Welcome to the SecAware blog

I spy with my beady eye ...

28 Feb 2006

Free identity theft DVD

The US Treasury's identity theft resource page is offering a free DVD about identity theft, including a piece by Howard Schmidt, along with a whole stack of other papers and information on the topic.
More authentication resources

24 Feb 2006

Building secure systems

A DHS/CERT/SEI website, BuildSecurityIn, promotes secure coding practices. The site already has a couple of dozen white papers and will hopefully become a useful source of advice for developers and project managers interested in developing secure code.

More resources on Bugs!

23 Feb 2006

CERT Cyber Security Tips

The US-CERT Cyber Security Tips are a source of straightforward advice on common IT security issues faced by all of us. Read the archives and sign up for updates as they are released. And best of all, it's all free!

More security awareness and general security resources

Plagiarism alleged in (ISC)2 book

(ISC)2, the organization responsible for the well-known CISSP information security qualification, has allegedly published copyrighted materials in the Official CISSP Study Guide, apparently without the explicit prior permission of the copyright holders and without acknowledging its sources. The public embarrassment and reputational damage this kind of situation can create is a seldom recognized impact of Intellectual Property Rights (IPR) incidents, regardless of the truth of the matter. The material in question appears to have been sourced from information on public websites and research papers, and the copyright owners may even approve of its use in this manner, but the outcry is hardly helpful for a security organization’s image.
More IPR resources

19 Feb 2006

The CISO Handbook

The CISO Handbook is a well-written practical guide to building and delivering an information security improvement programme. Presenting sage advice in a consistent manner, the book is a helpful primer for the person tasked by management with 'fixing information security'.
More book reviews, white papers etc. on our website

14 Feb 2006

Win Rebecca Herold's book

In conjunction with other volunteers on the Global Security Week initiative, we are running a competition to find a new logo for Global Security Week 2006. Rebecca Herold's excellent book "Managing an information security and privacy awareness and training program" is one of the prizes on offer. So, if you have some creative ideas to help promote a global security awareness campaign, you have until March 10th to submit your entries. Good luck!

13 Feb 2006

Security awareness videos

“EDUCAUSE is a nonprofit association whose mission is to advance higher education by promoting the intelligent use of information technology.” They have a particular interest in information security awareness and have a number of activities to promote security awareness in education. The results of an EDUCAUSE/Internet2 Computer and Network Security Task Force and the National Cyber Security Alliance contest for computer security awareness videos will be used in campus security awareness campaigns and efforts, and are available for non-commercial use from their website.
More security awareness resources

12 Feb 2006

NSA/CIS Security Configuration Guides

The NSA and CIS SNAC security configuration guides comprise a set of security standards for various operating systems (such as Windows, MacOS, Solaris), applications (such as Oracle, SQL Server, Exchange, Office, SMS, BEA Weblogic, IIS, IE and Netscape), network equipment (routers and switches) and more. If your management has endorsed your high-level information security policies but the supporting technical standards are still 'work in progress', then take a look at SNAC.
More IT operations security resources

11 Feb 2006

Protected Storage Explorer

If you ever wondered why information security experts recommend not clicking on the 'remember my login details' or similar options, then check out Protected Storage Explorer. This free Windows tool decrypts and displays usernames and passwords stored in so-called (but clearly not) protected storage. It needs no special privileges: anything running under the user's own account, including malware, can read the same store, which is the real lesson.
More authentication resources

10 Feb 2006

Yet more Microsoft bugs

Following on from the .WMF Windows Meta File zero-day exploit story at the end of 2005, Network World reports that Microsoft has acknowledged another bug in the .WMF code, plus another unconnected bug, and independent researchers have identified a third. The truth is that software bugs are discovered and fixed all the time - this is presumably only newsworthy because of the connection to .WMF and because all three bugs have security implications.
Microsoft has also published advance details of the clutch of bugs to be patched next Patch Tuesday.
More resources on Bugs!

9 Feb 2006

Bugs in common Windows programs

According to a research project reported in Network World, "Vendors are making mistakes when they write programs for Windows". Golly.
More resources on Bugs!

8 Feb 2006

Reporting spam

If you receive spam, you can do something positive about it other than clicking the 'Please unsubscribe me' or similar links (which in some cases merely confirm your email address to the spammers). Report it to spam reporting websites such as SpamCop and Abuse.net (the latter has a lot of helpful information about spam), or forward it, complete with the original headers, to your authorities such as the U.S. Federal Trade Commission (spam@uce.gov). The full headers matter: they record the path the message took, which is what the abuse desks need. But please be responsible in this: only report spam if you are certain it is truly spam, i.e. there is no possibility that you requested it.

Our NoticeBored newsletters are only sent to our customers and to others who have double-opted-in to our newsletter mailing list. We never send spam - in fact, we are actively fighting spam. We really detest spam. Yet some people who sign up for the newsletter find it is being blocked by spam filters somewhere upstream of their inbox. That happens, presumably, because other users of the Topica email system have sent spam and have been reported as such, meaning that our emails unfortunately get tarred with the same brush. We would be extremely disappointed if anyone reported our newsletter as spam.
More email security resources
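Plain forwarding in most mail clients rebuilds the message and throws away the Received: chain that SpamCop, Abuse.net and the FTC rely on. The snippet below, an added example rather than anything from this blog or from those services, wraps the untouched original as a message/rfc822 attachment so every header survives, and also pulls out the Received: hops in delivery order. The spam message, addresses and hostnames are constructed for the example.

```python
"""Report spam with its full headers intact: attach the original message as
message/rfc822 instead of pasting its body into a new mail."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample spam for the example; headers, addresses and IPs are made up.
SAMPLE_SPAM = b"""Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id abc123; Wed, 8 Feb 2006 10:15:00 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mail.example.net with SMTP; Wed, 8 Feb 2006 10:14:50 +0000
From: "Pharmacy Deals" <deals@example.net>
To: victim@example.org
Subject: Cheap pills
Message-ID: <spam-0001@example.net>
Date: Wed, 8 Feb 2006 10:14:40 +0000
Content-Type: text/plain; charset="us-ascii"

Click here to unsubscribe: http://example.net/u?id=victim
"""


def received_chain(raw: bytes) -> list:
    """Return the Received: headers oldest hop first.

    Each relay prepends its own Received: line, so the top of the message is
    the last hop and the bottom is the first; reversing gives delivery order.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hops = msg.get_all("Received") or []
    return [str(h) for h in reversed(hops)]


def build_report(raw: bytes, sender: str, abuse_addr: str) -> EmailMessage:
    """Build the report: a short note plus the original as a message/rfc822 part."""
    original = BytesParser(policy=policy.default).parsebytes(raw)
    report = EmailMessage()
    report["From"] = sender
    report["To"] = abuse_addr
    report["Subject"] = "Unsolicited email report: " + str(original["Subject"] or "(no subject)")
    report.set_content(
        "The attached message was received unsolicited. "
        "Full headers are in the attached original."
    )
    # Passing a Message object makes the stdlib emit a message/rfc822 attachment.
    report.add_attachment(original)
    return report


def attached_original(report: EmailMessage) -> EmailMessage:
    """Recover the embedded original, as the abuse desk's tooling would."""
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    raise ValueError("no message/rfc822 attachment found")


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_SPAM):
        print("hop:", hop)
    rpt = build_report(SAMPLE_SPAM, "victim@example.org", "spam@uce.gov")
    print(rpt.as_string())
```

Send the resulting report with your usual SMTP library; the point is that `attached_original(...)` still sees both Received: lines, which an inline forward would have lost.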

Russian hackers hawked Windows exploit for $4k

News.com reports that Russian hackers were selling code exploiting the .WMF Windows Meta File bug at the end of 2005. For $4,000 a time, allegedly, one could purchase the zero-day exploit code.
More resources on Bugs!

5 Feb 2006

Computer forensics toolkits

A handy list of computer forensics toolkits provides a summary of each offering and links to the source. Many of them are free and worth exploring when you have a spare hour or two - best do it now at your leisure rather than in a hurry during an actual incident! The same site has a huge list of computer forensics links and papers.
More incident management resources

3 Feb 2006

F-Secure phished

Finnish antivirus vendor F-Secure has published an advisory about fake emails sent out in its name that contain malware. The emails contain the line: "I have enclosed a screen capture of the problem so your team can get it fixed if you deem it an issue." The attachment (presumably) contains not a screenshot but a new variant of the Breplibot worm. This is essentially the same phishing technique often used to send keylogging Trojans to bank customers. The email uses social engineering techniques to fool recipients into doing something silly, in this case opening the attachment.
More malware, social engineering and authentication links
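A mail gateway cannot tell whether the sender is really F-Secure, but it can check whether a "screen capture" is actually a picture. The example below is added here and is not F-Secure's advisory nor anything from this blog: it walks the attachments of a message and flags any that begin with a Windows PE/DOS "MZ" header, carry an executable extension (including the classic double extension such as .jpg.scr), or claim an image content type while their first bytes match no common image signature. The lure email it scans is constructed to resemble the one described above, with made-up addresses and attachment bytes.

```python
"""Flag attachments that claim to be a picture but carry a Windows executable."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
PE_MAGIC = b"MZ"  # every DOS/PE executable starts with these two bytes
IMAGE_MAGIC = {   # first bytes of the formats a "screenshot" could plausibly be
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "bmp": b"BM",
}


def looks_like_image(payload: bytes) -> bool:
    return any(payload.startswith(magic) for magic in IMAGE_MAGIC.values())


def suspicious_attachments(raw: bytes) -> list:
    """Return [(filename, [reasons])] for every attachment that should not be opened."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        exts = filename.lower().split(".")[1:]  # "a.jpg.scr" -> ["jpg", "scr"]
        reasons = []
        if payload.startswith(PE_MAGIC):
            reasons.append("PE executable content")
        if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
            reasons.append("executable extension ." + exts[-1])
            if len(exts) >= 2:
                reasons.append("double extension")
        if ctype.startswith("image/") and not looks_like_image(payload):
            reasons.append("declared " + ctype + " but bytes are not an image")
        if reasons:
            findings.append((filename, reasons))
    return findings


def build_sample() -> bytes:
    """Constructed lookalike of the lure in the post (not the real F-Secure email)."""
    msg = EmailMessage()
    msg["From"] = "support@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Problem report"
    msg.set_content(
        "I have enclosed a screen capture of the problem so your team can "
        "get it fixed if you deem it an issue."
    )
    genuine_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32   # real PNG signature, dummy body
    fake_image = b"MZ\x90\x00" + b"\x00" * 60           # PE/DOS header dressed as a JPEG
    msg.add_attachment(genuine_png, maintype="image", subtype="png",
                       filename="screenshot.png")
    msg.add_attachment(fake_image, maintype="image", subtype="jpeg",
                       filename="screenshot.jpg.scr")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in suspicious_attachments(build_sample()):
        print(name, "->", "; ".join(why))
```

Magic-byte checks are cheap and catch the common case of a renamed executable; they do not replace an antivirus scan, since an archive or a document with macros passes this test and still needs its own inspection.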

2 Feb 2006

ID theft 'costs UK £1.7bn a year'

The BBC reports the Home Office minister saying that identity theft costs Brits £35 (around US$60) each per year, on average.
More IT fraud links

Firefox fixes funnies

A new release of Firefox fixes a number of bugs including "other security holes not yet disclosed". The implication is: update your Firefox before (more) black hats figure out what the holes are, and before the vendor discloses the nitty gritty details to help other black hats work out the flaws.

More Bugs! resources

US DoD infosec personnel

The US Defense Department has published a manual about the qualifications and experience required of information assurance professionals. The manual includes images of certain certificates, a decision that may encourage some enterprising but unethical individuals to fake their qualifications. Fortunately the images are monochrome, whereas the original certificates presumably (hopefully!) have colour seals etc. to reduce the risk of forgery ... so if someone approaches you claiming these qualifications, make sure to check the original certificates and do not accept faxes or photocopies. The same point applies to other certificates, by the way. Caveat emptor.
More information security management and IT fraud links