Posts

Showing posts from April, 2008

Computer-aided retail fraud

A 46-page academic paper by Richard Thompson Ainsworth of Boston University School of Law describes "zappers" - programs designed to divert some sales transactions from the normal sales processing and accounting systems. Fraudsters with sufficient access to an organization's sales systems (e.g. small business owners) sometimes use zappers either to misappropriate the entire sales income for the diverted sales (steal the entire value from the company - the sales don't go through the books) or to manipulate the value (for example to steal the VAT/GST/sales tax content). So-called "zap" and "super-zap" programs have existed for decades in the mainframe world. They allow intervention on databases, overriding normal access constraints to manipulate the data, and potentially programs, directly. They are supposed to be used only under carefully controlled emergency conditions, for instance to modify or delete a rogue data record that is somehow bloc...

New awareness module on trust, integrity & fraud

Trust is an important concept in security but few awareness programs give it the coverage it deserves. This month’s awareness module brings together trust, integrity, fraud in an IT context, and touches on closely related concepts such as honesty, governance and whistleblowing. Identity thefts, 419 scams, deliberate sabotage and fraud by trusted insiders (such as the recent incident at Société Générale Bank) and numerous other information security incidents provide no shortage of topical content for our 60th module. We’ve all had our share of disappointments and incidents in life due to misplaced trust in someone or something. Such painful experiences are all part of the rich experiential lessons from life’s School of Hard Knocks. With hindsight, things would have been different, we hope. On the upside of risk, we are sometimes pleasantly surprised when people and systems deliver on their promises, or even better exceed expectations. Such is the way in which trust is built up. Trust co...

IT Assurance Framework

IT Assurance Framework - a professional practices framework for IT assurance is a new product - a ~70-page PDF document - from ISACA. "ISACA has tapped its global network of leading IT governance, control, security, and assurance experts to develop a widely embraced framework to help ensure the quality, consistency, and reliability of IT assessments. ITAF also contains a helpful set of good practice-setting guidelines and procedures." The ITAF content is largely a repackaging of existing ISACA standards and guidelines in the areas of IT audit, assurance and governance. I'm pleased also to note that the ISO27k standards merit a mention. ITAF is free to ISACA members, $45 for infidels.

USB security risk self-assessment

City of London Police officers thinking of transferring information on USB memory sticks can self-assess the risks using a questionnaire. It's a simple idea really: a police officer's responses to a few questions determine the 'risk score' leading to approval (or rather a requirement to seek approval from the relevant level of management authority, and/or to use USB sticks with additional security controls) or disapproval of the use of a USB stick for the intended situation. Being self-assessment, the system depends on users answering appropriately and is open to deliberate abuse and inadvertent errors. However, this risk is offset to some extent by compliance procedures and structures in the police. Furthermore, it's better than nothing - without the system, police officers presumably make such decisions on a more arbitrary basis, assuming they even consider the security risks. The tool at least raises security awareness (assuming the tool is suitably promoted...

BT uses spyware to audit broadband use

BT has admitted to secretly using spyware to monitor the web surfing habits of tens of thousands of its British broadband customers. According to BT, this was merely a technical trial. Allegedly no personal data were collected since machines were identified "by anonymous code numbers" (presumably IP addresses - hardly anonymous) and content keywords were recorded, not website addresses (so what? It's still unethical and possibly illegal interception in my book).

April fools spotted in the wild

The US power grid is not changing to DC by 2020. We are not going to shift our watches a minute a day to avoid the problems caused by daylight savings time. Please send further fools-in-the-wild spottings to us. We'll probably mention information security and risk-related ones here.

Malware blamed for supermarket data breach

A supermarket security breach late last year/early this year compromised over 4 million credit/debit cards and led to thousands of fraudulent transactions. The breach has been blamed on malware on the store's servers. The fact that the store systems were PCI DSS compliant, apparently, doesn't exactly inspire confidence in the system of independent security audits, but on the other hand it's a reminder that malware is an omnipresent threat.