If It is Too Good To Be True, It Probably Is – Cross Post

Leave a comment

(Originally Posted on Information Security Buzz on 15 January 2014)

There are plenty of tips on the internet that give great advice on how to avoid phishing scams, and there will be other authors on this site that will be giving very similar advice. For me though, it always comes down to the following three thoughts that I keep in mind whenever I see an email that could possible lead to a scam.

1. Is it too good to be true?

Infosecurity-Buzz-January-2014.002.jpg.001-300x168If the email in question is offering me something for nothing, especially if there is money, or a monetary value involved, this type of email falls into the “too good to be true” category. I have yet to come across an example of when someone really was giving away iPad’s, cash or holidays without some kind of quid pro quo involved. If your answer to the above question even looks like it might be a “yes”, the email and its contents can probably be ignored.

2. Don’t Click it!

Infosecurity-Buzz-January-2014.002.jpg.002-300x168I have borrowed this particular phrase from Jaded Security who coined it a few years ago, and I like it because to be honest it is simple and memorable advice. There are nuances to this of course, but unless you are experienced just don’t click links in your email (see number three). As you get used to looking out for this kind of email there will of course be other telltales that will help you know if an email is genuine or not. For instance, is the email from a close friend, but they haven’t addressed you by your nickname, and seem to be oddly formal, or have more spelling mistakes (or even not enough) in their message? It could be that they have been compromised and you are in their address book and therefore being targeted.

Some people regularly send links in emails, others almost never; if that’s the case, ask yourself why they have suddenly started today seining you a link to a sneezing panda clip.

Finally, if your bank sends you a link to change your password because of system upgrades, don’t click the link they send, but go to your usual bookmark for them. Your bank should never do this anyway, but clicking on a link in an email like this is almost guaranteed to not send you to your bank, but a very convincing fake site set up to harvest your usernames and passwords. Just don’t click it.

3. Fail Safe

Infosecurity-Buzz-January-2014.002.jpg.003-300x168It is always better to mistake a genuine email for a scam rather than the other way around. The consequences of clicking something are very serious whereas the consequences of not clicking on the attached link are rarely, if ever, serious. Additionally, if it is a genuine request, the sender is likely to send a reminder or contact you through another medium such as SMS, letter or telephone. Of course there are plenty of scams through these mediums too (another topic perhaps?), but you will have the balance of probabilities on your side, and the knowledge you haven’t done anything stupid.

A late start back to 2014

Leave a comment

YEAR+IN+REVIEW1This time last year I posted a WordPress summary of my blog and stated I was going to focus on “growth” for 2013. Fortunately WordPress sent the same summary as last year and so I am very pleased to say that I have achieved that, certainly in regards to posts, content and followers.

It was a hugely busy year as regards me and this growth, with just some of the highlights including;

* Establishing Host Unknown alongside Andrew Agnes and Javvad Malik, and making a start in showing that security education really doesn’t have to be dull.
* The opportunity to be a mentor to Gavin Holt for the Rookie track at BSides. Gavin is an extremely talented and intelligent InfoSec professional and I was thrilled to have been able to help him present.
* The inaugral RANT conference and being able to play a part in the day for the lovely people at Acumin.
* Presenting at RSA Europe again.
* Getting involved with The Analogies Project, curated by the very talented Bruce Hallas,  in addition to being asked to be a regular contributor to the Iron Mountain Information Advantage blog.
* Winning Best Personal Security Blog at the inaugral European Security Bloggers Awards.

Combine the above (just the tip of the iceberg) with a dramatic increase in followers of the blog and of Twitter and an increase in the number of requests to present I am extremely pleased with 2013.

The word for 2014 therefore is “maintain”. Much as I would like to grow last years levels of activity it did cut into my day job quite considerably so I need to be a little more selective in my activities. That said, I have already presented at Securi-Tay3 in Dundee and have another one for the 451 Group in a few weeks. I will post something about Securi-Tay3 in a few days time when the videos have been published.

There are so many people to thank for the success of 2013, some of whom are mentioned above, but there are many others out there to whom I thank; I have very much been fortunate enough to stand on the shoulders of giants, allowing me to grow as a professional in the infosec field.

(View the full WordPress blog report here)

Moving forwards I have plenty of thoughts for content for this blog over the coming months so stay tuned for more details, and thank you for following me in 2013!

Really Silly Attitude? Ropey Sales Approach?

Leave a comment

cashRSA has had a tough few years; the subject of a high profile phishing attack in March 2011 resulting in the loss of information related to their SecureID product. They denied it was an issue until three months later when information gained from that attack was used against other companies, including Lockheed Martin, and had to subsequently replace a large number of the tokens.

In September this year they recommended that customers of their BSafe product should stop using the built in, default, encryption algorithm because it contained a weakness that the NSA could exploit using a backdoor and therefore would be vulnerable to interception and reading. How very open and forthright of RSA I thought at the time. Despite the potential damage they may be doing to their brand by giving this information freely out, they are doing so in their customers interests and at the same time offering secure alternatives. It reminded me of the early nineties and the pushback against the Clipper chip, with RSA at the forefront protecting client interests and pushing back against the spooks of the three letter agencies of the USA. Here is what D. James Bidzos said at the time:

“We have the system that they’re most afraid of,” Bidzos says. “If the U.S. adopted RSA as a standard, you would have a truly international, interoperable, unbreakable, easy-to-use encryption technology. And all those things together are so synergistically theatening to the N.S.A.’s interests that it’s driving them into a frenzy.

Powerful stuff. The newly formed Electronic Frontiers Foundation would have been proud.

 Now this is where it gets interesting and has raised the shackles of many in the Twittersphere and internet echo chambers. A few days ago it was revealed that the real reason for RSA to have used a flawed products for so many years was because the NSA paid them to. It wasn’t a huge amount of money although it possibly helped save the division that runs BSafe in RSA that was struggling at the time.

Businesses change. Leadership changes. Market forces steer a company in different direction to one a degree or another. To my mind though, to deliberately weaken your own product for financial gain is extraordinarily unwise. By taking the money, RSA have declared that profit is above patriotism, whatever your view of patriotism is. If they took no money at all, there would be a good defence that the decision was taken in the national interest and to work harmoniously with the governmental agencies that protect the USA from danger. Unfortunately organisations that have relied on RSA’s products to secure their data have been let down simply to make a fast buck,

In October this year Art Coviello spoke about “Anonymity being the enemy of Security” at his Keynote at RSA Europe. That statement takes on a very different viewpoint now.

The response has been fairly unanimous, but here is one that got me thinking about my relationship with RSA:

Mikko RSA

I personally wouldn’t go this far as I go to network with friends, peers and colleagues, as well as listen to folks from the industry talk and present; I don’t necessarily go to listen to RSA as such. However this kind of reaction is going to have an impact on RSA that is likely to be felt for a number of years to come. Most security people I know are somewhat distrusting in the first place (hence why they are in security very often!). To have these revelations is going to have an impact both in their mainstream business as well as their conference business, so often seen as the gold standard of conferences globally.

If the last few years were tough for RSA, what is the next few years going to be like for a giant in our industry?

A fun filled week, moderating, presenting, acting.

1 Comment

leader-summit-headerLast week was a very busy week for me in the information security arena, which given not that long ago I said I was winding down for the end of the year into Christmas was a little surprising.

On Tuesday I was asked, somewhat last minute, to moderate a panel on Threat Intelligence at the InfoSecurity Leadership Summit. This is not a primary area of interest for me, but given I was moderating the panel and not on the panel itself I felt I had nothing to lose. With about 10 days notice, one short conference call and a rapidly drawn up set of notes the session went very well, although we had a very limited amount of time resulting in no questions from the audience which was disappointing. I do think I achieved my three key objectives for the session though:

  1. Start and finish on time
  2. Keep the panel from drifting off topic
  3. Make the panel look good

Moderating a panel is somewhat less glamorous (if that is the right word) than presenting or being on a panel, but I like the good folks at InfoSecurity so was happy to help out. The experience was useful for me as well, as moderating is very different to being a talking head. The conference itself was also very good, especially given it was the first one the folks at InfoSecurity have done in this space. I look forward to next years.

The day after, on the 4th December I flew to Frankfurt to attend the World Class Mobile Collaboration conference, where I was asked to present an old favourite of mine, An Anatomy of a Risk Assessment. Due to some technical difficulties I had to present an hour before I was scheduled to which somewhat put me on the spot, but actually worked out rather well. I had some great conversations with people in the break afterwards and swapped contact details with a number of them too. It was a very enjoyable but exhausting day though as I had to return that evening to get back to my day job. They kindly recorded the presentation, below:

http://vimeo.com/81118214

And finally, on Friday 6th a Christmas Message video was released that I was involved with in collaboration with Host Unknown and Twist & Shout. I blogged about it on the day but I wanted to mention it again as I do think it is a good example of putting points across in bite sized chunks that are memorable and effective (Twist & Shout are very good at this). There will be some behind the scenes footage being released next week, so look out for it on Twitter and the Host Unknown blog.

Back to work for a rest for the next two weeks I think!

Announcements, Presentations and Work!

Leave a comment
Banyan tree, Bangalore, India

Banyan tree, Bangalore, India

It has been an incredibly busy five weeks since 44CON, with a lot of travel, projects coming to fruition, conference talks and preparation as well as more writing than is reflected in this blog.

I have spent three weeks (over two trips) in India carrying out five security risk assessments and hosting one three day client visit, and all I can say is that my India based colleagues continue to impress and amaze me with their knowledge, analytical skills and above all friendliness. I had the good fortune to spend some time with them at a team outing, discovered a mutual friend in London and also hit the dancefloor with them (if you have never danced in an Indian nightclub, you haven’t really danced!).

I was also able to spend an evening with the lovely folks of the Delhi chapter of NULL in Noida, and had a great couple of presentations (WAF and compliance) as well as an engaging conversation on interviewing in the infosec world. I had struggled for the last couple of years to find good conferences and forums in India, but apparently I missed an incredibly vibrant and widespread community. I’m glad to ay that is no more the case and I look forward to attending more in the future (along with my India based colleagues). On my return I attended the IT Security Forum and spoke on “Throwing Shapes for Better Security Risk Management” covering three ways to manage your security programmes more effectively.

A project I have been working on with my good friends and colleagues @sirjester and @j4vv4d finally came to fruition with the help of @jimshout, called Host Unknown. I am extremely proud of this project and we have spent many hours agonising over the details, honing the performances and getting website, YouTube and social media coordinated; in fact it was a lot more work than we expected! There is so much more in the pipeline, and if you would like more information please contact us, I promise you will only be mildly disappointed! (I am also legally obliged to point out that it was all my idea, despite what some of you may have heard.)

My other piece of news is that I have been asked to be a guest blogger for Iron Mountain, something I am absolutely thrilled by! I have already posted my first article, and I am looking forward to writing many more. As someone who can often struggles to  get down to the process of actually writing int he first place, (once I am started I seem to be OK!) I see this another incentive to flex that particular creative muscle more frequently, as well as getting used to writing on specific subjects, somewhat to order. I will of course be cross posting back to this blog, but I would encourage you all to head over and see what they have to say. My particular favourite is @christiantoon who is certainly one of the more prolific writer on the site (and a great guy to boot!).

It’s the RSA Europe conference next week, and I have been busy preparing my presentation “Playing the Game of Thrones: ensuring the CISO role at the King’s Table”. While there is an element of content that I have covered in other presentations before, this is nonetheless a new presentation with plenty of new content, somewhat more research based (although by no means academic) and very much pushing me out of my comfort zone. That said I think it is going to be a strong presentation which should generate some good discussion; here’s a podcast where I explain what I am going to be talking about, and I will of course be covering the conference in my next blog.

With all of this going on I haven’t been able to post as regularly as I would have liked, but I am building up a great stash of content that should see us through the winter months. Winter is coming after all!