There Really Is NO Dislike Button!

How many times have you wished that FaceBook had a “dislike” button?  Well, I know that there have been many times when I wanted one, and my wife mentioned the same thing just yesterday.  Want to guess what hackers are targeting next?  At some point in time, you are going to see a message posted on your wall, offering you the opportunity to install a Dislike Button.  Don’t frickin’ believe it!  If FaceBook were to introduce such a feature, it will be amid a big media fanfare, and with mucho publicity.  Not some scurvy little wall posting out of the blue.

This is not a new scam; it has been around since 2010, as evidenced in this MSNBC article.  It’s just being revived and making the rounds once again.  Clicking on the link within the bogus message will cause the same consequences which you might have experienced with the “Check who is visiting your profile” scam.  The link contains obfuscated JavaScript, and the message will be posted on the walls of random friends, continuing the infection cycle.

Trust everyone at your FaceBook table, but always remember to cut the cards.

PM Challenges

I was at yet another interview last week, and one of the questions posed to me by the interviewer was “What was the greatest challenge that you faced as a Project Manager?”  I stated that I would answer that question in two parts.  Firstly, the single greatest challenge that I have faced as a Project Manager has been attaining good knowledge transfer from the project team Subject Matter Experts (SMEs) to the operations teams.  Most of the larger projects that I have been engaged with have required parachuting in an expert or team of experts due to the amount of research and experience that can be provided quickly.

The SMEs move the project along in a timely fashion, answering questions and solutioning problems with the wisdom that they have gained or the network of connections that they have built performing similar work over a period of time.  There is generally some aspect of the project that was given short shrift or took longer than expected, that gobbles up cycles unexpectedly.  This always nibbles into a couple of areas that sit on the final edge of project closure: end-user training and knowledge transfer.

Hmmm, training and knowledge transfer…  Aren’t these the same thing?  No, they are not.  Training, and especially end-user training, is designed to provide an introduction to the new program or tool, and to demonstrate how to perform the simple, basic, day-to-day operations that the program or tool was designed to perform.  Knowledge transfer is the transfer of knowledge from one part or member of an organization to another member or organizational part.  This knowledge consists of how the architecture was designed, what its full capabilities are, how future enhancement was conceived, what the development roadmap is, how the system and its component processes integrate with others, where one can go for assistance or guidance, and other questions that make up “professional wisdom”.  Knowledge transfer seeks to organize, create, capture or distribute knowledge and ensure its availability for future users.

I believe that it is imperative that a knowledge transfer plan be developed at an early stage in the project life cycle, so that the critical knowledge components are identified.  Success can then be measured against this list in order to avoid premature project closure.  If you don’t make this investment up front, expect to spend up to several years building this knowledge base.

The second item that I discussed was probably what the interviewer was actually looking for, something more tactical than strategic.  I spoke about gaining management buy-in for security-based projects.  Security-based projects have little to no actual, demonstrable return on investment, making them very hard to sell to upper management.  Their focus tends to be on the bottom line, and they have the board and share-holders to answer to for their spending decisions.  I have gained buy-in by offering up several points for persuasion that are commonly used by vendors and solution providers: the FUD factor, FUD meaning Fear, Uncertainty, and Doubt.  These 3 words have been dragged through the mud in the media.  However, when discussing security, they have their place.  Security has so few metrics, and the metrics that do exist mean little to executive management staff who have little exposure to security risk management theory.  My arguments boil down to this: hanging on to the money you have already earned is more effective than trying to earn more.

Second interview scheduled for next week, so I guess one of those responses was correct…

Beware PIN Pad Swapping

According to an article on The Star Phoenix website, police have released surveillance images of a number of suspects behind a recent series of fraudulent PIN pad switches in Saskatoon.

Six businesses in Saskatoon have recently had their PIN pads switched with units containing a skimming device, allowing the scammers to gather the account numbers and passwords of anyone who uses the non-chip type keypad.

The men are likely from out-of-province, travelling to different cities to conduct skimming activities.  Police believe at least four men are involved in the operation.

Anyone who has had their debit or credit cards compromised is encouraged to contact their financial institution and the local police.  Anyone with information about this or any other crime is asked to contact Crime Stoppers at 1-800-222-8477.

Common Vulnerability Reporting Format 1.0 Released

A major gap has existed for years in vulnerability standardization: there is no standard framework for the creation of vulnerability reporting documentation.

While the information security community has made significant progress in areas including categorizing and ranking the severity of vulnerabilities in information systems, with the widespread adoption of the Common Vulnerabilities and Exposures (CVE) database and the Common Vulnerability Scoring System (CVSS), a lack of standardization is evident in every vulnerability report, best practice document, or security bulletin released by any vendor or coordinator.

This white paper proposes CVRF version 1.0, a common and consistent framework for exchanging any security-related documentation.  The Common Vulnerability Reporting Framework is an XML-based language that will enable different stakeholders across different organizations to share critical security-related information in a common format, speeding up information exchange and digestion.

The XML-based framework of CVRF predefines a large number of fields, with extensibility and robustness in mind.  These fields are consistent in naming and data type, so any organization that adopts and understands CVRF can produce documents easily, or read documents that another CVRF-equipped organization has produced.

Vulnerability researchers, vendors, security analysts and incident responders worldwide can all write CVRF documents to share critical information.  Widespread adoption of CVRF will accelerate information exchange and incident resolution as a result.
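What consuming such a document looks like in practice, as an added example that is not code from the white paper or from the CVRF authors: a minimal reader for a CVRF-style advisory.  The element names follow the CVRF schema (cvrfdoc, DocumentTitle, DocumentTracking/ID, Vulnerability, CVE, ProductStatuses); the namespace URIs are assumed (the later CVRF 1.1 values) and the advisory itself is a constructed sample, not a real vendor bulletin.

```python
import xml.etree.ElementTree as ET

# Assumed namespace URIs (CVRF 1.1 values); the sample below is constructed.
NS = {
    "cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
}

SAMPLE_CVRF = """<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1"
         xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1">
  <DocumentTitle>Example Vendor Advisory (constructed)</DocumentTitle>
  <DocumentTracking><ID>EXAMPLE-SA-0001</ID></DocumentTracking>
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>Buffer overflow in widget service</vuln:Title>
    <vuln:CVE>CVE-0000-0000</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected"><vuln:ProductID>WIDGET-1.0</vuln:ProductID></vuln:Status>
      <vuln:Status Type="Fixed"><vuln:ProductID>WIDGET-1.1</vuln:ProductID></vuln:Status>
    </vuln:ProductStatuses>
  </vuln:Vulnerability>
</cvrfdoc>
"""


def parse_advisory(xml_text):
    """Return the tracking ID, title and per-vulnerability product status.
    Because every producer uses the same element names, one reader serves
    advisories from any CVRF-equipped organization.  The stdlib parser expands
    internal entities, so parse third-party feeds with a hardened parser such
    as defusedxml instead."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}cvrfdoc" % NS["cvrf"]:
        raise ValueError("not a CVRF document, root element is %s" % root.tag)
    doc = {
        "id": root.findtext("cvrf:DocumentTracking/cvrf:ID", namespaces=NS),
        "title": root.findtext("cvrf:DocumentTitle", namespaces=NS),
        "vulnerabilities": [],
    }
    for v in root.findall("vuln:Vulnerability", NS):
        # Map each status type ("Known Affected", "Fixed", ...) to its product IDs.
        statuses = {st.get("Type"): [p.text for p in st.findall("vuln:ProductID", NS)]
                    for st in v.findall("vuln:ProductStatuses/vuln:Status", NS)}
        doc["vulnerabilities"].append({
            "title": v.findtext("vuln:Title", namespaces=NS),
            "cve": v.findtext("vuln:CVE", namespaces=NS),
            "products": statuses,
        })
    return doc


def affected_products(doc):
    """Every product that any vulnerability in the advisory marks as Known Affected."""
    return sorted({pid for v in doc["vulnerabilities"]
                   for pid in v["products"].get("Known Affected", [])})
```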