Posts

Showing posts from April, 2010

ISACA phish ... or is it?

Here's an extract from an email purporting to have come from ISACA: Problem viewing this email? Click here http://isaca.informz.net/z/cjUucD9taT03ODMzNDAmcD0xJnU9MTAyMDE2NDE5OCZsaT0zMDAxODgz/index.html for our online version. http://isaca.informz.net/isaca/data/images/isaca-header-01.jpg April 28, 2010 In This Issue: http://isaca.informz.net/isaca/data/images/bar-inthisissue.gif http://isaca.informz.net/isaca/data/images/bullet3.gif ISACA Database Change http://isaca.informz.net/isaca/data/images/bullet3.gif CRISC Grandfathering Program Now Open http://isaca.informz.net/isaca/data/images/bullet3.gif Top Eight Tips for Forensics http://isaca.informz.net/isaca/data/images/bullet3.gif New Blog to Debut on Revamped Web Site http://isaca.informz.net/isaca/data/images/bullet3.gif Read About the Latest Changes in Oracle E-Business and ERP http://isaca.informz.net/isaca/data/images/bullet3.gif Finding Career Variety and Stability Through Certification http://isaca.inform...

There must be 30 ways to steal your ID

[With a nod towards Paul Simon's fabulous song 50 ways to leave your lover ...] While researching identity theft for our latest security awareness module, I came across a list on one of the major websites of about 15 ways to steal someone's identity. With a bit of lateral thinking, it didn't take long to expand the list to 30 ways to steal and exploit an identity, and I'm sure I could have continued in the same vein - but instead I stopped at 30 and left it to our customers' employees to think up another 20 ways and maybe earn themselves a security awareness prize in the process. I realise some may feel it inappropriate to describe identity theft so openly. My argument is that people need to know what they are up against if they are to stand a chance of preventing it, and in particular resisting the plethora of social engineering attacks currently doing the rounds. The truth is that scammers, hackers and fraudsters have plenty of ways to find out how to commit identity...

This blog has moved

This blog is now located at http://blog.noticebored.com/. You will be automatically redirected in 30 seconds, or you may click here. For feed subscribers, please update your feed subscriptions to http://blog.noticebored.com/feeds/posts/default.

Australian govt security awareness criticized

A newly published report from the Australian National Audit Office into information security awareness and training for Australian government agencies is somewhat ambiguous in tone. The ANAO has previously recommended that agencies "develop and schedule periodic education and awareness programs for non-security personnel addressing agency security standards", "develop a structured and proactive security awareness education and training strategy" or "promote security aftercare arrangements in security education and training activities" - in other words, they have clearly been advised to sharpen up their act in this area. The latest report says: "Overall, the audit concluded that the security awareness and training arrangements at the audited organisations were generally adequate and operating as intended. Nevertheless, there is considerable scope to enhance the effectiveness of the organisations’ security awareness and training programs. The main a...

Webcam home security system

A burglar who stole stuff from an NZ home was snapped by the owner's webcam, which had been set to monitor the scene for movement. When triggered, the camera sent still images to the owner by email, alerting him to the burglary in progress. Unfortunately the police arrived just too late to nab the intruder, but his face is quite clearly recorded for posterity ... The news cutting says the owner used software called "Motion", possibly this package which is promoted on the strength of its use for home security monitoring - CCTV on the cheap.

DNSsec pros and cons

A somewhat self-contradictory piece in The Register regarding DNSsec was pointed out to me by a fellow CISSP. The way the Internet root DNS servers work is going to change soon - essentially after May 5th, they will only respond to DNS queries that have been digitally signed using the DNSsec protocol. Until then, I believe DNSsec is running on some of the root servers, allowing organizations to try out their software and get any wrinkles sorted out. Kevin Murphy, the Register's columnist, indicates that some ISPs or large organizations running old software without the facility for DNSsec may thereafter be unable to make DNS queries, which may be true but seems rather unlikely to be such a problem as he implies. As I understand it, DNSsec has been around for years, implying that ISPs etc. who have not updated their software probably have other more serious security problems. On top of that, end users (like me!) are not tied to their ISP's DNS offerings. Personally, I hav...