New NoticeBored Classic security awareness module

NoticeBored Classic this month covers information security in relationships with third parties.

More 3rd party security links

2006 security awareness calendar

Our latest security awareness calendar is provided free of charge as our little Christmas/new year's gift to the Internet community. Enjoy!

Homo sapiens in the SANS top 20?

An entertaining blog entry concerning The Human Side of Security makes a convincing case for including humans in the SANS Top 20 vulnerabilities. The original item and blog are decidedly tongue-in-cheek but the basic point is sound. Humans are most certainly vulnerable.
More social engineering links

NoticeBored awareness module on social engineering

An updated NoticeBored Classic security awareness module has been released covering social engineering. This is one of our core topics, updated and reissued annually.
Social engineering links

Self-phishing for educational purposes

Several organizations have started using (simulated) phishing attacks against their own employees as a security awareness activity. The New York State Office of Cyber Security and Critical Infrastructure Coordination, for example, sent staff an internal email asking them to enter their passwords into a ‘password checker’. 17% of their 10,000 users succumbed and were given additional education. When the exercise was repeated a month later, the phishing email phooled just 7% who were presumably given stronger, more explicit advice and encouragement by management regarding their future career prospects.
More authentication resources

Blogging for SMEs

An editorial in Processor Magazine outlines some of the security risks facing SMEs as a result of blogging, along with some tips to address them.
More security awareness resources

Biometrics Resource Center

The Information Technology Laboratory Biometrics Resource Center offers research papers, standards and other resources on biometrics, with the high quality we have come to expect of NIST.
More authentication resources

I hear you made spelling mistake ...

It is evidently possible to determine what someone is typing on a keyboard purely by painstaking analysis of tiny differences in the sounds made by the keys. A research team used the standard letter distribution in English to reconstruct what had been typed by a typist using a computer keyboard, using just a 15-minute audio recording. [This is a creative application of a standard cryptanalysis technique.] Perhaps quiet keyboards and background noise should be considered information security measures?
More physical security resources

OECD cross border fraud guidelines

OECD countries have signed-up to cooperate on the investigation of cross-border frauds. OECD Guidelines for Protecting Consumers from Fraudulent and Deceptive Commercial Practices Across Borders (2003) is a high-level paper defining guiding principles.
More authentication and IT fraud resources

Microsoft antiphishing proposal raises privacy concerns

Microsoft is reportedly on the verge of releasing an optional utility to track the websites users visit and compare them against a blacklist of phisher sites. Maybe this would work if the blacklist is reliable (no false positives and few false negatives), but the downside is that (for some reason I can’t quite fathom) Microsoft plans to gather details of users’ surfing habits, raising privacy concerns.
More authentication resources

FAIR risk analysis method

The FAIR (Factor Analysis of Information Risk) method is described by the author as a paradigm shift - quite a claim for yet another version of what looks like an entirely conventional risk analysis process, even one that contains a “computational engine”, no less. The author admits that FAIR is “just one way of skinning the risk analysis cat”. With pseudo-scientific language, he insists on presenting his own “definitions” (actually, curious descriptions that relate particularly to information security risk, not risk in general) for the components of risk without reference to the accepted academic theories in the field. His definition of vulnerability, for example (“The probability that an asset will be able to resist the actions of a threat agent”), is 180º opposed to the normal definition, in other words high vulnerability means a high probability that an asset will NOT be able to resist a threat. The vulnerability definition goes on to confuse threat, vulnerability and control despite the author having stated that unclear terminology is one of the problems in this field. To cap it all, the method is labeled “patent pending”, a phrase with no legal standing (either it is patented or it is not - I suspect the latter).
More risk management resources

Reveal Oracle user passwords

Applications that are not securely written and configured can open security vulnerabilities that affect the whole system. A 2001 posting by Pete Finnegan, for instance, explains how, under the right (wrong!) circumstances, someone can reveal Oracle user passwords in clear text. Pete has published a fascinating set of papers on Oracle (in)security on his website.
More authentication resources here

Online bankers risk ID theft

Reporting on a study of 1,000 US users of online banking by a market research firm, ZDNet UK News said "many consumers were worried that their personal information could either be stolen by hackers and phishers or sold to third parties by banks. Nearly 83 percent of those who conduct banking online reported such concerns, while 73 percent of respondents said personal information theft is a deterrent for them." By neglecting to mention the threat of ID theft from offline bank users, ZDnet implies that online banking is especially risky, although other studies have indicated the opposite (e.g. see last Friday's blog entry).
More authentication resources

New technology may increase ID theft

Golly! New technology such as chip-and-PIN will not solve the problem of identity theft. According to Emily Finch, a social scientist from the University of East Anglia, quoted in Computerworld, criminals will find ways around the new technical controls, such as 'snatching credit card application forms and getting new cards and numbers', apparently. Emily also points out that new technology may lead people to be even less vigilant than before.
More resources for authentication

Global Security Week starts today!

Global Security Week is a community project to coordinate security awareness activities worldwide in the week leading up to September 11th annually. Although this is the first year the event has been run, a broad range of public and private sector organizations around the globe have expressed interest in and offered their support for the event. If you are a security awareness professional, please take a moment to visit the Global Security Week website and think about getting involved in 2006. Participation is voluntary and free of charge: just start planning security-related activities in the week leading up to September 11th 2006 and tell us about it. We will gladly publicize your event in the Global Security Week calendar. The FAQ on the website has some ideas to help you organize a more effective event and we welcome further input from all awareness event organizers.
More security awareness resources

Identity theft

The Better Business Bureau's identity theft survey noted that theft of sensitive paperwork is more likely to lead to identity theft than online data compromises. Often, the perpetrator turns out to be someone close to the victim - a family member or friend with access to the victim's personal effects.
More authentication links

ISACA draft Audit Evidence standard up for comment

The IS Audit and Control Association ISACA releases new or updated audit standards as 'exposure drafts' for public comment from time to time. The standard on Audit Evidence is out for review now with comments due back before November this year. If you have IT audit experience, why not take a moment to look at the draft and send in your thoughts? Contribute to the profession.
More IT audit resources

New awareness module on authentication

We have released our next security awareness module on authentication today. Authentication is one of the core topics in information security, covering aspects such as the system login process and access control. Please visit the NoticeBored website or contact us for more details.

New Orleans disaster predicted

An article published last year by the Natural Hazards Center effectively predicted the New Orleans disaster currently plastered all over our TV screens. What if Hurricane Ivan had not Missed New Orleans? describes with uncanny foresight the damage and disruption that would ensue if the levees were breached and a significant proportion of the population was unable to evacuate due to lack of transportation. There are some hard lessons here for contingency planners everywhere. Global warming undeniably changes the threat horizon for anyone located near the sea.
More contingency planning links

Fraudulent charity requests

Even as the flood waters are still rising in New Orleans, the American Red Cross has already spotted at least one fraudulent email and website soliciting donations for victims of hurricane Katrina. Phishers and fraudsters evidently have no qualms about preying on the kind to siphon off funds for the needy. Report any Red Cross emails that do not refer to www.redcross.org to the Red Cross CISO (infosec@usa.redcross.org).
More IT fraud resources

Hacker intrigue

Here’s a hacking story with a difference: after investigating a hack perpetrated by a suspected Chinese-government-backed gang of uberhackers, Shawn Carpenter, a network security specialist at Sandia National [nuclear research] Laboratories, got caught up in the FBI investigation. Time Magazine reports that he was dismissed by Sandia when they discovered his out-of-hours hacking, even though Shawn claims to have been encouraged by the FBI to help them track the gang. The FBI has acknowledged their role in the investigation and Shawn subsequently got his security clearance reinstated, so the story seems to hold water.
More [anti-]hacking and cracking resources

Cisco patches released

Cisco users have their own patching worries. Check out the latest Cisco patches including a fix for a privilege escalation vulnerability in the Cisco Intrusion Protection System (oops).

More change management resources

Oracle patching process unreliable

Users of Oracle systems are advised to double-check that the patches they think they have applied have in fact been successfully applied. Inconsistencies in the internal inventory of Oracle programs maintained by an Oracle installation, for example, may result in relevant patches being missed. [The article is based on a somewhat self-serving press release by an Oracle specialist, but has a ring of truth. A similar situation applies to Microsoft: Microsoft Update does not always apply all relevant MS patches, so it is worth running something like Microsoft Baseline Security Analyzer every so often to double-check the installation. Regression testing and penetration testing can also be useful if sufficient resources are available to 'keep the lights on'.]
More change management resources

5 steps to data Nirvana

Starting with a comment from Gartner that “More than 25% of critical data in Fortune 1,000 databases is inaccurate or incomplete”, a thought-provoking piece in Baseline magazine suggests five steps improve your data accuracy: (1) Acknowledge the problem; (2) Determine the extent of the problem; (3) Establish the costs of getting it right (and wrong); (4) Use available tools; and (5) Put somebody in charge.
More integrity resources

Slow patchers hit by worms

Systems at CNN, ABC, the New York Times, DaimlerChrysler and others were reportedly either hit by the Zotob-family worms or were taken offline to apply the Microsoft patches. The decisions about whether and when to apply security patches are especially difficult in the case of critical business systems. It sounds like some organizations either didn’t get the right answers from their risk assessments or simply fouled up implementing the patches. However their contingency plans (presumably at some point involving the command ‘apply those **** patches, NOW!’) seem to have limited the damage, so far, although companies that were infected with Zotob now have to deal with the threat that their systems may perhaps be 0wn3d with keyloggers and other nasties quietly doing their stuff.
More change management resources

Patching Window closed

Certain "security experts" reportedly believe that the patching window is non-existent. I guess the journalist who swallowed that line must have missed out on the last few year's discussion about zero day attacks. He goes on to discuss the merits of the white hat community sharing information about vulnerabilities and patches (again, largely ignoring the ongoing professional discussion about vulnerability disclosure) and ends with the implication that patching even quicker is somehow the answer to the patching window being closed. Errrrm ... call me a cynic but how does that work?
More change management resources

Techworld.com - Critical Veritas attack code loose

Contrary to uninformed opinion, MS Windows is, of course, not the only vulnerable software Out There. Right now, there’s a race between those seeking to exploit an announced vulnerability in Symantec's Veritas Backup Exec Agent for Windows and those who are desperately patching their Veritas systems.
More change management and hacking resources

(IN)SECURE Magazine

The third edition [9Mb PDF file!] of (IN)SECURE, The Digital Security Magazine, carries an article on security vulnerabilities, exploits and patches.
More change management resources

F-Secure Computer Virus Information Pages: Zotob.A

The Zotob.A worm exploits a Plug-and-Play vulnerability, targeting unpatched Windows machines by scanning port 445 and downloading a virus using ftp. The worm was released within just 5 days of Microsoft releasing August’s security patches. HAVE YOU PATCHED ALL YOUR WINDOWS SYSTEMS YET?
More change management and malware resources

Amazon pays $40m in patent dispute

If anyone still doubts the economic value of intellectual property, Amazon 's out-of-court settlement of a $40m claim by a patent holder should be a salutary lesson. The patents relate to Internet shopping processes used by Amazon ... and Gap ... and presumably many other eCommerce-enabled companies. Amazon has deeper pockets than most but the writing is on the wall for those who flagrantly ignore patent infringements.
More intellectual property resources

8 vulnerabilities per day

NIST's National Vulnerability Database reports an average of 8 new security vulnerabilities every day, with over 12,000 already listed. It's not difficult to see that keeping track of new vulnerabilities, assessing whether they are relevant, testing and applying patches to all relevant systems is no trivial matter for the average corporation. Any organization that lacks adequate IT resources must surely struggle.
More change management resources

NIST SP on patching and vulnerability management

NIST is inviting public comments on a new draft Special Publication SP800-40 on Creating a patch and vulnerability management system (1Mb PDF file). Comments are especially welcome in three areas: (1) patching metrics, (2) required duties of the patch and vulnerability management group and (3) the overall patch and vulnerability management process. The summary earns a big thumbs-up from us with the sentence: “Not all vulnerabilities have related patches; thus, system administrators must not only be aware of applicable and available vulnerabilities and patches, but also other methods of remediation (e.g., device or network configuration changes, employee training) that limit the exposure of systems to vulnerabilities.” Other NIST drafts are also open to comment.
More change management resources

Microsoft fixes yet more bugs

As eagerly anticipated, Microsoft released yet another a bunch of fixes on a few days ago, three of which were rated critical. It is widely reported that problems with the patch files originally made available from some download locations may have interfered with the update process, although we understand everything is working fine now. Nevertheless, Microsoft customers are well advised to double-check that all necessary patches have been applied to all relevant systems using Microsoft Baseline Security Analyzer (MBSA), Microsoft Update (which updates both Windows and Office) or other patching utilities. There are rumors of exploit code already in circulation for the announced vulnerabilities so consider the risks carefully if you are not certain that all your systems are fully patched.

More change management resources

Racing to beat full disclosure

Bruce Schneier discussed the race to fix and close vulnerabilities before they are publicly disclosed in his Crypto-Gram newsletter way back in 2000. The risk-time graphs are illustrative, of course, but do seem to reflect reality.
More change management links

How to spot spoofs and fake emails & websites

A tutorial from eBay to help customers spot spoof/fake emails and websites, is of general interest to anyone who uses the Internet.
More IT fraud resources

The value of currency

Microsoft's HoneyMonkeys project is using XP PCs with various levels of patching to search for malicious download sites. If an original unpatched XP PC is affected by malware on visiting a website, an XP SP1 machine is sent to the same site to see whether the SP1 patch fixed the vulnerability. If that fails, an SP2 machine is tried, and so on up to the most recent fully-patched version of XP. If the latest version is still vulnerable, they are presumably facing a 'zero day' exploit, worth further examination. The project confirms the importance of maintaining version currency to minimize the level of known vulnerabilities.
More change management resources

Information Security Awareness book review

Having just read Tim Layton's new book "Information Security Awareness - The Psychology Behind the Technology", I wrote a book review to share my thoughts. The bottom line: it's too academic to recommend to practitioners, and difficult to read thanks to a poor writing style, but worth reading Chapter 7 at least.
More security awareness links

Going on holiday? Think security!

Out of Office (OoO) automatic replies to incoming emails are a menace to mailing lists and can cause security issues, primarily disclosure of sensitive information. It is quite common for those going on vacation or traveling on business to want to tell other people that they are not around to respond to inbound emails, and it is quite easy for end users to configure OoO replies themselves. Unfortunately, OoO information is of interest to spammers and social engineers as well as legitimate email correspondents. ‘As I will be away from the office from date1 to date2, please address your queries to XXX@company.com or phone (123) 456 789. John Doe, Security Manager’, for example, gives away quite a lot of useful information unnecessarily. Advice on how to configure email systems for OoO replies is given in this IETF draft proposal (an incomplete work-in-progress but well worth a read). As so often in information security, the technical controls should be complemented by suitable policies, procedures and awareness of this issue.
More email security resources

Oracle's view of the patching treadmill

A rare insight to the change management problems caused by vulnerabilities disclosed by 'security researchers' is provided by the CSO of Oracle. She argues that although fixing an identified problem may only take a few minutes, it can be far more involved. Furthermore, she claims there are customer-friendly reasons for delaying the release of fixes [which seems just a tad far-fetched to me]. She also admits that one quarter of security fixes are a result of information provided by third parties, an amazing fact given that Oracle has complete 'glass box' access to its own source code and the best Oracle professionals on the planet at its disposal.
More change management resources

Data security and backup

Data security and backups can be a pain for roving users using portable PCs but SecureTrieve is an attractive option. The system protects data stored on the PC using AES encryption and makes off-site backups through the web. Without the user's password, a thief can't easily see the encrypted files, and even if he can get at them, AES protects them. Meanwhile, the user can retrieve his valuable data from the off-site backup onto another machine. Combining this with PC Phone Home might even give the user a fighting chance of finding the stolen PC when it connects to the web.
More mobile and teleworking security resources

Fix costs escalate 200x post implementation

It has been estimated that it is about 200 times more expensive to fix a problem when an IT system is in Production compared to fixing at the requirements analysis step during Development. The factor falls to about 4 for small IT projects but can exceed 500 for very large projects. Even if these figures are only vaguely close to the truth, the implications for quality assurance processes in IT development are crystal clear, as are the benefits of splitting massive projects into discrete sub-projects.

More change management, bugs and secure systems development resources

Emotional intelligence and change

Emotional intelligence, a relatively new form of psychological research, offers some fascinating insights into the part played by motivation in change activities. For anyone involved in dealing with people as part of change management, the Emotional Intelligence Consortium's Technical Report on Training and Developing Emotional Intelligence in the Workplace is well worth a read, as are the books on emotional intelligence.
More change management resources

Leading whole-organizational changes

In a McKinsey interview, the CEO of P&G discusses various aspects of leading and managing change across the entire organization. For example, targets that stretch too far risk demotivating people [whilst those that don’t stretch enough are lame]. Difficult concepts such as ‘core business’ have to be explained patiently and frequently to some people. Similarly, the CEO of D&B says of his change strategy “The primary focus was to repair the brand, change the business model to get funds to pay for the repairs, and create a new culture. Creating a new culture was fundamental to the new strategy.” [There are clear implications for security awareness programs here!]
More change management resources

Contingency plans in action

I'm waking up this morning to news of three contingency situations. First of all, an Airbus A340 aircraft failed to stop on the runway on landing at Toronto. The Air France emergency evacuation procedures worked pretty much as designed with only relatively minor injuries, we hear.
Secondly, the space shuttle crew are about to undertake a 'delicate task', cutting away some ceramic spacer strips protruding between the shuttle's tiles using a makeshift tool. The tool and cutting process are themselves the product of a well-rehearsed contingency process (the Apollo 13 film is a popular case study for contingency situations).
Finally, today's Handler's Diary from the SANS Internet Storm Center recounts a power incident involving the partial failure of a standby generator and office UPS units. It seems the generator has insufficient capacity for the full startup load, and some of the UPSs were incorrectly installed by users, raising questions about the system design, installation and testing procedures.
Otto von Bismark said "Only a fool learns from his own mistakes. The wise man learns from the mistakes of others" - I'd rephrase the last part slightly: "The wise man learns from the successes and mistakes of others, and makes his own contingency arrangements."
More crisis management and contingency planning resources

Revision control

The description of 'revision control' at Wikipedia reads a lot like what is commonly called 'version control' or 'Software Configuration Management' (SCM), but is interesting nonetheless. The wiki itself provides an object lesson in revision control: users are invited to make changes, with the system automatically retaining checkpoints in case something goes wrong and optionally notifying other users that changes have been made.
More change management resources

IIA Change and Patch Management Controls guide

The Institute of Internal Auditors’ final draft guide to change and patch management controls is “about managing risks that are a growing concern to those involved in the governance process. Like information security, management of IT changes is a fundamental process that can cause damage to the entire enterprise and easily disrupt operations if it is not performed well. This enterprisewide impact makes change management of interest to many audit committees and, as a result, to top management. The objective of this guide is to convey how effective and efficient IT change and patch management contribute to organizational success.”

Security induction module

We have also released a special bonus module - a security induction module covering the basics of iformation security intended for use in induction training classes for new employees. The induction module might be useful to launch a new information security awareness program too. It is being provided free of charge to NoticeBored customers.
General/induction information security resources

Change management security awareness module

We've released a new NoticeBored Classic security awareness module on change management - an important information security topic seldom but covered in awareness programs.
More change management resources here

Email disclaimers

We've all read those pseudo-legal statements at the end of most corporate emails but do they carry any weight? Stupid Email Disclaimers takes a look at the issue and makes some interesting points for discussion with your corporate counsel.
More email security resources

Social psychology & INFOSEC

Mich Kabay's 1993 paper on security awareness makes the case for "changing beliefs, attitudes and behaviour, both of individuals and of groups. Social psychology can help us understand how best to work with human predilections and predispositions to achieve our goals of improving security".
More security awareness resources

Data recovery hardware

An interesting suite of products from Germany protects key system files against unauthorized modifications. WatchIT presumably takes a backup copy of boot files and other key data from the disk. If the files are corrupted (e.g. by a virus) or accidentally deleted, the originals can be restored in a flash. Sounds ideal for classroom and many corporate situations where users have a tendency to corrupt their own systems from time to time.
More contingency planning links

An upside to privacy breaches?

An editorial in Chief Marketing Officer Magazine hints at a possible upside to recent privacy breaches splattered across the press. "Privacy activists are up in arms over ChoicePoint and other high-profile security breaches at institutions such Bank of America, DSW and CardSystems, where 40 million credit card accounts from Visa, MasterCard and other card issuers may have been compromised. Legislation to tackle growing worries over credit report information, data breach disclosures and spyware is in the political pipeline. Wary consumers are increasingly reluctant to share personal information with marketers." Well OK, maybe calling it an 'upside' is a bit cynical, but if the general public are more security aware, we're happy :-)
More anti-hacking resources

Success strategies for security awareness

"Without visible executive stewardship, information security awareness programs are doomed to fail" says E Kelly Hansen, Chief Executive of Neohapsis. Unfortunately, like so many other articles on security awareness, ZDNet falls short on practical guidance on how one might actually gain 'visible executive stewardship'. Apart from the standard advice to circulate a newsletter and consider corporate videos, there are few creative ideas here.
More on the need for security awareness and some helpful advice to start an effective security awareness program

Hacking with Google

Johnny I Hack Stuff is the website of ‘Johhny Long’, author of Google Hacking for Penetration Testers (~$32 from Amazon). Johnny explains how to construct interesting Google queries in order to identify vulnerabilities such as security holes in system and application software, disclosure of sensitive information and so on.
More [anti-hacking] resources

How To Become A Hacker

How To Become A Hacker is a primer on the philosophy and ethics of hacking, more than the mechanics of hacking. Starting from the point of view that “hackers build things, crackers break them”, this is a thoughtful, well-written and stimulating piece of creative writing. “Contrary to popular myth, you don't have to be a nerd to be a hacker. It does help, however, and many hackers are in fact nerds. Being a social outcast helps you stay concentrated on the really important things, like thinking and hacking.”
More [anti-]hacking resources

London cellphone network resilient under stress

The BBC is reporting that cellphone networks in London are coping adequately with higher-than-normal call volumes arising from the bomb incidents at lunchtime today. Cellphones have becomeas much a part of the critical national infrastructure as the "Plain Old Telephone System" (POTS). Wireless networks like their wired ancestors are designed with resilience in mind, including spare capacity, alternate routing and 'intelligent' real-time switching protocols. This is mostly to cope with the diurnal peaks and troughs of demand, partly for continuity through abnormal periods such as bombings, planned maintenance and unanticipated system failures.
More on crisis management and contingency planning

Sazo GPS/GSM location

Sazo is an interesting low-cost product line from a UK company that uses GPS or GSM signals to locate Sazo devices. They are being marketed for concerned parents to track and communicate with their children, and for similar personal-location applications. The technology may also prove useful for tracking stolen vehicles or PCs or other valuables (although it would of course need to be modified slightly so as not to need the thief to acknowledge the location request message!).
More physical security links

Kevin Mitnick preaches social engineering awareness

In a keynote presentation at the Citrix iForum conference in Australia today, hacker Kevin Mitnick : said "social engineering appeals to hackers because the Internet is so widespread, it evades all intrusion detection systems, it's free or very low cost, it's low risk, it works on every operating system, leaves no audit trail, is nearly 100 percent effective, and there is a general lack of awareness of the problem."
More [anti-]hacking and social engineering links.

"Underground" websites

Perusing this list of 100 "underground" websites gives a flavor of what certain hackers find interesting - hacking/cracking tools and how-to courses, warez and cracked serial numbers for examples. [Warning: take great care if visiting or downloading “useful tools” from dubious websites. Some of them may exploit security vulnerabilities in your system or indeed yourself to install Trojans and other malware.]
More anti-hacking and malware resources

Hoax-Slayer

The free Hoax-Slayer Newsletter explains email scams, Internet frauds and other such nasties to the general public. A nice easy way to keep up with things.
Other IT fraud resources

CSI/FBI survey 2005

The latest Computer Security Institute/Federal Bureau of Investigation security survey is packed once again with interesting statistics and insightful commentary. With responses from around 700 US respondents, this is one of the most reliable surveys. Security awareness gets several mentions. "The vast majority of respondents view security awareness training as important. However, (on average) respondents from all sectors do not believe their organization invests enough in it." The survey does not explain why this might be, unfortunately. I wonder if it might be related to the lack of understanding of security awareness amongst senior management?
Download our white paper on the value of security awareness

Nigerian scammer fined in $242m case

It appears the courts in Nigeria are convicting fraudsters guilty of 419 advance fee frauds and other scams ... but not before these swindles have allegedly become one of the country's main foreign exchange earners after oil, natural gas and cocoa according to "anti-sleaze campaigners" quoted by Reuters.
More IT fraud resources

US airman convicted of hacking

The European and Pacific Stars & Stripes reports that an airman based in Japan has been convicted by a court martial for trying to hack PC files on the base using a password cracker program he downloaded from the Internet. It seems the man also uploaded a password file from the base to a personal web server through the Internet, with the risk of third party interception en route.
More anti-hacking resources

Default login info

Next time you install a new device, load an operating system or install an application, don't forget to change the default installation username and password before you connect it to the network. Over 1700 are published at Virus.Org.
More anti-hacking resources

US-CERT Cyber Security Bulletins

The weekly Cyber Security Bulletins from US-CERT summarize reported software security vulnerabilities such as buffer overflows. While there are so many bugs being reported on a weekly basis, there is not much hope of securing our computer systems against determined attackers. It's like drinking from the fire hose. (We will pick up on this point in future NoticeBored modules on 'security in the SDLC' and 'bugs!'.
More anti-hacking resources

Patch Tuesday

Microsoft's latest Security Bulletin describes three patches to close off critical security vulnerabilities in Windows and Word. Now that these vulnerabilities are in the public domain, it's open season for hackers to try to exploit them before everyone gets patched. The patching treadmill is a logistical nightmare for organizations running business-critical applications on numerous distributed technology platforms, creating risks to the deployment. It is critically important to strike a balance between delaying the patching (increasing the window of opportunity for the hackers) and patching too soon (before patches have been tested on all applicable platforms). More will appear on this topic in next month's NoticeBored Classic module.
More anti-hacking resources

The human factor in information security

The British Computer Society has published a paper by Zach Anuka highlighting the importance of human factors in information security, alongside physical and logical/technical factors. "... the human piece of the puzzle, the soft factor, receives the least attention and investment. How often in an IT project do you hear about human vulnerabilities requirements? Not often. It is not usual for systems integration projects to include the aspect of user training that could enable users to manage their own inherent vulnerabilities." Well said Zach!
Click for more security awareness resources and our own white papers on why we need awareness and human factors.

Iron Mountain Loses More Tapes

Perhaps as a result of the Californian law requiring disclosure of security breaches involving personal data on Californian residents, several incidents involving the loss of backup tapes in transit between the primary and backup sites have come to light since 2004. Given the sensitivity and volume of data on the tapes, and the fact that they are being handed to (albeit trusted) third parties for transportation, it is perplexing to discover how few organizations apply encryption ['encoding' and 'proprietary formats' don't count - these are just weasel words], even in financial services. The latest example of this kind of incident involves Iron Mountain Inc., a backup specialist that hit the news over another similar incident a few months before. Why is it that the possibility has escaped otherwise quite comprehensive risk analyses? Presumably it is not explicitly covered by SAS70 or the auditing standards and has simply slipped under management’s radar, until now.
More physical security resources

End of an era for Phrack

After 20 years, Phrack magazine's editorial team are hanging up the quills and closing down the press. The last issue will be released at US hacker conventions later in July. The hacking and phreaking world will mourn the loss, shed a tear maybe, and then turn back to the web for their fix.
More anti-hacking resources

'London bombing' Trojan

The day after London was bombed, a 'London bombing' Trojan started circulating. "Virus writers have created a Trojan which poses as London terrorist attack news footage. Infected emails harbouring the Trojan pose as a CNN Newsletter which asks recipients to 'See attachments for unique amateur video shots'." Shameless.
More malware, anti-hacking and crisis management links

Security awareness on crisis management

We published a special NoticeBored Classic module on crisis management and contingency planning, inspired by the emergency services' amazing response to the bombing of London last Thursday, along with a special newsletter. [These materials are no longer online]
More crisis management and contingency planning links

Targeted Trojan emails

The threat of targeted malware attacks was discussed a few months ago in the NoticeBored Classic awareness module on malware. US-CERT Technical Cyber Security Alert is now warning of the increased threat of Trojans that (a) elude conventional protective measures such as antivirus software and firewalls, and (b) are emailed to specific targeted recipients. External disclosure (exfiltration or stealing) of data appears to be the primary purpose, for example using port 80 like normal web traffic, passing straight through the perimeter firewalls.
More anti-hacking and malware resources

What The Hack!

What The Hack is a hacker conference taking place on a camping site in the South of The Netherlands from 28 until 31 July 2005. "The event is not just for those who already define themselves as hackers, although they will almost certainly have an excellent time. Like previous times we hope to create an opportunity for people from a great many different cultures and subcultures to meet. So no matter whether you're interested in any of the topics presented, curious about what it is we're into, feel there are some cultural connections missing that you could facilitate, or if you just want to hang out with some of the brightest and funniest people we know: please come."
More (anti-)hacking resources

MS UK site hacked

A Microsoft UK website has been defaced with a GIF image file supporting a hacker arrested in April. The Register reports that the GIF has been removed. Crude website defacements of this nature are at the 'vandal' end of the hacking scale, way below the level of concerted terrorist IT infrastructure attacks feared by military security experts.
More anti-hacking resources

SSNs exposed by college server hack

In yet another college server hack, personal information including Social Security Numbers have been exposed. The college has belatedly removed SSNs from the server but why they were there in the first place is not clear. "If someone has a name and Social Security number, they can apply for a credit card, so this is a major issue". A separate news story reports that "many colleges and universities used a student's social security number as their primary student identifier, until recently [and] some schools still have not stopped the practice." In the UK and other countries, SSNs are not generally used as secrets for personal authentication purposes and individuals need to provide additional information such as something proving their home addresses: the US seems behind the curve on this one.
More anti-hacking resources

'Hunting season' for computer attackers

The Toronto Globe And Mail yesterday ran a well-written piece about the upsurge of computer crime. The article makes the case that criminals are turning to electronic crime due to the enormous opportunities opened up by the combination of numerous insecure systems on the Internet, widespread lack of awareness of basic security measures by users, and the disjointed trans-national law enforcement activities. This is not just scare-mongering, the story is illustrated with news of recent hacking incidents and quotes from professionals in the field. The worrying trend is every bit as clear as global warming.
More anti-hacking resources here

Man charged with stealing WiFi signal

A Florida man has been unauthorized access to a WiFi network. The man admitted using a laptop PC in an SUV parked outside the house to 'steal' WiFi access. The case will presumably center on whether the WiFi network was adequately secured - most aren't.
More wireless networking security and anti-hacking resources

Chinese student arrested for hacking

A Chinese student has been arrested in Tokyo, allegedly for hacking into up to 14 companies' systems to obtain information on their customers.
More anti-hacking resources

Decoys for the Pentagon

US Military experts have proposed the use of 'decoys' (commonly known elsewhere by the term 'honeypots') as a defensive move to protect the Pentagon Network from hackers. Now there's an idea.
More anti-hacking resources

Monitoring attacks on Windows networks

Microsoft's Security Monitoring and Attack Detection Guide is designed to help organizations plan a security monitoring and attack detection system based on Windows Security Event logs. It explains how to interpret the events (albeit within the rather limited capabilities of standard Windows tools) and which events indicate the possibility that an attack is in progress.
More anti-hacking resources

PayPal phishers get more creative

PayPal has settled a class-action claim, the claims period for which expired in October 2004. According to the claims administrator, phisher emails are circulating that cite the original case and direct victims towards a false claims site where, as usual, they seek to obtain their personal information.
More email links here

Bank workers biggest ID theft threat

deseretnews.com reports that customer details have been sold to identity thieves by employees of Bank of America, Wachovia and two other banks. "We've got a nasty problem and it keeps getting worse over the past couple of months," said Peter G. Neumann, a security expert with SRI International in Menlo Park [and manager of the RISKS mailing list], Calif. "Insiders have always been a concern, it's just that (institutions) are finally admitting it."
More anti-hacking resources.

Help! I Think I've Been Hacked!

Help! I Think I've Been Hacked!! is a common cry on IT bulletin boards. Non-technical people usually don’t understand why hackers have hacked them, nor how they did it. All they want to do is get the hackers out - no mean feat without IT knowledge, even using the antivirus and antispyware tools commonly available. Keeping the hackers out is a further challenge but at least former hacking victims should be well aware of the threat.
More anti-hacking resources

Rootkits

Find out why you should beware rootkits on your systems. Rootkits typically install modified operating system files such as “ls.exe” (the UNIX list files command) to conceal the presence of hacking tools from naive system administrators. The tools themselves give hackers complete control of a compromised system and often provide backdoors to the system in case the primary mode of entry is blocked.
More (anti-)hacking resources

NoticeBored July - The Hacking Threat

This month, our security awareness materials explain how hackers, crackers, phreaks and other assorted geeks go about their business. Hacking is a serious threat to organizations and individuals who depend on their information assets, and especially those of us connected to the Internet. A number of security surveys have shown however that hacking perpetrated by insiders is a threat even if your organization has no external network connections at all.
More (anti-)hacking resources here

Stego led CIA to a false alarm

There's an interesting story on MSNBC.com about the CIA drawing mistakenly concluding that Al Jazeera TV was broadcasting terrorist messages using steganography to hide the content in the ticker-tape news banner. It seems the high state of alert, verging on paranoia, led the CIA analysts to see phantom messages, yet they were credible enough to cause US authorities to cancel flights and raise the terror alert level from 'yellow' to 'orange'. I suspect the same false-alert could easily happen again due to the very nature of steganography but hopefully not without corroborating evidence from other sources. At least the false-alert was a fail-safe response.

More on confidentiality, crypto and steganography here

Never mess with privileged syadmins

Someone's resignation letter, whether it is actually true or not, makes fun reading but has a real sting in the tail. Read to the end and think about this the next time you appoint or dismiss a systems administrator or indeed anyone else with privileged systems access.

Targeted attacks pose new security challenge

Computerworld reports that "'We're clearly seeing a trend away from broadcast attacks to much more targeted and much more sophisticated types of attacks,' said Andreas Wuchner-Bruhl, head of global IT security at Novartis Pharma AG, a drug maker in Basel, Switzerland. 'Dealing with it is much tougher.' That's because 'the cons in the attacks are so much better customized' for the specific companies they target, said Lloyd Hession, chief information security officer at BT Radianz, a New York-based provider of telecommunications services to the financial industry. 'The chances of them being successful are much higher' than in large-scale attacks, he said." The potential for malware attacks targeting specific companies, or even individuals, looks clear to us, and we're not just talking about phishing/pharming type attacks. We can forsee worms, for instance, that are slow spreading, benign and cryptic (thereby largely evading the interest of the antivirus community) unless/until they find themselves inside the target organization whereupon they spring to life with devastating concequences. A senior manager at antivirus supplier Sophos with whom we discussed this very point three months ago did not see this as a serious threat but we beg to differ.
More email and malware resources

Implement Sender ID or be labelled a spammer by Microsoft

Cnet News is reporting that Microsoft intends to mark all emails not carrying the Sender ID tag as spam on entry to the Hotmail and MSN networks. The fact that Microsoft remains the main supporter of Sender ID, and that an IETF working group on it was dissolved last September due to their inability to agree on the details, means that those of us not using Sender ID need not be unduly worried at this point ...
More email security links

Deloitte Global Security Survey 2005

Deloitte's latest infosec survey continues the trend of other recent surveys: "... since fraudsters will always target what they perceive to be the weakest link, their efforts are now focused on the human factor." It's a bit like what's happening to car security: as the doorlocks and alarms get stronger, car thieves turn to carjacking or simply stealing car keys as more effective ways to get their hands on the vehicles. We will publish a brief review of Deloitte's survey on the freebies section of NoticeBored.com as soon as we've finished reading and dissecting the report.

Seven steps to security awareness

I wrote this white paper as an extended response to a simple question on the Yahoo groups Security Awareness mailing list. Someone simply asked for sources of posters and other materials for security awareness ... I responded by inviting him to think more broadly about his requirements for the awareness program, and to plan the program more professionally rather than, as he possibly implied, just putting up a few free or cheap posters. The response turned into a short white paper about the process for planning, selecting, evaluating and procuring security awareness products and services - really just the standard procurement process applied to security awareness. Enjoy.

Email exam misery shared

USATODAY.com reports that 119 University of Kansas students who failed classes last semester inadvertently found out who shared their misfortune. The email informing them was sent "To:" all 119 students so all recipients could see who else received the email - if it had been "BCC'd" (Blind Carbon Copied) instead, the recipients might have remained anonymous.
More email security links

UK agency warns about emails bearing gifts

"Employees are tricked into installing the malicious programs by cleverly-crafted e-mails loaded with infected documents. In some cases, the attackers download publicly-available documents off the Internet, load the documents with the Trojan horse, then e-mail them to carefully-selected employees who would be likely to open such a file. To make the notes even more realistic, the e-mail appears to come from a co-worker." So says the UK's NISCC (National Infrastructure Security Coordination Centre - home of the UK WARPs) in a generic public warning.
More email security and malware links.

A clutch of Microsoft patches

Hurray! It's patch Tuesday! Microsoft has released patches for a clutch of security issues including one affecting Outlook Web Access and another affecting Outlook Express. It's important to keep up with security patches to minimize the risk of compromise by worms or hackers attacks. If you/your organization uses OWA or Outlook Express, or indeed other vulnerable software that has just been patched, you may only have hours or days before exploits begin causing problems. Act now to prevent breaches.
More email security links

Information retention and destruction

With some analysis of the Enron case, The Register's piece Shred It! says you should "establish a clear and reasoned and workable [document retention] policy ... [and ideally] automate the process of document destruction ... Your policy should ensure that it is applied to active and archived documents equally, and paper and electronic documents." However, things change if your organization is under investigation. "Once you know, or reasonably should know that particular documents or categories of documents may be relevant to an actual or anticipated investigation or litigation, your document destruction policy should be suspended." In other words, you must not artificially use the policy to destroy evidence.
More physical security and confidentiality links

Phishing antidote

In "Man Bites Phish", Robert Cringely suggests a novel approach to the phishing problem: visit the phisher sites and enter realistic-loooking but inaccurate junk information. The idea is that the phishers will give up trying to separate the wheat from the chaff if enough people send them junk data. Given their motivation to steal money, the phishers may not be too bothered but the problem is that there are few other effective approaches against phishing.
More email security links

Phishing for domain registration info

As well as phishing directly for personal information such as bank account details, credit card numbers etc., it appears that phishers are also trying to fool domain owners into relinquishing control of their domains, potentially in order to redirect legitimate traffic through the phishers' systems. CIRA, registrar for the .ca domains, released this news bulletin on June 8th.
More email security and IT fraud links

Bin Laden email Trojan

According to CNET News and The Register, a Trojan attached to an email promising pictures of the capture of Bin Laden has been contained, presumably by effective antivirus software.
More malware links and email security links

SCADA security

I've just stumbled into the ISA website regarding an ongoing project to develop ANSI/ISA security standards for SCADA (Supervisory Control And Data Aquisition) systems used to control industrial machinery including large chunks of the critical global infrastructure (e.g. power plants, water treatment works, and no doubt the production lines at Rover - oops). In my limited experience, many old-fashioned SCADA systems pre-date modern thinking on information security controls other than availability, perhaps: the reason old SCADA systems remain a problem is that many of them have continued running more or less unchanged for decades.
More availability resources

The insider threat

In Looking at the insider threat!, Doug Schweitzer picks up on the need for organizations to protect themselves against attacks by insiders - employees and others working within the physical and logical perimeter. "Security starts from the inside out" neatly encapsulates it. We'll have more to say on hackers, both insider and outsider versions, in next month's NoticeBored security awareness materials.

Preserving digital evidence

Deb Schinder's Computerworld article Preserving Digital Evidence to Bring Hackers and Attackers to Justice is a brief but useful overview of how to deal with a PC that may contain forensic evidence of a breach. The key elements are: don't switch it off, disconnect it from the network; don't run any programs on it; don't open files to examine them; do call on forensic experts; do take bit-level disk and memory copies to another machine. "Pull out the network cable" is a good phrase to teach your IT help desk and information security staff, and should perhaps be splashed across the front of the incident response procedure manual, a bit like "Don't panic" across the Hitchhiker's Guide To The Universe.
More on incident management

Nigeria overwhelmed with spam

A new OECD report into the spam problem notes that developing nations lack the resources to cope with spam. Whereas the costs of spam filters, wasted bandwith and wasted disk space are not a significant issue for organizations in the developed world, places like Nigeria are being overwhelmed. [Given the volume of 419 scams still originating in that part of the world, some might call this peotic justice ... but spam is an indiscriminate problem and does not just affect the fraudsters].
More email security links

ITIL portal

Loads of free information on the IT Infrastructure Library.
More IT governance links

Email security awareness

We have just released the latest NoticeBored Classic security awareness module on email security. Email security is one of our core awareness topics - almost everyone in business these days uses email and should be aware of the security risks they face. Our core modules are updated and re-released every year.
Click here for our email security links collection

US DoD threat analysis

The US Department of Defense clearly faces some serious information security risks. According to this presentation about security policies by ex-military man and honeynet security guru Lance Spitzner, the DoD recognizes seven levels of threat. “T1: Inadvertent or accidental events e.g. tripping over the power cord. T2: Passive, casual adversary with minimal resources who is willing to take little risk e.g. listening. T3: Adversary with minimal resources who is willing to take significant risk e.g. unsophisticated hackers. T4: Sophisticated adversary with moderate resources who is willing to take little risk e.g. organized crime, sophisticated hackers, international corporations. T5: Sophisticated adversary with moderate resources who is willing to take significant risk e.g. international terrorists. T6: Extremely sophisticated adversary with abundant resources who is willing to take little risk e.g. well-funded national laboratory, nation-state, and international corporation. T7: Extremely sophisticated adversary with abundant resources who is willing to take extreme risk e.g. nation-states in time of crisis.” Another way of looking at this is as a maturity model for information security. Is your organization ready to face threats at level T4 or T5? Can you afford to address T6?
More risk management resources

Trojan used for industrial espionage

A handful of well known companies are caught up in a scandal over the use of a Trojan horse program for industrial espionage against selected targets. The story is a rather sketchy at present but it appears that police discovered the plot following a lead from an Israeli author whose London-based former son-in-law is accused of disclosing parts of a book he was writing. The existence of the Trojan is evidently not in dispute, along with the fact that it was distributed on a 'promotional CD'. The author, however, claims that it is legal and is 'not his fault' if it was misused for illegal/unethical purposes.
More malware and privacy links

ISO 27000-series security standards

ISO has earmarked the ISO 27000-series for the information security management standards including ISO 17799, BS 7799-2 and a new standard currently in preparation on security management metrics. This new website gives an overview and will gradually become a useful public resource for those implementing the ISO security standards.
More security standards links here

CERT vulnerability bulletins

US CERT issues a handy email update of vulnerabilities announced in the previous week. They mention patches, workarounds and other actions to help mitigate risk.
More infosec risk management resources

The Credit Card Prank II

Humble "retail operatives" (till-clerks) who are supposed to check credit/debit card signatures against those on the cards should actually read them and challenge suspicious signatures. It seems some of them perform absolutely no checks whatsoever. This is another example of why security awareness should extend to everyone in the organization.
More security awareness links

2005 AusCERT security survey

The latest AusCERT computer crime and security survey says "Only 35% of respondent organisations experienced electronic attacks that harmed the confidentiality, integrity or availability of network data or systems (compared to 49% in 2004 and 42% in 2003)." ONLY 35%! Am I the only person who finds it perverse to regard a situation in which MORE THAN A THIRD of those surveyed suffered business impacts as a success? 3.5% maybe but not 35. This is an outrageous indictment of the state of information security.

Security lessons learned

"Security isn’t only about protecting your network from external threats; it’s also about protecting against threats from within. The first step to security is awareness; therefore, it’s important that all your employees know not only the potential threats but also how to recognize and prevent such threats. Education and awareness empowers each employee with the knowledge of his role in protecting the organization’s network. This, in turn, will go a long way toward mitigating risk." Well said Doug Schweitzer! This week's Processor magazine has several interesting articles on security awareness and policies.
More risk management and security awareness links

Malware threats converge

Various infosec professionals have been commenting on the threat posed by new forms of malware used to install cryptic rootkits or spyware without alerting the user to their presence. It seems not all antivirus and antispyware software can detect these. There is a distinct possibility that a very specifically targeted chunk of malware could infect an organization or even an individual person, perhaps to wreak havoc with their systems or to disclose sensitive information. Call me paranoid if you like but the pieces are falling into place.
More malware links and risk management links.

A risk management classic

"The crash of a critical legacy system at Comair is a classic risk management mistake ... the legacy system failed, bringing down the entire airline, canceling or delaying 3,900 flights, and stranding nearly 200,000 passengers. The network crash cost Comair and its parent company, Delta Air Lines, $20 million, damaged the airline's reputation and prompted an investigation by the Department of Transportation." 

Executives stalled all attempts to replace the old crew scheduling system until eventually it failed in service. Reading between the lines of the story, however, it is not clear whether the proposed replacements would have presented even greater risks. Risk management decisions can be buggers.

DDoS extortion

Distributed Denial of Service attacks are being used to extort money from on-line businesses. This is hardly hot news but various experts in a Computerworld piece say this is an increasing threat. More interesting is the emergence of commercial tools to mitigate DDoS attacks, giving victims an alternative way to spend their money (I would be surprised if there were no free tools with the same aim out there, at least in development by the wonderful public-spirited open source community).
More risk resources

Insider threat

CERT has released a 45-page report into the threat of sabotage by insiders. As one might expect from CERT, it focuses on the threat to the IT elements with an emphasis on critical infrastructure although it includes examples in commercial settings.
More risk management resources here

Information Security Policies Made Easy

Version 9 of Charles Cresson Wood's masterpiece contains more than 1,400 infosec policies in 727 just-over-a-dollar-each pages. How this volume of material makes writing policies "easy" is beyond me but some readers claim the book is good for suggesting the breadth of topics that might be covered in any policy area ... just don't try to write your own 727-page policy manual!
Why do we need security awareness?

Fraudulent laptop sales

Police are warning of a street con involving the sale of what purports to be a laptop, only the bags are swapped and victims find they have actually bought a load of rubbish [the police don't actually say which make of PC is involved].
More IT fraud links here

Website certificates

Another excellent US-CERT Cyber Security Tip helps people understand website certificates. This tip is a bit more technical than most but power users and IT workers should be aware of the implications of accepting and trusting digital certificates.
More internet security resources

SOX puts audit costs up

A survey attributing $1.4 bn of additional costs to Sarbanes-Oxley compliance includes a subtle message. Banks, insurance and drug companies saw significant increases in their audit costs, but energy, utilities and retail companies saw even greater increases ... presumably implying that they had much more to do to reach compliance.
More IT governance links here

ST£RLING fraud initiative

The Metropolitan Police, in conjunction with Companies House, is promoting a scheme for UK companies to sign-up for electronic filing of company records to reduce the opportunities for fraud.
More IT fraud resources here

Passwords for $3 a pop

Verisign have found that the majority of people asked were willing to reveal their passwords for a $3 Starbucks coffee token. "According to the company, one executive who was too busy to respond to questions but still wanted a gift card sent his administrative assistant back to complete the survey. The assistant promptly revealed both the executive's password and her own." The survey team have no obvious/legal way to verify the passwords (which is presumably why this was labelled a "light-hearted and unscientific survey") but the take-home message in terms of a general disregard for information security is pretty clear.

How not to do security awareness

A somewhat tongue-in-cheek diary/blog by a typical if fictional information security manager shows how security awareness is constantly pushed to the bottom of the in-tray.
More security awareness resources

New threats and impacts

ComputerWorld points out that new/changing laws such as those concerning the protection of vital information in effect create new liabilities (we would say "impacts") and new threats such as employees or business partners failing to comply with the new laws - in other words they affect information security risks.
More information security risk management and legal resources

More backup tapes missing

There seems to have been a rash of security incidents involving the loss of backup tapes lately. Computerworld is now reporting that Time Warner lost an entire shipment of data backups en route to its off-site storage. The Register outlined a handful of similar incidents, pointing out that identity thieves would love to get their hands on backup tapes containing credit card numbers and other personal details, especially as so few are encrypted.
More risk management, physical security, privacy and confidentiality links

ISO 17799 newsletter

The fifth newsletter from the ISMS (Information Security Management System) IUG (International User Group) contains two pages by Angelica Plate on the changes in ISO 17799:2005, due for publication in a month or two.
More security standards links

CCTV effect on crime

A report by the UK Home Office reveals that only one of 13 CCTV systems studied directly produced a statistically significant reduction in crime relative to comparable control areas without CCTV. This runs counter to the general perception, and the implication of previous Home Office and Police statements, that CCTV deters city-center crime. The report has implications for the cost-benefit and risk analysis of CCTV in private/commercial settings.
More risk management and physical security links

Governance Focus blog

The Governance Focus blog has been going since September 2003. It covers governance very broadly and gives a fascinating insight into what's happening in the field. Well worth a look.
Other governance links here

IT Governance book

Peter Weill and Jeanne Ross published this precis of their book IT Governance in an Australian magazine.
Read our review of the book here

Principles of corporate governance

A white paper from US CEO forum The Business Roundtable gives an overview of their position on corporate governance. They recommend that every publicly owned corporation should have a committee that addresses governance issues, but then confuse the matter by discussing the nominating committee (appointing suitable Board members is only one part of corporate governance).
More governance resources

Benefits and risks of free email services

US-CERT Cyber Security Tip ST05-009 outlines the pros and cons of free web-based email accounts such as Yahoo, Hotmail and gmail. Three primary risks are identified: "security" (meaning confidentiality through SSL), privacy (confidentiality of personal and commercial information) and reliability (service availability).
More email security resources

Corporate espionage

This slightly xenophobic article nevertheless analyzes the threat of theft of proprietary information. "Experts say that company insiders are a much bigger problem than someone hacking into the system from the outside. 'Seventy-five to 85 percent of all theft per se is done by an insider,' said Julie Snyder, president of the Silicon Valley chapter of the International High Technology Crime Investigation Association."
More confidentiality resources

Microsoft Redmond

Curious to see the extensive Microsoft Redmond campus? One of their employees, presumably, has kindly posted this detailed aerial photograph of the site (warning: it's 4Mb!). Why did he/she post it on whe web? I've no idea.
More physical security links here

ISO17799 FAQ

A public Wiki has been set up for people to contribute to an FAQ on ISO17799, BS7799-2 and so on. This is a collaborative community project, a good opportunity to information security professionals with '7799 experience to share best practice with our peers. It's early days yet but that means there's plenty of scope for you to add questions and, most of all, add useful answers.
More links to information security standards, laws and regulations

Fake hospital inspectors

The Washington Post is reporting that imposters falsely claiming to be unannounced inspectors working for a US government hospital inspection body have been detected and ejected from at least three hospitals. Their motives are unclear at present. Until two weeks ago, the inspection body used to post the names of its inspectors on its website (‘nuff said).
More social engineering and physical security links

Disk erasure

Dirty disks clogged up with musty old data? Desperate to throw them away but worried about where they'llend up? You need DBAN! DBAN is a bootable system and disk eraser. Boot and nuke your old hard drives with DBAN! Kills 99.9% of data, DEAD!
More physical security resources

Internet drugs ring busted

Those who openly advertise and sell controlled drugs online are not above the law. The Washington Post reports that the DEA has shut down a major online drugs operation based in Philly distributing generic drugs supplied from India. This will not be the last online drugs bust, for sure. Perhaps this will finally curtail the spammers' obnoxious activities (don't hold your breath).
More web security resources

Security awareness tips

This webpage presents one of a number of security awareness tips at each load. It is an example of a creative use of the Web for security awareness.
More security awareness resources

ISO17799 case study

This is a fascinating case study expounding the business value of implementing ISO17799 (BS7799). The case reveals some surprising linkages between information security management and general business management, plus several indirect benefits that are seldom mentioned elsewhere.
More IT governance and information security management resources

IT Governance book review

We have published a review of the IT Governance book by Weill and Ross to tie-in with this month's NoticeBored Classic security awareness module, funnily enough on IT governance. Find out what makes it worthwhile reading to the last chapter.
More IT governance resources

MG Rover bosses grilled

Two weeks before British vehicle manufacturer MG Rover finally went into administration, tough questions were being asked of its Chairman and directors regarding some 'unusual' business transactions. Corporate governance is the core issue. We will probably never know the full picture. Meanwhile, thousands of workers are unemployed despite millions of pounds of public money being spent in attempts to shore-up the failing firm.
IT governance resources

Draining FAQ

"Draining" is the 'sport' of infiltrating places by means of underground sewers, cable ducts etc. Caving skills, a cyclops hat and a strong stomach are advisable. The implications for critical infrastructure facilities are glaringly obvious.
Other physical security resources here

Corporate governance ratings for UK listed companies

FTSE, a private company providing financial information on thousands of companies worldwide, has started providing corporate governance ratings in conjunction with ISS. The ratings are apparently derived from "up to 61 corporate governance variables". We have no opinion on the veracity of their Corporate Governance Quotients and, as always, advise investors to take advice from professional advisors, not us. [Note: access to the FTSE site requires free registration].
More IT governance resources

Privacy when browsing the Web

US-CERT's latest cyber security tip discusses privacy concerns as we browse the Web. Most browsers disclose information about their systems simply by visiting websites. The tip concludes with three straightforward actions to limit our exposure. It is well worthwhile signing-up for the cyber security tips and related materials from CERT whether you are simply a computer user or run a security awareness program. Author Mindi McDowell and colleagues are doing a great job.
More confidentiality and privacy resources

Network security lessons from a Bronze age fort

The latest CSO Mag has a thoughtful article about a 3,000 year old Irish cliff-top fort, drawing various analogies between securing a fort vs. securing a network. Unfortunately, interesting though the analogy might be, a 3,000 year old fort offers minimal protection against modern weapons of war. Increasingly sophisticated adversaries using powerful new technologies remain a serious threat in any age. Oh and don't forget the Peasants' Revolt when the Tower Of London was breached by dint of bribing the gatekeeper. Social engineering has a long history too.

Patch Tuesday

Yesterday was 'patch Tuesday' meaning that millions of PCs running Windows Update are slavishly downloading the latest patches from Microsoft. The explanation of "cumulative security update for Internet Explorer", just one of this month's patches, indicates that unpatched PCs accessing 'malicious Web pages' could be completely compromised by bugs in IE's handling of DHTML and URLs, potentially giving an attacker 'complete control of an affected system' through 'remote code execution'. In case you missed it, this important snippet of information is buried under the (normally unexpanded) vulnerability details section of the detailed bulletin accessible from the information page about the fix included in the latest set of patches ... how many of us bother to follow the trail through three web pages? What's more, today's Handler's Diary at SANS Internet Storm Center (which we blogged yesterday) reports that "A proof-of-concept exploit for this vulnerability is already publicly available from FrSIRT. The availability of the exploit is likely to increase the severity of this patch for most organizations.", a point which Microsoft neglected to mention explicitly. (FrSIRT notice here)
Watch out for a forthcoming NoticeBored security awareness module on 'security in information systems development' which will mention the patching treadmill as a contingency measure following the release of buggy software.
More Internet security resources

Rash of new infosec laws

An article in USA Today lists quite a few security-related US laws that are in progress or planned. Multiply this list by N to cover similar initiatives in the rest of the world and the scale of the legal compliance issue starts to become clear.
More IT governance and IT law resources

XP SP2 patches and spambots

The SANS Internet Storm Center's Handler's Diary provides a wonderful source of up-to-date information on current Internet security threats. Today, for example, it is reminding people that Microsoft will be auto-updating Windows XP machines to Service Pack 2 tomorrow, even if users have previously opted-out of the patch. It also includes a list of ports and IP addresses that might indicate your system is being used as a spambot. The diary is aimed at information security managers, information technologists and power users. If you are in these select groups, consider setting your browser's home page to the latest Handler's Diary page to keep up with current events.
Other information security management resources here

DDoS extortion thwarted (?)

Russian extortionists who used DDoS attacks to extort money from UK betting firms have been arrested. Complaints to the National High-Tech Crime Unit of attacks have evidently fallen since the arrest of a Russian gang believed to be behind the protection racket which forced Web-gambling firms to pay up or face extended service outages. [Whilst that may be true, DDoS attacks definitely remain a serious threat to any web-based business, us included.]
More availability resources

Whistleblower brokerage service

ReportLine, ComplianceLine, SilentWhistle and Shareholder.com are examples of commercial services handling calls from customers’ employees who wish to blow the whistle on dishonest/unethical behavior, fraud, health and safety breaches, HIPAA/data protection breaches and related matters. The Government Accountability Project and BlowTheWhistle support those blowing the whistle on wrongdoing affecting public bodies. Sarbanes-Oxley is yet another reason why organizations should take their responsibilities towards such whistleblowers very seriously indeed. Outsourcing this particular kind of service has a number of advantages. For instance, the call handling agency is independent of the organization and thus may be considered more trustworthy than insiders. Secondly, it builds a competence in assessing, prioritizing and dealing professionally with reported issues beyond the level achievable by an internal function. [We recently proposed the formation of an international not-for-profit organization to handle information security vulnerability reports in the same kind of way ...]
More IT governance resources here

Hacking school in Barcelona

Barcelona is home to a hacking school, more precisely a course teaching students about information security risks and control techniques. The course is backed by ISECOM, the Institute for Security and Open Methodologies, which describes itself as an 'open-source collaborative community ... dedicated to providing practical security awareness, research, certification and business integrity'.

Virginia spammer gets nine years

Jeremy Jaynes is apparently the first person in the US to get a prison term for spamming. Seems the authorities are getting tougher on spammers. 'Bout time.
More email security resources

Infosec incident in Indian call center

The gist of this news article is that a fraud involving the theft of customer details by call-center operators in an Indian company may discredit the whole Indian off-shore/outsourcing market. Sorry, I don't buy that argument. The truth is that IT fraud is a risk in ALL countries. I see no reason to believe that India is inherently more risky than anywhere else - in fact, the increasing level of interest in our security awareness products from Indian IT companies suggests quite the opposite to me. At the risk of over-generalizing, India seems very well aware of the importance of information security.
More IT fraud links and IT governance links

Web application security test tools

Watchfire supplies an application security test suite. Whereas we normally emphasize the importance of human factors in information security, application testing is one area where technical security measures are relatively underdeveloped. Manual testing is tedious, slow and error prone, but still necessary. Automated testing reduces the tedium and increases the coverage. The combination of a good test suite in the hands of experienced security testers is unbeatable.
More Internet security links

Australian IT governance standard

Australian standard AS 8015-2005 provides guiding principles for Directors on "the effective, efficient, and acceptable use of ICT". This is believed to be the first official standard in the world dedicated specifically to IT governance.
More IT governance links.

IT strategy and security issues for non-execs

This is part of a factsheet from the UK Institute of Directors advising non-executive directors on (a) how to go about asking questions to the Board or other managers about IT strategy and security; and (b) the types of question worth asking. [I particularly liked "Has your business assessed the risk of getting a reputation for slackness in security?"!]
More IT governance resources

Identity fraud quiz

Find out (roughly) how vulnerable you are to identity theft by completing this automated survey. Practical advice on how to reduce your risk is given at the end. [This might be a useful security awareness site for your intranet, and for your friends and relatives].
More IT fraud resources

Scams dotcom

This site is a real eye-opener. It is a bulletin board system where people supposedly post information about bad experiences with various get-rich-quick schemes. Purveyors of said schemes then respond by justifying their activities ... and so the cycle continues. The net result (pun intended) is that the schemes get even more promotion and naive site visitors get inundated with conflicting information. The eye-opener bit is the sheer scale of ignorance and greed on both sides of the argument. Why is it that so many people believe they can make a fortune (well a few hundred bucks maybe) by 'recruiting others to join the program' or 'completing surveys' or whatever? Why do the scammers resort to personal insults against any of their 'customers' who have the temerity to complain about non-receipt of checks etc.? Maybe these people are just made for each other.

More IT fraud resources here

Information security governance: what directors need to know

"Security awareness must start with the board and permeate the organization's values and culture". Hear hear.

SOX and information security awareness

Defining and promoting your information security policies is an essential requirement for Sarbanes-Oxley compliance. SOX auditors will most likely review your policies as one of the first steps: are you ready for them?
More IT governance links here

Awareness module on IT governance

We have just released the latest NoticeBored Classic module, this month a bumper package with nearly 12Mb of security awareness materials on IT governance. The pack introduces a new deliverable developed in response to customer inquiries about security metrics: a simple security awareness survey form. The survey format is likely to evolve in future months and, in parallel, we are working on a new white paper on security metrics. Watch this space.
By the way, an exciting new version of NoticeBored Plus has also been released. Please contact us for further information.
New IT governance links page here