands of your peers will tell you this was the best and most fun IT security budget they ever spent... hands-down.

      This list is the high-power ammo you need to get budget and roll out new-school security awareness training, ideally right now.

      Here are the Top 5 reasons...

      • Social Engineering is the No. 1 go-to strategy for the bad guys. Unfortunately their time is money too. Why spend 2 months of research uncovering a 0-day when you (literally) can create an effective spear-phishing attack in 2 hours? They are going after the human—the weakest link in IT security—and your last line of defense.

      • Ransomware is only going to get worse in 2018. Email is still their favorite attack vector, and their sophistication is increasing by the month. The downtime caused by ransomware can be massive.

      • Compliance requirements for awareness training are being sharpened up. Thinking that today you can get away with a yearly one-time, old-school awareness training session is whistling past the graveyard. A good example is May 25, 2018 when enforcement actions for GDPR begin. We have compliance training for GDPR ready for you in 24 languages.

      • Legally you are required to act "reasonably" and take "necessary" measures to cope with a threat. If you don't, you violate either compliance laws, regulations, or recent case law. Your organization must take into account today's social engineering risks and "scale security measures to reflect the threat". Don't trust me, read this, confirm with your lawyer, and next insist on getting budget. Today, data breaches cause practically instant class action lawsuits. And don't even talk about all employees filing a class action against your own company because your W-2 forms were exfiltrated with CEO fraud.

      • Board members' No. 1 focus today is cyber security. Some very pointed questions will be asked if they read in the Wall Street Journal that your customer database was hacked and the breach data is being sold on the dark web. Once it becomes clear that your organization did not deploy a simple, effective strategy that could have prevented this, a few (highly placed) heads will roll. Target's CEO and CISO are just an example. Help your CEO to keep their job.

      So now that it's clear you just have to do this ASAP, why choose KnowBe4?

      OK, let's list the 5 reasons why KnowBe4 is the complete no-brainer option—after casually mentioning we are the fastest growing vendor in this field and have 15,000+ customers, more than all our competitors combined:

      • KnowBe4 was recognized by Gartner as a Leader in the Magic Quadrant

      • Goldman Sachs recently invested $30M of Series B funding in KnowBe4 because they believe in our mission

      • The KnowBe4 platform was built from the ground up for IT pros that have 16 other fires to put out

      • The KnowBe4 ModStore has the world's largest choice in fresh awareness training content

      • Pricing is surprisingly affordable, and gives you a 127% ROI with a one-month payback

      • BONUS: It's actually a lot of fun to phish your users and get the conversation started!

      I strongly suggest you get a quote for new-school security awareness training for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP because your filters have an average 10.5% failure rate. Get a quote now and you will be pleasantly surprised.

      Get A Quote
      https://info.knowbe4.com/kmsat_get_a_quote_now

      Warm regards,
      Stu Sjouwerman
      Founder and CEO
      KnowBe4, Inc.

      posted in IT Discussion
      stus
    • 86% of security pros worry about a phishing future where criminals are using Artificial Intelligence


      A new survey by Webroot shows that 86% of security professionals worry that AI and ML (machine learning) technology could be used against them. And they are right, because it will and probably is already happening right now with fake celebrity sex videos.

      The survey shows the US is an early adopter of AI for cyber security, with 87 percent of US professionals reporting their organizations are currently using AI as part of their security strategy.

      Three quarters of cyber security professionals in the US believe that, within the next three years, their company will not be able to safeguard digital assets without AI. Overall, 99 percent believe AI could improve their organization's cyber security.

      Respondents identified key uses for AI including time-critical threat detection tasks, such as identifying threats that would have otherwise been missed and reducing false positive rates.

      "There is no doubt about AI being the future of security as the sheer volume of threats is becoming very difficult to track by humans alone," says Hal Lonas, chief technology officer at Webroot. More detail at Webroot's Quarterly Threat Trends report.

      AI is a game changer for better or for worse

      This is the first time in history that AI has come up to the level predicted in Sci-Fi for decades. And some of the smartest people in the world are working on ways to tap AI’s immense power to do just that.

      And some bad guys are using it to create fake celebrity sex videos. Yes, you read that right.

      This is going to be the next wave of phishing emails that use social engineering to manipulate your users into opening an infected attachment.

      With help from a face swap algorithm of his own creation using widely-available parts like TensorFlow and Keras, Reddit user “Deepfakes” tapped easily accessible materials and open-source code that anyone with a working knowledge of machine learning could use to create serviceable fakes.

      "Deepfakes" has produced videos or GIFs of Gal Gadot (now deleted), Maisie Williams, Taylor Swift, Aubrey Plaza, Emma Watson, and Scarlett Johansson, each with varying levels of success. None are going to fool the discerning watcher, but all are close enough to hint at a terrifying future.

      After training the algorithm — mostly with YouTube clips and results from Google Images — the AI goes to work arranging the pieces on the fly to create a convincing video with the preferred likeness. That could be a celebrity, a co-worker, or an ex. AI researcher Alex Champandard told Motherboard that any decent consumer-grade graphics card could produce these effects in hours. (THIS LINK IS NSFW!)

      So, picture this. (Or rather, don't picture this!)

      Your user gets a spear-phishing email based on their social media "likes and shares", inviting them to see a celebrity sex video with... you guessed it, their favorite movie star! Take it one step further and your user will be able to order fake celeb sex videos with any two (or more) celebrities of their liking and get it delivered within 24 hours for 20 bucks.

      And a good chunk of these video downloads will come with additional malware like Trojans and Keyloggers that give the bad guys full pwnage. Yikes.

      All the more reason to educate your users within an inch of their lives with new-school security awareness training that sends them frequent simulated tests using phishing emails, the phone, and txt to their smartphone.

      We help you train your employees to better manage the urgent IT security problems of social engineering, spear-phishing and ransomware attacks. Take the first step now. Find out what percentage of your employees are Phish-prone with our new, improved free Phishing Security Test.

      Get Your Free PST Now

      https://www.knowbe4.com/phishing-security-test-offer

      Warm regards,
      Stu Sjouwerman
      Founder and CEO
      KnowBe4, Inc.


      posted in IT Discussion
      stus
    • Uber Total Loss: 57 Million Records Stolen But Data Breach Was Hidden For A Year


      Oh boy. Uber is known for pushing the limits of the law and has dozens of lawsuits pending against it, but this one went too far and now comes the reckoning.

      Bloomberg was first to report that hackers stole the personal data of 57 million customers and drivers from Uber, a massive breach that the company concealed for more than a year. Finally, this week, they fired their chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers to "delete the data". Yeah, sure!

      Victim Of A Simple Credentials Phishing Attack?

      Here’s how the press describes the hack: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company.

      From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company. If you read between the lines, that could very well be a simple credentials spear phishing scheme, done with some crafty social engineering, or perhaps careless developers leaving internal login passwords lying around online.

      Failure To Disclose

      Joe Sullivan, the outgoing security chief, spearheaded the response to the hack last year, a spokesman told Bloomberg. Sullivan, a onetime federal prosecutor who joined Uber in 2015 from Facebook Inc., has been at the center of much of the decision-making that has come back to bite Uber this year.

      Bloomberg reported last month that the board commissioned an investigation into the activities of Sullivan’s security team. This project, conducted by an outside law firm, discovered the hack and the failure to disclose, Uber said.

      SNAFUS are bad, but cover-ups can kill you

      No doubt regulators will also be asking tough questions about why they were not informed about the breach until this week, and class-action lawsuits... heeeere we come!

      Uber says it has "not seen evidence of fraud or misuse tied to the incident." Let's hope that they are right, but it is highly unlikely that these records were deleted. It's practically sure they are sold on the dark web or will be. There are many ways that data could be abused by criminals without Uber ever becoming aware.

      All organizations would be wise to remember this: SNAFUS are bad, but cover-ups can kill you. You can ask forgiveness for being hacked and handle your disclosure correctly, but many people will find it harder to forgive if you deliberately covered up the truth.

      Expect Uber-themed phishing attacks

      Now that this is all over the press, the bad guys are going to send Uber-themed phishing attacks in a variety of flavors. First will be emails with warnings like "Your Uber Account Has Been Compromised" sending people to compromised websites where indeed their credentials will be stolen! You can imagine online criminals are going to have a field day with this, since it's all over the press and people are going to get worried.

      I suggest you send the following to your friends, family and employees, feel free to copy/paste/edit:

      Uber has suffered a data breach a year ago, and the address and email information of 57 million people were stolen. Uber paid off the hackers who then supposedly deleted the data, but that cannot be confirmed.

      Watch out for phishing emails related to this Uber data theft, for instance that your "Uber account was compromised" and that you need to change your password, or anything else related to Uber that could be suspicious.

      Never click on a link in an email, always go to the website yourself through your browser's address bar or a bookmark you have set earlier. Remember, Think Before You Click!

      Warm regards,

      Stu Sjouwerman

      Founder and CEO, KnowBe4, Inc.

      posted in IT Discussion
      stus
    • New Ransomware Strain Evades Machine Learning Security Software

      Here is the latest tactic in the cat-and-mouse game between cybercrime and security software vendors. The bad guys have come up with a new ransomware phishing attack, tricking users to open what appears to be a document scanned from an internal Konica Minolta C224e. This model is one of the most popular business scanner/printers in the world. The emails are written to make the user think that the communication is from a vendor.

      Basically, Locky is back with a vengeance and a whole new bag of evil tricks.

      The campaign launched Sept. 18 features a sophisticated new wrinkle, enabling it to slip past many of the machine learning algorithm-based software sold by some of the industry’s most popular vendors, said security firm Comodo.

      “The method of phishing is by an attachment of an email; the attachment is disguised as a printer output, and it contains a script inside an archive file,” said Fatih Orhan, vice president of Comodo Threat Research Labs. “These are not enough to make a phishing detection.”

      This is the third recent Locky attack

      The third in an increasingly sophisticated series of ransomware attacks launched this summer is also a “Locky” malware variant, dubbed IKARUS by Comodo; some other security vendors are calling it Diablo6.

      As in previous attacks, the hackers are using a botnet of zombie computers which makes it hard to block in spam filters.

      “Employees today scan original documents at the company scanner/printer and email them to themselves and others as a standard practice, so this malware-laden email looks quite innocent but is anything but harmless,” the report continues.

      The most innovative hook of this new feature involves the way the hackers manage to evade anti-malware software.

      Here is how it evades machine learning

      “Machine learning algorithms need to extract the attachment, open the archive, extract the script and understand it has a malicious intent,” said Orhan, the Comodo research head. “But usually, these scripts contain just a download component and do not have malicious intent on their own.”

      “That’s why even machine learning is not sufficient in making these kinds of detections,” he continued. “Complex solutions are needed to run the script dynamically, download actual payload, and perform malware analysis to conclude that it is phishing.”

      In other words, it looks like the bad guys are again ahead of your antivirus, whether that is the traditional or the machine-learning flavor.

      What do you do when all filters have failed?

      Your users still are and will remain your last line of defense, when all filters have failed. You need to create a human firewall. New-school security awareness training is the way to go. Join 13,000 KnowBe4 customers and keep the bad guys out of your network.

      I strongly suggest you get a quote for new-school security awareness training for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP. If you don't, the bad guys will.

      Get a quote now and you will be pleasantly surprised.

      https://info.knowbe4.com/kmsat_get_a_quote_now

      Warm regards, Stu

      posted in IT Discussion
      stus
    • RE: These 4 Maps Will Make You Understand Russia's Aggressive Cyber Attacks

      Interesting Scott! I crossed Checkpoint Charlie into Eastern Germany at the Berlin Wall.

      posted in IT Discussion
      stus
    • These 4 Maps Will Make You Understand Russia's Aggressive Cyber Attacks

      There are many kinds of maps: they can show roads or general geography, but sometimes they shed light on other dimensions like economic, political and/or military perspectives.

      First of all, you need to realize that Planet Earth is an "anarchy of nations". There is no planetary overlord—which we probably should be glad about—and the United Nations are corrupt and ineffective. Countries are locked in a constant struggle for power.

      These maps explain why Russia is so incredibly aggressive on the Internet, and essentially is using the net as an integral part of their asymmetric cold warfare.

      Strategically speaking, Russia has been in a difficult spot since the 1991 collapse of the communist Soviet Union. Putin has repeatedly said this is his biggest regret, and he wants to resurrect the old Soviet power (where his job was stealing Western intellectual property for the KGB).

      Here is a map that shows the furthest reach of the old Soviet regime during the cold war:
      [image: map]

      Have a look at the straight line drawn from Leningrad to Rostov-on-Don, and keep that line in mind. (Note that Leningrad became St. Petersburg in 1991 after the collapse).

      No Natural Barriers

      Now, there are no natural barriers that stop invaders from Western Europe from rolling straight into Russia, like the Germans did in the Second World War. Here is a map that illustrates this:
      [image: map]

      Since the 1991 collapse, Russia has no buffers in place to protect against an invasion, and NATO has made significant inroads in Eastern Europe. The other problem is that Russia is almost landlocked and has no easy access to the sea.

      Landlocked

      Basically Europe controls Russia's access to the sea, and during the Cold War, air bases in Norway, Scotland, and Iceland, coupled with carrier battle groups, worked to deny Russia access to the sea. This demonstrates the vulnerability Russia faces due to its lack of access to oceans and waterways.
      [image: map]

      Cannot Project Significant Force

      Russia cannot project significant force because its naval force is bottled up and because you cannot support major forces from the air alone. Russia's primary issue is the western frontier and Ukraine. Putin thinks that the Euro-American interest in creating a pro-Western regime there has a purpose beyond Ukraine. Putin's Ukraine viewpoint is that they lost a critical buffer zone, and guess what, from his perspective he is right.

      Russian Economy In Serious Trouble

      Russia's economy is very much like an intersection in the boondocks with a gas station, a gun shop, and a flag on top. Their economy is in serious trouble given the plummeting price of oil in the past years and no expectation of getting better. Their weapons exports only partially compensate for this.

      The Upshot

      Russia occupies the weaker strategic position, having lost its western buffers against an invader, with an economy in trouble, and struggling to maintain the physical integrity of "Mother Russia".

      Here is the picture of how things look now, and compare the straight line from St. Petersburg to Rostov-on-Don again with the first map:

      [image: map]

      It is not hard to see why they are grabbing hold of any strategic advantage they can get their hands on, and the internet allows them to overcome traditional military limitations. Russian cyber attacks by the FSB, GRU and organized cyber crime (protected by the Kremlin) are not going away any time soon.

      The Gerasimov Doctrine

      The WSJ observed: "Russia’s military laid out what is now seen as a blueprint for cyberwarfare with a 2013 article in a professional journal by Gen. Valery Gerasimov, the chief of Russia’s General Staff. Cyberspace, wrote Gen. Gerasimov, 'opens wide asymmetrical possibilities for reducing the fighting potential of the enemy.'"

      In his 2013 article, Gerasimov talked about the Russian military’s desire to hone its hacking skills as an extension of conventional warfare and political conflict. In reality, they were already deeply engaged in this and expanding their reach. In Washington’s defense and national security circles, Russia’s attacks in cyberspace have become known as the “Gerasimov doctrine”.

      In addition to the above, Russian President Vladimir Putin said a few days ago: "The leader in Artificial Intelligence will rule the world." He predicted that future wars will be fought by drones, and "when one party's drones are destroyed by drones of another, it will have no other choice but to surrender." Terminator, here we come. Link to Associated Press.

      The vast majority of Russia's attacks start with social engineering and spear phishing attacks. KnowBe4's integrated training and phishing platform allows you to send fully simulated phishing emails so you can see which users answer the emails and/or click on links in them or open infected attachments.

      See it for yourself and get a live, one-on-one demo.

      Request A Demo

      https://info.knowbe4.com/kmsat-request-a-demo

      posted in IT Discussion
      stus
    • SyncCrypt Uses Graphic File to Cloak Ransomware in ZIP Phishing Payload

      Emsisoft security researcher xXToffeeXx discovered another new phishing threat adept at bypassing antivirus, using a variation of the game played by the PowerPoint PPSX attachment phishing email scam we posted about last week.

      “SyncCrypt” distinguishes itself by using a JPG file and a Trojan horse trick of hiding a ZIP file inside a JPG file with automated download of the graphic from one of the several sites controlled by the bad guys.

      The method uses Windows Scripting Language (WSF) which is an old friend of ransomware authors. But this is a clever way to offload and activate the malware on the user's computer while displaying a graphic designed to confuse or buy a minute of time.

      As Larry at Bleepingcomputer observed: "SyncCrypt uses the WSF scripting language to download images with embedded ZIP files making it invisible to many leading antivirus vendors on VirusTotal."

      The attachments then encrypt all the files with a .kk extension.

      The bad news is that there’s no way yet to decrypt SyncCrypt-encrypted files.

      The phishing emails look like Court Orders which are named (not very sophisticated) as CourtOrder_XXXXX.wsf (where X equals a number). Bleepingcomputer reports that the (WSF) Windows scripting files will execute JScript code when released from the JPG encapsulated Zip file.

      The scripting process calls one of three websites to manage the upload of the JPG.

      [image: screenshot]

      The screenshot demonstrates the WSF script calling one of the three sites to download the JPG trojan loaded with a Zip file.

      Once the image is rendered, the graphic displays Olafur Arnalds' album titled “They Have Escaped the Weight of Darkness”, which Arnalds released in 2010. Does this have significance to the location and origin of the ransomware author? We don’t know.

      [image]

      Meanwhile, hiding in the embedded zip file are sync.exe, readme.html, and readme.png. These files are the core components of the SyncCrypt ransomware.

      According to bleepingcomputers.com, the sync.exe file is able to fool about 28 of VirusTotal’s 63 indicators and sneak by many of the leading AV vendors.

      Here is the attack sequence:

      • User gets phished
      • Sync.exe is extracted from the attachment
      • WSF file is executed
      • Schedules a task one minute later to execute encryption process using AES encryption with a public encryption key saved in %Desktop%\READM
      • Encrypted files contain a .kk extension
      • A splash screen reads you the ransom note and gives you 48 hours to act by sending the exact amount of Bitcoin (about USD 429 when discovered) to an address and refers to payment details in a file called amount.txt located in the desktop folder Readme.
      • Victim sends “key” file to one of three email accounts. The instructions emphasize that you must follow all directions exactly or your files will stay encrypted.
      • Currently no way to decrypt files for free

      Way more technical detail:

      KnowBe4's integrated training and phishing platform allows you to send fully simulated phishing emails with attached zip files so you can see which users answer the emails and/or click on links in them or open infected attachments.

      See it for yourself and get a live, one-on-one demo.

      Request A Demo

      https://info.knowbe4.com/kmsat-request-a-demo

      Warm regards, Stu

      posted in IT Discussion
      stus
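As an added example that is not part of the original posts (and not code from KnowBe4, Comodo or Emsisoft), here is a small Python triage check for the two attachment tricks described in the Locky post above and in this SyncCrypt post: an archive that carries nothing but a script, and a JPG with a ZIP archive appended behind the image data. All file names and byte strings are constructed samples; the JPEG is only a header and end marker.

```python
"""Triage checks for two attachment tricks described in the posts above
(an added example, not code from KnowBe4, Comodo or Emsisoft): an archive
whose only content is a script, as in the scanned-document Locky lure, and a
JPG with a ZIP archive appended behind the image data, as in SyncCrypt.
Every file name and byte string below is constructed for the demonstration."""
import io
import zipfile

JPEG_SOI = b"\xff\xd8"  # Start Of Image marker that opens every JPEG file
# Script types that Windows Script Host or the shell runs on a double-click.
SCRIPT_EXTENSIONS = (".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta",
                     ".cmd", ".bat", ".ps1")
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".dll", ".com")


def is_zip(data: bytes) -> bool:
    """True when `data` ends in a parseable ZIP archive. The check looks for
    the end-of-central-directory record at the tail, so it also fires when
    unrelated bytes (a whole JPEG, say) sit in front of the archive."""
    return zipfile.is_zipfile(io.BytesIO(data))


def zip_members(data: bytes) -> list[str]:
    """Member names of the archive at the end of `data` (zipfile accounts
    for any leading non-ZIP bytes when it locates the central directory)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return human-readable findings for one attachment; an empty list
    means none of these (deliberately narrow) checks fired."""
    findings = []
    if filename.lower().endswith(SCRIPT_EXTENSIONS):
        findings.append(f"{filename}: script attachment")
    if not is_zip(data):
        return findings
    members = zip_members(data)
    if data.startswith(JPEG_SOI):
        # A file that is both a JPEG and a ZIP: the archive rides behind
        # the picture, which is what lets the image still render normally.
        findings.append(f"{filename}: ZIP archive hidden after JPEG image data")
    scripts = [m for m in members if m.lower().endswith(SCRIPT_EXTENSIONS)]
    binaries = [m for m in members if m.lower().endswith(EXECUTABLE_EXTENSIONS)]
    if scripts:
        findings.append(f"{filename}: archive carries script(s) {scripts}")
        if len(scripts) == len(members):
            findings.append(f"{filename}: archive holds nothing but script(s), "
                            "a downloader-style lure")
    if binaries:
        findings.append(f"{filename}: archive carries executable(s) {binaries}")
    return findings


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP archive from a name -> content mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples. The "JPEG" is just a JFIF header plus the End Of
# Image marker, enough for the check; a real lure carries a full picture.
FAKE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01"
             b"\x00\x00\xff\xd9")
SCANNER_LURE = build_zip({"Scan_C224e_0918.wsf": b"<job><script/></job>"})
SYNCCRYPT_LURE = FAKE_JPEG + build_zip(
    {"sync.exe": b"MZ", "readme.html": b"<html></html>", "readme.png": b"\x89PNG"})

if __name__ == "__main__":
    samples = [("scan.zip", SCANNER_LURE), ("cover.jpg", SYNCCRYPT_LURE),
               ("photo.jpg", FAKE_JPEG), ("CourtOrder_12345.wsf", b"<job/>")]
    for name, blob in samples:
        for line in triage_attachment(name, blob) or [f"{name}: nothing flagged"]:
            print(line)
```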
    • RE: This password bombshell will make you scratch your head...

      @dashrender We want to make sure our brand new password management training module reflects the requirements of the market. The survey tells us what you really need and want. Stu

      posted in IT Discussion
      stus
    • This password bombshell will make you scratch your head...


      OK, this is a headscratcher. This is why we were surprised. I found it in a Wall Street Journal article (paywall).

      Bill Burr, the author of “NIST Special Publication 800-63. Appendix A.” which covers “traditional” password complexity requirements, has said that password complexity has failed in practice.

      Whoa Nellie.

      NIST started from scratch, and the general idea of the new NIST guidelines is to use pass phrases (25 normal characters suggested) that change only as needed, as in a compromised account.

      Turns out this NIST special publication has been formal since last month – and it’s been available in draft form for some time before that.

      It is true that complex passwords with arbitrary password expiration force many users to make poor security choices. I applaud NIST for being pragmatic about this. Let’s at least get the conversation going. The real test will be how the audit and compliance world accepts these recommendations.

      So now, we need a little bit of feedback about the password policy in your organization, because we were just updating our password training module!

      Please take this 1-minute, 7-question, multiple choice survey.

      Help me out and give me your feedback? This is the link to Survey Monkey (not phishing, but if you do not want to click on redirected links, please copy and paste this in your browser)

      https://www.surveymonkey.com/r/KB4_password_survey

      Thanks in advance!

      Warm regards,

      Stu

      posted in IT Discussion
      stus