Tuesday 28 July 2009

David to Delores - MI5 whistleblower transforms into transvestite Jesus incarnate

One of those stories you just couldn't write.

Not strictly on topic, but many in the security community read "Defending the Realm", David Shayler's MI5 exposé. As with most books of this type there were plenty of inaccuracies, but there was also some accurate information.

David (sorry Delores) is now living in a squat in England and claiming to be the "spirit of Jesus".

You don't have to be mad to work here.......

How to set up a spoof wireless Access Point - if you use wifi you need to know this

Perhaps one for the techies here but a message for all of us.

The video here shows how to set up spoof wireless networks. Basically it means that if you connect to such a network (whilst looking for a wireless connection) you may well have all your data stolen, logins and passwords compromised and malware delivered to your computer.

All the software being used is available off-the-shelf but requires some technical knowledge to use.

Lesson - do not connect to a wireless network just because it is available! (are all your staff aware of this?)

NB - we provide this link for awareness and education; stealing people's information is illegal!

The Times publish guide to new scams

The Times have published an interesting guide on some new and upcoming frauds.

Whilst this guide is not in any way exhaustive we think it makes interesting reading for all.

Up to 570,000 credit-card records breached at Network Solutions

Network Solutions, a major Internet hosting and systems company have discovered a major breach of their network security.

Malicious code was installed and credit-card details harvested and exported.

Once again we see that keeping systems secure is a major challenge, and that having one's data with third-party companies needs the same level of due diligence as your in-house systems.

We will see more details of how this breach occurred as the investigation develops.

Friday 24 July 2009

SMS to be trialled by Visa as a means of payment verification

Visa are trialling a system where you receive an SMS message whenever you make a purchase, as a tool to identify fraudulent payments. This is not a new idea, but it has previously only been used for transactions with unusual patterns.

There is a significant concern regarding fraudulent spoofing/phishing attacks using false messages. An example would be that one receives a message along the lines of "This is a security message from Visa, can you please call our team on 0845 123456 now".... I'm sure you can work out the rest. The challenge here is user education as opposed to systems performance.

We wrote about this risk just a couple of weeks ago.

FSA fine HSBC £3M over data breaches

Following an investigation HSBC have been fined £3M by the FSA for repeated incidents of sending large quantities of unencrypted personal data in the post!

There are two clear lessons here: systems need to be designed to prevent the ability to dump unencrypted data onto removable storage, and all staff need awareness training so they know that posting disks full of data is akin to posting envelopes of cash.

Lucid Intelligence live with database of 120 million stolen records

We reported on the Lucid database before and now it is up and running. It enables you to search the millions of records they have obtained from sales of stolen data on the web. This allows you to get an idea as to whether your personal information has been compromised.

There are questions surrounding data protection of this database and potentially the ability to obtain details about somebody else by using their search.

They have also published a very useful DIY guide to finding out if your data has been published.

SMBs can't keep up with ITSec in tough times

Probably not a surprising article but an important one nevertheless.

If you are an SME and have reduced your ITSec spend it is time to think smarter. It may seem a little strange for us to advocate more spending, but a full (independent) review of legacy systems, procedures and cost centres often reveals significant savings.

We understand the pressures on SMEs (we are one!) but also understand the consequences of ignoring significant exposure. Security spend can only be justified against a threat and risk analysis (just like an insurance policy). If the exposure is too big to accept, suitable measures must be implemented (head in sand is not an option).

For impartial advice contact us.

Wednesday 22 July 2009

Laptop repair shop exposed - essential viewing

In a long overdue journalistic endeavour Sky sent in an undercover reporter to several laptop repair shops with a simple known fault and a laptop loaded with spy software to see what the repair shops got up to.

It will come as no surprise that they trawled through files and folders, attempted to access an online banking account and more.

There is something important to understand here. You simply cannot give a computer to an unknown repair agent. Your laptop is not the same as another appliance, as it is far more than just hardware. It is akin to inviting a person to repair your office and letting them take all your bank books, photos and diaries off premises for investigation.

So what can you do? Some ideas include: buy laptops where you maintain ownership of the hard drive, so in the event of a repair you keep your hard drive; create a second login called 'guest' with no data on it and only allow repair agents to use this login (please note this is not foolproof); establish a relationship with a respectable repair company and have them sign a privacy/NDA type contract. If you need help keeping your data private contact FaberBrent.

London Borough of Wandsworth has as many CCTV cameras as Dublin City Council, Johannesburg Police Dept, Boston Police Dept and Sydney City Council combined!

A new BBC report on actual numbers of CCTV cameras in the UK makes for interesting viewing.

The much-bandied figure of 4.4M UK cameras is very questionable and is more like 3.2M (still quite a lot!). The original figure was calculated by using Wandsworth as an average!

UK Phone Tapping plans prove unworkable under current legislation

During secret testing, Gordon Brown's proposed use of phone tapping has been shown to be unworkable under current legislation.

A mock trial was run and the validity of intercept evidence was examined. Sir Paul Kennedy, the Interception of Communications Commissioner, is quoted as saying that under RIPA there were “real legal and operational difficulties” and that he would “welcome the Government’s acceptance that intercept as evidence should not be introduced”.

Sunday 19 July 2009

£3 Million scam rocks the Royal Protection Police

A former Royal Protection officer, Paul Page, was found guilty on Friday of committing a £3 million scam revolving around an investment fund.

The really shocking thing here is that at least 20 SO14 (the police Royal Protection Command) officers were investing in the fund, yet none of them performed any due diligence or questioned how Page could pay cash returns on property investments that had not yet matured.

In a tale worthy of a Hollywood movie the court heard of brown envelopes of cash, bank transfers to strangers' accounts and multiple death threats.

One would imagine Her Majesty was not amused.

Saturday 18 July 2009

Chateau Pétrus, Lafite-Rothschild and what you need to know about your alarm system vulnerabilities

A French wine thief has been caught during his second robbery of top Paris restaurants' wine cellars.

Our interest in this story was almost lost in the copy, but there is a very important bit of information for many people.

"Police found gloves and mobile telephone scramblers used to disable the restaurant's alarm systems."

"mobile telephone scramblers"... these are better known as jammers: basically a small hand-held device that transmits radio noise on cellular frequencies, causing phones to drop to 'no service'. Why is this important? Well, an increasing number of alarm systems use GSM as a back-up to alert the police of an alarm (indeed a number of them advertise 'GSM protected' on their front panel!).

We have been advising our customers for a long time that this is a very poor method of alarm backup, as it can be defeated by a £50 jammer. These are freely available, although almost certainly illegal to turn on (info here, here and here).
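An added example, not taken from the post: a simplified Python model of a supervised dual-path signalling link, which is the property a GSM-only "back-up" lacks. The monitoring centre expects each path to poll on its own schedule, so when a jammer silences GSM the missing polls surface as a fault instead of passing unnoticed, and silence on every path is escalated as an alarm rather than logged as a comms problem. The poll intervals, panel id and timestamps are constructed values.

```python
from datetime import datetime, timedelta

# Each signalling path must poll the monitoring centre at least this often
# (constructed intervals; a real centre would tune these per site).
POLL_INTERVAL = {"pstn": timedelta(minutes=30), "gsm": timedelta(minutes=5)}
GRACE = timedelta(minutes=2)   # tolerance for network jitter before a miss counts

# Constructed heartbeat log: (timestamp, panel id, path). After 01:10 the GSM
# polls stop, as they would once a jammer is switched on nearby.
HEARTBEATS = [
    ("2009-07-18 01:00", "panel-7", "pstn"),
    ("2009-07-18 01:00", "panel-7", "gsm"),
    ("2009-07-18 01:05", "panel-7", "gsm"),
    ("2009-07-18 01:10", "panel-7", "gsm"),
]

def last_seen(log):
    """Reduce the log to the most recent poll time per (panel, path)."""
    seen = {}
    for stamp, panel, path in log:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        seen[(panel, path)] = max(when, seen.get((panel, path), when))
    return seen

def supervise(seen, now):
    """Return {panel: status}: 'ok', 'path-fault:<paths>' or 'comms-loss'."""
    statuses = {}
    for panel in {p for p, _ in seen}:
        lost = sorted(path for path, interval in POLL_INTERVAL.items()
                      if now - seen.get((panel, path), datetime.min) > interval + GRACE)
        if not lost:
            statuses[panel] = "ok"
        elif len(lost) == len(POLL_INTERVAL):
            # Every path silent at once: treat as an attack, not a line fault.
            statuses[panel] = "comms-loss"
        else:
            statuses[panel] = "path-fault:" + ",".join(lost)
    return statuses

def status_at(log, stamp):
    """Convenience wrapper: evaluate the log as the centre would at a given time."""
    return supervise(last_seen(log), datetime.strptime(stamp, "%Y-%m-%d %H:%M"))
```

With the constructed log the GSM outage is visible as a path fault within the poll window, and once the landline is also silent the panel is escalated rather than waiting for an alarm signal that can no longer arrive.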

I wonder when the alarm companies will take this seriously and stop just pushing product?

If you are concerned about asset protection be sure to engage a specialist independent audit of your systems and procedures.

ID's for sale - 4 million UK to the highest bidder

The Times are reporting that there are currently 4 million British IDs for sale to the highest bidder on the internet.

This problem is only going to get worse.

The best advice we can give for individuals to minimise the impact of credit-card theft is keep one credit card exclusively for use on-line. Set a low limit and monitor your statements closely.

If your business involves people's personal data, take your security seriously and contract external security experts (it is not reasonable any more to say 'I thought my IT guys took care of it'). Contact us if you need help.

Australian cops treating unprotected wifi networks as crime risks - plod-driving is born

In Queensland Australia police are hunting for unprotected wifi networks and advising owners as a crime-prevention measure.

Thursday 16 July 2009

Watch out for unknown and spoof wireless hot-spots

A good article from Fox News reminding us of the danger of unknown (or believed known) wireless hot-spots. If in doubt, do not use.
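As an added illustration for this post and the spoof access point post above (it is not from either article or the linked video), here is a defender-side check in Python that runs over a constructed list of scan results and flags the patterns an impostor access point produces: a familiar network suddenly offered without encryption, the same SSID advertised with mixed security modes, or an open network the user has never joined. The SSIDs, BSSIDs and the KNOWN_NETWORKS table are made-up values.

```python
from collections import defaultdict

# Constructed scan results, not taken from the page: (ssid, bssid, security, signal dBm).
SCAN_RESULTS = [
    ("CoffeeShop",       "aa:bb:cc:00:00:01", "WPA2", -60),
    ("CoffeeShop",       "de:ad:be:ef:00:02", "OPEN", -35),   # louder, open twin
    ("HomeNet",          "11:22:33:44:55:66", "WPA2", -70),
    ("Free Public WiFi", "00:11:22:33:44:55", "OPEN", -50),
]

# Security mode recorded the last time the user joined each network (constructed).
KNOWN_NETWORKS = {"CoffeeShop": "WPA2", "HomeNet": "WPA2"}

def find_suspicious(scan, known):
    """Return {ssid: [reasons]} for networks that should not be joined on sight.

    Several BSSIDs under one SSID are normal for a large site, so that alone is
    not flagged; a change in security mode or an unfamiliar open network is.
    """
    by_ssid = defaultdict(list)
    for ssid, bssid, security, rssi in scan:
        by_ssid[ssid].append((bssid, security, rssi))

    findings = defaultdict(list)
    for ssid, entries in by_ssid.items():
        modes = {security for _, security, _ in entries}
        if len(modes) > 1:
            findings[ssid].append("same SSID advertised with different security modes")
        if ssid in known and known[ssid] != "OPEN" and "OPEN" in modes:
            findings[ssid].append("previously secured network now has an open twin")
        if ssid not in known and modes == {"OPEN"}:
            findings[ssid].append("unfamiliar open network")
    return dict(findings)

def safe_to_autojoin(ssid, scan, known):
    """True only when the SSID is known and raises no finding in the current scan."""
    return ssid in known and ssid not in find_suspicious(scan, known)
```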

Tuesday 14 July 2009

UAE BlackBerry update full of Spyware!

The Etisalat network in the United Arab Emirates has pushed out a BlackBerry update that apparently contains spyware that can intercept emails and messages.

Apart from the obvious concerns, it makes us wonder what happens if you are just visiting (and roaming) and then return to your home country. Will the UAE continue to be sent all your info?

RIM - are you going to comment?

IronKey USB Drives - the best just got better

If you care about the security of your mobile data, we have yet to find a better solution than IronKey. These are the only USB drives we use and the only ones we recommend, and we are not alone; take a look at this review.

Not wanting to sound like an advert, but if your data is worth more than $100 get one.... or several; they have enterprise-level software control.

SMS TXT message phishing - next big scam, you need to know about this.

You receive a text like this....

"This is a secure message from Abbey National. There has been some unusual activity on your account, please call our security team on 0845 123456"

You call the number and hear "Thank you for calling Abbey National, this call may be recorded for security and training purposes. We need to perform some security checks, please enter your card number followed by the hash key, please enter the 3 digit number on the back of your card followed by the hash key, please say your 'security' password......."

I think you get the idea.

The best way to protect yourself is to keep the real service numbers for your various accounts pre-programmed in your phone memory, so if you receive a text you can call the genuine security centre and validate (or not) the text.
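An added example, not part of the original post, applying the advice above and the Visa SMS concern raised earlier on this page: a small Python check that extracts any phone number from an incoming text and compares it against the numbers the user stored in advance for the bank the text claims to be from. TRUSTED_NUMBERS and the sample messages are constructed values, not real bank numbers.

```python
import re

# Constructed: numbers the user copied from the back of their card in advance.
# Keys are lower-cased brand names as they would appear in a message.
TRUSTED_NUMBERS = {"abbey national": {"08001112222"}}

# Wording that pressures the recipient into phoning straight away.
URGENCY_PHRASES = ("unusual activity", "security team", "suspended", "call", "urgent")

# UK-style numbers: leading 0 or +44, then digits and spaces, at least 10 digits.
PHONE_RE = re.compile(r"(?:\+44|0)[\d ]{8,13}\d")

def normalise(number):
    """Drop spaces and map +44 to the domestic 0 prefix so numbers compare reliably."""
    digits = re.sub(r"\D", "", number)
    if digits.startswith("44"):
        digits = "0" + digits[2:]
    return digits

def check_sms(text, trusted=TRUSTED_NUMBERS):
    """Classify a text message that asks the recipient to phone a number.

    'trusted' - names a stored brand and every number matches that brand's stored numbers
    'suspect' - names a stored brand but quotes a number not stored for it
    'unknown' - names no stored brand yet presses for a call
    'ignore'  - nothing actionable (no phone number, or no pressure to call)
    """
    lower = text.lower()
    numbers = {normalise(n) for n in PHONE_RE.findall(text)}
    brands = [brand for brand in trusted if brand in lower]
    urgent = any(phrase in lower for phrase in URGENCY_PHRASES)
    if not numbers:
        return "ignore"
    if brands:
        stored = set().union(*(trusted[brand] for brand in brands))
        return "trusted" if numbers <= stored else "suspect"
    return "unknown" if urgent else "ignore"
```

Even a 'trusted' verdict only means the quoted number matches what you stored; the safe action is still to dial the stored number yourself rather than the one in the text.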


New threat claimed, Keylogging via mains voltage emissions.

Two security consultants have claimed that they have developed a system for monitoring the variance in mains ground current to monitor keyboard strokes.

They say they can do this on a mains socket up to 15 meters away from the target computer for a hardware cost of $500. They are planning to demonstrate the device at the BlackHat 2009 conference at the end of July. We will report back on the results.

Shocking drive-by reading of RFID tags on passports, drivers licences, credit cards and more...

Clear and scary demos of how easy it is to read various RFID chip based devices in people's pockets while driving or walking down the road.

This has very serious implications for cloning pass-cards (to gain entry to buildings) and tracking/identifying people on the move.

drive-by video here...
cloning video here...
electronic pick-pocketing here...

SpyPhone Software released for iphone 3GS

If you do not already know about SpyPhone software you need to take a look at our guide.

This software converts your mobile into a surveillance device and is designed to be invisible on the victim's phone.

The latest phone to be affected is the iPhone 3GS.

To protect your iPhone go to Settings / Restrictions / Installing Apps and switch it off. You do, of course, have your pass-code lock on.

If you are concerned you may already be infected, back up your personal data (not apps) and perform a factory reset.

SpyPhone software guide here...

Connectivity, the controversial mobile directory, is down but not out....apparently

The much debated 'Connectivity' mobile phone directory has been down pretty much since its launch.

A barrage of complaints about the opt-out only nature of their data (and a barrage of requests to de-list numbers) appears to have had an effect. Of course (and according to the company) this is nothing more than early technical problems and all will be well soon; we shall see.

We suspect this service will succeed or fail based on public opinion of what is (in any real-world translation) an opt-out system. At the moment it is not looking good.

Saturday 11 July 2009

70% of UK orgs hit by a data breach in the last 12 months

A new survey of 615 companies and public sector organisations has shown that 70% have experienced some kind of data breach in the last 12 months.

It appears (not surprisingly) that the biggest problem is lack of encryption.

Once again we say, encrypt all mobile storage now!

Trading system secrets stolen by former Goldman Sachs employees

In a rare example of public disclosure the FBI arrested an employee of Goldman Sachs who is accused of stealing computer code used for complex, high speed market trading.

The activity was detected by GS's automated monitoring systems that scan email for any transfer of code.

The suspect was on $400,000 a year, which makes one wonder how much the code is worth.

Would you know if your employees were stealing data? If your answer is no, or don't know, contact us for help. Check out our Drilling info for some ideas.

Wednesday 1 July 2009

UK ID cards to be optional for UK Nationals - govt U turn

So the next chapter in this farce unfolds. The new Home Secretary effectively destroyed the long lauded Labour plan for compulsory ID cards for all UK citizens.

Many (ourselves included) have opposed the scheme from the start but there are other issues here:
How much has this scheme cost so far?
How many SMEs have geared up to bid and put forward products and now face financial difficulties?

The biggest single point of failure with laptop security - people

In another survey once again the common failings of laptop security revolve around users, not hardware.

A few numbers to get you thinking:
50% of business managers switch off encryption
12,000 business laptops are left at airports in the US every week
67% of left laptops are never reclaimed

For security to be successful, a holistic approach combined with staff training and buy-in is essential.


Russians accused of corporate espionage in Germany

Germany's counter-intelligence chief has openly accused the Russian intelligence services of corporate espionage, stealing commercial information to give Russian commerce an edge.

We see more and more state sponsored corporate espionage. If you are dealing with international bids or develop original ideas (hardware and software) contact FaberBrent for advice.