Friday, 11 March 2005

The Councils Of Advisors

I do a bunch of independent, part-time consulting gigs. To help me get them, I joined The Councils Of Advisors...
The Councils of Advisors is a global network of executives and industry professionals who are compensated for providing their insights to the world's leading investors. Members of The Councils of Advisors improve investment decision-making and accelerate business innovation by providing collaborative consulting to leaders in the investment community.

Council Members provide their industry knowledge to investors through telephone consultations, online surveys and scheduled in-person meetings. These exchanges provide Council Members with unique opportunities to consult with the investment community; in turn, investment managers gain a sharper understanding of the issues fundamentally related to their investments.

I'll let you know how I get on. You can apply to The Councils at this affiliated link.

Thursday, 3 March 2005

New web host

If you can read this, you're looking at my new site, hosted by Easily.

Hit me up with a comment, if there's a problem...

Appearing on Security360

I'm going to be participating in one of Microsoft's "Executive Circle Webcasts" later this month. For details, see here.

I'm off to Redmond to videotape a panel segment for it next week. The title is "Phishing: Don’t Get Hooked."

On this month's Security360 webcast, host Mike Nash, security executive at Microsoft, identifies emerging technologies and best practices that can help you reduce online fraud and phishing scams. Learn what you can do to protect your customers and employees and prevent your company brand from being hijacked. As with every Security360, this session will include the insights of industry experts, a checklist of recommendations and resources, and a live Q&A.

Insights of industry experts? Yeah, and Richi will be there, too.

Friday, 25 February 2005

ITsafe safeword concerns

Yesterday, I talked about the UK Government's ITsafe security alerts system, and how it uses a "safeword" in an attempt to reduce spoofing attacks. I have some concerns:

  1. This doesn't reduce the perceived authority of spoofed messages; it only increases the authority of legitimate messages.
  2. The safeword may be stolen by hackers, whether by spyware, packet sniffing, or an "inside job."
  3. There seems to be no way to periodically change the safeword, as one should with a password.

The reality is that this sort of weak measure can lead to a false sense of security. Arguably, that's worse than no measures at all.

Imagine the situation if virus writers managed to steal the ITsafe signup database. They could spam consumers, pretending to be the UK Government. Their messages could contain a dire warning urging recipients to install a patch.

  • Naturally, the patch would contain a virus.
  • Naturally, the text of the message would employ the usual, proven social engineering tricks of such virus vectors.
  • Naturally, a significant percentage of consumers would be fooled into installing the virus.

Would the presence of the "safeword" make the consumer more likely to take the bait? I think so.

Thursday, 24 February 2005

UK.Gov has idea, shocker

As reported elsewhere, the UK government now has a service, ITsafe, for advising citizens about viruses and other threats. It comes from the NISCC (National Infrastructure Security Coordination Centre).

To quote the website:

ITsafe is designed to provide both home users and small businesses with proven, plain English advice to help protect computers, mobile phones and other devices from malicious attack. It consists of both the Advice on this website, and a low-volume Alerting Service.

While this is potentially good news, that's not directly the point of this post. However, one tiny aspect of the alerting service shows an interesting idea.

When a consumer signs up to receive alerts, they're asked to provide a "safeword": this is to reduce the risk of spoofing. All messages the service sends will use this word in the subject line. A consumer can then quickly check that the message has really come from ITsafe, as someone else would not know the safeword.

This is an interesting idea, and one that banks and credit card companies could learn from. It appears to be a lightweight, yet powerful way to foil phishing attacks. However, there's the potential for this to cause a false sense of security. We'll cover this tomorrow.

[Edited Feb 25 2005 7.30pm UTC: adds concerns about false sense of security, a subject for a future blog entry.]