A while back I came across an article about a website that tries to reunite lost photos with their owners. People who come across cameras, memory sticks, or photos are asked to upload a few of them onto the site with information such as location, date, or other specific details that may be recognizable by the owner. These photos are public to everyone on the Internet and the goal of the website is for people to browse through the pictures and to connect the photographer back to the photos.

While I can appreciate the spirit of the site, as a security person, I'm very skeptical about introducing a found memory stick or photo memory card into my computer. As noted in the ISTR XIII, memory sticks (or USB thumb flash drives) represent a serious security concern...

Digging into our honeypots and spam-trap systems to look for malicious attachments is always an interesting exercise. We can identify different spam campaigns and map together malicious binaries by correlating attachments and filenames. Nevertheless, it's also funny to see how the bad guys are still trying to entice users to run executable attachments-pushing their creativity and social engineering skills to extreme levels. Invoices, contracts, delivery notices, and all types of tickets are travelling by mail everyday, hitting millions of mailboxes; all in the hope that a few users, sooner or later, will be fooled by a perfectly orchestrated malicious e-mail (yes, it does still work, and old tricks are always the best).

Just for fun, I tried to create a picture of the breakdown of the most common malicious spam campaign observed on a set of emails received during...

Security professionals understand the risks of social networks better than anyone. So, given the concerns they may have, do they actually use social networks? Earlier this year we surveyed 87 security administrators from companies in North America and Europe, from both large companies and small, in order to find out.

Our first discovery was that security administrators are not much different than anyone else-they do use social networks. In our survey, only 30% say they do not use social networks; however, they are cautious about them. They are concerned about the ability to separate work and private friends (60%). They want to make sure that "coworkers don't see my personal contacts." Some only use business related sites. Or, as once security admin put it: "I never mix anything like serious work and my social network."

It is not surprising that the vast majority will refuse an invitation they receive on a social network (70%). Why do they refuse a...

Tell me if this sounds like a familiar scenario. You’ve come up with a brilliant password – it’s strong, easy to remember, and you’ve finally mastered the finger gymnastics required to type it in quickly – only to find that the usage window, mandated by IT password policy, is up. So you come up with a new one, double it, add 32, and then subtract the letters from your mother’s maiden name. Only now IT requires you to include at least two punctuation characters, but that just throws the logic of your method right off.

Password creation is a constant dance between security and convenience, where good passwords that bridge the gap are hard to come by. On the one hand, strong passwords, changed on a regular basis, do reduce the likelihood of success for a wide range of attacks. On the other hand, if you make something too complex, you run the risk of forgetting it–somewhat ironic evidence of its security.