Jan
When in doubt, stop digging?
by mwapemble in Matthew's Musings
Mistakes happen. It is one of the things that people need to accept if they are dealing with incident response. Not only is there not always an attacker, there quite often isn’t somebody who can be rationally blamed. Anyway …
Yesterday I got an email regarding a “Contract Vacancy”. This is not uncommon – we do work as contractors as well as taking on specific assignments for clients. But, generally, it isn’t enough to attract immediate attention. Except, this time, we got a Microsoft Outlook generated “Recall Notice”. This is enough to drag your average security person straight there to ask what was wrong. This time it was fairly obvious – the entire list of recipients was in the “To:” field and therefore readily available.
There are a few, some quite subtle, messages to be taken from this, and the saga did continue:
Jan
Odd Information Security Requirements
by mwapemble in Matthew's Musings
While we generally fill our days looking at the security of people’s office networks, online services and mobile working, we are also sometimes asked to look at more unusual “business” scenarios. Just what sort of information security controls would you expect to see in a tank? Army, that is, not petrol. Or in a surgical theatre?
Jan
Missing some of the Internet today?
by mwapemble in Matthew's Musings
Depending on what internet sites you usually visit, you may notice that there is a little bit less content up than normal. Sites as significant as the English wikipedia and BoingBoing are blank and even the Google.com homepage is carrying a link. What’s up?
Jan
A couple of little things
by mwapemble in Matthew's Musings
Twitter followers?
Unlike Wendy, I don’t actively use twitter, but I do have a twitter account. Recently, I’ve started seeing follower requests coming in. Given that there is even less content on there than there has been, recently, on this blog, it is clearly not a legitimate request. So, what’s up?
Well, here we go:
Aug
And, this time, a postal scam
by mwapemble in Matthew's Musings
So, just before my recent trip to London, Idrach got a letter. Well, a form.
Here’s the top:
Now, being well aware of these sorts of scams, it was put on the desk to be blogged about when I got back!
So, now, you can check their website – it certainly doesn’t appear to be effective competition for any of the online local business directories – Thomson, Yell or one of the more recent web-only ones. And, as ever with frauds, the catch is expensive:
Right, so that’s three editions at just under €1000, ex VAT. Or, all in, somewhat north of £3100. For 3 CDs and an online listing. Clearly, another offer too good to miss.
Of course, if I was behind this fraud, I’d be a really sneaky person and put a simple error into the “current company information” section. That should be enough to significantly increase the response rate.
Aug
“Protect Yourself”
by mwapemble in Matthew's Musings
I have just been invited to “Protect Idrach Ltd in the New .XXX Domain”. Of course, this is by buying the .xxx domain extension for all of the domains we control (we hold a reasonable number of these on behalf of friends and family).
I don’t like scare sales and have no real interest in hosting porn sites. So, and especially at nearly £80 per year, over 15 times as much as a .co.uk domain, I don’t think we’ll be playing.
Interestingly, with my normal registrar, the most expensive domain is the United Arab Emirates, at some £140 per year.
May
IS2 Errata
by mwapemble in Matthew's Musings
For those of you who were at my IS2 talk in Prague, here is the, somewhat vital, image that was missing from the printed papers:
Apr
Your Reputation is your Business
by wfgoucher in Wendy's Thoughts
I love mixing with the owners and managers of small businesses and charities. Generally they know and love their business, in many cases they are passionate about it. On a good day it can be like rolling in buttercups on a warm sunny day, energising and refreshing (depending where the buttercups are of course).
In the last 5 years that I have been moving in these sorts of networking circles there has been a growth in the use of social media to advertise and to grow a relationship with their customers. I think this is wonderful because it gives power and a means of communication back to the people with the vision and drive in the business. However, the great thing about social media is that it is easy to use, so easy in fact that many drift into use with little or no understanding of the risk to that most precious part of their business: their reputation and the quality of their customer relations.
These risks include:
- A rogue complainant, whether customer or ex staff member, can make a lot of noise on a work Facebook site or on Twitter.
- The importance of keeping a clear profile, appropriate to the business image.
- That people can talk about a business on other parts of the internet, how can a hard pressed SME owner keep up?
- That all this is manageable by non-technical business users if they know what to do.
All of these attack the Achilles heel of the small and medium business: their reputation. Yes, I know reputation is important to all businesses; look how quickly multinationals drop the endorsement of ‘shamed’ celebrities such as Tiger Woods when they do something the public is perceived to disapprove of. They do that because they don’t want the company image and reputation to be spoilt by the association. And, frankly, if they can afford to pay Tiger Woods’ fee they could afford a good marketing budget to overcome any negative fall-out.
Smaller businesses don’t have that luxury.
I am, therefore, very sad that, having put together an event which covers risks to reputation and how to handle any incidents, and which uses a workshop format so there is a lot of discussion and debate, this workshop is not attracting people.
Yes, I am sad because it was a bit of business for me; but more than that I am concerned about all those friends and fellow networkers in central Scotland who are taking huge risks that might endanger the business that they so want to succeed.
Just half a day of learning and networking in Glasgow could save that organisation that you are so passionate about. Is that really too much?
The workshop is scheduled for the morning of 20th April at Touchbase’s office 43, Middlesex Street, Glasgow.
Book Now at www.rudesocialmedia.co.uk
Mar
Brief musings on trust
by mwapemble in Matthew's Musings
I was on a customer site this week, helping them with the security model for a product in development, and there were a couple of little things that caught my attention concerning the tricky subject of “trust”.
- It was a late notice contract so there was a bureaucratic problem getting confirmation of my security clearance. Quite correctly, I was an “escorted visitor”. At the same time, of course, I was providing them with security advice on the product (as I was being paid to do.) If I wasn’t trusted to let myself in to or out of the office (which was a slight problem as the loos were 4 security doors away from my work space …) why was I trusted to provide reliable security advice?
- After I did get my badge, I was heading for the coffee machine (a mere 1 security door away) and was treated to an amusing vignette. A gentleman was escorted in by security to collect the sensitive material for shredding. This is a man who is going to walk out of the building carrying a sack of material that has been carefully sorted to only include the sensitive stuff (the rest goes for recycling). Yet, like me, he isn’t trusted to let himself in or out.
Okay – all the customer was doing was correctly applying HMG security rules, as they are required to do (and, in the case of the shredding, it may have been simply less trouble to escort him than to issue a badge and access token). But it does show, quite clearly and not in a technical context, that the issue of trust in information security is quite a hard one.
It actually becomes much harder when you try to use computers to enforce it – especially as the rigid rules necessary confront human frailty (have you ever looked at people’s ID card pictures? Imagine if a computer was using facial recognition!) Lost passwords, access cards in the other jacket pocket (or left behind on your desk when you nip out for a sandwich / cigarette / toilet break) – these all become the classic routes that “social engineers” use to bypass security.
This coincided with me first hearing about the “claims based access” model in Microsoft’s new version of SharePoint. Rather than setting up roles and allocating users to one or more of these, you set up rules (such as “has been with the company for over 1 year”) and these can control access. If, of course, you have an appropriate identity provider which has access to the necessary data. Quite an interesting development – but concerning from the point of view that you need to be exposing personal and potentially sensitive data to the identity provider to make best use of it – HR data, specifically. Your LDAP database(s) have just become a much more interesting target for an attacker.
Jan
Old dog (Facebook) has forgotten its new security tricks –
by wfgoucher in Wendy's Thoughts
Facebook has spent the last year trying to convince the world that they have seen the light and are now keeping security as a key focus. For a while we began to believe them, and then they go and do it again. They have dreamt up yet another ‘great new gimmick’ that appears to make the users’ ‘experience’ on the internet better and more personalised.
But the key word is ‘personalised’. Remember that word because it is a word that is the alert signal for new applications. Think about it, to get something personalised you have to give the facilitator your name. That is not a problem if the jewellery shop is engraving “to Catherine, love from William”, but internet applications want a lot more information than that; your age, your likes, your address and as much as they can get about your friends too.
If this is not the sort of information that you want everyone at the application developers – and everyone they sell your details to – to know, then it is time to change settings again!
The application is called “Instant Personalization”.
As is FB tradition, it is automatically set to ‘enable’.
To fix:
Go to Account>Privacy Settings>Apps & Websites>Instant Personalization>edit settings & uncheck “Enable”.