You’re only as strong as your weakest link – Jacqui Henderson

If Australian comedians Hamish and Andy are able to obtain enough sensitive information to potentially steal the London 2012 Olympic flame, then there had better be big red lights flashing somewhere.

Having never been trained in social engineering, and being merely a comedian capable of putting on a disguise in an attempt to get a laugh, Hamish, with his bogus British accent, managed to get the “inside scoop” on security from just one 5-minute phone call to the London 2012 help desk.

Through his impersonation of an elderly ex-Olympian concerned about his personal safety, Hamish was able to build rapport and trust with the lady on the other end of the line. He used his charisma to informally feed her probing questions about what security would surround the Olympic flame, and she proved eager to assist. Her willingness to answer all of Hamish’s questions, no matter how outrageous, left the duo with nearly enough information to ‘launch a strike’ and potentially steal the Olympic flame.

State of Information: Annual Report – Are you publishing one?

Updated from Beast or Buddha (August 2010).

As a CISO/CSO/Security Manager, you were hired by your organisation to perform a role. How many people go back to the advertisement they responded to and check off what they are actually doing now against what the original role description said the role would or should be?

I know from talking with many people out there that this is one of their biggest issues in their role today: either the role is not what was promoted/advertised, and/or you do not have the support to perform the role you were hired to do.

It has made cynics of so many people in our industry and, in a weird way, has also kept people in organisations longer, albeit unhappy, given the belief that wherever security people go it will be much the same… so at least it is “better the devil you know”. Many in our industry have a continual battle trying to do their job, fighting every step of the way for even small gains. It has always been like this.

LinkedIn – (In)Security by Design – Drazen Drazic

The reactions to the recent LinkedIn hacking “scandal” were interesting.

On one side, and rightly so, there were serious questions asked of LinkedIn and its security practices. Certainly the consensus was that its practices in regards to passwords left a lot to be desired. Furthermore, a company of this size, in terms of the number of users it has, should be taking the security of those users’ data more seriously; this type of breach simply should not be happening.

Setting aside the technical security issues for now, I put this question to you: does a hacked LinkedIn present much more risk to an individual, and to the company they work for, than a non-hacked LinkedIn?

Looking at the consequences of the current security breach as reported, what has been the impact on an individual LinkedIn user? LinkedIn’s business model is, by its nature, the sharing of “personal” information. That information is there already to one degree or another, and what isn’t directly accessible can be, with a few clicks to “connect”.