Got Worms? Conficker or con-foolery?

I think we’ve already seen the worm, in the form of all the hype oozing its way into our media outlets. I checked a couple of IT departments in Australia where it’s already 4.1 and don’t see much activity. So perhaps this is much ado about very very little. At my staff meeting this a.m. we had two votes for “hoax/social engineering attack”; two undecided, and one person freaking enough for all of us. We’ll see…

Marchons, Marchons! (Soldiers of Spam, pt. 2)

We continue to have people hand out their passwords to phishers as if they were candy at Halloween. And now our entire mail domain has been blacklisted because the compromised accounts are sending spam faster than you can say “NOOOOOOOO…” I wonder, is there a geographic difference in the efficacy of social engineering techniques? For example, are people in New England (where the stereotype includes being distrusting, independent, and skeptical) less likely to respond to phishing than folks in the Pacific Northwest (where the stereotype involves being laid back, a little passive, and, yes, possibly stoned)?

Soldiers of Spam: click on links and download stuff WITHOUT DISCRIMINATION

A member of the President’s Cabinet forwarded an email to me that asked for her password so the “IT staff” could “unexpire” her account, which presumably had been “expired” because she used up too much space on our system. The Cabinet member wanted to know if she could just get more space on our system. I noted that the mail was a phishing attack and pointed out the various signs, the most obvious being that the sender’s email address was not from our domain and bore no relation (spoofed or otherwise) to our help desk email address. Meanwhile, a bunch …

It’s Friday: do you know what my password is?

Courtesy of thinkgeek.com

I’m trying to convince my staff that we should require really long passwords, never expire them, and run crack every year to check password strength. But they disagree, especially about the expiration issue. Any thoughts? Gurus I can consult? I checked Schneier but haven’t found a good reference yet.