NoticeBored blog

This blog has moved

2010-04-28T14:16:00.001+12:00

This blog is now located at http://blog.noticebored.com/.
You will be automatically redirected in 30 seconds, or you may click here.

For feed subscribers, please update your feed subscriptions to
http://blog.noticebored.com/feeds/posts/default.

Australian govt security awareness criticized

2010-04-20T16:50:00.004+12:00

A newly published report from the Australian National Audit Office into information security awareness and training for Australian government agencies is somewhat ambiguous in tone. The ANAO has previously recommended that agencies "develop and schedule periodic education and awareness programs for non-security personnel addressing agency security standards", "develop a structured and proactive security awareness education and training strategy" or "promote security aftercare arrangements in security education and training activities" - in other words, they have clearly been advised to sharpen up their act in this area. The latest report says:

"Overall, the audit concluded that the security awareness and training arrangements at the audited organisations were generally adequate and operating as intended. Nevertheless, there is considerable scope to enhance the effectiveness of the organisations’ security awareness and training programs. The main areas for improvement relate to more thoughtful planning, including tailoring the approaches used in light of the organisations’ security risk profiles, and better monitoring to help identify security awareness techniques that are not effective or working well. In addition, the audited organisations would benefit from improved record keeping to assist them manage the timely delivery of, and attendance at, security awareness training."

So although they are 'generally adequate', the security awareness and training arrangements evidently need better planning, monitoring and record-keeping. Only one of the four agencies audited had an actual awareness and training plan - the rest presumably make it up as they go along.

The report continues: "none of the organisations had any training or briefings targeted at the
roles and responsibilities of security cleared staff". I find this somewhat hard to believe. Security cleared staff presumably handle protectively marked information, systems etc., but despite the clearances, their obligations towards protecting those information assets are not spelled out to them? Seems odd. It's not as if the requirements are undefined - the government's Protective Security Manual surely lays out the most important aspects in black and white.

"None of the audited organisations had regular and structured processes in place to assess the impact and success (or otherwise) of their security awareness and training activities." So the agencies are investing an unknown but presumably significant amount in security awareness and training but not bothering to see whether all this public money is well spent?

This is hardly rocket science. Awareness and training strategies, plans and metrics are straightforward enough, aren't they?

Oh well, perhaps we can anticipate sales enquiries from our Australian colleagues. We'd love to help them with planning, delivering and measuring best practice awareness and training programs ...

Webcam home security system

2010-04-16T09:43:00.003+12:00

An burglar who stole stuff from an NZ home was snapped by the owner's webcam that had been set to monitor the scene for movement. When triggered, the camera sent still images to the owner by email, alerting him to the burglary in progress. Unfortunately the police arrived just too late to nab the intruder but his face is quite clearly recorded for posterity ...

The news cutting says the owner used software called "Motion", possibly this package which is promoted on the strength of its use for home security monitoring - CCTV on the cheap.

DNSsec pros and cons

2010-04-15T09:32:00.002+12:00

A somewhat self-contradictory piece in The Register regarding DNSsec was pointed out to me by a fellow CISSP. The way the Internet root DNS servers work is going to change soon - essentially after May 5th, they will only respond to DNS queries that have been digitally signed using the DNSsec protocol. Until then, I believe DNSsec is running on some of the root servers, allowing organizations to try out their software and get any wrinkles sorted out.

Kevin Murphy, the Register's columnist, indicates that some ISPs or large organizations running old software without the facility for DNSsec may thereafter be unable to make DNS queries, which mnay be true but seems rather unlikely to be such a problem as he implies. As I understand it, DNSsec has been around for years, implying that ISPs etc. who have not updated their software probably have other more serious security problems. On top of that, end users (like me!) are not tied to their ISP's DNS offerings. Personally, I have used both OpenDNS and the faster Google DNS successfully for years, particularly as my ISP's DNS had trouble resolving the very useful SANS Internet Storm Center address for some obscure reason.

Anyway, your ISP and/or your IT Department should be well on top of this by now, but for the sake of availability, it might be worth double-checking.

Inside GCHQ

2010-03-31T15:16:00.000+13:00

Fascinating BBC report on GCHQ, the UK Government Communications HQ - "GCHQ: Cracking the Code".

There's a nod to Bletchley Park's work cracking Enigma in WWII.

Clifford Cocks talks about inventing PKI "overnight".

GCHQ employees talk enthusiastically about the buzz their work gives them and the 'culture of security' which extends to home life, avoiding any specifics of course.

The reporter and guides describe the 10,000 square metres of computer halls in the centre of the donut, and their dependence on cooling water ...

They mention monitoring Web 2.0, VOIP and other Internet comms globally, and the need to adapt quickly to agile targets exploiting new security technologies and constantly watching for new exploits.

The ethics of snooping/spying and the inevitable privacy compromises that entails get a good mention: the very fact that the program was produced at all is surely a positive sign of GCHQ management and indeed the British government's intent to be more open.

GCHQ people are now 'embedded' with military units deployed around the world, sharing intelligence (no doubt in both directions).

Bonus marks for picking out all the other the physical security controls mentioned throughout the programme, and the social engineering potential of a program like this, no matter how carefully produced and edited.

Novel money mule scam

2010-03-23T20:14:00.004+13:00

Here's a scam I've not seen before, received by email:

Hello, My name is Raphael Scott I would be in your country for a seven days business meeting with 10 people. Do you have any vehicle or vehicles we could use during the period of our stay. The vehicle(s) would needed during on the following dates: ARRIVAL DATE: 23TH APRIL 2010 DEPARTURE DATE: 30TH APRIL 2010 Remember our movement basically from airport to hotel and venue conference, about 20 miles within the vicinity. Your duty is only to arrange vehicles and drivers that will contain 10 people for seven days. We would be happy if you could provide us with any of the following 2 mini buses , 2 sedans, 8 to 16 cheater bus or a Limousine. Let know a quote or estimate for the seven days. We would need the car with a driver. I would send a deposit via credit card details as soon as this booking is confirmed. I hope you do accept credit cards? Kindly email me if you have availability on those dates, also tell me the area you operate in your country. Kindly confirm this booking with the vehicle details and total cost for the 7 days. Best Regards Raphael Scott 28 Montague Street London WC2B 5BP +447011196388

I presume the intention is to get victims to launder credit card payments, as money mules, in much the same way as those lame requests along the lines of "I want to buy your products. Do you take credit cards? Please send me your prices ...".

I feel a bit sorry for those who fall for this kind of nonsense, but on the other hand some of them are just greedy and must surely know this is not legit.

Steer well clear.

Malawareness

2010-03-20T09:38:00.006+13:00

Malware, an old favorite, is the security awareness topic for this month's NoticeBored module. One of the issues noted in the awareness materials is that of user PCs picking up infections simply by visiting infectious websites ... like for example a 'bargain shopping' site in Australia that had evidently been exploited by hackers. According to the news report, certain browsers warned users when they visited the site and hopefully, if the users were aware enough to take note of the warnings and not override the technical controls, that would have significantly reduced the risk of being infected. On top of that, the malware was probably recognized by normal antivirus software, further reducing the risk. However, unaware users without these controls may well have drawn the short straw, and to make matters worse they may still be blissfully ignorant of the infection.

Awareness value of a US data center incident

2010-02-27T12:25:00.003+13:00

Consonus, a US data-center/co-location facility provider that prides itself on its "highly secure and reliable data centers", suffered a rather embarrassing physical security incident at one of its data centers on Saturday February 20th. An email from the Consonus data center manager to his customers indicates that an Inergen automated fire suppression system was accidentally triggered during a routine 6-monthly inspection of the fire system. This incident somehow damaged a large number of disks in the facility - I understand from other less reliable sources that as many as five hundred disks may have bitten the dust. Oops.

The point of this blog posting is not to poke fun at Consonus, who have clearly invested heavily in state-of-the-art controls and appear to have a comprehensive approach to information security, but rather to indicate that control failure remains a risk that we should all consider, no matter how strong we believe our controls may be.

In this incident, disk damage was evidently not the anticipated result of triggering the fire suppression system. It was an unforseen risk, exactly the kind of thing that contingency planning is designed to mitigate. I wonder how many of Consonus' customers either buy its optional disaster recovery and data protection (evidently meaning backup and archival) services, or have their own contingency controls in place, or didn't but now wish they did ...

At the same time, this incident is probably not generating the kind of publicity that Consonus would welcome (although there's truth in the saying that there's no such thing as bad publicity!). I wonder if their customer services team has its own contingency plan for this kind of event?

This unfortunate incident would form the basis of an excellent case study for security awareness purposes, but it's far from isolated. The truth is that unpredictable and costly information security incidents happen more often than most people realize [and here I'm talking in general terms, explicitly not referring to Consonus!]. In the course of my career, I have seen many and, I'm ashamed to admit, been personally involved in a few.

Investing in high availability technologies and strong security measures still cannot guarantee that essential IT services will be 100% available under all circumstances. Testing the fire system 'outside normal office hours' reduces but does not eliminate the risks. Siting IT facilities above the anticipated '100-year flood level' is merely gazing into some weather man's crystal balls. 'Uninterruptible power supply' is an oxymoron.

Even if information security is truly taken to heart by an enlightened senior management, as IT technologies and services get ever more complex, some types of coincident or catastrophic failure (including those caused by the very security controls we are implementing) become more not less likely.

Contingency planning depends on contingency thinking, which starts with someone posing the inevitable "What if ...?". There's a fine art to getting managers to suspend their rather charming but somewhat dubious trust in technology just long enough to consider what might happen if things don't in fact work perfectly, while at the same time not going so far as to be accused of just spreading FUD or constantly crying wolf (which is where classic "worst case scenarios" can easily lead). This is exactly the area where security awareness really helps in that it aligns information security and business thinking, focusing everyone on the risks and controls with the benefit of knowledge of what can, and indeed does, go wrong in similar situations elsewhere.

And that's why case studies make such good awareness tools. Better to learn from other people's misfortunes than to suffer them yourself.

Cracking encrypted VOIP?

2010-01-31T16:29:00.003+13:00

Taken at face value, a claim to have cracked voice encryption programs in minutes sounds pretty melodramatic, when in fact it appears the hacker has merely intercepted the 'plaintext' (plainvoice? Plainaudio? Plaingab?) en route to/from the encryption software at the client end, using a Trojan. The same kind of trick would probably work against most encryption systems unless they physically and logically secure the plaintext streams.

Cryptography in the dock

2010-01-31T14:25:00.002+13:00

As if to mark the release of our latest security awareness module on cryptography*, Stephen Murdoch and Ross Anderson of Cambridge University have released a highly critical report into the security of the Veri fed by Visa and MasterCard SecureCode authentication systems. True to one of the central messages in the awareness materials, their main complaints revolve not around the cryptography, per se, but rather the implementation. It seems the banks, credit card companies, merchants and service providers have failed to pay sufficient attention to the poor human beings who use the system. Human factors significantly weaken a design that probably looks great on paper.

* Not so, of course, it was purely a coincidence.

ISO27k application security standard

2010-01-21T08:30:00.003+13:00

An ISO/IEC 27000-series multi-part standard on application security is 'in the works'.

I'm currently reviewing the second Committee Draft of ISO/IEC 27034-1 "Information technology — Security techniques — Application Security — Part 1: Overview and concepts" which lays out the basic concepts and principles for other parts of 27034 to elaborate upon.

Despite this overview section being around 78 pages in length, part 1 states explicitly that 27024 is not a software application development standard, an application project management standard, nor a software development cycle standard. Its purpose is to provide general guidance that will be supported, in turn, by more detailed methods and standards in those areas.

The standard explictly takes a process approach to specifying, designing, developing, testing, implementing and maintaining security functions and controls in application systems. For instance it defines application security not as the state of security of an application system but as "a process an organization can perform for applying controls and measurements to its applications in order the manage the risk of using them".

The draft standard draws on concepts such as auditing and certification of application systems similar in style to the Common Criteria and similar schemes primarily used for government and military systems. It tends to emphasize deliberate threats arising from external adversaries over those from insiders, and perhaps more importantly in many situations accidental threats and hence the need for integrity and availability controls.

The standard is not projected to be released until 2012 - such is the glacially slow pace of ISO/IEC. The upside, though, is that the final product will - we hope - be well worth the wait.

Making money from the Haitian quake

2010-01-17T20:27:00.004+13:00

I can barely believe the cheek of this email that plopped into my inbox today:

HELP HAITI LONDON
13 Liverpool Road,
Islington, London,
N1 0RW

Dear.Friend

On Tuesday, a catastrophic earthquake struck near Port-au-Prince almost the whole of Haiti. The full extent of the damage is still being assessed, but the death toll -- already in the thousands -- is climbing fast.

This is the worst earthquake to hit the area in more than 200 years. Entire communities have been ripped apart and as many as 3 million people have been directly affected, including tens of thousands of American citizens who are in Haiti.

Haiti is racing to confront the enormous devastation -- and the OFA community can help.
Footage is pouring in of homes collapsing, Haitians carrying injured family members, and hospitals being overrun in what was already the poorest nation in the Western Hemisphere.

we have directed this means of contact individuals to respond with a swift, coordinated, and aggressive effort to save lives. Personnel from the United States and our partners in the international community are on the ground in damaged areas right now, working side by side with the Haitian people. They're providing food, water, and sanitation supplies, saving lives and helping Haitians,please your help is also needed

Despite the fact that we are experiencing tough financial times now we encourage those who can to reach out and help. It's in times like these that we must show the kind of compassion and humanity that has defined the best of our national character for generations.

PLEASE FOR NOW YOU CAN SEND YOUR DONATIONS BY WESTERN UNION TO OUR HELP HAITI LONDON CORDINATIOR ANN BROWN WITH THE BELOW INFORMATION,NO AMOUNT ITS TOO SMALL HELP AND GOD WILL BLESS YOU!!

Receiver:Ann Brown
Location:London Uk
Email: helphaitinow@consultant.com
send her all related information or call john on +447031842276

Please if you make any donation send us the following informations for reference .
1) Your full name:

2) Sex:

3) Age:

4) Occupation:

5) Mobile / Telephone Number:

6) Country:

6) Nationality:

As this story continues to unfold, I hope you will continue to keep the people of Haiti in your thoughts and prayers, as well as the many Haitian-Americans who have done so much to enrich our country and who are worried about friends and loved ones in this time of need.

Thank you,

David Cole

Just in case you missed the rather obvious signs of a 419 scam such as the rotten grammar and spellings and other inconsistencies, there's a completely unnecessary request for personal information to cap it all off.

Scumbags.

Privacy/security awareness

2010-01-11T09:49:00.003+13:00

A report from Government Technology caught my eye this morning: CSI Computer Crime and Security Survey Shows Poor Security Awareness Training in Public and Private Sectors. "Mmmm, looks interesting" I thought, especially when I saw this:

"But respondents also expressed even greater concern over a perceived lack of proper security awareness training for users at endpoints. A whopping 43.4 percent of them said that less than 1 percent of their security budget was allocated to awareness training, and 55 percent said current investments in this area were inadequate.

"I think that's too bad it is that way, but consider that you could cut half of the losses simply by taking care of that problem," Richardson said.

Twenty-five percent of respondents said more than 60 percent of financial losses came from accidental breaches by insiders, not external hacks, and 16.1 percent said 81 to 100 percent of all losses came from accidental breaches as well."

So, less than 60% of organizations surveyed spend at least 1% of their 'security budget' (whatever that means) on 'awareness training' (whatever that means also). I can't say I'm surprised by that but I'd like to know more and check the original source for details.

The GovTech report didn't include a link to the survey, merely a link to the CSI website. There's an obvious link to the survey on CSI's home page, but Heuston we have a problem: it seems the only way to obtain the survey is either to purchase membership of CSI, for over US$200, or obtain a 'free preview' of the report .... which requires me to enter a bunch of personal information.

If, as the GovTech article, suggests there really is a problem with security awareness, it seems rather ironic that the CSI report is not freely available to all without invading our privacy. The report sounds like it might be useful from an awareness perspective but not at that price.

Similar surveys are freely available from many other organizations. Guess I can live without CSI's.

Secure software development

2010-01-05T16:35:00.004+13:00

In connection with this month's NoticeBored awareness materials on the security aspects of software development, I've been listening to a podcast by Ralph Hood and Kim Howell (two Microsofties) about how both privacy and wider information security issues are integrated into Microsoft's development practices.

From a non-US perspective, the very idea that privacy and security are "opposite sides of the same coin" seems a little weird. For most of the rest of the world, privacy has long been acknowledged as a subset of information security, being essentially the confidentiality of information about specific individuals. But, as host Julia Allen mentions in the podcast, the US is still shifting from the idea that it's perfectly OK to collect all sorts of personal information from people and use it as you wish.

One of the interesting approaches discussed in the podcast is that personal information needed purely for aggregation or statistical purposes should be collected and held only temporarily, then deleted as soon as possible. Personal information in server logs, for example, may be parsed out, analyzed and deleted by a regular process. While this would make post-hoc validation of the data difficult, this slight drawback is outweighed by the privacy advantages for those who supply their information.

The podcast is one of the excellent Security for business leaders series by CERT at Carnegie Mellon University. An impressive range of podcasts is available to download.

Security awareness research

2009-12-10T15:32:00.004+13:00

Thanks to a link posted to an email reflector, I've just stumbled across a 2006 PhD thesis that examined a number of approaches to information security awareness in order to develop design guidelines for awareness programs and activities. The research was mentored by Professor Mikko Siponen, leader of Oulu University's Information Systems Security Research Center in Finland. The thesis, "A design theory for information security awareness" by Petri Puhakainen is well written. As usual for a scientific PhD thesis, it starts by briefly reviewing existing literature in the field of information security awareness, then goes on to present the author's research experiments, findings and conclusions.

The thesis uses cognitive theories on how learning and behavioural changes are understood to occur to evaluate common awareness practices. For example, "Communication is presented as a continuous process where the parties should take turns and create information to be shared, interpreted, and reinterpreted until a sufficient degree of mutual understanding and agreement is achieved to enable collective action. The outcomes of the communication process are social (mutual understanding, agreement, and collective action) and individual (perceiving, interpreting, understanding, and believing)." (page 78).

As I read it, Petri (in common with many others in this field) often confuses 'awareness' with 'training', for example discussing a research case involving quite narrow training on the use of encryption for confidential email as a security awareness exercise. To my mind, awareness is intended to achieve a generalized appreciation or understanding of information security throughout the enterprise as a whole, while training is intended to focus on a specific problem area or development need for specific individuals or teams. Awareness aims to change employees' behaviour in quite subtle but broad ways (cultural development), while training aims to change employees' behaviour more overtly under quite specific circumstances (personal development). These are quite distinct aims that are usually satisfied by different teaching/training and moticational/awareness methods.

By stating "At least in large organizations, it is not possible to aim at mutual understanding by engaging all employees in the conversation process. Such approach would be expensive and slow, making [it] unfeasible." (also on page 78), Petri arguably misunderstands the value of broad-based enterprise-wide security awareness programs that inform and engage employees throughout the corporation but without the expense normally associated with classroom training sessions.

All arguments aside, the previous two paragraphs hint at the value of reading petri's thesis in depth, exploring the many embedded references and thinking critically about what the author presents. As an information security professional with more than two decades experience and a penchant for both academic and pragmatic writings on the subject, I'm delighted to have learnt new things and found useful new references in the thesis. Good job Petri!

419 phisher mash-up

2009-11-12T19:13:00.003+13:00

Well here's a new take on an old scam - well possibly two old scams in one as it has elements of both 419 advance fee fraud and phishing about it (click on the email screenshot to see it in its full glory - I added the red highlighting).

I must say I have never before had scammers offering to send me my own "account online log in and password". What's the betting there is a small charge to release the information?

Cheapskate copycat 419 scammers

2009-11-07T21:03:00.007+13:00

The following extraordinary sentence launched yet another tedious social enginering 419 scam in my spam box:

"Take notice that based on the UNITED NATIONS government inauguration of this committee which extended to all countries which combined with the United Nation Anti-crime commission to alleviate and redeem the image and past wounds of our dear citizens and foreign firms who were duped, defrauded, scammed and abandoned by some impostors who indiscriminately use the name of God, Office of governors, Presidency, Banks etc to slight down our dignities to international communities."

Most 419ers are clearly one sandwich short of a picnic as all they seem to do is replay the same old scams over and over. The 'clever' ones add daft little elaborations and the rest duly plagiarise them without actually understanding how dumb they end up sounding.

This cretin continued: "Many banks have been in bankruptcy today, Universal firms, Companies due to the activity of these hoodlums. However, investigation have shown that these people have dropped over 500,000 clients after collecting their money, many committed suicide and others living by the grace of God," [that comma ended the paragraph].

By the third paragraph, the bizarre language had actually become quite entertaining: "Meanwhile, we have a committee whose duties are to re-commend [sic] genuine contractors, loan bidders, next of kin (inheritance payment), foreign firms who have completed all the U.S government normal payment requirements but abandoned due to take over of some sacked officials who take Government papers to collect money and leave the beneficiary half way." He's obviously read far too many emails by his friends in the back-street Internet cafe, and mashed them all together in his tiny pin-head, as if that somehow enhances the magic.

After a boring fourth paragraph, we discover that his CAPS-LOCK key is evidently sticking: "We also have endorsed your payment to FALCON BANK TO PAY YOU THROUGH A DIPLOMATIC COURIER SERVICE without prejudice and will need a confirmation of all your communication until you finally receive your money so as to investigate more so to find out more facts on this issues, it will be well appreciated if you can provide us some vital information on how you have been scammed. The U.N government is using this opportunity to compensate the entire victim who some have duped."

The 'U.N Government'?! Gosh, I must have missed that election. Silly me.

"So you are advice to contact Mr. Felix De Lapaz to mail to you a certified check which can be cashed anywhere in the world and the amount is $250,000.00 U.S.D(TWO HUNDRED AND FIFTY THOUSAND UNITED STATES DOLLARS)." Now, just in case the rest of this tripe somehow escaped my beady and rather jaundiced eye, I clearly smell a very large malodorous rat as most of this cheapskate scammer's peers are offering me many MILLIONS (all in CAPS of course, spelt out for me word-by-word as if this somehow adds credibility to those crazy digits).

After asking me to cough up a little personal information ("Please fill the following form for documentations:"), the numbskull ends with this: "As soon as you give him the following he will mail your compensation cheque to you. THIS IS PROUDLY SPONSORED BY "THE U.N CAMPAIGN TEAM AGAINST ONLINE SCAMS"." So, this is a sponsored scam, eh? I'm sorely tempted to write back to see if I can discover how he managed to secure such high-powered sponsorship ... but then I come to my senses and realise that bozos like this are simply not worth the electrons.

Still, at least I got yet another entertaining case study out of it. And a wry smile.

Word-based email blacklisting

2009-11-04T09:27:00.001+13:00

Using banned-word lists to block spam may be a simple and hence cheap control but it may be too crude or simplistic to work properly. Blocking emails with "teen" in them, for example, is perhaps not the smartest move made by New Zealand's Social Development Ministry.

Blogging policies

2009-11-02T15:50:00.005+13:00

A set of policies, presented as checklists or guidelines for employees, explains typical rules for employees who use blogs or other social media:

"The Disclosure Best Practices Toolkit is a draft series of checklists to help companies, their employees, and their agencies learn the appropriate and transparent ways to interact with blogs, bloggers, and the people who interact with them.
We believe in the principles of transparency and openness, and this document is a way of making this real on the inside. Our goal is not to create or propose new industry standards or rules. These checklists are open source training tools designed to help educate the hundreds or thousands of employees in any large corporation the appropriate ways to interact with the social media community."

The authors evidently have a bee in their bonnet about people disclosing any pecuniary interest in the matters on which they are writing. If adapted to become corporate policies, management may wish to be crystal clear about the limits on employees discussing the organization, its products, customers or related matters in any public forum (including all social media), particularly if all such pronouncements should normally be explicitly sanctioned by Public Relations, Law, Marketing or other interested parties.

Note: this may be just as much an issue for employees (or indeed contractors, consultants and others) blogging 'in their own time' as for those blogging at work.

Blogging policy

2009-10-30T10:00:00.002+13:00

The CBC Blogging Manifesto is not unlike a skeleton corporate policy about blogging by employees. Even in this succinct original form, it would be an interesting advisory or discussion piece for your intranet Security Zone.

New NB module on social networking

2009-10-28T20:07:00.002+13:00

Social networking has become extremely popular of late and is getting lots of coverage on new and traditional news media. Given the fact that a great deal of network/Internet use and applications have traditionally been social in nature, this is hardly surprising: what is more surprising is that the media and technology pundits seem to feel that we need to have a special term for it. Like most Internet and IT developments, it’s more evolution than revolution, and in fact more hype than substance in many cases.

Businesses are making use of interactive social media for corporate (primarily marketing) purposes. While these applications are, at the moment, more projected than proven, it is undeniable that many enterprises are either openly examining social networking and so-called Web 2.0 technologies, or are facing covert use of these systems and technologies by rogue employees. Either way, employees need to find out about the concerns and security dangers related to such use before landing themselves, their family, friends and colleagues, and maybe even their employers, in trouble.

Humans are social animals. Social networking websites such as MySpace, Facebook and Twitter, plus associated network applications, provide a conduit for social interaction by individuals, for example keeping in touch with family and friends, making new acquaintances and friends, and often publishing details of their normally private and personal activities on the Interwebnet.

The primary information security risks relating to social networking and social media can be classed as social engineering - the deliberate manipulation of vulnerable people in order to gain control over the information assets they own or have access to, and the use of information so obtained to deceive or manipulate others. With systems and networks getting ever more complex, ordinary users are getting more and more remote from the underlying technologies, which opens them to new threats from hackers who know how to turn the technologies and processes to their advantage.

You can find out more about the information security risks associated with social networking in this month’s NoticeBored security awareness newsletter, and take a look at what's in store in the new awareness module here.

Yet another inept 419er

2009-10-15T07:44:00.003+13:00

Some Nigerian thinks I was born yesterday:

Content-Type: text/plain Content-Transfer-Encoding: 8bit Message-Id: <20091014171244.7474f21fec20@kunde.business-light.com>
Date: Wed, 14 Oct 2009 19:12:44 +0200 (CEST)

From :The Honourable Officeof the Finance Minister.(FMF)In collabration with (CBN)Office.ATT : Honourable Contr(FMF/CBN) Payment Notification Update. In order to eradicate the fraudulent rampant extortion of money from contractors as transfer charges and taxes by non-exiting individuals and corrupt Government officials.I am obliged to reach you concerning the immediate payment of your fund by ATM Visa Card. Be- informed that this communication superside any other you must have had with any office in connection with your payment. Investgations reveal that you have paid some good money in the past as transfer charges and taxes which did not reflect in the bank treasury, that means officials concern have help themselves to the money at your own detriment. Now that your file has scaled their huddle and your file is on my table.I want to ensure the immediate payment of your fund by ATM Visa Card. You are thereby advise to re-confirm to me the following:Your full Name 2) Your Telephone and Fax number (3)Your receiving Address &Banking particulars. (4)Copy of your international passport. This is imperative to enable me confirm your informations and make my recommendations to Foreign Operation ATM Department of FMF for immediate payment of your fund by ATM Visa Card.Note:If your file returns to the cabinet without my recommendation you will end up not benefiting from the present batch of beneficiaries.PETER EZE,Minister Ministry of Finance FMFFederal Republic of Nigeria.Contact me via my private e-mail address;( petereze.eze@gmail.com)

The "non-exiting individuals" interest me but I'm not pleased my email address has "scaled their huddle", even if it does "superside" others.

Give it a break you idiots. We're tired of all this spam.

Directions in Security Metrics Research

2009-09-03T08:42:00.004+12:00

NISTIR 7564 "Directions in Security Metrics Research" says:

"Advancing the state of scientifically sound, security measures and metrics (i.e., a metrology for information system security) would greatly aid the design, implementation, and operation of secure information systems."

Hear hear!

"... Enterprise-Level Security Metrics, was included in the most recent Hard Problem List prepared by the INFOSEC Research Council ..."

That I didn't know, but I totally agree: security metrics is indeed a Hard Problem.

If you would like to metricate your ISMS, do take a look at NIST's new paper. The main body is quite short at just 15 pages but covers a wide brief, drawing on metrication practices from other fields. If you are eager to learn more, there are six pages of references to deepen your knowlege still further.

Locational privacy

2009-09-02T11:49:00.002+12:00

The Electronic Freedom Foundation's paper on locational privacy explores the privacy issues relating to automatic road toll devices and similar systems that check the locations of users. Such systems can be designed to incorporate locational privacy controls but this increases their complexity and cost - the question is whether that's justified by the privacy benefits.

It's also a moot point given that most of us already carry cellphones which can be tracked to a few city blocks or a few miles in open country.

HSBC fined for not protecting customer confidentiality

2009-09-01T19:11:00.002+12:00

Info4security published news about HSBC's privacy lapses:

"The Financial Services Authority (FSA) has fined three HSBC firms over £3 million for not having adequate systems and controls in place to protect their customers' confidential details from being lost or stolen ... During its investigation into the firms' data security systems and controls, the Financial Services Authority (FSA) found that large amounts of unencrypted customer details had been sent via post or courier to third parties. Confidential information about customers was also left on open shelves or in unlocked cabinets, and could easily have been lost or stolen. In addition, it was noted that members of staff had not been given sufficient training on how to identify and manage risks such as identity theft."

Read the whole item here.