Raise your hand if you use the same password for more than one online account

Posted by William McBorrough | Users | Monday 24 May 2010 2:29 pm

I completed an Internet Forensics training course this past week where the instructor made that statement. Of the twenty students in the class, only the instructor raised his hand. To which he declared, “Anyone who didn’t raise their hand is a liar!!” He was probably right.

I often fault security professionals and educators who speak in absolutes when trying to increase security awareness. Human nature isn’t absolutist. Any security doctrine that doesn’t account for reasonable human behavior is doomed to failure. Never do this! Never do that! Never use the same password with more than one account! And be sure to change them periodically. Naturally they must be complex passwords including upper and lower case letters, numbers and special characters. Really?

It’s not unusual today for an average Internet user to have 10 or more online accounts. That would mean 10 complex, constantly changing passwords. That would also mean the user will write them all down in a place that is readily available. Oh, I forgot the “never write passwords down” mantra. Sigh.

I’ve taught courses where, as I went through my list of “never do’s”, I would watch students’ eyes move from the gleam of interest to dull hopelessness. “I could never do all THAT!”, someone would say. Another would chime in, “That’s why I don’t do online banking!”

Is having the same password for your Facebook and Twitter accounts the harbinger of doom? Probably not. Myspace and your online bank account? That’s an absolute NO NO.

How do we increase security awareness in average computer users thereby strengthening the “weakest link” in our security posture? We certainly can’t continue to do it by burying them in an avalanche of rules.

Facebook "Friend" Suspected in Burglary

Posted by William McBorrough | Social Networking, Users | Thursday 25 March 2010 1:34 pm

“I think the social networking sites are good to have,” she said. “You just have to be smart about it. Because just because you’re trustworthy and a nice person does not mean everyone on your is. So you can’t put your address — my address wasn’t even listed — or your phone number or that you’re home alone or going out of town.”

That’s a quote from a woman whose house was robbed by a “friend” after she updated her status indicating she was on her way to a concert. She appeared on the CBS Early Show this morning. The robber had contacted her six months earlier claiming to be a long-lost neighbor from 20 years ago. Fortunately for her, she had cameras installed at home and recorded the culprit in the act.

I can’t stress enough the importance of limiting the information you put out there. With friends like these, ….

Source: CBS NEWS

RSA 2010 Recap

Posted by William McBorrough | Applications, Network, Systems, Users | Friday 5 March 2010 1:44 pm

Today is the last day of RSA Conference 2010. If you didn’t make it, CSOonline.com has provided a recap of the highlights:

COVERAGE

RSA 2010: Infosec Pros Get Raises Despite Recession An (ISC)2 survey suggests salary increases and hiring went up for many security practitioners in the last year despite the Great Recession. Ironically, the recession may be WHY it’s happening.

RSA 2010: Why 41 Percent of You Would Fail a PCI Audit Miscellaneous news bytes from the 2010 press room: QSAs tell Ponemon Institute that 41 percent of companies would bomb their PCI security audit; hackers industrialize their sinister revolution and VeriSign opens a new compatibility lab.

RSA 2010: Can Adobe Stop the Hate? Security pros are unhappy with Adobe Systems over recent flaws and attacks. Adobe Security Chief Brad Arkin on what the company is doing about it.

RSA Conference 2010: 4 Survival Tips For the newcomer, the security conference can be overwhelming. Follow these four strategies to get the most from it.

Social Networking is Risky Business From Computerworld: A panel discusses the risks associated with social networking sites.

Chertoff: Tracking Attacks to the Source is Key for Cybersecurity From Computerworld: An exclusive interview with former DHS leader Michael Chertoff.

PODCASTS

RSA 2010: Microsoft’s Plan for Cloud Security Audio: Microsoft VP Jim Jones explains his company’s approach for securing its services in the cloud.

RSA 2010: Verizon Releases Its Threat Report Recipe Verizon Business will share the research framework used for its Data Breach Investigations Reports so companies can create reports tailored to their specific environments.

SECURITY B-SIDES COVERAGE

Security B-Sides: Perfect Authentication Remains Elusive Everyone realizes passwords have their shortcomings. But alternatives like two-factor authentication are not as powerful as one would expect. The problem? As always — human behavior.

One Man’s Life on the Security D-List At Security B-Sides, infosec author Andrew Hay explains the four pillars for moving from the bottom of the IT security shop to a place of respect, and why getting to the A-list isn’t all it’s cracked up to be.

Security B-Sides: Rise of the ‘Anti-conference’ The 2010 conference had some nearby competition. Here’s the story of Security B-Sides as the conference alternative.

Blippy, the Next Evolution of Stupid

Posted by William McBorrough | Social Networking | Sunday 28 February 2010 1:43 pm

At what point do we as a society realize this is getting out of hand? As more and more stories surface of Twitter accounts being hacked, accounts being sold on the cybercrime black market, Gmail accounts being compromised, etc, one would think sooner or later, folks would start getting the message that putting your private information online is not a good idea.

I just happened across Blippy, a Twitter-like site, where users can sign up to publish all their online purchases. I mean, really?? We already know that retailers track your purchases and use them for marketing purposes. Why in the world would you publish all your credit card transactions to the world??

I have a Twitter account (Follow me ;-)) that I use for one purpose: publishing my blog posts and other security related articles I come across on the web. That’s it! I doubt anyone cares to know what I do with my every waking moment nor do I care to tell.

Good luck though. Sigh.

How Steganography Can Be Used to Steal Your Financial Data

Posted by William McBorrough | Thoughts | Monday 22 February 2010 9:38 pm

Steganography is the means of “hiding” information within a larger file of data. It poses a risk to ecommerce security because it allows data or malicious programming instructions to be hidden in other media. In the former case, malicious insiders (employees, contractors, etc.) with access to customers’ financial data may improperly access that data and use steganography to forward it to their accomplices without being detected, since the carrier file looks like an ordinary image or audio attachment. In the latter case, attackers can embed malicious code in other files, such as images, audio and video files. These files can be sent to users as spam or made available via web sites and peer-to-peer networks in the guise of items that would attract the interest of web surfers. Note that a payload hidden this way does nothing on its own: it still needs a loader already running on the victim’s machine, or a bug in the viewer that parses the file, to be extracted and executed.

Digital steganography usually relies on dedicated tools, so organizations involved in ecommerce can reduce the risk of insiders using it to steal customer data by controlling the applications that can be installed on employee workstations. This is only a partial control: the simplest schemes (replacing the least significant bits of image or audio samples) can be written in a few lines of any scripting language. Network- and host-based intrusion detection systems can also be used to detect unusual behavior, such as an unexpected volume of image or audio uploads from a workstation that handles cardholder data. User education and awareness training can help make users more aware of the risk posed by downloading files from the Internet. Users can also be trained to verify the origin and authenticity of downloaded files against the publisher’s hashes or signatures before opening them.

If one suspects his/her financial information has been compromised by any means, including steganography, one should immediately communicate the fact to all affected financial institutions and close the affected accounts. Keeping an updated antivirus provides some level of protection; however, antivirus is ineffective against malware for which the vendor has not yet issued a signature. Often, it is nearly impossible to detect ecommerce-based attacks until after the fact. It is important to closely monitor your accounts for unusual activity to be able to respond as quickly as possible.
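
To make the threat and the checks above concrete, here is an added example (written for this page, not code from the original post or any steganography tool). It implements the simplest form of digital steganography, sequential replacement of the least significant bit of each 8-bit sample, recovers the hidden payload, shows that the hash check recommended above catches the modified file, and runs a pairs-of-values chi-square heuristic that flags this kind of embedding. The cover samples and the payload are constructed inline (the cover is synthetic, not a real image; the payload stands in for compressed or encrypted exfiltration data), and the function names are my own.

```python
# Added example: sequential LSB steganography, extraction, hash check and
# a chi-square detection heuristic. Cover and payload are constructed below.
import hashlib
import random

LENGTH_BITS = 32  # the payload is framed with a 32-bit big-endian length


def _bit_stream(data: bytes):
    """Yield the bits of `data`, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, payload: bytes) -> bytes:
    """Replace the least significant bit of successive cover samples with
    payload bits. `cover` stands for raw 8-bit samples, e.g. the pixel
    bytes of an uncompressed image or PCM audio. Only the LSB plane
    changes, so the media still looks and sounds the same."""
    framed = len(payload).to_bytes(LENGTH_BITS // 8, "big") + payload
    if len(framed) * 8 > len(cover):
        raise ValueError("cover has too few samples for this payload")
    stego = bytearray(cover)
    for i, bit in enumerate(_bit_stream(framed)):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract(stego: bytes) -> bytes:
    """Recover the framed payload from the LSB plane of `stego`."""
    def read_int(start: int, nbits: int) -> int:
        value = 0
        for sample in stego[start:start + nbits]:
            value = (value << 1) | (sample & 1)
        return value

    length = read_int(0, LENGTH_BITS)
    return bytes(read_int(LENGTH_BITS + 8 * i, 8) for i in range(length))


def lsb_pair_chi_square(samples: bytes) -> float:
    """Pairs-of-values chi-square statistic (Westfeld/Pfitzmann style).
    LSB replacement never moves a sample out of its pair (2k, 2k+1); with
    near-random payload bits it drives the two counts in each pair toward
    equality, so a LOW statistic indicates embedding. Untouched media
    usually keeps the pairs unequal and scores high."""
    counts = [0] * 256
    for s in samples:
        counts[s] += 1
    stat = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2
        if expected > 0:
            stat += (even - expected) ** 2 / expected
    return stat


def matches_published_hash(data: bytes, sha256_hex: str) -> bool:
    """The hash check the post recommends: any embedding changes the
    file's bytes, so a published SHA-256 no longer matches."""
    return hashlib.sha256(data).hexdigest() == sha256_hex


def demo() -> dict:
    rng = random.Random(2010)
    # Constructed payload: 2000 random bytes, standing in for encrypted data.
    payload = bytes(rng.randrange(256) for _ in range(2000))
    # Constructed cover: even sample values dominate (about 80/20), which
    # mimics the unequal value pairs seen in untouched media.
    n = (LENGTH_BITS // 8 + len(payload)) * 8
    cover = bytes((rng.randrange(256) & 0xFE) | (rng.random() < 0.2)
                  for _ in range(n))
    published_hash = hashlib.sha256(cover).hexdigest()
    stego = embed(cover, payload)
    return {
        "recovered": extract(stego) == payload,
        "hash_still_matches": matches_published_hash(stego, published_hash),
        "cover_stat": lsb_pair_chi_square(cover),
        "stego_stat": lsb_pair_chi_square(stego),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the payload coming back intact, the published hash failing on the modified file, and the chi-square statistic collapsing from the thousands to well under a hundred once the LSB plane has been overwritten. The heuristic is deliberately narrow: it catches naive sequential LSB replacement with near-random payload bits, which is exactly what a quick insider script produces, but tools that spread or match the embedding to the cover's statistics will not score this low. That is why the post's other controls (application control, monitoring of outbound file transfers, and hash or signature verification) still matter.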

2010 CWE/SANS Top 25 Most Dangerous Programming Errors

Posted by William McBorrough | News | Wednesday 17 February 2010 1:52 pm

The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.

The Top 25 list is a tool for education and to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped. Software customers can use the same list to help them to ask for more secure software. Researchers in software security can use the Top 25 to focus on a narrow but important subset of all known security weaknesses. Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software.

Find the full list and guidance on using it here.

Hacking the Soft Underbelly

Posted by William McBorrough | Users | Sunday 13 December 2009 12:09 pm

I often reiterate to my students that security is more about people and process than technology…despite what vendors try to tell you. Many organizations spend a lot of money on security appliances and neglect the soft underbelly of any security program: the USERS. I’m not talking about a lack of security policies. There are policies galore. These are usually on intranet sites that no one visits or on a shelf gathering dust.

This presentation by Johnny Long is a must-see for anyone interested in security. Hackers are very familiar with your soft underbelly. Are you?
