un-excogitate.org
what was I thinking? (Christian Frichot’s ad-lib on security and what-not)

Just read the short, but interesting, post from shauninman.com where he comments on the cookie disclaimer on allthingsd.com. For some reason this post jumped out at me and made me realise that “oh yeah, cookies are taken for granted”. I mean, it’s not like many people stop each and every cookie, inspect its content and then pass judgement on whether to allow it or not. In fact, it is probably true that in many cases cookies are taken for granted by the same people who try to advocate against widespread acceptance of cookies.

So as a security expert I like the idea of providing an open disclaimer to your web-visiting-clientele explaining just what sort of cookies your website is going to create, but I can’t help but think that as a web-designer wanting to make any sort of money off your traffic you want to make sure that these sorts of things continue unhindered. So which is it? Explain how to remove the cookies, or just don’t use the cookies? Remove your ads? Keep your ads?

I don’t know the answer and most likely it can only be decided on a case-by-case basis. Either way I like the initiative that allthingsd.com have taken in explaining what third parties are involved in cookie placement.

On a side note I’ve been really interested in reading jungsonnstudios.com, recently renamed to 0x000000.com. A recent entry that I found REALLY informative was his link to a presentation given in Dubai on Hacking Web 2.0. Not entirely unrelated to the first half of this post, as cookies do play a minor role in user experience and Web 2.0 stuff.


Just finished having a skim of the KPMG Profile of a Fraudster Survey for this year, which I found from the recent Risks Digest post. I have to admit that this survey interested me not only in the professional sense but also personally, given my family history. Some of the more interesting statistics do not surprise me at all:

  • 70 percent of fraudsters were between the ages of 36 and 55 years old.
  • 85 percent of perpetrators were male.
  • In 68 percent of profiles the perpetrator acted independently.
  • Members of senior management (including board members) represent 60 percent of all fraudsters. An additional 26 percent of profiles involve management level persons bringing the total to 86 percent of profiles involving management. This result highlights a risk that every company faces: executives are entrusted with sensitive company information and yet are also often in a position to override internal controls.
  • 91 percent of perpetrators did not stop at one single fraudulent transaction but rather performed multiple fraudulent transactions; every third perpetrator acted more than 50 times.
  • Greed and opportunity (when taken together account for 73 percent of profiles) are indicated to be the overriding motivations for fraud.
  • No prior suspicion existed in more than half of the profiles…
  • Perpetrators were able to commit fraud by primarily exploiting weak internal controls, in 49 percent of profiles.

I guess the only additional information I would have liked to have seen from this report is more international information, such as from Australia and the US.


This is my final week with my current employer and while I’m sad to be leaving I’m also very excited (and nervous) to be moving into a new consulting position. The position I’m moving into has been a long-term professional goal of mine for quite some time, and I seriously wasn’t expecting to be moving into this type of position for another couple of years. I think luck has played a small part in the opportunity presenting itself – firstly from a friend who I studied with and secondly from an interview I had last year with a different company.

I’m looking forward to stepping away from a lot of the generic IT work I do currently. While it has been something I’m good at, it’s not something that challenges me too much and while I will be stuck with problems from time to time the majority of the work is too generic for me. I guess I’m finding I spend somewhere less than 20% of my time focusing on information security problems and the rest on other IT work. It’s this shift in work-focus that is exciting me the most about the new job. Information security work will shift from somewhere around 20% to more around 90% to 95%, I hope.

The part that I’m most nervous about is the delivery of work. Currently I service one, or two, different clients, all of whom I’ve gotten to know exceptionally well over the last 2+ years. Stepping into a role where I’ll have to provide services for a number of different clients who are changing all the time will present some problems I’m sure, but I have no doubts that it’s only a matter of time before things fall into place.

This move also makes reading articles, such as this one on the Payment Card Industry Data Security Standard, much more relevant as hopefully I’ll be working on projects in this sort of field, expanding into web application security and other more IT security fields.

Here’s to change.


I actually thought this was old news.


