Posts

Showing posts from 2008

New awareness module on hacking

What makes hackers tick? Who are they? What is the difference between hacking and cracking? Are phreaks and social engineers hackers too? And most of all, what can we do to avoid being hacked? We can't promise to answer these questions fully but our latest NoticeBored security awareness module does at least address them. Please sign up here to receive the free monthly awareness newsletter. We will be using Google Groups in future rather than Topica to circulate the newsletters but unfortunately this means everyone on the current mailing list must make the effort to join the Google Group to continue getting them [we'd have migrated all your email addresses ourselves except that some might consider that a privacy violation!].

capitally Challenged 419er

Anti-Terrorist and Monitory Crimes Division. Federal Bureau Of Investigation. J. Edgar. Hoover Building, Washington D.C Telephone Number : (206) 984 - 0470 ATTN: BENEFICIARY This is to Officially inform you that it has come to our notice and we have thoroughly completed an Investigated with the help of our Intelligence Monitoring Network System that you are having an illegal transaction with Impostors claiming to be Prof. Charles C. Soludo of the Central Bank Of Nigeria, Mr. Patrick Aziza, Mr Frank Nweke, none officials of Oceanic Bank, none officials of Zenith Bank and some impostors claiming to be the Federal Bureau Of Investigation agents. Oh, OK, so I'm supposed to suspend disbelief for a moment and accept that the FBI is writing to me out of the blue, with a grammatically incorrect and anonymous email, warning me about impostors from Nigeria? Right. Let's see what they want ... During our Investigation, it came to our notice that the reason why you have not received your...

Will your cellphone spill your secrets

As the title suggests, Will your cellphone spill your secrets focuses on privacy exposures from lost cellphones but the same considerations apply to other gizmos of course. The loss of a gizmo is more than just a privacy issue: we become very attached to, if not dependent on, them. Speaking personally, I'm terrible at remembering names let alone phone numbers, email addresses, passwords and so forth, so I rely heavily on the technology to do the remembering for me. Naturally, being a security freak, I use encryption and other controls to protect such sensitive information so the privacy side is less of a concern than me simply losing access to all that valuable information ... so don't forget backups. Decent backups. Off-line backups with the backup media stored securely. It's a bit of a pain to take them but it's far worse to lose a gizmo (whether by leaving it on the back seat of a cab or on the roof of a car, having it stolen, dropping it in a puddle or some other ...

Ultraportables - are they really "special"

"Ultraportable" lightweight slimline laptops are all the rage, apparently (I've been using them for years already - ahead of my time maybe, or just wary of the old luggable portables?). A Computerworld piece "Small laptops pose a big security threat" claims that because they run with "a stripped down" Linux or Windows XP operating system instead of, presumably, Vista, they are inherently insecure. Well maybe there are drawbacks but I'm not entirely convinced that they are significant - properly configured, I would rate XP and Linux at least as secure as, if not more secure than, Vista. On the physical security front, there are arguments both ways. Ultraportables may have less physical protection making them more vulnerable to knocks (less so the ones with solid state hard drives) and they are perhaps more likely to be lost or stolen due to their portability. On the other hand, I carry mine in a standard briefcase or portfolio rather than an obvious ...

HMG loses two gizmos a week

In the past year, the British Government admits to having lost: 53 computers; 36 BlackBerrys; 30 mobile phones; 4 memory sticks; and 4 disc drives. If we assume that the devices had just 1 Gb of data storage each (a low estimate for some, I'm sure), that's 127 Gb of data gone walkies. Some of them were hopefully strongly encrypted - let's be generous and say half, bringing the exposure down to 63.5 Gb of unencrypted data. By my calculation, that's equivalent to a pile of printed papers more than 50 feet high. The reported number of lost devices is certainly an underestimate, since (a) it's self-reported by government officials; (b) it excludes the Ministry of Defense and Home Office, who did not respond to the request for information; (c) government employees probably use, and lose, personal devices for official work; and (d) it excludes other formats, e.g. lost CD/DVD ROMs and actual papers. As to whether it is acceptable for Her Majesty's Government to lose at lea...

Gizmo security cluelessness

Looks like McCain's team need to read the latest NoticeBored module on security for gizmos ... oh wait, it's too late. They sold at least one information-packed Blackberry to a reporter ...

How to create a security policy for social networks

The security risks associated with social networking sites such as Facebook and LinkedIn are pointed out by a well-balanced piece on Search Security by David Sherry, CISO of Brown University. Unusually for this kind of article, the author describes a reasonably comprehensive range of security controls that organizations might adopt to minimize the risks. I'm pleased to note that security policies and awareness are among the recommendations, and in fact the security issues arising from social networking can be used as an awareness-raising topic: "Social networking risks are also a great way to enhance security awareness throughout an organization and build convergence with key decision makers and leaders. Social networking is a familiar term, but one that may not conjure up risks to the enterprise. Many other areas of the corporation, while focusing on risk and some aspects of security, may need to be educated and consulted when creating a policy or mo...

Security awareness for less than $1,000 per year

Despite our standard subscription charges being probably the lowest in the marketplace, some prospective customers struggle to find any money for security awareness. We are very conscious of the global credit crunch and financial turmoil out there so, for a trial period, we are offering a special SME version of NoticeBored for less than US$1,000 per year. Read more about NoticeBored Lite.

Gizmo security awareness

December's NoticeBored module covers security issues associated with gizmos. Please visit the website or read the newsletter to discover what gizmos are and find out about the security issues.

PwC 2008 infosec survey

A key finding from the 2008 information security survey by PwC is that organizations are spending more on security technologies but need to achieve a better balance: "One of the best ways of improving enterprise-wide visibility into the crucial details of actual security incidents is to match technology investments with an equally robust commitment to the other principal drivers of security’s value: the critical business and security processes that support technology, and the people that administer them." Technology is a bottomless pit for security investment: one can always spend more on security hardware and software but after the basics (such as antivirus and firewalls) are covered, the returns diminish. Organizations should be complementing their technological investments with security awareness and training. "What matters, of course, is improving an organization’s ability to defend and prevent attacks on an ongoing basis—without distracting people from the every-d...

Social engineering - exploiting the weakest links

Surveys and news items suggest that social engineering attacks are on the rise in terms of scale and sophistication, as well as number. A new 40-page white paper from ENISA: outlines social engineering methods such as pretexting, phishing, spear phishing and vishing; presents an interview with acknowledged social engineer Kevin Mitnick; discusses three studies portraying how easily naive/untrained users are manipulated; identifies five defence measures; and offers a checklist to fight social engineering based on the mnemonic LIST (Legitimacy, Importance, Source, Timing). While technical controls can help to some extent, for example by identifying emails that might be phishing attempts, research on undergraduates (described in the paper) demonstrates the effectiveness of repeated security awareness/training.

New awareness module on social engineering

The proverbial man in the street may think information security primarily involves technical security controls but in fact other types of control are equally important in protecting information assets, for example physical controls (locks, gates, fire/intruder/water alarms etc.), legal and regulatory controls (data protection/privacy laws, PCI DSS, HIPAA etc.) and procedural controls (policies, procedures, guidelines, management reviews, audits etc.). Most security risks are countered by a combination of controls from these different categories. Social engineering is fairly unusual in that technical controls are more or less irrelevant: social engineers aim to bypass the technology completely, either by physically penetrating the organization or by fooling employees into giving them unauthorized access to information assets. We have covered awareness of physical security controls and compliance obligations in other NoticeBored modules but November’s module concentrates on pretext...

Malicious 'M$ update' attachment

Here's a crude attempt to get me to install malware, fresh from my inbox: Dear Microsoft Customer, Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista. Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update. Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users. As your computer is set to receive notifications when new updates are available, you have received this notice. In order to start the upda...

The ethics of entrapment

Police are using technology to capture criminals, for example by fitting out vehicles with CCTV and leaving them in vulnerable locations to lure car thieves. The CCTV images are so good that it's easy to make out the criminal's facial features and sometimes even his name and birth date tattooed on his neck (doh!). But consider the question of whether such activity is ethical. From most perspectives (other than the criminals'!), it seems acceptable since the recording devices are within someone's property space which is clearly being violated by the criminals. One might argue that leaving such an attractive lure in a vulnerable place is entrapment, encouraging an otherwise law-abiding person to step over the line and break in, but what do you think? This is a good topic for a tea-time discussion in the average office. UPDATE Oct 17th: Here's another situation with similar ethical issues. The FBI has allegedly been running DarkMarket, a carders' web ...

Worth a look: Computer Ethics book

My colleague Rob Slade, renowned for his book reviews, has just circulated a glowing review of the book Computer Ethics by Deborah Johnson. I say "glowing" deliberately: Rob has published many harsh reviews and, in my experience, they are generally well deserved. The relatively few books that Rob likes stand out as somewhat exceptional and, again, in my experience are well worth reading. Rob knows his stuff. I find him hard but fair. In short, I trust Rob's judgement on computer security books. Ethically I should point out that I have not actually read Johnson's book myself - I am merely passing on a recommendation. If you have read it and would like to put me straight, please comment below!

Dual use IT

A fellow inmate of CISSPforum sent us a link today to an interesting piece in the Boston Globe regarding the victim of a laptop theft using remote access software to log on to his machine and, in due course, identify the suspected thief's name and address as he typed it into a website. At last, an ethical use for a Remote Access Trojan (RAT)! The Web is awash with organizations offering to license their RATs and keylogging Trojans but, so far as I can see, they are mostly aiming at the "Spy on your spouse" market. Some of them claim to be aiming at "Spy on your employees" or "Spy on your children", as if that legitimises their activities but, speaking personally, I find these uses unethical too. Spouses, employees and children ALL have legitimate expectations of privacy, whether online or off. To me, spying on them as they use the computers is essentially the same as spying on them in the Real World. It's underhand and unfair. Putting yoursel...

Bootstrapping for software developers

Why is it that so many organizations expect their software developers and other IT people to “do” information security, yet they don’t bother to train them in the art? A new security awareness briefing pack contains a set of notelets (short briefings) to help those involved in managing and delivering IT system developments fulfill their information security obligations. The notelets fall into two groups: Technical notelets introduce common information security controls, explain generic control requirements and outline the options available to satisfy those requirements. Development process notelets outline information security issues that ought to be taken into account during most software developments (including ‘end user computing’ projects such as spreadsheet programs). Although all the notelets are succinct double-sided items, the briefing pack contains 33 of them and hence with introduction and copyright notice is some 70 pages in total. Download the complete pack here (1Mb PDF ...

New awareness module on ethics

Whereas most months we revise and reissue NoticeBored security awareness modules on topics we've covered before, this month we've written a completely new one on ethics and morality in information security. To be fair, it's something we have touched on several times but it seemed appropriate to go into a bit more depth for once. Ethical people, and indeed organizations, act in accordance with principles of conduct that are generally considered correct, appropriate or proper. In respect of information security, ethical behavior reinforces procedural controls. Unethical people who disregard the principles and ignore procedures weaken security, just as a rusty door bolt can jeopardize physical security. However, there is more to ethics than mere compliance. We all face ethical decisions and dilemmas from time to time, situations in which our internal values and beliefs guide our actions as much as external pressures. The NoticeBored newsletter explores the risks around ethics and s...

Institute of Information Security Professionals

A blog entry by Gerry O’Neill, CEO of the Institute of Information Security Professionals, gives us an update on the IISP's progress towards defining and implementing a certification process for its members. Gerry acknowledges a handful of existing certifications (such as CISSP, CISM, CISA and MSc) from which the IISP appears to have borrowed a few ideas (e.g. referring to a "common body of knowledge", presumably similar to the CISSP CBK?). He identifies certain characteristics of a profession, including "a ‘licence to practice’, based around a core of specialist knowledge, skills and disciplines, regulated by a professional body and, crucially, with business recognition of its value." The ‘licence to practice’ idea works well for professions such as medicine, accountancy and law but these professions are clearly much older than information security. Whether the IISP can first establish itself as a recognised professional body, secondly impose regulations an...

AsiaDomainNameRegistrar scam

An email allegedly from an Asian domain name registrar based in China caught my eye in the spam box today. The email basically says an investment company intends to register NoticeBored.ASIA and NoticeBored.CN, and that we'd better act fast to stop it. Dear Manager, We received a formal application on intending to register "noticebored" as their domain name and Internet brand in China and also in Asia from an investment company pn Sept.7th,2008. During our audit period, we find that this Investment company has no trade mark, brand or patent. As a professional institution of domain name registration, we have reasons to suspect this investment company to be a domain name grabber. Therefore, we need your confirmation on two points as follows. First of all, whether this investment company is your business partner or distributor in China? Secondly, whether you are interested in registering these domain names? (According to the rules of domain name registration, the investmen...

More on SF rogue network admin

The drip-feed of news about the Terry Childs case continues. [Quick recap: Childs held the City Government of San Francisco to ransom by refusing to divulge the city's network admin passwords that were under his sole control.] The Washington Post tells us: "Childs compromised more than 1,100 devices and created unauthorized network doorways, allowing him unfettered and undetectable access. He collected pages of user names and passwords, including his supervisor's, to use their network log-ons. And he downloaded thousands of gigabytes of city data -- possibly privileged information, such as police reports and e-mails -- to a personal encrypted storage device. Experts still aren't sure what data the device contains." 'Thousands of gigabytes'? That's an impressive capacity for a personal storage device. The Post also says Childs had a criminal record: "Childs, as it turns out, carried a list of convictions, including aggravated burglary, aggrava...

Free access to MIT courseware

Dan Swanson just put me on to the fact that MIT, the world-renowned Massachusetts Institute of Technology, publishes course notes from many of its classes, for free, on the Web. This includes the Sloan School of Management with its broad range of fascinating courses about managerial psychology and other topics of interest to security awareness professionals and management students alike - take a look at Advanced Corporate Risk Management for example to understand a bit about futures and options trading where, amazingly enough, risk has an upside! Thanks Dan!

AOL phisher gets seven-year sentence

Infoworld reports on the sentencing of a phisher: "A West Haven, Conn., man has been sentenced to seven years in prison for masterminding a phishing scheme that targeted AOL users over a four-year period. Michael Dolan, 24, was sentenced Wednesday in Connecticut federal court. The seven-year sentence was the maximum he could have received, said Assistant U.S. District Attorney Edward Chang, via e-mail. Dolan was also sentenced to three years' supervised release, and a $200 special assessment, he added. Last year Dolan pleaded guilty to fraud and aggravated identity theft charges. ..." Dolan conned AOL users into disclosing their credit card numbers, using fake greetings cards. He also "attempted to bribe a codefendant, threatened to kill someone he thought was a government informant, and suborned perjury from his girlfriend" according to the article, indicating the sort of person he is.

Ice hockey coach emails himself to prison

The BBC reports that a father, concerned about his under-age daughter's relationship with an adult ice hockey coach, installed spy software on the family PC to monitor her online liaisons. It soon became apparent from the emails and Messenger chat the pair were exchanging that they were having unlawful sexual intercourse. The coach was arrested, charged and convicted of five counts of sexual activity with a child and jailed for 4½ years. In a corporate setting, it is not entirely obvious to many IT, HR and information security professionals whether an employer has the legal right to monitor its employees' use of email and other IT facilities in the same way, even if those facilities clearly belong to the organization and are provided to employees for work purposes. In some countries, privacy laws constrain what employee monitoring employers can reasonably do but there are often exceptions to permit more intrusive monitoring in order to investigate suspected illegal a...

New NB awareness module on email security

Email security is our topic for September's NoticeBored module. This is a core topic covering perennial issues worth reminding employees about every year. By the way, we've had some problems with the blog feeds lately but hope things are working OK now. I'm also posting occasionally to the (ISC)2 blog in the company of other CISSPs and luminaries. Do take a look if you're not already subscribed.

Facebook fairy

This is just too funny to resist. I might open up a little on this blog from time to time but you won't find a picture of me in a fairy costume, clutching a beer, when I'm supposed to be at work. Oh the joys of Facebook.

PCI DSS update

An update to the Payment Card Industry Data Security Standard (PCI DSS) has been announced with a preview/summary of the changes due for release in version 1.2 on 1st October. Most of the changes are classified as clarifications of existing requirements but controls for wireless networks caught my beady eye. On the one hand, PCI DSS seemingly acknowledges that WEP is no longer adequate (about time!), but on the other it allows WEP to continue until July 2010. 2010! That's like saying "Wardrivers, take your time, you have 2 years to find and exploit vulnerable stores". Given recent high-profile incidents of that nature, I'm puzzled as to why WEP is tolerated at all. PCI DSS 1.2 is an opportunity to drive up security standards and in many respects it is incrementally improving things, but in this one respect, they're letting the chance slip by. Examples of "critical employee-facing technologies" that ought to be covered by security policies will be e...

Help for ISO27k implementers

Over at ISO27001security dotcom I've just posted: a 2.2Mb ZIP file containing the full contents of the free ISO27k Toolkit; and a printable PDF version of the ISO27k FAQ. Although they are already useful and generating good feedback, these are both works-in-progress. Further contributions to the toolkit and FAQ are always welcome. If you have implemented the ISO27k standards, are there policies, procedures etc. that you would be willing to donate to the cause? If you wish, I can help you format them to suit the purpose, for example removing any proprietary content to make them generic and adding a Creative Commons license. In return, you will be openly acknowledged as the contributing author in the material and on the website. Clearly, it is vital that you either personally own the materials you submit or have the copyright owner's express permission since they will end up in a public forum. Visit the website or contact me (Gary@isect.com) for more info.

Systemic security management: the ICIIP model

I don't know about you but models have intrigued me ever since I was a kid playing with Meccano and Lego. There's something fascinating about the structure and relationships making the whole thing greater than the sum of its parts. So when I heard about a new model linking people, process, technology and organizational design/strategy in the context of information security, I couldn't resist a look. A PDF presentation of the ICIIP model gets off to a good start, representing it as a nice symmetrical three-dimensional tetrahedron, unlike so many other flat two-dimensional tabular models. It even has information labels on the six connections (described as "tensions") between the four nodes as well as on the nodes themselves. The tensions are governance, architecture, culture, human factors, enabling and support, and 'emergence' (representing the inherent complexity and emergent properties of any organizational system). Digging a bit deeper, authors ...

New awareness module on infosec governance

The field of corporate governance exploded onto management’s agenda following Enron’s collapse in 2000/2001 and the introduction of SOX (Sarbanes Oxley Act) in 2002. There has been some public discussion of IT governance since then but information security governance is still emerging from the murk. In August's security awareness module we expand on what ‘governance’ means and how it relates to information security in particular. It affects our target audiences (staff, managers and IT professionals) differently so we explain the implications in practical terms, covering the essential elements that everyone should comprehend. You may have seen the recent news about the arrest of a network administrator in San Francisco. As reported, the accused (Terry Childs) was solely responsible for designing, operating and securing the city government’s network. He allegedly refused to disclose the network admin passwords at first, preventing others from managing the network in his absence...

SQL as an audit tool

Mike Blakley wrote a fine piece in EDPACS on using SQL queries to interrogate a database system for audit purposes. Abstract: "Organizations, both large and small, are increasingly reliant on database systems for their operational support needs. This is due to the adoption of accounting systems ranging from large enterprise resource planning systems, down to departmental or even desktop-based database systems. The traditional audit approach used to account for data stored in databases has relied on information technology or other support staff to extract data for audit, which was then tested by others, often technical specialists. An alternative approach, which also provides greater audit independence, is to increase the knowledge level and skills of audit staff so they can obtain this data directly and perform their audit tests independently. This article may have relevance to other IT system audits." In the same issue, Fred Cohen discusses the specification of control requi...

Are you using TPM yet?

Secure Computing Magazine explains what the Trusted Platform Module (TPM) is, and what it can be used for. It stops short of explaining how to use it but has links to other sites that do so. The TPM is a hardware crypto module on a chip, pre-installed by the manufacturers in ~100 million PCs. Being hardware based makes it more resistant to attacks than pure software based crypto systems - note 'more resistant to' not 'totally secure against'. I'm sure it's only a matter of time before some enterprising hacker hacks the TPM, perhaps using side channels (e.g. power consumption) or electron microscopy, attacks that have worked to some extent against smart cards. Meanwhile, TPM is considered stronger than normal software-based password vaults etc. Here's a list of the top 10 uses for TPM, extracted from the article: 1. Multi-factor authentication. 2. Strong login authentication. 3. Machine binding. 4. Digital signatures. 5. Password vaults. 6. File and fold...

New awareness module on infosec risk management

We've just released our latest security awareness module on "information security risk management". The title is deliberately a bit ambiguous - in fact it covers mostly risk management in an information security context, plus a bit of information security management and a sprinkling of IT operations for good measure. Identifying and managing information security risks is of course a key objective for information security managers. The module dispenses sage advice to managers and IT professionals on exactly what is involved in the infosec risk management process. For general employees, we emphasize the "What's in it for me?" aspect by drawing parallels between managing infosec risks at home and at work. You'll need to subscribe to NoticeBored to see the whole module in all its glory, and receive another one each month. We work this way to encourage customers to deliver rolling/continuous awareness programs. It seems to us a month is long enough to ...

Information cards

The Information Card Foundation is a trade body representing "a group of thoughtful designers, architects, and companies who want to make the digital world easier for you by building better products that help you get control of your personal information", and promoting the concept of "Information Cards". There are some big- and not-so-big-name backers. Billed as "the digital version of the cards in your wallet" and "the new way to control your personal data and identity on the web", Information Cards (also known as InfoCards or I-Cards) are stored in an identity selector ("selector" or "digital wallet") on your desktop, browser or mobile device. Websites that accept Information Cards access the stored card, retrieving user identity and authentication information automatically without the user having to log in in the conventional way. Other information such as your shipping address can also be retrieved automagically. So fa...

Password protected =/= Encrypted

At last! Indiana has seen the light! A new Indiana state law comes into effect on July 1st mandating disclosure of breaches involving loss or theft of laptops containing personal data, even if the data are 'protected by a simple password' (such as a normal Windows or Linux login password, presumably). "Public Law 136 (House Enrolled Act 1197) requires businesses to notify consumers when any of their personal information is contained on a laptop that has been lost or stolen unless that information is encrypted," Pierce said. Current law does not require consumers to be notified about a lost or stolen laptop if personal information about them on the laptop is protected by a simple password. The article goes on to explain that 'a simple password' can be compromised by brute force attack, which is often true but is not really the point. A hacker with unrestrained physical access to a laptop could remove the unencrypted hard drive, install it on another system ...

Lack of awareness in awareness

A survey by CompTIA on security for mobile IT devices reveals the continuing lamentable and rather puzzling lack of investment in security awareness: "Seventy-one per cent of respondents said their organizations allow mobile and remote employees to access data and networks, but only 39 per cent said their organizations have implemented security awareness training and education. Only 19 per cent said they intend to implement such training in 2008. The good news is that of the organizations that have implemented security awareness training for remote and mobile employees, 92 per cent of respondents said they believe the number of major security breaches has been reduced." So, security awareness works but few organizations are using it. More fool them! Jay Cline, writing in Computerworld , describes the top five mistakes of privacy awareness programs: 1. Doing separate training for privacy, security, records management and code of ethics. 2. Equating "campaign" wi...

Domain name owners being phished

ICANN's Security and Stability Committee has released a 12-page advisory on ' registrar impersonation phishing attacks ' - in other words, phishing attacks targeting domain name owners ("registrants" in ICANN-speak). Owners' contact details are usually published and can be interrogated for free through WHOIS. Putting the target person's contact details together with the fact that they have registered a domain name provides the phishing hook. Owners are invited to 'login and update their contact details', whereupon the phisher steals the login credentials and, presumably, manipulates the DNS entries for their own nefarious purposes.

The business case for security awareness

Today we've released an updated version of our business case for a security awareness program. I wrote the first complete version of this paper a few years ago, developing a set of ideas I'd had and written into budget applications and investment proposals over previous years. It gets updated every year or so to reflect the state of the art and remains one of the most popular white papers on our website. I'm currently working on an ENISA project developing advice for organizations on building the business case for security awareness. The project team members represent a variety of experiences and backgrounds so it will be fascinating to see how things work out. I'm sure the end result of our work will be a useful and worthwhile document but, as is so often the way with collaborative projects of this nature, a productive team gets even more value from the writing process - sharing thoughts and methods, discussing common issues, explaining things and illuminating the t...

Profile of an identity theft victim

According to the Beeb, the UK credit reporting agency Experian has analyzed its records to profile typical victims of identity theft. The results are thought provoking. "Company directors or those running their own businesses are most likely to be victims of identity theft, according to a report from Experian." Um. So company directors are unable to spot phishing and similar ID theft scams? I thought being in a responsible management position implied a level of intelligence, integrity and ability. Perhaps the phishers and other identity thieves are a step ahead after all. "The credit reference agency said 6,000 victims in the UK asked its staff for help last year, a 66% rise on 2006." Oh oh. Either ID theft has risen significantly, or Experian's marketing wizards have had an exceptional year. "The most likely victims were aged between 26 and 45, earned more than £50,000, rented their home and lived in London, Experian's analysis found." OK,...

New awareness module on phishing & identity theft

It's out! The latest NoticeBored awareness module on phishing and identity theft. It's no coincidence that this module follows last month's on IT fraud, integrity & trust. We try to link successive modules in some way for continuity, making the awareness program flow a little. It will be more of a challenge to link from phishing/ID theft to next month's module on information security and risk management, but we'll give it a go.

"Password protected" again

The BBC reported that over 38,000 patients' confidential health records have gone missing on a backup tape from an NHS Health Centre on the Isle of Wight. The tape was lost by a courier firm en route back to the centre after having been checked for integrity. Though the centre was clearly concerned about data integrity, confidentiality seems to have been further down their priority list: "The risk of the tape being misused is extremely small," the trust spokesman added. "The tape requires specialist computer equipment to run it and the data is password-protected. Highly advanced computer skills and/or access to a specialist programme only normally used by GPs and the data verification company are needed to make any sense of the information on the tape." The 'specialist computer equipment' is presumably some sort of tape drive. OK, so it's not the kind of thing that everyone has lying around in their bedroom but some do, and specialist data rec...

ISC2 blog launched

(ISC)2, the organization behind the SSCP, CISSP and CISSP-concentration certifications, has released a new blog aimed primarily at qualified information security professionals but also relevant to those just considering qualification and in fact anyone with an interest in information security. I'm delighted and humbled to have been invited to join the blogging panel alongside a range of well known and highly experienced colleagues. As the (ISC)2 blog develops, I expect I will be blogging less frequently here on the NoticeBored blog on topics that are not directly related to our current monthly awareness topic, moving those general interest posts over to the (ISC)2 blog ... so, if you want to continue seeing all these little pearls of wisdom plus others from the erudite (ISC)2 blogging panel, please subscribe to the (ISC)2 blog as well as this one. It's free, of course, and easy to track through blog aggregators such as Bloglines.

WE SCREAMED! BE AWEAR!

Most inbound 419 scams go directly to my spam box but every so often one escapes detection and lands up in my inbox. 99% of those get instantly deleted .... but oh I do enjoy the remaining 1%. Here's a classic example: ------------------------- Assistant Director in Charge Joseph Persichini, Jr J. EDGAR. HOOVER BUILDING WASHINGTON D.C 13/10/2007 http://www.fbi.gov ROBERT MUELLER EXECUTIVE DIRECTOR FBI FBI SEEKING TO WIRETAP INTERNET. ATTNETION THIS IS TO BRING TO YOUR NOTICE THAT WE THE FEDERAL BUREAU OF INVESTIGATION (FBI) HAVE BEEN CONTACTED BY THE OFFICE OF THE PRESIDENCY FEDERAL REPUBLIC OF NIGERIA TO COMMENCE WORK THROUGH OUR INTELLIGENCE MONITORING NETWORK TO MONITOR THE ON GOING TRANSACTION BETWEEN YOU AND THE (INTERNATIONAL CREDIT SETTLEMENT DEPARTMENT/KTT CENTRAL BANK OF NIGERIA.) WE HAVE BEEN INSTRUCTED TO MAKE SURE THAT THE OUT STANDING PART PAYMENT WHICH IS SET AND READY TO BE PAID TO ALL THE BENEFICIARIES AND INHERITORS IS MADE TO THEM COMP...

Compliance - a matter of managing risks

Today I've been browsing the good stuff going on over at Unified Compliance Project whose aim, as I understand it, is essentially to help organizations find and exploit alignments between various compliance requirements, eliminating duplication and hence reducing the total amount of compliance effort required. For example, implementing an ISO/IEC 27001-compliant Information Security Management System (ISMS) should simultaneously satisfy most if not all legal requirements for information privacy controls (with no additional effort), and should at least partially satisfy governance requirements arising from SOX, in addition to miscellaneous business benefits as a result of having a best practice ISMS. One of the issues I've been pondering relates to "mandatory" requirements and obligations such as those enshrined in laws, regulations and contractual terms. It seems to me that, despite initial impressions, compliance with "mandatory" requirements may not be...

Love hurts

A heart-wrenching story from New Zealand shows the human impact of a 419/advance fee fraud involving a dating site, a fraudster and a naive individual. Some if not most of the people who use online dating sites deliberately expose vulnerable parts of their personas as part of the deal. It's an inevitable part of the process of falling in love. But, as in Real Life, there are some who exploit such vulnerabilities to take advantage of the situation. A woman who initially claimed to be in South Africa struck up an online relationship with a kiwi man. Things developed, as they do, with the couple swapping little love notes online and through text messages. Flattered at the attention and besotted with the woman, the man agreed to send NZ$2k "towards her air fare", sending it to Kuala Lumpur where she was (allegedly) staying. It was OK, she assured him, because she was due US$30k from a company her father had worked for, but he and his wife had been "killed in a c...

Security awareness: how not to do it

I spent a few hours at the weekend viewing/listening to a series of presentations to accompany the launch of the Information Security Awareness Forum (ISAF) in London. If you have read the previous blog item, you'll know that one item in particular caught my eye/ear. One of the presenters essentially said that security awareness doesn't work, a somewhat curious perspective to express in support of a security awareness initiative. Anyway, it's not the first time I've heard the argument and I've been mulling it over ever since. My blood having dropped just below boiling point, it's time to respond. Today I took one of those "online security awareness" things, and came away with a whole case study on How NOT To Do security awareness. I shan't name the organization concerned because my aim is not to embarrass them in any way, and it really doesn't matter - I'm sure these lessons are equally valid for many other security awareness programs...