Welcome to the SecAware blog

I spy with my beady eye ...

29 Jul 2005

Email disclaimers

We've all read those pseudo-legal statements at the end of most corporate emails, but do they carry any weight? Stupid Email Disclaimers takes a look at the issue and makes some interesting points for discussion with your corporate counsel.
More email security resources

28 Jul 2005

Social psychology & INFOSEC

Mich Kabay's 1993 paper on security awareness makes the case for "changing beliefs, attitudes and behaviour, both of individuals and of groups. Social psychology can help us understand how best to work with human predilections and predispositions to achieve our goals of improving security".
More security awareness resources

27 Jul 2005

Data recovery hardware

An interesting suite of products from Germany protects key system files against unauthorized modifications. WatchIT presumably takes a backup copy of boot files and other key data from the disk. If the files are corrupted (e.g. by a virus) or accidentally deleted, the originals can be restored in a flash. Sounds ideal for classroom and many corporate situations where users have a tendency to corrupt their own systems from time to time.
More contingency planning links

26 Jul 2005

An upside to privacy breaches?

An editorial in Chief Marketing Officer Magazine hints at a possible upside to the recent privacy breaches splattered across the press. "Privacy activists are up in arms over ChoicePoint and other high-profile security breaches at institutions such as Bank of America, DSW and CardSystems, where 40 million credit card accounts from Visa, MasterCard and other card issuers may have been compromised. Legislation to tackle growing worries over credit report information, data breach disclosures and spyware is in the political pipeline. Wary consumers are increasingly reluctant to share personal information with marketers." Well OK, maybe calling it an 'upside' is a bit cynical, but if the general public are more security aware, we're happy :-)
More anti-hacking resources

23 Jul 2005

Success strategies for security awareness

"Without visible executive stewardship, information security awareness programs are doomed to fail" says E Kelly Hansen, Chief Executive of Neohapsis. Unfortunately, like so many other articles on security awareness, ZDNet falls short on practical guidance on how one might actually gain 'visible executive stewardship'. Apart from the standard advice to circulate a newsletter and consider corporate videos, there are few creative ideas here.
More on the need for security awareness and some helpful advice to start an effective security awareness program

22 Jul 2005

Hacking with Google

Johnny I Hack Stuff is the website of Johnny Long, author of Google Hacking for Penetration Testers (~$32 from Amazon). Johnny explains how to construct interesting Google queries in order to identify vulnerabilities such as security holes in system and application software, disclosure of sensitive information and so on.
More [anti-hacking] resources

How To Become A Hacker

How To Become A Hacker is a primer on the philosophy and ethics of hacking, more than the mechanics of hacking. Starting from the point of view that “hackers build things, crackers break them”, this is a thoughtful, well-written and stimulating piece of creative writing. “Contrary to popular myth, you don't have to be a nerd to be a hacker. It does help, however, and many hackers are in fact nerds. Being a social outcast helps you stay concentrated on the really important things, like thinking and hacking.”
More [anti-]hacking resources

London cellphone network resilient under stress

The BBC is reporting that cellphone networks in London are coping adequately with the higher-than-normal call volumes arising from the bomb incidents at lunchtime today. Cellphones have become as much a part of the critical national infrastructure as the "Plain Old Telephone System" (POTS). Wireless networks, like their wired ancestors, are designed with resilience in mind, including spare capacity, alternate routing and 'intelligent' real-time switching protocols. This is mostly to cope with the diurnal peaks and troughs of demand, and partly for continuity through abnormal periods such as bombings, planned maintenance and unanticipated system failures.
More on crisis management and contingency planning

21 Jul 2005

Sazo GPS/GSM location

Sazo is an interesting low-cost product line from a UK company that uses GPS or GSM signals to locate Sazo devices. They are being marketed for concerned parents to track and communicate with their children, and for similar personal-location applications. The technology may also prove useful for tracking stolen vehicles or PCs or other valuables (although it would of course need to be modified slightly so as not to need the thief to acknowledge the location request message!).
More physical security links

Kevin Mitnick preaches social engineering awareness

In a keynote presentation at the Citrix iForum conference in Australia today, hacker Kevin Mitnick said "social engineering appeals to hackers because the Internet is so widespread, it evades all intrusion detection systems, it's free or very low cost, it's low risk, it works on every operating system, leaves no audit trail, is nearly 100 percent effective, and there is a general lack of awareness of the problem."
More [anti-]hacking and social engineering links.

"Underground" websites

Perusing this list of 100 "underground" websites gives a flavor of what certain hackers find interesting - hacking/cracking tools and how-to courses, warez and cracked serial numbers, for example. [Warning: take great care if visiting or downloading "useful tools" from dubious websites. Some of them may exploit security vulnerabilities in your system, or indeed in yourself, to install Trojans and other malware.]
More anti-hacking and malware resources

20 Jul 2005

Hoax-Slayer

The free Hoax-Slayer Newsletter explains email scams, Internet frauds and other such nasties to the general public. A nice easy way to keep up with things.
Other IT fraud resources

19 Jul 2005

CSI/FBI survey 2005

The latest Computer Security Institute/Federal Bureau of Investigation security survey is packed once again with interesting statistics and insightful commentary. With responses from around 700 US respondents, this is one of the most reliable surveys. Security awareness gets several mentions. "The vast majority of respondents view security awareness training as important. However, (on average) respondents from all sectors do not believe their organization invests enough in it." The survey does not explain why this might be, unfortunately. I wonder if it might be related to the lack of understanding of security awareness amongst senior management?
Download our white paper on the value of security awareness

Nigerian scammer fined in $242m case

It appears the courts in Nigeria are convicting fraudsters guilty of 419 advance fee frauds and other scams ... but not before these swindles have allegedly become one of the country's main foreign exchange earners after oil, natural gas and cocoa according to "anti-sleaze campaigners" quoted by Reuters.
More IT fraud resources

US airman convicted of hacking

The European and Pacific Stars & Stripes reports that an airman based in Japan has been convicted by a court martial for trying to hack PC files on the base using a password cracker program he downloaded from the Internet. It seems the man also uploaded a password file from the base to a personal web server through the Internet, with the risk of third party interception en route.
More anti-hacking resources

17 Jul 2005

Default login info

Next time you install a new device, load an operating system or install an application, don't forget to change the default installation username and password before you connect it to the network. Over 1700 such default logins are published at Virus.Org.
More anti-hacking resources

14 Jul 2005

US-CERT Cyber Security Bulletins

The weekly Cyber Security Bulletins from US-CERT summarize reported software security vulnerabilities such as buffer overflows. With so many bugs being reported every week, there is not much hope of securing our computer systems against determined attackers. It's like drinking from the fire hose. (We will pick up on this point in future NoticeBored modules on 'security in the SDLC' and 'bugs!'.)
More anti-hacking resources

13 Jul 2005

Patch Tuesday

Microsoft's latest Security Bulletin describes three patches to close off critical security vulnerabilities in Windows and Word. Now that these vulnerabilities are in the public domain, it's open season for hackers to try to exploit them before everyone gets patched. The patching treadmill is a logistical nightmare for organizations running business-critical applications on numerous distributed technology platforms, creating risks to the deployment. It is critically important to strike a balance between delaying the patching (increasing the window of opportunity for the hackers) and patching too soon (before patches have been tested on all applicable platforms). More will appear on this topic in next month's NoticeBored Classic module.
More anti-hacking resources

The human factor in information security

The British Computer Society has published a paper by Zach Anuka highlighting the importance of human factors in information security, alongside physical and logical/technical factors. "... the human piece of the puzzle, the soft factor, receives the least attention and investment. How often in an IT project do you hear about human vulnerabilities requirements? Not often. It is not usual for systems integration projects to include the aspect of user training that could enable users to manage their own inherent vulnerabilities." Well said Zach!
Click for more security awareness resources and our own white papers on why we need awareness and human factors.

Iron Mountain Loses More Tapes

Perhaps as a result of the Californian law requiring disclosure of security breaches involving personal data on Californian residents, several incidents involving the loss of backup tapes in transit between the primary and backup sites have come to light since 2004. Given the sensitivity and volume of data on the tapes, and the fact that they are being handed to (albeit trusted) third parties for transportation, it is perplexing to discover how few organizations apply encryption ['encoding' and 'proprietary formats' don't count - these are just weasel words], even in financial services. The latest example of this kind of incident involves Iron Mountain Inc., a backup specialist that hit the news over another similar incident a few months before. Why is it that the possibility has escaped otherwise quite comprehensive risk analyses? Presumably it is not explicitly covered by SAS70 or the auditing standards and has simply slipped under management’s radar, until now.
More physical security resources

12 Jul 2005

End of an era for Phrack

After 20 years, Phrack magazine's editorial team are hanging up the quills and closing down the press. The last issue will be released at US hacker conventions later in July. The hacking and phreaking world will mourn the loss, shed a tear maybe, and then turn back to the web for their fix.
More anti-hacking resources

11 Jul 2005

'London bombing' Trojan

The day after London was bombed, a 'London bombing' Trojan started circulating. "Virus writers have created a Trojan which poses as London terrorist attack news footage. Infected emails harbouring the Trojan pose as a CNN Newsletter which asks recipients to 'See attachments for unique amateur video shots'." Shameless.
More malware, anti-hacking and crisis management links

Security awareness on crisis management

We published a special NoticeBored Classic module on crisis management and contingency planning, inspired by the emergency services' amazing response to the bombing of London last Thursday, along with a special newsletter. [These materials are no longer online]
More crisis management and contingency planning links

9 Jul 2005

Targeted Trojan emails

The threat of targeted malware attacks was discussed a few months ago in the NoticeBored Classic awareness module on malware. US-CERT Technical Cyber Security Alert is now warning of the increased threat of Trojans that (a) elude conventional protective measures such as antivirus software and firewalls, and (b) are emailed to specific targeted recipients. External disclosure (exfiltration or stealing) of data appears to be the primary purpose, for example using port 80 like normal web traffic, passing straight through the perimeter firewalls.
More anti-hacking and malware resources

What The Hack!

What The Hack is a hacker conference taking place on a camping site in the South of The Netherlands from 28 until 31 July 2005. "The event is not just for those who already define themselves as hackers, although they will almost certainly have an excellent time. Like previous times we hope to create an opportunity for people from a great many different cultures and subcultures to meet. So no matter whether you're interested in any of the topics presented, curious about what it is we're into, feel there are some cultural connections missing that you could facilitate, or if you just want to hang out with some of the brightest and funniest people we know: please come."
More (anti-)hacking resources

7 Jul 2005

MS UK site hacked

A Microsoft UK website has been defaced with a GIF image file supporting a hacker arrested in April. The Register reports that the GIF has been removed. Crude website defacements of this nature are at the 'vandal' end of the hacking scale, way below the level of concerted terrorist IT infrastructure attacks feared by military security experts.
More anti-hacking resources

SSNs exposed by college server hack

In yet another college server hack, personal information including Social Security Numbers has been exposed. The college has belatedly removed SSNs from the server, but why they were there in the first place is not clear. "If someone has a name and Social Security number, they can apply for a credit card, so this is a major issue". A separate news story reports that "many colleges and universities used a student's social security number as their primary student identifier, until recently [and] some schools still have not stopped the practice." In the UK and other countries, SSNs are not generally used as secrets for personal authentication purposes, and individuals need to provide additional information such as something proving their home address: the US seems behind the curve on this one.
More anti-hacking resources

'Hunting season' for computer attackers

The Toronto Globe And Mail yesterday ran a well-written piece about the upsurge of computer crime. The article makes the case that criminals are turning to electronic crime because of the enormous opportunities opened up by the combination of numerous insecure systems on the Internet, widespread lack of awareness of basic security measures among users, and disjointed trans-national law enforcement. This is not just scare-mongering; the story is illustrated with news of recent hacking incidents and quotes from professionals in the field. The worrying trend is every bit as clear as global warming.
More anti-hacking resources here

Man charged with stealing WiFi signal

A Florida man has been charged with unauthorized access to a WiFi network. The man admitted using a laptop PC in an SUV parked outside the house to 'steal' WiFi access. The case will presumably center on whether the WiFi network was adequately secured - most aren't.
More wireless networking security and anti-hacking resources

Chinese student arrested for hacking

A Chinese student has been arrested in Tokyo, allegedly for hacking into up to 14 companies' systems to obtain information on their customers.
More anti-hacking resources

6 Jul 2005

Decoys for the Pentagon

US Military experts have proposed the use of 'decoys' (commonly known elsewhere by the term 'honeypots') as a defensive move to protect the Pentagon Network from hackers. Now there's an idea.
More anti-hacking resources

5 Jul 2005

Monitoring attacks on Windows networks

Microsoft's Security Monitoring and Attack Detection Guide is designed to help organizations plan a security monitoring and attack detection system based on Windows Security Event logs. It explains how to interpret the events (albeit within the rather limited capabilities of standard Windows tools) and which events indicate the possibility that an attack is in progress.
More anti-hacking resources
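As an added illustration of the kind of rule such a guide leads to (example code written for this post, not taken from Microsoft's guide), the script below runs a simple detector over a handful of constructed Windows 2003-era Security Event log lines. It assumes a simplified one-line-per-event export (date, time, event ID, account, source address) and the pre-Vista event IDs 528 (successful logon), 529 (logon failure, bad password) and 517 (audit log cleared); real exports carry many more fields.

```python
"""Toy attack detector over Windows Security Event log lines.

Added example for this post, not Microsoft's code. The log lines are
constructed; the event IDs are the Windows 2000/2003 ones (assumption:
528 logon success, 529 bad password, 517 audit log cleared).
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVT_LOGON_OK = 528
EVT_LOGON_BAD_PASSWORD = 529
EVT_AUDIT_LOG_CLEARED = 517

# Constructed sample: five bad passwords for jsmith from one host in under
# a minute, then a successful logon, then the audit log is cleared.
SAMPLE_LOG = """\
2005-07-05 08:55:10 528 bob 10.0.0.7
2005-07-05 09:00:01 529 jsmith 10.0.0.5
2005-07-05 09:00:04 529 jsmith 10.0.0.5
2005-07-05 09:00:07 529 jsmith 10.0.0.5
2005-07-05 09:00:11 529 admin 10.0.0.9
2005-07-05 09:00:12 529 jsmith 10.0.0.5
2005-07-05 09:00:15 529 jsmith 10.0.0.5
2005-07-05 09:00:20 528 jsmith 10.0.0.5
2005-07-05 09:03:40 517 jsmith 10.0.0.5
"""


def parse_events(text):
    """Turn the simplified export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, event_id, account, source = line.split()
        events.append({
            "time": datetime.fromisoformat(f"{date} {time}"),
            "id": int(event_id),
            "account": account,
            "source": source,
        })
    return events


def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Return (indicator, account, source) tuples for suspicious patterns:
    - 'password_guessing': threshold bad passwords for one account/source in window
    - 'success_after_failures': a successful logon right after such a run
    - 'audit_log_cleared': a single 517 is always worth a look
    """
    alerts = []
    failures = defaultdict(list)  # (account, source) -> recent failure times
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["account"], ev["source"])
        if ev["id"] == EVT_LOGON_BAD_PASSWORD:
            # Keep only failures still inside the sliding window.
            failures[key] = [t for t in failures[key] if ev["time"] - t <= window]
            failures[key].append(ev["time"])
            if len(failures[key]) == threshold:
                alerts.append(("password_guessing", ev["account"], ev["source"]))
        elif ev["id"] == EVT_LOGON_OK:
            if len(failures[key]) >= threshold:
                alerts.append(("success_after_failures", ev["account"], ev["source"]))
            failures[key] = []  # a success resets the run
        elif ev["id"] == EVT_AUDIT_LOG_CLEARED:
            alerts.append(("audit_log_cleared", ev["account"], ev["source"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

The single bad password for 'admin' stays below the threshold and produces nothing, which is the point of counting per account and source inside a time window rather than alerting on every 529: the signal is the run, and the success that follows it.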

PayPal phishers get more creative

PayPal has settled a class-action claim, the claims period for which expired in October 2004. According to the claims administrator, phisher emails are circulating that cite the original case and direct victims towards a false claims site where, as usual, they seek to obtain their personal information.
More email links here

4 Jul 2005

Bank workers biggest ID theft threat

deseretnews.com reports that customer details have been sold to identity thieves by employees of Bank of America, Wachovia and two other banks. "We've got a nasty problem and it keeps getting worse over the past couple of months," said Peter G. Neumann, a security expert with SRI International in Menlo Park [and manager of the RISKS mailing list], Calif. "Insiders have always been a concern, it's just that (institutions) are finally admitting it."
More anti-hacking resources.

1 Jul 2005

Help! I Think I've Been Hacked!

Help! I Think I've Been Hacked!! is a common cry on IT bulletin boards. Non-technical people usually don’t understand why hackers have hacked them, nor how they did it. All they want to do is get the hackers out - no mean feat without IT knowledge, even using the antivirus and antispyware tools commonly available. Keeping the hackers out is a further challenge but at least former hacking victims should be well aware of the threat.
More anti-hacking resources

Rootkits

Find out why you should beware rootkits on your systems. Rootkits typically install modified operating system files such as “ls.exe” (the UNIX list files command) to conceal the presence of hacking tools from naive system administrators. The tools themselves give hackers complete control of a compromised system and often provide backdoors to the system in case the primary mode of entry is blocked.
More (anti-)hacking resources
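Because a classic rootkit works by swapping trusted system binaries, the standard defensive check is a file-integrity baseline: record the digests of the binaries while the system is known-good, then compare later. The script below is an added example for this post (not code from the page or any named product); the 'system files' it hashes are constructed in a temporary directory, and the assumed attack is a replaced 'ls' plus a deleted 'netstat'.

```python
"""Minimal file-integrity baseline, the check that catches a user-mode rootkit
swapping system binaries. Added example; files are constructed in a temp dir."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries don't need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Record the digest of every trusted file while the system is known-good."""
    return {path: sha256_of(path) for path in paths}


def verify_baseline(baseline):
    """Compare the current files to the baseline; return (path, finding) pairs."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif sha256_of(path) != expected:
            findings.append((path, "modified"))
    return findings


def demo():
    """Build a baseline over three constructed 'binaries', simulate a rootkit
    replacing ls and removing netstat, and return what verification finds."""
    with tempfile.TemporaryDirectory() as workdir:
        ls = os.path.join(workdir, "ls")
        ps = os.path.join(workdir, "ps")
        netstat = os.path.join(workdir, "netstat")
        for path, body in ((ls, b"genuine ls"), (ps, b"genuine ps"),
                           (netstat, b"genuine netstat")):
            with open(path, "wb") as f:
                f.write(body)
        baseline = build_baseline([ls, ps, netstat])

        # Simulated rootkit activity (constructed): trojaned ls, netstat removed.
        with open(ls, "wb") as f:
            f.write(b"trojaned ls that hides the attacker's files")
        os.remove(netstat)

        return [(os.path.basename(p), finding)
                for p, finding in verify_baseline(baseline)]


if __name__ == "__main__":
    print(demo())
```

Two caveats for real use: the baseline and the hashing tool must be stored somewhere the compromised host cannot alter (read-only media or another system), and a kernel-level rootkit can lie to every user-mode read, so an offline check from a clean boot is the more trustworthy form of this comparison.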