Welcome to the SecAware blog

I spy with my beady eye ...

21 Sept 2005

Self-phishing for educational purposes

Several organizations have started using (simulated) phishing attacks against their own employees as a security awareness activity. The New York State Office of Cyber Security and Critical Infrastructure Coordination, for example, sent staff an internal email asking them to enter their passwords into a ‘password checker’. 17% of their 10,000 users succumbed and were given additional education. When the exercise was repeated a month later, the phishing email phooled just 7% who were presumably given stronger, more explicit advice and encouragement by management regarding their future career prospects.
More authentication resources

18 Sept 2005

Blogging for SMEs

An editorial in Processor Magazine outlines some of the security risks facing SMEs as a result of blogging, along with some tips to address them.
More security awareness resources

16 Sept 2005

Biometrics Resource Center

The Information Technology Laboratory Biometrics Resource Center offers research papers, standards and other resources on biometrics, with the high quality we have come to expect of NIST.
More authentication resources

14 Sept 2005

I hear you made a spelling mistake ...

It is evidently possible to determine what someone is typing on a keyboard purely by painstaking analysis of tiny differences in the sounds made by the keys. Each key has a slightly different acoustic signature, so a recording of a typing session can be sorted into clusters, roughly one per key; what the eavesdropper then holds is a substitution cipher over the keyboard. A research team used the known statistical structure of English (letter frequencies and spelling) to label those clusters and reconstruct what had been typed, from a sound recording of roughly ten minutes. [This is a creative application of a standard cryptanalysis technique.] Perhaps quiet keyboards and background noise should be considered information security measures?
More physical security resources
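As an added illustration (not code from the researchers or from this blog), the Python toy below reduces the attack to the cryptanalysis it resembles. The audio clustering stage is simulated by giving every distinct key a random cluster ID; the eavesdropper then ranks clusters by frequency against the standard English order and reads the text back. The typing session is constructed sample text, and the cluster assignment is an assumption standing in for real signal processing.

```python
"""Frequency-analysis recovery of keystrokes from per-key sound clusters.

Toy model (added example): every physical key produces a distinct, clusterable
sound, so the eavesdropper ends up with a stream of anonymous cluster IDs, i.e.
a monoalphabetic substitution over the keyboard. Rank the clusters by how often
they occur, line them up against the known frequency order of English, and the
commonest characters fall out immediately.
"""
from collections import Counter
import random

# The familiar "etaoin shrdlu" order, with the space bar first: in typed prose
# space is pressed more often than any single letter.
ENGLISH_ORDER = " etaoinshrdlcumwfgypbvkjxqz"

# Constructed sample typing session (not taken from the paper or the blog).
SAMPLE_TEXT = ("the keyboard emits a slightly different sound for each key "
               "and the attacker needs only a recording to recover the text")


def simulate_acoustic_clusters(text, seed=1):
    """Stand-in for the audio clustering stage (an assumption of this toy):
    every distinct key gets a random cluster ID, and the keystroke stream is
    returned as cluster IDs with no key labels attached."""
    keys = sorted(set(text))
    ids = list(range(len(keys)))
    random.Random(seed).shuffle(ids)
    key_to_cluster = dict(zip(keys, ids))
    return [key_to_cluster[ch] for ch in text]


def frequency_attack(clusters, order=ENGLISH_ORDER):
    """Map the most frequent cluster to ' ', the next to 'e', then 't', ...
    Clusters beyond the length of the order string stay unmapped."""
    ranked = [cid for cid, _ in Counter(clusters).most_common()]
    return {cid: order[i] for i, cid in enumerate(ranked) if i < len(order)}


def recover_text(clusters, mapping):
    """Apply the guessed cluster-to-character mapping; '?' for unmapped IDs."""
    return "".join(mapping.get(c, "?") for c in clusters)


def accuracy(recovered, original):
    """Fraction of keystrokes labelled correctly."""
    hits = sum(r == o for r, o in zip(recovered, original))
    return hits / len(original)


def run_demo(text=SAMPLE_TEXT, seed=1):
    """Full pipeline: cluster, rank, label. Returns (guessed text, accuracy)."""
    clusters = simulate_acoustic_clusters(text, seed)
    mapping = frequency_attack(clusters)
    guess = recover_text(clusters, mapping)
    return guess, accuracy(guess, text)


if __name__ == "__main__":
    guess, acc = run_demo()
    print(f"recovered ({acc:.0%} correct): {guess}")
```

On a sample this short the raw frequency ranking only nails the commonest keys (space, e, t) and misplaces the rest, which is why the real attack layers language constraints such as spelling and letter-pair statistics on top of the ranking and iterates; the point is that nothing about the keys themselves needs to be known in advance.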

12 Sept 2005

OECD cross border fraud guidelines

OECD countries have signed up to cooperate on the investigation of cross-border frauds. OECD Guidelines for Protecting Consumers from Fraudulent and Deceptive Commercial Practices Across Borders (2003) is a high-level paper defining guiding principles.
More authentication and IT fraud resources

Microsoft antiphishing proposal raises privacy concerns

Microsoft is reportedly on the verge of releasing an optional utility to track the websites users visit and compare them against a blacklist of phisher sites. Maybe this would work if the blacklist is reliable (no false positives and few false negatives), but the downside is that (for some reason I can’t quite fathom) Microsoft plans to gather details of users’ surfing habits, raising privacy concerns.
More authentication resources

10 Sept 2005

FAIR risk analysis method

The FAIR (Factor Analysis of Information Risk) method is described by the author as a paradigm shift - quite a claim for yet another version of what looks like an entirely conventional risk analysis process, even one that contains a “computational engine”, no less. The author admits that FAIR is “just one way of skinning the risk analysis cat”. With pseudo-scientific language, he insists on presenting his own “definitions” (actually, curious descriptions that relate particularly to information security risk, not risk in general) for the components of risk without reference to the accepted academic theories in the field. His definition of vulnerability, for example (“The probability that an asset will be able to resist the actions of a threat agent”), is 180° opposed to the normal definition, in other words high vulnerability means a high probability that an asset will NOT be able to resist a threat. The vulnerability definition goes on to confuse threat, vulnerability and control despite the author having stated that unclear terminology is one of the problems in this field. To cap it all, the method is labeled “patent pending”, a phrase with no legal standing (either it is patented or it is not - I suspect the latter).
More risk management resources

Reveal Oracle user passwords

Applications that are not securely written and configured can open security vulnerabilities that affect the whole system. A 2001 posting by Pete Finnigan, for instance, explains how, under the right (wrong!) circumstances, someone can reveal Oracle user passwords in clear text. Pete has published a fascinating set of papers on Oracle (in)security on his website.
More authentication resources here

8 Sept 2005

Online bankers risk ID theft

Reporting on a study of 1,000 US users of online banking by a market research firm, ZDNet UK News said "many consumers were worried that their personal information could either be stolen by hackers and phishers or sold to third parties by banks. Nearly 83 percent of those who conduct banking online reported such concerns, while 73 percent of respondents said personal information theft is a deterrent for them." By neglecting to mention the threat of ID theft from offline bank users, ZDNet implies that online banking is especially risky, although other studies have indicated the opposite (e.g. see last Friday's blog entry).
More authentication resources

7 Sept 2005

New technology may increase ID theft

Golly! New technology such as chip-and-PIN will not solve the problem of identity theft. According to Emily Finch, a social scientist from the University of East Anglia, quoted in Computerworld, criminals will find ways around the new technical controls, such as 'snatching credit card application forms and getting new cards and numbers', apparently. Emily also points out that new technology may lead people to be even less vigilant than before.
More resources for authentication

5 Sept 2005

Global Security Week starts today!

Global Security Week is a community project to coordinate security awareness activities worldwide in the week leading up to September 11th annually. Although this is the first year the event has been run, a broad range of public and private sector organizations around the globe have expressed interest in and offered their support for the event. If you are a security awareness professional, please take a moment to visit the Global Security Week website and think about getting involved in 2006. Participation is voluntary and free of charge: just start planning security-related activities in the week leading up to September 11th 2006 and tell us about it. We will gladly publicize your event in the Global Security Week calendar. The FAQ on the website has some ideas to help you organize a more effective event and we welcome further input from all awareness event organizers.
More security awareness resources

3 Sept 2005

Identity theft

The Better Business Bureau's identity theft survey noted that theft of sensitive paperwork is more likely to lead to identity theft than online data compromises. Often, the perpetrator turns out to be someone close to the victim - a family member or friend with access to the victim's personal effects.
More authentication links

ISACA draft Audit Evidence standard up for comment

The Information Systems Audit and Control Association (ISACA) releases new or updated audit standards as 'exposure drafts' for public comment from time to time. The standard on Audit Evidence is out for review now with comments due back before November this year. If you have IT audit experience, why not take a moment to look at the draft and send in your thoughts? Contribute to the profession.
More IT audit resources

1 Sept 2005

New awareness module on authentication

We have released our next security awareness module on authentication today. Authentication is one of the core topics in information security, covering aspects such as the system login process and access control. Please visit the NoticeBored website or contact us for more details.

New Orleans disaster predicted

An article published last year by the Natural Hazards Center effectively predicted the New Orleans disaster currently plastered all over our TV screens. What if Hurricane Ivan Had Not Missed New Orleans? describes with uncanny foresight the damage and disruption that would ensue if the levees were breached and a significant proportion of the population was unable to evacuate due to lack of transportation. There are some hard lessons here for contingency planners everywhere. Global warming undeniably changes the threat horizon for anyone located near the sea.
More contingency planning links

Fraudulent charity requests

Even as the flood waters are still rising in New Orleans, the American Red Cross has already spotted at least one fraudulent email and website soliciting donations for victims of hurricane Katrina. Phishers and fraudsters evidently have no qualms about preying on the kind to siphon off funds for the needy. Report any Red Cross emails that do not refer to www.redcross.org to the Red Cross CISO (infosec@usa.redcross.org).
More IT fraud resources
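The Red Cross advice above amounts to a simple check: does every link in the appeal actually point at www.redcross.org? As an added example (not code from the Red Cross or from this blog), the Python below applies that check to a handful of constructed appeal emails. It parses each URL properly rather than searching for the string "redcross.org", so that lookalike hosts (redcross.org.something.example) and userinfo tricks (www.redcross.org@evil.example) are flagged; the sample messages and the .example hosts are constructed.

```python
"""Flag donation-appeal emails whose links do not point at the charity's domain.

Added example. The only legitimate host is redcross.org (or a subdomain of it);
everything else in the message is reported. Substring matching is deliberately
avoided: "redcross.org" appears inside every one of the hostile links below.
"""
import re
from urllib.parse import urlsplit

LEGIT_DOMAIN = "redcross.org"

# Grab anything that looks like a URL, with or without a scheme.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample appeals (hostile hosts use the reserved .example TLD).
SAMPLE_EMAILS = {
    "legit": "Donate to Katrina relief at https://www.redcross.org/donate today.",
    "lookalike": "Give now: http://www.redcross.org.relief-fund.example/donate",
    "userinfo": "Secure form: http://www.redcross.org@donations.example/katrina",
    "mixed": "See www.redcross.org or our mirror http://katrina-help.example/give",
}


def link_is_legit(url, legit=LEGIT_DOMAIN):
    """True only if the URL's host is `legit` or a subdomain of it.

    urlsplit().hostname discards any userinfo before '@' and lowercases the
    host, so 'http://www.redcross.org@evil.example/' resolves to evil.example
    and 'redcross.org.evil.example' fails the suffix test.
    """
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.IGNORECASE):
        url = "http://" + url          # bare www.… links have no scheme
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == legit or host.endswith("." + legit)


def suspicious_links(message):
    """Return every link in the message body that is not on the legit domain."""
    found = [u.rstrip(".,;:!?") for u in URL_RE.findall(message)]
    return [u for u in found if not link_is_legit(u)]


def triage(emails):
    """Map message name -> suspicious links, for the messages worth reporting."""
    report = {}
    for name, body in emails.items():
        bad = suspicious_links(body)
        if bad:
            report[name] = bad
    return report


if __name__ == "__main__":
    for name, bad in triage(SAMPLE_EMAILS).items():
        print(f"{name}: report to the charity's security contact -> {bad}")
```

This is a triage heuristic, not proof of fraud: a genuine appeal may legitimately link to a third-party payment processor, and a fraudulent one may link nowhere and simply ask for a wire transfer. It does, however, catch the two tricks that defeat the naive "does the link mention redcross.org?" check.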