Companies, System Administrators (and your Clients) could all learn a lesson from the “Click-It or Ticket” campaign – launched a few years ago in the US to encourage the use of seat belts in automobiles to save lives. This article by Bruce Schneier discusses the fact that states with the strongest enforcement had the greatest success. The amount of money spent on media advertising was a less important predictor of success. Of course, with security awareness, or with any other attempt to change behavior, it’s not an either/or proposition. The important point is that enforcement is a key component. Without it, rules have little benefit.
Of course, the popularity of the iPad has brought about a new attack vector for the purveyors of malware. The attack does not actually affect the iPad, but is another way to trick Windows users into downloading malware. I suppose there is a touch of irony in using the iPad to attack Windows.
This story is a bit US-centric, but I suspect it’s only a matter of time until the same issue pops up in Canada and in other countries. The state of Massachusetts in the US has passed a law requiring ANYONE storing or transmitting Personally Identifiable Information about its residents to encrypt and protect that information. The fines for failing to do so are substantial. This is interesting because this law seeks to reach beyond the borders of the state. It will be interesting to see how this plays out in the courts over time. In any case, the growing problem of identity theft is likely to spawn similar laws around the world.
If you have clients who redact data from PDF documents before sending them, they should know that the “redacted” data may still be visible.
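The redaction point above is easy to show in code: a black box painted over text leaves the original text in the PDF content stream, so any text extractor recovers it. The following Python is an added example, not part of the original post. It constructs a minimal single-page PDF in memory (no external libraries, no xref table, so it is for inspection only), applies the "draw a rectangle over it" pseudo-redaction, and shows a standard-library check that still recovers the covered string, both from a plain and from a Flate-compressed content stream. It then shows what actual redaction looks like: the text operator is removed, not merely covered. The names PSEUDO_REDACTED, build_pdf, leaks and true_redaction are this example's own.

```python
import re
import zlib

# Constructed content stream: draws a line of text, then paints a black box
# over the sensitive part. This is the pseudo-redaction the post warns about.
PSEUDO_REDACTED = (
    b"BT /F1 12 Tf 20 50 Td (Account: SECRET-1234) Tj ET\n"
    b"0 0 0 rg 70 40 150 20 re f\n"
)

# Stream object: a flat dictionary (no nested << >>) followed by its body.
# Real PDFs may use CRLF and nested dictionaries; this is enough for the demo.
STREAM_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\nendstream", re.DOTALL)
# Literal string as passed to the text-showing operators (Tj/TJ); handles
# backslash escapes but not nested parentheses or hex strings <...>.
LITERAL_STR = re.compile(rb"\(((?:\\.|[^\\()])*)\)", re.DOTALL)


def build_pdf(content: bytes, compress: bool = False) -> bytes:
    """Wrap a content stream in a minimal one-page PDF (constructed, no xref)."""
    if compress:
        data, filt = zlib.compress(content), b"/Filter /FlateDecode "
    else:
        data, filt = content, b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 300 100] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< " + filt + b"/Length %d >>\nstream\n" % len(data) + data + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def content_streams(pdf: bytes) -> list:
    """Return every stream body in the file, inflating FlateDecode streams."""
    out = []
    for dictionary, body in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in dictionary:
            body = zlib.decompress(body)
        out.append(body)
    return out


def extract_strings(pdf: bytes) -> list:
    """Every literal string a text operator would draw, whatever is painted over it."""
    return [m.decode("latin-1") for s in content_streams(pdf) for m in LITERAL_STR.findall(s)]


def leaks(pdf: bytes, secret: str) -> bool:
    """True if the 'redacted' value is still recoverable from the page content."""
    return any(secret in s for s in extract_strings(pdf))


def true_redaction(content: bytes, secret: bytes) -> bytes:
    """Remove each Tj operation whose string contains the secret; the box stays.
    Real redaction tools also scrub metadata, annotations, embedded files and
    incremental-update history; this only covers the page content stream."""
    pattern = rb"\((?:\\.|[^\\()])*" + re.escape(secret) + rb"(?:\\.|[^\\()])*\)\s*Tj\s*"
    return re.sub(pattern, b"", content)


def demo() -> dict:
    """Compare box-only pseudo-redaction with text removal."""
    secret = "SECRET-1234"
    box_only = build_pdf(PSEUDO_REDACTED)
    box_only_packed = build_pdf(PSEUDO_REDACTED, compress=True)
    removed = build_pdf(true_redaction(PSEUDO_REDACTED, secret.encode()))
    return {
        "box_only": leaks(box_only, secret),                 # True: still in the stream
        "box_only_compressed": leaks(box_only_packed, secret),  # True: compression is not protection
        "text_removed": leaks(removed, secret),              # False: the text is gone
    }


if __name__ == "__main__":
    for label, leaked in demo().items():
        print(f"{label}: {'LEAKS' if leaked else 'clean'}")
```

The check is the useful part for clients: before sending a redacted PDF, run a text extraction over it (this snippet, or any PDF tool that dumps text) and confirm the sensitive strings are absent. A black rectangle that can be searched through is not redaction.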
In another round of the ever-escalating “armor vs. ordnance” malware battle, some malicious websites are now able to detect search engine “bots” and hide the malware from them. Detecting malware on websites is a priority for Google and Firefox, who use APIs to blacklist malicious sites.
On another front of that same battle, fake anti-malware vendors are gaining ground and the legitimate AV products are having more difficulty detecting the “rogues”.
Breaches are going to happen. Here is an example of what a responsible dissemination of information looks like. Sadly, you rarely see this sort of transparency.
Dennis H in West Virginia, US
April 28, 2010