Welcome to the SecAware blog

I spy with my beady eye ...

30 Nov 2011

Network security awareness

December's awareness module on network security has just been released to our subscribers. Here's a thumbnail of one of six new security awareness poster designs in the module:

Computer networks, particularly the Internet, enable employees, business partners, suppliers and customers to share information and collaborate more or less instantaneously.  The advantages of networking are enormous and have revolutionized modern business life – we are in the midst of an “information revolution”.  However, the World Wide Web is not unlike the Wild Wild West.  Hackers and organized criminals (the Internet’s outlaws) are plundering vulnerable online businesses to steal the gold (information assets).  There are precious few sheriffs in cyberspace and the outlaws pack powerful weapons.  Consequently there are significant risks associated with networking and strong security controls are necessary to protect the organization’s information assets.

The NoticeBored awareness materials cover a wide variety of information security risks associated with networks and networking, and recommend a corresponding variety of security controls to address them.  The ‘risk-control spectrum’ (one of several diagrams and mind maps provided as an MS Visio file) summarizes many of them in an easily digested format.

It was not hard to find topical examples and recent news cuttings for the awareness newsletter this month, unfortunately, since networking is almost universal and network security incidents often hit the headlines.

Read more about the module here and, if NoticeBored looks like something that would pep up your flagging or non-existent security awareness program, do get in touch.  I'd love to hear back from you.

Gary (Gary@isect.com)

22 Nov 2011

Heir Hunters - not

Interesting new slant on an old 419 scam now circulating:

Hello Dear,

I am writing you from Heir Hunters Company in the United kingdom .

Heir Hunters probate detectives looking for distant relatives of people who have died without making a will,

the United Kingdom  government last year made over £18m from uncliamed assets.

When people die intestate ( without a will ) and with no known relatives, their names are released by the Treasury.

Every Thursday, a list of these unclaimed estates, the Bona Vacantia ( Latin for "ownerless goods" ) is published on the Treasury Solicitor's website.

The race is then on for heir locators to track down the often distant relatives in line for a windfall. Often heir hunters pick more unusual names first, as they are easier to trace.

We came across your profile and email while searching  through genealogy database,we will be glad if you can get back to us with your full name, date of birth,

address and your direct number if it corresponds to the information

we have in our data base in order to enable us carry out necessary  verification processes and to get your claim across to you without any delay.

Heir Hunters have handed over thousands and millions of funds to heirs who have no idea of their fortune,some of them ,Holocaust  victims' estates,

whom some of their heirs tried to flee war-torn Europe,but did any of them survive to claim these fortune ?

We will gladly answer this question for you.

Very Truly Yours
Mrs.Sarah Bernstein OR Mr.James Horgan

Tell your family and friends if you think they might fall for it.

Gary (Gary@isect.com)
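The traits that give this message away (a generic salutation, an unclaimed-fortune story, a request for name, date of birth, address and phone number by return e-mail, and an "OR" between two sender names) can be scored mechanically. The scorer below is an added example, not part of the blog post or the NoticeBored materials; the indicator list, weights and threshold are my own assumptions, and the two sample messages are constructed for the example (the first condenses the scam quoted above).

```python
"""Heuristic scorer for advance-fee ('419') style e-mails.

Added example, not from the SecAware blog post. The indicator patterns,
weights and threshold are assumptions chosen to match the traits of the
quoted 'Heir Hunters' message; a production filter would use far more
signals (headers, sender reputation, URLs) than body text alone.
"""
import re

# (indicator name, compiled pattern, weight) -- constructed for this example.
INDICATORS = [
    ("generic_salutation",
     re.compile(r"^\s*(hello|dear)\s+(dear|friend|beneficiary|sir/madam)\b", re.I | re.M), 2),
    ("windfall_story",
     re.compile(r"\b(unclaimed (estates?|assets?|funds?)|windfall|fortune|inheritance)\b", re.I), 2),
    ("asks_full_name", re.compile(r"\bfull name\b", re.I), 1),
    ("asks_dob", re.compile(r"\bdate of birth\b", re.I), 2),
    ("asks_address", re.compile(r"\b(home |postal )?address\b", re.I), 1),
    ("asks_phone", re.compile(r"\b(direct|phone|telephone|mobile) (number|line)\b", re.I), 1),
    ("urgency", re.compile(r"\bwithout (any )?delay\b|\burgent(ly)?\b|\bimmediately\b", re.I), 1),
    # "Mrs. X OR Mr. Y": two alternative sender identities in one signature.
    ("alt_senders",
     re.compile(r"\b(mrs?|ms|dr)\.?\s*[\w ]+?\s+OR\s+(mrs?|ms|dr)\.?", re.I), 1),
]


def score_message(text):
    """Return (score, list of matched indicator names) for one e-mail body."""
    hits = [name for name, pat, _ in INDICATORS if pat.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits


def classify(text, threshold=6):
    """Label a message using the (assumed) threshold; returns (label, score, hits)."""
    score, hits = score_message(text)
    label = "likely advance-fee scam" if score >= threshold else "no strong indicators"
    return label, score, hits


# Constructed sample: a condensed copy of the scam quoted in the post.
SCAM_SAMPLE = """Hello Dear,

I am writing you from Heir Hunters Company in the United kingdom.
the United Kingdom government last year made over £18m from unclaimed assets.
The race is then on for heir locators to track down the often distant relatives in line for a windfall.
We came across your profile and email while searching through genealogy database, we will be glad
if you can get back to us with your full name, date of birth, address and your direct number
in order to enable us carry out necessary verification processes and to get your claim across
to you without any delay.
Very Truly Yours
Mrs.Sarah Bernstein OR Mr.James Horgan
"""

# Constructed sample: an ordinary business e-mail for contrast.
BENIGN_SAMPLE = """Hi Gary,

Please find attached the minutes from Tuesday's meeting. Let me know if anything is missing.

Regards,
Ann
"""

if __name__ == "__main__":
    for name, sample in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        label, score, hits = classify(sample)
        print(f"{name}: {label} (score {score}) {hits}")
```

The point of the weights is that no single phrase condemns a message (plenty of legitimate mail asks for an address); it is the combination of a windfall story with a harvest of identity details that pushes the score over the line. Those same details are exactly what the post's Colombian ID-card entry shows can be misused.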

17 Nov 2011


Brian Krebs is an excellent journalist and blogger on information security matters.  He often seems to pick up infosec stories that nobody else covers and his advice is generally sound.

In respect of password choices, however, I think Brian's missing a trick. He offers the stock advice on avoiding common words, using miXed case and punctuation ... etc. All fair enough, but he neglects to mention the coolest tip of all, which is to use long pass phrases.

Long passwords used to be counterproductive on old Windows systems that broke them all into weak 7-character chunks.  Windows hasn't done this for years.  The only other issue I'm aware of is that some dinosaurs of the mainframe era still restrict password length to about 8 characters.  But hey, it's only the mainframe, so nothing much to protect there, eh?

My favorite passphrases are the complete lines of songs, complete with punctuation, spaces, capiTaliZation and tricks such as duplicating, omitting or substituting certain characters.  Best of all, I only need to remember one long passphrase - the one that opens my password vault - and I practice it often enough that it sticks in my mind.  When it's time to change it, I simply pick another line or another song, poem or famous quotation, something memorable.  Occasionally I find myself quietly humming along as I type it in, and yes, I'm paranoid enough to worry about anyone overhearing me!

Gary (Gary@isect.com)
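The two points in this post, that length is the lever and that the old Windows 7-character chunking threw that lever away, can be put in numbers. The estimator below is an added example, not the blog author's; it models a legacy scheme that upper-cases the password, keeps at most 14 characters and hashes each 7-character chunk independently (my characterisation of the behaviour the post describes) against a modern scheme that treats the whole string as one secret. Pool sizes assume a brute-force attacker who already knows which character classes were used, which is a conservative simplification rather than a measurement.

```python
"""Rough guess-space estimates: short complex password vs long passphrase.

Added example, not from the blog post. All figures are estimates under a
simplified brute-force model (attacker knows the character classes used,
tries every combination). It ignores dictionary attacks, so a famous line
used verbatim is weaker in practice than the number suggests.
"""
import math
import string

PUNCT_AND_SPACE = string.punctuation + " "   # 33 symbols


def charset_size(secret):
    """Size of the smallest class-based pool containing every character used."""
    pool = 0
    if any(c in string.ascii_lowercase for c in secret):
        pool += 26
    if any(c in string.ascii_uppercase for c in secret):
        pool += 26
    if any(c in string.digits for c in secret):
        pool += 10
    if any(c in PUNCT_AND_SPACE for c in secret):
        pool += len(PUNCT_AND_SPACE)
    return pool


def brute_force_bits(secret):
    """log2 of the search space when the whole string is one secret."""
    if not secret:
        return 0.0
    return len(secret) * math.log2(charset_size(secret))


def legacy_chunked_bits(secret, chunk=7, max_len=14):
    """log2 of the work to crack a password under the legacy model:
    upper-case it, truncate to max_len, hash each chunk independently.
    The attacker cracks chunks separately, so the work is the SUM of the
    chunk search spaces (2^a + 2^b), not the product. Assumed model."""
    s = secret.upper()[:max_len]
    if not s:
        return 0.0
    chunks = [s[i:i + chunk] for i in range(0, len(s), chunk)]
    work = sum(2 ** (len(c) * math.log2(charset_size(c))) for c in chunks)
    return math.log2(work)


def compare(secret):
    """Return both estimates for one candidate, rounded to one decimal place."""
    return {
        "length": len(secret),
        "modern_bits": round(brute_force_bits(secret), 1),
        "legacy_bits": round(legacy_chunked_bits(secret), 1),
    }


# Constructed candidates: a 9-character "complex" password and a public-domain
# line of verse (Byron) used as a 45-character passphrase.
SHORT_PASSWORD = "Tr0ub4d&3"
PASSPHRASE = "Roll on, thou deep and dark blue Ocean, roll!"

if __name__ == "__main__":
    for label, secret in (("short password", SHORT_PASSWORD), ("passphrase", PASSPHRASE)):
        print(f"{label:15s} {compare(secret)}")
```

Run as written, the passphrase comes out near 290 bits under the modern model but only about 42 bits under the legacy model, below the roughly 59 bits of the 9-character password, because everything past the 14th character was simply discarded. That is the mechanism behind "long passwords used to be counterproductive"; on any system that hashes the whole string, length wins. The caveat the post already hints at with its duplicating, omitting and substituting tricks is that a song line typed exactly as published sits in cracking wordlists, so the alterations are what keep the attacker in brute-force territory rather than a lookup.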

7 Nov 2011

Colombian credentials

Presumably as a result of international pressure on the Colombian authorities, a colleague sending me a letter had to attach a photocopy of his REPUBLICA DE COLOMBIA - IDENTIFICACION PERSONAL - CEDULA DE CIUDADANIA (what appears to be his Colombian government-issued ID card), front-and-back including his mugshot and fingerprint, to the "CARTA DE RESPONSABILIDAD" form PR-OP-AD-001-FR-001 endorsed by somebody working for the POLICIA ANTINARCOTICOS at Aeropuerto El Dorado - Bogota.

The bottom of the form reads "Nota: Recuerde que es obligatorio anexar fotocopia del documento de identidad".  With my rather primitive understanding of Spanish, I take that to mean that it was compulsory for the sender to attach the photocopy of his ID card, presumably to be able to send me the letter.

I was absolutely amazed to receive all that personal information 'in plaintext', attached by sticky tape to the rear of the airmail letter that arrived in my NZ postbox today.

I guess the Colombian authorities appreciate that the attached information is personal to the sender and could probably be used as credentials for identity theft.  I presume that nevertheless they insist on it due to the significant risk of drugs being exported via email.  I am astounded that, having checked it, they actually sent the personal information out of the country.

Needless to say, I have destroyed the form and the photocopied ID card.

Gary (Gary@isect.com)

2 Nov 2011

Credentials module released

One of this month's awareness poster images

'Credentials' is the rather formal title of November's NoticeBored security awareness module, but in fact the materials cover a wider brief relating to identification and authentication.

Authentication associates a person unambiguously to an identity, excluding others. It reduces the possibility of fraud and hacking, helps maintain the integrity of the systems and data, and is a prerequisite for personal accountability. Authenticated individuals can safely be given access to sensitive and valuable information resources which they are authorized to access. Without authentication, unauthorized access would be a much bigger problem and the information security risks would be even greater.

That said, from the ordinary employee's perspective, the key issues are choosing good passwords and keeping his staff ID card safe.

Gary (Gary@isect.com)