User awareness videos

Tuesday, July 12th, 2016 | Mark Borrie

Here are a couple of videos to help people become a bit more aware of social engineering risks. It would be interesting to hear from you as to which one you think is more effective.


Here is another good one from a bank


LinkedIn Scams

Tuesday, September 1st, 2015 | Mark Borrie

In recent weeks there has been an increase in fake requests on LinkedIn for users to connect with people. These are likely to be precursors to attempted scams or fraud.

Some examples I have noticed are from people claiming to be from financial companies based overseas. After connecting with the person, a message quickly follows asking for more information about yourself.

If you are unsure about a connection request, there are a few things you can do. Check the company affiliation: if you can't find the company, there is a good chance it is fictitious.

Also check the profile picture. This is easy with a Google reverse image search: open Google Images, drag the profile picture into the search bar and see whether there are any matches. You might be surprised at where that profile picture originated.

There is no requirement that someone use an actual picture of themselves on LinkedIn, but it is worth asking why someone would use a picture of someone else.

So what should you do with these requests? LinkedIn has options to report people who appear to be misrepresenting themselves. Alternatively, simply don't connect, or disconnect from people you don't trust.

Above all else, keep safe.

Passwords, policies, and cracking

Tuesday, May 22nd, 2012 | Jim Cheetham

Here’s an overview of a new OWASP project called Passfault, which tries to help assess password strength in ‘real world’ terms :-

One of the developer’s assertions is that password-creation policies are not helping users to create secure passwords.

His examples provided on the Analyser website suggest that the problem he is attacking is what I would call “the fallacy of the pass*word*”.

Weak passwords that pass typical policies:

  • qwerQWER1234!@#$
  • !1cracked
  • cracked7&

Strong passwords that fail typical policies:

  • udnkzdjeyhdowjpo
  • seattleautojesterarbol

I ran my diceware script (grabs random numbers from and looks up on the diceware wordlist) and tested the pass*phrase* “52nd temper musk” (this was the first output from the script).

The passfault analyser said “Time To Crack: 17 centuries Total Passwords in Pattern: 50 Quadrillion”. I’m not sure that his approach is completely useful …
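As an added worked example (not Passfault’s code and not the author’s script), here is a small estimator that contrasts the two attacker models behind numbers like those: the naive brute-force alphabet that composition policies implicitly assume, and a pattern model that prices dictionary words, keyboard runs and digit runs separately, which is the idea Passfault is built on. It is run over the six passwords quoted above. The word list, the keyboard runs and the two guess rates are constructed for illustration; 7776 is the size of the Diceware list and stands in for a real dictionary.

```python
import math
import string

# Constructed stand-ins for the example (not Passfault's data or algorithm).
DICT_SIZE = 7776                 # size of the Diceware list; used as a representative dictionary size
WORDLIST = {"52nd", "temper", "musk", "cracked", "seattle", "auto", "jester", "arbol"}
KEYBOARD_RUNS = ["qwer", "asdf", "zxcv", "1234", "!@#$"]   # a real cracker knows thousands
KEYBOARD_COST = len(KEYBOARD_RUNS) * 2                       # x2 for upper/lower-case variants
ONLINE_RATE = 10.0      # guesses/s an attacker manages against a rate-limited live login (assumed)
OFFLINE_RATE = 1e9      # guesses/s against a leaked list of fast, unsalted hashes (assumed)


def charset_size(pw: str) -> int:
    """Alphabet size implied by the character classes present in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)      # 32
    if " " in pw:
        size += 1
    return size


def naive_guesses(pw: str) -> int:
    """Brute-force model: every string of this length over the observed alphabet.
    This is what composition policies assume, and why 'qwerQWER1234!@#$' looks strong."""
    return charset_size(pw) ** len(pw)


def _candidates(pw: str, i: int, alphabet: int):
    """Yield (length, guesses) for each token an attacker could try at position i."""
    rest = pw[i:]
    low = rest.lower()
    for word in WORDLIST:
        if low.startswith(word):
            yield len(word), DICT_SIZE
    for run in KEYBOARD_RUNS:
        if low.startswith(run):
            yield len(run), KEYBOARD_COST
    digits = len(rest) - len(rest.lstrip(string.digits))
    if digits:
        yield digits, 10 ** digits
    if rest[0] == " ":
        yield 1, 1                       # a separator between words costs nothing to guess
    yield 1, alphabet                    # fallback: one genuinely random character


def pattern_guesses(pw: str) -> int:
    """Pattern model: split the password into dictionary words, keyboard runs,
    digit runs and leftover random characters, and multiply the guesses each
    token costs.  Greedy: the longest token wins, the cheapest on a tie.
    A real tool searches over all tokenizations; this one does not."""
    alphabet = charset_size(pw)
    total, i = 1, 0
    while i < len(pw):
        length, cost = min(_candidates(pw, i, alphabet), key=lambda lc: (-lc[0], lc[1]))
        total *= cost
        i += length
    return total


def seconds_to_crack(guesses: int, rate: float) -> float:
    """Expected time: on average the right guess turns up halfway through the space."""
    return guesses / 2 / rate


def humanize(seconds: float) -> str:
    for unit, size in (("centuries", 3.156e9), ("years", 3.156e7), ("days", 86400.0),
                       ("hours", 3600.0), ("minutes", 60.0)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def report(pw: str) -> dict:
    p, n = pattern_guesses(pw), naive_guesses(pw)
    return {
        "password": pw,
        "pattern_bits": round(math.log2(p), 1),
        "naive_bits": round(math.log2(n), 1),
        "online": humanize(seconds_to_crack(p, ONLINE_RATE)),
        "offline": humanize(seconds_to_crack(p, OFFLINE_RATE)),
    }


if __name__ == "__main__":
    for pw in ("qwerQWER1234!@#$", "!1cracked", "cracked7&",
               "udnkzdjeyhdowjpo", "seattleautojesterarbol", "52nd temper musk"):
        r = report(pw)
        print(f"{pw:24} pattern {r['pattern_bits']:5} bits  naive {r['naive_bits']:5} bits"
              f"  online {r['online']:>14}  offline {r['offline']}")
```

Under the pattern model the three-word phrase costs 7776³ ≈ 2^38.8 guesses: a few minutes against leaked fast hashes at a billion guesses a second, but centuries against a login that only accepts ten guesses a second. The keyboard-walk password that satisfies every composition rule collapses to about 2^13 guesses. Any “time to crack” figure is only as good as the attacker model and guess rate it silently assumes, which is worth keeping in mind when reading a number like “17 centuries”.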

However, the overall idea is interesting. Instead of saying how passwords should be formed, he is suggesting that they should be assessed in terms of how long they would take to crack. I have a few issues with that …

First comes a glance at the Verizon Data Breach Investigations Report 2012, which tells us that “Brute force & dictionary attacks” are a reducing technique (although still at 29% a useful one). Their fuller results table for the Hacking mechanism shows :-

  • 55% — Exploitation of default or guessable credentials
  • 40% — Use of stolen login credentials
  • 29% — Brute force & dictionary attacks
  • 25% — Exploitation of backdoor or command & control channel
  • 6%  — Exploitation of insufficient authentication (e.g. no login needed)
  • 3%  — SQL injection
  • 1%  — Remote file inclusion
  • <1% — Abuse of functionality
  • 4%  — unknown

So having a “stronger” credential takes us out of the first 55% category — but so did even a weak password policy. Inside the 29% is still the best place to find password cracking carried out.

There are of course two main approaches to password cracking — online and offline. The Verizon stats don’t differentiate between the two, but I’m sure that online (where you just try credentials against the live service) is more common, because it is the easiest. In order to exfiltrate a stored password database, you have to have penetrated the organisation already, to some extent, and at that stage the password db is just an additional weapon.

Online password cracking should be dealt with by account lockout and retry delays: an attacker should not be able to test more than a small handful of candidate passwords before the source of the attempts is blocked at the network level and the target accounts are locked. (At this point you have to stop and consider your account lockout procedures: if your response is to send a “reactivate” link over external email, how do you verify that it isn’t an attacker who is reading the target’s mailbox?)

So instead of instituting a password policy, even one that selects by measured strength rather than by composition rules, you would be better off making sure that attackers can’t keep knocking at the door all day long without being detected and blocked.
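As an added example (not the post’s code, and not a description of any particular product), here is a small login guard implementing the controls just described: an exponential retry delay per account, a per-account lockout, and a per-source block across all accounts, run over a constructed stream of attempts. The thresholds, the RFC 5737 documentation addresses and the account names are assumptions made for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Policy:
    # Assumed thresholds for illustration; tune to the service and its user population.
    account_lock_after: int = 5     # consecutive failures before the account is locked
    source_block_after: int = 20    # failures from one source, across all accounts, before it is blocked
    base_delay: float = 1.0         # seconds before the next attempt on an account is accepted
    max_delay: float = 300.0        # the delay doubles per failure, capped here
    window: float = 900.0           # failures older than this many seconds are forgotten


@dataclass
class Attempt:
    t: float            # seconds; the stream is processed in time order
    source: str         # client address
    account: str
    password_ok: bool   # outcome of the real credential check, consulted only if the attempt is allowed


class LoginGuard:
    def __init__(self, policy: Optional[Policy] = None):
        self.p = policy or Policy()
        self.account_fails: Dict[str, List[float]] = defaultdict(list)
        self.source_fails: Dict[str, List[float]] = defaultdict(list)
        self.next_allowed: Dict[str, float] = {}
        self.locked: Set[str] = set()
        self.blocked: Set[str] = set()

    def _recent(self, times: List[float], now: float) -> int:
        times[:] = [t for t in times if now - t < self.p.window]
        return len(times)

    def check(self, a: Attempt) -> str:
        # Refuse blocked sources and locked accounts *before* looking at the password,
        # so the response leaks nothing about whether the guess was right.
        if a.source in self.blocked:
            return "blocked"
        if a.account in self.locked:
            return "locked"
        if a.t < self.next_allowed.get(a.account, 0.0):
            return "too_fast"          # back-off still running: not evaluated, not counted
        if a.password_ok:
            self.account_fails.pop(a.account, None)
            self.next_allowed.pop(a.account, None)
            return "ok"
        self.account_fails[a.account].append(a.t)
        self.source_fails[a.source].append(a.t)
        n = self._recent(self.account_fails[a.account], a.t)
        self.next_allowed[a.account] = a.t + min(self.p.base_delay * 2 ** (n - 1), self.p.max_delay)
        if n >= self.p.account_lock_after:
            self.locked.add(a.account)   # unlocking is a separate, verified procedure, not a mailed link
        if self._recent(self.source_fails[a.source], a.t) >= self.p.source_block_after:
            self.blocked.add(a.source)
        return "bad_password"


ATTACKER, OWNER = "203.0.113.7", "198.51.100.5"   # RFC 5737 documentation addresses (constructed)


def sample_attempts() -> List[Attempt]:
    """Constructed stream: one source guesses one account, then sprays many accounts."""
    ev = [Attempt(t, ATTACKER, "alice", False) for t in (0, 1, 2, 3, 7, 15, 16)]
    ev.append(Attempt(20, OWNER, "alice", True))              # the real owner, correct password
    ev += [Attempt(30 + i, ATTACKER, f"user{i:02d}", False) for i in range(1, 16)]
    ev.append(Attempt(50, ATTACKER, "bob", False))
    ev.append(Attempt(51, OWNER, "bob", True))
    return ev


def simulate(attempts: List[Attempt], policy: Optional[Policy] = None) -> Tuple[LoginGuard, List[str]]:
    guard = LoginGuard(policy)
    return guard, [guard.check(a) for a in attempts]


if __name__ == "__main__":
    guard, decisions = simulate(sample_attempts())
    for a, d in zip(sample_attempts(), decisions):
        print(f"t={a.t:3.0f}  {a.source:13}  {a.account:7}  {d}")
    print("locked:", sorted(guard.locked), "blocked:", sorted(guard.blocked))
```

Two things in the output are worth noticing. The attacker gets five guesses at “alice” spread over fifteen seconds and then nothing, and after twenty failures the source is refused for every account. But the owner’s correct login at t=20 is also refused, because the attacker has locked the account: that availability cost is exactly why the unlock procedure matters, and why it must verify the person rather than just mail a link. Per-source blocking also needs care where many users share an address (NAT, a campus proxy), or one attacker behind it locks everyone out.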


Facebook Timeline – Now for Everyone!

Wednesday, January 25th, 2012 | Gene Teo

In 2011, Facebook introduced Timeline – a new profile layout emphasising photos, videos, and life events. From what I can see, Timeline has attracted surprisingly little opposition – it’s a versatile, clean design, and Facebook has obviously put a lot of resources into making it look good.

Facebook has just announced that Timeline (which was opt-in at first) will now be activated for everyone.

If you’ve held out until now, it’s time to act – you’ve got 7 days to preview and change what shows on your Timeline before it goes live. While Timeline activation doesn’t change your privacy settings, the new layout makes it easier for people who can see your profile to view historical events. Now would be a good moment to check for and remove any pictures that should stay private.

To change who can see your pictures, go to your Facebook profile > Photos and click on the button at the bottom right of each album (what Facebook refers to as a “Privacy Dropdown”). See the screenshot below.

Privacy Dropdown for Facebook Photo albums

The blog post has more detail on how Timeline works – now would be a great time to check it out. While you’re doing that, why not double check your privacy settings?


Netograph

Thursday, December 8th, 2011 | Jim Cheetham

Dunedin-based security researcher Aldo Cortesi has just launched Netograph, a project that analyses the data websites store on your machine when you visit them.

It reports on the off-site resources that make up a page, such as remote images and third-party JavaScript. It also identifies persistent storage in the form of browser cookies, HTML5 local storage and Flash local shared objects.

Sample Netograph website report

Plugins are available for Chrome and Firefox that let you preview the Netograph report for a site before visiting it. Currently the project is scanning all links mentioned in submissions to Reddit, Hacker News, Delicious, Pinboard, and Digg.
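As an added example (not Netograph’s code) of the first half of that analysis, here is a parser that lists the off-site hosts a page would load resources from, grouped by host and tag, run against a constructed page that uses reserved documentation domains. It only sees what is in the markup: cookies, HTML5 storage and Flash objects written at runtime need a real browser, which is what Netograph drives. The domain grouping is a naive last-two-labels guess, not a public-suffix lookup, and is labelled as such in the code.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs through which a page pulls in off-site resources.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "embed": "src",
                  "source": "src", "object": "data", "link": "href"}
LINK_RELS = {"stylesheet", "icon", "preload", "prefetch"}   # <link> rels that actually fetch something


class ResourceCollector(HTMLParser):
    """Collects (tag, absolute URL) for every resource reference in the markup."""

    def __init__(self, page_url: str):
        super().__init__()
        self.base = page_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "base" and a.get("href"):
            self.base = urljoin(self.base, a["href"])   # later relative URLs resolve against it
            return
        if tag == "link" and not (LINK_RELS & set(a.get("rel", "").lower().split())):
            return                                       # e.g. rel=canonical fetches nothing
        attr = RESOURCE_ATTRS.get(tag)
        if attr and a.get(attr):
            self.found.append((tag, urljoin(self.base, a[attr])))


def site_of(host: str) -> str:
    """Crude registrable-domain guess: the last two labels.  Assumption: no public
    suffix list, so 'shop.example.co.uk' would be grouped under 'co.uk'."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def third_party_report(page_url: str, html: str) -> dict:
    """Map third-party host -> tag -> set of URLs the page would load from it."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    first_party = site_of(urlsplit(page_url).hostname or "")
    report = defaultdict(lambda: defaultdict(set))
    for tag, url in collector.found:
        host = urlsplit(url).hostname
        if not host or site_of(host) == first_party:
            continue                                      # own site, data: URIs, and so on
        report[host][tag].add(url)
    return {h: dict(tags) for h, tags in report.items()}


# Constructed sample page on reserved documentation domains (not a real site).
PAGE_URL = "https://www.example.org/index.html"
SAMPLE_PAGE = """
<html><head>
<link rel="canonical" href="https://mirror.example.com/index.html">
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="https://fonts.example.net/css?family=Roboto">
<script src="//analytics.example.com/ga.js"></script>
<script>var inline = 1;</script>
</head><body>
<img src="https://cdn.example.org/logo.png">
<img src="data:image/gif;base64,AAAA">
<img src="//pixel.example.net/p.gif?id=1">
<iframe src="https://ads.example.com/frame.html"></iframe>
<script src="https://analytics.example.com/ga.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for host, tags in sorted(third_party_report(PAGE_URL, SAMPLE_PAGE).items()):
        for tag, urls in sorted(tags.items()):
            print(f"{host:24} {tag:7} {sorted(urls)}")
```

The report for the sample page names four outside hosts (a font CDN, an analytics script, a tracking pixel and an advertising iframe) and ignores the first-party CDN, the inline script, the canonical link and the data: URI. Running it over a saved copy of a page you are about to visit gives a quick answer to the question the post raises: who else learns that you were there.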

Privacy Monitor

Wednesday, December 7th, 2011 | Jim Cheetham

The Information Security Office is dreaming of a White Christmas this year.

Especially now that we have a Privacy Monitor …

Following on from a post that showed how to hack an old LCD monitor by removing the polarised film and re-inserting it into a pair of glasses, we did pretty much the same thing to create our Christmas decorations this year :-

Porn and gore posted to Facebook? [updated 21 Nov 2011]

Wednesday, November 16th, 2011 | Gene Teo

Update (21 Nov 2011, 12:54pm NZST): This may be caused by malicious JavaScript that people are being tricked into copying and pasting into their browser’s address bar.

Many reports are surfacing that pornographic or disturbing images are appearing on Facebook, via news feeds. On Facebook, a news feed is a list of someone’s activity that is seen by their friends (or the entire internet, for posts that are public).

Often, these events are caused by inadvertently giving a malicious Facebook application permission to post on your behalf. People are tricked into doing this by clicking on a link that promises something else, like a free iPad.

The Sophos blog post about this problem suggests that the people whose news feeds have been hijacked don’t seem to be aware of what is being posted under their name. As far as I can tell, it’s impossible to hide a post from the person who posted it – you should always be able to see what you, or any apps you’ve authorized, are posting. Just click on your name at the top right of the Facebook page to see what is in your news feed.

To revoke permissions from any rogue Facebook applications, click the down arrow at the top right, then go to Account Settings > Apps.

Survey results: Social Networking Security & Privacy

Wednesday, October 19th, 2011 | Jim Cheetham

Barracuda Labs have released their 2011 survey on the Security & Privacy issues in Social Networking.

You can view the infographic version of the report, which presents findings like

  • One in five people has been negatively affected by information that was exposed on a social network.
  • Nine out of 10 people have received spam, and one in four have received a virus or malware, on a social network.

Let’s be careful out there!

Understanding Facebook Privacy settings

Tuesday, October 11th, 2011 | Gene Teo

It’s not exactly well-publicized, but Facebook have lots of information about the privacy settings and features that you can apply to your Facebook account.

A quote from one of the documents:

Facebook is designed to make it easy for you to find and connect with others. For this reason, your name and profile picture do not have privacy settings. If you are uncomfortable with sharing your profile picture, you should delete it (or not add one).


Google+ is the new Twitter

Monday, August 8th, 2011 | Gene Teo

Google+ (also called Google Plus) does “tweets” better than Twitter. Your post can be as long or as short as you like, and include pictures, links, videos, and location information. You can make the post public, or limit it to a subset of people in your various circles.

You can edit posts or delete them entirely if you change your mind. There are also options to prevent re-sharing or comments.

Twitter should be very, very afraid.