Those who have subscribed to the Tw/oB newsletter for a length of time, or followed my write.as blog before that, have read my concerns about security training. This article from ZDNet highlighting the failure of such efforts struck a chord with me, but not because I agree with the position of the article. Well, not entirely. I agree that security training is not the be-all, end-all, and that new learning techniques are needed.
The article proposes that security training is failing because it’s not being delivered in a way that creates a security mindset. The author believes the effort needs to be all-encompassing and daily.
"I think one of the most important things to realize is most of the education and training done, it's not very effective,"
"The 30-minute video you're obligated to watch once a year doesn't do the job."
Yes, I’ll agree with this, but maybe it’s not all on the security professionals.
I like to use the analogy of telling a child not to touch a hot stove. You can tell a child over and over to not touch the stove coil while it's glowing red hot, and even show them the scars you have from doing it, but until they do it and get burned they don't have any context. And because they don’t have any context, because they haven’t felt the pain, they’re going to touch the hot stove.
Consider phishing. How many phishing victims have received some form of training? A LOT. Yet they still clicked the link. In many of the cases I have investigated, the person responsible for clicking the link or sending the money order says to me, "I knew it looked suspicious" and "I know better, I saw the same thing in training."
Almost all promise me "I won't make that mistake again." And they won't. Much like a child never touches a hot stove top twice, they must get burned for the message to have an impact.
A report that’s worth your data
It’s rare that I suggest you give away your personal information to get a vendor report, but the newly released 2021 Crypto Crime Report by Chainalysis is well worth it. The 113-page report details the firm's work over the past year and highlights the topics of money laundering, ransomware, scams, stolen funds, and extremist financing. And if you are that protective of your name and email address, you can give them a sock-puppet email as there is no verification. https://go.chainalysis.com/2021-Crypto-Crime-Report-demo.html
Should’ve stopped while ahead
The criminal CEO of a South Carolina technology firm obtained 750,000 IPv4 addresses through fraud. When ARIN, the agency that oversees IP address distribution for North America, figured it out, they took back the IP addresses. The CEO filed a lawsuit against ARIN. This drew the attention of the local United States Attorney. The guy should have just returned the IP addresses and walked away, because now he’s lost the lawsuit and he’s a felon. https://krebsonsecurity.com/2021/11/tech-ceo-pleads-to-wire-fraud-in-ip-address-scheme/
Mission Driven
I question the existence, purpose and effectiveness of several federal law enforcement agencies. The Criminal Investigation section of the IRS is not one of them. They are getting work done! The 2021 annual report highlights their work over the past year. And it was quite a year! 2.9 billion dollars in tax fraud identified, 8.18 billion dollars in other financial crimes identified, and 3.5 billion dollars in cryptocurrency seized through 1,372 investigations. https://www.irs.gov/pub/irs-pdf/p3583.pdf
The true pandemic
I know this is a newsletter about financial crime. But working for a mid-sized municipal law enforcement agency requires that I pitch in when needed, and too often it is to investigate drug overdose deaths. Imagine if our government leaders would attack the opiate epidemic like they have Covid. Fentanyl is now the number one killer of Americans between the ages of 18 and 45. Covid-19 isn’t even close. But I guess battling a war against opiate abuse won’t make any politicians rich from drug company money, right?
Families Against Fentanyl - Fentanyl Fatality Fact Sheet.
https://www.foxnews.com/us/fentanyl-overdoses-leading-cause-death-adults
The Rest…
This terrible person admitted to scamming a retired bricklayer, an elderly blind man and others out of more than $630,000 in an inheritance scam. https://www.marketwatch.com/story/retired-bricklayer-elderly-blind-man-among-victims-in-630k-inheritance-scam-11641245287?rss=1&siteid=rss
Researchers from Unit 42 detail the workings of a threat group targeting real estate websites with a web skimmer. https://unit42.paloaltonetworks.com/web-skimmer-video-distribution/
Police in Austin, TX issued a warning about fake QR codes being stuck to parking meters. Scanning the code directs the soon-to-be victim to a fake payment portal that harvests the credit card data. https://www.bitdefender.com/blog/hotforsecurity/us-police-parking-meters-phishing-qr-codes/
Cool Tool
I don’t have to explain this app. If you need it - you know. I’ve been using this for a week and it’s awesome.
Cool Job
Director - Fraud Prevention and Investigations; Customers Bank (Reading, PA)
Irrelevant
Remember that scene in the movie Tommy Boy where David Spade and Chris Farley hit a deer with their car and load it in the back seat because they don’t know what to do with it? But it wasn’t actually dead and wakes up inside the vehicle, remember that? Yeah well, these people didn’t. https://www.pennlive.com/crime/2022/01/suspected-dui-driver-hit-deer-put-it-in-hatchback-still-alive-and-kept-driving-police.html
Homophones are hard
Which - As a pronoun, what one or ones out of a group. As a conjunction, used as an introductory particle before a word or phrase that is a reaction to or commentary on the previous clause.
Witch - a person who is credited with having usually malignant supernatural powers
Thank you for reading Issue 60. It’s cold and icy here in Central Pennsylvania, so here's to only 68 more days until Spring. Stay warm.
Matt