Showing posts with label security culture. Show all posts

National Cyber Security Awareness Week

It's National Cyber Security Awareness Week this week (6–11 June).

From the website:
National Cyber Security Awareness Week is an annual initiative of the Australian Government held in partnership with industry, community and consumer groups and state and territory governments.

It is designed to raise awareness among Australians of cyber security risks and simple steps they can take to protect their personal and financial information online.

National Cyber Security Awareness Week 2010 is from 6 to 11 June. It will promote six easy tips for better online security:

1. Install security software and update it regularly.
2. Turn on automatic updates so that all your software receives the latest fixes.
3. Get a stronger password and change it at least twice a year.
4. Stop and think before you click on links or attachments.
5. Stop and think before you share any personal or financial information about yourself or your friends and family.
6. Know what your children are doing online. Make sure they know to stay safe and encourage them to report anything suspicious.

Security the Amex way

While there are arguments against the effectiveness of PCI-DSS (Payment Card Industry Data Security Standard) compliance, it's going nowhere soon.

With that in mind, a recent article caught my eye about how one of the big credit card companies handles its own Information Security.

Some gems from the Amex response:

"I would like to inform you that our website has a 128 bit encryption. With this base, passwords that comprise only of letters and alphabets create an algorithm that is difficult to crack."

This is one I've encountered before, where transport-layer security is confused with authentication security. Their website could have 128,000-bit encryption; it won't help them when I guess your password is 123456.

"We discourage the use of special characters because hacking softwares can recognize them very easily."

More easily than non-special characters? Wow.

"The length of the password is limited to 8 characters to reduce keyboard contact. Some softwares can decipher a password based on the information of 'most common keys pressed'.

Therefore, lesser keys punched in a given frame of time lessen the possibility of the password being cracked."

Would that not mean a single character password was even more secure?

Scary. Although a friend did comment, "Well at least they have a password policy!"
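The gap between transport encryption strength and password strength that the commentary above points at, as an added example (not code from the original post or from Amex). The 6-character minimum, the longer comparison policy and the short common-password list are constructed assumptions.

```python
import math
import string
from dataclasses import dataclass

TLS_KEY_BITS = 128  # the "128 bit encryption" from the quoted reply

# Constructed sample standing in for a real common-password list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "abc123", "letmein"]


@dataclass(frozen=True)
class Policy:
    alphabet: str
    min_len: int
    max_len: int

    def allows(self, pw):
        """True if pw satisfies the length and character-set rules."""
        return (self.min_len <= len(pw) <= self.max_len
                and all(c in self.alphabet for c in pw))

    def keyspace_bits(self):
        """log2 of the number of distinct passwords the policy permits."""
        total = sum(len(self.alphabet) ** n
                    for n in range(self.min_len, self.max_len + 1))
        return math.log2(total)


def effective_bits(pw, policy):
    """Upper bound on the guessing work for pw, in bits.

    A password on the common list is reached after at most its list
    position in guesses, whatever the policy's full keyspace is.
    """
    if not policy.allows(pw):
        raise ValueError("password violates policy")
    if pw in COMMON_PASSWORDS:
        return math.log2(COMMON_PASSWORDS.index(pw) + 1)
    return policy.keyspace_bits()


ALNUM = string.ascii_letters + string.digits
QUOTED = Policy(ALNUM, 6, 8)  # max 8, no specials; min 6 is an assumption
LONGER = Policy(ALNUM + string.punctuation, 12, 16)  # constructed comparison

if __name__ == "__main__":
    for name, p in (("quoted", QUOTED), ("longer", LONGER)):
        print(f"{name}: {p.keyspace_bits():.1f} bits vs {TLS_KEY_BITS}-bit transport key")
    print("123456 under quoted policy:", effective_bits("123456", QUOTED), "bits")
```

Neither policy reaches the strength of the transport key, and a policy-compliant password that sits on a common list contributes essentially nothing regardless of how the connection is encrypted.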

Airport Security Antics

Not strictly Information Security, but certainly pertaining to organizational security culture: News.com.au ran a story today that just makes me sad... or is that mad? Or both?

A security gate at Dubbo Airport has been found to have the access pin number to a printed out and stuck above the keypad.

According to the article, Government officials will review security at Dubbo airport next week. I wonder what else they'll find?

Something this blatantly idiotic is a sign of a generally poor (or non-existent?) security culture. Sure, you may have one 'helpful' person who decides to post the PIN number (along with the helpful "please touch pad softly" message), but for others using the gate to not step in and remove the sticker is a worrying sign. Some more of those airport security dollars may need to be spent on basic staff security awareness and less on security theatre like confiscating nail clippers but not cigarette lighters...