Security & privacy

Dark Reading – Host security – Social Engineering, the USB Way – Security

Here is an interesting variation on social engineering attacks, this one relying on our human nature to be attracted to free, interesting things…

Dark Reading – Host security – Social Engineering, the USB Way – Security

… We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.


The Eternal Value of Privacy

An important rant by Bruce Schneier from Wired:

Wired News: The Eternal Value of Privacy

The most common retort against privacy advocates — by those in favor of ID checks, cameras, databases, data mining and other wholesale surveillance measures — is this line: “If you aren’t doing anything wrong, what do you have to hide?”

Some clever answers: “If I’m not doing anything wrong, then you have no cause to watch me.” “Because the government gets to define what’s wrong, and they keep changing the definition.” “Because you might do something wrong with my information.” My problem with quips like these — as right as they are — is that they accept the premise that privacy is about hiding a wrong. It’s not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.


Security Absurdity; The Complete, Unquestionable, And Total Failure of Information Security.

An alarming article on the terrible state of information security systems.

Security Absurdity.com > Security Absurdity; The Complete, Unquestionable, And Total Failure of Information Security.

It is time to admit what many security professionals already know: We, as security professionals, are drastically failing ourselves, our community and the people we are meant to protect. Too many of our security layers of defense are broken. Security professionals are enjoying a surge in business and growing salaries and that is why we tolerate the dismal situation we are facing. Yet it is our mandate, first and foremost, to protect.

The ramifications of our failure are immense. The success of the Internet and the global economy relies on trust and security. Billions of dollars of ecommerce opportunities are being lost due to inadequate security. A recent survey of U.S. adults revealed that three times the number of respondents believed they were more likely to be victimized in an online attack than a physical crime. A recent Gartner survey indicated that 14% of those who had banked online had stopped because of security concerns, and 30% had altered their usage. People are simply losing trust in the Internet.

The security community is not just failing in one specific way, it is failing across multiple categories. It is being out-innovated.

It is losing the digital battle over cyberspace.


Password Security: What Users Know and What They Actually Do

An interesting study on creating passwords…

Password Security: What Users Know and What They Actually Do

This study investigated the common password generation practices of online users. Three hundred and fifteen undergraduate and graduate students completed a survey querying (1) the types and number of different password protected accounts maintained; (2) actual practices used in generating, storing and using passwords; (3) practices believed they should use in generating and storing passwords; and (4) general demographic information. Results indicate that, in general, users do not vary the complexity of passwords depending on the nature of the site (bank account vs. instant messenger) or change their passwords on any regular basis if it is not required by the site. Users report using lower case letters, numbers or digits, personally meaningful numbers and personally meaningful words when creating passwords, despite the fact that they realize that these methods may not be the most secure.


Proof: Employees don’t care about security

Here is an interesting story about user behavior when it comes to security. This was an experiment with a different kind of Trojan horse delivery.

Proof: Employees don’t care about security

An experiment carried out within London’s square mile has revealed that employees in some of the City’s best known financial services companies don’t care about basic security policy.
