Monday, March 23, 2009

Scareware

My mother-in-law runs a small craft shop (with lovely craft products, sold very cheaply and with good friendly advice ;) and her business relies a lot on the Internet. Queries come in via email, she has an online store and a website.

Yesterday she got sent an email telling her that due to some unsavory use of the Internet, she would be disconnected. The email had an attachment which was (pretending to be) some sort of log of her activities.

Now, the more savvy of us may think - scam. But she is not "the more savvy of us" and this email freaked her out. She imagined her Internet presence being shut down. And, of course, she was always careful about her browsing.

Fortunately for her, her ISP's antivirus recognised the attachment as being a trojan and deleted it. But she may have been stressed into opening the attachment to see what the accusations were.

I have written this post to tell people about this type of trickery and to just remind those out there that are maybe not so Internet savvy - NEVER open attachments that you are not expecting. If you are concerned about your Internet connectivity being taken away then contact your ISP directly.

And always have an up-to-date antivirus.

The Victorian Police Have Issues (Ironic Post)

[The irony in this article is so lovely, it has to be shared]

The Age newspaper reports that a leaked memo from inside the Victorian Police (Australia) department says that their IT systems are risky.

The article lists a whole bunch of "Availability" risks such as backups failing and the like. It doesn't really go into details about how information security can be compromised although it does list the kind of information that the police have on hand which is very confidential.

The wonderful part is that the article says: 'A police spokeswoman said the force believed its IT applications were secure and there was a "full back-up regime across all our services as well as disaster recovery for core applications".'

My question is ... if the Victorian Police are secure, as they claim to be, how did a highly confidential memo with the ability to cause massive amounts of embarrassment to the department get leaked to the press?

Friday, March 20, 2009

More Fame... Where is the Fortune?!

[The Highly Esteemed Author Presents At ITWeb Conference]

I applied and my presentation was accepted to be presented at the ITWeb Security Conference.

If you have read my Blog posts then there will be very little new information in the presentation. However, I do tie my thoughts together in one big "this is where you should be going" session. It will be on the management track so I should be expecting some high level thinkers and, yes, the presentation is very high level.

Even though I am now involved, I highly recommend this conference for all who can make it. I missed out in 2007, but both times that I attended (2006, 2008) I certainly came out with some mind-blowing insights.

I also highly recommend that management don't have the mindset: "we need to think about this security stuff" and then send their IT Guy but rather that they make the effort to send someone who can make business decisions. Even better - send both. That is why there is a management stream and a technical stream.

The reason I promote this event (and I really don't get commission) is that it is the only major event in South Africa with an Information Security focus. I believe that management at any company should make an effort to stay in touch with what is happening in Information Security.

Unless you don't use information or none of your information is private.

Monday, March 9, 2009

Fame! I'm gonna live forever!

[The esteemed writer of Security Thoughts Gets a Mention in Two of His Favourite Blogs]

Yes, not only did I get a mention on The Hoff's Rational Survivability.

But I also got a mention on Securosis.

Life is good.

[OT] So, you think YOU have problems?

[A bit of background info for our International readers..I think we have more than 1..]

Schabir Shaik was a prisoner. He was arrested for (allegedly) bribing the President of South Africa's biggest political party - the ANC.

It seemed as though he believed that he would escape arrest but after appealing all the way through the justice system he ended up with a 15 year sentence.

From the start things didn't seem kosher. Complaining of a heart problem, he spent more time in hospital than actually in jail.

Eventually, after 2 years of being incarcerated, he was released. The reason given is that he was in the last stages of a terminal illness. There is a law that allows terminally ill patients out of jail to spend their last days at home.

Huge questions are being asked about this particular case considering his connections with the leaders of South Africa, his huge wealth and his legally proven happiness to use that wealth to grease palms.

[South African readers can start here]
So, basically, the only way, really, that Shaik can prove that he is innocent of these new suspicions is to die. And you think that you have issues. :)

Tuesday, March 3, 2009

Pepsi is not desperate.

[The other side to my prediction. Why I still believe it will happen but why it hasn't happened just yet.]

As per usual, the Securosis guys are smack bang on the pulse and deliver some interesting reading.

The take-away quote from the article is this:

"[J]ust because the employee walked out with the information does not necessarily mean that the company suffered a loss. That data has to be used in some manner that affects the value of the company, or results in lost sales."

The Securosis blog entry links to an article about a Coke employee trying to sell Intellectual Property (IP) to Pepsi. Pepsi said "no thanks" and helped Coke, who tipped off the FBI, who made 3 arrests.

My feeling is that cyber criminals (hackers) are getting desperate. The average price of a credit card on the black market has dropped to the point where it is not worthwhile trading in credit cards anymore. The new currency will be intellectual property. The problem with IP as opposed to credit card data is that credit cards are easy - there are any number of buyers and the consequences are still not too harsh.

Intellectual Property really would only benefit the competitors of a company so there are not so many buyers for the information. And that company would need to act on the information that they get, otherwise it is not worthwhile.

The Coke/Pepsi example is not very technical - it sounds like the employee stuffed files in her bag but it is still a breach. The thing is that there are few companies that would benefit from Coke's private documents. There are fewer that would take the risk in acting on stolen information. Pepsi was not interested in taking the chance.

I think that my prediction still stands but it requires a desperate employee who has access to valuable information. And a desperate competitor that will use the information offered to them. There will probably be a middle-man orchestrating the transaction. Big money will be paid out for the information and the original company will suffer in some way - market share, share price, loss of tender, etc.

I don't think it will be widespread, but it may get ISOs around the world thinking "that could be my CEO with egg on his face apologizing to shareholders about losing IP".