Stories by Joan Goodchild

Social engineering techniques: Four ways criminals get inside

It doesn't matter how many locks you put on the door that is your security plan, because criminals who use social engineering techniques will still sail right in. Why bother breaking down the door if you can simply ask the person inside to let you in? That is the question posed by Lenny Zeltser, head of the security consulting team at Savvis and a SANS Institute faculty member.
"There is often a debate about what is more prevalent and more dangerous: Is it the outsider threat or the insider threat?" said Zeltser. "Once you accept the success of social engineering, you will recognise there is no distinction anymore. If you have an outsider, and they use a social engineering technique, they become an insider."

Written by Joan Goodchild, 14 June 10 22:00

World Cup security: Preparing for the unexpected

The FIFA World Cup games kick off on June 11 in South Africa. One of the largest sporting events in the world, it features multiple games occurring across numerous cities, posing myriad logistical and communication challenges in an already volatile, high crime area.

Written by Joan Goodchild, 10 June 10 05:00

Facebook announces new, simpler privacy controls

After several weeks of criticism about complex privacy controls that made it difficult for users to keep information to themselves, Facebook officials have announced changes that they say will make things simpler for people to understand.

Written by Joan Goodchild, 27 May 10 06:56

Four things Facebook doesn't tell you about privacy, security

Let us be perfectly clear: While Facebook has received a lot of criticism lately about its new privacy policies and Open Graph concept, which allows them to partner with other sites which will also have access to some Facebook user data, Facebook isn't explicitly keeping secrets from you. But some security professionals and users continually knock the site for what they say are less-than-clear explanations about where your data is going, and how secure the site really is.
Joey Tyson, a social media security expert who maintains the site Social Hacking, says there are important data security and privacy issues happening under the radar of the Facebook experience. This is what Facebook isn't saying outright to members.

Written by Joan Goodchild, 18 May 10 22:00

How investigators work to combat data theft

In almost two decades of work in the financial services industry, Brad McFarland has spent most of that time heading up fraud investigations. McFarland, currently director of corporate security with The South Financial Group, a South Carolina-based financial services holding company, is also responsible for the organization's physical security and loss prevention in addition to fraud investigation.

Written by Joan Goodchild, 23 April 10 01:44

Profile of an easy victim on social networks

Sophos recently reported malware and spam rose 70 percent on social networks in the last 12 months and 57 percent of users report they have been spammed via social networking sites. Another 36 percent reveal they have been sent malware via social networking sites.
The "Social Security" survey is part of Sophos' 2010 Security Threat Report, which looks at current and emerging computer security trends and found that social networks are opening up new opportunities for cyber criminals to locate so-called "soft" targets and pull off precise and targeted attacks.

Written by Joan Goodchild, 14 Feb. 10 22:00

Is Skype safe for business?

According to data released last month from research firm TeleGeography, Skype, the popular software that allows computer users to make calls over the internet, now accounts for 12 percent of all long-distance calls. The company saw its user base grow to more than 500 million accounts in 2009 and is making a run at a new market this year.
So far, the popular VoIP provider has been primarily used in personal, consumer settings. But in 2009, Skype launched Skype for SIP, a service that lets its peer-to-peer VoIP clients interact with existing IP PBXs and is aimed at small businesses looking to get in on the cost-savings of internet telephony. Skype for SIP (also known as Skype for Business) was launched in beta early last year and brought into public beta at the end of 2009.

Written by Joan Goodchild, 06 Feb. 10 22:00

Slapped in the face

The collaboration and sharing made possible by Web 2.0 technologies also bring along a specific set of risks. In Slapped in the Face: Social Networking Dangers Exposed, security researchers Nathan Hamiel and Shawn Moyer explain how attacks are made easy because of the very nature of these sites, where users can upload and exchange pictures, text, music and other types of information with little effort.
"Social networking sites are meant to get as many users in one place as possible on one platform, and for attackers there's a lot of return-on-investment in going after them," Moyer said, describing the climate as a perfect storm of social engineering and bad programming.

Written by Joan Goodchild, 06 Feb. 10 22:00

ISPs fear many more DDoS attacks in 2010

Heading into 2010, internet service providers (ISPs) are most worried about botnet-driven distributed denial-of-service (DDoS) attacks, according to a report by network security firm Arbor.
Attacks are shifting to cloud-based services and nearly 35 percent of service providers believe that more sophisticated service and application attacks pose the largest operational threat in the next 12 months. Large scale botnet-enabled attacks came in second at 21 percent.

Written by Joan Goodchild, 18 Jan. 10 22:00

Secure USB Drives Not So Secure

Several hardware-encrypted USB memory sticks are now part of a worldwide recall and require security updates because they contain a flaw which could allow hackers to easily gain access to the sensitive information contained on the device.

Written by Joan Goodchild, 07 Jan. 10 06:16

Three basic steps to avoid joining a botnet

Banging the drum for security awareness never gets old. As much as CSOs try to get folks to bone up on safe practices (both online and in the office), there are always going to be some who need reminding.
Online, the biggest battle these days is against botnets: networks of infected computers which hackers can use -- unbeknownst to the machine's owner -- for online crimes including sending out spam or launching a denial of service attack.

Written by Joan Goodchild, 21 Nov. 09 22:00

How a Botnet Gets Its Name

There is a new kid in town in the world of botnets - isn't there always? A heavyweight spamming botnet known as Festi has only been tracked by researchers with MessageLabs Intelligence since August, but is already responsible for approximately 5 percent of all global spam (around 2.5 billion spam emails per day), according to Paul Wood, senior analyst with MessageLabs, which keeps tabs on spam and botnet activity.

Written by Joan Goodchild, 11 Nov. 09 02:28

Rogue security software is big business for crooks

The bogus ads are everywhere. A pop-up tells you: "Your computer may be infected" and urges you to download security software that will scan your computer for viruses, protect it from future infection or both. The problem is most of these products are scams that give you software which is useless. In some cases, the software is even dangerous because it downloads malicious code onto your computer.
The threat from these "scareware" tactics is growing, according to the results of a report released this week by Symantec. The Report on Rogue Security Software reveals that cybercriminals are profiting from a highly organized affiliate-based business model that rewards scammers for selling bogus security programs to users caught off-guard by persuasive online scare tactics.

Written by Joan Goodchild, 20 Oct. 09 22:00

How to catch a liar

Most people lie, whether they're covering up something sinister or just embarrassed over a mistake. Research conducted a few years ago at the University of Massachusetts found that 60 percent of participants lied at least once during an observed 10-minute conversation.
If you're trying to get to the bottom of a work incident, or just asking the kids who broke the TV, it's useful to know how to spot a lie.

Written by Joan Goodchild, 30 July 09 22:00

Continuity plans factor in mobile, social networking

Business continuity planning has evolved from simply something companies hope never to roll out, to an important focus of security operations, according to a new survey from AT&T.
AT&T surveyed IT executives from companies throughout the United States that have at least US$25 million in annual revenue to get their views on disaster planning and business continuity trends.

Written by Joan Goodchild, 11 June 09 22:00