Welcome to the SecAware blog

I spy with my beady eye ...

11 Jun 2012

NZ Cybersecurity Awareness week - woo hoo

The following sentence is quoted directly from the top of the first awareness leaflet I downloaded from the new website associated with a public information security awareness campaign, running in New Zealand this week:
"NetSafe has heard from hundreds of people who have has their account broken into because their passwords where weak - meaning they where easily acccessed by hackers." [sic]
Aside from the evident lack of competent proofreading, other concerns about the free security advice on offer hardly inspire confidence in the campaign.  For example, the same leaflet continues:
"Made up of a mix of 15 letters, characters and symbols. An example would be: Th1sI5a5tr0ngP@ssw0rd!"
Maybe the leaflet's author is not aware that:
  • Th1sI5a5tr0ngP@ssw0rd! is not 15 characters but 22 (it should have advised "at least 15 characters", or simply said "the longer the better").
  • Rather than "letters, characters and symbols" the author presumably meant "letters, numbers and punctuation".
  • Pass phrases in most modern systems can include spaces, so normal sentences, with conventional capitalization and punctuation, are OK.  The short phrase "This is a strong password!", for instance, is 28 characters including the quotes, making it stronger than the convoluted example, and much easier to recall and type accurately.  [The convenient password tester at Rumkin.com tells us the leaflet's example password has 112 bits of entropy, whereas mine has 132 bits, and still has 122 bits even without the quotes.  I rest my case m'lud.]
  • Complete lines from favourite songs, poems, books, quotations or sayings make long, memorable passphrases, and better still suggest an obvious family of distinct passwords for different sites or when changing passwords (I won't lay into the dubious, outdated advice later in the same leaflet to change passwords every 90 days, at least not right now).
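
To make the point about length concrete, here is an added example (mine, not NetSafe's or Rumkin's) that checks the two passwords above against the "at least 15 characters, spaces allowed" policy the leaflet should have given, and estimates strength with a simple character-pool model.  The pool model is an assumption of this example and is not the algorithm Rumkin.com uses, so its bit counts differ from the figures quoted above, although the ranking comes out the same.

```python
import math
import string

# Character classes an attacker would have to include in a brute-force search.
# Pool sizes are for printable ASCII; this is a deliberately simple model.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digits": set(string.digits),           # 10
    "punct": set(string.punctuation),       # 32
    "space": {" "},                         # 1 - passphrases may contain spaces
}

MIN_LENGTH = 15  # "at least 15 characters", the rule the leaflet presumably meant


def pool_size(pw: str) -> int:
    """Size of the alphabet implied by the character classes actually used."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in pw))


def estimate_bits(pw: str) -> float:
    """Naive strength estimate: log2(pool ** length) for a random string over that pool."""
    return len(pw) * math.log2(pool_size(pw)) if pw else 0.0


def check_policy(pw: str) -> list:
    """Length-based policy: long enough, printable, no composition rules, spaces allowed."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"only {len(pw)} characters, need at least {MIN_LENGTH}")
    if not pw.isprintable():
        problems.append("contains non-printable characters")
    return problems


if __name__ == "__main__":
    # The leaflet's example and the author's passphrase, with and without quotes.
    for pw in ["Th1sI5a5tr0ngP@ssw0rd!",
               '"This is a strong password!"',
               "This is a strong password!"]:
        verdict = "OK" if not check_policy(pw) else "; ".join(check_policy(pw))
        print(f"{pw!r}: {len(pw)} chars, ~{estimate_bits(pw):.0f} bits, policy: {verdict}")
```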

In summary, the leaflet is badly written, somewhat inaccurate and misleading, and doesn't bode well for the rest of the campaign.

Arguing that it is "better than nothing" is lame because they are missing a golden opportunity to give helpful information security advice to naive Kiwis, and no doubt spending my tax dollars to do it.


PS  Aside from ourselves (we weren't invited), notably absent from the list of corporate sponsors are the banks, and I can't say I blame them, despite their obvious reliance on customers to avoid phishing, malware and other nasties, most of which ultimately cost the banks $$$.  Westpac's plain-speaking information security advice to its customers, for instance, would knock spots off the stuff in this campaign.

PPS  Please stop using "cyber" as a prefix.  It reminds me of the terrifying cybermen from the iconic BBC series Doctor Who that I used to watch from behind the settee as a kid some 30-odd years ago.  Security should be friendly, positive and welcoming, not scary and outdated.  Computer security, IT security, network security, Internet security or information security are perfectly adequate and understandable terms without the connotations.

PPPS  Many other countries have run public security/privacy awareness campaigns, a few quite successfully over several years.  I wonder if it even occurred to NetSafe to find out about them and apply the lessons from abroad, or was it "not invented here"?

PPPPS (June 18)  A classic spot-it-a-mile-off 419 scam story that led to a Christchurch man losing about $20k in advance fees for a nonexistent $600k prize from Ghana is yet another reminder of the importance of security awareness for Kiwis.  Who knows: maybe the penny finally dropped for him when he saw the NetSafe campaign?
