• United States



Senior Staff Writer

Salted Hash Rehashed: Vegas Adventures (Part II)

Aug 16, 20164 mins
CybercrimeData BreachSecurity

We're still buried under a mountain of email that collected during vacation

071916blog welcome to las vegas sign
Credit: REUTERS/Steve Marcus

Welcome to this week’s second installment of Rehashed. Today’s post has a quick recap of the shenanigans that took place earlier this month in Las Vegas, along some updated information and additional insight that didn’t appear in our videos shot during BSides Las Vegas, and Black Hat.

First up, we have an update to a video we recorded during BSides Las Vegas. Munin, who had never been called a hacker before (until we gave him that title), has created a rather cool tool to deal with Phishing and other threats that rely on domain resolution, such as Ransomware and macro-based email threats. He calls it foghorn.

Fight Phishing with DNS:

The video below offers some basics on foghorn itself, but Munin recently opened the project’s Github to the public, which includes a whitepaper, FAQ, and his slides from BSidesLV. The project is active, and there are updates in the works.

Awareness training lacks realism, and that’s a problem:

During Black Hat, CSO Online spoke with Stephanie Carruthers, the CEO and owner of Snow Offensive Security, about why Phishing works, and more importantly – why most awareness training fails in the workplace.

Not long after we finished the interview, she emailed some additional details that we wanted to share. Her thoughts, based on the question of why most awareness training programs fail, are reprinted below:

“In one word: realism. Security awareness training fails because they lack realistic situations that your employees can identify with. Most awareness trainings show video clips of B-level actors, at a random company being portrayed in very overt security predicaments. Even worse, some of these trainings are animated, making it that much more difficult for your employees to related or take it seriously.

“This is where we change things up. Our security awareness [training programs] are performed in person and they show realistic results from assessments that we just performed against your organization. For example, when training on tailgating, we will actually show a video clip of a member of our team tailgating Bob from human resources from your organization. Everyone knows Bob and everyone knows this “employees only” entrance of their company. The risk now becomes very relatable for every employee.”

What can organizations do to expand their awareness training programs, to expand them?

“While we need to change our delivery to include realistic examples, we also need our employees to be like LeBron James. We wouldn’t sit LeBron in front of a computer, have him take a computer based training once a year about basketball, then expect him to go out and win every game. So, why would we expect Frank from accounting to?

“While LeBron is spending every day practicing, going to the gym, conditioning – getting ready for the game, Frank is crunching numbers and Cheetos. LeBron is building muscle memory through repetition, so why aren’t we having Frank practice as well?

“If we want Frank to be as good spotting Social Engineering attacks as LeBron is at basketball, he needs to build muscle memory. Organizations can do this simply by constantly performing assessments for social engineering attacks more often, such as weekly, monthly or even quarterly. This way, our employees can be continuously practicing and building muscle memory in identifying and responding to these attacks.”

Other items of note:

HEI Hotels reports point-of-sale terminals breach:

The company, which manages close to 60 Starwood, Hilton, Marriott, Hyatt and InterContinental properties, said it appears that malicious software was installed on the payment processing systems at certain properties, with the aim of harvesting the card data as it was routed through the systems.

Insider exposes employee details for 280 Sage Group customers:

According to reports by Reuters, as well as a statement by Sage Group, someone using an “internal login” exposed personal details on employees of about 280 British companies. It isn’t clear if data was exfiltrated, but Sage is said to be investigating the incident. According to their figures, Sage is one of Britain’s largest tech firms, counting more than 6 million SMBs as clients.