Friday 26 June 2009

What happens to your old computers? They end up on a West African market stall.

A hard drive has turned up in a Ghanaian marketplace containing multi-million dollar deal info between the Pentagon and a military contractor.

If it can happen to a computer holding confidential US defence data, it can happen to you.

Do you have a policy in place for disposing of your old computers? Do you rely on third parties to recycle them? Do you audit those third parties? If you need help with these questions contact FaberBrent.


Thursday 25 June 2009

FaberBrent's groundbreaking solicitors' CPD infosec course gets glowing approval from the SRA

Not wanting to blow our own trumpet but we are delighted to go live with our new CPD course for solicitors.

"Holistic Information Security - Understanding the Threat, UK/EU Law and Practical Steps for Risk Reduction" is a 90-minute course providing practical, real-world information security advice and an update on EU/UK data law.

Shock horror - SpyPhone software exposed

We are always flattered when something we have been publicising makes an appearance, and now spyphone software has come to the attention of Homeland Security.

Shame they didn't see fit to tell you how to identify and avoid it (as we do).

Understanding insider risk

A good article detailing the difference between insider threat and risk. We are all human and often the single biggest risk to information security is biological, not electronic. A holistic approach to your security policy will help minimise these variables.

20% of IT professionals admit to cheating on security audit figures

If 20% admit to this what is the real figure?

Parcelforce website reveals customer data

Customer names and addresses were exposed online due to a Parcelforce system error. The extent of the exposure is not known.

56% of employees frequently see confidential documents on office printers

A survey by Samsung of 4,500 European office workers has shown over 50% frequently access confidential documents not intended for them.

This is not an IT or access failure but simply people not taking care of documents and printers. An effective security policy must be holistic; it is not enough to just control hardware.

Shock horror - wireless keyboards are a security risk

A presentation has been released detailing how to intercept data from some Microsoft wireless keyboards.

We are a little surprised that anyone with security concerns would ever have considered a wireless keyboard!

LSE are critical of Home Office Internet surveillance proposal

The London School of Economics has claimed that the Home Office proposal for Internet interception won't work, is too expensive and has poor safeguards.

Majority of Employees admit to breaking infosec rules

A new survey has shown that 69% of employees are happy to break security policy.

There are two pillars to successful policy observation: education for all and systemic controls wherever possible (of course the rules and procedures have to fit with your business practice).

For help creating an effective security culture contact FaberBrent.

IT pros almost as bad as general public when it comes to mobile passwords

I find the findings of this survey unacceptable but in some ways predictable.

The reality is that IT professionals rarely have a security mindset; this is not to be confused with the ability to configure IT security systems. A long-serving military man we spoke to recently, who has just joined a major defence contractor, has found the lack of a real security culture shocking.

Do not rely on your IT professionals to have a true security mindset; employ specialist external auditors for genuine peace of mind.

Be sure to activate PIN codes on both your phone and voicemail. This is a basic security requirement and not a chore once you are in the habit.

Saturday 13 June 2009

Robotic one-eyed snake cam

The Israeli military have developed a robotic snake complete with a wireless camera 'eye' for reconnaissance missions.

UK mobile phone directory, opt-out or be listed

There have been many headlines regarding this controversial service. The bottom line is that many millions of us have found our mobile phones in a public directory with very questionable authority.

The company responsible, Connectivity, claims it gives out no actual data but only connects calls with consent. We wonder how long until their data is breached and we all have to get new mobile phones.

To opt out, text 'E' to 118800 from the phone you want taken off; it takes up to 4 weeks to be removed. Why 4 weeks when this is an automated database function (surely it should be almost instant)?

Whichever way we look at this development, it appears to be a significant erosion of privacy.

British Consulate-General sets good InfoSec example in New York

Nice to report a positive public-sector infosec story.

The British Consulate-General in New York has gone public with its use of BeCrypt's USB token authentication system. This multi-factor system allows remote working and data access with a good level of protection.

In our opinion this kind of system should be rolled-out across the public sector.


36% of IT pros have used their position to view sensitive company data

In another example of insider threats, Cyber-Ark's 2009 Trust, Security & Passwords Survey found some very serious results on just how much snooping IT staff are prepared to do.

It is worth considering that often even junior IT staff have access to huge amounts of very confidential company data.

If you don't have checks and processes in place to mitigate this significant risk, contact FaberBrent now.

Take a look at our Drilling guide for some ideas to detect insider snooping.

Undercover investigation discovers sensitive military technology can be easily purchased

A US federal watchdog group has discovered poor enforcement of regulations when it comes to the sales of sensitive military technology.

This kind of problem is common across many industries. When times are tough cash is king and people will stretch the rules to make a sale.

If you are concerned about your internal company security, or need help ensuring your third-party suppliers are observing the rules, contact FaberBrent for advice.

Sunday 7 June 2009

NY State Court judge allows surreptitiously obtained emails as evidence - does not constitute a 'wire-tap'

A NY State Court judge has allowed covertly obtained emails to be used as evidence in a divorce case.

The judge stated that since the emails were 'viewed' in the husband's account, not 'intercepted in transit', it did not constitute a wire-tap.

Claimed hack of entire T-Mobile US network data

The following was posted by hackers seeking a reward; so far their claims are unconfirmed, but if true they would be shocking.

"Date: Sat, 6 Jun 2009 15:18:06 -0400

Hello world,

The U.S. T-Mobile network predominately uses the GSM/GPRS/EDGE 1900 MHz frequency-band, making it the largest 1900 MHz network in the United States. Service is available in 98 of the 100 largest markets and 268 million potential customers.

Like Checkpoint Tmobile has been owned for some time. We have everything, their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009.

We already contacted with their competitors and they didn't show interest in buying their data -probably because the mails got to the wrong people- so now we are offering them for the highest bidder.

Please only serious offers, don't waste our time."

Thursday 4 June 2009

The first British Standard on management of personal data has been published, say hello to BS10012

BS10012 is a long-overdue framework standard for establishing best practice and compliance with the Data Protection Act.

Overall it appears to be a very solid standard which clearly identifies a cross-organisational ownership structure and an emphasis on awareness, dynamic improvement and education.

This new standard looks very promising although there will be some challenges integrating it into legacy procedures and policies. If you want to implement BS10012 contact FaberBrent for expert advice.


Business Software Alliance asks 1,000 London companies to provide a software audit

The BSA is the body that checks compliance for software licensing. This crack-down follows similar campaigns in Manchester and Glasgow.

A company-wide software audit is a very healthy thing from a security viewpoint. Employees may have downloaded pirated software, which is illegal and could contain spyware designed to extract your company information.

US Govt accidentally releases secret nuclear list

266 pages of "highly confidential" information regarding civilian nuclear sites and programs were accidentally published by the federal govt, according to the New York Times.

Monday 1 June 2009

Watch out for the Men in Black - just like the films, only real.

Unsuspecting workers on a construction development in Washington got quite a response when they accidentally cut through a fiber-optic cable.

Within moments 3 SUVs (black of course) pulled up and 6 men in suits jumped out: "You just hit our line". Whose line was never quite revealed, but one could probably assume it was a 'black line' (private, unlisted, secure) belonging to the FBI/CIA/NSA (delete as applicable).

Hollywood would be proud.


65,000 employee records compromised

A job application website page may have exposed the information of 65,000 current and former employees at Aetna (one of the largest health-care benefit companies in the US).

Once again the breach appears to be with a third-party partner. It is essential that you specify, educate and enforce security policy with third parties as clearly as you do with your own systems.

If you have data with third-parties and need help contact FaberBrent.