Posts

Showing posts from August, 2009

Cradle-to-grave security awareness

Today's release of Information Security 101 adds another valuable tool to the security awareness toolkit from IsecT Ltd. Information Security 101 was formerly known as the Induction Module and that remains its primary purpose: facilitating security induction courses for new employee orientation. It provides a coherent and comprehensive set of foundation level awareness materials covering the basics of information security, the kinds of things that all new employees (and indeed contractors, consultants and even temps) should soon become familiar with when they turn up for work. All the awareness materials from the original Induction Module have been thoroughly revised, updated and refreshed, with several brand new items being added. Information Security 101 still provides three parallel 'streams' of materials addressing three audience groups with subtly different awareness information needs and perspectives: General employees or staff have broad responsibilities for

Twitter admin email password reset incident

Last month a story broke about employees of the company behind Twitter being hacked. TechCrunch has published details of the incident, and the comments on their story identify some of the possible controls. In short:
- A Twitter employee uses Gmail
- Gmail has a password reset function that sends the user's password to a pre-registered email account
- The Twitter employee had originally configured Gmail to use a Hotmail email account for this
- The Hotmail account was unused for months and lapsed
- The hacker requested and obtained the same Hotmail email address [it looks like the hacker was able to guess the address, presumably it was a similar address to the Gmail account]
- The hacker told Gmail to reset and send him the Gmail account password via the Hotmail address that he now owns, which it did
- The hacker then logged on to the Twitter employee's Gmail account
- One of the emails he could now access was the original "Welcome to Gmail" type notice with the or

Digital Forensics Mag

A new magazine for fans of digital forensics will debut later this year, covering:
• Cyber terrorism
• Law
• Management issues
• Investigation technologies and procedures
• Tools and techniques
• Hardware, software and network forensics
• Mobile devices
• Training
• eDiscovery
• Book/product reviews
Meanwhile they are seeking input - perhaps we should recycle one of our recent security awareness deliverables ...

Office comms risks and controls

An article about responsible Twittering hints at a broader concern for all social media, and in fact all forms of communication between the office and the outside world. Examples in the article include people falsely claiming to represent their employers and disclosing sensitive information via Twitter, plus Twitter being used to direct potential victims to infectious sites hosting malware. People have done the same kinds of things for years using email, telephone, blogs, bulletin boards, IM, VoIP and so on - even letters in the post: the incidents are pretty similar though the communications media vary. This obviously raises questions about how to reduce the risks without unduly interfering with legitimate business communications. Technical controls offer limited assistance, e.g. blocking IM will block legitimate IM activities, and determined users can sometimes find ways around such blocks anyway. Automatically appended email disclaimers have dubious legal validity, particularly

Tax passwords are valuable!

The BBC reports that fraudsters are exploiting taxpayers' passwords to access an online Inland Revenue system in attempts to make fraudulent claims for tax refunds. They presumably obtain the passwords by stealing the notification letters from the post or carelessly discarded in rubbish bins, by tricking people out of them (perhaps by social engineering or phishing), or perhaps most worryingly for the tax authorities, hacking their lovely online and/or back-end IT systems. It's hard to imagine that taxpayers would deliberately discard letters with login credentials that might let them reclaim overpaid tax, but it's possible some do not even realise that they are able to do so. I doubt the tax man says this in big bold print! We know from studies by the Police and other dumpster divers that many people routinely discard all sorts of juicy documents without a care. Stealing mail from the postal system is certainly a possibility, although of course there are controls in place to

Office and email security awareness

We've released a thoroughly refreshed and updated awareness module on office security, covering physical and IT security in the workplace. It includes email security and security for other forms of office messaging and inter-personal communications such as IM and VoIP.