Welcome to the SecAware blog

I spy with my beady eye ...

29 Apr 2010

ISACA phish ... or is it?

Here's an extract from an email purporting to have come from ISACA:

Problem viewing this email? Click here http://isaca.informz.net/z/cjUucD9taT03ODMzNDAmcD0xJnU9MTAyMDE2NDE5OCZsaT0zMDAxODgz/index.html for our online version.
April 28, 2010
In This Issue:
http://isaca.informz.net/isaca/data/images/bullet3.gif ISACA Database Change
http://isaca.informz.net/isaca/data/images/bullet3.gif CRISC Grandfathering Program Now Open
http://isaca.informz.net/isaca/data/images/bullet3.gif Top Eight Tips for Forensics
http://isaca.informz.net/isaca/data/images/bullet3.gif New Blog to Debut on Revamped Web Site
http://isaca.informz.net/isaca/data/images/bullet3.gif Read About the Latest Changes in Oracle E-Business and ERP
http://isaca.informz.net/isaca/data/images/bullet3.gif Finding Career Variety and Stability Through Certification
http://isaca.informz.net/isaca/data/images/bullet3.gif Enhanced Chapter Integration on New Web Site

Notice that all the links don't point to ISACA's website, but to a third party, informz.net. Now I don't know who informz.net are - most likely a marketing company tracking clicks from the ISACA email but frankly I don't care. ISACA seems oblivious to the fact that it looks very similar to a million phishing emails in my deleted folder, which is exactly where this one is headed.

Come on ISACA, get with it! We expect leadership by example!

[PS Hopefully I have managed to prevent the blogging software interpreting the link text as active URLs. Please don't fix and click those links just to satisfy your curiosity. That's like kicking a bomb to see if it's armed ...]

28 Apr 2010

There must be 30 ways to steal your ID

[With a nod towards Paul Simon's fabulous song 50 ways to leave your lover ...]

While researching identity theft for the latest NoticeBored security awareness module, I came across a list on one of the major websites of about 15 ways to steal someone's identity. With a bit of lateral thinking, it didn't take long to expand the list to 30 ways to steal and exploit an identity and I'm sure I have continued in the same vein - but instead I stopped at 30 and left it to our customers' employees to think up another 20 ways and maybe earn themselves a security awareness prize in the process.

I realise some may feel it inappropriate to describe identity theft so openly. My argument is that people need to know what they are up against if they are to stand a chance of preventing it, and in particular resisting the plethora of social engineering attacks currently doing the rounds. The truth is that scammers, hackers and fraudsters have plenty of ways to find out how to commit identity theft, starting with their own email inboxes or spam folders of course. Withholding this kind of information for fear of giving identity thieves more ideas seems rather short-sighted. How else are we to explain identity theft to employees if we don't give them a decent clue about what to watch out for, and what to do if they do spot the warning signs?

This blog has moved

This blog is now located at http://blog.noticebored.com/.
You will be automatically redirected in 30 seconds, or you may click here.

For feed subscribers, please update your feed subscriptions to

20 Apr 2010

Australian govt security awareness criticized

A newly published report from the Australian National Audit Office into information security awareness and training for Australian government agencies is somewhat ambiguous in tone. The ANAO has previously recommended that agencies "develop and schedule periodic education and awareness programs for non-security personnel addressing agency security standards", "develop a structured and proactive security awareness education and training strategy" or "promote security aftercare arrangements in security education and training activities" - in other words, they have clearly been advised to sharpen up their act in this area. The latest report says:
"Overall, the audit concluded that the security awareness and training arrangements at the audited organisations were generally adequate and operating as intended. Nevertheless, there is considerable scope to enhance the effectiveness of the organisations’ security awareness and training programs. The main areas for improvement relate to more thoughtful planning, including tailoring the approaches used in light of the organisations’ security risk profiles, and better monitoring to help identify security awareness techniques that are not effective or working well. In addition, the audited organisations would benefit from improved record keeping to assist them manage the timely delivery of, and attendance at, security awareness training."
So although they are 'generally adequate', the security awareness and training arrangements evidently need better planning, monitoring and record-keeping. Only one of the four agencies audited had an actual awareness and training plan - the rest presumably make it up as they go along.

The report continues: "none of the organisations had any training or briefings targeted at the
roles and responsibilities of security cleared staff". I find this somewhat hard to believe. Security cleared staff presumably handle protectively marked information, systems etc., but despite the clearances, their obligations towards protecting those information assets are not spelled out to them? Seems odd. It's not as if the requirements are undefined - the government's Protective Security Manual surely lays out the most important aspects in black and white.

"None of the audited organisations had regular and structured processes in place to assess the impact and success (or otherwise) of their security awareness and training activities." So the agencies are investing an unknown but presumably significant amount in security awareness and training but not bothering to see whether all this public money is well spent?

This is hardly rocket science. Awareness and training strategies, plans and metrics are straightforward enough, aren't they?

Oh well, perhaps we can anticipate sales enquiries from our Australian colleagues. We'd love to help them with planning, delivering and measuring best practice awareness and training programs ...

16 Apr 2010

Webcam home security system

An burglar who stole stuff from an NZ home was snapped by the owner's webcam that had been set to monitor the scene for movement. When triggered, the camera sent still images to the owner by email, alerting him to the burglary in progress. Unfortunately the police arrived just too late to nab the intruder but his face is quite clearly recorded for posterity ...

The news cutting says the owner used software called "Motion", possibly this package which is promoted on the strength of its use for home security monitoring - CCTV on the cheap.

15 Apr 2010

DNSsec pros and cons

A somewhat self-contradictory piece in The Register regarding DNSsec was pointed out to me by a fellow CISSP. The way the Internet root DNS servers work is going to change soon - essentially after May 5th, they will only respond to DNS queries that have been digitally signed using the DNSsec protocol. Until then, I believe DNSsec is running on some of the root servers, allowing organizations to try out their software and get any wrinkles sorted out.

Kevin Murphy, the Register's columnist, indicates that some ISPs or large organizations running old software without the facility for DNSsec may thereafter be unable to make DNS queries, which mnay be true but seems rather unlikely to be such a problem as he implies. As I understand it, DNSsec has been around for years, implying that ISPs etc. who have not updated their software probably have other more serious security problems. On top of that, end users (like me!) are not tied to their ISP's DNS offerings. Personally, I have used both OpenDNS and the faster Google DNS successfully for years, particularly as my ISP's DNS had trouble resolving the very useful SANS Internet Storm Center address for some obscure reason.

Anyway, your ISP and/or your IT Department should be well on top of this by now, but for the sake of availability, it might be worth double-checking.