Guest lecture to UKZN 2014 MBA Class : Security & Ethics

Posted on August 24, 2014

In this past week I once again had the pleasure of speaking with the UKZN MBA Class. It is always a pleasure to speak to a large group of some of the brightest minds in KZN. Unlike other presentations, these sessions are normally quite interactive and the class willing to share their ideas, experiences and questions.

What stands out for me in this set of discussions were three key diversions.

1. Bank fraud, and the divergence in opinions between the bank representatives and victims (customers)

There is always a lot of interest in, and debate over, on-line frauds as they affect individuals. We all know someone, if not ourselves, who has been hit through some kind of bank fraud. In the class were a number of (un-named) employees of various (nameless) banks. They were adamant that the banks do their utmost to refund their customers in the event of fraud. The victims, however, had the polar opposite view and experience. They contended that the banks make it difficult to get your money back, denying, obstructing and delaying in the process while the victim suffers through not having access to the affected funds. For a bank dealing with hundreds of thousands of affected customers and millions in losses, a month may be a short period to resolve such an incident. For a victim needing access to their funds, a month is a payday away, and that money could mean the difference between being able to pay your bills or defaulting.

2. Online identities (and password management)

Online identities are increasingly becoming integrated with your professional life. When being hired more and more organisations scan these to see whether they wish to employ you. Whether this is done as part of the background checks (for which prospective employees normally sign permission) or through other means varies. However, needing to take control of and responsibility for your on-line identity is important. Also don’t forget about your children. They may not yet comprehend the gravity of the situation, and could be creating a fun-filled but wholly undesirable persona that they come to regret later in life when they join the job market and are unable to control or erase their past sharings.

Related to this discussion was the age-old one of passwords and password re-use. The dangers of password re-use were discussed in detail, along with some schemes for password protection. The example given: someone uses the same password across all on-line services; the local camera club gets hacked and its usernames and passwords are revealed; those same passwords are used to log into Gmail; a Facebook “I lost my password” request results in the password being mailed to that Gmail account; and very quickly the entire on-line identity is stolen.

Some tips: use different passwords on-line, and at the very least don’t use your primary mail account password anywhere else. It is better to use a password manager on your mobile (LastPass, BlackBerry Password Keeper, etc.) than to re-use passwords. Also don’t use your phone address book to store passwords, bank PINs or account numbers. If you use an iPhone or Android phone, this information is generally synchronised to the cloud, so when that Gmail account is hacked the attacker also has your entire phone book without you ever knowing.

3. Return to old school

There was a comment / view put forward that, with all of the information security breaches and the discoveries of organisations and nation states lying to citizens about what is happening in this space, it would be better to return to the (golden) “olden days”. While that may appear to be the case, memory can be a strange thing. We often remember the good and forget the bad. Not so many years ago, when cheques were still in common use, cheque fraud was rife. The banks didn’t like to disclose information on fraud (and still don’t), but some of the stats I remember seeing flashed up at fraud conferences indicate that the fraud we are seeing now is just a fraction of what was experienced at the peak of cheque fraud. Social media and the online information era just increase the level and speed of information sharing. The fewer incidents that happen now are simply more widely reported and shared than ever before. Instances of misrepresentation and abuse by companies (and countries) are now more widely shared and reported; what is not clear is whether the actual occurrences are on the rise or just more visible.

We cannot go back in time; we need to move with the times. That said, a dose of healthy skepticism in all we are doing can only be a good thing. Ask questions until you are satisfied with the answers. You may choose to trust, but trust and verify; don’t trust blindly.

Finally

Embedded below is a link to download the slides. Thanks for attending the sessions and for participating.  Feel free to drop me any questions you may have (or leave them here).

Information Security and Ethics 2014 August 2014

 

Thanks Andrew for the invitation and facilitating the discussion.

 

Security considerations for Cloud Computing (ISACA publication)

Posted on October 13, 2012

ISACA has released their latest book on cloud computing, Security Considerations for Cloud Computing. Earlier in the week I received notification that my personal copy is with FedEx on its way to South Africa, one of the perks of being an expert reviewer on the panel for the publication.

Another publication in the Cloud Computing Vision Series, Security Considerations for Cloud Computing presents practical guidance to help IT and business professionals decide whether to move to the cloud. It enables effective analysis and measurement of risk through decision trees and checklists outlining the security factors to consider when evaluating the cloud as a potential solution.

Cloud computing is described in terms of five essential characteristics, three service models and four major deployment models. To ensure a common understanding, this publication describes each of these characteristics and models.

This guide is meant for all current and potential cloud users who need to ensure protection of information assets moving to the cloud.

If you are making any significant use of Cloud Computing I would recommend you get your hands on the publication. It’s free for members to download, otherwise $35 for a hard copy, $70 for non-members.


High volume banking spam purporting to be from FNB

Posted on June 28, 2012

I have received high-volume banking spam purporting to be from FNB for the last number of days. The only difference between these messages is the embedded link. Most are just URLs; some, though, have an x-apple-msg-load link in them.

Message and links below.

From : FNB (ibt@onlinedata.co.za)
Subject : Return on Charges

You are hereby notified that FNB is giving back all accumulated fees on taxable income that have been carried out over a period of one year. This is as a result of the new regulation imposed on banks by SARS. Please note that you have to follow the instructions below to the latter in other to ensure the funds is remitted into your account .

If you have an account with us, Kindly click here now.

Regards,
© 2012 FirstRand Bank Limited.
An Authorised Financial Services and Credit Provider (NCRCP20). All rights reserved.

I have received 10+ of these a day for the last week or more. I have removed the link from the above so it isn’t live. In the mails the link varies between a number of sites some of which are listed below:
http://sushilcheema.com/charge_deposit_fnb_paid2/index dot php
http://sushilcheema.com/charge_deposit_fnb_pays/index dot php
x-apple-msg-load://4CEA18FC-4FDA-4797-8DBD-F85A077F3B3D/
http://istudymedia.com/charge_deposit_fnb_paid4/index dot php
http://digitalarborist.com/charge_deposit_fnb_pays/index dot php
http://createemailcampaigns.com/charge_deposit_fnb_payee/index dot php

Has anybody else been flooded with these?
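As an added example (not from the post), a small Python triage script that encodes the tells this campaign shows: a display name claiming FNB with a sender domain that is not the bank's, links pointing at unrelated hosts, the shared charge_deposit_fnb_ path, and the non-web x-apple-msg-load scheme. The two sample messages are constructed, and fnb.co.za is assumed here as the bank's genuine domain.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains a brand legitimately mails from and links to. Assumption for this
# example: fnb.co.za stands in for FNB's real sending/linking domain.
BRAND_DOMAINS = {"fnb": {"fnb.co.za"}}

# Path fragment shared by every link in the campaign described in the post.
CAMPAIGN_PATH = re.compile(r"charge_deposit_fnb_", re.IGNORECASE)

# Constructed samples: the first mirrors the post's spam (links keep the post's
# " dot " defanging), the second is a made-up message from the genuine domain.
SPAM_SAMPLE = {
    "from": "FNB <ibt@onlinedata.co.za>",
    "subject": "Return on Charges",
    "body": "You are hereby notified that FNB is giving back all accumulated fees ...",
    "links": [
        "http://sushilcheema.com/charge_deposit_fnb_paid2/index dot php",
        "x-apple-msg-load://4CEA18FC-4FDA-4797-8DBD-F85A077F3B3D/",
    ],
}
LEGIT_SAMPLE = {
    "from": "FNB <noreply@fnb.co.za>",
    "subject": "Your statement is ready",
    "body": "Log in to FNB online banking to view your statement.",
    "links": ["https://www.fnb.co.za/statements"],
}


def refang(url: str) -> str:
    """Undo the ' dot ' defanging used in the post so the URL parses normally."""
    return re.sub(r"\s+dot\s+", ".", url, flags=re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Crude registrable-domain cut that keeps 'x.co.za'-style suffixes intact.
    Assumption: good enough for this example; use a public-suffix list in production."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in ("co", "org", "ac", "gov", "net") and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def classify(message: dict) -> list:
    """Return the reasons a message looks like brand-impersonation phishing.
    An empty list means no heuristic fired."""
    reasons = []
    display, addr = parseaddr(message["from"])
    sender_dom = registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    text = " ".join([display, message.get("subject", ""), message.get("body", "")]).lower()

    for brand, good_domains in BRAND_DOMAINS.items():
        claims_brand = brand in text
        if claims_brand and sender_dom not in good_domains:
            reasons.append(f"claims to be {brand.upper()} but sender domain is {sender_dom or 'missing'}")

        for raw in message.get("links", []):
            parsed = urlparse(refang(raw))
            if parsed.scheme not in ("http", "https"):
                # The x-apple-msg-load links in the post are not web links at all.
                reasons.append(f"non-web link scheme: {parsed.scheme}")
                continue
            link_dom = registered_domain(parsed.hostname or "")
            if claims_brand and link_dom not in good_domains:
                reasons.append(f"link host {parsed.hostname} is not a {brand.upper()} domain")
            if CAMPAIGN_PATH.search(parsed.path):
                reasons.append(f"link path matches known campaign pattern: {parsed.path}")
    return reasons


if __name__ == "__main__":
    for name, msg in (("spam", SPAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, classify(msg) or ["no heuristics fired"])
```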

The painful process of recovering from an Identity Theft

Posted on May 20, 2012

The last while has been a painful hassle filled experience. It seems that somebody (or bodies) stole my identity and opened accounts at Truworths and Identity in my name. They bought goods for thousands of rands, and of course never paid any of it back.

Then the phone calls and SMSs start, and they go on and on and on. They start by asking me for my personal information (which I refuse to give) and then proceed to tell me I owe this money, which I refute. They don’t listen to what I am saying, seem not to record it on whatever system they use to keep track of calls, and just keep calling and SMSing. I am on the stubborn side, so when these people tell me what I have to do (go to the police station, make affidavits, send copies of ID and proof of this and that) I simply say no: I have no contract with you, haven’t done any of this, so I am not doing your bidding. Perhaps a less than sensible approach, I’m not sure. Perhaps if the call centre agents did more this could be avoided.

This all came to a head a few weeks ago, I tried to take out a new cell phone contract and was then told that my request had been declined. I must call TransUnion ITC. This I then did and ended up with a less than satisfactory experience. The whole thing had now snowballed and I was listed for :

  • Debt owing to Truworths
  • Debt owing to Identity
  • A trace alert for some debt collection agent (acting on behalf of one of the above) who could not get hold of me (i.e. I refused to call them back in response to SMS’s sent to me) – the cheek of it!

On many calls to TransUnion ITC I found out that this is all governed by the National Credit Act. TransUnion representatives love to say that they operate in terms of this legislation and I must do X or Y in terms of it. However, once I had downloaded it and read it, and seen what my rights were in terms of the Act and how they were supposed to behave, I found that the representatives of TransUnion ITC actually hadn’t read the Act in their recent past, didn’t know the Act and couldn’t tell me why they hadn’t behaved in terms of it.

I also discovered that their supervisors take an awful lot of loo breaks and smoke breaks, and generally over the course of a Saturday morning/afternoon are never available when they should be, and that despite promises to have them call back they just don’t. Really bad customer service. Makes me wonder whether a) the call agents were covering for dudes who aren’t at work, or b) the supervisors don’t know how to deal with customers who ask awkward questions, so just don’t call back and then have the call agents lie to customers when asked. Either way, a pretty unsatisfactory situation.

Download yourself a copy of the National Credit Act of 2005 here. You can also visit the site of the National Credit Regulator (NCR) here.

Some key extracts here :

62. Right to reasons for credit being refused

62. (1) On request from a consumer, a credit provider must advise that consumer in writing of the dominant reason for- (a) refusing to enter into a credit agreement with that consumer;
(2) When responding to a request in terms of subsection (1), a credit provider who has based its decision on an adverse credit report received from a credit bureau must advise the consumer in writing of the name, address and other contact particulars of that credit bureau.

All credit to Makro here, they provided me with immediate verbal feedback on the fact that my credit had been rejected on the basis of an adverse report from TransUnion ITC, and even gave me the (wrong) phone number for them. They tried to be very helpful. Any credit provider rejecting you has to tell you why, if they won’t, insist on it.


66. Protection of consumer credit rights

66. (1) A credit provider must not, in response to a consumer exercising, asserting or seeking to uphold any right set out in this Act or in a credit agreement –
(a) discriminate directly or indirectly against the consumer, compared to the credit provider’s treatment of any other consumer who has not exercised, asserted or sought to uphold such a right;
(b) penalise the consumer;

This one is interesting. I have yet to go back to a credit provider after having filed all the documentation so haven’t yet had a need to do this. The consultant at TransUnion ITC did advise me however that I shouldn’t bother trying to take out a contract while a dispute was underway, as although the law says it can’t be held against me, I won’t be given credit. Mmmm, more on this later.


70. Credit bureau information

70(2) A registered credit bureau must-

(a) accept the filing of consumer credit information from any credit provider on payment of the credit bureau’s filing fee, if any;
(b) accept without charge the filing of consumer credit information from the consumer concerned for the purpose of correcting or challenging information otherwise held by that credit bureau concerning that consumer;
(c) take reasonable steps to verify the accuracy of any consumer credit information reported to it;
(i) not knowingly or negligently provide a report to any person containing inaccurate information.

Point (c) above says that TransUnion should take reasonable steps to verify the accuracy of information reported to it. When I asked them what they had done to verify information, they said they had done nothing. Since the info was provided by “reputable” companies they don’t check anything. I’m pretty sure that this is not in accordance with the letter or spirit of (c) above. Further, now that I have lodged a complaint against the false information against my name, if they provide any incorrect information to another credit provider then I am pretty sure they will be acting contrary to clause (i) above too.

72. Right to access and challenge credit records and information

72. (1) Every person has a right to-
(a) be advised by a credit provider within the prescribed time before any prescribed adverse information concerning the person is reported by it to a credit bureau, and to receive a copy of that information upon request;
(c) challenge the accuracy of any information concerning that person-
(i) that is the subject of a proposed report contemplated in paragraph (a); or
(ii) that is held by the credit bureau or national credit register, as the case may be, and require the credit bureau or National Credit Regulator, as the case may be, to investigate the accuracy of any challenged information, without charge to the consumer; and
(d) be compensated by any person who reported incorrect information to a registered credit bureau or to the National Credit Register for the cost of correcting that information.

(3) If a person has challenged the accuracy of information proposed to be reported to a credit bureau or to the national credit register, or held by a credit bureau or the national credit register, the credit provider, credit bureau or national credit register, as the case may be, must take reasonable steps to seek evidence in support of the challenged information, and within the prescribed time after the filing of the challenge must-
(a) provide a copy of any such credible evidence to the person who filed the challenge, or
(b) remove the information, and all record of it, from its files, if it is unable to find credible evidence in support of the information, subject to subsection (6).

(5) A credit bureau or the National Credit Register may not report information that is challenged until the challenge has been resolved in terms of subsection (3)(a) or (b)

Section 72(1)(a) says the credit providers are supposed to notify me that they are blacklisting me and give me a copy of the information. They never did this. Perhaps they sent it to the fraudulent person; however, I don’t live at that fake address. I own a house, the details of which would be on my credit record since I still have a bond on it. Surely they can put two and two together. Seems they couldn’t be bothered. Either they skip that step, or they do just enough to cover themselves without actually doing what is intended.

In terms of the above, I had to lodge a challenge (c), which I did. TransUnion required copies of my ID, Proof of address, three copies of my signature, and an affidavit from the local police station stating that I did not incur the debt. I did all of these, still waiting for the 20 working day period to receive confirmation that it has now been removed. In this 20 days it will be up to Truworths and Identity to provide evidence to the contrary. Let’s see how this plays out.

Section (5) above is also interesting. In terms of this, TransUnion can’t report any of the challenged information until such time as the challenge is resolved. Great, since I am challenging the adverse reports on my credit record, my record must then be clean, right? Wrong, or so it seems. Despite the clause above, the friendly consultant happily told me about the “get out of jail free” mechanism that the credit bureaus and credit providers have dreamed up. So, since the bureau can’t tell the provider about the issues under dispute, they simply “block” the whole account by telling the provider it has been “flagged” as in dispute. What? Yep, that’s right. Since I have challenged the false information against me, my credit record is now flagged in such a way that I can’t get credit. Seems pretty damned unfair to me. Other than being against the spirit of section (5) above, it also seems to be against Section 66(1)(b), which says that I shouldn’t be penalised for exercising my rights in terms of the Act.

After lodging all my documentation, it took TransUnion a couple of days to process the documentation faxed through. So much for being able to apply again the next day. I received a confirmation SMS that the “trace” against me had been removed. Though I neglected to say above that it took a 15-minute argument with a call centre agent and a discussion with their supervisor, pointing out the clauses above, and again pointing out that I had the right to dispute anything on my record and that they had a duty to check the accuracy of information, before they would agree to remove the trace.

When I get time (probably next weekend) I will try and apply again for credit. Partly because I am trying to get rid of Vodacom as a service provider (see earlier posts) and partly because I am curious to see if TransUnion ITC are actually blatantly breaking the law as their call centre agents seem to be implying.

I am interested in hearing from others who may have had similar experiences. Just how widespread is this? And what has your experience been with both the credit providers and TransUnion ITC?

P.S. I am still waiting for that supervisor to call back 2 weeks later. That’s a terribly long toilet break, perhaps somebody should be sending a search and rescue team, he must be pretty constipated in there.

P.P.S. I am not a lawyer. I have listened to people from various service providers and read the law (quoted above), which seems to be more than I can say for them. They may well have a whole bunch of lawyers who are smarter than I, and found ways around the law, or are just taking a chance that most consumers don’t have a copy of the law and wouldn’t have read it. Still, read it for yourself, and if you are acting on the above in a way which is going to prejudice you, rather consult a lawyer first.

 

Oops Vodacom, minor privacy violation occurred (updated, Vodacom response)

Posted on September 02, 2011

Tonight I picked up my Vodacom statement/invoices from the Post Office. A few weeks late, my delay not the post office. Inside were the statement and invoices for the 3 phones I have with Vodacom (all good) and the invoice and itemised billing for one Dear Doctor (name withheld). Oops.

So this (minor?) mistake gives me this (previously unknown to me) person’s name, address, phone number, and details of all the calls they have made in the last month. This most certainly constitutes a privacy breach as well as violation of the Protection of Personal Information Act (which is not yet law). It would be interesting to ask the good doctor how he/she feels about their information being disclosed to me.

This also gets me wondering how often such “incidents” happen and what Vodacom (or any other service provider) does when these mistakes happen. If I tell them the details, will they at least be so kind as to let the good doctor know? Interesting question indeed. If you have experienced similar incidents in the past, please share. I am curious as to how often this happens. In the 15 years of being a Vodacom customer this is the first time I have experienced this problem, so using some simple (and statistically unsound) extrapolation, 1 / (15*12) = 0.5555% per month. I couldn’t find recent stats on how many customers there are, but found a figure of 1.4 million in June 2004. Let’s assume this has grown to 2 million by now (could be way more). Apply our disclosure percentage, and we have 11,111 (eleven thousand one hundred and eleven) subscribers’ information being accidentally disclosed every month. That’s rather scary.

Questions for Vodacom : 

1. What is the real number ?

2. What does Vodacom do when they mess up like this?

Care to provide us with some answers?

 

Dear Readers,

If this was your information that had been provided to me, what would you want me to do with it?

  1. Destroy the page and tell no-one?
  2. Report it to Vodacom and let them deal with it?
  3. Drop you a call/sms so you could take it up with them?
Please share your thoughts.
Update 3/9/2011 4pm:

Vodacom picked up on the tweet of this article (@uyspj on the ball as usual) and tried to call me this afternoon. Unfortunately I missed the call and no return number was left. They then communicated via twitter, obtained an email address and we are trying to organise a time to talk on Monday.

The email indicated that this is an isolated incident and that no such incident has been reported before. Glad to see them taking this seriously.

Update 6/9/2011 8:30am: Vodacom responds

Vodacom was in regular contact with me yesterday. I provided the account number of the affected Dr and they investigated the circumstances around the issue, as well as contacted and apologised to the affected parties (according to them).

Per an email I received this morning, Vodacom explained the cause of the problem as follows :

” The miscellaneous error crept in due to the manual insertion of an Internet tariff brochure to some of our data customers which was a deviation from our normal automated billing run. Because some bills had to be picked out of the process and manually put into envelopes, this is where the problem occurred. Please be assured that this was an isolated incident and that this is certainly not a recurring problem.

We do thank you for alerting us to this particular incident and would like to apologise to you for it, as we will also do with Ms xxxxx (name removed by me).”

This explanation is believable given my original observation that I have been a Vodacom customer for around 15 years and this is the first such incident. Good to see Vodacom responding so promptly, investigating, coming up with the answers and sharing them with the affected parties.

Once again, @uspj is on the ball. I am really impressed by his commitment to customer service and keeping his finger on the pulse, and handling it personally.

Sony PlayStation Network hacked, the mea culpa letter and some tidbits

Posted on April 29, 2011

Update :

So now it turns out that Sony have been hacked again, this time it is the turn of Sony Online Entertainment (SOE), the publishing division responsible for maintaining Sony’s numerous online gaming titles, like EverQuest, EverQuest II, DC Universe Online and Free Realms. This affects 12,700 credit card numbers and 24.6 million accounts, including accounts in Austria, Germany, the Netherlands and Spain.

Read more here : Source: http://www.lazygamer.net/#ixzz1LIYYzCK4

A copy of the press release can be seen here : http://www.soe.com/securityupdate/

After the previous PR disaster Sony have been quicker to react this time around, their situation does however go from bad to worse.  The Sony PSN is supposed to be coming back online shortly, along with a few “freebies” to say sorry to all their users. If you are still willing to trust Sony with your info there may be some goodies in there that interest you (the specific ones available to SA haven’t been announced yet), and 30 days free use of PSN+.

Out of interest, there are over 100 000 SA users of PSN : http://www.maxconsole.net/content.php?45820-Revealed-PSN-account-numbers-broken-down-by-country

Original post :

After days of hearing about the Playstation network breach on Sky News and on various sites, and reading about it on various hacking sites, that elusive mea-culpa email finally arrived from Sony.

It says a lot without really saying it. We might have lost your credit card details? Watch your statement?

This really isn’t good enough. Currently being out of the country for a few days, having to cancel a credit card and get another issued would be a real pain, apart from being rather expensive. There is no talk of compensation for loss in the mail, but then I guess if you have managed to “lose” the details of millions of customers that could be a rather expensive exercise. My card replacement fee is in excess of R150. 7 million x R150 = over R1 billion just for card replacement fees, before any fraud claims. Expensive mistake? Sony do claim that the database had an encrypted table of credit card details, with no CVV numbers or expiry dates, so perhaps the risk of widespread abuse is not all that high.

It shall be interesting to watch what happens from here on in, and to see how the class action suits already being filed play out. Sony has already lost a lot of support and goodwill with the “OtherOS” fiasco and the GeoHot saga, neither of which is really satisfactorily resolved.

Out of interest, it seems that when Sony first found out about the hack, it was more in the context of people being able to access paid for content without paying. Seems they had insecure methods of requesting that content, and the changing of a simple flag meant you didn’t need to pay. Hackers had produced custom firmware for the PS3 which allowed these changes to be made. It seems that there wasn’t a whole lot of security in the client/server requests. Read some of these here on IRC logs. No certainty on the validity, but sounds plausible enough.
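The weakness described above, a server that believes a client-supplied “paid” flag, is the classic trust-boundary mistake. As an added illustration (constructed example, not Sony’s code), here is a minimal content handler in the vulnerable form beside the hardened one, which ignores every client claim and checks a server-side entitlement record for the account bound to the authenticated session; the entitlement table and request shape are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data, assumed to be written by the purchase flow at the
# time of payment: acct-1 bought game-42, acct-2 has bought nothing.
ENTITLEMENTS = {"acct-1": {"game-42"}, "acct-2": set()}


@dataclass
class Response:
    status: int
    content: Optional[str] = None
    tamper_suspected: bool = False


def serve_vulnerable(request: dict) -> Response:
    """Trusts the client's own 'paid' flag. A modified client that sets paid=1
    receives the item even though no purchase record exists anywhere."""
    if request.get("paid") == 1:
        return Response(200, f"payload for {request['item']}")
    return Response(402)


def serve_hardened(request: dict, session_account: str) -> Response:
    """Decides purely from server-side state. The account id comes from the
    authenticated session; any 'paid' or 'account' field in the request body
    is ignored because the client controls it."""
    item = request.get("item")
    owned = ENTITLEMENTS.get(session_account, set())
    if item in owned:
        return Response(200, f"payload for {item}")
    # A request asserting paid=1 for an item the account never bought is a
    # tamper signal worth logging and alerting on, not a reason to deliver.
    return Response(403, tamper_suspected=request.get("paid") == 1)


def tamper_report(requests: list, session_account: str) -> int:
    """Count requests in one session that claimed payment without an entitlement."""
    return sum(serve_hardened(r, session_account).tamper_suspected for r in requests)


if __name__ == "__main__":
    forged = {"item": "game-42", "paid": 1, "account": "acct-1"}
    print("vulnerable:", serve_vulnerable(forged))            # delivers
    print("hardened as acct-2:", serve_hardened(forged, "acct-2"))  # 403, tamper flagged
```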

Mocking of Sony abounds on the net (Source: tweet by @mxatone (Thomas Garnier) : http://img.clubic.com/04217086-photo-hack-psn.jpg):

Would you like to download some credit card details?

For those of you who didn’t get the mail (lucky you), here it is :

This is an email from Sony Computer Entertainment Australia Pty Ltd. If you can’t see the images in this email, please click here (link removed)

Valued PlayStation Network/Qriocity Customer:

We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:

  • Temporarily turned off PlayStation Network and Qriocity services;
  • Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
  • Quickly taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information.


Standard Bank phishing attacks

Posted on August 16, 2010

Over the last few weeks I have been getting emails “from” Standard Bank on a regular basis, probably one or two a week. Today I received two more. I am not a Standard Bank customer, so it is immediately obvious that they must be fake. Perhaps a little less so for those who bank with Standard Bank? Both of these mails look a little different, originate from different email addresses, and have slightly different profiles. Standard Bank (or someone) is on the ball (thankfully), as when I tried to follow up on the mails to see how the attacks were working both had been blacklisted with Firefox/Mozilla as phishing sites, and the offending pages had also been removed. There was one a few weeks back that had not yet been blocked at the time I tried to access it, so I have a little more info on that attack, which I will post as an update when I get a chance (probably only on the weekend).


Sophos mid-year 2010 Security Threat Report

Posted on August 03, 2010

IT security company Sophos has released its mid-year 2010 Security Threat Report. The report provides some insight into Cybercrime as well as other IT security trends and developments for the first half of 2010.

The report provides a short history and background to the cybercrime economy, then covers some notable arrests and sentences over the last 12 months, making for interesting reading. Of particular interest is the rather “tolerant” attitude of those surveyed to government cyber-crime activities.

Some thoughts around social media as an attack vector are also explored, as well as some insights into the threats to the major mobile platforms (iPhone, Blackberry, Android).

The report also provides details on the top malware/spyware hosting countries for January to June 2010.

Download the PDF copy of the full report here.

Reports on DLP, Service Auditor Standard & Social Media Security

Posted on August 02, 2010

Social Media:  Business Benefits and Security, Governance and Assurance Perspectives (ISACA)

This week, ISACA released a white paper outlining the five biggest risks posed by social media in the workplace, and how to manage them without banning the technology. The download page also includes links to a number of other useful reports on social media by Forbes, Enisa, Web-strategist, and socialmediagovernance.com.

Download the ISACA report here

New Service Auditor Standard (Replacing SAS70) : A User Entity Perspective (ISACA)

The International Auditing and Assurance Standards Board (IAASB) and the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) have recently approved new standards for reporting on controls at a service organization with a truly global constituency in mind. Under the approach adopted by the IAASB and the ASB, Statement on Auditing Standard No. 70 (SAS 70) will be replaced by two new standards:  an attestation standard that will guide service auditors in the conduct of an examination of, and the resulting reporting on, controls at a service organization and an auditing standard that will guide user auditors in consideration of internal control when processing is performed by a service organization. While these new standards are intended to be a communication from the service auditor to the user independent auditor that permit a user entity independent auditor to fulfill auditing requirements, management at user entities also has recognized its responsibility for designing and implementing internal control over financial reporting, whether performed internally or by a service provider, and acknowledged the benefits of SAS 70 reports as part of their risk management, vendor management or regulatory compliance processes. This paper will address the changes in the new standards and will focus on providing management of user entities with valuable practical guidance on their responsibilities to help ensure that they are ready for the changes.

Download report here

The 2010 Data Loss Prevention Report (Aberdeen Group)

Aberdeen Group has temporarily made its 2010 data loss prevention report available for free download.

Report Intro:

Companies achieving top results successfully use content-aware technologies to identify sensitive data across multiple channels, and to invoke a range of remediation options to enforce established security policies. In doing so, they reap the substantial benefits of fewer incidents of data loss or data exposure, fewer audit deficiencies, and lower operational cost.

Download from here

Help out an MBA student by completing questionnaire on Phishing

Posted on July 23, 2010

I, RAJAN MUNIEN, an MBA student at the Graduate School of Business, University of KwaZulu-Natal, hereby invite you to participate in a research project entitled “Internet Phishing – Hook, Line and Hopefully not Sunk…”. The aim of this study is to gain a better understanding of online users' awareness of the problem of Internet Phishing (IP). Through your participation I hope to determine the level of awareness amongst users and to present a strategy for creating further awareness of the problem. The results are intended to contribute towards implementing an awareness programme that will prevent further users from becoming victims of the threat of Internet Phishing. Your participation in this project is voluntary. You may refuse to participate or withdraw from the project at any time with no negative consequence. There will be no monetary gain from participating in this survey group. Confidentiality and anonymity of records identifying you as a participant will be maintained by the Graduate School of Business, UKZN.

If you agree to the above and want to proceed to the questionnaire, please click on the link below. This survey will take you approximately 10 minutes to complete.

http://internetphishing.questionpro.com

If you have questions at any time about the survey or the procedures, you may contact the author hereunder:
Rajan Munien, Cell : 084 – 5800 176, email : rajan.munien@gmail.com

The lurking dangers hidden in .PDFs

Posted on June 13, 2010

A couple of days ago there was some noise around some nasty payloads being delivered through .PDFs. So, just in case you thought that opening a PDF file was safe, take a read of the blog post that Z0nbi put together on the actions of a spam PDF that he received:

“Today I was trawling through my Gmail spam folder like a good little mail monkey when I came across a rather strange bit of spam. Usually you just get rubbish about making your manhood the size of a small country or the latest twitter/gmail support/facebook AV malware. Most of the time I just ignore the messages due to them being very boring and not really worth a coffee and a few hours in Terminal… Today’s message was a little different. It was a very simple email with the subject line “New Resume” and one line in the body of the email saying “Please review my CV, Thank You!”. So, seeing as I have NO idea who the sender was and that there are no issues with the PDF format that I know of, I saved the PDF document to my desktop as I had a virtual machine I just knew the PDF would love immediately.”

Read the rest of his great post here
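The point of the post above is that a PDF is a container for active content, not just a page image. Before a "New Resume" attachment ever reaches a reader, a quick static triage can tell you whether it carries any of the PDF name objects that trigger actions (an /OpenAction that fires on open, a /JavaScript or /JS body, a /Launch of an external program, or an /EmbeddedFile to drop). The example below is added here to illustrate that triage; it is not code from the original post or from Z0nbi, and the two PDF byte strings are constructed, minimal documents rather than real samples. It also handles the one evasion that defeats a naive grep: PDF allows hex escapes inside names, so an attacker writes /Java#53cript and a reader still treats it as /JavaScript.

```python
import re

# Name objects that point to active content. Any of these in an unsolicited
# PDF is reason to open it only in a throwaway VM, or not at all.
RISKY_NAMES = (
    "/OpenAction",    # action executed when the document is opened
    "/AA",            # "additional actions": page open, mouse events, ...
    "/JavaScript",    # a JavaScript action
    "/JS",            # the script body itself
    "/Launch",        # launch an external program
    "/EmbeddedFile",  # an attached file (commonly a dropped executable)
    "/RichMedia",     # Flash / embedded media
    "/ObjStm",        # object streams, often used to hide the names above
)

# PDF lets a name contain #xx hex escapes: /Java#53cript == /JavaScript.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data: bytes) -> bytes:
    """Undo #xx hex escapes so obfuscated names match the plain spelling.

    This is applied to the whole file rather than only to name tokens,
    which is good enough for counting keywords but would not be for a
    full parser.
    """
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_keyword_counts(data: bytes) -> dict:
    """Count occurrences of each risky name object in raw PDF bytes."""
    text = normalise_names(data)
    counts = {}
    for name in RISKY_NAMES:
        # Stop at a non-name character so /JS does not match /JSFoo.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        counts[name] = len(re.findall(pattern, text))
    return counts


def is_suspicious(data: bytes) -> bool:
    """True when the file carries anything that can execute or drop content."""
    counts = pdf_keyword_counts(data)
    triggers = ("/OpenAction", "/AA", "/JavaScript", "/JS",
                "/Launch", "/EmbeddedFile", "/RichMedia")
    return any(counts[name] for name in triggers)


# Constructed sample: a one-page PDF with no actions at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same page, plus an OpenAction that runs a
# JavaScript action whose name is hex-escaped to dodge a plain grep.
MALICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /Java#53cript /JS (app.alert('opened');) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("malicious", MALICIOUS_PDF)):
        hits = {k: v for k, v in pdf_keyword_counts(pdf).items() if v}
        print(f"{label}: suspicious={is_suspicious(pdf)} hits={hits}")
```

To run it over a real attachment, pass the result of `open(path, "rb").read()` to `is_suspicious`. A zero count is not a clean bill of health: streams may be compressed (look for /Filter with /FlateDecode) or the whole file encrypted, in which case the names only appear after decoding, which is why a hit on /ObjStm alone is worth a second look even though it is not an action.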

Reminder : ISACA KZN Chapter meeting 17th June

Posted on June 13, 2010

Region: Durban, KZN
Date: 17 June 2010
Time: 2:30pm for 3pm
Topic : Compliance Services (Financial Risk Management) will be presenting: “Privacy – Protection of Personal Information”

See the original post for more details

Knowledge Cafe on the proposed Personal Information Protection Act and impact on CRM (Jhb)

Posted on May 27, 2010

CRM SIG EVENT

Date: Tuesday 8 June 2010, SAP Woodmead Offices (9am – 1:30pm)

We expect the Personal Information Protection Bill to be enacted later this year. The purpose of this act is to define personal information, align with international laws on data protection and regulate the use of personal information. Imagine the end of cold calling. Imagine knowing your rights when your information is misused.

The Bill introduces the new office of the Information Protection Regulator and in your organisation the Information Protection Officer. Do you know what the impact of this Bill will be on CRM in your organisation? Have you done an assessment to identify the personal information stored and processed? Are you ready for information with purpose and consent?

We have the privilege of Grant Brewer (E&Y Advisory Services) joining us to unpack the Bill and provide insights into what will be expected of CRM in our organisations.

Please join us in the CRM Knowledge Café in Woodmead for a conversation on the proposed Bill and CRM.

TIME     Conversation Menu
09h00 – 09h30     Registration & Refreshments
Starter
09h30 – 10h00     Privacy Matters, Grant Brewer – Head of Strategy and IT Advisory Services – Ernst & Young
10h00 – 10h10     In the Knowledge Café, Manti Grobler – SAP CRM Solution Manager
10h10 – 10h30     Conversation on Privacy Matters
10h30 – 11h00     Feedback
11h00 – 11h20     Break
Main
11h20 – 11h50     The 8 Core Information Protection Principles and you, Grant Brewer – Ernst & Young
11h50 – 12h15     Conversation on CRM and these Principles
12h15 – 12h45     Feedback
Dessert
12h45 – 13h15     Act Readiness, Grant Brewer – Ernst & Young
13h15 – 13h30     SIG & Saphila discussion, Warren Hero – CRM Chairman
13h30     Lunch

To Register Click Here

Should you have any problems registering for this event, please forward all details to juanita.schirmer@sap.com. The invite is also posted on the website.
