tssci security

What do your father's middle name, first car, and high school mascot all have in common?

My bank recently upgraded its architecture and web site, adding more features and "improved security." After logging in, I am directed to a page greeting me asking to update my account information and "security challenge questions." The drop-down menu of questions available (had to choose 5):

Wow, what a list! Surely all my friends know what car I drive and what our high school mascot is. A little research will tell them my father's middle name and asking around can come up with answers to several more questions. So how do you deal with such supposed "security," where it's required? Surely, I can't count on these questions protecting me... so here's a tip: Pick a question you will remember using, and choose an answer that has nothing to do with that question, but only you will know. For example,

  1. What is your father's middle name? A.) Dogbert
  2. What was the model of your first car? A.) Chess
  3. What month was your youngest sibling born? A.) 2112

The nicest part of the upgrade was the enhanced security:

I really like seeing the last time I was logged in on any system that I use, be it online banking or my web and database servers. It's like network security monitoring, or IDS... Unusual periods of activity should raise a red flag, and you should react accordingly to it.

The problem with Wikipedia:

I love xkcd, and I just had to share this comic with all of you. Sums up my experiences with Wikipedia entirely!

Courtesy: xkcd.com

Security Awareness Poster..

I made this poster back a couple years ago, telling users to think before they click. It shows a mouse pointer and "Format C:\" button with a red circle and a slash through it. (edit: click here for the *nix version) If anyone has some other sayings for it (I'm not great at coming up with catchy phrases), comment and I'll post a version of that poster.


Give it to your corporate bindery and have copies printed off and hang them around. :)

The Security Journal - Winter 2007

My good friends over at Security Horizon have released the Winter 2007 issue of The Security Journal.

Stories covered include:

Storm-Worm and F-Secure WorldMap

F-Secure has a replay of their WorldMap from last night, 01/19/2007. It shows the spread of Storm-Worm Small.DAM, an e-mail worm and it's really, really cool. I want one! (not the worm of course, :P )

The video is also available on YouTube.
