Even phishers watch daytime TV

February 07, 2012

Thankfully I am rarely ill and, because of that, don't often get the chance to 'enjoy' daytime TV.

In previous lives, I have had a chance to enjoy the likes of Countdown and Deal or No Deal, but these have been undone by the low-standard programming pumped out by terrestrial channels and adverts for no-win, no-fee legal services.

Among these productions is Heir Hunters, not a Discovery channel special on Nazi hunters, but a BBC programme "following the work of probate detectives looking for distant relatives of people who have died without making a will".

Now proof has emerged that the elderly, unemployed and undergraduates are not the only ones watching such shows, as phishing emails claiming to be messages from the producers have been detected.

The scammer says they came across the recipient "while searching through [a] genealogy database" and asks them to respond with their contact details to ensure that it corresponds with the information "we have [in] our database in order to enable us to carry out necessary verification processes and to get your claim across to you without any delay".

According to Sophos, the emails even include a link to an online episode of the TV show via the BBC's iPlayer in an attempt to make the message seem more legitimate. This has led to the BBC putting a message on its website which says "beware of emails claiming to be from Heir Hunters".

It warns: “We have been informed that someone has been sending out emails purporting to come from the Heir Hunters programme and referring to this website. Please be aware that these emails have no connection with the BBC or Flame Television, the makers of Heir Hunters, and you should ignore them.

“You should not reply to them and if you believe that persons are attempting to deceive you with a view to monetary gain, then you should contact the police.”

Sophos's senior technology consultant, Graham Cluley, says the BBC's advice is sensible. “If you believe you could be the beneficiary of the assets of a deceased person who didn't make a will, or died with no known heirs, then you could do a lot worse than visit the Government's Bona Vacantia website,” he advises.

If you think about this, it is a mean but clever tactic. The spammer is hitting potentially vulnerable targets who are likely to respond to the opportunity, as they are familiar with the brand and are unlikely to question a tactic as niche as this.

That said, being aware of spelling mistakes and the validity of the sender is no bad thing, because the BBC prides itself on not making spelling or grammatical mistakes. Now, where did I put my Homes Under The Hammer box set?

 

What is the future of encryption?

January 31, 2012

One of the first meetings I did in this job was with nCipher, where the concept of encryption was explained to me.

Now you could argue that I should have just sat down and read the Whitfield/Diffie paper or talked to the founders of RSA, but a lot has changed in the three years since then. Not just to me either; nCipher was subsequently acquired by global defence company Thales and, following other acquisitions, Thales is now one of the primary encryption firms.

The main function of nCipher was SSL technology with databases with built-in encryption and support offered for cryptography. Sitting with Thales's director of product management Mark Knight, and strategy manager Steve Brunswick, both from the Information Technology Security division, I asked them if encryption had changed since 1976.

Knight said that one of the challenges for businesses is how to retro-fit end-to-end encryption and how to improve security without affecting the user so it is as transparent as possible.

“Technology is making encryption transparent. If you know you are using it then it has gone wrong,” said Knight.

One area where encryption has evolved is with mobile payments. Brunswick explained that a credit card chip has moved into the phone SIM card. “In the past, a factory would create a card with data from a tape from the provider, but with cryptographic details added to the account it is then added to the card. With the Global Standards platform, the cryptographic element is not in factory but over the air,” he said.

“With our hardware security module (HSM), within the SIM there is security but the domain is owned by the mobile network operator so you can use traditional push commands to set up a secure channel, and send a message that the application can run on the ‘card'. The bank has the server and an HSM attached, so the contact comes from the HSM and secures the message so the bank doesn't need to know anything about how the message gets to the phone.”

Knight commented that with end-to-end encryption, the bank has the data, but everyone should be hiding opaque information – although fitting this sort of technology is proving to be difficult.

Brunswick said: “Protecting a password with encryption is done everywhere. PCI-DSS says you need to protect data but does not say how to.”

A key area for chip-based security is in the US; Knight said this is a major case for retro-fitting, with a move to issuing and accepting chip cards getting closer.

Knight said: “A step to mobile payments is not about making payment cards more secure; contactless mobile card payments use the same standards. In the phone, the SIM connects to the near-field communication (NFC) chip via a single wire protocol to make the SIM look like a contactless card, so you can make a payment.

“We have got to see a communal relationship between the bank and retailers as the technology is ahead of the market.”

A Forrester report commissioned by PayPal last year said that by 2016, UK mobile retail sales will reach £2.5bn, and consumers will be able to leave their cash at home and use their mobile "as the 21st century digital wallet".

Brunswick said this capability is not a matter of technology, as that is already there – 2011 saw industry groups created and the first real mobile payment applications – but people are now investing more in security for the big push towards this reality.

“With mobile payments, the operator doesn't want a cut of the transaction, they want the data of users' shopping habits so they can give them offers. This is all aligned in a single application,” he said.

 

Anonymous hits out at martial arts group after 'cowards' taunt

January 31, 2012

The president of martial arts body the Ultimate Fighting Championship (UFC) almost ‘did an HB Gary' last week when he called Anonymous "cowards".

Initially, president Dana White wrote a tweet to the Anonymous news feed ‘YourAnonNews' that accused the group of hiding "behind a screen name".

The hacktivists responded by breaching the UFC's official website and defacing it; White responded in turn by telling reporters at USA Today that the group should "keep hacking our site" and encouraged them to "do it again. Do it tonight".

He said: “You know what's happening? These guys look like terrorists now, and a bill that was about to die is about to come back. I'm not afraid of the internet. I love the Internet. It's fun to get on there and cruise around and stuff. I'm not afraid of you. You want to keep hacking our site, go for it. Watch what happens. You're hurting yourself.”

UFC parent Zuffa is a supporter of the US's proposed Stop Online Piracy Act (SOPA) and the Protect Intellectual Property Act (PIPA).

According to USA Today, the attack redirected the UFC.com domain to other sites multiple times, although servers that hold the company's data were not penetrated.

In a statement, the UFC said: “The UFC.com website was redirected by a criminal hacker to another website. The UFC website was quickly restored to the control of the UFC and there is no evidence suggesting that any confidential information belonging to the company or its customers was compromised.

“UFC representatives are continuing to investigate the matter and are working with law enforcement agents to prosecute those involved.”

Anonymous has also released personal information on White, including his social security number. Softpedia reported that S3rver.exe, who breached Sony Pictures, was one of those responsible for the defacement of UFC.com and UFC.tv.

The hacktivists told Softpedia that one of the two sites had at least 60 vulnerabilities, and that UFC.tv had XSS, blind SQL injection and other vulnerabilities. When asked about the reasons for hacking UFC, S3rver.exe cited Zuffa's president calling them terrorists. He said: "Standing up to those you deem to be weak may be at UFC's heart, and I am sure that there is little that scares their fighting machines. However in a cyber war, it is the keyboard, rather than the fist, that strikes the hardest blow and UFC can count themselves lucky for the moment, that no worse has been done."

 

Is the hybrid cloud a hybrid threat?

January 30, 2012

Radical changes in the way business stores its data are looming, with massive implications for data security.

New Forrester research shows that 66 per cent of businesses are moving their desktops, servers and data into the relatively uncharted territory of the hybrid cloud. Recent events have made it clear that moving sensitive data into the cloud is not a silver bullet and will require a new awareness of the threats that need to be addressed before implementing a cloud storage strategy.

When a disgruntled employee recently succeeded in wiping out an entire season of a major US TV show, we saw how outsourcing sensitive data can render a business vulnerable to the security models of the service provider, while Amazon's notorious data-loss incident illustrated the inherent risks associated with keeping masses of vital information in a single repository.

With Microsoft's recent warning to the EU that the Patriot Act now renders its citizens' personal data vulnerable to seizure, we saw the potentially troubling implications of moving data outside national jurisdictions.

At its best, the public cloud is the epicentre of personal empowerment and the globalised information age; a vast, instantly accessible, global pay-as-you-go pool of corporate consciousness, which can be shrunk or expanded, accessed or updated on demand from any location.

With information set to become ‘the oil of the 21st century' and mobile multi-national workforces spreading endpoints far and wide, it is clear that there can be no return to the days of fixed-endpoint data repositories.

Businesses now want to adopt a ‘pick and mix' approach, utilising the complementary benefits of different cloud models. The cost-saving benefits of the shared cloud-space, in terms of cheaper apps and limitless scaleable storage space, can be combined with the legal benefits of local clouds and the security benefits of private clouds, enveloping sensitive data in an on-site cocoon.

The hybrid enables cloud models to be moulded to the needs of differing industries and businesses, from companies trading information that require instant data recovery to ensure business continuity in the event of a disaster, to regulated industries that require some information to be stored within their own premises, and businesses requiring data space that can be rapidly scaled up or down in sync with fluctuating demand.

With private clouds increasingly being adopted in tandem with public-cloud models, virtual-machine sales were already outstripping sales of physical servers by 2009. A Microtrend 2011 survey found many businesses were using all three cloud models almost equally.

The next generation of hybrid clouds and the rapidly multiplying array of user endpoints are spawning a deadly new generation of security threats. The expanding cluster of mobile devices and cloud models is leading to an increasing fragmentation of corporate data across multiple clouds and devices with different types of data protection, placing corporate data at the mercy of vastly different security models.

A third (33 per cent) of businesses already support mobile operating systems, and many businesses already make corporate information available through tablets, yet 66 per cent of businesses polled by the Ponemon Institute had recorded mobile device losses in the past year alone.

The modern ecosystem of mobile devices interconnected with multiple cloud models creates an interdependency between cloud providers, businesses and end-users with alarming implications. Imagine a scenario where an employee using mobile device support could have both the corporate data and personal data stored on their phone accessed by anyone who hacked into the cloud provider.

Conversely, if the employee later misplaced their tablet, it could provide root-level access to sensitive business data stored in private or public clouds and available through easy-to-use apps. Also, employers are at risk of prosecution if they wipe personal data stored on employees' tablets when attempting to remove corporate data.

With 40 per cent of businesses planning to manage hybrid clouds through in-house teams, the implementation of data-security policies across different cloud models, devices and tiers of data could become an admin nightmare for corporate IT staff.

Businesses need solutions which can safeguard fragmented corporate data across multiple devices and clouds in line with corporate policy. Yet companies are currently adopting only patchwork solutions, which fail to take into account the abundant array of security threats.

Datacastle's RED software automates the process of integrating all business data-security policies through a central policy framework, by combining remote deletion, remote port-locking, automatic encryption, device trace, automatic backup and data restore through a single agent, tailored to the policy needs of the organisation and designed for a hybrid-cloud model.

A unified cloud-computing infrastructure will only help business get the best out of cloud technology if it can be protected under the umbrella of a unified security framework.

Gary Sumner is CTO and founder of Datacastle

 

APT: more than a buzz-phrase?

January 23, 2012

In a presentation last week, Barclaycard head of payment security Neira Jones said "every time someone says APT, an angel dies in heaven".

Aside from the unseasonal Clarence-isms, is it the case that people are tired of hearing buzzwords, abbreviations and acronyms without any real clear explanation as to what they actually mean?

Talking last week to Graham Nash from Fortinet, he used the more PC term of 'targeted attacks', but said that often people have their own definition of what an APT actually is. He claimed that what was seen in 2011 was not a revolution, apart from the new term and concepts; rather it is the availability that has changed in the past 12 months.

He said: “Look at the key components and challenges; there is the attacking engine and crimeware-as-a-service that enables more and more people to be able to do this. In 2012 I see mobile becoming a factor too.”

Nash said the APT was often carried out following a "long gestation period" and attackers will "always find a victim", with phishing or spam messages often just precursors that deliver some malware or get an endpoint to be part of a botnet, in order to figure out a weak link in the chain.

I asked Nash if he felt then that the APT, or targeted attack, was a tool in cyber warfare. He said: “Look at the key components and motives on cyber attacks: money; geo-politics; companies; and hacktivism.

“Attacks can be high-risk and low-cost with denial-of-service or ransomware, so from an eco-politics point of view, a website can be taken down and, at worst, that is a branding problem. However, using ransomware is a risky way of doing things from the attacker's perspective, as there is no easy way to extract money and the attacker needs a method of protection for them and their assets as they do need to cover their tracks, identity and location.”

Looking forward to the rest of 2012, I asked Nash if he felt that there would be any changes from a hacker's point of view. He believed that there would be attacks on new versions of Flash or Windows and new vulnerabilities, as well as more activity as part of the evolution of threat versus mitigation.

“Also, 2011 showed that no one knew what an APT was and did not understand it. 2012 will be when companies do something about it,” he said.

“Cyber crime is costing the UK economy £27bn a year, and the key thing is at enterprise level, about what companies are doing and how they are incorporating the threat and cyber crime into their overall risk management and security controls. That will have a major impact on how much APT is taken seriously.”

So it does still remain a buzz-phrase, but APT (or targeted attack) is something to consider when assessing your risk profile, as Nash said. Yet it has the abbreviation status that can put some people off, and it may be time for researchers and writers to be a bit more serious on this subject.

 

2012: Crumbling trust in tech?

January 23, 2012

Through 2011, trust in a number of technological protocols, devices and companies came under attack.

We saw hacking collectives shout about their exploits on Twitter, high-profile companies suffer severe data thefts and entire governments come under attack from hackers. Clearly none of these security threats were new in themselves, but public awareness of them reached an all-time high, and the trust and confidence of users became increasingly fragile commodities.

2012 looks set to continue to test trust – and companies are going to have to work very hard to rebuild and retain the user confidence that is crucial for them to function.

For both individuals trusting the sites they visit to be genuine and organisations trusting the reliability of their certificate issuers, trust in the security and authenticity of the internet is paramount.

This trust came under particular attack in 2011, with the secure sockets layer (SSL) protocol demonstrated as badly implemented, and the website certification industry hit repeatedly.

Both DigiNotar and Comodo were hit by malicious hackers, KPN Corporate Market discovered a security breach that may go back four years, and Microsoft revoked trust in DigiCert Sdn. Bhd on the basis of poor security practices. This shows that the system is already untenable.

Quite rightly, authorities are already looking for stricter governance of this system, with the CA/Browser Forum approving baseline requirements for SSL/TLS certificates. Subjects including verification of identity, certificate content and profiles, certificate authority (CA) security, liability, privacy and confidentiality will be subject to best practice baselines, with a July deadline for implementation.

But the intractable issue is that there is no organisation sitting above the reams of CAs that are, ultimately, dealing in trust and confidence. There are more than 1,500 of them, it's complicated and convoluted and there's no overriding standard of security or quality.

Ultimately, it's far too easy for an organisation to become a CA. So what value is being placed on trust? Far greater transparency and clarity is required, with the security standards that CAs attain made public. If providers want to be trusted they not only need to unite, agreeing standards of security and scrutiny, but also undertake rigorous external audits and publicise the results.

Greater clarity also needs to be provided for the end-users who run the risk of their data being silently decrypted via earlier versions of TLS, or accidentally using websites that have been issued with false certificates. If diversity online is to be maintained, the confidence of those end-users is crucial.

What certificate authorities, websites and mobile device manufacturers have in common is that for most businesses they are third-party suppliers, companies whose goods or services have a direct connection on other organisations, but whose security procedures are out of reach.

It is not sufficient for organisations to strengthen their own security procedures and policies. If they do not also validate the security of those suppliers that may provide easy access to contact details or sensitive data, then a back door is being left open.

It is the fragility of third-party security that, ultimately, means that generating and sustaining trust is going to be vital in 2012. Whether manufacturers or service providers, businesses or governments, all organisations must not merely be secure, but be seen to be secure.

Rob Cotton is CEO of NCC Group

 

There's space in SIEM for a new Alien

January 19, 2012

Think all security information and event management (SIEM) vendors are owned by big businesses?

This week I met with a new vendor in the SIEM space that has undergone a major expansion with the recruitment of some seasoned security professionals. Founded in Spain in 2002 and now based in California, AlienVault began with an open-source technology, with a commercial version following a few years later.

Executive vice-president James Yares said this commercial version was created to handle capacity and volume. “The value of the company is to be democratic and make it available to everyone, its roots are in open-source SIEM and to support and enhance that, and we continue to work with the open-source SIEM,” he said.

Rather than speaking as the old corporate head, Yares was in his fourth week at the company, while senior vice-president of international sales Richard Kirk was in his third week. Both men were previously at Fortify, and moved on following the acquisition in 2010.

Also joining them are former Fortify chief products officer Barmak Meftah as president and chief executive officer and Fortify founder Roger Thornton, who assumes the same position as chief technology officer.

John Richardson, formerly vice-president of finance at HP Fortify, will serve as vice-president of finance and administration. Jack Marshall, formerly vice-president of customer success at HP Fortify, will become vice-president of customer success, while Gail Boddy, former vice-president of human resources at HP ArcSight, will have the same role at AlienVault.

AlienVault will continue to be led by co-founders Julio Casal and Dominique Karg, who will be general manager of the new MSSP business unit and lead of the open-source SIEM community as chief hacking officer respectively.

Yares told me that AlienVault enables users to deploy and operate cost-effective unified security management solutions for better threat management and easier PCI/SOX compliance, while its solutions come integrated with sophisticated open-source security tools such as Snort, OSSEC, OpenVAS, ntop, Nagios and NetFlow.

The past 18 months saw most SIEM vendors swallowed by IT powerhouses, with NitroSecurity now part of McAfee (therefore Intel), Q1 acquired by IBM and, perhaps most notably, ArcSight acquired by HP.

Yares said the SIEM market is "well-established and growing quickly", and while other vendors have been bought up and it was a "ton of fun" to be acquired, it was now their job to grow a new company and make it valuable.

He said: “What we always hear from CISOs is that there is value in SIEM systems and they have stuck with the AlienVault design and what comes with it. They like how it is engineered and how its sensors make use of the open-source computing and the fast time to deployment.

“It is deep technology that others do not do and an example is its reporting capabilities. Some users have said that they put it in to see what is in the network. With this there is an opportunity to grow rapidly.

“We have had 160,000 downloads of the OSSIEM; we find that people download enough to get going and enable security teams to learn about SIEM to use it.”

Kirk said: “This was built for open source so we have had to make it so it works from the ground running, but we will continue to take advantage of our open-source roots.”

AlienVault later confirmed financing of £5 million from Trident Capital with participation from existing investors Adara Venture Partners and Neotec. Trident Capital has a track record of building successful cyber security companies including: AirTight Networks, BlueCat Networks, HyTrust, Qualys, Solera Networks, Voltage Security and Sygate.

Trident managing director J. Alberto Yepez is appointed as chairman of the AlienVault board, while Trident principal Michael Biggee also joins the AlienVault board of directors.

AlienVault said that the funding will be used to accelerate research and development and aggressively expand sales and marketing to meet increasing demand for unified security management from around the world.

The company has already staked its case in 2012 with research on attacks, and if you can overlook the brands that are now part of a portfolio, there is a space ready for AlienVault.

 

It started with a memo

January 16, 2012

Yesterday marked ten years to the day since Microsoft founder Bill Gates sent an internal memo that led to the foundation of its Trustworthy Computing division.

The original memo is available here, but to summarise, Gates called Trustworthy Computing "the highest priority for all the work we are doing" and said "we must lead the industry to a whole new level of Trustworthiness in computing".

The concept was about more than trust and simple security, it was about capability; and, as Gates said, the 9/11 attacks and disruptive malware "reminded every one of us how important it is to ensure the integrity and security of our critical infrastructure".

With foresight of which HG Wells would have been proud, Gates said: “Computing is already an important part of many people's lives. Within ten years, it will be an integral and indispensable part of almost everything we do. Microsoft and the computer industry will only succeed in that world if CIOs, consumers and everyone else sees that Microsoft has created a platform for Trustworthy Computing.”

He also said that "eventually our software should be so fundamentally secure that customers never even worry about it". Well, we would like to think that it is, but has that actually been achieved? Of the key aims of the Trustworthy Computing project, Gates said it should include: availability; privacy; and security.

With regard to the latter, he said: “The data our software and services store on behalf of our customers should be protected from harm and used or modified only in appropriate ways. Security models should be easy for developers to understand and build into their applications.”

He also claimed that "our products should emphasise security right out of the box and we must constantly refine and improve that security as threats evolve"; he referenced changes in Outlook to avoid email-borne viruses, with any possible privacy compromise issues resolved first, as well as intention to better protect important data and minimise downtime.

“These principles should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global web services,” said Gates in 2002.

According to Threatpost, Microsoft held a small conference in Redmond on what it then called "trusted computing" ahead of the memo being sent, where software security experts discussed the principles and concepts that were the foundation of building more secure software. In the months following the memo, Microsoft began internal changes designed to refocus its developers on the idea of building secure software.

Yes, this led to some products being slower to market, but Microsoft saw the importance of building secure products – look at the long wait for Windows 8. Trustworthy Computing now focuses primarily on its monthly bulletins released on Patch Tuesday, identity and access management and the development of IT concepts, to name just a few.

My last direct dealing with Microsoft Trustworthy Computing was when I met with its general manager of communications, Adrienne Hall, at RSA Conference Europe, where she was evangelising on the future of the cloud.

It was not a great call to arms or a directive for all of Microsoft's staff to down tools and be more secure, but more about Gates's vision on the future of secure software and how his brand had to be a leader.

Threatpost suggested that the memo created widespread acceptance that software security needed to be a top priority, and I would suggest it did more: it began a revolution that affected businesses around the world and the man on the street. It led to the industry as we know it today and Microsoft remaining as one of the most important cogs in IT and security.
 

Are QR codes the next spam frontier?

January 10, 2012

Warnings have been made about Quick Response codes as they begin to be impacted by cyber criminals.

A QR code is a two-dimensional matrix barcode and, when scanned by a camera phone, will link the user directly to the mobile web, usually a social media site, online video or promotional page.

Websense said its ThreatSeeker Network has begun to spot spam emails leading to URLs that use embedded QR codes. In the cases spotted, a spam email arrives with a URL; if clicked on, a QR code appears and, if a user scans it, it leads them to pharmaceutical spam.

Elad Sharf, security researcher at Websense Security Labs, said: “We've been looking at QR codes as a potential malware/spam route for a while now. Inherent in the design is a level of trust and novelty that can be abused.

“In many ways it was just a matter of time before we saw spam messages point to URLs that use embedded QR codes. This is a clear movement and evolution of traditional spammers towards targeting mobile technology.”

Paul Vlissidis, technical director at NGS Secure, an NCC Group company, said the concern with QR codes is that control is taken out of users' hands and there is no indication on the code of the URL you are being transferred to, so there is no way of checking in advance whether it is genuine.

“Even more worrying, while a computer will warn you if you have clicked on a link to an unverified site, a smartphone will take you there directly. QR codes on billboards are surprisingly easy to manipulate, all it takes is for a fraudster to place a sticker over the existing code, and unsuspecting users can be directed anywhere. Malicious sites can start downloading malware to a device without buttons being pressed or files opened,” he said.

One notable attack via QR code took place in Russia in 2011, where a Trojan disguised as a mobile app called ‘Jimm' was installed and started to send a series of expensive text messages that cost users £4 each. Paul Henry, security and forensic analyst at Lumension, said QR codes take URL obfuscation to the next level, particularly at a difficult time when malicious URLs continue to be a problem.

The problems with shortened URLs has been well documented, but could this be a new tactic that industry is falling behind? James Lyne, director of technology strategy at Sophos, said "convenience consumer technologies" are opening up new vectors of fraud; QR codes manipulated simply with a sticker over a corner of a legitimate code will direct the user to a spam site or worse.

A study by Chadwick Martin Bailey and iModerate Research Technologies found that around half of 1,200 consumers interacted with a QR code when they saw one, with 21 per cent then going on to share personal information. Curiosity and information-gathering were the primary reasons for wanting to scan a code, and the promise of discounts and special offers seemed to be the most effective way to generate interest.

Claus Villumsen, CTO at BullGuard, said: “While these are primarily used as a marketing tool for advertisers so customers can get more information on products or services, cyber criminals know that services that pique interest or offer ‘special deals' are often prime targets for spreading malware, stealing identities and phishing for personal information.

“In other words, QR codes make things run faster and easier, but they can also pose a threat to your mobile security.”

BullGuard recommended using a mobile QR code-scanning app that previews URLs and to avoid scanning suspicious codes and links that do not match the adverts they are incorporated into.
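The preview step BullGuard recommends, as an added example in Python that is not code from the article or from BullGuard: it takes the text a scanner has already decoded from the code, shows the real destination host, and flags the patterns the article describes (a sticker redirect to a host that does not match the advert, a shortened URL that hides the destination). The shortener list and the `expected_domain` parameter are assumptions for the example.

```python
"""Preview the destination encoded in a scanned QR code before opening it.

Added example, not code from the original article or from BullGuard. It takes
the text already decoded from the QR image (a real scanner app supplies this)
and returns a preview the user can check against the poster before opening.
"""
from urllib.parse import urlsplit

# Constructed list of well-known URL-shortener hosts; an assumption for this
# example, not a complete or authoritative list.
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "is.gd"}


def preview_qr_payload(payload, expected_domain=None):
    """Return a preview dict for a decoded QR payload.

    payload:         the text decoded from the code.
    expected_domain: the advertiser's domain printed on the poster, if known,
                     so the user can check the code matches the advert.
    """
    text = payload.strip()
    preview = {"payload": text, "is_url": False, "host": None, "warnings": []}

    parts = urlsplit(text)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        # Plain text, vCards, WIFI: payloads and so on are not opened in a browser.
        preview["warnings"].append("payload is not a web URL; nothing to open")
        return preview

    host = parts.hostname or ""          # urlsplit lower-cases the host
    preview["is_url"] = True
    preview["host"] = host

    if parts.scheme.lower() != "https":
        preview["warnings"].append("plain http: destination is not encrypted")
    if host in SHORTENER_HOSTS:
        preview["warnings"].append("shortened URL: real destination is hidden")
    if parts.username or parts.password:
        # 'https://bbc.co.uk@203.0.113.7/' shows a familiar name, but the part
        # after '@' is the real host; flag it rather than trusting the prefix.
        preview["warnings"].append("credentials in URL: host may be disguised")
    if host.replace(".", "").isdigit():
        preview["warnings"].append("raw IP address instead of a domain name")
    if expected_domain:
        expected = expected_domain.lower().lstrip(".")
        if not (host == expected or host.endswith("." + expected)):
            preview["warnings"].append(
                f"host {host!r} does not match the advertised domain {expected!r}")
    return preview


def should_open(preview):
    """Policy: open without asking only a warning-free web URL."""
    return preview["is_url"] and not preview["warnings"]


if __name__ == "__main__":
    # Constructed sample payloads: a genuine code and a 'sticker' replacement.
    for payload in ("https://www.bbc.co.uk/iplayer", "http://bit.ly/abc123"):
        result = preview_qr_payload(payload, expected_domain="bbc.co.uk")
        print(payload, "->", result["host"], result["warnings"])
```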

This is going to be a tricky one for security vendors to mitigate – it is being driven by marketing departments keen to embrace a clever new technology, and public adoption is hard to control. Perhaps this just needs better application development, as BullGuard suggests, before it gets out of hand.


Three steps to ensuring BYOD doesn't lead to BYOT (bring your own threat)

January 09, 2012

As many organisations rush to adopt technologies that enable their workforce to be more mobile and satiate user demand that IT support mobile devices, security often becomes an afterthought.

In this bring your own device (BYOD) environment, enterprises are struggling to lock down an ever-growing number of endpoints. So how can you give users the flexibility they want while maintaining the utmost security? These are the three basic steps that you need to take into account:

1. Adopt mobile management solutions that provide tiered functionality

Provide yourself with the capability to quickly lock down any and all devices that are assigned to a user. The first level of capability should be immediate blocking of specific devices from corporate data, if they pose a threat.

Additionally, remote wiping capabilities should be a level-one capability for devices that are out-of-policy, non-compliant, include active threats or are lost or stolen.

2. Emphasise broad platform support and policy configuration

Rather than viewing support at a device level (there is no way you can support every gadget out there), focus on supporting far-reaching platforms (e.g. Android encompasses a number of phones and tablets; iOS includes iPod Touch, iPad and iPhone). Also, leverage policy-based functions that allow you to define which devices/operating systems are allowed on the network and what they are able to access.

In many instances, these policies can be implemented via technologies you already have in place to manage PCs. This way you don't have to invest in separate consoles, infrastructures and, in some cases, teams.

3. Adopt mobile management solutions that don't require active alerts by the user community

Accept the fact that some users will inappropriately bring new devices into your corporate environment, as well as expose current devices to unsecured networks.

In this case, you will need solutions that employ agentless discovery capabilities. This will enable you to proactively intercept all devices and take defined actions concerning access and control between those devices and the rest of your infrastructure.

Devin Anderson is product line manager for LANDesk security suite


Cyber security reaches NATO's attention

January 05, 2012

I recently came across a report by Signal Magazine on the Armed Forces Communications and Electronics Association (AFCEA) TechNet International 2011 conference that gave further attention to the reality of cyber space and crime.

As we saw with the National Security Strategy from 2010 and the recent government Cyber Security Strategy, cyber crime is now being taken seriously at that level. This article claimed that the advantages offered by cyber warfare (low cost, widespread applicability and ease of operation) mean "it is likely to be the weapon of choice for future aggressors menacing NATO and its allies".

The theme of the AFCEA conference was ‘Supporting NATO in the Next Decade' and it was held in the German town of Heidelberg last October. NATO members were present because it was held in conjunction with the NATO Consultation, Command and Control Agency (NC3A) annual industry conference.

Major general Jaap Willemse, assistant chief of staff of Command, Control, Communications, Computers and Intelligence (ACOS C4I), claimed that "the ways of classical warfare cannot be applied to cyber war", yet most military and political leaders are still dealing with information technology as if it were just another minor technology that could be added easily to existing systems.

He said: “The first priority is an international definition of the term cyber war and what successful cyber defence - or even an adequate reply to a cyber attack - could look like.

“In classical engagements there has always been some code of conduct, but not in cyberspace. As military, we need to define what our role in cyber space is in order to take the right actions when NATO allies or our own countries are attacked.”

Also speaking was Lt. general Walter E. Gaskin, deputy chairman of the NATO Military Committee, who agreed that information superiority, and therefore information technology, will play a main part in future conflicts. “Cyber attacks are and will be a serious problem,” he said.

“The main problem with cyber attacks is that they are not costly to undertake. The hardware is inexpensive and can be purchased easily, although software needs some intelligent, skilled people. A cyber attack therefore is much less expensive than the classic types of warfare that consume a lot of money, starting with fuel for combat aircraft and ending with missiles used during attacks.

“NATO nations and organisations already are frequently facing attacks. We need to develop further capabilities on cyber defence and we need to enhance the cooperation between the NATO nations in the field of cyber security.”

The US government has made significant strides with its annual cyber awareness month, and the UK government's move was mostly welcomed too. However, with an international collective such as NATO, there is the real consideration of cyber warfare and defence against it.

As Willemse said, "the ways of classical warfare cannot be applied to cyber war", and governments, infrastructure and industry are all too aware of the extent to which the enemy is unknown and cannot be underestimated.

So will this NATO-led approval for cyber security make any impact? Since this is three months old now and only just came to my attention this week, it is sad to say that it probably will not. However, if 2011 was the year when high-level attacks became mainstream, perhaps 2012 will be the year when attention reaches the highest global awareness and defence is applied.

On a slightly lighter note, also discussed was the challenge of cloud computing. NC3A general manager Georges D'hollander compared the concept of moving data to the cloud to valet parking, as "it only works if you trust that the person can (a) drive and (b) won't steal your car". I have a feeling that we will see that analogy used again.


Internet Explorer 6 use continues to decline

January 05, 2012

Usage of Internet Explorer 6 (IE6) has dropped below one per cent in the US.

Microsoft announced the milestone this week, when the software giant baked a cake to mark the drop in usage of the outdated browser. Roger Capriotti, director of Internet Explorer marketing, said: “As we kick off 2012, we call on the rest of the world: make it your New Year's resolution to end IE6 and move to a modern browser like IE8 or IE9.”

Microsoft launched the IE6 countdown website in March to encourage users to drop the browser, which was released in August 2001, by detailing how much the browser was used around the world. It is still prominent in China, which takes a 25 per cent share of global usage, while the UK accounts for 1.4 per cent.

Capriotti said he was thrilled that usage in the US had joined Austria, Poland, Sweden, Denmark, Finland, Norway, the Czech Republic, Mexico, Ukraine, Portugal and the Philippines in falling below one per cent, calling these countries "the Champions' Circle".

“We hope this means more developers and IT pros can consider IE 6 a low priority at this point and stop spending their time having to support such an outdated browser," he said.

A vulnerability in IE6 was pinpointed as the reason for the Aurora attacks two years ago; Microsoft said at the time that the vulnerability was an invalid pointer reference within IE and, under certain conditions, it was possible for the invalid pointer to be accessed after an object was deleted.

Since then Microsoft has tried to educate internet users on IE6's effective obsolescence by likening using it to drinking out-of-date milk and by promoting the countdown website.

However, in August 2010, it was revealed that the UK government was persisting with IE6 - it said there was "no evidence that upgrading web browsers will make users more secure". However, two weeks later the Department of Communities and Local Government said it was looking into upgrading to the latest version of IE.

Microsoft has pledged to officially scrap support for IE6 in April 2014, when it will also end support for Windows XP. A number of sites, including YouTube, are no longer compatible with the IE6 browser.


How Anonymous stepped up its activity over Christmas

January 03, 2012

Over the past few years that I have been working on SC Magazine, the Christmas and New Year holiday period has been traditionally quiet.

However, 2011 proved to be the exception. After an incredibly busy year in information security news, the holiday period saw some major technology stories break. In terms of impact, the most significant was when the Anonymous group posted 200GB of information on the customers of US security think tank Stratfor. The data was harvested in a hack of the company's website earlier that week.

In a statement posted on Pastebin, the group posted the 75,000 names, addresses and passwords of every customer that has ever paid Stratfor for services, as well as the personal information of 860,000 people who registered with the company that specialises in "strategic intelligence on global business, economic, security and geopolitical affairs".

According to the statement, the goal was to pilfer funds from individuals' accounts to give away as Christmas donations, an operation that had been hinted at in a previous statement. It also claimed that 50,000 of these email addresses were .mil and .gov.

Anonymous said: “We call upon all allied battleships, all armies from darkness, to use and abuse these password lists and credit card information to wreak unholy havoc upon the systems and personal email accounts of these rich and powerful oppressors. Kill, kitties, kill and burn them down... peacefully.”

It also claimed that there would be "noise demonstrations" on New Year's Eve in front of jails and prisons all over the world to show solidarity with those incarcerated. “On this date, we will be launching our contributions to project mayhem by attacking multiple law enforcement targets from coast to coast,” it said.

However, a day later, on 25 December, another statement appeared on Pastebin denying any Anonymous involvement with the Stratfor attack. This said: “Stratfor has been purposefully misrepresented by these so-called Anons and portrayed in false light as a company which engages in activity similar to HBGary.

“Sabu and his crew are nothing more than opportunistic attention whores who are possibly agent provocateurs. As a media source, Stratfor's work is protected by the freedom of press, a principle which Anonymous values greatly. This hack is most definitely not the work of Anonymous.”

Yet just to add to the confusion, a statement released on 26 December addressed the ‘denial' message, calling it "ridiculous" and saying that it "undermined our work while also making baseless accusations that we frequently see perpetrated by agent provocateurs".

It said: “Whether this is the work of malicious counter-intelligence, some butthurt pacifists or Stratfor employees themselves is unknown. Unfortunately, some main stream news agencies have picked up on this statement, looking for any reason to highlight and exploit any potential ‘inner divisions' within Anonymous.

“However, there has been no such squabble or infighting regarding the Stratfor target, or any other LulzXmas target for that matter. Anyone can claim to be Anonymous, but because of the inherent decentralised nature of Anonymous, without central top-down leadership, no individual is in a place to speak to the legitimacy of another individual or group's operation.

“Furthermore, our history of owning high profile targets as Anonymous has been well documented at the antisec embassy and is well known and respected within all Anon communities. Case closed.”

Fred Burton, Stratfor's vice-president of intelligence, said the company had reported the intrusion to law enforcement and was working with them on the investigation. He also said Stratfor has protections in place to prevent such attacks.

On the Stratfor Facebook page, the company said: “An unauthorised party disclosed personally identifiable information and related credit card data of some of our members. We have reason to believe that your personal and credit card data could have been included in the information that was illegally obtained and disclosed.

“We have also retained the services of a leading identity theft protection and monitoring service on behalf of the Stratfor members that have been impacted by these events.”

Anonymous poked fun at Stratfor hiring two outside consultants to resolve the situation. “Top identity theft protection? Professional security consultant? We'll see how that works out for you, if you ever dare to put your servers back online again. Until then, we'll be watching and waiting. And laughing, of course,” it said.

Another statement claimed that the next target would be SpecialForces.com, whose customer base is comprised primarily of military- and law-enforcement-affiliated individuals. The statement said the customers "have for too long enjoyed purchasing tactical combat equipment from their slick and professional looking website".

It said: “To be fair, at least SpecialForces.com did store their customers' credit card information using blowfish encryption (unlike the global intelligence and security industry ‘professionals' at Stratfor, who apparently remain confused as to whether their customers' information was even encrypted or not).

“Nevertheless, our voodoo prevailed and we were quickly able to break back into the military supplier's server and steal their encryption keys. We then wrote a few simple functions to recover the cleartext passwords, credit card numbers and expiration dates to all their customers' cards. That's how we roll.

“In reality, for the past few months, we have been in possession of approximately 14,000 passwords and 8000 credit cards from SpecialForces.com. Unfortunately a former comrade leaked the password list early, and the full story on this owning will be told in our upcoming zine. Until then, feast upon one hell of a juicy text file.”

It concluded this statement with a demand that US soldier Bradley Manning be released immediately. He was also referenced in other statements over the holiday period.

While nobody expected Anonymous, or any other hacktivist group for that matter, to be quiet over the Christmas period, the size of this data dump achieved many headlines for the operation.

The comments relating the actions to Bradley Manning, whose trial was also a major news story in the days leading up to Christmas, also demonstrated how seriously this should be taken, but whether the unlikely release of the soldier would have prevented the actions is anyone's guess.

Either way, Anonymous has proved that its actions are not ending any time soon, and I suspect they will continue into and throughout 2012.


Some good advice if you want to bring your own device to work

December 20, 2011

The holiday season is here again and many people will be giving and receiving new technologies this year, including mobile phones, laptops and tablets.

While this is good news for the consumer, come January all these new toys will present a headache to IT managers everywhere who will want to make sure they can keep company data secure.

Increasing numbers of workers today are bringing their personal devices to the company IT department to enable access to email and other productivity apps on devices such as iPads, iPhones and Androids. According to a recent Forrester report, three-quarters of US information workers pick the smartphone they want rather than accept IT's choice, and more than half of them pay for their smartphone and monthly plans.

According to our recent survey, increasing numbers of companies across all industries are supporting a bring-your-own-device (BYOD) model, and in more than half of those instances, employees shoulder the cost of their device and service plan.

So now employees can use their favourite devices for work, but what does it mean for the company? It means that companies must now support more platforms and deliver business apps such as email, chat and portals on iPads, iPhones, and Android and Windows phones.

That means data and apps will be used from any location over any network and can endanger sensitive company information, potentially getting workers or their employers into trouble.

To protect confidential data stored on personal mobile devices and stop it from falling into the wrong hands, many IT departments turn to third-party solutions to better secure, monitor, manage and support the variety of mobile devices used by employees. Using one of these solutions, IT organisations can implement security controls such as passwords and remote wipe and lock, which allow IT to erase corporate data from a mobile device if it is lost or stolen.

The challenge is that most employees don't want to enter a complex password every time they need to make a phone call, send a text message or update their Facebook status. Plus, when employees use their personal phones for work, a remote wipe could erase personal apps and data in addition to corporate data and applications.

Fortunately, companies such as Good Technology take a different approach to these BYOD security challenges and keep the best interest of both employees and employer in mind.

To keep your information secure this holiday season, Good Technology is offering some tips on what employees can do to help protect both personal and company information:

  • Don't use cloud programs on your mobile device to share corporate files and data.
  • Beware of email fraud. Don't send email to anyone you don't already know, or respond to emails that appear to be from known sources without first verifying that they are legitimate.
  • Secure your device settings and have it automatically lock after five minutes.
  • Don't forward emails from your corporate address to private email accounts, especially emails with attachments.
  • Don't use check-in apps everywhere.
  • Turn location settings off when not using apps that require it.
  • Be careful of Beta programs/apps: they can be dangerous, as in many cases the developers haven't sorted out security yet.

Andy Jacques is EMEA vice-president and general manager at Good Technology


2011: a year in headlines from SC Magazine, September to December

December 19, 2011

Most of September's news was dominated by the hacking and issuing of rogue certificates from DigiNotar.

After it admitted to an initial compromise, it was given a vote of no confidence by Google, Microsoft and Mozilla, and later Apple.

The hacker said he had access to four other certificate authorities (CA), putting fellow CA GlobalSign on alert, although it later said nothing had been compromised. In an email to SC Magazine, the hacker said his intention was to embarrass DigiNotar.

DigiNotar was later declared bankrupt and this proved to be one of the main cases of a cyber attack leading to the closure of a business.

Elsewhere a CD was lost by a primary care trust that contained the personal details of 1.6 million individuals, the University Hospital of South Manchester NHS Foundation Trust lost the personal information of 87 patients following the loss of an unencrypted memory stick, while the Scottish Children's Reporter Administration breached the Data Protection Act twice.

The Information Commissioner Christopher Graham called for custodial sentences after former Barclays cashier Sarah Langridge pleaded guilty to illegally accessing the account details of a customer who had been the victim of a sex attack by Langridge's husband, for which he had been jailed.

A major DNS hack led to the websites of Vodafone, Betfair, Acer, National Geographic, the Daily Telegraph and the Register being replaced with an image and a message that read: “h4ck1n9 is not a cr1m3 4 Sept. We TurkGuvenligi declare this day as World Hackers Day - Have fun ;) h4ck y0u.” Also, further arrests were made in connection with the LulzSec attacks, with two people arrested in the UK and Ireland and another in Arizona.

Research by Trend Micro uncovered a series of targeted attacks that compromised 1,465 computers in more than 60 countries, while the most notable acquisition of 2010, the purchase of McAfee by Intel, saw the DeepSafe technology launched.

In September I attended the Gartner security conference in London, and among the highlights were meeting the director of consumerisation from Trend Micro, proving how far the trend has come, and SABMiller CISO Mark Brown saying that CISOs "have to become business enablers and talk at board level if they want to retain their status".

At the end of September, SC Magazine exclusively revealed that businesses would face a 'mandatory data breach disclosure' law as part of the new Data Protection Directive, the legislation on which the Data Protection Act is based.

While the law will go through a process of consultation over the next 12 months, it is expected to become law in the UK by early 2013. Just how ready will businesses be? Probably about as prepared as they are for the cookies law; still, there is no fighting the regulator.

In another botnet takedown, Microsoft confirmed the end of the Kelihos botnet, which primarily sent out the MacDefender virus, while it faced a false positive nightmare as it flagged an update for Google Chrome as the Zeus Trojan.

In acquisition news, it was all about security incident and event management (SIEM) as McAfee grabbed NitroSecurity and IBM snapped up Q1 Labs. The news on 6 October was dominated by the passing of Apple founder Steve Jobs, with tributes paid from around the world by people involved in technology and government.

Also in early October, I attended the Symantec Vision conference in Barcelona. New announcements were led by its launch of a data loss prevention (DLP) solution for the Apple iPad and its declaration that "reputation-based protection is the future of anti-virus". I was also given my first demonstration at this show of the capability to Trojanise mobile applications, a trend that may grow in dark popularity.

The following week was dominated by the RSA Conference Europe, which opened with an apology and executive chairman Art Coviello quoting Nietzsche's epigram, "what does not kill you makes you stronger".

Coviello also said the attack on his organisation was done by two groups, with one definitely from a nation state, and he later said that security technology should be advanced so that it is risk-based, agile and has a contextual capability; he added: "While we may try, we will never keep up with individual attacks, but we can create a system to withstand certain attacks."

At the show I met with HB Gary CEO and co-founder Greg Hoglund, who detailed how the company was stronger following its attack, while Sony confirmed that it detected attempts on the Sony Entertainment Network (SEN), PlayStation Network (PSN) and Sony Online Entertainment (SOE) services to test a massive set of identities and passwords against its network database, possibly impacting 93,000 accounts.

The RSA Conference Europe was closed by internet godfather Tim Berners-Lee, who expressed his dismay at a lack of user control over data, calling it "dysfunctional". Also in October, the research paper ‘BEAST', which detailed a method of defeating SSL, was described as "technically clever but over-sold" by SSL inventor Taher Elgamal.

Into November and the US stuck its neck out and dared to name China and Russia as key cyber threats in a report, while sportswear giant Adidas was forced to take down its websites after suffering a "sophisticated, criminal cyber attack".

Another incident at a certificate authority (CA) caused KPN Corporate Market to stop issuing SSL certificates after it discovered a security breach that allowed hackers to store tools for denial-of-service attacks on its servers. Microsoft also said it would revoke trust in Malaysian intermediate CA 'DigiCert Sdn. Bhd' after the CA had issued 22 certificates with weak 512-bit keys, and issued certificates without the appropriate usage extensions or revocation information.

In less of an acquisition, more of a save, Cryptocard acquired GrIDsure after the latter went into liquidation, while Southwark Council was told off by the ICO after it left a computer and papers containing the personal information of 7,200 people in a skip.

Also in this period, Prolexic reported the largest packet-per-second distributed denial-of-service (DDoS) attack of the year, while seven people were charged with using malware to manipulate online advertising and infect more than four million computers in more than 100 countries in ‘Operation Ghost Click'.

It had been more than a year since the Stuxnet worm impacted SCADA systems, but attacks on water systems in Illinois and Texas hinted at fresh attacks. Sourcefire EMEA technical director Dominic Storey said these "would be just the beginning", while the attacker of the Texan system told SC Magazine that the SCADA-based system was controlled by a three-character password.

While North Somerset Council and Worcestershire County Council received ICO fines for "serious email errors", the Government announced its Cyber Security Strategy that will open a new national cyber security ‘hub', a cyber crime unit within the National Crime Agency and a single reporting system to report financially motivated cyber crime.

Generally the strategy was welcomed by the security industry, but some called it too political or reliant on unlikely collaboration. Among those proposing changes was former Home Secretary John Reid, who said a lack of investment in innovation would harm industry.

There will be an impact on ISPs, as the strategy said government will work with them to create a voluntary code of conduct to help people identify if their computers have been compromised and advise them on what action to take.

Also in regulatory news, it was announced that new data protection laws will compel European businesses to appoint a data privacy officer, something that could have saved Powys County Council from the largest ICO fine to date, £130,000, after child protection case details were sent out incorrectly in two instances.

At the half-way point of the year's grace on 'cookie compliance', the ICO announced there had been little progress on the issue and encouraged collaboration to understand the road to regulation.

In the world of the CA, another was reportedly hacked, although this did not appear to have affected certificate issuance from Gemnet. At the same time, CA GlobalSign said it had found no evidence of any rogue certificates being issued or any compromise of its CA infrastructure, following rumours in September to the contrary.

Wrapping up the final headlines for December, rumours abounded that a European processor had been breached, but at the time of writing there was no further confirmation.

Microsoft confirmed it will offer ‘silent' updates of Internet Explorer for those who want it, while Google pulled 14,000 malicious applications from its Android market.

What I hope these three 'year in review' articles have proved is what a busy 12 months it has been for all of us in security. Security hit the headlines of the national press around the world many times, with stories and angles that I could never have predicted. So here's to 2012, when I hope there will be some more good news!


2011: a year in headlines from SC Magazine, May to August

December 16, 2011

I was on holiday when the first announcement was made about the Sony attack. My first reaction was that it would not be as big a deal as the RSA attack, but in fact it proved to be the more ‘persistent' of the two, on the grounds that it went on and on.

Sony promised to improve its security by appointing a CISO after the initial hack, as board members publicly apologised for the incident. Sony went on to blame Anonymous for the hack after discovering a file on a server that was named ‘Anonymous' with the words "we are Legion". Also suffering from a loss of data was the US version of the X Factor with popstar hopefuls impacted.

The killing of Osama Bin Laden caused warnings on scams, while Baroness Pauline Neville-Jones stepped down as security minister to be appointed as a special representative to business on cyber security, later playing an important part in the government's cyber security strategy.

Acquisitions continued with Tripwire acquired by investment firm Thoma Bravo, Astaro by Sophos and Shavlik by VMware.

Just when you thought data-loss stories couldn't get more ridiculous, former data controller of ACS:Law Andrew Crossley was fined just £1,000 for failing to keep sensitive personal information relating to around 6,000 people secure. The Information Commissioner's Office (ICO) said the fine could have been £200,000 if the firm was still trading, but the unencrypted document which listed the personal details of more than 5,300 BSkyB Broadband subscribers belonged to a company that had closed down.

The ICO also announced that the details of 82,000 people were accidentally published online when a data file, which had been repaired by Co-operative Life Planning's software support contractor, was hacked.

Yet the ICO's big announcement of this period was in regard to cookies, when it gave companies a year to get consent from visitors to their websites in order to store cookies on their computers. The Chancellor announced at this time that the Treasury faces one email attack every day; just the one, Mr Osborne?

More realistic was the announcement that the Ministry of Defence faced more than 1,000 cyber attacks in 2010.

The rise of advanced malware for mobile and Apple products has been predicted for some time, and in 2011 we had some of the first real examples. Android phones were said to be vulnerable to a third-party snooping flaw, Apple users were warned about using an outdated, vulnerable version of Opera, and the detection of a rogue anti-virus product named ‘MACDefender' made malware for Apple all the more real.

The RSA incident came back to life when US defence contractor Lockheed Martin announced that its network had come under a "significant and tenacious" attack and, according to reports, RSA's SecurID tokens were linked to the access. Later it was suggested that at least one prime defence contractor (not Lockheed Martin) made the decision to stop using RSA SecurIDs for its senior staff and found a completely different vendor to supply its security tokens following the incident.

RSA executive chairman Art Coviello later admitted that SecurID data was compromised during the attack, and that it had been "used as an element of an attempted broader attack on Lockheed Martin". Lockheed Martin said the attack was thwarted and no sensitive information was intercepted. Is this the last we have heard of this incident, I wonder?

Attacks against Sony continued; an attack on the Sony Pictures website revealed one million passwords which were unencrypted and stored in plain text, as a hacking group named LulzSec (internet slang for laughing at security) emerged as the responsible party. The same group attacked the Sony BMG website and the computer entertainment developer network.

LulzSec later intercepted a Nintendo configuration for one of its US servers, but said its focus was on Sony and it was not planning to do anything with the file. Games developer Codemasters was also attacked, but no claim was made by LulzSec; likewise Sega's pass portal was hacked with around 1.3 million user details compromised, but cardholder data was unaffected.

Proving that its attention was not wholly focused on gaming, LulzSec hit the US Senate and the website of the CIA, while long-term Anonymous target PayPal denied that login information had been accessed after LulzSec claimed to have released login information for Facebook, PayPal, dating sites, Xbox Live and Twitter accounts. LulzSec also denied responsibility for hacking UK census data, and the Office for National Statistics later said that no data had been compromised.

At the peak of its infamy, on 25 June LulzSec announced it was ending its campaign, with its final act being to dump more than half a million user credentials. The end of its operations brought many comments on what it had achieved, and it has mostly stayed true to its retirement, although its members later merged with Anonymous to continue the latter's operations.

In more positive news, IPv6 Day demonstrated the capabilities of the modern protocol, and Google launched a new social networking site named 'Google +', although its first flaw was found a few days later.

The ICO said the NHS needed to do more to protect user details following a spate of data breaches, yet the private sector was named as being responsible for a third of data breaches. In this period the ICO handed another fine to Surrey County Council.

In malware, the most complex botnet of all time was discovered and named the TDL-4, while LulzSec made a brief return to redirect visitors to the Sun newspaper site, which claimed Rupert Murdoch had committed suicide. The Sun also admitted to a potential data loss because of the attack.

In fact, the shadow of LulzSec remained during July, as arrests were made and LulzSec responded by saying: “Arresting people won't stop us, FBI. We will only cease fire when you all wear shoes on your heads. That's the only way this is ending.”

However, one of the arrests was of an 18-year-old from the Shetland Islands named Jake Davis, who was suspected of being the LulzSec member Topiary. He was later charged with computer offences by the Metropolitan Police.

The police also warned off wannabe hackers, but not before 'TeaMp0isoN' emerged defacing the BlackBerry blog in response to RIM's announcement that it would co-operate with police following the London riots.

Facebook announced a bug bounty programme, but said flaws in third-party apps would not be rewarded. Microsoft offered $200,000 for the inventor of the 'next great security technology', although this offer was criticised by research and development firm Subreption, which said "entrants should not sell themselves so cheap".

Anonymous returned to the news once again in August with plans announced that it would 'kill Facebook' on 5 November, while it hit the San Francisco Bay Area Rapid Transit (BART) system following the latter's decision to shut down mobile phone services.

In a good bit of vendor tussling, McAfee launched its 'Shady RAT' report detailing multiple and lengthy intrusions; Eugene Kaspersky dismissed it, calling it "shoddy rat". McAfee responded to Eugene's claims, saying he had "missed the point".

In other news, Google passed an ICO audit following its Street View cars' collection of data from unsecured WiFi transmissions, and LinkedIn was forced to change a proposed policy on using members' photos in its 'social ads' following a user backlash; to bring things full circle, the email that brought down RSA was identified by F-Secure.

The month ended with members of Anonymous leaving the movement and criticising its direction, while Dutch certificate authority DigiNotar admitted to being hacked, with rogue certificates issued, an incident that became the next major trend of 2011.


2011: a year in headlines from SC Magazine, January to April

December 13, 2011

With 2011 proving to be the year that information security hit the national headlines over and over again with some of the biggest stories in years, rather than looking back in one article, I have decided to take an extended view of the past 12 months.

The year began without a major flurry and, a year on from 2010's Aurora attacks, information security news had a lot to live up to. The run of acquisitions in 2010 continued at the start of 2011 with Dell's acquisition of SecureWorks and Sourcefire's acquisition of Immunet.

The first of many data losses in 2011 that were reported to the Information Commissioner's Office (ICO) concerned the Scottish Court Service disposing of documents at a local recycling bank. Another major 2010 story, WikiLeaks, was addressed with US government agencies encouraged to create 'insider threat' programmes to find disgruntled workers who could leak state secrets.

One of the major and consistent themes of 2011 was consumerisation, and my first blog of the year focused on this theme and asked if the smartphone was to blame. If your concern was the security of open source software, then Trend Micro chairman Steve Chang agreed with you.

On a wet Friday afternoon in January I was one of a select bunch of journalists invited to meet finalists from the Cyber Security Challenge; it later confirmed the winners, and this experience gave me an insight into what was going on with the next generation of security folk.

Those who thought they were untouchable were arrested on a charge of stealing iPad user data from AT&T's servers; meanwhile, up to ten million smartphone users may have been affected after a breach of Trapster's username and password database was revealed.

The end of January also brought an end to Lush's website, after it revealed a four-month-long compromise that caused it to jokingly offer a job to the hacker. Less amusing was the revelation by Imperva that major European and US government websites had been hacked, with access to the sites put on public sale.

As January came to an end, the Arab Spring began with Egyptian ISPs ordered to cut connectivity, and Anonymous sent a warning to the UK government after the arrest of five men.

Into February, and the ICO issued its third and fourth fines, to Ealing and Hounslow Councils, over the loss of unencrypted laptops; Google announced Larry Page as its new CEO; and Qualys called for the open source development of a web application firewall. The status of this project is now unknown.

McAfee launched the 'Night Dragon' report that talked of targeted attacks on oil and gas field bids and operations, although comments from Sophos later suggested this did not have enough depth for it to be taken seriously.

Over at the RSA conference in San Francisco, Art Coviello talked about trust in the cloud, demos were given on drive-by downloads and mobile malware, but the organiser's biggest news was to follow later.

Robust attacks hit the headlines again, with the website of the controversial Westboro Baptist Church taken down; initially it was suspected to be the work of Anonymous, but responsibility was later claimed by pro-US hacktivist 'the Jester'.

If malware is your bag, we saw OddJob in February and Google pulled 21 suspicious apps from the Android Market, while my first encounter with Zeus came courtesy of IronKey at its lab in California.

March saw the release of the iPad 2 from Apple, and blog platform WordPress was hit by a huge distributed denial-of-service attack that was 'multiple Gigabits per second and tens of millions of packets per second'.

In fact, March saw a number of attacks, with the French budget minister, 29 government and other agency websites in South Korea and Broadcast Music (courtesy of Anonymous) all taken down.

On the same day as Wolverhampton City Council was reported to have dumped "confidential personal information in a skip", Twitter introduced a full HTTPS session as an option; it later made this mandatory for all users.

Now you could remember 18 March as the day Microsoft announced the takedown of the Rustock botnet, which otherwise would have been a major headline-grabber, but that news was superseded by RSA's announcement that it was hit by an advanced persistent threat (APT).

Looking back at that story, there is nothing much in it that gives any clue to the impact of the incident, but at the time it was earth-shattering: executive chairman Art Coviello said that an "extremely sophisticated cyber attack" was detected while in progress, and its investigation revealed that the attack resulted in certain information, specifically related to RSA's SecurID two-factor authentication products, being extracted.

The story would run for days, weeks and months, and remains one of the most referenced of the year. In the following days, Play.com revealed that it had breached data laws, while Trip Advisor also admitted to a breach of user data rules.

The European Commission announced that it was hit by an APT, while a BP employee lost a laptop containing the personal details of 13,000 Louisiana residents who had filed compensation claims after the Gulf of Mexico oil spill. Another bad day for the oil giant.

In possibly one of the most distressing stories of the year, a data leak at an HIV clinic revealed test results for adult actors, while marketing company Epsilon suffered a breach that caused it to inform its customers of the potential exposure; in other words, a nightmare for everyone involved. However, it did lead to Twitter users 'counting' how many notifications they had received: just the one for me.

Further light was shone on the RSA 'incident' as it was found to have been caused by a spear phishing message that exploited a vulnerability in Adobe Flash to gain access. RSA also acquired NetWitness, the company whose technology helped it detect the attack.

In slightly more positive news, the Jericho Forum introduced one of the first thought leadership pieces of the year, with its guidance on identity management launched in London. We also saw another botnet, Coreflood, taken down as the FTP server turned 40.

April ended with the InfoSecurity Europe show, where a demonstration of how easy it is to run a rogue WiFi point snared 300 visitors, the Information Commissioner denied, and got rather confused about, some Freedom of Information Act findings, and, most importantly, the SC Magazine Europe Award winners were announced.

A very busy four months then, and as the world enjoyed the Easter and Passover holidays and waited for the wedding of Prince William and Kate Middleton, the headlines were not about to relent.


"Can you put that phone down dear, the Queen is on in a minute!"

December 08, 2011

With just over two weeks to go until Christmas, it may be a case of winding down for some while others will fail to see the holidays as a time to take a break.

According to research from SecurEnvoy, 46 per cent of adults so fear losing their job that they will sneak a peek at their emails on 25 December. Only 34 per cent said they will not look at any work emails during the festivities.

The survey of 1,000 people found that while 21 per cent of people say that it isn't necessary or expected of them to be in touch with their company over Christmas, one in five people felt competitively disadvantaged if they didn't keep on top of their emails this Christmas.

The survey also found that security is far from the first thing on respondents' minds, as 46 per cent also confessed to not using any sort of security on their phones, not even a PIN, even though almost half will be looking at their business emails, which could include sensitive information and unencrypted documents.

Another survey, of 3,000 UK adults by online backup vendor Mozy, found that Brits are becoming increasingly connected to their work as a result of technology, with the average person working an extra three hours a week and 22 per cent never straying more than ten feet away from an internet-enabled device. However, only 32 per cent save data to their corporate networks when working remotely.

Claire Galbois-Alcaix, senior manager of marketing at Mozy, said: “The results of the survey show the lines between work and personal lives increasingly blurring as more and more of us work in our personal time and space as well as carrying out personal tasks in work time and locations.

“Both employers and workers appear to benefit but, if workers are only saving data to their laptops, tablets or smartphones, this leaves businesses at significant risk should they be lost, stolen or broken. In most cases, the consumerisation of IT and workplace flexibility leads to a more 'switched on' and connected workforce, but UK businesses need to ensure they are able to properly back up data when employees are working outside of the office to protect important information from loss.”

However, the research found that 70 per cent of respondents are more productive when given the flexibility of remote working, while three quarters stated they enjoy working at home more than being in the office.

Eoin Blacklock, managing director of online backup company KeepItSafe, said: “Businesses need to wise up to protecting their mission-critical data over the Christmas period and ensure they are not relying on outdated or insecure technologies and manual processes. It is a period when offices close for long periods of time, employees are in and out at irregular intervals and the weather can also play havoc. This often leads to data backups falling by the wayside, unforeseen downtime and the potential for data loss when a restore fails.”

So whether your unexpected issue over Christmas is one of remote workers accessing email, a data loss by well-meaning employees or simply an act of God, there is no time like the present to make sure preparations are made. Until then, pass the cranberry, not the BlackBerry.


It's not just a Secret Santa being opened at the workplace this month

December 05, 2011

As we enter December, the human factor in information security becomes a continued issue, but with an air of alcohol about it as the office Christmas party season swings into life.

So it is now time to think, as usual, about strong password deployment, patching of systems, securing external devices and more, while staff shop online, possibly take the foot off the pedal and get stuck into the Cadbury's Celebrations.

It is not only office staff that cause an issue at this time of year though, as according to research by Lieberman Software, 26 per cent of IT security staff will use their privileged login rights to look at confidential information.

Its survey of more than 300 IT professionals, exclusively seen by SC Magazine, also found that 42 per cent of respondents said that their IT staff are sharing passwords or access to systems or applications, while 48 per cent of respondents work at companies that are still not changing their privileged passwords within 90 days.

Philip Lieberman, president and chief executive officer of Lieberman Software, said: “Our survey shows that senior management at some of the largest organisations are still not taking the management of privileged access to their most sensitive information seriously.

“When someone can admit that they have unsupervised, unaudited and unauthorised access to all their colleagues' and superiors' bonus details then the IT security of that organisation is seriously flawed.

“These fundamentally careless practices and procedures revealed by the IT departments of the organisations we surveyed could cost them dearly in 2012. In many ways they should be breathing a sigh of relief that they have not been breached yet, but it's just a matter of time.”

So better ensure that staff lay off the eggnog and make sure that they don't attempt to change their grades, view the MD's salary or intercept emails, as it could be a new year full of repentance.


Security compliance and the cloud will help foster business innovation and borderless working in 2012

December 02, 2011

More than ever before, 2012 will see global connections between people, machines and their environments shape the global business landscape and drive the future of work. The future has never looked brighter for business and governments to employ technology to generate growth, solve industry challenges and enrich lives and our global society. Of course, with new technologies and new working models come new challenges, and security is a core part of this. Traditional security methods were built on the notion that the IT department was in full control of every application or device coming into the business. With cloud and the consumerisation of IT, this has changed and the security practices in place need to be adapted to suit the modern IT environment. Some key technology trends that we predict will impact businesses and their workers in 2012 include:

1 - Compliance gets increasingly commercial - With increasing evidence that companies are less likely to be data breach victims if they comply with security standards, such as those promoted by the Payment Card Industry (PCI) council, compliance will become a prerequisite for good business practice in 2012.

In a difficult economic environment and with increasingly more stringent government regulations, the need for taking full advantage of business opportunities will increase interest in prudent, holistic security approaches.


Companies and governments will change how they interact with their extended network of partners, increasingly choosing to do business with those that can demonstrate a comprehensive multiyear and standards-based approach to security.

2 - The high-IQ network effect - With each new smart device or software application added to a network, all endpoints and devices will become inherently smarter, each benefiting exponentially from additional connections. Whether the connections are people-to-people, machine-to-people or machine-to-machine, new opportunities will be created to solve societal challenges such as employing IT to address the rising cost of health care or deliver smart energy solutions.

However, because of the network's importance, any security threat or interruption of service will have a profound impact. As a result, there will be an even greater demand for carefully designed and well-managed services at the core of the global IP backbone and high-speed wireless networks.

3 - To the enterprise cloud and back - As we begin to move away from the 'is cloud secure' scare-mongering, the enterprise cloud will finally come of age and deliver substantial benefits, dramatically reducing capital expenditures and creating business efficiencies and better economics.

Cloud services will give companies powerful new options to move workloads easily between the corporate data center and the cloud of a company's choice. Whether a public, private or hybrid cloud model, the enterprise cloud will play an essential role in mobilising enterprise apps that enable both workforce mobility and new business paradigms.

4 - The social enterprise - The already web-centric enterprise will become even more social and the ability to tap intelligence at all levels of the organisation will become the new norm. Of course, alongside this, organisations will need to adapt their security procedures to fit this new model but the potential benefits are clear.

With the right tools, such as high-definition video for richer collaboration and intelligent 'crowdsourcing', enterprises can produce, find and convey information with much less effort and greater velocity and efficacy than ever before. This will foster innovation and enhance productivity with exponential benefits.

5 - The consumerisation of IT - Just as personalisation is driving a new approach to customer service, IT departments are increasingly being influenced by their users. Many companies are now trying to improve the user experience and enhance productivity by tailoring their enterprise IT policies to support employees who bring their own devices - such as smartphones and tablets - to the workplace.

Companies are now looking to experts to help equip today's mobile worker with cloud-based applications that work just as securely and reliably on portable devices and are integrated with traditional desktop applications.

Gavan Egan is director of security services at Verizon EMEA


All hail Estonia?

December 02, 2011

This week at the Cyber Security Summit in London, a statement was made by one of the key speakers that caught the attention of delegates, press and other speakers alike.

Major General Jonathan Shaw, head of the defence cyber operations group at the MoD, singled out a Baltic state as a leading light when it comes to cyber readiness and being prepared for "a one-nation response".

His focus was Estonia, a country of just under one and a half million people, which marked 20 years of restored independence in 2011. Its cyber history is well known: in 2007 a series of distributed denial-of-service (DDoS) attacks was made against it over a period of time, and government, financial and political party websites were taken down.

The blame was placed on Russia, and a Russian youth group claimed responsibility two years later. However, a year after the attacks, seven NATO countries agreed to fund a centre of excellence in Estonia. It was built that year and is one of 15 accredited Centres of Excellence (COEs) for training on technically sophisticated aspects of NATO operations. It conducts research and training on cyber security.

Shaw said: “Estonia represents a country that is in a post-attack mode, not like UK which is in a pre-attack mode. We need a national response with GCHQ as the pillar.”

This led me to think that with so many looking at the MoD or the US Department of Homeland Security, you would assume that one of those would be the pillar of global cyber defence for others to follow. After all, despite its 20 years of independence, there may be some who would view Estonia as somewhat suspicious because of its Soviet heritage, or even because of the arrest and charge of Estonian nationals in cyber-crime-related activities.

I turned to some Estonian government agencies to see what they felt about such high praise. The MoD in Estonia told SC Magazine that its 'cyber leader' role stems from its highly developed information society where the Estonian public and private sector have a long tradition of providing online services, which include e-voting, e-prescriptions, e-schooling and some of the highest adoption rates for online banking and payments in the world.

A statement said: “It naturally follows that we put effort into ensuring the safety and security of our information society. This was already the case prior to cyber attacks against Estonia in 2007. Cyber defence is not merely a military affair, but requires the participation of all sectors of government and society.”

It also claimed that Estonia's approach emphasises that every owner and user of a network is responsible for its security, to include critical service providers particularly in the private sector, but also individual users.

“Citizens should be knowledgeable about cyber security issues from their first contact with networked devices. We currently include basic cyber security training in our elementary school curriculum, though our National Cyber Security Strategy also foresees expanding this to preschool,” it said.

“All IT-related university curricula include a module on cyber security. Two of Estonia's leading universities also jointly offer one of the world's first masters-level programmes in cyber security.”

So cyber security is taught in schools in Estonia and rules on responsibility are well detailed; some in the UK would argue that such an established method is something of a pipe dream here.

I also spoke to the Estonian Information Systems Authority, which helps state, private and public sector organisations maintain the security of their information systems.

A spokesperson said: “Being seen as a leader (by any country) has a double effect: first, if attack vectors are being tested, it is reasonable to test them with the strongest opponent you can find. So, the reputation of the leader results in a heavier workload for our cyber security specialists.

“On the other hand, being the 'Test Site Estonia' brings the newest trends in the cyber security field right to us - our experts see the latest.”

It called Shaw's compliments "exceptional", but said that the reason it takes so much interest in cyber security lies within the structure of Estonian society. “As we have 1.4 million inhabitants, the only way to stay effective is to make our society digital. In November 2011, 99.6 per cent of all bank transactions were performed electronically. This spring, 94 per cent of tax declarations were filed electronically; it takes only 15 minutes to establish a company electronically, etc. For Estonia, cyber security is unavoidable to keep our vital services running and maintain our way of life,” it said.

So if Estonia is the key leader in cyber security as a nation state, what advice would it pass on to public and private sector companies when it comes to protecting against an attack?

In short, it said "co-operation and awareness raising". The spokesperson added: “One of the Estonian risk managers once said 'only the strong ones can afford talking about their weaknesses'. There have been large (politically motivated) cyber attacks before 2007 and after, but one reason many know about Estonia is the amount of information.

“We talked about everything we knew: about the assumed motivation, the methods used, the timelines and mitigation. We shared graphs and gave data to be analysed by specialists in other countries. After 2007, people in Estonia were really interested in cyber security, we responded with awareness raising campaigns and activities.

“As the 'weakest link' of cyber security is often seen between the chair and the monitor, the attitude and behaviour of computer users is a very important aspect for us.”

The reason Estonia is perceived as a cyber leader by Shaw is that it experienced an attack, dealt with it, learned from it and moved on with this knowledge and education. I am not suggesting that the best way to become stronger is to be a victim of an attack, but Sony, RSA and others will stand stronger in the future due to their experiences in 2011.

Estonia also faces different challenges to the UK and US due to its population size and 'age' as a nation, but to see how to survive and be praised by the MoD, the future may be to go east.


Never mind the malware - here's Google Android

December 01, 2011

If you believe its critics, Android is about the worst thing to hit the mobile space since the emergence of the smartphone.

It has been criticised for the ease with which its applications can be Trojanised; its apps are apparently not filtered as stringently as Apple's, and because it is open source it is, the critics say, inherently unsafe. However, be prepared, as this could mark 2012's mobile wave.

Stephen Midgley, vice-president of global marketing at Absolute Software, says Android and the forthcoming Windows Phone will be taken up by users who have held off on buying Apple devices.

“Many developers are concerned about the open nature of Android, but the reality is that people develop in-house apps,” he says.

So if the development and filtering process of Android apps is a much easier process, could it become easier to build in-house apps for Android, therefore making Android the smartphone device of choice for next year?

This week saw new mobile management software launched by two security vendors.

MobileIron launched version 4.5 of its device management software to offer security on a wide set of Android devices.

With support now added for Android 4.0 (Ice Cream Sandwich) and technology partnerships with Android leaders Samsung and Cisco, MobileIron gives enterprise IT departments the most complete Android security platform.

Features of MobileIron 4.5 include encryption enforcement for data at rest on Samsung GALAXY devices, as well as those devices running Android 3.0 and above, secure SSL VPN connectivity for data in motion via an integration with Cisco AnyConnect, and the ability to disable camera, WiFi and Bluetooth functions in high-security environments.

Ojas Rege, vice-president of products at MobileIron, agrees that 2012 will see a massive influx of Android devices into the enterprise, and that companies want to know they can count on enterprise-grade security across those devices.

Talking to SC Magazine, Rege said: “In 2012 there will be a main trend that will rapidly increase the take-up of Android: bring your own device (BYOD) policies. Companies are talking about it and users have Android devices so the mix at work looks like the mix at home. Users do not want to learn about the different 'flavours' of Android, they want to get mobile device management and figure out what it is capable of.”

Also released this week was a mobile security product from Bitdefender, its first security product for the Android market.

According to the company, Bitdefender Mobile Security combines in-the-cloud technology with the company's threat database, with the result including features such as an Application Audit that keeps an eye on the permissions of installed applications, Anti-Theft, which allows users to track down a lost or stolen device, and Web Security, which alerts Android users to lurking threats such as phishing or malware on web pages.

Alexandru Balan, senior product manager at Bitdefender, said that following beta testing by 120,000 users, it is a product that lightens the load on both the device's battery and operating system.

“Security can be iron-clad and feather-light at the same time – Bitdefender Mobile Security proves it,” he said.

“The security is guaranteed by Bitdefender's years of experience on the front lines of the war against e-threats. At the same time, our in-the-cloud technology prevents battery strain, updates continuously and takes it easy on the operating system. Mobile security is, finally, truly mobile. Android device users can now be secure without having to constantly carry around their phone chargers.”

In a few weeks we will take a more concise look at what the security industry predicts to be major trends for 2012, and I expect Android to be one of the key pillars of the year. You can't say you weren't warned.


The effect of the Cyber Security Strategy on the ISP, and ultimately the end-user

November 30, 2011

Of all of the proposals in last week's Cyber Security Strategy, most seemed to be government or public sector led with little direct immediate impact on UK plc.

Apart from one section, where the government said it would 'work with internet service providers (ISPs) to create a new voluntary code of conduct' that will 'help people identify if their computers have been compromised and what they can do about it'.

As the first and only point of call for connectivity, the ISP is a good place to start for guidance to consumers; after all, is the end-user going to start calling the Paymaster General for advice on how to get rid of a virus? Then again, is the ISP actually in a position to advise an end-user on security issues, or does it add nothing to the ongoing 'need for education'?

One recent instance of an ISP helping its users with online security was when Virgin Media wrote to around 1,500 customers, warning them that they had been infected with the SpyEye Trojan. It offered advice on how to clean their computers after they were found to be part of a botnet by the Serious Organised Crime Agency (SOCA). 

I asked Virgin Media what it felt about the new proposals for ISPs; a spokesperson said it takes a proactive stance against malware, providing all its customers with free security software, as well as support and guidance on how to stay safe online.

"Virgin Media has an active partnership with leading security organisations such as SOCA, to help advise customers of particularly nasty malware infections and how to resolve them. We look forward to working with the Cabinet Office and industry more broadly to share our learnings and experience in this area to help create a safer environment for consumers across the UK,” the spokesperson said.

I asked Ross Parsell, director of cyber strategy at Thales, if he felt that this focus on the ‘middleman' will help users. He said: “The strategy does call for industry to draw on its own factors, and the outline from Virgin is a good example, but it needs to be endorsed by government – but they are shying away from setting a standard. It needs to be recognised and entered into something to abide by.”

Rik Ferguson, director of security research and communication EMEA at Trend Micro, said it was "heartening" to see that there will be a review of legislation.

He said: “Security companies have been saying for some time now that ISPs have a greater role to play in informing and assisting their customers who have fallen victim to cyber crime, and this report promises to explore that capability although without a concrete timeline.”

Most would say that any efforts for user education should be welcomed, and starting with the ISP, which can help users, is positive. How long this takes to begin and whether all play ball will be the next challenges.

 

Why is data protection not a priority for small businesses?

November 28, 2011

Small business disaster can strike at any moment, from a computer virus to a flood, fire or theft.

For any type of business, no matter how large or small, a man-made or natural disaster can be highly disruptive to business continuity. Inventory and accounts, physical office space, and the computers that hold a business's records and files can all be destroyed in a matter of seconds.

The risk of losing a company's most valuable asset – its business data – is real, and losing data can set the wheels of a business's downfall into motion.

Few small businesses have plans in place to protect against data loss, instead concentrating efforts on protecting physical assets such as buildings and equipment. This is reflected in research from Carbonite, which suggests that while small businesses do recognise the negative impact data loss will have on their business, more than half (57 per cent) still do not have disaster plans for business data.

Eighty-one per cent of small businesses consider data to be their organisation's most valuable asset, according to a Carbonite study, which surveyed small business owners in the US.

The permanent loss of data ranked as the number-one challenge in maintaining normal business operations in the event of a disaster. This was considered to be more devastating than the loss of company products, materials required for production and even the physical premises of the company. Simply put, loss of business data jeopardises a small business's viability as an ongoing enterprise.

Customer and financial records, marketing databases, email and personnel files represent just a few examples of business-critical data that businesses use every day to drive continued success. If this data is lost, it may be gone forever.

Even if the business is lucky enough to retrieve the data lost in a disaster, downtime is highly detrimental to the company's performance. A business may lose sales, or be unable to manage day-to-day accounting.

In the wake of a business disaster, immediate access to business data will reduce downtime and allow businesses to reestablish operations quickly and function again post-disaster, even if physical infrastructure is compromised.

So why are small businesses inadequately prepared for a data disaster despite their recognition of the need to do so? The Carbonite study revealed several reasons the majority of small businesses have neglected to develop a disaster plan, including: they simply haven't thought about it; the belief that a data disaster could not happen to them; the belief that their business can withstand disaster without financial loss; and the perception that disaster plans are too costly to implement.

Data backup technology will help a business survive a disaster. Small businesses simply need to find the right solution that meets both their backup requirements and their budget.

It is worth noting that the most expensive options are likely not the best fit for small businesses, as these are often repurposed enterprise-level solutions that offer more features than a SME will ever need, and at a sky-high price tag. The right backup solution should offer reliable, easy-to-use options, with affordable and predictable pricing.

Online backup offers precisely that – easy to use, affordable, real-time and continuous backup, with no management of physical devices required. With online backup, business data is backed up securely offsite, far removed from any disaster that might impact physical office space, making that important data accessible 24/7 via the click of a mouse and remotely.

Plan and take action to protect valuable business data to ensure the business survives and thrives, even in the event of a disaster.

Pete Lamson is senior vice-president and general manager of the small business group at Carbonite

 

Mobile security, but not as you know it

November 24, 2011

I recently spoke with Imation, which was announcing the roll-out of its range of ‘mobile security' following several acquisitions.

Except this is not mobile security as we know it; vice-president for EMEA and APAC Nicholas Banks told me that the launch of Imation Mobile Security relates to its range of data storage and security products.

This includes solutions acquired from IronKey, MXI and Encryptx in 2011, with the brands carrying certifications such as FIPS, CAPS (with additional DIPCOG approval), AIVD and NATO. It also offers its own range of secure hardware and software management products named ‘Defender'.

Speaking to SC Magazine, Banks said: “This is a strategic decision to become involved with security and provide organisations with a number of solutions for the modern workplace. What we are providing is a range of products that are easy to use, deploy and manage.”

According to the company, it provides ‘best of breed' solutions to protect ever-increasing amounts of data against loss, theft or security breaches.

Imation Mobile Security general manager Lawrence Reusing said: “Our commitment and investment in new product development is so that we can bring the best possible solutions to market, enabling both Imation and our partners to take advantage of the rapidly expanding high-security USB device market by providing world-class solutions for the mobile data and mobile workspaces.”

I asked Banks about the decision to name the division of the company ‘mobile security' when it does not offer that specifically; he said ‘mobile' means the mobile workforce.

“You can use the technology in the working environment for what you need it for, you can run a fingerprint over the USB with the technology that comes from MXI,” he said.

Imation's background is in data storage. It launched Defender in 2010, acquired encryption and removable software security solutions vendor Encryptx in March 2011, and acquired MXI Security in June, adding technologies and solutions for device security, including the Stealth Zone platform for secure computing environments.

The acquisition in October of IronKey's secure hardware business has put it in a strong position as 2012 bears down. Banks said that 2011 has been a successful year for the company, but challenges such as consumerisation and 'bring your own device' (BYOD) are leading more and more companies to realise the potential of being more mobile.

He said: “More companies are realising that they cannot have information lying around; they need a secure environment where information needs to be encrypted and made safe while it is in the business. We will look to grow our reseller and channel partners for 2012.”

The remote storage device space does not have a huge number of vendors, but the problems of data being stored on unsecured media have been well documented. Imation Mobile Security will find a market ready and waiting for such needs.

 

Six steps to achieving effective data access governance

November 23, 2011

Highly publicised data security breaches serve as important reminders that data access governance must be an ongoing corporate imperative.

Too often, however, the process of controlling access to vital information assets is inefficient, ineffective and lacks the agility to adapt easily to dynamic growth and change. According to a Gartner report on security and risk management, data access decisions should be based on an assessment of the risks and benefits of a given level of data sharing, as well as an assessment of the process, people and technology that can securely enable that sharing.

Quest Software uses a six-step process for guiding assessments and improving data access controls:

1. Discover users and resources: the first step involves an infrastructure inventory of important data (or access points to that data), which can and often does reside on multiple platforms, network-attached storage (NAS) devices, SharePoint sites, Active Directory group memberships, mobile computing devices, etc. In particular, it's important to identify the resources of unstructured or orphaned data.

2. Classify data and assign rights: data must be classified in terms of confidentiality, correlation to regulations (eg credit card numbers), overall relevance and archive requirements. Appropriate owners of business data should be reviewed and assessed to ensure they are in accordance with security policies.

3. Assign data owners and approvers: assign appropriate business owners based on roles, locations and other attributes. Separation of duties must be taken into consideration to ensure compliance and security.

4. Audit and report on access: schedule and perform continuous business-level attestation of access to ensure accuracy, compliance and security.

5. Automate access requests and problem remediation: automating access fulfilment workflows based on access rights and the requestor's role in the organisation is ideal for security purposes. Automated responses that remediate deviations can proactively prevent potential threats or breaches.

6. Prevent unauthorised changes: lock down certain data, groups or access rights that should never be altered. All changes should be logged in a secure repository that cannot be manipulated, so that forensic analysis can be relied on.
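The six steps above, worked through as an added example (not Quest Software's code): a constructed inventory of NAS and SharePoint resources, Active Directory-style groups and a user directory is classified, checked for orphaned data, separation-of-duties gaps and access that fails attestation, and changes are recorded in a hash-chained log that refuses edits to locked resources and detects tampering. All users, groups, paths and sample contents are constructed.

```python
import hashlib
import json
import re

# Constructed sample estate: user directory, group memberships and resource inventory (step 1).
DIRECTORY = {
    "alice": {"active": True, "roles": {"finance"}},
    "bob": {"active": True, "roles": {"finance", "approver"}},
    "carol": {"active": False, "roles": {"hr"}},      # left the company, account never disabled
    "dave": {"active": True, "roles": {"engineering"}},
}
GROUPS = {"FinanceRW": {"alice", "bob", "carol"}, "EngRW": {"dave"}}
RESOURCES = [
    {"path": r"\\nas01\finance\cards.xlsx", "platform": "NAS", "groups": ["FinanceRW"],
     "owner": "bob", "approver": "bob", "required_roles": {"finance"},
     "sample": "card 4111111111111111 charged 2011-11-02"},
    {"path": "https://sp.example/sites/hr/reviews", "platform": "SharePoint", "groups": ["FinanceRW"],
     "owner": "carol", "approver": "alice", "required_roles": {"hr"},
     "sample": "annual salary review: satisfactory"},
    {"path": r"\\nas01\eng\builds", "platform": "NAS", "groups": ["EngRW"],
     "owner": None, "approver": None, "required_roles": {"engineering"},
     "sample": "build 1234 ok"},
]

CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){4}\b")   # 16-digit card-number shape


def classify(resource):
    """Step 2: label data by content so its regulatory scope (eg PCI) is explicit."""
    text = resource["sample"]
    if CARD_RE.search(text):
        return "PCI"
    if re.search(r"salary|review|personnel", text, re.I):
        return "confidential-HR"
    return "internal"


def effective_users(resource):
    """Expand the resource's ACL groups to the set of users who can actually reach it."""
    users = set()
    for group in resource["groups"]:
        users |= GROUPS.get(group, set())
    return users


def review(resources=RESOURCES, directory=DIRECTORY):
    """Steps 1-4: orphaned data, separation-of-duties gaps and access that fails attestation."""
    findings = []
    for r in resources:
        label = classify(r)
        owner = r["owner"]
        if owner is None or not directory.get(owner, {}).get("active"):
            findings.append((r["path"], "orphaned", f"owner={owner}"))
        if owner is not None and owner == r["approver"]:
            findings.append((r["path"], "sod", f"{owner} is both owner and approver"))
        for user in sorted(effective_users(r)):
            entry = directory.get(user)
            if entry is None or not entry["active"]:
                findings.append((r["path"], "stale-access", user))
            elif not (entry["roles"] & r["required_roles"]):
                needed = sorted(r["required_roles"])
                findings.append((r["path"], "excess-access", f"{user} lacks {needed} ({label})"))
    return findings


class ChangeLog:
    """Step 6: append-only, hash-chained record of access changes; any edit breaks the chain."""

    def __init__(self, locked=()):
        self.locked = set(locked)   # resources whose rights must never change
        self.entries = []

    def record(self, actor, resource, change):
        if resource in self.locked:
            raise PermissionError(f"{resource} is locked; change by {actor} refused")
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"actor": actor, "resource": resource, "change": change, "prev": prev}
        body["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


if __name__ == "__main__":
    for path, kind, detail in review():
        print(f"{kind:13} {path}  {detail}")
    log = ChangeLog(locked={RESOURCES[0]["path"]})
    log.record("alice", RESOURCES[1]["path"], "remove carol from FinanceRW")
    print("log intact:", log.verify())
    log.entries[0]["change"] = "grant carol FinanceRW"   # simulate an after-the-fact edit
    print("log intact after tampering:", log.verify())
```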

Automated, multi-platform data access governance can remove the barriers to satisfying compliance requirements, while preventing unauthorised access to sensitive data residing on physical and virtual file servers, NAS devices, SharePoint sites, Windows file servers and more.

Improved access control is a key driver in reducing security threats, as well as preventing them in the first place. Finally, comprehensive, 360-degree visibility of company-wide user access gives IT, business managers and data owners the insight needed to enforce policies and comply with regulations without creating an adverse impact on operations.

Nick Nikols is vice-president and general manager of identity, security and Windows management at Quest Software

 

In the year of the DDoS, how best to fight the fire?

November 21, 2011

In research last week, Prolexic revealed that distributed denial-of-service (DDoS) attacks were increasingly being targeted at the technology designed to mitigate them.

The company claimed that DDoS mitigation equipment was being targeted as most technologies "do not have the capacity to process the high packet per second attacks that are being used".

Ahead of this research, I had been thinking that with the DDoS attack being so prevalent, was it really possible to divert the excessive traffic and page requests? It is almost a year since the Anonymous group began its campaign of DDoS attacks in support of WikiLeaks founder Julian Assange, and since then it has become the attack du jour.

Prolexic's report was, not surprisingly, followed by a service announcement: the roll-out of its security engineering and response team (PLXSERT), which provides pre- and post-attack data to clients as a subscription service. It said that with intelligence gleaned from monitoring threats, it is possible to identify botnet characteristics without any DDoS traffic having been received.

Prolexic is far from the only company offering DDoS mitigation technology. Products and services have been launched by Tata Communications and Imperva, while Adversor has unveiled its True Dynamic Mitigation service.

Adversor said its technology uses continuous monitoring of network traffic, early threat detection and a combination of filtering and mitigation techniques. It said it is able to block DDoS attacks close to the source and implements more than 30 techniques to protect against the largest and most sophisticated attacks.

Speaking to SC Magazine, Rob Rachwald, director of security strategy at Imperva, said mitigation is the best alternative to going onsite and physically stopping hackers.

Asked if there was any way of mitigating and/or 'cleaning' traffic, apart from in the cloud, he said: “Many companies provide technology (network firewalls) that stop DDoS as well. However, this puts the onus on enterprises to manage this themselves. As more and more companies, especially smaller ones, become targets, a cloud option becomes very appealing due to lower cost while retaining effectiveness.”

Following Symantec's acquisition of the identity and authentication business of VeriSign, the latter has remodelled itself as an enterprise-level DNS and DDoS mitigation service provider. Sean Leach, vice-president of network intelligence at VeriSign, claimed that "enterprises need something and what we are offering is similar to other carriers.

“The DDoS is the number-one threat. Our research found that 66 per cent had experienced an attack, while 13 per cent had more than six attacks. Now they are attacking at the application layer and it is hard to tell the real traffic apart. A 100GB connection cannot provision for it, you can have a massive headache or you can buy the capability.

“It is very difficult to mitigate, but we now offer a service to smaller enterprises. This will 'scrub' the traffic in the cloud and send the genuine traffic back to you.”

Darren Anstee, solutions architect at Arbor Networks, said that while the 'classic' DDoS issues a 'get' for a website, with an attack on the application layer it is hard to tell what a real query looks like.

He said: “Most DDoS attacks are against the application layer, but if the attack is larger than the pipe then there is nothing you can do and, if you are saturated with traffic, then your customers cannot get through. If you get overwhelmed, our Enterprise Edge solution uses cloud signalling to call for help from a 'parent'. A service provider will sell this to a data centre and enterprises.

“There are a lot of operators offering DDoS mitigation; an MSSP will offer DDoS protection and risk services, they will monitor it and divert traffic to cloud cleaning. This is a big growth area as people want protection from a DDoS.”

Leach claimed that the DDoS tool is very sophisticated compared with the brute-force style of earlier attacks, with them now designed to look like real traffic. “They are now attacking the DNS and they are not using all 'members' of the botnet, but just enough to get the job done,” he said.

While the first year since Anonymous took action against the likes of PayPal, Amazon and MasterCard is unlikely to be 'marked', the first action did take online attacks to a whole new avenue. From that point, anyone could be an attacker, and while there have been arrests to warn other wannabe attackers off, the threat to businesses remains.

That said, the solutions that have been launched could solve these problems and mitigate the threats, and attackers may be forced to find another way to bring their targets down.

 

What makes a trader go rogue?

November 21, 2011

Recent news reports on City trader Kweku Adoboli, who cost UBS billions of pounds through unauthorised activity, have questioned whether the qualities he was hired for were in fact early warning signs of the rogue trader he would later turn out to be.

Adoboli's competitive nature, level head and financial self-interest have made the headlines, whereas lax identity and access management procedures, and irresponsible risk management systems, which allowed him to temporarily succeed in his undertakings, have come away fairly unscathed.

Without wanting to trivialise the situation, any sports fan will be acutely aware of the dramatic and controversial effects a red card can pose when translated into a business context. Auditing firms are the closest we get to referees in the commercial world, and they hold the red and yellow cards in business.

Organisations that do not heed the warnings of an auditor's yellow card risk slipping very quickly and publicly towards the red. The Adoboli scandal is a timely reminder of the risks employees can impose when technology is not doing its job, particularly as a red card in identity and access management can be extremely damaging to an organisation's reputation and market valuation.

Organisations need to be savvy about the risks posed by IT administrators and the privileged access rights they own. In Adoboli's case, he was reportedly clever enough to log into systems using passwords belonging to others – breaking basic access management etiquette – and getting information he was not privy to.

However, our own research has shown that one in ten employees admits that they still have access to systems from previous jobs, which is a huge threat to any business.

The silent assassin can log into a system using an anonymous privileged account and then cover their tracks by deleting log files associated with the activity. It is therefore not surprising that more than 51 per cent of IT professionals are concerned about insider threats to network security in their company's current infrastructure.

Without good control over privileged user accounts, organisations are at risk of exposing themselves to the loss of intellectual property, fraudulent or insider trading, and loss of personally identifiable information on their employees and customers.

Internal risk controls, or ‘yellow cards', are not something that can be ignored either, particularly in highly regulated industries. Real-time transaction monitoring and surveillance are essential in preventing fraudulent activity, particularly in the financial sector, where handling large sums of money can evidently lead some employees to question their ethics.

Responding to detections of unexplained or unauthorised activity is also a must in order to prevent additional occurrences, contain a situation, and for action to be taken. This is something auditors are increasingly monitoring, particularly in relation to compliance regulations including COBIT, PCI-DSS and SOX.

Without a thorough governance plan, organisations risk losing information and revenue, while increasing expense and damage to corporate reputation. By implementing an access governance plan, you can effectively balance the demands of regulatory compliance and management of access-related risk, while still meeting the demands of the business.

Kevin Norlin is general manager and vice-president (EMEA) at Quest Software

 

Lookout for mobile security

November 10, 2011

This week I met with a new mobile security start-up, which was making the first efforts to break into the European market.

Established four years ago in San Francisco, Lookout offers a consumer mobile security product with application and link scanning, device discovery and back-up functions.

CTO Kevin Mahaffey said internet security is too often sold on fear, uncertainty and doubt, and this leaves customers frustrated as they often choose a product based on necessity, rather than because they like it.

He said: “People care about their phones, so we launched security software that aims to solve all security problems on a phone. You should have this on there because it makes you happy, not because you are scared.

“Our mission is that we want to solve problems rather than putting anti-virus everywhere. We have to solve real problems that benefit people, and security companies don't always do that.”

The solution, also called Lookout, runs a scan when it is downloaded to look for malware and spyware on the device in three to five minutes. Among its features are a privacy advisor so users are aware of what applications are accessing data; Mahaffey said this feature will tell the user which applications require location data.

Also included is a layer of security to the browser so any URL is scanned, while the back-up solution allows contacts, photos and call history to be stored on a server.

Mahaffey said that one of the most popular functions among users was the ‘missing device' option that will show where a lost device is on a map, and can play a siren upon instruction.

“Our goal is to give people peace of mind with their phone and not make them worry. We do not believe in being annoying, we want to help people use their phone,” he said.

Lookout is powered by the company's mobile threat network, which analyses threat data worldwide, identifying and blocking new threats and automatically delivering the appropriate protection.

Mahaffey said that while Lookout was founded to provide a consumer solution, it has been deployed by 50 per cent of the Fortune 500 in 170 countries. The launch this week added the capability to buy the premium edition in sterling, and Canadian and Australian dollars.

On the threat to mobile operating systems, he said: “I hate to say a year, month or date for when it will happen, but malware has been successful with the desktop and its economic drivers are the cost of infection and how it makes money. There are two levels for infiltration: one is botnets; the other is carrier-specific malware. I believe it will change, but it is all about economics at this point.”

You may deem that a consumer application on a personal device is not in the interest or for the benefit of the organisation, but if it is a security application, that makes things different. After all, is there such a thing as negative security?

 

Is it hard being a CISO at a security company?

November 09, 2011

In the day-to-day job as a security manager, one of the biggest challenges is managing people and making sure they don't do things they shouldn't.

However, what if you were the CISO at a major security company? Surely all your staff would be well-versed in secure practice, with the talent at hand? Also, surely you would never have a product dilemma if you shared a building with the creator?

I met with the CISO of Symantec, David Thomson, to find out what sort of challenges someone in his position faces.

Do you find people are so familiar with what you are doing that there is not a huge problem?

"We train our employees on security, use of our products, and the behaviour to keep themselves secure personally. That is a key attribute that we focus on in our company because our reputation is really key to our future and key to customer confidence, but we are one of the largest attacked companies in the world, so much of our time is spent on looking for the weakest link, and typically that is the well-meaning insider.

"Individuals are trained on what a targeted attack looks like, and we constantly update our emails to employees. If we see a wave or trend internally on our attack analysis, we alert employees; they are exposed to it, we always have our radar up."

Did the RSA incident open your eyes to what could happen to you as a security company?

"Our board of directors did ask me to take a look at our risk profile, which we do on an annual basis, but they asked us to do a fresh look at our operations, our certificate issuing authority and how we operate, and one thing that we did identify was a separation of duties.

"We made sure that infrastructure has the best of our technology, but we are also reviewing our procedures so that we have extreme due diligence to those that access those infrastructures. One thing that you have to be cautious of is that we have third parties that assist Symantec, and we require the same level of diligence with those providers as we do with our own employees, so that is the extra work that is required at Symantec.

"It is a cultural assimilation that has to occur, you have to indoctrinate the employees that come on board through an acquisition; our customers look to us with confidence, and that is a thing we focus on."

When talking about security issues, do people usually understand what you are telling them?

"There are different subsets of users in the company that are more technically-savvy and security-aware, so we have to take extra steps in restricting access for certain roles that maybe are not as skilled as others. We also hold ‘brown bag sessions' between security professionals and our staff, designed so that the administrator can focus on staff who are not as technical or security oriented, and they can come and learn specifics.

"They have been very valuable and we hear from employees who say that had they not attended, they would have probably done something that maybe would have been inappropriate. Our tools help too to catch something before an employee makes a mistake.

"From an IT perspective, we deploy our technologies internally in the alpha and beta stage. The advantage we have in our tools is that we are trained on them and we have full production reference for our clients internally – that is a key role we play from a support perspective. Our customers like it too as they can ask ‘how did you deploy it?'. It is a critical part of our strategy and I like to be part of it."

Tech-savvy employees probably want to add patches and upgrade operating systems immediately. How far in advance do you prepare for this?

"Well we are like any other corporation whose user population is asking for more mobile devices and current technology. What we find is that Apple is no different from Microsoft in that they release a product to the marketplace and in a period of time, typically a week or two, IT needs to evaluate the product and develop the deployment methodology, and in many cases you do not get an early warning with the technology providers.

"If they download iOS5 and we have not approved it, then they could potentially be locked out of our infrastructure. So we have educated our employees so that they are not authorised to use these devices, they need to wait for an all-clear message from IT, and we work quickly to deploy it shortly after it is released. That gives us a chance to update all of our firewalls, all of our signatures, make sure all of our products and technologies work with that operating system, implement it and then employees can download it.

"As Apple gets into more corporations, that will have to change. We would need a week's notice before release, or put large corporations interested in beta in the enterprise, as it allows the big clients to be primed. But you also don't want to slow down innovation; a challenge in any tech firm is that you want to work with your companies as closely as possible and have them involved in the technology, but you also want to be quick to market and meet market demand."

Has the consumerisation of IT been a real problem for you this year?

"We were ahead of this from a company perspective in that we saw early demand from our customers, so as we reflected internally, one of the things we have done is give employees a pretty lengthy list of devices and carriers that they can select from, so there is significant choice.

"However, we do not allow personal devices on our infrastructure, it is against our policy and that allows us to remain focused on our company assets. Long term, I would love to have any device, any time, anywhere, and we are getting closer with our technology to enable that, but fundamentally we have a position that devices should be company-owned."

Day to day, what sort of team are you working with?

"We have a team of 393 IT and security professionals in my group – that does not include the enterprise support functions. We have two major suppliers that provide services to Symantec externally, and those teams are really focused on governance of our suppliers and business requirements, information security and operations. The majority of our team is in Mountain View, California.

"We have a programme called ‘the way we work', where employees who have been authorised to work from home have the technology so that they can connect through a VPN. We have data-loss prevention (DLP) on those connections, so it allows us to protect our intellectual property, protect our customer data, alert the employee that may be outside the bounds of their role and block access to classified information inside the company."

How does it work with you having software engineers in the same building?

"We do meet with our engineering staff and we build an annual deployment roadmap for our products, and if we have a new release coming of the desktop encryption, we will work with engineering to get it as soon as it is in alpha stage to deploy it. We deploy it in IT first, then we deploy it to the remainder of the organisation.

"We put the customer hat on internally, you want to be as much of a customer as possible – just because the engineer is down the hall, doesn't mean we tap into that.

"The feedback we give is genuine from an IT information security perspective, versus an insider view, because I want our team to be a key advocate for our customers. My team is responsible for deployments also, so they can be prepared for any step that a customer might miss; we are prepared for that ahead of time."

Finally, 2011 has been such a busy year for information security news, do you think the job has become more difficult?

"Well, I tell you that more boards of directors have become aware of security and the risk associated with the loss of intellectual property, customer data, the risk to brand and shareholder value, so the conversation has shifted to a much higher level of discussion – so there is more risk management inside a company. It has made the job in many ways more difficult, but it has made the job a bit easier too as the conversation has been about 'if you highlight a risk, you get more attention to that risk'.

"We are just like any large corporation: we have people that operate our infrastructure, we have technology that we leverage and, in the end, frequent training, frequent update to our procedures – constantly reviewing our risks is the key to success."

 

Is Compliance-as-a-Service possible?

November 03, 2011

‘We have ways of making you compliant' – not a secret service threat, but a promise from many providers and third parties.

At the outset it is worth remembering that whoever is used to ensure the company meets its compliance mandate – internal, service provider, or cloud provider – the ultimate responsibility stays with the company. Using a third party does not change the equation of liability and impact to your reputation, so can compliance be outsourced?

Yes. Compliance-as-a-Service is possible, but only if you have the correct mix of logging, patching, scanning (both patch and vulnerability), and device-configuration and build-validation checking. For many mandates, such as PCI-DSS and GPG-13, this means having to focus on all the disciplines above.

How many companies can say they have all these covered and would pass a thorough audit? Our guess is well below 50 per cent.

Compliance should be similar to a trip to the dentist, something that is far less painful if done on a regular and scheduled basis. It's the same old story: any system left alone drifts towards disorder, but one that is checked and maintained on a regular basis will perform better and cost less to maintain.

That's why we say Compliance-as-a-Service delivers positive benefits to any company. Lower costs mean more to spend on other IT projects, and if the activities are performed regularly there is less pain and more internal resource available.

Compliance-as-a-Service contains all the consultative and externally serviced elements that allow the customer to achieve and maintain compliance. While responsibility undoubtedly still resides with the company, many do need help with the identification of their compliance mandate and the subsequent monitoring and alerting on compliance violations.

A good externally sourced service should begin with a consultative phase that analyses the customer estate and identifies the events that need to be monitored, ticketed, alerted on and, of course, responded to. Logging is the foundation, but a service should also deliver patch and vulnerability scanning, build validation and configuration checking, all of which are key to maintaining compliance.

Maintaining compliance should be seen as security best practice; the two go hand-in-hand. This is highlighted when evaluating intelligent logging of key events in the infrastructure, events that the consultants or internal IT have deemed necessary to maintain compliance.

A compliance event is often a security event, so what happens next is crucial. Compliance-as-a-Service should include customer escalation based on the nature of the event, anything from log- and ticket-only for the auditors, to 'call me within 15 minutes 24/7' if the event is serious and requires immediate attention.

Additionally, compliance mandates such as PCI-DSS require logs to be reviewed at least daily, so an externally sourced service should undertake a daily inspection of the logs. That inspection should include a check that full card numbers have not leaked into the logs, since PCI-DSS requires the PAN to be rendered unreadable wherever it is stored, and an application that writes cardholder data to a log file is a finding in itself.
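As an added illustration of the 'check for card data in the logs' step (example code written for this page, not CNS's tooling), the following Python scans log lines for digit runs of card-number length, keeps only those that pass the Luhn check, and reports each hit with the PAN already masked so the finding can be ticketed without copying the number anywhere else. The log lines are constructed, the card numbers in them are the well-known Visa and MasterCard test numbers, and the function names are assumptions of this example:

```python
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check. Every real card number passes it, which removes most
    random digit runs of the same length (timestamps, session ids) from the list."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(line):
    """Return the separator-free digit strings in a line that look like card numbers."""
    found = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(digits):
    """Masking in the PCI-DSS style: at most the first six and last four digits survive."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_log(lines):
    """Daily inspection step: (line number, masked PAN) for every hit, so the ticket
    raised for the auditors never itself contains a full card number."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((lineno, mask_pan(pan)))
    return findings


# Constructed log lines. Line 1 carries a 16-digit session id that fails Luhn;
# lines 2 and 4 carry the standard Visa and MasterCard test numbers.
SAMPLE_LOG = [
    "2011-11-03 09:12:01 INFO session=1234567890123456 user=alice action=login",
    "2011-11-03 09:12:07 DEBUG card=4111111111111111 exp=12/13 amount=19.99",
    "2011-11-03 09:12:09 INFO order=10029 status=ok",
    "2011-11-03 09:13:44 ERROR gateway timeout for 5555 5555 5555 4444",
]

if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: possible PAN {masked}")
```

The Luhn filter is what keeps the daily report readable: without it, every 16-digit session id and order reference would be reported as a card number. It does not catch a PAN written with an unusual separator or split across two fields, so treat a clean run as evidence, not proof.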

While it is true that companies are responsible for their own compliance adherence, many never inspect their log files, and struggle to determine what to monitor and alert on and how to respond when an alert occurs. An external service can provide significant value in this area.

So, look your service supplier in the eye and ask to see their operation, inspect their processes, ask about their incident management and response process and, if satisfied, sit comfortably and feel the pain ease away as the compliance worries dissipate. 

Martin Dipper is head of managed services at CNS

 

Lush reasons to legislate online payment transactions

November 02, 2011 View comments

Not a month seems to go by without a report of a new high-profile data theft. The hacking of The Sun's customer database was followed by a breach in the Sony PlayStation Network, and cosmetics retailer Lush has also slipped on the proverbial bar of soap.

Each and every time a credit card transaction is made, the consumer voluntarily hands over his or her details to a multitude of companies involved in processing, authorising and recording the transaction. The Payment Card Industry Data Security Standard (PCI-DSS) exists to ensure that online retailers and others involved in payment processing meet the specified criteria relating to the handling of this data. It is enforced contractually by the card brands, through the acquiring banks and processors that carry a merchant's transactions, and is not a legal mandate.

So as long as it is not a legal requirement, some card data processing organisations will try to find low-cost ways of achieving certification, and smaller retailers may not bother at all and simply hope to remain below the radar. Companies need to view security as an investment rather than a cost, and stronger enforcement of the standard will be needed to make this happen.

Take the case of Lush. In August, it was found to be in breach of the Data Protection Act (DPA) by the Information Commissioner's Office (ICO). The Government data and privacy watchdog investigated hackers' access to customer data, including the payment details of 5,000 customers who had made online purchases from the company.

A spokesperson for the ICO explained: “Lush took some steps to protect their customers' data but failed to do regular security checks and did not fully meet industry standards relating to card-payment security. The retailer's methods of recording suspicious activity on its website were also insufficient, which delayed the time it took to identify the security breach.”

Lush escaped with only having to sign an undertaking to ensure that future customer card data will be processed in accordance with PCI-DSS. There was no fine, but it will have been a very embarrassing episode for Lush's managing director.

The ICO has the power to fine companies up to £500,000 for poor data-protection practice, but last year it emerged that it had issued fines for less than one per cent of the breaches it had investigated. However, the ICO recently announced that companies will face harsher fines if they fail to protect personal data.

PCI-DSS exists to ensure retailers meet specified criteria related to handling this data, but so long as it is enforced through the card brands' contracts rather than through legislation, some organisations will undoubtedly ignore it altogether or try to find a low-cost way of achieving certification with the minimum of effort.

Protecting a user's card details means building credit and debit card processing systems with security in mind from the ground up. It is not about treating standards such as PCI-DSS as a mere box-ticking exercise applied retrospectively to an existing system for the minimum possible cost.

There were more than 31 million people shopping online last year, and the number of credit card transactions will continue to rise. Retailers need to recognise the value to their brands of the information that they hold and the importance of protecting it.

Do we need to wait for the inevitable Enron-style breach before being forced into a knee-jerk and heavy-handed Sarbanes–Oxley-type legislation?

We think not. Security is an investment and not a cost, and we need to start investing now. While we recognise the value of what the payment card industry has set up and the role that the ICO plays in policing the field, what we really need is for these security requirements to be enshrined in law.

We need to make them part of the legal fabric of doing business in the UK. By enshrining them in law we will reduce slip-ups in the future and, if they do happen, ensure that offenders are properly chastised for their lack of care.

Reducing credit card security breaches, particularly relating to online retail, will result in increased consumer confidence and higher spending, benefiting all retailers – but only if they make the investment in security now.

Ray Welsh is head of marketing at The Bunker

 

What hackers want

October 18, 2011 View comments

This week saw the release of Imperva's latest 'hacker forum analysis' report which drew statistics from its monitoring of discussions from the dark corner of the internet.

Collecting information from a number of forums, Imperva claimed that one has almost 220,000 registered members, although many user accounts are dormant. Imperva monitors hacker forums "to understand many of the technical aspects of hacking" as they are used by hackers for training, communications, collaboration, recruitment, commerce and even social interaction.

It said: “Forums contain tutorials to help curious neophytes mature their skills. Chat rooms are filled with technical subjects ranging from advice on attack planning and solicitations for help with specific campaigns. Commercially, forums are a marketplace for selling of stolen data and attack software. Most surprisingly, forums build a sense of community where members can engage in discussions on religion, philosophy and relationships.”

I ran through the report's key findings with Rob Rachwald, Imperva's director of security strategy. Among the most discussed topics were distributed denial-of-service (DDoS) attacks (22 per cent of discussions); SQL injection (19 per cent); and spam (16 per cent). Rachwald said: “Look at the types of attacks: DDoS followed by SQL and XSS; these last two are about data theft to steal something from a database – all of these topics show a similar mindset.”

He added that generally, DDoS is not a sophisticated method of attack, as it is a case of whether you "punch in the face or in the gut".

“The discussions are on how to do a DDoS, how a strategic attack works and how to increase the Gbps. The discussions show how to innovate and make an attack stronger,” he said.

Another key finding revealed the amount of discussion on mobile platforms; in 2010, more than half of the 2,000 discussions were on the Apple iPhone, with only around 300 discussions on the BlackBerry, Android and Nokia platforms.

Rachwald said these mainly focus on the future growth of hacking in mobile devices, with the iPhone central to this discussion. He said: “On the positive side, look at it from the perspective of the IT security guy who knows what to secure. This gives some number that shows what is going on within the underworld.”

Another key finding was on the level of training in hacking. Statistics showed that 25 per cent of all discussions were on "beginner hacking". Rachwald said: “A person can go to a site and learn skills by watching a video and, over time, they will boast about what they can do and build a reputation based on that. Some will then recruit you and from that we see how these forums give birth to groups like Anonymous or LulzSec.”

Imperva also found that 22 per cent of discussions were on hacking tools and programs, 21 per cent on website and forum hacking, and eight per cent on botnets and zombies.

Concluding, Rachwald told me that by definition, hackers are early adopters and there is value in the way that they use forums and their standing in them.

As with any job, you need training to be able to perform a trade, and with black-hat hacking, it is not a case of heading to your local Job Centre and selecting 'cyber criminal' as a career option. These forums exist, are real and are alive with discussion. Statistics such as these can only help those on the other side to remain a step ahead.

 

Inside and out - understanding the data threats that can affect businesses

October 17, 2011 View comments

As more high-profile data-theft stories continue to dominate the news, organisations are increasingly under pressure to have a clear understanding of their data and how it can be accessed.

Despite efforts to stem the flow of breaches, the emphasis needs to be on prevention rather than cure.

Last month, Yale University acknowledged that a recent change by Google to include searches on FTP servers had led to the potential exposure of sensitive personal information affecting more than 43,000 students.

FTP servers are often used to share corporate information on the assumption that they are less visible than a website, yet an anonymously readable FTP directory is as public as any web page once a search engine decides to crawl it. A change like Google's is outside the organisation's control, so many may find themselves having to manage similar exposures.

With this in mind, businesses need to have stringent controls for data that is managed both internally and elsewhere. As both insider and external threats continue to rise, below are a few best-practice points to counteract potential breaches.

Separate externalised data

It is crucial to ensure that all data published or presented externally (including FTP repositories) meets your organisation's requirements for privacy, security and authenticity. With a number of file transfer methods available, it is important that employees are aware of policies that categorise which data can be externalised.

Understand the implications of social media

Data and information can now be exposed through a multitude of social media channels. Organisational policies and checks must be extended to keep up with the various data sources, to highlight and plug any potential gaps or vulnerabilities. Social media represents one of the greatest risk scenarios if not managed with care. Organisations are liable for the data that is captured from social media streams, so it is vital to implement policies and restrictions that control what is exposed.

Ensure appropriate security is applied to internal data repositories and stores, particularly those containing personal information

Historically, many organisations have responded slowly to data storage requirements or failed to remove duplication of records. Users may have selected tactical storage solutions such as removable media drives, cards and online storage services such as Mesh and Dropbox. Although these can provide effective storage, the data moves outside of your control and must be secured. Understanding, policing and managing encryption on removable and online data repositories enables businesses to blend flexibility with the security needed to safeguard integrity.

Audit your controls

Changes made by others (including third parties) may impact on your strategy. Ensure you do not rely on the security policies of others to enforce your data controls. Know your data, publish data security guidelines to your staff and ensure these guidelines are enforced, particularly for new starters or when staff members leave your company. For the latter, ensure you recover the data and restrict access to the appropriate users.

Understand mobile working

Businesses are becoming more mobile with their data and it is up to each organisation to ensure they are aware of the risks associated with a change in their working practices. Laptops, memory sticks and external hard drives need to be encrypted, and access to wireless networks should be restricted to authorised users. Clear guidelines on the creation and use of passwords help to secure devices that are accessed remotely, and the remote access path itself, for example the VPN, should require two-factor authentication.

Failure to manage sensitive information both inside and outside the office can have severe consequences for an organisation's reputation and profitability. Today, information can be exposed in a variety of ways and it is important that organisations meet the challenge of securing their data.

Matt Lovell is chief technology officer at Lumison

 

HB Gary: Setting the record straight

October 11, 2011 View comments

A year in the headlines has left HB Gary in the same position as the likes of Sony, RSA and Lockheed Martin.

CEO and co-founder Greg Hoglund recently admitted that after a slow first quarter, 2011 was shaping up to be "a great year for HB Gary".

Earlier this year, HB Gary Federal (a separate entity) was hacked following a call by its CEO, Aaron Barr, to release information on the Anonymous group. A password was obtained that gave access to multiple data sources, which Anonymous then held to ransom.

Hoglund told me that Anonymous was not a group but a brand that anyone could use. “My experience was around hackers who later became LulzSec and at that time they were Anonymous, they have now all been arrested,” he said.

“I was very impressed with the UK law enforcement as there has been lots of high-profile arrests. There has been a string of cyber disasters but this did not end up hurting us. Anonymous wanted it to hurt us, to get some satisfaction.”

He was keen to point out to me that HB Gary itself was not hacked. HB Gary Federal had a web server with an SQL injection vulnerability; through it the attackers obtained a password, which they then used to log in to the company's Google-hosted email account.

“HB Gary Federal had three employees and they used our Google Apps account as it is expensive to set up, and Barr was the administrator; so when they got the password they got into the account. It is simply unacceptable and they deserve to be caught and go to prison,” he said.
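The class of flaw at the start of that chain, shown in code added for this page (a constructed Python/sqlite3 example; it is not HB Gary's code and says nothing about how their site was actually built): the vulnerable login assembles its SQL by string formatting, so a crafted username either comments out the password check or pulls every stored credential out through a UNION, while the parameterised version hands the same input to the database as data. The table, rows and payloads are invented for the demo, and passwords are stored in clear only to keep it short:

```python
import sqlite3


def setup_db():
    """In-memory users table with constructed rows. Clear-text passwords are a
    shortcut for the demo only; a real system stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret!"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL text by string formatting: whatever the user types becomes SQL."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return [row[0] for row in conn.execute(query)]


def login_parameterised(conn, username, password):
    """Same lookup with bound parameters: the input is a value, never part of the query."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


# Constructed payloads. The first closes the string literal and comments out the
# password check ("--" starts a comment in SQLite); the second turns the query into
# a UNION that returns the password column in place of the username column.
BYPASS_USER = "admin' --"
DUMP_USER = "' UNION SELECT password FROM users --"


if __name__ == "__main__":
    conn = setup_db()
    print(login_vulnerable(conn, BYPASS_USER, "wrong"))        # ['admin']
    print(sorted(login_vulnerable(conn, DUMP_USER, "wrong")))  # every stored password
    print(login_parameterised(conn, BYPASS_USER, "wrong"))     # []
    print(login_parameterised(conn, "bob", "hunter2"))         # ['bob']
```

The second payload is the one that matters for the story above: an injection in a public web application becomes a credential leak, and a leaked credential is only as contained as the places it has been reused.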

As this was my first meeting with HB Gary, I asked Hoglund what the company actually does. He said firstly that it is not a defence contractor, as has been falsely claimed, but a software producer with no government contracts. He said the company manufactures enterprise endpoint software that can detect malicious software and botnet infections on the physical memory of a computer.

Hoglund said the advanced persistent threat has always been a focus for the company, but it was nothing to do with what occurred in February.

He said: “We are finding that it is often Chinese state-sponsored attacks and threats; customers are working with us to figure out if they have a problem. It is an epidemic but it is not a problem forever. Any large enterprise has a compromise, we come across it but often enterprises need to see a smoking gun.

“In the US, the government has completely got it and they are trying to start to work with industry; they are making some efforts, but you cannot depend on government as they are not going to solve the problem – you need to detect in your environment. You need to contain or detect where they have been.

“You will never keep people out of your network and there is no silver bullet as security is not a technology problem, but an intelligence problem. If you can detect an intrusion and make a list of attack methods, then the attacker has to think of something new each time.

“Attackers are leaving their fingerprints all over the computer and it is not hard to detect an attack as malware often looks like it has been written by a kid, but it is looking for weapons programs and defence technology. It does not have to be sophisticated, as security products and staff focus on the perimeter.”

Hoglund concluded by claiming that the APT will continue and "we are in a cyber cold war now".

Hoglund and HB Gary will head into 2012 as major names in security, and I dare say that this is not the last we will hear of them.

 

To survive the attacks of the future, design for failure

October 10, 2011 View comments

Month after month, the frequency, size and complexity of attacks against businesses online are increasing.

Rather than becoming more civilised, the internet is becoming less so; even as businesses are moving greater parts of their revenue stream to online channels.

Attacks near the end of 2010 were reaching 10,000 times the normal traffic seen by e-commerce sites, with thousand-fold increases in other sectors – and these attacks were targeting more businesses than ever before. If this trend continues, how can businesses protect themselves?

In the last quarter of 2010, we saw more attacks against our retail and financial services customers than we'd seen against our entire customer base in the previous three quarters. That growth has increased into 2011, with attacks to deny service – or compromise the servers behind the service – increasing each month.

This ‘de-civilisation' is being driven by the increased anonymity present as more systems, which are often insecure, are online and permit adversaries to hide in the ever-spreading shadows on the internet.

Yet adversaries are attacking for many different reasons. The profit-motivated attackers are either after extortion (using Distributed Denial-of-Service attacks) or black market profits (using theft of marketable valuables, like credit cards).

Politically motivated attackers might target national entities (like the 2009 attacks on South Korean and US government and financial services sites), or companies that have engaged in activities they disagree with (as in the Anonymous Operation Payback attacks in 2010). They might want to simply satisfy an agenda (as in the case with many anti-globalisation and environmental organisations).

Whatever their motivation, adversaries can easily and cheaply amass significant assets to conduct their attacks. Botnets have become a commodity. The rise of broadband around the world gives attackers new pools of machines to compromise, with increasing amounts of bandwidth at their disposal.

Even as online assets become more critical, the environment in which they exist is becoming more dangerous and our systems are often not robust enough to scale well and survive in a hostile environment.

The underlying problem is not a lack of robustness as such; it is that when we build systems, all too often we assume reliability rather than failure. On that foundation, adding reliability later requires complex and fragile overlays to provide a semblance of robustness (consider the complexity involved in synchronous multiple-geography database replication, the bugaboo of many disaster resilience projects).

If instead we begin with the assumption that everything will fail, we can build robustness into our designs from the beginning. Consider the Domain Name System (DNS) as an example: it runs over UDP, a transport that offers no delivery guarantee, and at each layer above that it adds robustness (retries and timeouts in the resolver, several authoritative servers per zone, caching with TTLs) until DNS failures are the exception rather than the rule.
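An added example of the design-for-failure pattern that DNS embodies (constructed code written for this page, not Akamai's): a toy stub resolver that assumes any single query can be lost, so it gives each server a bounded number of retries, fails over across the server list, promotes whichever server answered, caches answers for their TTL, and serves an expired answer as 'stale' rather than failing the caller when every server is down. The transport, server names, injectable clock and the TEST-NET address 192.0.2.10 are assumptions of the example:

```python
import time


class ResolveError(Exception):
    """Raised only when every server failed and nothing, not even a stale answer, is cached."""


class FailoverResolver:
    """Stub resolver built on the assumption that any one query will fail.

    send(server, name) is the transport: it returns (rdata, ttl_seconds) or raises
    TimeoutError, which stands in for a lost UDP datagram.
    """

    def __init__(self, servers, send, clock=time.monotonic, retries=2):
        self.servers = list(servers)
        self.send = send
        self.clock = clock
        self.retries = retries
        self.cache = {}   # name -> (rdata, expires_at)
        self.log = []     # (server, attempt, outcome) for every attempt made

    def resolve(self, name):
        """Return (rdata, source); source is the answering server, 'cache' or 'stale'."""
        now = self.clock()
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            return cached[0], "cache"
        for server in list(self.servers):
            for attempt in range(self.retries):
                try:
                    rdata, ttl = self.send(server, name)
                except TimeoutError:
                    self.log.append((server, attempt, "timeout"))
                    continue
                self.log.append((server, attempt, "ok"))
                self.cache[name] = (rdata, now + ttl)
                # Promote the server that answered so later queries try it first.
                self.servers.remove(server)
                self.servers.insert(0, server)
                return rdata, server
        if cached:
            # Serve-stale: an expired answer beats no answer while upstreams recover.
            return cached[0], "stale"
        raise ResolveError(f"no server answered for {name}")


class FakeClock:
    """Injectable clock so TTL expiry can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def make_transport(status, answer=("192.0.2.10", 60)):
    """Constructed transport: servers marked 'down' time out, the rest return a fixed
    answer. 192.0.2.10 is a documentation address (TEST-NET-1), not a real host."""

    def send(server, name):
        if status.get(server) == "down":
            raise TimeoutError(f"{server} did not answer for {name}")
        return answer

    return send


if __name__ == "__main__":
    clock = FakeClock()
    status = {"ns1.example": "down", "ns2.example": "ok"}
    resolver = FailoverResolver(["ns1.example", "ns2.example"], make_transport(status), clock)
    print(resolver.resolve("www.example"))   # answered by ns2.example after ns1 times out twice
    print(resolver.resolve("www.example"))   # served from cache
    clock.now = 61
    status["ns2.example"] = "down"
    print(resolver.resolve("www.example"))   # stale answer, every server down
```

None of the individual mechanisms is clever; the point is that each one assumes the layer below it will fail, so the caller only sees an error after retries, failover and the cache have all been exhausted.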

Perhaps we can learn from systems like DNS that, in designing for failure and success, will prove to be robust into the future.

Andy Ellis is chief security officer at Akamai

 

Red Lambda announces European launch

September 29, 2011 View comments

The software company Red Lambda announced its entry into the European market this week with the launch of MetaGrid.

Intended to offer a form of crowd-sourcing to increase the scale, speed and efficacy of security and operational intelligence for companies with big data IT challenges, the company describes the technology as "next-generation security and operational intelligence software".

Talking to SC Magazine this week, COO Todd Krautkremer said the company was formed in Orlando, growing out of work by founder and CTO Rob Bird at the University of Florida, and now has bases in Minnesota and Southern California, with its UK office in London.

Krautkremer said the concept of the company was to "apply virtual super-computing technology to security". With a full public launch just over a year ago, a team was hired to take on the security market, and the first result was MetaGrid.

Krautkremer said: “This is a software application that sits on our platform ‘AppIron', which is essentially a super-computer with MetaGrid sitting as a layer on top to do unusual anomaly detection and situational awareness.

“This brings computers together to pass out tasks to create a response. Our grid is a combination of distributed computers, P2P networks and surface technology. These are brought together to create a super-computer, and the knowledge can be applied to security.” 

The company says it is the first to combine big data technologies into an ultra-scalable, purpose-built software platform designed to keep pace with the increasing volume, variety and velocity of IT operational data and find the threats and opportunities buried within it.

Krautkremer said the idea of a crowd-sourced grid network of intelligence allows threats to be seen outside of the perimeter, while current tool-sets focus on known threats.

“Attacks have changed and the network has changed, so securing big data is a problem, and in trying to solve the new security problem we analyse new information at every moment to determine an investigation,” he said.

“We believe that bringing all of the big data together and analysing it, we can determine if it is a threat or not. We are capturing data and developing for ‘unknown unknowns'. This is a whole new era of security that we are focused on.

“If you can consolidate and work in the way that your adversaries are, you can crunch petabytes of information to provide an advantage.”

Once data is captured and analysed to find anomalies, it is shared across the grid and compared with other knowledge. Krautkremer said this is similar to how hedge-fund technologies index and parse data, and by the time it gets to a user it has been analysed with intelligence in the memory.

Bird said: “Security, as with most aspects of IT operations, has been a big data problem for years. AppIron and MetaGrid fuse massively scalable grid computing, relational stream processing and breakthrough artificial intelligence into a single, cohesive solution that transcends the capabilities of conventional approaches and delivers true situational awareness.”

 

Talking with the first senior director of consumerisation

September 27, 2011 View comments

It is almost a year since I was told that 2011 would be the year of consumerisation, and I recently met one executive who has been gifted with managing the challenge.

Ever since I was introduced to the concept of the ‘consumerisation of IT' (to give it its full title), I have been given opinion, perspective, research and solutions to address and mitigate the problem.

Last week at the Gartner security conference in London, I met Cesare Garlati, senior director of consumerisation at Trend Micro, who said businesses' staff were forcing IT decisions.

In a recent Trend Micro survey of 600 decision-makers at medium- and large-sized businesses, 56 per cent said they allow personal devices to be used at work. Garlati said this means companies can decrease their investment in devices.

In terms of productivity, Garlati said this was a "no brainer" as employees will often work beyond standard office hours when they have access to mobile devices.

So what is the way forward according to a senior director of consumerisation? He said: “Embrace is the optimal approach. Create a plan that spans the whole organisation; say yes for some but not for everyone by determining a group of users and figure out what technology is allowed; and figure out what tools are needed and put the right infrastructure in place.”

The survey found that security (64 per cent) was the main concern in allowing personal devices to be used in the workplace, followed by data loss (59 per cent) and compliance (43 per cent).

Talking to SC Magazine, Garlati said: “Mobile is part of consumerisation but people do not understand it. People like it and use it. IT wants you to use it, but do not want to be held liable. This is a civil war.”

Garlati added that often, IT is not the driving force of technology, but the end-user adopting what they feel comfortable with.

I concluded by asking Garlati what his role as senior director of consumerisation actually involved; he said he is mainly looking at solutions and driving these to customers. With no real solution in sight, perhaps theory is the way forward.

 

The consulting cat

September 20, 2011 View comments

I recently met with a consultancy based in Cheltenham that, like many others in its sector, describes itself as "a bit different".

Started by three people in a living room, Electric Cat is now a CESG CHECK-approved company with around 15 full-time staff, including nine consultants.

James Wootton, managing director of Electric Cat, said its customers are primarily in the government sector "who came to us, so we tried to form a company that had some integrity to it". The company achieved its CESG-CHECK mark in order to work with government departments.

Wootton said: “A lot of the approval is in live tests, as exams do not make you a penetration tester. Almost all penetration testers were born with the skills – they want to see how a toy works, rather than just play with it.”

Acknowledging the work of the Cyber Security Challenge, Wootton said this type of practical assessment was the way forward for the industry. “Just because it looks great on a piece of paper, it does not mean you are going to be able to do it,” he said.

Robert Vaughan, CLAS consultant at Electric Cat, said there is a gap in the market for penetration testing. “You can talk to people about information security and see them understand it and figure out how it applies to you, but some have no concept of applicability to themselves,” he said.

“You need to talk to people at the simplest level, as nobody is prepared to understand what they do not already understand. They do not understand what it means to reveal too much information; there is a massive need for it.”

Electric Cat has worked on cyber education projects with schools and universities, and Vaughan said there is often a lack of understanding about correct procedures. He added that businesses often lack an understanding of what to do with a vulnerability once it has been identified, because they do not know when it is applicable to them.

So is there a lack of general interactivity with technology on a user basis, or is there a lack of people who are generally interested? Perhaps with its interaction at several levels, Electric Cat is aiming to create the next cream of the crop.

 

Isn't IPS all about catching malware?

September 16, 2011 View comments

With so much furore over data-loss prevention, it is rare that we look at the capturing technology, in particular intrusion prevention systems (IPS).

I recently spoke with Matt Jonkman, CTO of Emerging Threats Pro, who described its efforts in IPS as a "ten-year-old open source technology", but "the only open source that exists as anyone can do what they want with it".

I asked Jonkman the most basic question about IPS: should it stop malware coming in? He said: “We have one major target: an IPS that is good at catching malware. Companies have moved away from that as they are not getting hardware based on how comprehensive the ruleset is.

“Our focus is always on malware; IPS is better with an anti-virus client, but Suricata uses the session's command and control centre. With the major ruleset in the first version of Suricata, people took to it and decided to put in new features – from this we created a ruleset and this is where we came to be where we are. Our real focus is on malware and we publish a new ruleset every day.”

I asked him if a new daily ruleset was standard. He said most providers will issue a new ruleset once a week or once a month, but as Emerging Threats Pro takes in more than 50,000 malware samples a day and delivers 20-40 new signatures every day, it feels the need to issue a ruleset daily.

“A ruleset is around 1MB and the rule manager will see what it did not have and push it to the sensors,” said Jonkman.
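An added example of what 'the rule manager will see what it did not have and push it to the sensors' amounts to in practice (constructed Python written for this page, not Emerging Threats Pro's tooling): index two consecutive daily .rules files by sid and rev, then compute which rules were added, removed (or disabled by commenting out) and revised, which is exactly the set a manager needs to ship. The three rules are written in Snort/Suricata syntax with sids in the local 1000000 to 1999999 range; the rules, their messages and the domain they mention are invented for the demo:

```python
import re

# The option fields a rule manager keys on. Extracting them individually is more
# robust than splitting the option list on ';', which content matches may contain.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')


def index_rules(text):
    """Map sid -> (rev, msg, rule_text) for every active rule in a .rules file.

    Blank lines and commented-out (disabled) rules are skipped, as a sensor would.
    Rules without a sid and rev are dropped: a sensor would reject them anyway.
    """
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid, rev = SID_RE.search(line), REV_RE.search(line)
        if not (sid and rev):
            continue
        msg = MSG_RE.search(line)
        rules[int(sid.group(1))] = (int(rev.group(1)), msg.group(1) if msg else "", line)
    return rules


def diff_rulesets(old, new):
    """Return (added, removed, modified) sid lists between two indexed rulesets.

    A rule counts as modified only when its rev was bumped, which is the convention
    that lets sensors skip re-parsing rules whose text has not changed.
    """
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(s for s in set(old) & set(new) if new[s][0] > old[s][0])
    return added, removed, modified


def rules_to_push(old, new):
    """The rule text a manager would push to sensors: new rules first, then revised ones."""
    added, _, modified = diff_rulesets(old, new)
    return [new[s][2] for s in added + modified]


# Constructed daily rulesets. Yesterday's file has three rules; today's bumps the
# first to rev 2 (nocase added), disables the third and adds a fourth.
YESTERDAY = """
# local.rules, constructed sample
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL TROJAN Example checkin to /gate.php"; flow:established,to_server; content:"/gate.php"; http_uri; classtype:trojan-activity; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"LOCAL TROJAN Example raw C2 banner"; flow:established,to_server; content:"CHECKIN|20|"; depth:8; classtype:trojan-activity; sid:1000002; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"LOCAL TROJAN Example C2 domain lookup"; content:"|02|c2|03|bad|07|example|00|"; classtype:trojan-activity; sid:1000003; rev:1;)
"""

TODAY = """
# local.rules, constructed sample
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL TROJAN Example checkin to /gate.php"; flow:established,to_server; content:"/gate.php"; http_uri; nocase; classtype:trojan-activity; sid:1000001; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"LOCAL TROJAN Example raw C2 banner"; flow:established,to_server; content:"CHECKIN|20|"; depth:8; classtype:trojan-activity; sid:1000002; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"LOCAL TROJAN Example C2 domain lookup"; content:"|02|c2|03|bad|07|example|00|"; classtype:trojan-activity; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"LOCAL TROJAN Example C2 name in server certificate"; flow:established,from_server; content:"c2.bad.example"; nocase; classtype:trojan-activity; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    old, new = index_rules(YESTERDAY), index_rules(TODAY)
    added, removed, modified = diff_rulesets(old, new)
    print("added", added, "removed", removed, "modified", modified)
    for rule in rules_to_push(old, new):
        print("push:", rule[:60], "...")
```

The rev discipline is what makes a daily cadence cheap: the file may be a megabyte, but only the handful of rules whose sid is new or whose rev went up need to reach the sensors, and a disabled rule shows up as a removal rather than silently staying loaded.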

“We are very much vendor agnostic and work with partnerships; we do not compete and hardware companies see us as a partner and an OEM.”

Emerging Threats Pro claims to be the only IPS company serious about identifying and analysing malware before it becomes effective. It also called the reliance on desktop-based anti-virus "a very short-sighted decision".

I asked Jonkman how it deals with zero-day threats; he said these were not the biggest threat as the company will get an initial sight of the command and control centre.

Emerging Threats Pro produces a commercial ruleset for Snort and Suricata, building on the open source Emerging Threats project that it also continues to support. Jonkman explained that the US Department of Homeland Security initially funded the Open Information Security Foundation (OISF) to build an open, next-generation IDS/IPS engine; that engine became Suricata.

Suricata remains an open source project owned by the OISF. The Emerging Threats Pro ruleset was recently boosted by Kaspersky Lab: the anti-virus vendor, which uses the ruleset for its in-lab research, began a co-operation under which malware samples are exchanged and the ruleset's coverage is extended.

Kaspersky Lab said its specialists had begun feeding data into Emerging Threats Pro to improve the ruleset for all its users.

Nikita Shvetsov, director of anti-malware research at Kaspersky Lab, said: “We are happy to be collaborating with the Emerging Threats Pro Team, the open source team to go to for the best IDS/IPS ruleset. Our combined efforts will [allow] both organisations to optimise their signatures, which will then trickle down to better internet security for all.”

Jonkman said Suricata is being used extensively and it continues to support the open version, which has been downloaded 170,000 times. He added: “We want people to realise that IDS is the best protection against malware and would like to say to administrators, 'why do you not just focus on catching malware?'”
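Jonkman's description of the daily update, a rule manager that works out what a sensor does not yet have and pushes only that, rests on the sid/rev pair every Snort and Suricata rule carries. The script below is an added example written for this page, not Emerging Threats Pro's rule manager: it parses two constructed rule files (the sids in the 9000000 range and the rule contents are placeholders, not real Emerging Threats signatures), treats a rule commented out with `#` as locally disabled rather than absent, and computes which rules are new, which have a higher revision than the sensor's copy, and which have been retired.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample rules in Snort/Suricata syntax; sids in the 9000000 range
# are local-use placeholders, not real Emerging Threats signatures.
SENSOR_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE TROJAN Beacon A"; flow:established,to_server; content:"/chk.php"; http_uri; classtype:trojan-activity; sid:9000001; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE TROJAN Beacon B"; flow:established,to_server; content:"EvilBot"; http_user_agent; classtype:trojan-activity; sid:9000002; rev:1;)
# Rule disabled by the local analyst: still carried in the file
#alert udp $HOME_NET any -> any 53 (msg:"EXAMPLE DNS Query C"; content:"|03|bad|07|example|07|invalid"; classtype:trojan-activity; sid:9000003; rev:1;)
"""

DAILY_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE TROJAN Beacon A"; flow:established,to_server; content:"/chk.php?id="; http_uri; classtype:trojan-activity; sid:9000001; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE TROJAN Beacon B"; flow:established,to_server; content:"EvilBot"; http_user_agent; classtype:trojan-activity; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"EXAMPLE TROJAN TLS SNI D"; flow:established,to_server; content:"cnc.example.invalid"; classtype:trojan-activity; sid:9000004; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')
ACTIONS = ("alert", "drop", "pass", "reject", "log")


@dataclass(frozen=True)
class Rule:
    sid: int
    rev: int
    msg: str
    enabled: bool  # False when the line is a rule commented out with '#'
    text: str      # rule body without any leading '#'


def parse_rules(blob: str) -> dict[int, Rule]:
    """Parse a rules file into {sid: Rule}. Blank lines and free-text comments
    are ignored; a commented-out rule is kept and marked disabled."""
    rules: dict[int, Rule] = {}
    for raw in blob.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("#").strip()
        if not body.startswith(ACTIONS):
            continue  # a free-text comment, not a disabled rule
        sid_m = SID_RE.search(body)
        if sid_m is None:
            continue  # malformed: every rule must carry a sid
        rev_m = REV_RE.search(body)
        msg_m = MSG_RE.search(body)
        rule = Rule(
            sid=int(sid_m.group(1)),
            rev=int(rev_m.group(1)) if rev_m else 0,
            msg=msg_m.group(1) if msg_m else "",
            enabled=enabled,
            text=body,
        )
        rules[rule.sid] = rule
    return rules


def ruleset_delta(sensor: dict[int, Rule], daily: dict[int, Rule]):
    """Compare what a sensor already has with today's ruleset.
    Returns (new, updated, removed) as sorted sid lists; 'updated' means the
    daily file carries a higher rev for a sid the sensor already holds."""
    new = sorted(sid for sid in daily if sid not in sensor)
    updated = sorted(sid for sid in daily
                     if sid in sensor and daily[sid].rev > sensor[sid].rev)
    removed = sorted(sid for sid in sensor if sid not in daily)
    return new, updated, removed


def rules_to_push(sensor: dict[int, Rule], daily: dict[int, Rule]) -> list[str]:
    """The rule texts a rule manager would push: new rules plus revised ones,
    leaving alone any sid the local analyst has deliberately disabled."""
    new, updated, _ = ruleset_delta(sensor, daily)
    return [daily[sid].text for sid in sorted(new + updated)
            if sid not in sensor or sensor[sid].enabled]


if __name__ == "__main__":
    sensor, daily = parse_rules(SENSOR_RULES), parse_rules(DAILY_RULES)
    print("new/updated/removed:", ruleset_delta(sensor, daily))
    for text in rules_to_push(sensor, daily):
        print("push:", text[:60], "...")
```

Keying on sid rather than on the full rule text is what makes the delta small: a rule whose content changed but whose sid stayed the same is pushed as a revision, not as a second copy, and a sid the analyst has disabled locally is not silently re-enabled by the next daily push.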

 

Would you change your behaviour if you knew you were targeted?

September 13, 2011

Media headlines and warnings from security experts and government agencies pale in comparison to the sure knowledge that you have been targeted.

Would you change your attitude if you knew someone, or some organisation, was after your data? In 15 years of talking to people about improving their security, I repeatedly hear the response: "But we are just a [insert benign industry here]… who would want our data?"

Industry by industry, organisations have learned the hard way that their data is valuable to someone. Banks, stock traders, software vendors, payment processors, retailers, hospitals, NGOs, militaries and governments have discovered through very public breaches that their data is indeed wanted by some bad actors, be they hacktivists, cyber criminals, competitors, insiders or foreign agencies.

So imagine for a minute that you get clear intelligence that you or your organisation has been targeted. It could be as blatant as Anonymous threatening you for some perceived slight. You may see your organisation's name appear in the press, or you may get an alert of a spear phishing attack against an executive.

Once you realise you are the target of an adversary, your approach to security transforms. You circle the wagons; you check your access logs; you take the results of your vulnerability scans seriously. You consider updating and patching your operating systems and revisiting your firewall policies.

However, this does not go far enough. It may protect you from attacks aimed at a broad swath of victims, but if the adversary is determined, they will bypass even systems that are patched and running the latest anti-virus signatures.

They will use zero-day vulnerabilities, target your more-vulnerable partners or find systems that do not even run anti-virus software. To protect your endpoints from this level of targeting, you need to lock them down so no unauthorised code can run. This is what whitelisting does. The droppers, remote access and Trojan applications used in targeted attacks will not run.

Is that all you have to do? Of course not. Targeting involves a lot more than computers and networks. A determined adversary will go to great lengths to get what they are after. Bribery, blackmail, breaking and entering, and infiltration take data protection into the human and physical realms. Why make it easy for your attacker? Protecting desktops and mobile platforms from relatively simple attacks is the first step. Beefing up your background checks and internal monitoring is next.

Richard Stiennon is founder and chief research analyst at IT-Harvest
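The column's point about whitelisting, that a dropper nobody has a signature for yet still will not run, is easiest to see by putting the two policies side by side. The following is an added example written for this page, not code from the column or from any product: the "binaries" are constructed byte strings whose only role is to have distinct hashes, a blocklist models the anti-virus approach (deny what is known bad), and an allowlist models application whitelisting (run only what is approved). The `approve` step shows the operational cost that comes with default-deny.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables: the bytes are arbitrary, only their
# hashes matter for this demonstration.
APPROVED_BINARIES = {
    "mail-client.exe": b"MZ\x90\x00 constructed mail client build 4.2",
    "word-processor.exe": b"MZ\x90\x00 constructed word processor build 11",
}
KNOWN_DROPPER = b"MZ\x90\x00 constructed dropper, variant analysed last month"
NEW_DROPPER = b"MZ\x90\x00 constructed dropper, recompiled for this target"

# A blocklist (anti-virus style) knows only what has already been analysed.
BLOCKLIST = {sha256_hex(KNOWN_DROPPER)}
# An allowlist knows only what the organisation approved; everything else is denied.
ALLOWLIST = {sha256_hex(b) for b in APPROVED_BINARIES.values()}


def blocklist_permits(binary: bytes) -> bool:
    """Default-allow: run anything not known to be bad."""
    return sha256_hex(binary) not in BLOCKLIST


def allowlist_permits(binary: bytes) -> bool:
    """Default-deny: run only what has been explicitly approved."""
    return sha256_hex(binary) in ALLOWLIST


def approve(binary: bytes) -> str:
    """The cost of allowlisting: every new or updated build must be approved
    before it will run. Returns the hash that was added."""
    digest = sha256_hex(binary)
    ALLOWLIST.add(digest)
    return digest


def compare_policies(samples: dict[str, bytes]) -> dict[str, tuple[bool, bool]]:
    """For each named sample: (blocklist decision, allowlist decision)."""
    return {name: (blocklist_permits(b), allowlist_permits(b))
            for name, b in samples.items()}


if __name__ == "__main__":
    samples = dict(APPROVED_BINARIES, known_dropper=KNOWN_DROPPER, new_dropper=NEW_DROPPER)
    for name, (bl, al) in compare_policies(samples).items():
        print(f"{name:20} blocklist={'run' if bl else 'deny'}  allowlist={'run' if al else 'deny'}")
```

The unseen dropper passes the blocklist because nothing about it is known yet, and fails the allowlist for exactly the same reason. Real whitelisting products usually key on publisher signatures or trusted paths as well as hashes, which reduces how often `approve` has to be run after routine patching.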

 

How does a company use device detection software?

September 09, 2011

The laptop detection technology from Absolute Software has always interested me from a consumer perspective, but what benefits does it actually offer to businesses? After all, how many laptops are stolen on a regular basis and need to be recovered?

I talked to Lorrayne Smith, distributed systems team leader at communications firm KCOM Group, who helps to oversee IT hardware assets including 1,100 laptops and 900 desktops. Add to the equation the company's 2,000 employees across nine locations, and the fact that many of them work on customer sites, and the challenge becomes a big one.

Ahead of the deployment of Absolute Software's Computrace three years ago, KCOM Group chose to lease its hardware, rather than buy it outright, meaning it needed to take extra care in tracking the whereabouts of its IT assets.

Talking to SC magazine, Smith said: “The main reason we used Absolute Software was because we had PCs and desktops and needed to get hardware back. Once it was implemented we used Computrace to do a data wipe so, if a laptop is stolen, we have not lost data.

“It has solved an issue in tracking PCs, as often they are used for working from home by engineers. We send out replacements too, and sometimes it is a challenge to get the laptop back, which is why we use Absolute Software to track PCs if they have not ‘called home’ in 30 days.

“We use it as a capability, but it is all about keeping a close eye on the assets, as we are low on number of stock and it is important to get them back. We find that if someone has [a laptop] and is leaving, they tend to keep it back for the next starter.”

Computrace is able to pinpoint a laptop's location as soon as it connects to the Internet, so KCOM Group can identify a missing machine and know precisely where it can be retrieved from.

“Keeping track of employees' laptops can be a nightmare in terms of administration and organisation, and that's before you've made allowances for human error. No matter how hard you try, it is inevitable that laptops will occasionally be misplaced,” Smith said.

She added: “We had a laptop stolen and I got an email saying it had been recovered by the police. We left this in Absolute Software's hands and they tracked it – we did not have to do anything.”

The deployment has also reduced 'PC drift', as information obtained from the Absolute Customer Centre can determine when a computer has not been used for some time; the device is then located so it can be redistributed elsewhere.

“Without Computrace, we would not have known where a faulty laptop was and it would have sat in the drawer for months, when it could have been repaired and given to another employee to use. More importantly, a laptop left in an unlocked drawer presents a big security risk when the data is potentially confidential,” said Smith.

 

Was the latest NHS breach about more than data loss?

September 08, 2011

A recent report by The Information Commissioner's Office (ICO) on an NHS trust's loss of patient data highlights a new challenge for businesses generally.

In the incident at the University Hospital of South Manchester NHS Foundation Trust, a medical student lost the personal information of 87 patients after mislaying an unencrypted memory stick.

The student, who had been on a placement at the hospital's Burns and Plastics Department, copied the data onto the personal device for research purposes. According to Chris McIntosh, chief executive of ViaSatUK, the incident demonstrates the risk of a complacent approach to data protection, as well as the need for training to be carried out across all levels within an organisation.

He said: “There is little point in having a policy in place if it is not adhered to by everyone. Sensitive information on patients needs to be secured and, if it is stored on portable storage devices, these devices need to be encrypted.

“Data protection training needs to be instilled at an early stage for those working with sensitive data in the same way that health and safety training is undertaken before staff begin work. It should also be transparent who has, and who has not, received this training so that presumptions are not made, rules are adhered to and the risk of further losses like these are prevented in future.”

Mark Fullbrook, director of UK and Ireland at Cyber-Ark, said the story was "hardly encouraging" as the NHS holds the most sensitive of our personal information and the public expect it to adequately protect this data.

He said it was particularly disappointing that the trust assumed the student had received data protection training. “Given the importance and sensitivity of the information in question, this should have been checked properly and addressed immediately,” he added.

Christian Toon, head of information risk at Iron Mountain, said the case highlights the need for adequate information management training for staff at every level.

“The NHS needs to integrate corporate training and self-regulation into its organisation and build a genuine culture of 'doing the right thing', so that mishaps can be avoided. While no information management system is fool-proof, correct training and regimented checks as part of a cultural shift will ensure that the human factor is less of an influence and limit data-loss incidents,” he said.

Another worrying aspect of this incident is the negative implications of the ‘bring your own device’ (BYOD) concept. Stephen Midgley, vice president of global marketing at Absolute Software, said this case was a prime example of the challenge companies face in light of the BYOD trend. “They must take appropriate measures to enable central management of devices, as this is the only way they can ultimately ensure the protection and integrity of their data,” he said.

Marc Lee, EMEA sales director at Courion, said the case illustrates the need for organisations to better understand the assignment of appropriate risk levels and user access rights to everyone accessing the corporate network.

He said: “Enforcing strict access rights management will help organisations control not only who is accessing sensitive data, but also how this information is being used and who is entitled to copy confidential data on personal devices such as unencrypted USBs. This will inevitably minimise the risk of inappropriate data use and will help organisations ensure that only the right people have access to the right information and are using it in the right way.”

This incident, then, has implications that go beyond simple data loss prevention and robust policy management. It is a clear warning about the perils of giving temporary staff access to data, the use of unapproved personal devices and a lack of training.

 

Solving remote solutions in-house

September 01, 2011

As well as the various security tools that are available to IT teams, it is great to see the in-house development of solutions and even better when they choose to talk to the press about them.

I was recently contacted by a member of Stockport Council's ICT department who told me about a new in-house development to allow remote access to desktops. Called the '.Roamkey', it is described as ‘a secured operating system stored on a bootable USB pen drive’ that allows a user to make use of an unmanaged computer to access ICT services in a secure manner.

I asked Mark Doyle from the ICT department what the circumstances were around the solution being developed. He said that it was developed to resolve a number of issues: employees had previously been using insecure or unmanaged equipment to access Stockport Council's ICT services, which posed a risk to the security of the internal networks and also presented a risk of data leakage.

He also said that users were experiencing difficulties configuring their personal computers to access Citrix, creating a support overhead on unsupported IT equipment, while providing extra IT equipment (laptops or thin clients) for casual home workers was proving to be ‘prohibitively expensive’.

Asked if he was inspired (either positively or negatively) by other available solutions when creating this, Doyle said: “We began developing the .RoamKey purely in response to needs identified via IT service management. We believed that we had the skills and knowledge already available within operational ICT to develop a solution.

“We had previously looked at using removable media to initiate client rebuilds. We were not aware of any similar products until after it was developed, although it became apparent at that time that a number of expensive but very similar alternatives were becoming available.

“We did review some of these but found that they offered nothing additional (for Stockport Council) to what our own .RoamKey could provide. The .RoamKey is CESG compliant (but not approved); as all our GCSX/GSI users are office based, we do not have a specific requirement to implement a CESG approved product.”

Asked how this is meeting the needs of the council, its IT team and employees, Doyle said that employees are now able to make use of their own ICT equipment to securely access council-provided ICT services, and there is no longer any need for users to configure their own equipment or to request support from ICT.

“There is a cost saving as dedicated ICT equipment no longer needs to be purchased for casual or ad-hoc home workers and ICT can now provide .Roamkeys to staff for remote working in compliance with the Code of Connection,” he said.

Doyle said he believed that Stockport Council's ICT department was the first in the public sector to do something like this, and it has plans to sell .Roamkey to other public sector bodies and private industry.

 

Addressing the modern day challenges of identity and access management

August 30, 2011

Earlier this year I talked with some leading identity and access management (IAM) solution providers after some notable movement in the sector.

I spoke with Scott Morrison, CTO and chief architect of Layer 7 Technologies, about some of these topics, specifically the Jericho Forum's suggestion earlier this year that people should control their own identity.

The guidelines also suggested that a person's own username and password should be accepted universally. I asked Morrison whether this is workable or impractical, given that each site needs to know who is logging in with the credentials they have provided.

He said: “This was the dream of OpenID, a credential that could be used across a range of websites. At first look it seems counter-intuitive as traditionally, owners of a service have always issued credentials to access a service.

“For example, to get your corporate email, you need to use corporate-issued IDs. But if you stop and consider the lack of ceremony and validation that most websites demand for creating an account and issuing an ID (usually little more than the hoop of getting past a CAPTCHA), it becomes logical to think that maybe we should just accept credentials that come from another identity service. In the end, these are as valid as credentials issued locally by the website and, from an architectural perspective, it has a nice elegance to it.

“Of course, identity provisioning remains an issue. If I show up as Scott Morrison with credentials issued somewhere else, most sites still need to create some record of me in a database to run effectively; it may just no longer need a local password and this is a pretty big step forward.

“So the idea is certainly practical and technically feasible; the real barriers to adoption are cultural. Web developers aren't accustomed to developing sites that use this idea. An awful lot of web development is template driven and if the template you are using already has a user signup section that includes local passwords, that's what is usually used.

“What is interesting is that six months ago I would have maintained that OpenID was dead, just another good idea that failed to take off. But interestingly enough OAuth seems to be giving it a new lease on life.”

It had been suggested to me in some meetings that ‘identity’ and ‘access management’ should be considered separately. I asked Morrison whether, even if they are treated separately, they still need to co-exist, since you cannot have one without the other.

He agreed, saying that identity is about ‘the claims we use to prove we are who we say’, while access management uses identity by running authentication (validation of security tokens and thus establishment of claims) and authorisation (is an identity allowed access to a resource).

“They are linked, but it helps to consider them separately because they are each important concepts in their own right,” he said.
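Morrison's two points, that a site can accept a credential issued elsewhere while still keeping a local record that holds no password, and that authentication (validating a token to establish claims) is a separate step from authorisation (deciding whether that identity may reach a resource), can be shown in one short relying-party flow. The code below is an added example written for this page, not Layer 7's or any identity provider's code: the issuer URL, the shared key and the user are constructed, and an HMAC-SHA256 signature stands in for the asymmetric signature a SAML or OpenID provider would actually apply.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Constructed: one trusted identity provider and the key this site uses to
# check its signatures. A real SAML/OpenID provider signs with a private key
# and the site verifies with the public key; HMAC stands in for that here.
IDP_KEYS = {"https://idp.example.invalid": b"constructed-shared-secret"}
TOKEN_LIFETIME = 3600  # seconds


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(issuer: str, subject: str, email: str, now: int | None = None) -> str:
    """The identity provider's side: sign a set of claims about a user."""
    iat = int(time.time()) if now is None else int(now)
    claims = {"iss": issuer, "sub": subject, "email": email,
              "iat": iat, "exp": iat + TOKEN_LIFETIME}
    body = _b64u(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(IDP_KEYS[issuer], body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64u(sig)}"


class AuthError(Exception):
    pass


def authenticate(token: str, now: int | None = None) -> dict:
    """Authentication: validate the security token and establish its claims.
    The issuer is read from the body only to pick the verification key;
    nothing in the claims is trusted until the signature has checked out."""
    try:
        body, sig = token.split(".")
        claims = json.loads(_b64u_decode(body))
        sig_bytes = _b64u_decode(sig)
    except (ValueError, json.JSONDecodeError):
        raise AuthError("malformed token")
    if not isinstance(claims, dict):
        raise AuthError("malformed claims")
    key = IDP_KEYS.get(claims.get("iss"))
    if key is None:
        raise AuthError("unknown issuer")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        raise AuthError("bad signature")
    current = int(time.time()) if now is None else int(now)
    if claims.get("exp", 0) < current:
        raise AuthError("token expired")
    return claims


# Local user records keyed by (issuer, subject). The site still keeps a row
# per user, but it holds no password: that stays with the identity provider.
USERS: dict[tuple[str, str], dict] = {}


def provision(claims: dict) -> dict:
    """Just-in-time provisioning: create the local record on first sign-in."""
    key = (claims["iss"], claims["sub"])
    record = USERS.get(key)
    if record is None:
        record = {"email": claims["email"], "roles": {"member"}}
        USERS[key] = record
    return record


# Authorisation data is local policy, independent of who vouched for the identity.
ACL = {"/profile": {"member"}, "/reports": {"analyst"}}


def authorise(record: dict, resource: str) -> bool:
    """Authorisation: is this identity allowed access to the resource?"""
    return bool(record["roles"] & ACL.get(resource, set()))


def sign_in_and_access(token: str, resource: str, now: int | None = None) -> bool:
    """The full relying-party flow: authenticate, provision, authorise."""
    record = provision(authenticate(token, now))
    return authorise(record, resource)
```

The record is keyed on the pair (issuer, subject) rather than on the subject alone, because two providers may both know a user as "scott"; and roles live in the local record, not in the token, so a change of provider does not change what a user is allowed to do.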

Talking with other providers this summer about hosted IAM solutions led me to wonder if this is something businesses should be demanding from their service providers.

He said: “Businesses should look for the cloud access management solution that meets their unique needs. A specific cloud provider may not offer the best of breed access management system. However, I do think it is reasonable to push cloud providers to accommodate existing standards such as security assertion mark-up language (SAML) and emerging standards like OAuth on their access control.

“For example, many SaaS providers, such as Salesforce.com or Google docs can use SAML to allow federated sign on with enterprise IAM equipment on premise, or with cloud-based solutions. In 2011 this should be a pretty basic requirement.”

Finally, in a conversation I had with Extreme Networks and Courion earlier this year, I was told that businesses should look at Active Directory settings and privileges as a simple way of ensuring that users have access to the right applications and services.

Morrison said that businesses with an existing investment in Microsoft technologies and Active Directory should look closely at what IAM capabilities this technology offers.

He said: “Certainly the latest versions of Active Directory Federation Services have offered a very rich and capable federation model that works well in Microsoft environments. However there are certainly non-Microsoft equivalents that might be a better fit with a business's existing technology infrastructure.”

As people are forced to consider their online identities more and more, perhaps it is worth knowing that there are concepts and solutions ready to solve the dilemma.

 

Taking down Rustock

August 25, 2011

There have been some notable botnet takedowns in recent times, including BredoLab and Mariposa.

Most recently, the Rustock botnet was taken down by a group of companies led by Microsoft's digital crime unit. I spoke with Alex Lanstein, senior security engineer at FireEye, who was involved with the takedown. He explained that the project to bring Rustock down began 18 months ago ‘when there were initiatives to do something good on the internet’.

Lanstein said: “We went after a major threat and the decline in spam shows how good the takedown was. Microsoft was involved in this, but it needed industry collaboration to take down such a threat.”

I asked him about how this compared to the takedown of Mariposa a year ago. Lanstein said that the difference in the botnets was significant, as Mariposa was more kit-based and was sold to many users, while Rustock was developed and used by one party, so one person was responsible for its output and activity.

Lanstein said that in order to take down a botnet, you need to hit each command and control (C&C) server that is being used by every variant of the malware. “We spent over a year identifying each one so 100 per cent of the botnet was taken down,” he said.

“You have to watch every server and variant and know what the malware looks like. It can seem easy to look over the C&C, but if there is a backup, access to the botnet can be recovered. We had to hit six or seven data centres within minutes as otherwise, if they knew what we were doing, they may have been able to wipe files.”

Speaking to Symantec.cloud, I was told that there had been no activity from Rustock since the takedown. To date there have been no arrests made in connection with Rustock, although there has been some speculation about the identity of the person behind the botnet. Lanstein said that logs he had seen suggested that the owner would keep a low profile should the botnet be taken down.

I asked Lanstein if he felt that copycat botnets would appear following the capability of one person setting up Rustock. He said: “I don't think so, as spam has been harder to get through due to anti-spam and spammers being reliant on rogue credit card processors, fake anti-viruses and pharmaceuticals. The whole spam model will not go away as there is money to be made from spam.

“You could say that the spam problem is over because the threat now is about specific attacks with customised malware. We are seeing increased attacks over the last six months, and state-sponsored attacks that have no economic impact at all.”

Botnet takedowns are a very remarkable part of our business that require collaboration between professionals and individuals, a lot of hard work and expert timing. With other botnets still live and likely to be constantly sending out spam, there's no time to sit back and admire the work.  

 

With members leaving, is this the beginning of the end for Anonymous?

August 25, 2011

The Anonymous movement has come under fire from its own members this week, as at least four members have publicly criticised its recent actions.

At the start of this week, a former Anonymous member known as ‘SparkyBlaze’ publicly left the movement and criticised the recent actions, saying that when he started out he thought he was helping people, but over the past few months things inside Anonymous had changed.

This was followed by a Twitter tirade by another member who called himself JohnDoeJKM, who also spoke out against Anonymous actions against the public. He also criticised the merger with LulzSec for removing the option to collectively decide on targets and said that Anonymous ‘is fractured and wild with no focus or direction’.

A statement appeared from a member from Nigeria, who identified himself as ‘SanDel’ and admitted hacking into the Federal Airports Authority of Nigeria and launching a distributed denial-of-service (DDoS) attack against the Aero Contractors, Air Nigeria and Arik.

However he said that when people got arrested, the Anonymous leadership did nothing. He said: “To other Anonymous members I recommended that you quit. You are not doing anything that can make a change. The best is to contact your politicians and make a change.”

In a letter to Anonymous from someone simply signing off as ‘anonymous’, it said that ‘lately something has been wrong’, in particular targeting members of the public.

It said: “Because of your recent acts you've gone from liberators to terrorist dictators. I'm posting this as a guest because I feel that by simply disagreeing with you, I run a risk of attack.

“You'll never gain popular support in the way that you're going, attacking corporations and releasing customer information makes them blame you, not the corporations. Whoever has told you that this was the logical approach has misled you.”

This member also criticised the ‘OpBART’ operations for hacking databases and releasing customer information.

“BART is public transportation for those without transportation, this is the last resort for most people. BART customers may not have a choice but to use BART, so you hurt them further by releasing their personal information like you're a bunch of lowlife scum. This is why you are thought of as cyber terrorists, this is why the people don't follow you,” it said.

Personally I doubt that the public resignation will make much of an impact upon Anonymous. It has continued to insist that it does not have leadership and operates as an umbrella term for global activists to work under.

I spoke with James Lyne, ethical hacker and senior technologist at Sophos, who said that you have to assume that the Anonymous membership ‘is pretty huge’. In terms of members leaving, he said that what may make a difference is that the comments from those leaving may ring true with other members.

He said: “What may create a response was what was in the open letter, that the actions of the group infringe on people's privacy that the group was meant to uphold. The actions are moving to human harm and while a massive DDoS against SOCA is not condoned or right, the difference between that and releasing information that harms people who have no idea of the concept of information security is huge.

“There does seem to be a change in the stakes with the actions of the group, but four people will not cause a change, but what will be interesting to see is if the comments have any impact on other members.”

While Anonymous has not officially responded, it did acknowledge that not all members would all support the same cause.

There has been no comment via its AnonOps blog page, but in a tweet, it said: “Some Anons support ‘OpBART’, others don't. Some support ‘Antisec’, some don't. Some support both, or neither. All valid Anonymous stances.”

Rik Ferguson, certified ethical hacker and director of security and research at Trend Micro, said that Anonymous' PR originally gained public sympathy from the technologically engaged to encourage people to take part in DDoS attacks.

He said: “Although illegal, attacks against high-level targets are some form of legitimate protest in some eyes, but hacking and releasing the data of innocent users, impeding their privacy and putting their identity at risk, is a different ball game.

“I have not seen any movement from Anonymous but it is difficult to determine who Anonymous is. With operation Facebook, it was not sanctioned by Anonymous but was done by members, so it seems that there is no control.”

Looking to the future of the movement, Ferguson said that he believed that members may splinter off into different groups in different countries as they feel empowered under the antisec flag.

“It could mean that the current tactic could become the norm and we could see groups with the same common belief but not working under the umbrella of Anonymous,” he said.

 

Second #Anonymous member speaks out against group's recent actions

August 24, 2011

The Anonymous group is facing its second member revolt in a week after another 'anon' spoke out against its actions.

Naming himself simply ‘John Doe’ and tweeting as JohnDoeKM, he began by criticising the proposed ‘opFacebook’, which encouraged others to target the social networking site on 5th November, and went on to claim that the movement's aims had changed ‘since Lulzsec made random hacks "cool"’.

He said: “What happened to the old method of discussing new ops (operations) and voting on their worth before announcing them? It used to work. It also stopped numerous fail ops that lacked potential. Made Anonymous more effective and focused. Is needed desperately.”

Looking back at the efforts against PayPal and MasterCard last year, he said that this was ‘all great work done by focused anons’. “Now there are millions of stupid ops. We are divided and have lost direction. This makes us ineffective and weaker,” he said.

“For example, as much as I commend people looking after the homeless, we don't need an op for it. People should just be nice without ops. Anonymous used to do great, world changing work. That's how we got where we are. Let's not throw it all away with stupidity eh?”

He also claimed that the public opinion of Anonymous is at an all time low because of ‘stupid lulz and retarded ops’, and that ‘the public loved us last year when we fought for good’.

“Now, no-one seems to know what they are fighting for, and the public tires of us. Media think we are failing. We need to unify and focus,” he said.

He also claimed that Anonymous members used to vote on operations, and ‘stupid ops got ridiculed and declared unofficial’, but that does not happen anymore.

Looking to the future, he said that Anonymous should reform, show that stupidity will not be tolerated and that good work will be done again, and that it should go back to the days before Lulzsec with ‘voting, focus, organisation’, when it would not stand for trolls and lame operations.

He said: “Good, solid work that not only helps on a global scale, but that the public can get behind. That makes us proud to be Anonymous.

“Right now brothers, I am not proud of Anonymous. It is fractured and wild with no focus or direction. Overrun by cancer. Change is needed.”

He also said that the old system of voting worked but the new system of ‘free for all’ does not, and a movement ‘back to IRC for voting is the only option’.

He also called the ‘Antisec’ operation a failure, as nothing of any real worth has been ‘leaked’ yet and ‘it simply makes us look bad’.

During the series of tweets that have been going on for over four hours at the time of writing, he said that the more he was talking about his thoughts, the more other Anonymous members were admitting that they felt the same.

Earlier this week a former Anonymous member, who was known as ‘SparkyBlaze’, publicly left the movement and criticised recent action in a statement. In that he said that when he started out he thought he was helping people, but over the past few months things inside Anonymous had changed.

 

How a national education network ran secure computers without anti-virus

August 23, 2011

The search for a secure computing solution for its tuition centres led Explore Learning to consider a sandbox solution with a difference.

A provider of private maths and English tuition services, Explore Learning is a national network of learning centres for children aged between five and 14 years. The scheme is designed to enhance knowledge, confidence and enjoyment of learning by using interactive computer-based tools that mirror the National Curriculum.

Speaking to SC Magazine, Stuart Morgan, IT director at Explore Learning, said that he had been looking for a solution that allowed users unrestricted access without compromising the network.

This led him to discover Faronics' layered security suite, Deep Freeze. The company said that it automatically restores workstation configurations with every reboot and prevents unwanted or unwelcome changes from sticking, ultimately reducing IT support and callout costs.

Morgan said: “We first looked at Deep Freeze in 2003/4 and have since rolled it out. This installs an agent on the desktop that is separate from the user and when a computer boots up, the whole session is in Deep Freeze. So rather than starting up in Windows, any activity gets stored in a temporary area and this is rebooted and in education this is fantastic.

“You can reboot the machine so if something detrimental has been done to the machine, you can wipe it. There is a constant battle with policies and needs of security and users, but with Deep Freeze you set up profiles and with the sandboxing option there is not this problem.

“We started with the standard version but moved to the enterprise edition so we can reboot the machine. Also, if we want to install software, we can do it in a ‘thawed’ state so once it has been updated, we reboot and it re-freezes.”

Morgan explained that his three members of staff are responsible for 2,000 desktops in 48 centres across the UK that are used by 13,000 people. In the past, issues were resolved using re-imaging tools to restore PCs to their original state, which took 15-20 minutes; with Deep Freeze it is a standard Windows start-up.

I asked him if there is any problem with malware, or had been in the past. He said that there had not been a problem, as all activity was done in the Deep Freeze sandbox and executables were not relevant either.

He also said that the capabilities of the secure session in Deep Freeze enabled him to remove anti-virus software from the desktops that are running the client, so if a computer gets a virus, it is rebooted.

“We did not remove the anti-virus straightaway, and I would be cautious to recommend doing that but in terms of cost, Deep Freeze is lower per user than anti-virus,” he said.

Kristina Bell, vice president, international at Faronics, said: “This is an excellent example of how our solution can afford peace of mind in a large-scale networked environment that relies on PC performance, security and self-management for business critical operations. With a track record of reducing IT support tickets by up to 63 per cent, Deep Freeze effectively removes helpdesk headaches and lowers the associated costs, as demonstrated by Explore Learning.”

Earlier this year, CNS looked at how a network could be run without a firewall, so could a network run without any anti-virus be the next frontier?

 

Has the advanced encryption standard been broken or weakened?

August 23, 2011 View comments

Research emerged last week that claimed that the Advanced Encryption Standard (AES) was ‘broken'.

The cryptanalysis project, carried out by Andrey Bogdanov (from the Katholieke Universiteit Leuven in Belgium, visiting Microsoft Research at the time of obtaining the results), Dmitry Khovratovich (Microsoft Research) and Christian Rechberger (ENS Paris, visiting Microsoft Research), found a ‘clever' new attack that can recover a secret key about four times faster than the brute-force search that experts had previously assumed was the best option.

According to the research, weaknesses had already been identified in 2009 when AES was used to encrypt data under four keys related in a way controlled by an attacker. While that related-key attack was more intriguing from a mathematical point of view, what makes the new result interesting is that it applies to all versions of AES even when a single key is used.

The research also claimed that finding an AES key is four times easier than previously believed, yet the effort to recover a key is still huge: the number of steps to find the key for AES-128 is an eight followed by 37 zeroes.

It said: “To put this into perspective: on a trillion machines that each could test a billion keys per second, it would take more than two billion years to recover an AES-128 key.”

Therefore, because of these huge complexities, the research concluded that ‘the attack has no practical implications on the security of user data'. However, the researchers felt that the result was significant enough to publicise, as it is the most serious weakness yet found in the widely used AES algorithm, a view the designers of AES have also confirmed.

The research created plenty of conversation online, as researcher Dan Kaminsky called it ‘excellent', but said that there is ‘a serious language gap between press and cryptographers that needs to be addressed'.

The story on this research by the IT news website The Register noted the concern over the use of the word ‘broken': in cryptography the term applies to any attack that is faster than brute force, so ‘AES may not be completely broken, but it's broken nonetheless'.

The AES algorithm is used worldwide to protect internet banking sessions, wireless communications and data on hard disks. AES has been standardised by the National Institute of Standards and Technology (NIST), the ISO and IEEE and has been approved by the US National Security Agency (NSA) for protecting top-secret information.

The claims that AES is broken are rather extreme. The research does show a genuine weakness in AES, reached by a sophisticated attack, but one that beats brute force by only a small constant factor and leaves the key well beyond any attacker's reach. It is an academic result, not something that can be turned against real data.

 

The Day after McAfee

August 22, 2011 View comments

A 13-year mainstay of McAfee, Greg Day was among the best-known spokespeople for the company but this summer he switched sides to Symantec. Dan Raywood spoke with him about the move and the future of information security.

Day started out with Dr Solomon's in 1991 and stayed with the company after its acquisition by McAfee in 1998. At McAfee he rose to become the company's director of security strategy.

In his new role at Symantec, as EMEA security CTO and director of strategy, he explained that he will be leading a team of security strategists across EMEA whose remit will be ‘security through leadership for Symantec'. Day said that the team will provide content for events and conversations with customers, as well as focusing on trends and identifying where security is going.

“We want to talk to clients about what they should be doing and sharing industry practices. Not only with clients, but engaging with government and their activities,” he said.

“I will remain as vice chairman of the Intellect cyber security group and we will remain engaged with government on guidance to viewpoints on policy and direction. I work for a vendor but I look at it as other directors would.”

Last summer saw the acquisition of McAfee by Intel, and recently Dave DeWalt resigned as president of McAfee, to be replaced by Michael DeCesare and Todd Gebhart. Day said that in his time at McAfee he felt he had worked for ‘six or eight different companies', given his roles in the company's various divisions and under different CEOs, but that it was now a completely different company.

He said: “I hope that they continue to do great things, but McAfee looks at security, while Symantec are making a transition into security and information and these have to go hand in hand and they are the only company bringing them together.”

Day said that another driving force for his decision to move from one security giant to another was Symantec's efforts with cloud technology via MessageLabs and its interest in mobile security.

He said: “More progressive companies have corporate app stores now and this is a big area for Symantec as there are two serious options now: either with more security on the devices; or with a built sandboxed model. Most companies will start with a sandbox and that is often a stopgap, as they need more native control and need to adopt an application quickly.

“People are looking and becoming more efficient and want things to work rather than figuring out whether it works or not.”

With vendors such as Good Technology, MobileIron and Zenprise now firmly setting their mobile management stalls out in the security space, I asked Day if this was a specific move forward for Symantec. He said that the company has had mobile solutions already but they had not ‘been shouted about'.

Looking to the future of information security, Day said that, along with the advanced persistent threat, the real challenge concerns information at the broader level and specifically at a business level.

He said: “Cyber crime against the public will continue but against businesses we do not know when it will stop. You start with social engineering that businesses have not woken up to and it is the age-old question of 'if the internet was started again, would we be in a better place?' I say it would be smaller but we would make other mistakes.”

“If someone wants to get in then they will, so you have to think about how long that will be sustained for and when they get in, what is going to stop stuff getting out. How do you defend against exfiltration?

“I am hearing ‘cyber defence' more and more and it is about whether you defend or prevent. You spend relevant to your risk, but you are never 100 per cent secure.”

 

Revenge attack on pharmaceutical network was done via McDonalds WiFi

August 17, 2011 View comments

A former IT administrator at a Japanese pharmaceutical company has pleaded guilty to hacking into the company network and wiping 15 VMware virtual hosts.

According to a report by nj.com, Jason Cornish said that he was avenging the dismissal of a friend who had been an IT supervisor when he used a public internet connection at a McDonald's to access the Shionogi network.

Court documents said that Cornish used a company user account to gain unauthorised access to a server and to take control of the vSphere management software that he had secretly installed on the server weeks earlier from his home internet connection.

He then used this to delete the contents of each of the 15 virtual hosts on Shionogi's network, which together housed the equivalent of 88 servers and represented most of Shionogi's US computer infrastructure, supporting email, BlackBerrys, its order-tracking system and its financial management software.

The attack left Shionogi unable to ship products or communicate via email for several days, and the company estimated that it cost almost £500,000 in losses.

Cornish pleaded guilty and is scheduled to be sentenced on 10th November. He faces a maximum penalty of ten years in prison and a fine of up to $250,000 (£150,000).

Mark Fullbrook, UK and Ireland director at Cyber-Ark, said that this was the latest case of an IT administrator gone bad and highlights the dangers that can ensue from unmanaged privileged access. 

He said: “We've seen the San Francisco city network come crashing to a halt through Terry Childs, and Sam Chihlung Yin threatening Gucci's global brand in similar incidents, all at a cost of hundreds of thousands of dollars. When will lessons be learnt?

“Whilst the punishment that Jason Cornish looks set to face sends a powerful message to the rest of the world on the repercussions of such actions, it's time that organisations start to take a proactive approach to security.

“Ultimately, organisations looking to avoid a similar fate need to ensure that networks are fully locked down and privileged access to systems is managed, controlled and recorded. This is the only way to prevent such incidents occurring in the future.”

Eric Chiu, founder and president of HyTrust, said: “The breach at Shionogi is a great example of how vulnerable virtualisation infrastructure and the cloud can be. Critical systems like email, order tracking, financial and other services were impacted, having been virtualised without the proper controls in place.

“The $800,000 in damages and multiple days of downtime at Shionogi could have been easily and very cost-effectively prevented with the right automated controls in place. Most significant is that a compromise at the virtualisation infrastructure layer is a potential compromise of everything else above it in the stack.”

 

The Anonymous #opFacebook was genuine, but was not created to encourage a 5th November attack

August 11, 2011 View comments

Yesterday the talk was around whether a new video from the Anonymous group, where it pledged to kill Facebook, was genuine or not.

According to a blog by Gawker, the threat was genuine but effectively inactive. It pointed to an Anonymous statement by ‘Speakeasy', which described ‘opFacebook' as having ‘began several months ago' with ‘between ten and 20 members'.

According to the statement, opFacebook initially had one goal ‘to bring attention to the fact that Facebook stored the data of user accounts' which morphed into a second goal ‘to develop an ethical, anonymous Facebook alternative'.

The statement said: “Development began on the site (albeit slowly) and all was well for a few days. Then came news of anonplus, an Anonymous social network, similar to the one that was being developed at opFacebook. The site in development by opFacebook was slowing to a halt and so I decided to offer the source to the team at anonplus. This came as a relief as I was growing tired of the project.

“I expected them to accept my offer of free source code and a mostly functioning site that would have reduced the embarrassment they subjected themselves to with the epic fail of announcing a site before they started coding. Unfortunately however, the ‘leader' (I lol'd) was a bit of a bitch and I was subjected to a number of attempted doxes and then kickbanned.”

Speakeasy continued by claiming that the opFacebook channel was never removed and that others then decided a mass deletion of Facebook accounts would take place on November 5th, which spiralled into the rumours of an attack on Facebook.

The Gawker article claimed that the current panic ‘springs from some overeager hacktivists and media stumbling over the remnants of that abandoned operation and spinning it into a dastardly plot to destroy Facebook'.

Speakeasy said he did not know who created the opFacebook video and told Gawker he was surprised as to how the failed protest had spiralled out of control. “An attack on Facebook would be ridiculous. Even if it succeeded, Facebook has a lot of users and we want to help people, not hurt them,” he said.

As for the ‘official' line on support for opFacebook, the Anonops Twitter account said that opFacebook was ‘being organised by some Anons' but that ‘this does not necessarily mean that all of Anonymous agrees with it'.

Another tweet, from the separate Anonyops account, said that ‘an Anonymous board meeting was held' and it had ‘decided to renounce opFacebook'.

So will there be any action on November 5th against Facebook, as the video called for? It is possible that a small number will remain charged enough to mount an attack against the social networking giant, but as Imperva CTO Amichai Shulman told SC Magazine yesterday, the video was likely a call to arms, and without enough horsepower any attack will probably fail.

 

Anonymous says it will "kill #Facebook" on 5th November

August 10, 2011 View comments

The Anonymous group has appeared to make social networking giant Facebook its next target with a new video.

While it is unclear whether the video is a genuine call to arms against Facebook or simply a member with a vendetta, it claims that ‘Facebook has been selling information to government agencies and giving clandestine access to information security firms so that they can spy on people from all around the world'.

The two-minute video also said that ‘everything you do on Facebook stays on Facebook, regardless of your privacy settings' and that ‘deleting your account is impossible even if you delete your account, all your personal information stays on Facebook and can be recovered at any time'.

It ended with a message that said: “One day you will look back on this and realise what we have done here is right. Think for a moment and prepare for a day that will go down in history.”

It called on other activists and those keen to protect privacy to join the cause to bring Facebook down on November 5th this year ‘to kill Facebook for the sake of your own privacy'.

Despite media requests for clarity on whether the video is genuine or not, Anonymous had not responded at the time of writing on either its Twitter feed or via its Anonops blog page.

Speaking to SC Magazine about the threat, Imperva CTO Amichai Shulman said that these announcements are often a call to arms.

He said: “I don't have reason to believe that it is not true, maybe they are trying to build up momentum as they will need a lot of horsepower. They may be able to disrupt specific servers on a geographical basis but they may need more people to interrupt the service.

“It will be very hard to bring them down and most likely they will share toolkits, but my guess is that they are trying to create momentum to recruit. If they had people why would they wait until November 5th? My guess is that they will target specific geographical regions.”

Rik Ferguson, director of security and research at Trend Micro, agreed that the video should be treated with suspicion for now, as it was posted almost a month ago and had not been widely publicised on the usual Anonymous channels.

Looking at the group's points, he said that Facebook's own privacy policy states ‘when you delete an account, it is permanently deleted from Facebook' and that, while backup copies are kept for up to 90 days after deletion, the video's claim appears to be invalid.

He said: “The biggest and most important point though is this. Facebook is voluntary. You join Facebook because you want to. You provide information of your own volition and essentially at your own risk.

“If Facebook does know more about you than your own family, it is only because you told them. Conversely, while the social networking provider does provide relatively granular controls over how and who you share your data with, it is certainly my opinion that the default settings on an account are still too open and the mechanisms for controlling sharing are too complex.

“Posting information anywhere online is similar to pasting up a notice in a global meeting hall and should be treated in that way. Even if you restrict access to your information to only your friends, you cannot control how that information is further shared by people within your circle of trust.”

If the video does prove to be a fake, it would not be the first time that the hacktivist group's channels of communication have been spoofed. Back in February, a statement appeared threatening Westboro Baptist Church and instructing it to cease and desist its protest campaign in 2011, demanding that its members 'return to your homes in Kansas and close your public websites'.

The statement was enough to draw a response from the church, and a few days later an Anonymous spokesperson denied that the group was directly responsible, while pro-US hacker The Jester claimed responsibility and mounted a lengthy denial-of-service campaign against the church's websites.

 

IT services company recovers lost laptop after break-in

August 04, 2011 View comments

To show that insurance is sometimes worth considering, I recently spoke with a computer services company whose deployed software has just proved its worth.

Paul Tomlinson, managing director at Mirus IT Solutions, told me he had deployed software from IT automation company Kaseya four years ago, and that last week the company suffered a break-in in which four customer laptops were stolen.

Tomlinson said: “Our Kaseya setting takes a screen shot every five minutes and sends it back to us, so it is not too resource hungry. After the break-in at 4.149am, the computer was turned on at 4.30pm and we saw the user go to eBay, Facebook and use online banking, so we knew their name, phone number and address.

“We sent this to the police who arrested three people. So far we have recovered one laptop while police recovered a lot more too, so from the loss of four we recovered one, but if they turn on any of the laptops we have a chance of finding them.”

Tomlinson told me that the recovered laptop had ended up only two miles from the company's managed offices in Milton Keynes, and that without the Kaseya capabilities he felt the laptops would have been lost for good.

“Kaseya sends an image which we use as a way to examine scripts, we have been using it for almost four years and we looked at the product for our managed service space. It has benefited us with the stolen laptops but it can be used for more in the future,” he said.

 

More 44Con training and 'capture the flag' contest announced, as BSides London talks online

July 28, 2011 View comments

A further three training courses have been added to the line-up for September's 44Con.

Raytheon are running a one-day ‘Executive Cyber Training Course' aimed at non-technical staff who need a thorough and pragmatic understanding of the risks of online threats and defences.

Judging by the detailed synopsis, this looks like an ideal course for management and will benefit both the attendees (by dispelling the common myths and misunderstandings surrounding ‘cyber' threats) and the staff who work for them. The coverage is extensive and the course could perhaps be subtitled 'How to know if your vendor or techies are trying to scare you!'

The ‘SensePost HBN Developer Edition' course is a hands-on introduction to identifying and removing vulnerabilities in web applications. Programming language neutral, the course is aimed at developers and is delivered by Ian de Villiers of SensePost and Daniel Cuthbert of the Open Web Application Security Project (OWASP).

If you want to avoid being the next announcement on the LulzSec Twitter feed, this course will certainly pay for itself in application security improvements in no time.

Finally, the TigerScheme QSTM examination from Encription gives you the ideal opportunity to get a well-established penetration testing qualification that is recognised by CESG for the CHECK scheme. Successful candidates will receive a University of Glamorgan certificate and three-year membership of the TigerScheme.

The 44Con training page has been amended to include details of the new courses and many of the other courses now have more detailed synopses, so it is well worth checking out.

All of the 44Con courses are competitively priced, include refreshments and come with free entry to the conference, which itself promises to be a great way to enhance and update your security knowledge.

Also recently announced is the 44Con ‘capture the flag' contest, where groups of attackers will compete to exploit and subsequently defend a number of systems on a diverse and novel collection of IT systems. Prizes will be offered for the overall winner and also the best attackers and defenders. See http://www.44con.com/ctf.html for details.

Finally, the videos of many of the excellent talks from the BSides London event are now available for free at http://blip.tv/bsideslondon. There's a diverse collection of topics and they are all well worth the time. If you check out Alec Muffett's great ‘Sex, lies and instant messenger' talk you can even hear me contributing in the Q&A (but thankfully not see me!).

 

The summer for remote connectivity begins now

July 27, 2011 View comments

As children break up from school for the summer holidays and trips away from home are planned, the subject of remote workers and the problems surrounding external access arises.

While the challenge of managing personal devices has been well documented, remote workers accessing the network externally presents its own challenges too. Do you provide a VPN for them to connect securely through and if so, how do you ensure that they will use that capability to connect into the network?

Also, if someone does use a corporate-owned or approved device, how can you be sure that security updates and patches are pushed out and applied when the employee is outside the perimeter for one or two weeks?

To get an idea of the likely scale of remote connections this summer, a recent survey of 1,000 city workers, conducted in July 2011, found that 73 per cent will check their emails whilst on holiday, while 83 per cent of C-level staff will be in touch with their offices throughout their entire vacation.

According to the survey, of that 73 per cent, 54 per cent will check emails at least once a day, while 41 per cent will take a mobile device on holiday for work purposes.

Andy Cordial, managing director of Origin Storage, which conducted the survey, said that when corporate information is accessed from a mobile device, whether personal or company-owned, and that device is misplaced, there are consequences.

“Who is to blame? Is it the employee who just can't let go or the employer for making them feel that they have to be accessible in the first place? Regardless of why it's happening, our advice to the corporate world is: if you expect to contact your staff while away then it is down to you to secure their devices,” he said.

However, with union and transport strikes not uncommon, remote working is something to be prepared for throughout the year, not only in summer. Another survey, of 1,000 commuters by SecurEnvoy, found that 55 per cent of respondents believe the threat of future strikes would encourage their employers to introduce IT measures allowing them to work from home, should they be affected in the future.

The survey also discovered that the majority of people who are able to work from home do so securely. It found that 89 per cent use a secure connection when communicating with the office, while 44 per cent use a password and two-factor authentication technology.

Bernard Parsons, CEO of Becrypt, whose Trusted Client solution has won the SC Magazine best remote access award for the last three years, said that this is one of the demands that IT managers have to face with workers these days.

He said: “One of the main problems has been business continuity. How do you enable business continuity for workers and guarantee connection for mobile workers? With the US it has been teleworkers with federal departments obliged to provide devices for teleworkers and companies recognise this in terms of the quality of life.

“Honestly, it is no longer good enough to be on a home-based machine, and this has raised awareness of threats, as companies have allowed employees to enter via their own home machines. We are the only one on the market to offer a service that scales to demand.”

If you are not offering a secure connection, then this is the season to get prepared, as the year of consumerisation meets a summer of connection.

 

Pwnie award shortlists announced

July 25, 2011 View comments

The shortlists have been announced for this year's Pwnie awards.

The awards are set to be presented at an event coinciding with this year's Black Hat USA conference in Las Vegas, Nevada, next week. A total of nine awards will be presented, in categories including best server-side bug, best client-side bug, best privilege escalation bug, most innovative research, most epic fail, epic 0wnage and ‘lamest vendor response'.

Sony has received five nominations for the ‘Most Epic Fail' Pwnie, including one for releasing ‘a significant number of their network security team'.

In the nominations for the Pwnie for ‘Epic 0wnage', that ‘goes to the hackers responsible for delivering the most damaging, widely publicised or hilarious 0wnage', are Anonymous for hacking HBGary, LulzSec for hacking everyone, Stuxnet and Bradley Manning and WikiLeaks.

An award will also be given to ‘best song' and videos can be seen on the official website http://pwnies.com/nominations/.

At last year's awards, the award for best server-side bug went to Apache Struts2 framework remote code execution (CVE-2010-1870), while the best client-side bug went to Java trusted method chaining (CVE-2010-0840).

The award for best privilege escalation bug went to the Windows NT #GP trap handler (CVE-2010-0232), and the award for most innovative research to Dionysus Blazakis for Flash pointer inference and JIT spraying. The Pwnie for ‘most epic fail' went to the Microsoft Internet Explorer 8 XSS filter, which shipped with built-in cross-site scripting filters that, for nearly a year after release, enabled cross-site scripting on otherwise secure sites.

 

Credit card trafficker and hacker sentenced to ten years in jail

July 25, 2011 View comments

A man has been sentenced to ten years in jail for stealing 675,000 credit card numbers, leading to $36 million (£22 million) in losses.

According to the Washington Times, Rogelio Hackett Jr. was sentenced in a Virginia court to ten years in jail and ordered to pay a $100,000 (£61,000) fine on charges of trafficking credit cards and aggravated identity theft.

The weight of the sentence was described as a ‘strong deterrent to others who may be tempted to engage in identity theft' by US attorney Neil H. MacBride for the Eastern District of Virginia.

According to court documents, US Secret Service agents executed a search warrant in 2009 at Hackett's home and found more than 675,000 stolen credit card numbers and related information in his computers and email accounts.

Hackett admitted to trafficking credit card information since 2002, obtained either by hacking into business computer networks and downloading credit card databases or by purchasing the information from others through various online carding forums.

Credit card companies have identified tens of thousands of fraudulent transactions using the card numbers found in Hackett's possession, totalling more than $36 million.

 

BlackBerry PlayBook gets the thumbs up from the US federal government

July 22, 2011 View comments

The BlackBerry PlayBook has been selected as the first tablet certified for deployment within US federal government agencies.

The PlayBook has received Federal Information Processing Standard (FIPS) 140-2 certification from the National Institute of Standards and Technology (NIST), which is required under the Federal Information Security Management Act of 2002 (FISMA). It is worth remembering that FIPS 140-2 validates the device's cryptographic module, not the security of the platform as a whole.

Launched earlier this year, the PlayBook has been sold on the same security capabilities as the smartphone, while other devices have been snubbed for their locked or open source operating systems.

Does this mean that the PlayBook could become the primary choice for governments? The Apple iPad proved a capable option for the Norwegian Prime Minister Jens Stoltenberg when he found himself stranded in New York by the Icelandic ash cloud last year, but that was a case of necessity rather than choice.

It was recently suggested to me that security departments will look to the UK accreditation body CESG (the information assurance arm of GCHQ, the UK Government communications headquarters) for approved solutions. At present, CESG has no approved tablet devices, but it has approved the BlackBerry Enterprise Server.

Described as a ‘multi-tasking powerhouse' in its adverts and as an ‘ultra-portable tablet that fits comfortably in one hand' in its marketing, according to Research in Motion, the PlayBook allows for secure pairing with BlackBerry smartphones via the BlackBerry Bridge application, which enables users to access their BlackBerry smartphone's email, calendar, address book, memo pad, task list, BlackBerry Messenger and browsing functionality using the larger display on the tablet.

The company was in no doubt as to the importance of US federal government approval to its security focus. Scott Totzke, senior vice president of BlackBerry security at Research in Motion, said: “This certification demonstrates our continued commitment to meeting the needs of security-conscious organisations and enables the US federal government to buy with confidence knowing that the PlayBook meets their computing policy requirements for protecting sensitive information.”

CESG were unable to tell me if there was any testing being done on other devices, but this could be a major stepping-stone for global acceptance of tablet and ‘consumer' devices in the workplace. After all, if it is good enough for the US government, then many others may follow.

 

44Con training schedule and first security professional track speaker announced

July 07, 2011 View comments

The upcoming 44Con security conference has announced its training line-up to run on the two days preceding the conference and the first speaker in the 'Infosec specialist' track.

Alex Lucas, a principal security development manager at Microsoft, will be speaking on the role of the security development lifecycle in improving the security of large projects, something of great interest to most commercial development organisations.

For the first time, the authors of the Web Application Hacker's Handbook are running a course on the content covered in the soon-to-be-released second edition. Widely recognised as one of the best technical resources on web security, and ranked number one in Amazon's web security section and number three in its network security section, the handbook is a detailed guide to the practical security issues surrounding web applications. The course is run by the authors themselves, providing first-hand knowledge and insight into the latest web application security issues.

Traditional topics such as database and wireless security are also well covered. The wireless security training includes live 'hands on' work and is run by Vivek Ramachandran, founder of securitytube.net and well known for his work on wireless security attacks and defences, in particular the 'Café Latte' attack that allowed WEP cracking for the first time without prior access to the wireless LAN itself.

The Oracle security course covers both attacks on Oracle and how these can be mitigated by secure development practices: so will be of interest to database developers, penetration testers and technical security staff.

Social engineering is a mainstay for both penetration testers and criminals and is currently a hot topic in information security. In a course on social engineering tailored for the IT professional, Sharon Conheady and Martin Law will cover the theory and practice of integrating social engineering into security evaluations and penetration tests, with a particular focus on the tricky topic of keeping such tests ethical.

Social engineering is often an extremely cost-effective attack and one that most technological barriers are powerless to prevent, so a thorough knowledge of it is valuable for any security professional.

With the increased deployment of mobile technologies and the security issues that come with them, ensuring the security of the applications deployed on them is an important issue. 44Con's Android security workshop will provide a detailed explanation of the security issues surrounding the Android platform from both a developer's and a security auditor's perspective.

Finally, Adam Laurie and Zac Franken are presenting a course on RFID technology security. Given the widespread deployment of RFID tokens in security access control systems, understanding their weaknesses and how they can be addressed is essential to ensure that such systems are deployed correctly and do not offer a false sense of security.

The 44Con training sessions are competitively priced and run on the 30th/31st August, immediately preceding the 44Con conference itself. Attendees get free admission to the full conference included in the training price. Full details and booking information are at http://www.44con.com/training/

 

Solving the problem of disappearing documents

July 05, 2011

With missing documents a recurring cause of data breaches, I recently spoke to a company that has a solution aimed at solving the problem.

Formed in 2007, Israeli company Watchdox created a technology that fingerprints a document when it is sent and allows the document to be tracked along its path to the recipient. According to Watchdox's VP of marketing and business development Adi Ruppin, this offers more than encryption or data loss prevention (DLP), as the protection is embedded into the document itself.

Ruppin said: “A digital rights management (DRM) solution is often so complicated that people do not know how to use it. Often people will work around it; what we have is more traditional and easy to use, and it can be provided as a Software-as-a-Service (SaaS) service.

“You can wipe out documents or revoke them so they cannot be accessed anymore. There is a plug-in for Outlook so every document has a policy and you can give different levels of permission: tracking only or enforcement, and if you have enforced everything, you can revoke if it is compromised.”

When I asked Ruppin where this sort of technology has been deployed, he said that one customer set is Hollywood studios protecting scripts, alongside more typical enterprises that need to protect sensitive documents.

Typically SaaS-based, the company recently launched a virtualised appliance version of the technology to enable an on-premise offering. According to the company, the virtual appliance addresses the needs of organisations that are required to meet specialised, strict security and privacy requirements.

Ruppin said that the channel has been waiting for a secure document exchange solution that can be deployed both as a cloud and as an on-premise solution and this allows companies to deploy advanced, scalable document security with no hardware or software installation.

A private cloud option offers dedicated cloud configurations for large customers as it gives organisations their own dedicated server infrastructures that are not shared with any other customer. The virtual appliance will be widely available in Q3 of 2011.

Ruppin told SC Magazine that the idea came from wanting to offer a range of options. “With SaaS it is easy and everyone has been using it, but also private cloud is being introduced and you can locate a specific data centre if you want to, so you know where the data is being hosted,” he said.

“For the virtual application, we repackaged the cloud offering into a form factor so it is the same offer to host internally. We see companies with the requirements to do this where a virtual application comes in and we see virtually any use for it.”

When I asked Ruppin about the future and the company's next steps, he said that he expects more movement in mobile devices, specifically tablets, as security is needed there in some form. He said: “You do get some security with a PC to encrypt it. There will be a few additional functions for the iPad in the next month. We focus on the last user, and make sure that it does not leak once it gets to its destination so it makes sense to use in conjunction with encryption.”

 

Canadian data breach causes Durham residents to 'not be another victim'

June 30, 2011

With every data breach there is a victim.

While it may often 'just' be a username, password or email address that is leaked, someone is bound to be affected. The announcement of a potential compromise of data could scare some more than others.

That said, some people are blasé about data breaches, so probably don't really care. So, in an 'anonymous henchman' style, does anyone really care about the victim?

Well, maybe a recent class action suit could cause someone to take action. In a report I read recently, around 80,000 people are seeking $40 million in compensation for their data, lost by the Canadian Durham region on an unencrypted USB flash drive.

According to durhamregion.com, the data was personal information about people who had been vaccinated against the H1N1 flu virus. The class action suit was given the go-ahead by Justice Peter Lauwers of the Ontario Superior Court of Justice in late April, with Bowmanville resident John Sherlock Rowlands appointed as the 'representative' of the class.

The report said that among the claims in the suit are that the region was negligent, that there was a breach of fiduciary duty, a violation of privacy and a breach of the Canadian Charter of Rights and Freedoms.

The USB key was lost in the parking lot of the regional headquarters by a public health nurse in December 2009. On the key was information on the 83,524 people who had been vaccinated between October 23rd and December 15th, 2009, at flu vaccination clinics provided by the regional health department.

The information included names, addresses, phone numbers, dates of birth, health card numbers, the name of a primary physician and personal health information provided when they got the vaccination.

Anders Kjellander, chief security officer at Blockmaster, said: “It is apparent that the loss of the data is catastrophic for everyone included; the person that lost the device, the organisation that has acted negligently and the people that had their information exposed, all are in a very painful situation.”

 

Email filtering for mobile phones from janusNET is the latest solution for device management

June 26, 2011

At the recent SC Magazine conference on securing and managing mobile devices I met with a new vendor in the sector.

Based in Sydney, Australia, janusNET offers email filtering technology without any need for software for the mobile, ensuring no dilemma for a business if it is a personally-owned device.

Managing director Greg Colla said that the janusNET technology separates the LAN from the mobile, connects to the Exchange server and allows for layered best-of-breed deployment to the server.

Colla said that often a problem with mobile security software is that it affects the performance of the device and annoys the user, so technology needs to be transparent to the user so that they have control.

“With email encryption you might forget to select it and if it is going outside your country it may go via somewhere where traffic may be monitored, so we brought in a policy to enable a civil servant to classify information,” he said.

“So when you send a message, you must be able to classify it and prior to policy, you use a secure network but the problem is a user does not know what a secure network is, so all backend rules should be automated.”

The janusGATE technology allows users to connect to the Exchange server via ActiveSync. Before a message leaves the firewall and the organisation, it can be inspected for keywords and attachments; if an important document is seen being sent, an administrator can classify it as sensitive and deliver a notification to the recipient informing them that they cannot do that.

Colla said: “At an organisation, an architect can use the best solution and allow a 'bring your own device' (BYOD) policy. They can use a complete Active Directory group to subscribe users to a policy on deployed devices so they are locked down and you can set policy to protect information to the phone. With the non-approved devices it is less so, as you cannot lock down the phone, but it will allow filtered information.”

He concluded by talking about the ability to decrypt an encrypted message on a phone. Decryption applications are available, he noted, but what will be interesting is when the operating system itself can do the decryption.

The debate on mobile device management will roll on and on, but so will the solutions.

 

Former employee hijacks CEO presentation with pornography

June 24, 2011

As LulzSec has proved with its recent antics, it sometimes takes an attack to demonstrate how secure your systems are.

Whether it is penetration testing or simple configuration, if someone informs you that there is a security issue that is related to your company then it is probably best not to ignore it. On the other hand, it can take a prank to prove a point. A couple of years ago a Macworld keynote was interrupted when Phil Schiller's presentation was hijacked, with messages posted that Steve Jobs had died.

A not too dissimilar report emerged this week stating that a former employee of Baltimore Substance Abuse Systems had hacked into the chief executive's presentation and replaced it with pornography. According to media reports, Walter Powell was fired from his job at the company in 2009 and began hacking into the computer network. The incident with the presentation to the board of directors landed him with a two-year suspended sentence, 100 hours of community service and three years of probation.

Graham Cluley, senior technology consultant at Sophos, said that this sort of case underlines the importance of having processes in place when staff leave, including changing passwords and removing access rights.

Marc Lee, sales director for EMEA at Courion, said: “While we all hope that our trusted employees don't do anything malicious, and most of the time they don't, when they do it can be costly and devastating.

“It is important to make sure that those who have the 'keys to the kingdom' are also overseen. Using access assurance solutions, including privileged account management that enables organisations to require administrators to 'check out' privileged credentials, can better track which individuals are using and have access to these credentials.”

While Powell's actions may be harmful to the company, I am sure the CEO is glad that this was only a presentation to the board and not to shareholders or customers. Then the results could have been a lot more embarrassing.

 

Will the real LulzSec please stand up?

June 20, 2011

As it marks 1,000 tweets with a declaration of what it has and wants to achieve, there is no doubt that the actions of LulzSec are to be taken very seriously.

However, it seems that over the weekend the mask of LulzSec has slipped slightly to reveal its members. A blog site appeared at http://lulzsecexposed.blogspot.com/ that named the various members as Sabu, Nakomis, Topiary, Tflow, Kayla, Joepie91, Avunit and BarrettBrown.

According to an Imperva blog, Sabu was responsible for the hacking of HBGary and is the leader; Nakomis is a coder; Topiary handles donations and payment for services including botnets. Tflow and Kayla are rumoured hackers; Joepie91 is responsible for website administration, while BarrettBrown is the spokesperson, although he later denied this and said that he does not approve of LulzSec's activities. Full details on the members can be found on the exposed website.

Interestingly, Nakomis has also used the Twitter handle 'real_j35t3r', as opposed to hacker 'The Jester' (th3j35t3r), and has been exposed as Casey Gardiner. A social networking profile from 2004 also seemed to confirm this.

The Jester, who posted a detailed investigation blog on Nakomis/Gardner, said: “I am merely presenting relentless observations, having myself been hounded by these f***wits for months. As you will see if you read everything from the top.

“Let's not forget they went from lulz (mal-nourished basement dwellers) to terrorists around this time when they attacked CIA.gov and tried to extort Karim. You draw your own conclusions.”

LulzSec responded with a statement that acknowledged the logs, saying that the logs are primarily from a channel called 'pure-elite', which is not the LulzSec core chatting channel.

“Pure-elite is where we gather potential backup/subcrew research and development battle fleet members, i.e. we were using that channel only to recruit talent for side-operations. Our core chatting channel remains unaffected. Our core LulzSec team is at full strength. The Lulz Boat sails stronger than ever, nice try though,” it said.

So even if those behind LulzSec have been identified, will it make much difference? Arguably not, as with any global online collective, those involved can assume new identities quickly and easily and new members and supporters will be drawn in constantly.

 

Will Apple's iCloud do for cloud computing what iTunes did for music downloads?

June 17, 2011

This week sees the arrival of the third annual Cloud Computing World Forum in London.

This is rather a fitting time for the event to be held, particularly with Apple making its debut into the cloud world a few weeks ago. While Apple will not be at the event, its impact upon 'the cloud' could be pretty far reaching in terms of public awareness.

Launched a few weeks ago, iCloud, according to Apple, offers a complete backup of a user's device, files and apps to the cloud so that they are accessible from an iPad, iPhone, iPod Touch or desktop. It also keeps email, contacts and calendars up to date without any manual syncing, and new users get 5GB of free storage upon signing up.

It is probably fair to say that many businesses will not be using this and that Apple has released it as a consumer-facing technology. While 5GB is not to be sniffed at, and for file storage it is more than reasonable, a business choosing to outsource to a service provider would require more storage than this. What Apple has done is draw attention to the sector in the way that it did with music downloads (iTunes), smartphones (iPhone) and tablets (iPad).

I asked Ed Dixon, director of enterprise services at Cobweb, what he thought of the announcement and if he thought it would generate more public interest in cloud computing.

He said: “Apple's recent iCloud announcement will no doubt generate greater public interest in cloud computing. However, there is an increased security concern associated with consumer-based cloud services compared to business-to-business models, so Apple will need to be mindful of this.

“This element of the unknown will produce a level of risk that Apple will have to manage. The IT industry only has to look at recent Sony and Amazon security breaches to see the concerns currently associated with cloud solutions. There is also potential enterprise risk as the line between personal and corporate device use blurs due to future adoptions to the Apple iCloud.”

Costin G. Raiu, director of the global research and analysis team at Kaspersky Lab, called the launch of iCloud for developers the beginning of 'the battle for domination in the market of cloud-centric OS'.

He pointed to the launch of iOS 5, saying it puts Apple alongside Google and Microsoft in designing and planning to deploy an operating system that is fully integrated with the cloud, particularly given Steve Jobs' enthusiasm for an OS that does not rely on local file system storage.

Raiu said: “Interestingly, Apple has chosen a different path from Google here: while Google, with Chrome OS, is trying to push users into using their cloud storage, iCloud is presented as an added feature, which can be purchased separately from the hardware.

“So, what does this mean from a security point of view? Basically, we are talking about the same class of risks as the Chrome OS. All your digital content might be available to anyone who knows your password. I believe it's completely reckless nowadays to provide such a service without two-factor authentication, which makes it prone to basic data theft techniques.

“Of course, even if security is indeed improved through multi-factor authentication methods, we are still faced with the issue that all the data is available on the cloud, in one place. Just as Sony recently learned, the cloud is not always impenetrable, its fundamental nature makes it an interesting target for cyber criminals and no doubt it will continue to be a focus for them.”

Writing on the channelnomics.com website, analyst Larry Walsh said that while Apple is not looking to take a bite out of the enterprise, what it does in the cloud may change the way enterprises and the channel approach the cloud. He also believed that Apple's entry into cloud computing will not impact the channel.

He said: “Apple's strategy is purely aimed at the consumer market. It's about making all those consumer devices work better. Most Apple users have more than one device and each device has variable storage capacity, so giving them a seamless cloud resource from which to draw files will make them more practical for users.

“For Apple, its cloud service will provide a recurring revenue stream and decrease the cost of its devices. If storage is in the cloud, there's little need for big, expensive embedded drives.

“Some enterprise users will take advantage of this service. Solution providers have become quite adept at engineering business solutions with Apple consumer products. Some solution providers are using the popularity of Apple's products to open enterprise deals, delivering Apple products integrated with virtualisation software to give users access to backend business resources.”

A separate issue may prevent Apple from getting this off the ground, with reports emerging that iCloud Communications had filed a lawsuit against Apple. It alleged that Apple had infringed on its trademark and called for an injunction that would block Apple from launching or promoting the iCloud service.

Is this something business can work with? If you effectively use it as an FTP site for storage then it may be worth looking at; alternatively, enterprise-level options exist for a reason.

So in short, it seems that Apple may not be about to change the world with iCloud, as this consumer-facing development is not suitable for business. A consumer-facing technology not being compatible with business, now where have we heard of that before?

 

NHS lost laptop leads to refreshed discussion on device location and security

June 17, 2011

This week's news about the NHS losing a laptop with a suspected eight million records on it has once again raised the issue of security on removable devices.

While hardly a new issue, three of the Information Commissioner's Office (ICO) fines have been issued over lost laptops (to Ealing, Hounslow and A4E). The storage of eight million records on one unencrypted laptop raised many eyebrows.

Mick Gorrill, former head of enforcement at the ICO and now consultant at Field Fisher Waterhouse, said it is 'inconceivable' that a laptop or USB stick would be unencrypted in this day and age.

The news also follows a recent discussion in Parliament where Keith Vaz, MP for Leicester East, asked John Thurso, MP for Caithness, Sutherland and Easter Ross, how many cases of theft from the parliamentary estate were reported in each year since 2006 and what the items reported stolen were.

Thurso revealed that between 2006 and 2010, six laptops were reported stolen, but so far in 2011, 25 laptops have been reported stolen along with two 'computers'. A Freedom of Information Act request to the Ministry of Defence (MoD) a year ago found that 340 laptops were lost between 2008 and 2010, with less than half containing encrypted data.

Stephen Midgley, vice president of global marketing at Absolute Software, said that with regard to the Parliament case specifically, what is interesting is that theft has increased year on year, raising the question of premises security and what was stored on those mobile devices.

He said: “Has constituents' personal information been exposed? Were Government documents exposed? What is Parliament doing to eradicate such theft and what actions have been taken to ensure the data on these stolen devices does not fall in harm's way?”

“When a laptop is stolen, an organisation's first and most immediate concern must be the data stored on the device. The faster an organisation can react to the loss, the quicker it can mitigate the risk to both itself and, more importantly, to its customers.”

With regard to the NHS case specifically, Midgley said what concerned him was the time lag between when the device was lost and when the police were informed. “This will be certainly disconcerting to the 8.63 million people whose data may be exposed. In this age of mobility, it is a business necessity for organisations to have complete visibility into all of their devices, where are they, what is on them and most importantly, be able to take action when a device is lost or stolen,” he said.

“In such instances, action must be quick and decisive. Organisations do not have the luxury of days to contemplate next steps. Their primary concern must be data protection/retrieval and the secondary concern has to be how the device was lost or stolen in the first place.”

Benjamin Boulnois, UK manager of endpoint protection vendor DigitalPersona, said that the proliferation of devices these days multiplies the number of vulnerabilities that an organisation faces.

He said: “Encrypting centrally-held data is useless if the same information is allowed to exist on devices, such as laptops and mobiles, which can easily be lost and stolen. Encrypting the full disk on a laptop is the easiest way to accomplish encryption.

“While this applies to any organisation, it is especially true for healthcare providers, who deal with extremely sensitive, personal and confidential patient information such as medical records. Data must be protected wherever it resides.”

Don Smith, VP of engineering and technology for EMEA at Dell SecureWorks, said that the NHS incident shows the importance of protecting data and applying basic data protection principles.

He said: “People at all levels within an organisation need to understand that a data loss or breach will have consequences for them, their employer and of course the individuals whose information has been lost and potentially obtained by those with criminal intent.”

Gorrill said that in the event of a data breach, a local authority has to inform the ICO, while it is different for the private sector. He said: “The ICO is interested in harm or distress to individuals; you should put technologies in place to protect data subjects. It is best to be upfront with the ICO and my advice is to tell them early even if you are not aware of the circumstances, as not telling the ICO will only increase a penalty.”

Smith said: “Often, companies wait until they have been the victim of a data loss event before ensuring they are fully protected. However, legislative measures such as PCI DSS, Sarbanes-Oxley and Basel II provide essential legal guidelines for organisations to follow and ensure data assets are protected.”

The reports about the NHS 'losing' the laptop are fairly vague and there is still every possibility that it may reappear. What this case has proved though is the need to know where your data is, wherever it resides, and how it should be secured. If it is not secure, it is not just the bad press that you need to be concerned about.

 

Is a global treaty on cyber security worth the effort despite its difficulties?

June 15, 2011

At the recent EastWest Institute Worldwide Cybersecurity Summit, BT Group chairman Sir Michael Rake suggested that the introduction of a cyber security treaty would be difficult but worthwhile.

In his keynote address, Rake said: “The move to introduce a cyber security treaty, it will be difficult to administer but it is critical to talk about these areas. Compared to a nuclear proliferation treaty, it will be easier.”

Despite the difficulties, is it worth trying rather than abandoning?

Talking to SC Magazine, IronKey CEO Art Wong said that while the idea of creating a global treaty has its merits, the organisations that run vital global infrastructures, such as the global banking system and utilities, must first set about creating a secure computing environment through which they and their customers can conduct business.

“Once this has been established, a global treaty would stand a much better chance of being successful,” he said.

David Harley, senior research fellow at ESET, said he was not convinced that it would be easier than a nuclear proliferation treaty to implement.

He said: “It's easy in principle to define restrictions on nuclear processing, missile deployment, agreed terms of engagement and so on, which isn't to say that it was easy in practice. Cyber warfare is a different kettle of fish.”

One of the problems, he said, is that most people could draw up nuclear guidelines, but there are no authoritative definitions to distinguish between cyber issues such as espionage, sabotage and warfare.

“Even if you can get enough agreement on definitions of what activities should be subject to the terms of a treaty, the practical difficulties of monitoring, attribution and enforcement would probably make its existence of little more than academic interest,” he said.

“It is worth trying anyway, as long as no one is relying on a gentlemen's agreement to keep the world safe. Obviously, some nations will not see any need at all to sign up to any such treaty and those who do will not always honour it.”

 

What did SIEM ever do for your business?

June 09, 2011

Following last year's billion pound acquisition by HP, ArcSight's security information and event management (SIEM) platform is under the control of a technology giant, but some of ArcSight's former employees felt that there were a few things HP could also be doing to improve the solution.

Last week I met with EdgeSeven, established by former ArcSight employees Jon Inns and Rick Wilkinson who, rather than setting up a competitor to their old company, are now working on a tool that complements the SIEM technology.

Inns explained that a problem with SIEM is that people do not understand what it does and what it can do. Buying tools is all well and good, but if the technology is not being used correctly it is a poor investment.

“This is what we are about,” he said. “What we are trying to do is different, we believe ArcSight is the best technology as analysts say, and if the technology is done right it can bring riches but few people understand what it is about and how to approach it.”

Wilkinson said that SIEM is a complex product but invariably it is trying to solve a complex problem. “People look at the technology but they are not ready to, they look at the questions but are not sure what questions they should be asking.”

Inns said: “This is a method to walk the customer from the question to the solution, if they have got a product are they sweating it? If not, do they need it? You can address this with a managed service or an in-house development.”

Inns explained that the product and service are built around SIEM, data analysis and compliance 'bolt-ons', as well as monitoring black spots to enrich data in real time.

Wilkinson said: “This is adding to relevance and specific standards, you can enrich it with niche applications. This is a clear move within the mid-market, with log management price and correlation this is the same problem, but some people have got the same problem, as they do not have a security guy.

“We see an absolute market for providing technology for the mid-market who do not have the resources to achieve situational awareness.”

An added service to a technology that is supposed to do the work for you may not seem like the best business plan, but what EdgeSeven were saying did seem to make some sense if you are not getting the best from your investment. After all, there is no shame in asking for help to get a better result.

 

Software-as-a-Service as the only option? Think again

June 07, 2011

This week's announcements by Apple about cloud developments are likely to encourage many board-level executives to consider the cloud for other services.

However, it may be worth considering keeping business-critical applications such as email where you can see them, according to Sam Cece, CEO of StrongMail.

Talking to SC Magazine, Cece said that while it is up to every business to decide the best option for them, it is important to make a decision from a strategic position on whether to do email in-house or outsource it.

Cece said: “From an outsourcing perspective, you pay cost per use fees, so how important is email to your business? Data security is an issue and when it is on-premise you can be your own email service provider. You can have integration with the firewall and analytics, you can do that when it is outsourced, but the servers are not dedicated to yourself.”

Asked whether he felt that keeping email services in-house, within your own perimeter, was the safer option, Cece agreed, saying that 'the closer you are, the more secure you feel'.

“Customers take the metrics in-house and are able to do additional programs that they cannot do in an outsourced model. Being behind a firewall is a key driver, not just from a data security perspective, but that data is intellectual property that can be used as a competitive weapon and you would not want competitors to see that,” he said.

He said that the decision on whether or not to outsource goes back to the business. Those who choose not to outsource say that email is important and want it in-house, as they want it dedicated, close and want 100 per cent control.

He said: “Email has been around for 25 years and it is full of good and bad things and as you now have Facebook, Twitter, LinkedIn, they are all new and there is no new data security model. Our vision is to combine that into a single platform and treat it like email.”

There is some truth in what Cece says; after all, it makes sense to have something within your perimeter if you want control of it. With 'de-perimeterisation' now a key area for businesses, it may be that even with the strongest controls, your boundary is penetrated legitimately on a constant basis.

 

Do IT staff have their head in the clouds over new technology?

May 31, 2011

A report from (ISC)² from the start of this year suggested that there were not adequate capabilities in training or knowledge on how to deal with new technologies.

The research found that 59 per cent of its respondents were not following key security and quality processes rigorously. Is this because there is too much confusion over the jargon used and not enough training on these new technologies?

I asked John Colley, managing director EMEA at (ISC)², whether technologies such as cloud, SaaS and mobile device management were posing a challenge to businesses.

Colley said: “If you look at social networking or mobile devices and think about what is going on in most people's personal life, I don't hear of any relationships between what people are doing at work and what is used in a commercial environment and what to do about securing it. People do want to do it so you need to know what the security implications are.

“Interestingly, consumerisation is driving a lot of this; people are using stuff and the boundary is becoming very blurred between a home and work life. We have added questions on the cloud and what the risks are and how they learn is part of the CISSP exam. It is not in at the moment, but we continue to address the tasks and add topics in and update references and the training material that comes with it. That is for the new people but for the CPD, they can choose what they want to learn about it.

“The business model is very different and consumerisation is also driving cloud as you can buy access to a cloud service on a personal credit card and how it is controlled is quite different. The business does not know what critical information is being run or stored on it and for a CIO to say that they do not know is not an excuse, as the CISO is meant to be responsible for it.

“Instead of getting ahead of the game, it is all about catching up and organisations are using the cloud and need to know about it. The CISO has to be on top and think about new technologies and has to have skills to deal with them; we have found some organisations have a network security champion or a database security champion.”

A survey by Check Point and the Ponemon Institute found that 31 per cent of its 140 respondents believe the primary concern with emerging Web 2.0, cloud and mobility technology adoption is compliance.

I asked Jericho Forum board member Paul Simmonds whether he felt that IT executives were struggling to keep up with new technologies. He commented that the problem is often that users cannot keep up and go back to the old methods that they have been using for years.

“People are using Android and Apple for applications, saying that with the existing model you can tunnel through the firewall into the environment. Jericho Forum has been saying for ten years that this is a real no-no. You can secure identity and on corporate owned machines, with anti-virus and a VPN, but now with Android, you have unsecured devices with third party software doing the same and proliferating. Three times the connections into the perimeter and access is made,” he said.

“With a lot of new technologies, we are playing catch-up and the issue is we get told ‘we have bought this and we want it integrated'. Consumerisation is the shift in power and business is saying ‘you interact with me'. Provide an application and seeing with corporate IT department and ‘want you to interact with us'.”

How adept you are at keeping up to date with modern technologies could be a factor in how confusing new technologies are, but then again the business could be the biggest driver of your rushed adoption. Either way there is an opportunity to learn, and it may be best to be prepared for, rather than behind, the wave.

 

Are you redoing, reinventing or revolving security?

May 19, 2011

In many ways a new range of products is only as efficient as the campaign used to market it.

The concept or message has to stand out; it has to be noticeable and memorable and, most of all, it is nice if someone notices it. Two that particularly stand out in recent times are those from Webroot and Check Point: Webroot encouraged the security industry to turn itself upside down (if it had not already), while Check Point pointed at 3D security to incorporate people, policy and enforcement.

I spoke with Gerhard Eschelbeck, CTO of Webroot, at the Infosecurity Europe show in April about the upside-down concept, asking initially whether that was what it was. “The theme is adopted from a visibility to create awareness on the challenges that the security industry is facing, words are being used but it is not clear what things do,” he said.

“There is a real need to build clarity on solutions and what their limitations and capabilities are. Some articles are ‘jargon-ised' and what is happening is people are using ‘techno-lingo' and they need to realise that technology has limitations. It is getting more complex.”

Eschelbeck confirmed that this is an awareness campaign, a concept, but one that the company plans to stick with for 2011. He said: “It is a concept to raise awareness and a topic is and will continue throughout, it is not just a one-time thing.”

A pretty straightforward idea: if it doesn't make sense you try to make sense of it, and if that does not work you flip it over and start again. Well, true in a sense, but what Webroot is suggesting is that rather than rebuild security from scratch you can consider a different perspective, although it does involve a rush of blood to the head.

Not completely different is the 3D security concept from Check Point. Launching it at the company's conference in Barcelona earlier this month, CEO and founder Gil Shwed agreed in part with Webroot that security does not need to be redone, but rather needs to work more efficiently against modern challenges.

He said: “We want to propose an agenda that is not centred around our products. We have plenty of things that we are dealing with every day and what we want to do is provide a higher level vision of what we think about. We want to import the visions in our product in time, but the main vision is not about the product you are using.

“We still need quality things but people are important, policy is important and technology is important and at a high level we need to start with policy and understand what we are trying to achieve, rather than hearing about a security problem and thinking ‘let's implement another security product'. The first thing is what is the policy and the second is that people are a political element.”

So while not as potentially revolutionary as Webroot's proposal, Check Point is pointing out three areas that relate to its UserCheck technology, which aims to go beyond policy to educating users.

So is there an element of promotion and brand marketing in these ideas? Of course; after all, both companies want to stand out and be used by customers, but at the same time it takes a brave company to say ‘let's do it differently' and expect an honest rather than critical response.

 

Will the acquisition of Astaro by Sophos add more credibility to UTM platforms?

May 13, 2011

Last week's announcement that Sophos was set to acquire unified threat management (UTM) vendor Astaro was one of the major security acquisition stories of 2011 so far.

Primarily because I felt that it lent a lot of credibility to the UTM sector, which has been perceived as being of use only to the small business community; this could be a masterstroke by Sophos, buying into a market that is developing fast.

I asked some of Astaro's competitors how they viewed this acquisition and whether they felt it added some gravitas to the UTM sector. Eric Aarrestad, vice president of marketing at WatchGuard, called this ‘an expected and positive development and further reinforces the UTM proposition and category'.

He said: “Endpoint security vendors are keenly aware of the market need and opportunity for comprehensive network security solutions. This acquisition substantiates and validates the strategic importance and value that UTMs provide in protecting business networks, applications and data.

“The acquisition also validates the importance of extending their ‘best-in-class' security solutions to customers. WatchGuard similarly leverages a best in security class approach by using: the best AV technology from AVG, Kaspersky and McAfee; best web blocking software with Websense; and best IPS and application control with Broadweb, etc. From an end customer perspective UTMs and endpoint security solutions are complementary and everyone should benefit from the two working closely together.”

Francois Lavaste, CEO of NETASQ, who this week announced the planned launch for the next version of its UTM platform, also called this good news for the industry and for the company.

“Gartner is releasing the magic quadrant for UTM and we have been on the same spot as Astaro in the past, so it means that both companies are perceived in the same way. It validates our position and the industry in general and could create opportunities for us,” he said.

Also welcoming the news was Paul Judd, UK and Ireland director at Fortinet, saying that it ‘adds strength to our sector' but questioned how well the two technologies will merge.

He said: “A lot of people are trying to build companies with solutions that look like what we have got. Sophos has got a part of the solution (anti-virus) and with Astaro it has got the other part. Can it try and put it together? In my experience it never quite gels, as it is never the same solution.”

While some people may not deem this move comparable to Symantec's acquisitions of PGP and MessageLabs or Intel's major acquisition of McAfee, what it does is lend credibility and show that small-to-medium business security is being taken seriously. Sophos is undoubtedly aware of this and I suspect that others may follow.

 

Zeus is available for free, is there a need for panic?

May 12, 2011

The source code for the Zeus banking malware has been leaked online, leading to a frenzy of activity on what the consequences could be.

This led to a media frenzy of reports about the ‘leak', with The Register plausibly claiming that the release could erode the paid market for the DIY malware kit and could also spawn entirely new kits that clone the existing code and build new features or services on top of it.

The code was found by IT security firm CSIS Security Group, which said that it found it on several underground forums in a compressed zip archive, which under test conditions worked fine. In a recent article CSIS Security Group reported that the source code was being sold online for $5,000, half of its standard sale price of $10,000.

Peter Kruse, partner and security specialist at CSIS Security Group, previously told SC Magazine that the source code for Zeus had been leaked and was in circulation, saying that ‘this is no longer speculation'.

Learning of the new development of Zeus being available to be downloaded for free, Kruse told SC Magazine that the reality of making a non-modified/improved version of the Zbot crimekit was worth less than $0.

He said: “This is the source code, it is complete and it compiles just fine but expect backdoor code to begin circulating shortly. Today we saw URLs for the source code being tweeted and these might be slightly modified packages. We are still running through the code.”

I asked Kruse what the leak of Zeus could mean for its future, whether it could devalue it, and whether he thought we would see more (or even less) infection than before.

“My guess is that we will see re-brands starting to show up as this code goes into the public mainstream. Future re-brands could just be crimekit using the Zeus base code and with slight modifications, including a new UI/GUI on the client and server, but this could also lead to more advanced functions being added,” said Kruse.

“I remember the same thing happening with SDBot when that source code was released. This resulted in lots of new variants and an ‘open source like environment' where functions and add-ons were shared openly. With Zeus this would be a scary scenario. It has already made SpyEye a much more potent threat than the first variants.”

Orla Cox, senior security operations manager at Symantec, said: “Now that the Zeus source code is public, it's likely that the additional people able to access it will result in more attempted attacks. However their effect is likely to be limited due to the fact that the security community now has this code too and that attack kits are predominantly used by cyber criminals with limited technical skill.

“This leads them to use the code almost ‘as is', which will not be very effective now that the code has been compromised. In short, there may be more attacks but no more successful than they are already. However organisations and end users should continue to exercise appropriate policies over browser software and plug-ins which attack kits typically exploit.”

Cox also claimed that the Zeus developers may see a temporary dent in their revenue as a result of this leak; however, they may ultimately evolve the Zeus code to engineer modified attack kits that will sell in the underground economy.

Bradley Anstis, vice president of technical strategy at M86 Security, said: “Perhaps the creators of Zeus have decided to shake up the market by giving away the tool kit for free and then making their money on the ‘WebInject' projects.

“If the owners of Zeus are also creating these add-ins, then they may believe that they can make more money out of these additional modules than out of the app itself. This would create a ‘Crimeware Freemium model'.”

The script kiddie is often seen as much less of a threat than the more organised or nation-sponsored cyber crime activity, but the public availability of such a potent threat could allow more variants to be created and distributed. On the other hand you have to consider how safe it would be to download, unzip and execute a file you found on an underground malware forum.
 

What is the difference between an APT and an AET?

May 09, 2011

In recent times the advanced persistent threat (APT) has become more prominent in information security jargon, partly due to the RSA incident. SC Magazine asked recently whether this should be taken seriously as a threat or if it is just another strong malware attack.

A combination of malware, spear phishing and vulnerability is advanced, but is it really as much of a threat as Stuxnet? Another question that came to me recently was regarding advanced evasion techniques (AET).

When I met Ash Patel, country manager for the UK and Ireland at Stonesoft, recently, I wanted to know what the difference is between APTs and AETs.

Patel explained that an APT is ‘an individual or group intending to attack a network by any means necessary and will continue to do so until successful', while AET is a delivery mechanism.

Patel said: “What do you do to stop Scada from being attacked, you can take it offline and put the intrusion prevention system (IPS) in the next-generation firewall, but will that stop Stuxnet? AET is a wrap around the malware so now you cannot see it; it is a payload delivery system for targeted malware so are you protected against all APTs? No!

“What we found out with APT, IPS and next-generation firewall is that they are not capable of protecting as they cannot see them and the payload. If you speak with your IPS vendor ask them if they can protect your technology to protect you from an AET.

“A lot of vendor protection is inaccurate, how can you protect everyone against APT if you do not know what you are using?”

Six months on from the initial announcement on AET, Patel said that complex AETs were being used and that he had spoken with customers who were concerned. “I am finding organisations who would never willingly say that they have been attacked, but they have no idea how it happened. If you have to give a reason, speak to the people who do the research and they will say that the AET is very real, credible and a threat.

“We realise that the AET is not too much of a concern for the small business but it is a major one for governments and FTSE 100 companies, people with a lot to lose. It is very complex, we are not talking about a new virus or malicious code, it is a new way to deliver it and that is where the market needs to understand.”

So in its first six months, the AET has proved to be a credible threat and not just another method of sending malware. As for what the difference between an AET and an APT is, perhaps it is the case that many people are prepared to take the former far more seriously.

 

Barclays faces the consequences with new information risk campaign

April 20, 2011

Barclays' ‘Think Privacy' campaign of a few years ago demonstrated a capability to bring awareness to staff of sensible information security practice.

The company has recently begun a new campaign to make staff aware of the consequences of insecure actions. Talking to SC Magazine, Barclays' head of information risk management Stephen Bonner and Mark Logsdon, director of information risk management, explained that the new venture took them down some interesting alleyways.

The book ‘Consequences' is a collection of short stories, haikus and illustrations highlighting real-world cases of common information security themes, including social engineering, secure passwords and records management. The challenge, they said, was to bring these issues to a level that the average employee could understand and relate to.

The book contains short tales from notable writers and celebrities such as Ricky Gervais, Ben Goldacre and Roger McGough. The chapters vary in their depth and style in order to cater for different tastes and interests, and each finishes with an afterword on what its message was.

I asked Bonner and Logsdon how these writers came to be included in the book and involved with the project. Bonner said that all of the stories were written for the book apart from a podcast extract featuring Gervais and comedy partner Stephen Merchant, but ideas were left open to the writers to decide what they wanted to write about.

Logsdon said: “You can dip into it or take a piece like Goldacre's in 20 minutes, so the accessibility of it was crucial. You can read it at a time of your choosing too, we also have Kindle and other e-versions for other readers and audio podcasts that used various actors.”

Following the Think Privacy campaign of 2008/9, Consequences has proved to be a slow-burning success for Barclays. Bonner said: “We have a clear distinction between our awareness and our training, everyone does training but the mindset for training and awareness is very different, so we don't mandate that they read this but find that they want to read this.

“There are important messages that we need employees to read that are vital to the success of the bank, our belief is that employees want to do the right thing but if we spark their imagination they will find innovative and safe ways to solve the problem. Once they understand the consequences they make the right decision, [we] do not treat employees like kids but you have to capture their imagination and understand that the way information is concentrated has changed the way it works.”

Logsdon agreed, saying that he has a theory that a lot of this is not new, as files have gone missing in the past and people have forgotten to dial ‘nine' on a fax or sent the wrong document; what has changed, in his mind, is that it is easier to lose a lot more, more quickly.

“My frustration is we dress simple issues in sophisticated language; social engineering for most people means nothing. So we have tried to make the concepts simple, we made the language accessible and put them into a context that the user is not used to seeing. Everyone thinks the idea of the loss of data is a 21st century thing, we have taken it back to 1605. That helps the user understand it and we deliver it using multiple channels as one size doesn't fit all,” he said.

So far the company has seen over 500 podcasts downloaded by staff and most of the 5,000 print editions distributed, but Bonner admitted that this is not being used as a training or IT policy tool and instead is about the company trying to change people's behaviour.

He said: “If people understand it then in time we will see a change in incidents. That is the real measure and our core goal of this work. In a regulated industry, it is important to know that everyone knows what they should be doing but clearly we are responsible from taking knowing what they should be doing to actually doing it.

“One of the things we have always done is be willing to take risks, if the pictures we put up do not work then who cares? We are trying to work out things that haven't been done before and try things that work. We were not making a book for us; we were making it for our internal audience. It feels like you are reading a story and it resonates.”

Logsdon and Bonner admitted that before the year-long process began they knew nothing about making a book, and that the process ‘was a journey for all of us'.

Barclays has made an educational effort with remarkable consequences. I read the book in around three hours and, as an information security journalist, it is easy to see the themes emerge in the text, but what is interesting is how they would be understood by an individual not familiar with common information security terms.

The company is monitoring responses via surveys and admitted that it is challenging to know how many people are reading the book due to its pass-on readership, but a professional effort should produce professional results.

 

FTP comes of age, as consideration is given to how practicality is overriding security

April 15, 2011

Tomorrow marks the 40th anniversary of the file transfer protocol (FTP) and as attention has occasionally moved to secure file transfer, there is some concern about the continued use of the protocol.

FTP was written by Abhay Bhushan and published as RFC 114 on 16th April 1971; it was later revised in 1980 and 1985, while security extensions were proposed in RFC 2228 in June 1997.

My own personal dealings with FTP are very limited and have not been needed for some time. However, Frank Kenney, vice president of global strategy at Ipswitch File Transfer, said that despite this being its 40th anniversary, the protocol is still misunderstood.

He said: “The deployment of file transfer on FTP is still growing, yet users are still vague on how companies and service providers tie together and are still using this protocol.

“What is disheartening is that FTP is used with no considerations for security and management. People are quite unaware that FTP has no provision for governance and it was never meant to. Why it has lasted and works so well is because it appeals to the lowest common denominator when moving files.

“What do we do? How do we connect if we use FTP along with something else in the configuration, we make the decision not to. The build has not changed and nor does it have to, there is plenty of technology that gives a capability to better manage connections and that is why it does not have to change, but it has to be made in conjunction with the protocol.”

He went on to say that FTP served a strong purpose in the mid-to-late 1990s, as game files were downloaded from websites via FTP servers and there were vendors using FTP in combination with SSL/SSH to download fixes. The beauty of FTP is that it can be embedded in the page.
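The gap Kenney describes between plain FTP and its RFC 2228 security extensions can be checked from server command logs. The following audit is an added example, not code from the article or from any vendor quoted in it: it walks constructed sample logs in an assumed "C:"/"S:" (client/server) line format, with a hypothetical host name, and flags sessions in which USER and PASS were sent before a successful AUTH TLS upgrade, including the case where the server refuses AUTH and the client carries on in the clear.

```python
"""Audit FTP control-channel command logs for cleartext credential use.

Added example, not from the article. Plain RFC 959 FTP sends USER and PASS
in the clear; the RFC 2228 extensions add AUTH (commonly "AUTH TLS"), which
upgrades the control channel when the server answers 234, and PROT P, which
also protects the data channel. The logs below are constructed samples.
"""
import re
from typing import Dict, List

# Constructed sample logs (hypothetical host ftp.example.test).
SAMPLE_SESSIONS: Dict[str, List[str]] = {
    # Legacy session: credentials and file both travel unprotected.
    "legacy": [
        "S: 220 ftp.example.test FTP server ready",
        "C: USER alice",
        "S: 331 Password required for alice",
        "C: PASS hunter2",
        "S: 230 User alice logged in",
        "C: RETR payroll.csv",
        "S: 226 Transfer complete",
    ],
    # RFC 2228 session: AUTH TLS accepted, then PROT P before logging in.
    "upgraded": [
        "S: 220 ftp.example.test FTP server ready",
        "C: AUTH TLS",
        "S: 234 AUTH TLS successful",
        "C: PBSZ 0",
        "S: 200 PBSZ set to 0",
        "C: PROT P",
        "S: 200 Protection level set to P",
        "C: USER bob",
        "S: 331 Password required for bob",
        "C: PASS correct-horse",
        "S: 230 User bob logged in",
        "C: STOR report.pdf",
        "S: 226 Transfer complete",
    ],
    # Fallback session: server refuses AUTH and the client carries on in clear.
    "fallback": [
        "S: 220 ftp.example.test FTP server ready",
        "C: AUTH TLS",
        "S: 502 Command not implemented",
        "C: USER carol",
        "S: 331 Password required for carol",
        "C: PASS s3cret",
        "S: 230 User carol logged in",
    ],
}

AUTH_RE = re.compile(r"^C: AUTH (?:TLS|SSL)$", re.IGNORECASE)
CMD_RE = re.compile(r"^C: ([A-Za-z]{3,4})(?: (.*))?$")


def audit_session(lines: List[str]) -> Dict[str, object]:
    """Walk one session's log and report what was exposed on the wire."""
    finding: Dict[str, object] = {
        "tls": False,              # control channel upgraded via AUTH (reply 234)
        "tls_refused": False,      # AUTH was sent but the server rejected it
        "data_protected": False,   # PROT P issued after a successful upgrade
        "cleartext_user": None,    # username sent before any upgrade
        "cleartext_password": False,
        "files": [],               # files moved over an unprotected data channel
    }
    awaiting_auth_reply = False
    for raw in lines:
        line = raw.strip()
        if AUTH_RE.match(line):
            awaiting_auth_reply = True
            continue
        if awaiting_auth_reply and line.startswith("S: "):
            # The three-digit reply code decides whether the upgrade happened.
            if line[3:6] == "234":
                finding["tls"] = True
            else:
                finding["tls_refused"] = True
            awaiting_auth_reply = False
            continue
        match = CMD_RE.match(line)
        if not match:
            continue  # server replies and unparseable lines are skipped
        cmd, arg = match.group(1).upper(), (match.group(2) or "").strip()
        if cmd == "PROT" and arg.upper() == "P" and finding["tls"]:
            finding["data_protected"] = True
        elif cmd == "USER" and not finding["tls"]:
            finding["cleartext_user"] = arg
        elif cmd == "PASS" and not finding["tls"]:
            finding["cleartext_password"] = True
        elif cmd in ("RETR", "STOR") and not finding["data_protected"]:
            finding["files"].append(arg)
    return finding


def cleartext_credential_sessions(sessions: Dict[str, List[str]]) -> List[str]:
    """Names of sessions in which a password crossed the wire unencrypted."""
    return sorted(
        name for name, lines in sessions.items()
        if audit_session(lines)["cleartext_password"]
    )


if __name__ == "__main__":
    for name, session in SAMPLE_SESSIONS.items():
        print(name, audit_session(session))
    print("cleartext logins:", cleartext_credential_sessions(SAMPLE_SESSIONS))
```

The fallback case is the one worth watching for in real logs: a client configured to "try TLS" rather than "require TLS" silently degrades to the 1971 behaviour when the server does not support AUTH.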

Although not completely critical of it, Kenney said that there are still useful things about FTP, but he does not see adoption rates changing any time soon.

“What will change is what kind of technologies people will use in conjunction with FTP. The ease of use of the technologies could cause security nightmares and headaches as you are dealing with technology that is 40 years old or custom scripts that were created 25 years ago, so when it does come time to enhance communications,” he said.

Stuart Feargrieve, managing director of Axway UK, said that he still sees ‘security-savvy' people using FTP, and that its unreliability lies in part in not being able to track or see something until there is a problem.

He said: “There is a four per cent loss in FTP traffic and exploring this can turn into millions of pounds of loss for the provider. Somewhere in the chain the provider is on an FTP and with managed file transfer they can be certain it will get to the other end.”

Tony Pepper, CEO at Egress Software Technologies, agreed with these perspectives, saying that he sees FTP as nothing other than an internal business solution to sharing large files rather than a mechanism to easily allow external parties to access confidential information that is perhaps too large to send by email.

“Evidence of this is the proliferation of hosted file transfer services. However there are real security concerns surrounding many of these 'point' solutions which offer no consideration to information security and invariably help fuel the argument that cloud services cannot be trusted,” he said.

“Here at Egress we believe that sharing large files is one element of a broader collaborative data security strategy and as such buying disjoined solutions that only address elements of business process will not last either. Remember, over 70 per cent of our customers buy Egress Switch to cater for email encryption requirements as well as secure large file transfer and this popular trend is gaining increased momentum throughout public and private sector markets.”

For some, FTP is enough and that is why its use has persisted; however, it is hard to look past the security arguments and considerations and not wonder whether this is the time for stronger technology. Either way, happy coming of age, FTP.

 

Is the advanced persistent threat just another passing trend?

April 11, 2011

The RSA incident of last month has led to debate on the way that the company was hit by an ‘advanced persistent threat' (APT).

Last year Dwayne Melancon, vice president of log management at Tripwire, looked at how APTs work and impact the target. With APTs back in the headlines, it led me to question what exactly an APT is. David Jevans, chairman of IronKey and chairman of the Anti-Phishing Working Group, said that an APT is advanced because it uses several of the latest techniques and multiple channels and ways to get control.

He said: “There are very intelligent people on the other end who are stealthy and doing intelligence in a way that is not being detected and making their efforts look like regular traffic.”

Blogger Jacob Appelbaum said on his Twitter feed that ‘the joke about the APT paradigm is that it is rarely advanced. The threat is merely just persistent and the target is simply vulnerable'.

I asked David Harley, senior research fellow at ESET, what he thought an APT was and what was so advanced about it, other than that it is persistent. He said that he felt the term was ‘too fuzzy to tell anyone anything much' and that, in the case of RSA, it was too hard to understand anything about the threat from the RSA statement, or what RSA understands by an APT.

“My first thought was that it might be an incursion initially based on a successful targeted phishing attack. Would that count as an APT? I can't say without more detail,” he said.

Breaking down the definition, Harley said: “I don't think advanced really means advanced. Rather, it seems to mean ‘as sophisticated as it needs to be'. So it could be unremarkable social engineering or a known and mitigated/patched vulnerability, escalating to one or more advanced zero-days if needed.

“I don't think persistent means persistent either, at least in terms of a repeated single attack. I think it means pursuit of a long-term goal that might merit a highly adaptive attack strategy.

“The distinction in the commonly used APT definitions between a threat and an attack using automated code could be viable and even useful, but it's by no means universal. In fact, our labs use the term threat routinely to describe malware without necessarily making any implicit statement about the originator(s) of the code or their motivation, and I don't particularly see why we should.

“But then, I don't actually find the APT term particularly useful. Perhaps that's because of the market segment I currently work in, but I don't see what makes the common definitions (which seem to be remarkably close to the Wikipedia definition or vice versa) authoritative rather than buzzwords.”

A blog by SecuriTeam also criticised the APT term, as it said that ‘Advanced Persistent Threat' is pretty meaningless and actually hides what is going on.

“Yes, I know that it is embarrassing to have to admit that you have been tricked by social engineering (which is, itself, only a fancy word for ‘lying') and tricked badly enough that somebody actually got you to run a virus or Trojan on yourself. It's so last millennium. But it's the truth, and dressing it up in a stylish new term doesn't make it any less so,” it said.

Chris Eng, senior director of security research at Veracode, said: “The recently acknowledged existence of APTs encourages companies to feel less accountable for security breaches. What I mean by this is that companies will take cover under the APT umbrella to detract from the fact that they have not been following best security practices with respect to application security and other parts of their infrastructure.

“There's an expectation that the media thrashing will be more restrained if you claim to be a victim of APT, because the attack must have been so unbelievably sophisticated. From a PR standpoint this is preferable to admitting that one of your laptops was stolen or that an attacker broke in via a SQL injection vulnerability in a website that you neglected to test. The added bonus with APT is that you can withhold information and claim that it's too sensitive to disclose!

“APTs, or whatever you want to call them, do exist. There are nation-states building sophisticated information warfare capabilities and there is incentive to target prominent companies. Many attacks may go undiscovered. Those are the real APTs. Just because an attack uses social engineering or gains access to your intranet does not make it ‘advanced'. Let's not be so quick to call everything an APT.”

These perspectives suggest that there is in fact a lot of opposition to this term and to the generalisation created by those three words. While this is a concern to businesses, it could be argued that there is no more of a threat than with a malware attack. If RSA had been hit by a malicious threat, would it have experienced such an incident and caused such headlines, or does an APT just sound a bit cooler?

 

Protected Networks aims to change the way privileged access is managed

April 07, 2011

Following on from recent claims that access management needs to be separated from identity and that changes are needed to make business more productive, a new company entered the UK this week to shake up the access rights management space.

With a message that elevated privilege management can be easily achieved with the right tools, Protected Networks has come from Berlin with a strong footing in the German and Swiss markets following its founding in 2009.

CEO Stephan Brack said that the company was conceived in 2007, when, he said, the state of IT security interested him.

He said: “With access rights then, it set groups and then found more groups within that and sorting that out could take days. Our customers said that they wanted full transparency and documentation. Every company has unstructured data and it should be accessible to those who need it, we want to generate awareness of taking care of assets.”

Stephen Bennett, head of channel in the UK for Protected Networks, said that he had seen instances where there is no overview of the organisation, so there is a discrepancy over who has access to which folders and what privileges they have.

This research led Protected Networks to launch the tool ‘8 Man', in order to categorise and retrieve information on users. Brack said that such discovery tools should be interactive and simple and easy to understand. The name, Brack explained, is ‘the man who helps you', or the 12th man in football terms.

This is a platform for transparent enterprise-level privilege management and when assigning privileges, it takes into account existing workflows within the organisation. According to Protected Networks, the clear presentation of privileges is its USP, as this makes it easy for administrators to detect and fix configuration errors or to correct inappropriately assigned privileges.

Bennett said: “It will run a first scan of the directory and give you an overview of the situation and drill down on the data. You want to know which users are addressed and it allows you to regulate access rights management, to allow and take off users. It creates easy to read lists and makes an analysis of people and notes down who made changes, at what time and when. It can also set a date for when access rights can be terminated for a contractor.”
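As an added illustration of the problem Brack and Bennett describe, here is a small Python script (written for this article, not part of 8 Man or any Protected Networks code) that does the core of what such a scan has to do: walk nested group membership to work out which users can actually reach each folder, record which group grants them that access so a bad grant can be traced back, and flag contractor access that has outlived its end date. The directory data, folder ACLs and contract dates are constructed sample input, not from any real directory.

```python
from collections import deque
from datetime import date

# Constructed sample data standing in for a directory scan. The names, groups
# and folders are hypothetical and nothing here comes from the 8 Man product.
GROUP_MEMBERS = {
    "Finance": ["alice", "Finance-Leads"],
    "Finance-Leads": ["bob", "Contractors"],
    "Contractors": ["carol"],
    "IT": ["dave", "IT"],               # a group that contains itself: must not loop
}

FOLDER_ACLS = {
    r"\\files\finance": {"Finance": "modify", "IT": "full"},
    r"\\files\hr": {"erin": "modify"},  # a direct user grant, no group involved
}

# Contract end dates (assumed input from HR); access should lapse on that day.
GRANT_EXPIRY = {"carol": date(2011, 3, 31)}


def expand_group(group, groups):
    """Return every user reachable from `group` through nested membership.

    A breadth-first walk with a visited set, so cyclic or self-referential
    groups (IT -> IT above) terminate instead of recursing forever.
    """
    users, seen, queue = set(), set(), deque([group])
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        for member in groups.get(current, []):
            if member in groups:
                queue.append(member)   # nested group: keep walking
            else:
                users.add(member)      # leaf principal
    return users


def effective_access(folder_acls, groups):
    """Flatten group ACEs into per-user rights: folder -> {user: [(right, via)]}.

    Every path is kept, so a reviewer who finds an inappropriate grant can see
    which group entry to remove rather than just that access exists.
    """
    result = {}
    for folder, aces in folder_acls.items():
        per_user = {}
        for principal, right in aces.items():
            members = expand_group(principal, groups) if principal in groups else {principal}
            for user in sorted(members):
                per_user.setdefault(user, []).append((right, principal))
        result[folder] = per_user
    return result


def expired_grants(access, expiry, today):
    """Return sorted (user, folder, via) tuples for grants past their end date."""
    findings = []
    for folder, per_user in access.items():
        for user, paths in per_user.items():
            end = expiry.get(user)
            if end is not None and end < today:
                findings.extend((user, folder, via) for _right, via in paths)
    return sorted(findings)


if __name__ == "__main__":
    access = effective_access(FOLDER_ACLS, GROUP_MEMBERS)
    for folder, per_user in access.items():
        print(folder)
        for user, paths in sorted(per_user.items()):
            print("   ", user, paths)
    print("expired grants:", expired_grants(access, GRANT_EXPIRY, date(2011, 4, 7)))
```

The visited set in expand_group is the part that matters in practice: real directories contain circular nesting, and a naive recursive expansion of them never returns, which is one reason sorting out the groups by hand "could take days".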

Brack said that support is planned for SharePoint and Exchange in the future. Another issue for the company to address is in access control for those who are able to get into the network. “People come in through a firewall but once you are in you are in and no one is taking care of those people,” he said.

“It is not going to stop access if you want to be malicious but it creates awareness of the problem and drives accountability. Companies now have more roles than employees, this will create a template to define people and adapt it as a bottom-up scale for identity management.”

Brack finished by saying that the company is looking for channel partners and to set up its support office in the UK. While this sort of problem is not really common, it is easy to understand how it could be a challenge and such technology could be welcomed with open arms.

 

Email mailshot leads to security breach

April 01, 2011

Events such as April Fool's Day and Mother's day are no excuse for security lapses.

After sending out an email mailshot this week promoting its cupcake range that it describes as ‘cakes better than sex', coxcookiesandcake.com failed to hide its mailing list and displayed around 80 email addresses.

However, four hours later it sent out another email to its followers apologising for the gaffe ‘that occurred with our Outlook earlier in the day'.

It said: “The Mother's Day email should have been sent with your details ‘bcc'd' and not ‘to'. It was a manual mistake and we can assure you that all the data is perfectly secured.

“We have taken care of the situation and have removed the email addresses off the list from people that wished to be unsubscribed. Again we are very sorry and can assure you that we have taken this matter very seriously to make sure that it never happens again.”

To mistakenly put email addresses on show is not the worst form of data breach but as we have proved before, having a person's email address can be used for malicious activity and social engineering tactics. Sometimes it pays to double check before sending that email to make sure you have not clicked on the reply all button or done something that you may later regret.
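The mistake described above, and the check that prevents it, as an added Python example (not the bakery's own code): recipients of a mailshot belong in the SMTP envelope, not in a header every subscriber can read. The subscriber addresses are constructed, and smtplib is named only in a comment, so the script runs offline.

```python
from email.message import EmailMessage

# Constructed subscriber list; the addresses use reserved example domains,
# not real customers.
SUBSCRIBERS = ["ann@example.com", "ben@example.net", "cat@example.org"]


def build_mailshot(sender, subject, body, recipients, disclose=False):
    """Build one message for a whole list and return (message, envelope_recipients).

    disclose=False is the correct form: the recipients travel only in the SMTP
    envelope (the to_addrs passed to smtplib.SMTP.send_message), and the To
    header carries just the sender's own address, so no subscriber sees another.
    disclose=True reproduces the mistake described above: every address in To.
    No Bcc header is written in either case; writing one and then serialising
    the message yourself is a second way to leak the list.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg["To"] = ", ".join(recipients) if disclose else sender
    msg.set_content(body)
    return msg, list(recipients)


def leaked_addresses(msg, recipients):
    """Return every recipient address that appears in the message headers."""
    headers = "\n".join(f"{name}: {value}" for name, value in msg.items()).lower()
    return sorted(addr for addr in recipients if addr.lower() in headers)


def safe_to_send(msg, recipients):
    """Pre-send gate: True only if no subscriber address is visible in the headers."""
    return not leaked_addresses(msg, recipients)


if __name__ == "__main__":
    good, envelope = build_mailshot("shop@example.com", "Mother's Day", "Cakes!", SUBSCRIBERS)
    bad, _ = build_mailshot("shop@example.com", "Mother's Day", "Cakes!", SUBSCRIBERS, disclose=True)
    print("correct message leaks:", leaked_addresses(good, SUBSCRIBERS))
    print("mistaken message leaks:", leaked_addresses(bad, SUBSCRIBERS))
    # Real delivery would be: smtplib.SMTP(host).send_message(good, to_addrs=envelope)
```

smtplib.SMTP.send_message does not transmit a Bcc header if one is present, but a message serialised with as_bytes() and handed to another relay keeps it, which is why the example never writes one and checks the headers rather than trusting the sending path.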

 

Could convergence with smartcards mean less is more?

March 29, 2011

It was recently suggested to me that within the access space, there would be a capability for an employee to open a door with a smartcard that simultaneously boots a computer up ready for their arrival.

Now I don't know if this is a pipe dream or something that already exists, but it took a step towards reality last year when smartcard specialist HID Global acquired secure access solution provider ActivIdentity.

The company claimed that it is time for a convergence between a physical and logical card. Julian Lovelock, senior director of product marketing at ActivIdentity, said that he was seeing growing interest in a convergence to one card, as it makes sense on paper and it allows a combination of administration services into one place.

Why has this great idea not happened to date, then? He said: “There are still two different companies selling the technology so a unified solution was unlikely until now. This is the one thing that we have as a company and we have the potential to make it a reality.”

The acquisition in December 2010 allowed ActivIdentity to tap into HID Global's sales channel, as well as utilise its development capability, but in the first three months of the new ownership, Lovelock admitted that there had been no major changes but its set of trusted channels ‘were hungry for products'.

Following incidents such as the recent RSA SecurID breach, the case for software tokens has been brought to the fore. I asked Lovelock if he felt the smartcard technology could be adapted to a smartphone. He said that while this was a technology not currently in development, there was no reason why it could not work.

“At this point that is an evolution and the next step is with cards being widely accepted with tokens and convergence, in five years the phone will continue to evolve to that,” he said. With a secure grounding moving forward, I am sure this is not the last we have heard of this concept or technology.

 

Baffled by biometrics

March 16, 2011

Looking at two-factor authentication and identity and access management last week, it seemed that there is a much more modern method of login that is perhaps used even less.

The concept of biometrics is pretty straightforward from an end-user perspective: you scan or swipe and access is granted or denied as appropriate. From an administrator point of view, this makes life easier when it comes to controlling access, but could present some security problems.

In the past SC has considered whether there is a flaw in biometric authentication if the stored data were stolen, since a fingerprint, unlike a password, cannot be reissued; but could this advanced technology be a solution for technophobic employees?

This week I met with DigitalPersona, a provider of fingerprint biometric solutions. Its regional manager for EMEA, Ben Boulnois, claimed that there is a big gap in technology, as people struggle to programme a DVD player, let alone manage multiple passwords and logins.

Jim Fulton, vice president of marketing at DigitalPersona, said that strong authentication is generally used to achieve better security or compliance. He said that the company's aim is to bring strong security and authentication to the people who have not had that before.

“People have a right to claim services to which they are entitled and biometrics is the easiest way to exercise that right. It is often about saving and not security, but it has cut password reset calls from 800 to zero with one customer and enables a teller in a bank to help customers,” he said.

I asked if, like two-factor authentication, this technology is purely the realm of internal business rather than business-to-consumer. Fulton said that the use of the software on employee-facing applications was most common and it was not often consumer-facing.

With laptops now becoming common hosts for biometric authentication, I asked if mobile devices could be the next to be utilised for this. Fulton said that Motorola has the mass market in this area and he knows of other companies that are working on voice biometrics.

“I also expect to see face recognition come about. Apple's FaceTime has set the bar and it makes sense for them to extend it to biometric authentication. I have had some vendors talking about biometrics in remote controls and toys, there are many angles that are starting to come into play and security is one, but efficiency is another,” he said.

“Technology needs to adapt to people, not the other way around and biometrics is an extension of that. Passwords are an unnatural act.

“It is all about trying to help businesses know who you say you are and we are seeing early systems that offer an alternative to passwords. In time there will be a different variety of technologies, but it is about how strong you want the system to be and how much you want to impose on the user.”

It was suggested to me recently that authentication methods will allow a door to be opened and a desktop to be started up in the same action, but this would be a concern if that smartcard were to end up in the wrong hands. Such a theory may become reality, as the beginnings of Mission Impossible-style technology may not be far off.

 

Olympics tickets go on sale with renewed warnings about cyber crime

March 15, 2011

Today sees the tickets for the 2012 Olympics go on sale and as usual there are warnings on the likelihood of fraudulent websites appearing.

Even though the tickets are only on sale via a single website, ticket buyers are warned to be extra vigilant when making their purchase to avoid leaving themselves vulnerable to fraud and online ID theft.

VeriSign Authentication (now part of Symantec) advised sports fans to be prudent and thoroughly vet websites before making a purchase, particularly when searching for tickets that appear to be sold out elsewhere.

Danilo Labovic, director at VeriSign Authentication EMEA, said: “Fake sites may look like the real deal, however the tickets they advertise will never be received by would-be buyers. While these sites may look authentic, consumers should look out for obvious give-aways and be sure they are on the official page.

“Poor spelling or lack of business details such as a valid UK address and phone number should be a warning sign. To stay safe online, consumers should always look out for the green address bar in their web browser. It indicates that the website you are looking at has been authenticated and is who it claims to be.”

Greg Day, director of security strategy EMEA at McAfee, said: “It is no secret that cyber criminals view high profile social events and sporting occasions as prime opportunities to target users with spam that re-directs them to malicious sites.

“Cyber criminals often use sophisticated tactics to effectively launch short notice attacks on an often unsuspecting public, but due to the heightened level of awareness around the Olympics ticket release date, consumers have the best chance of pre-empting these scams by informing themselves of the dangers of sourcing tickets through unofficial channels.

“The London 2012 ticketing team also have a responsibility to ensure that the official ticket checker, that has been designed to weed out illegitimate sites, features prominently in search results across a number of key search terms.”

There is one very reassuring thing about the Olympics ticket portal. When setting a password, the minimum complexity requirements not only ensure that it consists of six to 16 characters with at least one number, they also insist that london2012, Olympics and the user's first name, last name or full name are not permitted.
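As an added example, not the portal's own code, here is that policy written out as a Python check. The article does not say whether the portal matches the banned words and names as substrings or only against the whole password, so the script takes the stricter reading and labels that as an assumption.

```python
import re

# Site-specific words the portal refuses, as listed above.
BANNED_TERMS = ("london2012", "Olympics")


def password_problems(password, first_name="", last_name=""):
    """Return the list of rule violations; an empty list means the password passes.

    Rules follow the portal policy described above: 6 to 16 characters, at
    least one number, and none of the banned terms or the user's own names.
    Assumption: the portal's exact matching rule is not published, so this
    version rejects case-insensitive substrings, the stricter reading.
    """
    problems = []
    if not 6 <= len(password) <= 16:
        problems.append("length must be 6-16 characters")
    if not re.search(r"\d", password):
        problems.append("must contain at least one number")

    # Context-specific terms: banned words plus every form of the user's name.
    contextual = list(BANNED_TERMS)
    for name in (first_name, last_name,
                 f"{first_name} {last_name}".strip(), f"{first_name}{last_name}"):
        if name and name not in contextual:
            contextual.append(name)

    lowered = password.lower()
    for term in contextual:
        if term.lower() in lowered:
            problems.append(f"must not contain '{term}'")
    return problems


if __name__ == "__main__":
    for candidate in ("Torch2012", "london2012x", "short", "Raywood99", "danraywood1"):
        print(candidate, "->", password_problems(candidate, "Dan", "Raywood") or "ok")
```

The name checks are the part most registration forms get wrong: they compare against the full name only, so "danraywood1" passes while being built entirely from information the attacker can read off the account page.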

For London 2012 Olympic tickets, use the official website at www.tickets.london2012.com.

 

Microsoft launches fresh campaign to get users to upgrade from Internet Explorer 6

March 07, 2011

The end of last week saw a new campaign from Microsoft to get users to stop using the troublesome Internet Explorer 6 browser.

The ‘campaign' was begun by Microsoft with a tweet asking supporters to ‘get rid of IE6' and a website claiming that ten years on from its launch ‘it's time to say goodbye'. Microsoft also said that its website ‘is dedicated to watching Internet Explorer 6 usage drop to less than one per cent worldwide, so more websites can choose to drop support for Internet Explorer 6, saving hours of work for web developers'.

For a time it was the top trending topic on Twitter, while the campaign website shows how many countries are still using IE6 and the share of the browser usage globally. China (34.5 per cent) and South Korea (24.7 per cent) are the largest users of the browser while the lowest are Scandinavian countries Norway and Finland (both 0.7 per cent). The UK has a reasonably low user percentage at 3.5 per cent while the United States is even lower at 2.9 per cent.

All interesting statistics I am sure you will agree, but does this effort really address the problem? The negative headlines for IE6 really began around the start of last year, when a vulnerability exploited in IE6 was identified as a factor in the Aurora attacks on Google, leading to a trickle of stories regarding slow migration away from IE6.

However, do statistics really change people's perceptions? The campaign is bound to be well supported by the security industry, which would love nothing more than to have users on up-to-date versions of browsers, as not only would this make users more secure, it would also ensure that their software can be run on modern platforms.

Writing on the Security Garden blog, Corrine said: “I understand that not everyone has the latest and greatest computer. These are hard times and we all need to watch our budget. However, there have been numerous advances in IE since version 6 was introduced ten years ago. Forget the pretty-pretty new features. Most significant, from my point of view, are the enhanced security features in the newer versions of Internet Explorer.

“Granted, IE9 is not compatible with Windows XP. However, you can still upgrade to IE8. IE8 has significant built-in security features, including SmartScreen, cross-site scripting filter, click-jacking prevention, data execution prevention, InPrivate browsing and InPrivate filtering.”

As for me, I have always believed that the lack of migration away from the much-used XP operating system in a business environment is down to cost and practicality. It is hard to generalise about IT departments because there are so many differing factors between them, but I would suspect many financial institutions and public sector organisations are using up-to-date technology, whereas a quick look at the workstations in my local supermarket tells me that they are still on XP and, I am willing to bet, still on IE6.
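Finding out, rather than betting, is straightforward if you run the web servers those workstations talk to. The following Python script, an added example that is not part of Microsoft's campaign site, counts distinct client hosts per Internet Explorer version from web server logs in combined format. The log lines are constructed, but the user-agent shapes are the real ones, including the trap that IE8 and IE9 in Compatibility View report themselves as MSIE 7.0 and can only be told apart by their Trident token.

```python
import re

# Constructed access-log lines in Apache combined format. The user-agent
# strings are the shapes the browsers really send; hosts, paths and times
# are invented.
SAMPLE_LOG = """\
10.0.0.11 - - [07/Mar/2011:09:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.12 - - [07/Mar/2011:09:12:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
10.0.0.13 - - [07/Mar/2011:09:12:09 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
10.0.0.14 - - [07/Mar/2011:09:12:13 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.3 Safari/534.24"
10.0.0.11 - - [07/Mar/2011:09:13:01 +0000] "GET /news HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# The Trident (layout engine) version is the reliable signal for IE8 and IE9.
TRIDENT_TO_IE = {"4.0": "IE8", "5.0": "IE9"}


def classify_ie(user_agent):
    """Return 'IE<major>' for an Internet Explorer user agent, else None.

    IE8 and IE9 in Compatibility View advertise 'MSIE 7.0' but still send a
    Trident/ token, so the Trident version is trusted over the MSIE number.
    A bare 'MSIE 6.0' with no Trident token is a genuine IE6.
    """
    msie = re.search(r"MSIE (\d+)\.\d", user_agent)
    if not msie:
        return None
    trident = re.search(r"Trident/(\d+\.\d)", user_agent)
    if trident and trident.group(1) in TRIDENT_TO_IE:
        return TRIDENT_TO_IE[trident.group(1)]
    return "IE" + msie.group(1)


def browser_share(log_text):
    """Count distinct client hosts per browser and return (counts, ie6_percent).

    Counting hosts rather than hits stops one busy IE6 machine from inflating
    the share the way a raw request count would.
    """
    hosts_by_browser = {}
    all_hosts = set()
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue                              # skip malformed lines
        host, ua = match.group("host"), match.group("ua")
        all_hosts.add(host)
        label = classify_ie(ua) or "other"
        hosts_by_browser.setdefault(label, set()).add(host)
    counts = {label: len(hosts) for label, hosts in hosts_by_browser.items()}
    ie6_percent = 100.0 * counts.get("IE6", 0) / len(all_hosts) if all_hosts else 0.0
    return counts, round(ie6_percent, 1)


if __name__ == "__main__":
    counts, pct = browser_share(SAMPLE_LOG)
    print(counts, f"IE6 share of hosts: {pct}%")
```

Run against a day of real logs, the IE6 count is the list of machines an IT department has to visit; the other numbers show whether anyone has already made it past IE7.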

As for personal users, it is more a lack of appreciation of the need to upgrade. Also, I am sorry to say it, but fear, uncertainty and doubt (FUD) does sell, and perhaps more than a social media and website campaign is needed to ‘scare' people into upgrading. The public information films of the 1970s were made either to inform or to scare in an educational capacity, so perhaps something more hard-hitting may be more effective?

For the moment I really hope this campaign works for Microsoft and it sees its IE8 and IE9 take-up soar.

 

If the Facebook CTO trusts the cloud, should everyone else?

February 22, 2011

While I was attending the recent RSA Conference in San Francisco, I was accosted in the street by the marketing team from Trend Micro.

There was nothing physical, you should understand, but they asked me about ‘the cloud' and whether it was secure, in ten words or less. A tricky one for any security expert, let alone this journalist!

However this endless debate did lead me back to one recent interview that I read on the BBC business page earlier this month. In this case it was with Facebook CTO Bret Taylor, also co-founder and former chief executive of FriendFeed, which was acquired by Facebook in August 2009.

Among his comments was a very interesting statement on FriendFeed. He said that at its start it had to choose whether to purchase its own servers or use one of the many cloud hosting providers.

He said: “At the time we chose to purchase our own servers. I think that was a big mistake in retrospect. The reason for that is despite the fact it cost much less in terms of dollars spent to purchase our own, it meant we had to maintain them ourselves and there were times where I would have to wake up in the middle of the night and drive down to a data centre to fix a problem.

“What I realised was that you can't measure the quality of your life in dollars alone. I think that most of the people that worked at FriendFeed would agree that if that part of the company were just taken care of, it would have been worth all of the extra money we would have spent on it.”

So, if the CTO of the world's largest social network with the data of 600 million people on his database trusts the cloud, should we? Well, perhaps.

After all he did say that this would have been a better solution for his start-up FriendFeed. While Facebook is a cloud-based operation now, I wonder what Taylor or Zuckerberg would have chosen in hindsight – eternal patch management or outsourcing?

He concluded: “Very few of the start-ups I know in Silicon Valley actually purchase their own servers now, they're using these cloud hosting providers and I wish we had as well.” In other words, everyone else is using the cloud, so why don't you?

 

My first encounter with Zeus

February 21, 2011

A lot of headlines have been written about Zeus since it was first identified in July 2007 but until now I have not had much insight into how it operates or looks.

While over in the US for the RSA Conference, I travelled to Sunnyvale, California to meet with IronKey and its employee 'Ryan' (he asked me not to reveal the rest of his identity) who gave me a demonstration on how the 'king of the bots' actually works.

He told me that the version he had downloaded, version 1.3.11, set up in under an hour. As it works, Zeus captures details and allows the user to add scripts to capture more information, such as a social security number, or select credentials from a banking page. Ryan called it a ‘man-in-the-browser attack that encrypts its own data' and said that once a computer is pwned, the malware can reboot.

He said: “Zeus is a format for running commands on HTTP and HTTPS, it will look at port 666 but not 80 or 443. It is not good enough to have a username or password and it needs to have more and needs a social security number or your mother's maiden name and it will track you for a long time and drain your account.

“This is a long time growth plan rather than a small score. The targets do not know that they are part of a criminal enterprise, as it wants to be stealthy. It is a very easy attack that fools the user and with more time, they can get it just right so that it has more Java so more data can be put in.”

Ryan showed me that if a Java window is open an alert can be made to the ‘owner' when a target is online and even if they use a one-time password it can be captured by the cyber criminal. “Then in real-time they can login when you do payroll, for example, and login using the same one-time code. It is good protection unless you are being cyber stalked,” he said.
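Two server-side checks that the demonstration above suggests, as an added Python example (not IronKey's code and not based on Zeus's own source): reject a login POST that carries form fields the site never rendered, which is exactly what an injected social security number or mother's-maiden-name box produces, and refuse a one-time code the second time it is presented, so that the attacker's real-time replay fails and is logged. The form field names, addresses and codes are constructed.

```python
# Fields the genuine login form renders (constructed example, not any real
# bank's form). Anything else in the POST was added in the victim's browser.
EXPECTED_FIELDS = frozenset({"username", "password", "otp"})


def injected_fields(submitted_fields, expected=EXPECTED_FIELDS):
    """Return field names in the POST that the server never rendered.

    A man-in-the-browser inject adds inputs (social security number, mother's
    maiden name) to the page the victim sees; the victim then submits them to
    the genuine site, so unexpected field names are a strong tamper signal.
    """
    return sorted(set(submitted_fields) - set(expected))


class OtpGuard:
    """Accept each (user, code) pair once within its validity window.

    The replay described above works because the site accepts the same
    one-time code twice in quick succession: once from the victim, once from
    the attacker's session. The guard cannot tell which login is genuine, but
    it guarantees the second use fails and is reported, which turns a silent
    account takeover into an alert.
    """

    def __init__(self, validity_seconds=300):
        # validity_seconds must be at least as long as the code itself stays
        # valid, otherwise a captured code could be replayed once forgotten.
        self.validity = validity_seconds
        self.used = {}  # (user, code) -> (session_ip, accepted_at)

    def accept(self, user, code, session_ip, now):
        """Return (ok, reason). `now` is a timestamp in seconds."""
        # Forget codes whose validity has expired; they cannot be accepted anyway.
        self.used = {k: v for k, v in self.used.items() if now - v[1] < self.validity}
        key = (user, code)
        if key in self.used:
            first_ip = self.used[key][0]
            if first_ip != session_ip:
                return False, f"otp already used from {first_ip}"
            return False, "otp already used"
        self.used[key] = (session_ip, now)
        return True, "ok"


def check_login(post_fields, session_ip, guard, now):
    """Run both checks and return a list of findings; empty means the login passes."""
    findings = []
    extra = injected_fields(post_fields)
    if extra:
        findings.append(f"unexpected fields (possible browser inject): {extra}")
    ok, reason = guard.accept(post_fields.get("username"), post_fields.get("otp"), session_ip, now)
    if not ok:
        findings.append(reason)
    return findings


if __name__ == "__main__":
    guard = OtpGuard()
    victim = {"username": "dan", "password": "x", "otp": "482913", "ssn": "000-00-0000", "mmn": "Smith"}
    print(check_login(victim, "203.0.113.5", guard, now=1000))
    attacker = {"username": "dan", "password": "x", "otp": "482913"}
    print(check_login(attacker, "198.51.100.9", guard, now=1012))
```

Neither check stops the malware; what they do is make the bank, rather than the victim, the first to notice, which is the opposite of the stealth Ryan says Zeus is built for.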

In regard to the weaknesses, Ryan said that the screen scraping and keylogging in Zeus are pretty weak, but it has the ability to download software that will bypass security software.

I also asked him how he came about it and how easy it was to locate and download. Ryan said that to buy it is pretty difficult, but he searched for two to three hours trying to find it and downloaded it offline.

“It is an example of the new age and with the skills, you need people with the right skill set, it is easy to do a lot of damage. It is no work for an unemployed guy to spend time setting it up. It took me one hour to set up and I can see people spending time on it and working on it,” he said.

Of all of the headlines I have written about Zeus and the threat it poses and its capabilities, it was unremarkable in its appearance on a screen and there was nothing to give me a sensation that I was viewing one of the greatest malicious threats in action.

It was not really ‘in action', as no banking customers were harmed in the demonstration, but using another sandboxed computer it was demonstrated how simply it can change an infected user's website with little effort.

 

Meeting Spamina and talking filtering for the future

February 03, 2011

Last week I met with Spamina, a Spanish email security company that had just marked its first month in the British market.

Spamina is not the first company to have set up shop in the UK after establishing itself in Spain. It admitted to having a good relationship with Panda Security, and comes with an established product offering that is new to the UK market.

I met international sales manager James Tyer and UK country manager Dan Power, who explained that the company had been established for five years and had focused mainly on spam. However, Tyer said that it was looking beyond anti-spam, with a firewall already offered and archiving and data loss prevention (DLP) solutions to follow later this year.

Tyer said that the product was developed seven years ago by an ISP for its customers, which was then redeveloped by Spamina and aligned into its own product range. The company then established offices in Latin America, with additional offices in Mexico, Brazil and Argentina.

Power said: “We have been looking at 2011 and building a roadmap and fleshed it out and it includes email security, archiving, encryption and DLP. These are the four fundamental pillars of email security and that is our roadmap. We are talking to people who are uncertain on how they will develop in the next two years. It is our job to determine what happens.”

He went on to claim that spam goes through 600 different filters with its offering. With spam amounting to 93.8 per cent of total email (135 billion messages per day according to Cisco's security report), Tyer said that security managers are spending too much time dealing with spam and Spamina's full and private cloud solutions were its way around the problem.

Power said: “These are appliance-based not cloud-based, you can use it in the private cloud and use a personal node and can use resources as they are needed. We sell on a concept and what has to be tested on your own infrastructure is more difficult to do. With a cloud-based solution, there is no impact on the infrastructure, it is easy to move into and simple to implement. You cannot mess with email.

“We keep the window of email there, filtering but continuing to keep it on and switching so the engine goes through a booster to send and retrieve email. If an exchange server goes down you can use us as a moving window for up to eight days, we believe that is a long time and the right amount of time.”

The company is currently at the initial stage of recruiting resellers. Power said that a cloud solution is easier to sell, as the reseller wants to find things to sell without the cost of implementation.

Asked if they felt that the UK was falling behind other nations when it came to cloud adoption, Power said that he felt that the UK is accepting the cloud, as people accept that it is not a bad solution, that service is better managed in the cloud and it is easier to have an infrastructure and deliver a level of robustness.

“It is too early in our first month but customers say it is an issue, but what is interesting is it is as much about email archiving when it is seen as high end security," said Power. “Now the cost of storage in the cloud has gone down it is a realistic option as a backup. I am very excited in what we are doing in the space.”

Tyer confirmed that the archiving solution will be launched in this quarter, with its development currently in the final beta stage. He also said that encryption technology would follow in this quarter, while a DLP solution would arrive sometime in the first half of 2011.

With companies such as Cloudmark, CronLab and Websense among many offering email filtering solutions, some may say that it is too crowded a market for another name, but at the same time any level of variety can be healthy. Clichés aside, I am sure that this offering will be welcomed for its directness and capability as much as any other.

 

Security B-Sides event set for UK debut

January 27, 2011

Just when I thought the presence of the Infosecurity Europe show was keeping its distance, it turns out that this will not be the only thing keeping security folk busy in April.

Already heavily discussed on Twitter, the ‘middle day' of Infosec, the 20th April, will also be home to a new event called ‘Security B-Sides'.

Held at the Skills Matter eXchange in London, the event is billed as presenting delegates with a stripped-down view of the information security industry, with a forum to tackle current issues and set the agenda for the industry.

Following events held in the USA in Atlanta and Las Vegas (held alongside the Def Con event), where there were more than 33 different talks and 41 presenters, Security B-Sides London reportedly sold out its 200 tickets within eight days.

Matt Summers, founder of Security B-Sides London and consultant at Symantec, said: “Security B-Sides is a movement by the information security community. It is not your typical conference, as the events expand the spectrum of infosecurity discussions by encouraging participants to give voice, creation and refinement to the ‘next big thing'.”

Mike Dahn, co-founder of Security B-Sides, said that Security B-Sides is about collaboration, not merely exposition, and will provide an opportunity for attendees and speakers to directly connect and create trusted relationships with key members of the security community.

So in case you found yourself at a loose end it seems that there is plenty more to keep you occupied during the Infosecurity Europe event. More information is available here - http://www.securitybsides.org/.

 

Q&A between a security evangelist and a hacker

January 26, 2011

Earlier this week HP security evangelist Rafal Los published a question and answer article with a hacker named ‘srblche srblchez'.

Los, who calls himself ‘Wh1t3Rabbit', said that the effort was ‘to try and see if I could get a peek into the mind of the hacker who was selling pwn3d sites'.

Los said: “I don't think you can adequately protect yourself unless you understand your enemy, so with that in mind I fashioned some questions which the hacker would likely answer. I hope we are able to learn something here.”

The Q&A is as follows:

  • Are you really making any money on this hack, now that it's public? - Yes up to thousands of dollars. Depends on value of targets
  • Aren't you afraid of being caught, arrested and prosecuted? -  I didn't force the law. (Law does not protect fools).
  • Why target government-related websites? - Customers [are] dying to know edu/gov/mil's database information such as military actions/papers/documents. Evidence of staff such as real names, phones, contact email, address, etc. for their special operations. Such as spamming or private operations. CPA leaders.
  • How long did it take you to gather this list of targets? - Couple of minutes. Thanks Google to make hack easier.
  • Did you write all your own scripts, exploits or code? - Yes. Mostly perl/python.
  • How long did it take to actually pop those sites? - Couple of seconds.
  • Do you have a favourite exploit (XSS, SQLi, RFI, etc?) - Remote exploits mostly and SSH brute forcing.
  • Do you think any particular framework, or dev language (PHP, etc) is any more vulnerable than others? - PHP, ASP, CFM are the most stupid code frameworks and the most vulnerable.
  • Do you think the administrators of these sites would ever notice these sites were hacked if this didn't become public? - Well honestly [I] am not a defacer (the ones who change the whole database, remove the target files and make a big notice even the stupid system administrators will notice). No, I just finish my goals, which are to gather the information, which is the most valuable in my case. Then I remove my logs and I disappear like a ghost.
  • Why are the prices so low? - Well in marketing as much low prices and much more customers depend on your product quality. So [I] am providing a good quality with a good price and that brings more customers.
  • Do you have any ethical problems with exploiting and then profiting from poor security on these sites? - No at all. Each vulnerable site I face I directly email the web admin. If I see no reply I publish it.
  • Do you think the website/application security is getting any better over the last five years? Three years? - [I have been] into security since 1996. Simply I see no changes and it has become worse than ever.
  • Are you part of an organised group? Or do you work alone? - I used to be a member of m00p crew but all my friends have been arrested, or most of them. I used to be a member of milw0rm organisation, but no more since str0ke's quit.
  • Can you give any advice for people who build websites? How to protect themselves from people like you? - There's a bunch of useful website vulnerability scanners, it is good if you give your site a couple of seconds for checking for vulnerabilities.

In conclusion, Los said: “Clearly our hacker isn't afraid of being caught and has no moral issues. An independent attacker who writes their own scripts and hacks in ‘a couple of seconds' is your worst nightmare as a security professional mostly because the velocity of attack is so great and the likelihood of being caught in a detection system like an IPS is so low.

“What I do find interesting is the method of penetration which the attacker explains as ‘remote exploits and SSH brute forcing', so a combination of attacks like SQL injection at the application layer and an SSH brute force at the system-level to achieve a complete compromise.

“System admins thought they had things figured out and the hackers were moving exclusively to the web layer, apparently that is not as true as we would like to think.  Passwords are still your weakness (SSH brute forcing) and we all know that web applications are written just as poorly today as ever, so we've got serious issues out there.  What's perhaps most telling of all is that the hacker sees virtually no changes (maybe even things getting worse) since his/her entry into security in 1996.  I suppose an ‘I told you so' is inappropriate at this point, but the industry is still not getting it.”

In terms of remediation and lessons to be learned, Los recommended taking a few seconds to test your applications and to consider incident response (responding to being told your site has a vulnerability), as this is consistently missing from most organisations' software security assurance programs.
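Los's point that ‘passwords are still your weakness (SSH brute forcing)' suggests the detection most sites are missing. The Python below is an added example, not from Los's article or the hacker's tooling: it reads sshd auth-log lines, raises a finding when one address fails the threshold number of times inside a sliding window, and raises a second, more important finding if that same address is later accepted. The log lines are constructed using documentation IP addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in the Linux auth.log style. The source addresses
# come from documentation ranges, not real attackers.
SAMPLE_AUTH_LOG = """\
Jan 26 02:14:01 web1 sshd[4021]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 26 02:14:02 web1 sshd[4021]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 26 02:14:03 web1 sshd[4023]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jan 26 02:14:04 web1 sshd[4025]: Failed password for invalid user oracle from 203.0.113.7 port 51041 ssh2
Jan 26 02:14:05 web1 sshd[4027]: Failed password for root from 203.0.113.7 port 51055 ssh2
Jan 26 02:14:09 web1 sshd[4030]: Accepted password for root from 203.0.113.7 port 51060 ssh2
Jan 26 02:20:00 web1 sshd[4102]: Failed password for dan from 198.51.100.4 port 40100 ssh2
Jan 26 02:31:12 web1 sshd[4140]: Accepted publickey for dan from 198.51.100.4 port 40122 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(text, year=2011):
    """syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return findings as (ip, kind, detail) tuples, in log order.

    'bruteforce': at least `threshold` failures from one IP inside the sliding
    window (raised once per IP).
    'success_after_failures': an Accepted login from an IP already flagged,
    which is the event that matters: a guess worked.
    """
    recent = defaultdict(deque)      # ip -> timestamps of failures in window
    users_tried = defaultdict(set)   # ip -> account names attempted
    flagged = set()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user = parse_ts(m.group("ts")), m.group("ip"), m.group("user")
        if m.group("result") == "Failed":
            q = recent[ip]
            q.append(ts)
            users_tried[ip].add(user)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()            # drop failures that fell out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append((ip, "bruteforce",
                                 f"{len(q)} failures in {window_seconds}s, users {sorted(users_tried[ip])}"))
        elif ip in flagged:
            findings.append((ip, "success_after_failures",
                             f"{m.group('method')} login as {user} at {ts.time()}"))
    return findings


if __name__ == "__main__":
    for ip, kind, detail in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(f"{ip:15} {kind:24} {detail}")
```

On the prevention side, PasswordAuthentication no and a low MaxAuthTries in sshd_config remove most of what this detector watches for; it is still worth running, because the hosts that matter are the ones where somebody quietly left password logins switched on.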

 

Could the Ryan Babel fine for his Twitter dissent be a landmark legal case?

January 20, 2011

As far as footballers go when it comes to free speech, it is fair to say that there have been some ‘incidents'.

The introduction of Facebook and Twitter has allowed sportsmen to speak their mind in a way that the professionals of yesteryear would not have been able to do.

Take Darren Bent, for instance: this week he signed for Aston Villa for around £20 million without the drama of his move from Spurs to Sunderland in August 2009, when he ranted at Tottenham chairman Daniel Levy, telling him to ‘stop f****** around'.

In recent weeks a new incident has led to considerations about a possible landmark legal case involving a player and his use of social media. Following Manchester United's 1-0 win over Liverpool, the Anfield striker Ryan Babel questioned some of referee Howard Webb's decisions and re-tweeted a posted picture of the referee in a Manchester United kit.

A bad idea? Well yes, Babel immediately deleted his post and apologised but has since been fined £10,000 by the Football Association (FA) and is now looking at a transfer abroad.

So is this a case of someone being fined for an outburst on a website that is neither club nor FA affiliated, and could it lead to further instances of a similar nature? This week I spoke to Information Security Forum (ISF) principal research analyst Adrian Davis and asked him if he felt this is a landmark case.

He said: “Well it sets a precedent but interestingly enough he is a member of a profession and if you play under FA rules, you are not allowed to bring the game into disrepute. Admittedly it is not very well exercised, but he did bring the game into disrepute so the FA is well within its right to exercise its code of conduct.

“I am sure if an employee did it or an accountant did it there would be similar punishment, but being a footballer they are higher profile. The other point is do professional bodies have a role to play in this? Like the institute of accountants, does that mean that they need to be more social media aware?”

I asked Steve Durbin, vice president of sales and marketing at the ISF, what the case was, considering Babel was not on ‘working time' when he posted the messages. He said that the line between work and social lives is blurring, and that this brings added responsibility.

He said: “With Twitter you are always on, most employers do have clauses in their contracts that state that you cannot do anything even outside of work that would bring the business into disrepute in any way, so you are still an ambassador and that is the tactic that has been taken now.

“A few years ago he would have probably got away with it as he would have had a joke in the pub with his mates but now it goes global and it has cost him £10,000.”

Davis commented that it is a legal precedent and as most English law is based on precedent, it has to be considered an important case.

So for the prolific football tweeters and for those of us who use platforms for communication that others can view, maybe there should always be time to stop and think before posting.

 

SC talks on Al Jazeera about WikiLeaks-related DDoS attacks

December 20, 2010

SC Magazine was invited to be part of the national media coverage regarding Julian Assange's release on bail and the ongoing headlines about WikiLeaks last week.

Speaking to Al Jazeera's Listening Post, a weekly insight into major stories from the week, SC Magazine's online news editor Dan Raywood talked about distributed denial-of-service (DDoS) attacks against websites that had taken a stance against WikiLeaks. In particular, Dan talked about how the DDoS attacks were conducted and what effect they had. The video can be viewed here.

 

How savvy are consumers when it comes to anti-virus?

December 09, 2010

While recently researching for an article on the future of security software, I caught up with David Harley, senior research fellow at ESET and a director of the Anti-Malware Testing Standards Organization (AMTSO), to collect his views.

He made some interesting points that I thought were worth highlighting on the selection of anti-virus products by consumers.

Harley said that a non-technical issue has been highlighted this year by the upturn in free anti-virus applications. On the choice of solution, he said the picture is looking more positive, as more people (including those who would not normally buy anti-virus) are now protected by a commercial-grade anti-virus product, whether it is free or paid for.

He said: “I am coming round to the idea that security companies are going to have to do a better job of explaining their business models in order to make clearer the difference between the rogue approach to marketing and provision and the legitimate approach.

“That means a lot more than mimicking rogue anti-virus ‘FUD (fear, uncertainty and doubt) marketing', it is an educational initiative and it involves educating the business user, the end-user and the people who market and sell products. Every time someone tries to sell a product using quasi-rogue approaches, they trade a short-term possible economic advantage for a long-term drop in the industry's credibility. That's bad for the industry, of course, but it's also bad for the consumer.

“It exposes him to further confusion between rogue and legitimate, and he will tend to go for what sounds like the better (something for nothing) deal. How this gets done is another question.”

The concept of promoting a product is key in challenging economic times. Harley agreed, claiming that even open-source applications will have to tread this route eventually (or at least charge for documentation and support).

He also claimed that the consumer and business markets have never been as far apart as we tend to assume, especially with the proliferation of mobile devices these days causing headaches for IT staff.

“That exposes their employer to risk if they behave incautiously or inappropriately, and exposes them to risk if their employer isn't as well protected as they assume. The trouble is that now the same messaging channels and social media that expose home users to risk are also being used in corporate contexts now, where for a while many enterprises were trying to block obvious problem services,” he said.

 

A condensed history of the botnet

November 29, 2010

Over recent weeks I have been following Trend Micro's senior security advisor Rik Ferguson on his investigation and story about the evolution of the robot network (botnet).

Now I could re-tell the story in my own words or cut and paste Rik's words onto this page, but I know I would prefer to read a summary, so instead I will give you one, with the opportunity to read the complete detail via the links below.

Part 1 details the beginnings of the botnet from the Melissa and ILOVEYOU worms, with the Sub7 Trojan and Pretty Park worm that both introduced the concept of the victim machine connecting to an Internet Relay Chat (IRC) channel to listen for malicious commands. Later the mIRC client influenced the GT bot, which could initially run custom scripts in response to IRC events and had access to raw TCP and UDP sockets, making it perfect for rudimentary denial-of-service attacks, a major duty of the modern botnet.

In Part 2, we are moved to 2003 when the criminal interest in the possibilities afforded by botnets began to become apparent with the development of the first spamming bots Bagle, Bobax and the malware dropper Mytob. Ferguson said that this enabled criminals to build large botnets and distribute their spamming activities across all of their victim PCs, giving them agility, flexibility and helping them to avoid the legal enforcement activity that was starting to be aggressively pursued.

In the period leading up until 2007, there was the development of the likes of Zeus, Rustock, Storm and Cutwail, which still rank among the most prevalent botnets, with the creator of Zeus regularly updating, beta testing and releasing new versions of the toolkit, all the while adding or improving functionality.

Ferguson said: “Right now, the Shadowserver Foundation is tracking almost 6,000 unique command and control servers and even that figure does not represent all the botnets out there. At any one time Trend Micro is tracking tens of millions of infected PCs that are being used to send spam and that figure does not include all the other bot infected PCs that are being used for the purposes of information theft, distributed denial-of-service or any of the other myriad of crimes.”

In Part 3, Ferguson looked at how since the second half of 2007, criminals have been abusing the user-generated content aspect of Web 2.0, with the first alternative command and control channels identified as blogs and RSS feeds. With open websites such as Twitter, Facebook, Pastebin, Google Groups and Google App Engine all being used as surrogate command and control infrastructures, Ferguson said that the 'public forums' have been configured to issue obfuscated commands to globally distributed botnets and the commands contain further URLs, which the bot then accesses to download commands or components.

Ferguson said: “Of course we can fully expect criminals to continue this unceasing innovation as we move forward, more botnets will take advantage of more effective peer-to-peer communication, update and management channels. Communications between bots or between bot and controller will become more effectively encrypted perhaps through the adoption of PKI. Command and control functionality will be more effectively dissipated, using cloud services peer-to-peer and covert channels though compromised legitimate services.”
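Whether the command channel is an IRC server (Part 1) or a public blog, paste site or social network (Part 3), the bot has to return to it on a schedule to pick up new commands, and that regularity is what a defender can look for in ordinary web proxy logs. The following detector is an added example written for this post; it is not code from Rik Ferguson's whitepaper or from Trend Micro. It assumes a constructed, simplified log format of "timestamp client destination-host path" (the sample lines and host names are made up) and flags any client/host pair whose inter-request intervals are too regular to be human browsing.

```python
"""Periodic-polling (beacon) detector over constructed web proxy log lines."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real data). Format assumed for this
# example: "timestamp client dest_host path". Host 10.0.0.5 fetches the
# same paste every ~300s; 10.0.0.8 browses irregularly.
SAMPLE_LOG = """\
2010-11-29T09:00:00 10.0.0.5 pastebin.example.com /raw/abc123
2010-11-29T09:00:14 10.0.0.5 news.example.com /
2010-11-29T09:05:01 10.0.0.5 pastebin.example.com /raw/abc123
2010-11-29T09:07:40 10.0.0.8 news.example.com /sport
2010-11-29T09:10:02 10.0.0.5 pastebin.example.com /raw/abc123
2010-11-29T09:11:13 10.0.0.8 mail.example.com /inbox
2010-11-29T09:14:59 10.0.0.5 pastebin.example.com /raw/abc123
2010-11-29T09:20:00 10.0.0.5 pastebin.example.com /raw/abc123
2010-11-29T09:22:07 10.0.0.8 news.example.com /
2010-11-29T09:25:01 10.0.0.5 pastebin.example.com /raw/abc123
2010-11-29T09:41:33 10.0.0.8 news.example.com /world
"""


def parse_log(text):
    """Yield (timestamp, client, host) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _path = line.split()
        yield datetime.fromisoformat(ts), client, host


def find_beacons(text, min_hits=5, max_cv=0.1):
    """Return {(client, host): (mean_interval_s, cv)} for pairs whose
    inter-request gaps are regular enough to look like scheduled polling.

    cv is the coefficient of variation (stdev / mean) of the gaps: real
    browsing is bursty and scores high, a timer-driven poll scores near 0.
    min_hits avoids flagging pairs with too few requests to judge.
    """
    times = defaultdict(list)
    for ts, client, host in parse_log(text):
        times[(client, host)].append(ts)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            beacons[key] = (round(avg, 1), round(cv, 3))
    return beacons


if __name__ == "__main__":
    for (client, host), (avg, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} polls {host} every ~{avg}s (cv={cv})")
```

Run against the sample, only 10.0.0.5's visits to pastebin.example.com are reported (about every 300 seconds, cv ≈ 0.005); 10.0.0.8's news reading has too few hits and too much jitter. On real logs the thresholds need tuning, and legitimate software updaters and mail clients will also show up, so treat a hit as a lead to triage against the destination's reputation rather than as a verdict.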

In terms of fighting back, in Part 2 Ferguson acknowledged the action taken against botnet owners and the takedown of botnets, but said that 'the concerted action that both public and private organisations are taking against botnets means that the criminal innovation never stops'.

At the end of Part 3, Ferguson asks 'where do we go from here?' He said: “So what can we do, is all hope lost? Not entirely I would argue. The battles continue in a war that must be waged on several fronts; governments and international organisations such as the EU, OECD and UN need to provide a strong focus on the harmonisation of criminal law globally in the area of cyber crime, enabling more effective prosecution.

“Law enforcement agencies need to formalise multi-lateral agreements to tackle a crime that is truly transnational. Internet Service Providers and domain registrars also have a key role to play. ISPs should be informing and assisting customers that they believe to be compromised (a trend which happily appears to be on the increase). They should also be terminating service to customers they believe to be acting maliciously. Domain Registrars should be demanding more effective forms of traceable identification at time of registration and bad actors should have their service suspended as soon as credible suspicion is raised.”

Finally, he calls on the security industry to continue with the levels of cooperation achieved among rivals during the fight against Conficker and for these to deepen, while initiatives 'must be financed on a national level to more effectively educate and inform citizens of the dangers posed by cyber crime and to encourage safer computing practices'.

There could easily be a belief that the fight against cyber crime is an uphill struggle against innovation, but at the same time there have been major successes in recent years. Rik's three-part history is also available as a PDF whitepaper here.

 

Hackers are not the only ones jumping on the Prince William and Kate Middleton bandwagon

November 17, 2010

In case you had your head in the sand for the past 24 hours and managed to avoid almost every source of media, you will have missed the announcement of Prince William and Kate Middleton's engagement.

Aside from those begging for an extra day off work or contemplating what the first dance will be (I predict it will be ‘William, it was really nothing' by The Smiths, listen here), as usual the search engine poisoners have been hard at work.

Websense reported that, within the top 100 results, approximately 22.4 per cent of all searches for current news lead to malicious search results, and warned users to go to reputable sites when looking for news rather than relying on random searches.

Mary Landesman, senior security researcher at Cisco, said: “My first thought on reading this was that malware and scammers will be even quicker to cash in. Indeed, many are proclaiming that Prince William and Kate Middleton's wedding (set for sometime next spring) will be the biggest marital event since Princess Diana and Prince Charles.

“Cisco ScanSafe research indicates that three out of every 100 malware encounters results from people clicking unsolicited malicious links in email, IM and social messaging and ten out of every 100 encounters occur via search engine results. Bottom line - think before you click, consider the source and pay attention to the destination URL. By following this advice, hopefully you can toast to the happy couple without toasting your computer.”

Tom Kelchner, research centre manager at GFI Software, pointed at the second photo under ‘Images for Kate Middleton' as being malicious. He said that it initially leads to a photo but that page then redirects to friefox.ddns.pl, where a Trojan is forced on to users.

As we have highlighted before, any news story is likely to end up with suspicious or malicious search results and as the researchers above highlight, it is best to use a reliable source with a fully patched browser. While the nation may be cooing over William and Kate, those with less pure thoughts do not miss a trick.

 

Will another campaign week really change attitudes to online security?

November 15, 2010

This week marks the start of ‘Get Safe Online Week'.

Describing itself as ‘an annual event to raise awareness of internet safety issues', the campaign group, formed of government departments, security vendors, online services and law enforcement, said that its objective is to encourage everyone to take some time out of their week to learn more about internet safety and to make sure that their computer is properly protected.

Writing in its report, Baroness Pauline Neville-Jones, minister of state for security and counter terrorism, said: “The internet continues to provide great opportunities for every one of us. Both the threats and opportunities associated with the internet are likely to increase significantly over the next five to ten years, as our dependence on online communication and transactions increases. Therefore staying safe online becomes more important than ever.

“It is essential that Government and industry continue to work together to raise awareness still further of these basic security and policy issues. Only by working in close partnership can we effectively tackle burgeoning online crime. I am therefore very pleased to support the Get Safe Online initiative in bringing together, for a sixth year, government bodies, law enforcement agencies and the private sector to tackle the safety needs of the UK's internet users.”

In its first piece of research released this week, it found that one in four UK web users are targeted via cold calls in which the caller attempts to get fake anti-virus software downloaded. Managing director of Get Safe Online, Tony Neate, said: “Not only is this big business for criminals, but it also represents a shift in their approach. Rather than exploiting our lack of awareness, they are now exploiting the fact that most of us know how important (genuine) anti-virus software is.”

Fraser Howard, principal virus researcher at SophosLabs, said: “The concept behind these latest scams is simple: the criminals are using support centres to contact users and trick them into believing they have a problem with their computer. In so doing, users may be scammed into paying for unnecessary support or software, perhaps even giving the criminals remote access to their computer in the process.

“The scripts being used by the call centre may well be pure comedy to the tech-savvy, but the simple fact is that a lot of regular users are likely to fall for it. It only took me a few minutes of searching to find others who had received the same calls as myself, and within discussion forums there were numerous posts from individuals who had been tricked into parting with their credit card details.

“Should we be surprised at this latest development in scareware distribution? I do not think so. Malware distribution has been a business for a good while now, and where the financial rewards are sufficient, some investment in ‘sales' is clearly justifiable.

“We have seen scareware attacks evolve from simple mass-spammed attachments to more cunning web-based attacks. The search engine optimisation (SEO) attacks are particularly cunning in that they abuse the very services that we all rely on and trust. Using call centres to cold call victims lacks that finesse, but it is somewhat inevitable, sadly.

“Improved security (particularly widespread adoption of URL filtering) makes it harder for even the most cunning of web-based attacks to succeed. The telephone cuts right through that and exploits the weakest link in the chain, the user.”

Now, after the recent ‘National Identity Fraud Protection Week', it could be argued that another week of activity is hardly going to make major headlines; after all, how many times can you hit end-users with the ‘don't download bad stuff' mallet? Even though this campaign is backed by Government and it does release some statements on online safety throughout the year, is one campaign for only one week out of 52 really enough to change attitudes?

I expect that there may be headlines and guidelines on how users should use security software and secure passwords over the coming days, but come next Monday will it be a case that end-users will go back to old and more user-friendly habits?

Baroness Pauline Neville-Jones says that ‘it is essential that Government and industry continue to work together to raise awareness still further of these basic security and policy issues', but as Sophos UK country manager Ciaran Rafferty told SC Magazine recently, a £650 million investment into investigating cyber crime should be used as part of an education project and ‘used to tell people how sophisticated cyber security is'.

Perhaps then people will get it; until then, campaigns may only be preaching to the converted.

 

Could cloud standards drive further adoption in 2011?

November 10, 2010

Over the next few weeks I anticipate being asked, and asking, about future trends and likely developments for 2011.

Among the predictions, I expect one that will be prominent is cloud computing, be it for Software-as-a-Service (SaaS), storage or infrastructure cloud services, or even for basic outsourced storage.

Last week I spoke with the chairman of the Cloud Industry Forum (CIF) Andy Burton, who claimed that its consultation showed that the cloud section of the industry ‘needs a credible and certifiable Code of Practice that provides transparency of cloud services such that consumers can have clarity and confidence in their choice of provider'.

That code of practice will be launched in two weeks, but ahead of that 70 firms, including BMW, Shell and Marriott Hotels, said that systems which do not work together are holding back the spread of cloud computing. According to a recent BBC News report, the 70 companies have formed the Open Data Center Alliance to push for unified technology standards.

Chairman of the alliance, Marvin Wheeler, said that the demands on the IT organisations are coming at such an alarming rate that there are many different solutions being developed today that maybe do not work with each other.

He told BBC News: “We need one voice, one road map, so that companies are able to say to manufacturers here is a clear vision of what they should be developing their product to do.”

The alliance's long-term plan for 2015 is the creation of a federated cloud where common standards will be laid down for those in the hardware and software arena. It also wants to ensure that all devices are interoperable when accessing services via the cloud.

There is no doubt that the collective force of the companies involved could make a mark, but what is likely is that hardware and software companies are already looking to this area as a future development.

Looking at the Open Data Center Alliance, Burton said that he thought it was a very good initiative and that it was absolutely appropriate, as the companies behind it have the ‘commercial clout' to provide guidance to the vendors in the market of hardware and software about driving interoperability standards.

He said: “So I think Object Management Group (OMG) and the Open Data Center Alliance are very good issues; where I think the Cloud Industry Forum goes one step further is that we're obviously championing access to the technology of cloud regardless of the size of the organisation. You can be a small organisation or a large organisation but because the bulk of organisations out there are small-to-medium businesses, they do not have the resources of an enterprise.

“So we absolutely endorse and support the work of the Open Data Center Alliance, but it is focused very much at the enterprise end of the market, whereas we are focused very much on the broad adoption of cloud in the market place, which by nature is focused on the small-to-medium business.”

Ian Moyse, EMEA channel director at Webroot, said: “Anything that helps customers gain valid confidence in the cloud is a good thing, the key though is that it is a credit where credit's due approach. If a standard or certification is open to all-comers then it will not help a customer differentiate between the worth of varying cloud offerings.

“There also needs to be a differentiation between technical standards and certifications such as SAS 70 and ISO and business standards being promoted by the likes of Cloud Industry Forum and EuroCloud. As cloud is growing so fast we are in danger of needing a standard for all the varying and competing standards.”

Perhaps that perspective is the most appropriate, after all what is stopping me from developing a standard or code of practice now and demanding that others follow it? Probably because no one is backing it, but with the right support and voices behind any standard, those it is targeted at may have to listen.

 

Dial for 'T' for tickets

October 29, 2010

Most of the talk online today has been about getting Take That tickets for the reunited five-piece's shows next year.

Among the tour dates will be four nights at Wembley Stadium, and fans clamouring to get their paws on a ticket have experienced multiple website crashes and slow-loading pages since they went on sale at 9am today.

Crashing and slow-loading pages may not be news for most music fans, but with technology advances over the past few years surely this sort of thing should not keep on occurring?  

Nick Barron, from cloud computing provider Carrenza, which provides cloud hosting support for companies whose websites need to scale quickly to surges in traffic, said: “Although it's a nightmare for Take That fans, unfortunately these types of technical glitches happen more frequently than you might think. Big name acts announcing ticket sales are great for business, but they can put an enormous pressure on websites and can result in huge surges in traffic.

“Today's problems highlight how important it is for companies to ensure that their websites are designed, from the beginning, with the architecture capable of meeting high demand. It's also critical to choose a hosting provider that allows you to flex your resources to meet spikes in demand. It only takes a minute for a website to crash, but your reputation can be shattered just as quickly.”

Perhaps the best comment on this came from a friend of mine, who shared his experience: “At 8:30 this morning in the office my desk phone starting ringing. I answered and I had to tell the person that I didn't have any Take That tickets.

“Over 100 calls later in an hour and a quarter it was clear there was a routing problem with some of the numbers advertising tickets which were accidentally being sent to our office.

"It was rather manic as there were only a few of us in the office, so I was trying to ask punters which advert they had used. One lady said it was from a full page advert in the Daily Mail; it looks like whichever number was dialled, it was forwarded to our box office. It seems like a system fault (or an idiot made a mistake in the system) which sent loads of calls to us. I could have taken loads of credit details and made loads of people disappointed. Luckily we are all really nice and just tried to let people down gently that they'd have to redial and queue all over again!"

Proof that you should dial carefully? On this ‘greatest day' of them all, you never know who is capturing details.  

 

The botnet market and what you get for your money

October 26, 2010

Botnets are apparently commonly rented, with the services sold to those prepared to pay the price. After all, many cyber criminals consider themselves to be businessmen and operate their botnets as a service.

Following a report on SC Magazine's website yesterday regarding the Iranian Cyber Army (ICA) selling access to its botnet, Imperva's senior security strategist Noa Bar-Yosef looks at some of the key questions on this issue.

How much does it cost usually to rent a botnet? What are the factors involved in price?

Bots are used for a very large variety of purposes so it is difficult to pinpoint a price. The work of growing and maintaining a botnet has become just an additional profession in the hacker supply chain of the growing hacking industry. Similar to market competition in the real world, botnet growers are competing to provide their service, which means that prices are falling.

There are different aspects that are taken into account in pricing botnet hire: size of the botnet; type of attack (e.g. spam, DDoS, credential-fetching); target (military, private organisations, targeted or widespread); location; and length of attack.

Although a rental is based on a multitude of factors, to give some ballpark figures for some of the more common ‘services', a 24-hour DDoS attack can be anything from a mere $50 to several thousand dollars for a larger network attack. Spamming a million emails, given a list, ranges between $150-$200, while a monthly membership for phishing sites is roughly $2,000.

Does this move by the ICA surprise you? How common is it for people to build botnets and then sell them off?

No, the move by the ICA is not surprising. Cyber criminals, just like all criminals, seek different sources of revenue. Botnet growers are continuously advertising their services.

What is interesting in the case of ICA is that they were the ones performing the attack. From their point of view, most of their attacks were politically motivated. But they seem to have asked themselves ‘why can't we make extra on the side with our infrastructure?' These so-called ‘ideologists' could be re-investing proceeds from ‘commercial' operations to their political objectives and proceed with other attacks as well as further develop other cyber attack resources.

From a security standpoint, does this activity make botnet detection easier or harder? If people are selling groups of bots, doesn't that mean you can stop multiple groups by disrupting the group selling the bots?

In general, this activity doesn't impact the detection of botnets. Why? Many of the command and control servers use fast-flux technology, where the server constantly changes, so it is harder to find the ‘brain' behind the zombies and take it down.

Advertising underground services carries risks of discovery. For example, a criminal in the real-world advertising fake Rolexes: that individual runs the risk of selling to an undercover cop. Similarly a criminal selling illegally obtained online credentials to some Facebook account runs the risk of the forum being tapped into by some authority. Yet these criminal acts proliferate, since hackers are not stupid. They use different evasion techniques, secret forums and even a reputation-based system in order to avoid being detected.

Some say that smaller botnets are a bigger problem than the larger spamming botnets because the smaller ones tend to be targeted and seek to stay under the radar. Do you agree that that is the case, and is this related to the trend of people selling off portions of botnets?

It doesn't make a difference. Why? A botnet grower has a large number of computers under his/her control (zombies). He/she rents a certain number of these zombies for different purposes. Each of these rentals together provide a botnet. So botnets range in size but ultimately they can be sourced to the grower. So criminals are not selling portions of their botnet, rather they are renting portions of the computers under their control according to the needs and requirements of the attack requestor.
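The fast-flux point above, that the command and control server "constantly changes" so the brain behind the zombies is hard to find, is visible from the defender's side in DNS: a fluxing name answers with a large, constantly rotating set of addresses spread across unrelated networks, with a short TTL so clients re-resolve quickly. The scorer below is an added example for this post, not code from Imperva or from the interview. It assumes a constructed resolver log of "timestamp qname ttl a-record" lines (all names and addresses are made up, drawn from documentation address ranges) and uses the /16 prefix as a crude stand-in for grouping by hosting network, since no ASN data is available offline. It deliberately includes a CDN-like name with a short TTL whose addresses all sit in one network, to show why TTL alone is not a fast-flux indicator.

```python
"""Fast-flux indicator scoring over constructed DNS resolver log records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed resolver log (not real data). Assumed format for this example:
# "timestamp qname ttl a_record". fluxy.example rotates through many
# addresses in unrelated networks with a short TTL; cdn.example also has a
# short TTL but stays inside one network; static.example never changes.
SAMPLE_DNS = """\
2010-10-26T10:00:00 fluxy.example 180 203.0.113.10
2010-10-26T10:03:00 fluxy.example 180 198.51.100.77
2010-10-26T10:06:00 fluxy.example 180 192.0.2.200
2010-10-26T10:09:00 fluxy.example 180 203.0.113.44
2010-10-26T10:12:00 fluxy.example 180 198.51.100.9
2010-10-26T10:15:00 fluxy.example 180 192.0.2.15
2010-10-26T10:00:00 cdn.example 60 198.51.100.20
2010-10-26T10:01:00 cdn.example 60 198.51.100.21
2010-10-26T10:02:00 cdn.example 60 198.51.100.22
2010-10-26T10:00:00 static.example 86400 203.0.113.5
"""


def parse_dns(text):
    """Yield (qname, ttl, ip_address) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, qname, ttl, addr = line.split()
        yield qname, int(ttl), ip_address(addr)


def prefix16(addr):
    """Coarse /16 prefix used here as a stand-in for per-network grouping."""
    return str(ip_network(f"{addr}/16", strict=False))


def score_domains(text, max_ttl=300, min_ips=5, min_prefixes=3):
    """Summarise each name and flag fast-flux candidates.

    A name is flagged only when all three hold: its answers carry a short
    TTL, it has been seen with many distinct addresses, and those addresses
    are spread over several unrelated networks. The thresholds are example
    values, not published tuning.
    """
    seen = defaultdict(lambda: {"ips": set(), "prefixes": set(), "min_ttl": None})
    for qname, ttl, addr in parse_dns(text):
        rec = seen[qname]
        rec["ips"].add(addr)
        rec["prefixes"].add(prefix16(addr))
        rec["min_ttl"] = ttl if rec["min_ttl"] is None else min(rec["min_ttl"], ttl)

    result = {}
    for qname, rec in seen.items():
        flagged = (
            rec["min_ttl"] <= max_ttl
            and len(rec["ips"]) >= min_ips
            and len(rec["prefixes"]) >= min_prefixes
        )
        result[qname] = {
            "ips": len(rec["ips"]),
            "prefixes": len(rec["prefixes"]),
            "min_ttl": rec["min_ttl"],
            "fast_flux": flagged,
        }
    return result


if __name__ == "__main__":
    for qname, summary in score_domains(SAMPLE_DNS).items():
        print(qname, summary)
```

On the sample only fluxy.example is flagged (six addresses across three /16s, TTL 180); cdn.example has the short TTL but a single network, and static.example has one address with a day-long TTL. In production the /16 grouping should be replaced with ASN or netblock ownership data, and the counts should be accumulated over hours or days, since a fluxing name reveals its breadth only over time.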

 

How and why I allowed my smartphone to be hacked

October 26, 2010

This week I allowed a hacker to infiltrate my smartphone purely in the interests of journalism.

I will admit that my attacker did so with my permission, as he was arguably counting on this coverage. However what it did lead me to realise was that hacking devices is in fact very easy and affordable to do.

The hacker in this case was Jason Hart, who recently participated in an experiment to see how many WiFi connections were unsecured and how many users would connect to a free network without consideration of what it was or how their details would be harvested.

In his day job, Hart is CEO of two-factor authentication specialist CRYPTOCard but in our recent meeting he demonstrated just how easy it is to hack computers and mobile devices in a public place. With a remote device costing around £40 and free software, Hart encouraged me to connect to it using my iPhone.

From here he asked me to access a web page; naturally I chose SC Magazine via the Safari browser. The software recorded my activity as I selected story links at random and, as I then opened apps, recorded my passwords as I logged in.

I am aware that for most white hats and researchers this is hardly revelatory, but what was concerning is that while Hart had named the device ‘hack test' in this case, he told me that for the experiment it was renamed ‘BT Openzone', a network name that Apple iPhones automatically connect to.

Talking about the experiment, Hart said: “We had public hotspots in six cities and people connected, unaware of the risks. All it takes is a rogue wireless network with a trusted name and people connect in.”

Asked if it can collect sensitive data, he said that the setup allows the IP address to be seen and a hacker can use this to capture sensitive data. He later said that the process of hacking has now covered three stages: servers, browsers and now passwords, as ‘you are invincible with someone's password'.

“The new way is with a username and password, you can all be breached and if you do not solve it, fundamentally everything is flawed,” he said.

He said that on underground forums, more money is paid for usernames and passwords than for credit card details as more sensitive information can be gained.

What was demonstrated was certainly revealing, but at the same time it was also rather terrifying that with an ounce of knowledge of how to set up a sniffer and with a free software download your online activity and credentials can be intercepted and recorded.

As Hart said to me, everything is generally protected by one password, be it a Hotmail account, PayPal account or private cloud.

 