
5:48 PM, Justin. Posted in: data breach, DLP, Law
I attended the AISA national seminar day earlier this week (which was a great day), and one of the panel discussions touched on whether there was a need for greater regulation or government intervention in IT Security. The prevailing view was that over-regulation would stifle innovation and government mandated minimum requirements would lead to businesses doing the bare minimum and no more.
I don't disagree with those points, but I do believe that Australia is still behind the US/Europe in understanding Information Risk in the boardroom, and one of the ways to make sure it gets on the radar and stays there is mandatory breach notification.
My view was somewhat echoed in a recent itnews story that made the good point that individual data breaches may be too small for authorities to really investigate, but the implementation of an IC3-style centralised reporting body could assist in aggregating many small breaches into a large one and show a pattern of behaviour or negligence by an organisation.
On a similar note I (re)discovered a link to a useful document that I had used in a Uni assignment last year that compares Data Breach Notification Laws around the world [pdf]. Although a little out of date (2009), it's still a great little summary.
On data breaches, there is of course Wikileaks. Wow. Infosec Island has a nice piece on how the forthcoming "megaleak" from a major US bank will be 'Enron-esque' in the fallout (if you haven't seen it, I recommend Enron: The Smartest Guys in the Room).
If it is as big as promised, it will be interesting to see the effect on corporate security (and is probably a great time to be a salesman with a good DLP solution...)

3:14 PM, Justin. Posted in: data breach, DLP, encryption
Oh dear. This is just depressing...
If the UK MoD can't get something this basic right, is there any hope for those of us tasked with educating uninterested corporate users?
The Toshiba Satellite A30 is an older laptop, so it was probably running XP rather than the BitLocker-capable Vista or Windows 7, but still.....
I hope the Taliban/Al Qaeda/Threat of the Month don't use eBay!

7:59 PM, Justin. Posted in: DLP, fashion, usb
A friend passed along a link to the must-have accessory for the aspiring data smuggler this year: USB Flashdrive cufflinks!
Of course hidden USB drives are nothing new: USB drive Barbie, a ChapStick, chewing gum or a cigarette lighter, right through to the 'hiding in plain sight' USB bowling ball drive!
I hope it holds more than 64MB! If they're all too big, you can go for a MicroSD card hidden inside a coin instead (just don't spend it by accident!).
The point of bringing up these amusing and imaginative storage devices is that it's trivially easy to transfer large quantities of data in a non-obvious fashion (well, except that bowling ball...). The best way to protect against them all is to put your defences on the data itself. If you allow the unfettered use of USB storage and are protecting confidential information that can be carried out the door, have some kind of host-based DLP strategy.
As for the USB cufflinks, I don't claim to know much about fashion, but they're ugly enough that a strictly enforced dress code might protect you...

11:43 AM, Justin. Posted in: DLP, passwords, phishing
By now it's a safe bet anyone working in the security space has heard about the leaked passwords from Hotmail, Yahoo and Gmail.
The most interesting thing so far to come out of the leak is the results of an analysis of the passwords exposed. The results are an interesting mix and shed some light on how the message about using strong passwords is being received out there in user-land.
The most common password found was '123456', with '123456789' coming in second. It's enough to keep a security guy up at night!
Amazingly, 'password' didn't make the top 20 list, but despite the average password length being 8 characters, 42% of all the passwords listed were lower case only, and only 36% were what we commonly consider 'strong' passwords (in complexity if not length). This shows the message is not being heard.
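The kind of categorisation behind those figures (most common entries, average length, share that is lower-case only, share meeting a complexity rule) is a few lines of code once you have the list. The script below is an added example and is not code from the original post or from the analysis it cites. The password list and the common-password set in it are constructed for illustration, and the 'strong' rule (at least 8 characters and at least 3 of the 4 character classes) is an assumption, not necessarily the criterion the cited analysis used.

```python
"""Categorise a password list the way a leaked-dump analysis does.

Added example, not from the original post or the cited analysis.
Assumptions: the sample list and common-password set are constructed,
and 'strong' means 8+ characters mixing 3+ character classes.
"""
import re
from collections import Counter

# Constructed sample standing in for a leaked dump (not real data).
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "123456",
    "123456789", "123456789", "123456789",
    "password1", "password1",
    "Password1",
    "qwerty", "letmein", "sunshine", "iloveyou",
    "Tr0ub4dor&3", "c0rrect-H0rse", "S3cur!ty",
    "abc123", "monkey12", "hotmail2009",
]

# Tiny stand-in for a real common-password list (constructed).
COMMON_PASSWORDS = {
    "123456", "123456789", "password", "password1", "qwerty",
    "letmein", "iloveyou", "monkey", "abc123",
}

CHAR_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def char_classes(password):
    """Set of character classes present in the password."""
    return {name for name, rx in CHAR_CLASSES.items() if rx.search(password)}


def complexity(password):
    """Label by the classes mixed: numeric, lower, alpha (letters only,
    any case mix other than pure lower), alphanumeric or mixed (symbols)."""
    classes = char_classes(password)
    if not classes:
        return "empty"
    if classes == {"digit"}:
        return "numeric"
    if classes == {"lower"}:
        return "lower"
    if classes <= {"lower", "upper"}:
        return "alpha"
    if "symbol" not in classes:
        return "alphanumeric"
    return "mixed"


def is_strong(password, min_length=8, min_classes=3):
    """Assumed 'strong' rule: long enough and mixing enough classes."""
    return len(password) >= min_length and len(char_classes(password)) >= min_classes


def analyse(passwords, common=COMMON_PASSWORDS, top=5):
    """Aggregate statistics over a password list (percentages to 0.1)."""
    n = len(passwords)
    counts = Counter(passwords)
    by_complexity = Counter(complexity(p) for p in passwords)

    def pct(k):
        return round(100.0 * k / n, 1)

    return {
        "total": n,
        "most_common": counts.most_common(top),
        "avg_length": sum(len(p) for p in passwords) / n,
        "lower_only_pct": pct(by_complexity["lower"]),
        "numeric_only_pct": pct(by_complexity["numeric"]),
        "strong_pct": pct(sum(1 for p in passwords if is_strong(p))),
        "in_common_list_pct": pct(sum(1 for p in passwords if p in common)),
        "by_complexity": dict(by_complexity),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_PASSWORDS).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports '123456' as the most common entry, 20% lower-case only, 35% digits only and 20% 'strong', with 65% of entries appearing in the (equally constructed) common-password set. The last figure is the one worth watching in an enterprise: a complexity rule that lets 'Password1' through does nothing against a dictionary of the passwords people actually pick.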
Why is this a concern to the security guy in the enterprise? The same users are sitting in the office, and these results show that the password message is not getting through. Not to mention employees with good intentions emailing work documents to themselves @hotmail so they can diligently work on them at home, using that same Hotmail address with the '123456' password....
The good news (comparatively!) is that the passwords were not gathered through a flaw in the security of these industry heavyweights, but via phishing attacks against the users themselves.
The problem, though, is that even when users are diligent and use more complex passwords, those same users get suckered by phishing attacks. Even the head of the FBI was banned from online banking by his wife after almost falling victim to a phishing email.
A senior security engineer from nCircle recently presented at SecTor the results of a survey of both technical and non-technical users. It showed that while 83% of users checked for the magic padlock in the browser when entering their credit card details, a dismal 41% checked for the same padlock when entering a password. And that's before considering that the padlock can be easily faked.
Unsurprisingly, almost 50% of users also clicked through security warnings without paying attention to them. Here we're paying the price for training end users to 'just click OK' through countless exposures to buggy software.
People can't be relied upon to pick strong passwords or to read security warnings. Security guru Bruce Schneier wrote about this back in 2006, when 100,000 MySpace accounts were exposed through a phishing attack. That wonderful password '123456' made the top 20 back then too, but the best performer was 'password1'.
Bruce comments that "We used to quip that 'password' is the most common password. Now it's 'password1.' Who said users haven't learned anything about security?"
He's completely correct, and in fact I'd hazard a guess that they've continued to learn and the most common password these days (where complexity rules are applied) is 'Password1'.
What's the answer? Nothing simple comes to mind, but clearly our education of users isn't working today; we need to do better.
And finally, a more humorous look at choosing a password...

11:02 AM, Justin. Posted in: DLP, suicide bomber, terrorism
The Register is reporting on a recent suicide bombing attempt on a Saudi Prince, where the would-be assassin apparently concealed an explosive device in his *ahem* rear end, which he then detonated upon meeting the Prince, resulting in more mess than injury (to the Prince, anyway!)
I can remember flying out of Sydney not long after the infamous 'Shoe bomber' had been caught trying to destroy an airliner mid-flight. This was not long after the September 11 attacks and the already heightened airport security in place went into a new gear with the revelation that the humble shoe could be a new weapon.
I was pulled aside while going through a security check and asked to remove my shoes, which were then prodded, poked and flexed by a stern looking security guard before they were returned. No real inconvenience.
After reading the Register's article, I did give out a sigh of relief that Richard Reid hadn't tried to blow up that plane with explosives hidden elsewhere, otherwise those airport security checks could be even more painful!
What does the above have to do with information security? Not much, aside from raising awareness of the lengths to which people will go to accomplish their goals. For insiders intent on stealing data, even the most stringent security checks, which may include inspecting laptops, cameras, thumb drives and iPods, would more than likely fail to find storage hidden in a pen, sunglasses, jewellery or coins.