Posts

Showing posts from March, 2008

New module on IT audit

IT audit is probably not one of the first topics you'd think of when planning a security awareness program, but it does add value. The latest batch of awareness materials from NoticeBored explains what IT auditors do, what interests them and how they work. If your only experience of IT audit has been SOX (Sarbanes-Oxley) work, you have a lot to learn!

Desperate for data on 25m Brits FINAL UPDATE?

The BBC reports that a substantial reward is on offer for the return of two CD-ROMs that went missing in the post en route between two Government offices. They have searched numerous offices (including TNT, a well-known courier company) and at least one rubbish tip, and have completed some forensic analysis (presumably looking to see if individuals implicated in the incident might have something to hide), but these all came up blank. Having forlornly scaled down the search, a cash reward is now on offer and the British populace is warned to keep an eye out for identity theft or similar incidents. The report notes several other personal information breaches at the Department concerned, and low staff morale as a result of the latest one. Given the sorry history of incidents, heads should roll. If public servants cannot be trusted to protect sensitive information provided to them by the public they serve, the public have every right to withhold information - but the civil disruption ...

10,000 infected pages

McAfee has been warning about malware installed on 10,000 Web pages. The malware attempts to infect the systems of visitors to the sites by exploiting vulnerabilities in various common programs. This kind of attack is yet another good reason to ensure your antivirus software is always up to date (assuming I don't need to tell you to install and run AV software!), and to load security patches promptly for all of the software programs on your system. PSI from Secunia is a useful tool to track the release of patches: it keeps an eye on what's installed and what versions are current, alerting you when your system falls behind.

Signature based AV is dead. Long live sig AV!

A malware article in CSO Magazine points out the ultimate futility of signature-based antivirus detection and blacklisting mechanisms, given the escalating rate of release of new/variant malware and its inability to block data theft (which is what Data Leak Prevention is all about: personally, I never expected AV software to do this, so that is a rather curious point). The demise of signature-based AV detection has been predicted many times before, but it stubbornly remains a relatively effective and inexpensive control, on the whole. I'm worried about bespoke malware, custom-written to infiltrate specific target organizations, but there other techniques come into play, DLP and checksumming being two of them. So-called "heuristic scanning" has a bad press for generating too many false positives, but that's another piece of the defense-in-depth puzzle, along with prompt patching and (of course) security awareness. Malware that is avoided in the first place never needs to be detected.
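To make the contrast concrete, here is an added example (my own illustration, not code from the CSO article or any AV product) that runs a hash blacklist, which is the essence of signature-based detection, beside a checksum baseline of the kind mentioned above. The files, the "known worm" body and the directory layout are all constructed inside a temporary directory; nothing here represents real malware. The blacklist catches only the catalogued sample, while the baseline comparison flags a one-byte variant and a bespoke modification of a legitimate file, at the cost of not knowing whether any given change is malicious.

```python
"""Signature (blacklist) scanning beside checksum-based integrity checking.

Constructed scenario: a clean 'gold' directory is baselined, then three
infections land: a catalogued sample, a trivially repacked variant of it,
and a bespoke patch to an existing legitimate file.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def walk(root: Path):
    """Yield (relative posix path, Path) for every regular file under root."""
    for p in sorted(root.rglob("*")):
        if p.is_file():
            yield p.relative_to(root).as_posix(), p


def signature_scan(root: Path, blacklist: set) -> list:
    """Classic AV behaviour: flag only files whose hash is on the known-bad list."""
    return [rel for rel, p in walk(root) if sha256_file(p) in blacklist]


def build_baseline(root: Path) -> dict:
    """Checksum every file while the system is in a known-good state."""
    return {rel: sha256_file(p) for rel, p in walk(root)}


def integrity_check(root: Path, baseline: dict) -> dict:
    """Whitelist behaviour: report anything that differs from the baseline.

    It cannot say *what* the change is, only that something changed; the
    operator still has to triage 'added' and 'modified' entries.
    """
    current = build_baseline(root)
    common = current.keys() & baseline.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in common if current[k] != baseline[k]),
    }


def demo() -> dict:
    """Run both controls over the constructed scenario and return their findings."""
    known_bad = b"MZ constructed stand-in for a catalogued worm body"  # constructed, not real
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"legit app")
        (root / "bin" / "helper.dll").write_bytes(b"legit dll")
        baseline = build_baseline(root)          # taken while clean

        blacklist = {hashlib.sha256(known_bad).hexdigest()}  # the AV 'signature'

        # Three infections arrive after the baseline was recorded.
        (root / "bin" / "worm.exe").write_bytes(known_bad)              # catalogued sample
        (root / "bin" / "worm2.exe").write_bytes(known_bad + b"\x00")   # one-byte variant
        (root / "bin" / "helper.dll").write_bytes(b"legit dll/*bespoke patch*/")  # targeted

        sig_hits = signature_scan(root, blacklist)
        diff = integrity_check(root, baseline)
    return {"signature_hits": sig_hits, "integrity": diff}


if __name__ == "__main__":
    print(demo())
```

Running it shows the blacklist reporting only `bin/worm.exe`, while the baseline diff lists `bin/worm.exe` and `bin/worm2.exe` as added and `bin/helper.dll` as modified. In practice the baseline must itself be protected (signed, or kept off the monitored host) or the attacker simply rewrites it.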

CERT malware tips

CERT has re-issued a Cybertip on malware.

Addressing the growing botnet threat

A 20-minute CERT podcast on botnets gives an overview of the subject: sizeable networks of compromised computers, remotely controlled by hackers and used for stealing data, identity theft, hacking other systems and spamming. Hear how compromises occur, how botnets are used and controlled by the black hats, and how to secure your systems to avoid compromise and clean out bot infections. If you don't have audio facilities on your system, or simply prefer to read, a transcript is also available. CERT also has a small collection of information security-related podcasts. They are aimed at busy executives, with largely nontechnical content.

Spyware impacts productivity

A single spyware infection on a work computer can impact the productivity of the typical small business employee for two-and-a-half days, according to research commissioned by the Computing Technology Industry Association (CompTIA). A survey of employees at businesses with 10 to 200 computer users found that more than one in four computer users reported having their productivity impacted by a spyware infection during the past six months. Of these, more than one-third reported multiple spyware infections. Definitions of spyware vary, but the take-home message from this CompTIA study is simply that spyware is a widespread problem that impacts productivity.

Drive-by malware alert

McAfee is warning about malware installed on 10,000 Web pages. The malware attempts to infect the systems of visitors to the sites by exploiting vulnerabilities in various common programs. This kind of attack is yet another good reason to ensure your antivirus software is always up to date (assuming I don't need to tell you to install and run AV software!), and to load security patches promptly for all of the software programs on your system. PSI from Secunia (or NSI for corporates) is a useful tool to track the release of patches: it keeps an eye on what's installed and what versions are current, alerting you when new patches are released. PSI, the personal home-use version, is free and recommended.

Tamper resistant =/= Tamper proof

Ross Anderson's team at Cambridge University has demonstrated physical security vulnerabilities in two of the devices commonly used to validate chip-and-PIN cards in the UK. The vulnerabilities would enable an attacker with sufficient physical access to the devices, and some manual dexterity with a needle or bent paper clip, to hack them, exposing PIN codes. With PIN codes plus data from the magnetic stripes, card fraudsters could create fake cloned cards that work in non-chip-and-PIN validators (which are becoming uncommon in the UK now, but less so abroad), or in chip-and-PIN validators that fall back to the magstripe if the card's chip doesn't work. This ably demonstrates the difference between "tamper resistance" and "tamper proofing". The chip-and-PIN security mechanism, like many others, was designed to resist certain attacks, not to prevent them. Compromises inevitably had to be made during the chip-and-PIN design specification process for the sake of cost, usab...

Inept phisher award

I just thought I'd share this little gem with you. It's possibly the most inept phishing email I've seen. The phisher has evidently heard of "ISO 27001" certificates and either hasn't got a clue what that means, or figures most of his victims won't understand. I have removed the embedded URL for your safety. Who knows what kind of inept malware might be lurking there?

-----Original Message-----
From: Wachovia Connection banking Consumer support [mailto:techsupport@wachovia.com]
Sent: Thursday, 6 March 2008 11:14 p.m.
To: press@globalsecurityweek.com
Subject: Notice: : New Certificates 2008 wachovia.com

IMPORTANT SECURITY NOTICE

All Users - Must Accept New Digital Security Certificate 2008 (SecurityISO 27001 Certification Consulting)

Customers of numerous banks have been victims of ACH and wire transfer fraud in recent weeks, resulting in the origination of unauthorized ACH entries and wire transfers from customers' computer systems. Wachovia Enh...

Fraud Awareness Week

Government departments in Australia and New Zealand, in collaboration with some local banks and other firms, have launched Fraud Awareness Week 2008 with a website offering two quality posters (one, two), a plain leaflet and a tri-fold leaflet. Their simple message is "Fight the scammers. Don't respond." The current affairs program that follows the early evening news on NZ TV has run stories on a similar theme this week. The main website address is supposed to be www.SCAMwatch.govt.nz, although this currently redirects to www.consumeraffairs.govt.nz/scamwatch/fraud-awareness/FAW2008.html, which is ironic really, since misleading links and browser tricks are often part of the scammer's toolbox.