A fillet o' phish for the ham-burglar from McDonalds?

Dan Raywood September 02, 2010

There is very little about phishing messages that is surprising. Often they appeal to the lowest form of intelligence in order to catch their target out, or use social engineering and clever tactics to trick people into handing over their banking details.

A new tactic that emerged this week uses the lure of a $90 credit for the recipient's participation in a survey on McDonalds. The email asks for five minutes to answer questions on the products, assuring users ‘that we will not ask you about any personal information'.

So far this is quite a clever scheme, particularly as the website the email links to puts on a good show of quizzing the user about their favourite McDonald's food and drinks. The $90 is only credited in return for participation, which is the pretext for demanding banking details, with the user's driver's licence, credit card number and CVV also required.

Chester Wisniewski, senior security advisor at Sophos Canada, who highlighted the threat, said: “I am always surprised that people think they can win $90 in a survey or that they may have won £3 million in a UK lottery they never entered. Doesn't anyone wonder how on earth McDonald's or the UK lottery got their email address in the first place?”

As we have highlighted with the ESPN Soccernet phishing campaign, it is now becoming less of a case of assuming people want to inherit tens of millions of pounds from an African prince or will want to watch a video of a celebrity in a compromising position, and more about a financial or voucher reward for answering a few questions about the Big Mac.

This particular phishing campaign has its flaws, such as the email's default character set being Cyrillic, but what is concerning is how easy those flaws are to miss, and how many people will be fooled by it.

 

Attack vectors evolve as extortion and rogue anti-virus threats become more challenging

Dan Raywood August 31, 2010

In recent weeks I have received a lot of announcements and details on how attack vectors are evolving.

Perhaps this is a coincidence in timing, but since we highlighted how rogue anti-virus was being sold by cold-callers, new methods have also been reported. A media report claimed that online businesses have been facing threats from a criminal gang employing scare tactics to trick them into handing over large sums of money to avoid having their sites hit by distributed denial-of-service (DDoS) attacks.

The ZDNet report claimed that the fraudsters, essentially using bullying and extortion tactics, begin by demanding $200 from a business and warn that they will add another zero to the sum for every 48 hours that they do not receive the money, while simultaneously hitting the website with a DDoS attack.

Symantec, which identified the tactic, said that attempts at extracting personal information or money using tactics similar to those mentioned here are very common in scam attacks.

It said: “In this targeted attack, the ‘To' header is an email address provided in the registrant contact details for the domain, and the ‘Subject' header follows a format similar to ‘Hosting - Important Updates and Information', which helps the email to appear as if it has been sent by the hosting service provider.”

Commenting, VeriSign CTO Ken Silva said that the problem in this instance is that enterprises have no way of verifying whether the criminals will actually carry out their threat of taking down their sites.

He said: “However, with a DDoS attack able to cost businesses millions of pounds in lost revenue, ignoring such a threat is a risk businesses cannot afford to take. DDoS attacks are increasing in frequency, scale and sophistication, as have the tactics employed by cyber criminals.

“A report by Forrester found that just under 75 per cent of respondents had been a victim of one or more DDoS attacks within the past year. We often see companies trying to protect themselves by employing outdated practices such as bandwidth over provisioning which are costly and ineffective. The fact remains that prevention is always better than cure.”

Another ‘trend' involves hackers forcing the uninstallation of legitimate anti-virus software, in this case using AnVi, a clone of the prevalent rogue anti-virus product CoreGuard.

Also detected by Symantec, the AnVi fake product relies on the legitimate anti-virus product's own uninstaller: upon execution of the malicious file, the Trojan shows a message box asking the user to uninstall the legitimate anti-virus program, if it is present on the computer.

It said: “In this case it is using the legitimate anti-virus uninstaller and forces the user to remove the anti-virus software from the computer. Moreover, it tries to download rogue anti-virus software by connecting to malicious websites. In this case it tries to download AnVi Antivirus, which is a clone of the CoreGuard Antivirus 2009 misleading application.”

Rob Horton at NCC Group said: “These forms of social engineering attacks are becoming more common. Keeping your system and anti-virus software fully up-to-date can help mitigate the threats presented by some of these attacks.

“However, the key to adequate protection lies in browsing caution, paying close attention to any warnings displayed by your operating system or browser, and being very careful what you click on.”

The threat of rogue anti-virus, it seems, will never go away. Sophos warned recently of a new threat that spreads via ‘suspicious email attachments from unknown sources'. It said that if recipients open the HTML files attached to the spam emails, their web browser is directed to a hacked website containing a malicious iFrame that launches the fake anti-virus attack.

Sophos detects the malicious email attachments as Troj/JSRedir-CH and the fake anti-virus attack as Mal/FakeAV-EI. The emails use a variety of themes ranging from credit card charges to free-to-view holiday photographs to lure recipients in.

Graham Cluley, senior technology consultant at Sophos, said: “A scam like this can be extremely successful at passing revenue directly and quickly into the hands of hackers - so we all have to be on our guard. The attacks are designed to trick people into paying to remove threats from their computer that never really existed in the first place.

“Once a user's computer is infected with fake anti-virus, the software will continue to bombard the user with bogus warning messages to encourage them to pay for threats to be removed or install more malicious code onto their PC.  If computer users are concerned about the security of their machine, they should go directly to a legitimate IT security site, rather than put their trust in a criminal hacking gang.”

These threats are likely to be a few among many, and I dare say that there are stronger and more successful opportunities being peddled right now. When it comes to user security, a reputable brand is the way forward.

However if you are being threatened with attack, the decision on how to act on what could be an empty threat lies with the recipient.

 

What sort of impact could the Zurich Insurance fine have on company policies on encryption and backup?

Dan Raywood August 26, 2010

The Zurich Insurance £2.27M fine has shed light on the challenges faced when transferring data between global offices.

The Financial Services Authority (FSA), which levied the fine, said that the incident occurred after Zurich outsourced the processing of some of its general insurance customer data to Zurich Insurance Company South Africa (Zurich SA), and that an unencrypted backup tape was lost during a routine transfer to a data storage centre. Also, as there were no proper reporting lines in place, Zurich UK did not learn of the incident until a year later.

Talking to SC Magazine, Hugo Harber, director of convergence and network strategy at managed services provider Star, claimed that he was shocked that Zurich did not encrypt its backup data and that the security of data was not considered.

He said: “I am not criticising Zurich as this could have happened to any big business, but how many businesses have not understood the importance of it? There is also the storage of data in transmission as this is a critical point for the business.

“From one perspective this is personal data and it details who the customers were. It is much more serious these days as names can be transmitted with an SLA. This is a very mature market.”

He also said that another interesting thing is the reporting issue, as even though the business is based in the UK and the loss occurred abroad, it does not matter where you ship in the world, you are still covered by the FSA regulation.

“There are still a lot of systems in shipping data offshore, and the FSA has made its case for data backup,” he said.

Asked if this incident will raise awareness of secure backup, Harber said: “I hope so, I find that when we talk to our customers about data management there is a whole lot of things that they don't consider. They don't think about where they put it so security, people don't want to talk about it, as it is a headache.

“It is difficult to make a request to the board, so we need fines like this for the board to make a conscious decision to invest in the security of data. Every business has a duty of care to their customers, so we find customers have issues around what to do with it as they don't know what they have and where it is kept.”

Commenting, Edy Almer, VP of marketing at Safend, claimed that the news highlights not only the importance of effective management processes, but also the financial and reputational damage of failing to ensure that these are enforced.

He said: “The incident has highlighted a failing in outsourcing arrangements that had been made. The fact that, as far as we know, the back-up tapes on to which the data was transferred were unencrypted - and that the loss of data went unknown for a year  - shows a massive flaw in control and processes.  

“Encryption would have been a safe harbour had it been used. Had Zurich encrypted data transfers, securely transferred and logged it, and had a solid DLP system in place, with good auditable records, the problem could have been avoided.

“The penalties for data loss are getting tougher, and it's simply not worth the risk of saving a few hundreds of thousands of pounds, when fines into the millions can be levied. Encrypted secure logged transfers over DVD or secure web or any other way would have avoided the problem.

“Organisations, across all industry sectors, need to remember that, whether sensitive data is in transit or, at rest, it needs to be properly stored, secured and encrypted to prevent a loss of this kind. The goal should be to invest in data protection now, to avoid paying more later.”

Harber concluded by insisting once again that he did not blame Zurich, as he believed that their operations in the UK are 'watertight', but the problems lie further down the chain.

Regardless of who is to blame, the fact that this has raised awareness of so many issues is why it has remained newsworthy. As Harber said, companies may use this to raise concern at board level to ensure that they are not the next in the headlines for similar reasons, and that may be the point of the fine from the FSA in the first instance.

 

False rumours of celebrity deaths and pictures of footballers and prostitutes aim to lure the gossip-hungry towards malware

Dan Raywood August 24, 2010

The news coverage around celebrity deaths has been extensively highlighted, but a new tactic seems to be becoming popular.

Symantec's Mayur Kulkarni claimed that malicious spam is now luring victims not with the deaths of the likes of Michael Jackson, Patrick Swayze and Natasha Richardson, but with the supposed deaths of celebrities who have not actually died at all.

He said: “Strange stories of celebrities have suddenly erupted in the spam ring, which describe their deaths in plane crashes or car accidents. The intention of distributing such false news is to spread viruses using HTML or zipped attachments. This is one more in a series of recent virus attacks seen in the last few weeks.

“This is an old trick of using celebrity names to lure recipients into opening malicious URL or attachments. In one of the campaigns seen, spammers are using subject lines showing that a celebrity has died.”

Among the celebrities named as receiving a visit from the Grim Reaper are Beyonce Knowles, Brad Pitt, David Beckham, Jay-Z, Jennifer Aniston, Miley Cyrus and Tiger Woods. Almost a year ago, rumours began to circulate that rap star Kanye West had died, leading to malicious links appearing on the first page of Google searches. Last week McAfee named Cameron Diaz as the most dangerous celebrity in cyber space, as searches on her are most likely to run into online threats.

Kulkarni said that the message states that the celebrity died, along with 34 other people, when the plane carrying the group on a trip crashed into a mountainside while approaching the airport. For further details, recipients are asked to open the malicious attachment.

In another example, the subject lines were changed to claim that the celebrities had been killed in a car crash.

On opening the zipped attachment there is an executable, detected as Trojan.Zbot by Symantec.

“Spammers are known to create curiosity in their spam messages so that users get interested and make an attempt to open and, perhaps, install the executable. Doing this using brand names such as well-known news agencies or using a celebrity name gives them the much-needed credibility in order to gain trust in the recipient's mind,” he said.

However it is not just rumours of celebrity deaths that are catching the attention of the gossip-hungry: Sophos senior technology consultant Graham Cluley identified a new threat on Facebook which lures users into viewing photos of a ‘football player and an underage prostitute'.

In a survey-based threat similar to the Disney page identified earlier this year, it promises to show photos of the alleged incident, undoubtedly jumping on the bandwagon of England striker Peter Crouch's rumoured incident with Algerian prostitute Monica Mint.

Cluley said: “With the British media obsessed with football, WAGs and sex scandals - it's no wonder that the story has been making plenty of headlines.”

The page lures users in with a headline of ‘OMG.. This England Football Player Got CAUGHT F**KING A UNDERAGE PROSTITUTE!' with ‘shocking' photos promised of the ‘disgusting' incident with a girl who apparently ‘looks about 13'.

If a user clicks on the link they are invited to share the message with their Facebook friends (thus spreading the message virally) before being allowed to see the photos. When a user finally thinks they are going to see the photos they are instead taken to a series of online surveys, allowing the cyber criminals to earn money in the form of commission by tricking people into taking the surveys.

Cluley said: “If you do manage to make it past the survey (and I would question why you would do so) you'll ultimately be taken to a story published on the British tabloid The News of The World's website yesterday, covering the latest gossip about Peter Crouch's love life, and topless pictures of Monica Mint. (By the way, she's reported to be 19 years old - so not underage in most countries, including Spain and the United Kingdom).

“But, of course, you didn't have to complete the online survey to see the story of Peter Crouch's shenanigans. You could have just visited The News of the World website instead. But that would have deprived the scammers of some revenue.

“I've informed Facebook of the scam, and hopefully they will shut it down shortly. In the meantime, Facebook users would be wise to think twice before ‘liking' or ‘sharing' pages in order to see the oft-promised ‘sensational' or ‘shocking' content'.”

 

Copyright champion asks why The Pirate Bay is still online despite convictions

Dan Raywood August 19, 2010

A year since file sharing site The Pirate Bay was convicted of breaking Swedish copyright law, the website is still online and active.

In August last year, SC Magazine reported that The Pirate Bay was ordered to be taken offline by Swedish authorities following a defeat in court. Following this it was revealed that the shutdown caused a huge rise in copycat file sharing sites to spring up on the internet.

It was also forced offline by a group of Hollywood studios in May this year, and this week Sunbelt Software detected a number of typo-squatting sites hoping to catch out unwary would-be downloaders. Its research office manager Tom Kelchner said: “The phoney site piratebay.com comes up as the third result on a Google search for ‘piratebay' or fourth for ‘pirate bay'.”

However according to John Lovelock, chief executive of the Federation Against Software Theft (FAST), the file sharing website convicted by a Swedish court of breaking the country's copyright law has been allowed to continue and even thrive in its operations.

He said: “Pirate Bay has been allowed to frankly profit in column inches and financially to the detriment of IP rights holders from the controversy surrounding its conviction and the ensuing publicity. Time will tell if the new owners turn the website around, but the current situation just serves to undermine the integrity of the Swedish court and hinder the global fight against copyright offences.”

Now under new ownership, The Pirate Bay was sold for £4.7m to Global Gaming Factory (GGF) at the end of June 2009, three months after the court case, providing the owners with a multi-million pound windfall. The new owners were quick to state that although the site would continue to practice file sharing, the files would be hosted legally, rather than stolen from copyright owners. 

 

Research claims that short passwords will soon be 'hopelessly inadequate', as it encourages multi-character logins

Dan Raywood August 16, 2010

It is always good to see information security stories feature in the national press, and one caught the eye at the end of last week.

The BBC News story highlighted findings by the Georgia Tech Research Institute which claimed that a password of seven characters or fewer will soon be ‘hopelessly inadequate', as the researchers said that the growing number of processors on graphics cards will soon make it trivial to crack short passwords.

The research found that a graphics processing unit (GPU) may soon compromise password protection, as today's top GPUs can process information at the rate of nearly two teraflops (a teraflop being a trillion floating-point operations per second).

Richard Boyd, a senior research scientist at the institute, noted that software designed to break passwords is freely available on the internet and that, combined with the availability of GPUs, this means it is only a matter of time before the threat to passwords becomes immediate.

He said: “We've been using a commonly available graphics processor to test the integrity of typical passwords of the kind in use here at Georgia Tech and many other places. Right now we can confidently say that a seven-character password is hopelessly inadequate - and as GPU power continues to go up every year, the threat will increase.”

Joshua L. Davis, a research scientist involved in this project, said that attackers know that many people use passwords comprising easy-to-remember lowercase letters, and code-breakers would typically work on those combinations first.

He said: “Length is a major factor in protecting against brute forcing a password. A computer keyboard contains 95 characters and every time you add another character, your protection goes up exponentially, by 95 times.”
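As an added example (not from the article or from the Georgia Tech researchers), the following Python works through the arithmetic behind Davis's point: it sizes the alphabet an attacker who starts with lowercase letters and widens the search only when needed would actually have to cover for a given password, computes the resulting keyspace and equivalent bits, and estimates exhaustive-search time. The guess rate is an assumed parameter, since the article quotes GPU throughput in teraflops rather than password guesses per second, and the sample passwords are constructed for illustration.

```python
import math
import string

# Character classes in the order a brute-forcer typically enumerates them:
# lowercase first, as Davis notes attackers do, widening only when needed.
CLASSES = [
    ("lowercase", set(string.ascii_lowercase)),   # 26
    ("uppercase", set(string.ascii_uppercase)),   # 26
    ("digits", set(string.digits)),               # 10
    ("symbols", set(string.punctuation + " ")),   # 33 -> 95 printable keys in total
]


def charset_size(password: str) -> int:
    """Size of the smallest union of classes that covers every character used.

    This is the alphabet an attacker who tries lowercase only, then mixed case,
    then alphanumerics and so on must reach before the password falls.
    """
    return sum(len(chars) for _, chars in CLASSES if any(c in chars for c in password))


def keyspace(length: int, alphabet: int) -> int:
    """Number of candidates of exactly this length over this alphabet."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int) -> float:
    """Equivalent strength in bits for a uniformly random password."""
    return length * math.log2(alphabet)


def seconds_to_exhaust(length: int, alphabet: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return keyspace(length, alphabet) / guesses_per_second


def describe(password: str, guesses_per_second: float = 1e9) -> dict:
    """Summarise the brute-force cost of a password.

    guesses_per_second is an assumed rate for illustration only; the real figure
    depends on the hash algorithm and the attacker's hardware.
    """
    alphabet = charset_size(password)
    length = len(password)
    return {
        "length": length,
        "alphabet": alphabet,
        "keyspace": keyspace(length, alphabet),
        "bits": round(entropy_bits(length, alphabet), 1),
        "days_to_exhaust": seconds_to_exhaust(length, alphabet, guesses_per_second) / 86400,
    }


if __name__ == "__main__":
    # Constructed sample passwords: a lowercase-only word, the article's
    # passphrase-derived example, and a 12-character mixed password.
    for pw in ["letmein", "T29jIlmi&897TAh", "Xq7!pL2#mZ9$"]:
        print(pw, describe(pw))
    # Adding one character multiplies the full-keyboard keyspace by 95.
    print(keyspace(8, 95) // keyspace(7, 95))
```

Note that the lowercase-only seven-character password is searched in a space of 26^7, roughly 8 billion candidates, while the same length over the full 95-key alphabet is 95^7, about 7e13; the "95 times per character" claim only holds once the attacker has been forced onto the full alphabet.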

Davis also commented that the best password is a sentence. David Bennett, director EMEA consumer business development at Webroot, agreed, suggesting that at the very least users build a secure password out of a simple sentence, turning something like ‘Today 29th July I lost my identity and £897 to a hacker' into ‘T29jIlmi&897TAh'.

He said: “This suddenly becomes a very secure password when you mix case, numbers and characters in what appears to be a random fashion. Using this method you can create several simple to remember phrases that build security – just remember to use a different phrase for each site.

“This is okay if you only have a few passwords to remember, however, how many of us only need passwords for one or two sites? I am sure I'm not alone in now needing multiple passwords for social media, banking, email, etc. and it's a challenge to remember them all. We see the industry moving towards cloud-based solutions that remember these long passwords for the user, so users don't need to remember those difficult passwords.”

Research by VeriSign Authentication of UK online adults showed that 39 per cent disagreed that ‘user name plus password' is a strong enough security measure.

Christian Brindley, regional technical manager EMEA at VeriSign Authentication (now a Symantec business), said: “A password is only one layer of security which criminals have proven they are able to bypass; either through brute force as the Georgia Tech researchers have demonstrated, or, often, simply by guessing.

“The current migration to cloud services should mark the end of the traditional username and password usage and drive the adoption of stronger internet security measures. One method that has been proven to work is strong authentication, which combines a user's log in details with a one-time password generated by a device such as a plastic token, credit card style device or even a mobile application. Once a second factor of authentication is introduced, the risk of account sharing and hacking of password reset tools is all but removed at source.”

Stephen Howes, CEO of GrIDsure, said that he found it to be ‘bewildering' that the institute recommended that passwords should become longer and more complicated.

He said: “This goes against every other trend that I have come across in my business and personal life towards making things more convenient and less complicated. Who is seriously going to remember the recommended 12 character strong password consisting of letters, numbers and symbols? It's a recipe for frustration and you can guarantee that users will either forget these passwords or, more likely, just write them down.

“Ultimately, no matter how long and complex you make a password, it can still easily be hacked or stolen by means such as shoulder-surfing or malware (keylogging, screen scraping and so on). I therefore believe that static passwords have no place in today's connected world and consumers should be offered more effective alternatives that offer better security without making their lives more complex or inconvenient.”

We have covered password security a lot in the past, after all a simple and ‘guessable' password can often be the only security to so many precious things. I certainly welcome the debate launched by the Georgia Tech Research Institute and that it was flagged by the BBC, so that this is given more of a chance to be read and considered by the public.

Whether they take any notice, or continue to click on a story from the entertainment section is instead anyone's guess.

 

IT managers can take days to apply even the most critical patches

Dan Raywood August 10, 2010

In a year that has seen a consistent pattern of patching on the monthly Patch Tuesday I thought that it would be interesting to see how this is impacting the sector.

Patching is an effort for any business or user, and 2010 has seen a recurring pattern of heavier and lighter loads of patches. Looking at the last four months, for example, May had two patches; this was followed by ten in June, back down to four in July and now 14 announced for today in August.

There have been out-of-band releases, such as the patch released last week for the Windows shortcut vulnerability, but what has influenced such a pattern? I spoke with Greg Lambert, technology director of ChangeBASE, who commented that Microsoft would have worked hard in July to get patches developed so it can have an easier time in August. He predicted that September will see two or three patches, as less time is spent in development during August.

An automated application compatibility testing and remediation company, ChangeBASE's software helps to identify the issues that migrating to a new operating system or virtualised platform might cause for an organisation and also identifies how to fix these issues.

Among its testing processes is an analysis of Microsoft's Patch Tuesday, which identifies any issues (including security vulnerabilities) that it may cause to an organisation's infrastructure.

Lambert told me of an incident where a patch was applied without consideration for its impact and a trading floor was wiped out. He said: “We helped with the question of will a patch change anything on the application, or is there anything that the application is depending on?

“Our system takes two to three hours to propagate an email workaround and within a few hours we have a full impact analysis. It states what needs to be tested and what to inspect more.”

He commented that ChangeBASE is finding that people are applying patches up to two weeks after Patch Tuesday, and that no one will apply anything immediately tomorrow.

“When there are three to four patches we will find that it will take a week to deploy the patches, Microsoft also changes things in the background and that will take a week to two weeks,” he said.

This intrigued me, as surely once a patch has been released it is uploaded in order that hardware is secure and vulnerabilities are covered. Or is it a much more complex process than that?

I asked Alan Bentley, SVP international at Lumension, about the claims that patches can often take days, or even weeks to be applied. He commented that it really depends on a company's change control mechanism, as a large organisation in a server environment will need to analyse and evaluate the risk of remaining unpatched.

He said: “We are seeing risk in an environment without doing proper checks and changes are often greater than a key vulnerability remaining unpatched for a period of time.

“If a company has the technology to deliver an automated patch to deal with a vulnerable application and test correctly, the balance is between secure operations and releasing requirements. It is a security requirement to understand a vulnerability and be in a position to understand risk, and the operations team test the impact that a piece of software will have.”

Certainly a revelation to this writer, but I guess it makes sense to know what you are working with and to be sure that what you are applying is both legitimate and will not crash your system.

Lambert commented that ChangeBASE sees big organisations such as financial services companies which do not have off-the-shelf applications, and are entirely dependent on them. He said: “No one knows about the RBS internal applications other than RBS. We load the applications into the database and get a measure of the security value so know the impact. If you have a massive issue you have is make a decision and adding 14 more tasks to a big issue.”

So this moves things into a discussion on best practice when it comes to patching. Stewart Room, partner in the privacy and information law group at Field Fisher Waterhouse, said: “What you don't find in any regulatory guidance, any court cases is any statement of law that patching is a legal requirement. It does not exist anywhere. It is right that we should not face a technical failure because of security, from a legal perspective it is an issue that has not been determined.”

What interests me is that the headlines on patching only take up one week every month, but it is a challenge constantly faced by IT administrators. How you do it is up to you, but to not do it at all can be devastating.

 

So what is the concern about the AMTSO, and why is it not being welcomed globally?

Dan Raywood August 04, 2010

I have seen plenty of discussion in the blogosphere of late about the Anti-Malware Testing Standards Organization (AMTSO).

The discussion seemed to spin from the publication of new guidelines with added resources for software testers included. In a comment a couple of weeks later, David Harley, writing separately from his duties as senior research fellow at ESET and a director of AMTSO, claimed that he was ‘confused and not to mention exasperated, at the flurry of bad press that AMTSO is suddenly receiving'.

He pointed to a blog by Kevin Townsend to which he contributed some thoughts, and thought the time might be right for some healthy discussion about how the organisation might engage better with the general user population.

However the feedback received showed a general feeling of negativity towards AMTSO, with Harley saying that it had been described as everything from ‘a self-serving group of anti-virus vendors (cantankerous vendors, even) trying to impose retrograde standards unilaterally on testers' to a ‘sinister cabal of vendors and testers and the organisation should be user driven'.

A joint statement from researchers at Kaspersky Lab, Panda Security, McAfee, Symantec and ESET aimed to clarify some of the complaints, but I asked Harley what the headlines have been about.

He claimed that he would not have made an investment of time and energy if he did not believe that there is a need for major improvements in testing and the public understanding of testing.

He said: “Nearly 20 years in the arena as a corporate customer, sometime tester, educationalist and anti-virus researcher and more recently within the anti-virus industry, suggests to me that it does. That is the sort of problem AMTSO was meant to solve. Of course, there's an element of self-interest in AMTSO's activities, but the thinking behind all that is that better testing benefits the population at large, not just the anti-virus industry.”

He highlighted three problems – firstly while AMTSO is not a profit-making organisation, the subscription fee is fairly hefty. It was heavier in the first year, because of the large setup costs, and was reduced accordingly for the second year, because many of those costs were one-off. Still, a subscription large enough to cover maintenance/administrative costs is still too large for most interested individuals.

He said that those costs are basically for professional services such as legal services; the board of directors and review analysis board, while the independent advisory board is made up of volunteers.

“That gives rise to another issue. Since we all have full-time jobs, we can't give AMTSO the time and attention some of us would like to. The best measure of what the organisation has achieved so far is probably its own repositories of papers, guidelines and other resources, put together in the course of several workshops and a lot of email. A lot more than that has been done behind the scenes, but there are no brownie points for setting up processes that are necessary, but don't directly impact on the public,” he said.

The second problem is that the group includes security vendors, as well as testers and product certification agencies. Harley admitted that while mainstream vendors and testers do not necessarily see that as a problem, most people do not see it that way, rather they see it as the foxes guarding the hen house.

He said: “Indeed, when a single vendor is behind an ‘independent' site, which does happen, you get some pretty biased testing, but AMTSO is slightly different. The group comprises (generally) researchers, not marketroids. It's difficult for a vendor or tester to cross the line when the eyes of so many competitors are on him.

“Still, there's a huge mistrust in the media and the population in general of security vendors, and that poses a significant PR problem. There's a subsidiary problem in that the organisation is not sufficiently engaged with the public at large. One approach I've been advocating is a much cheaper membership option with fewer privileges, something like the Anti-Phishing Working Group's basic membership, and something like that may happen sooner rather than later.”

Finally, he said that there is confusion over what AMTSO means by raising standards (as opposed to setting standards): despite the name, AMTSO is not equipped to impose standardised testing, even if it wanted to (it doesn't), and is not a suitable venue for formulating ISO/BSI-like standards.

He said: “While some labs are, quite rightly, stressing their achievements in meeting such standards, they're very generic.  While I'd hope that a standards organisation addressing the need for standards specific to the IT security arena would want input from vendors and testers, AMTSO in its present form could not provide that kind of standard, in my opinion, because it would be seen as the AV industry imposing measures that suit the industry rather than its customers.”

So how could standards be raised in a more general sense? Harley said that this would be done by improving the quality and availability of information about tests and testing, and by making testers more accountable for the accuracy and quality of their testing.

He said: “The AMTSO review analysis process is one step towards this, though its implementation to date has been far from smooth and not universally popular. A self-certification scheme is also in process, though excruciatingly slowly: that's the problem with relying on volunteer labour.”

 

It is time to admire Microsoft for out-of-band patching

Dan Raywood August 02, 2010

In a recent blog update, part of a look forward to the Black Hat Conference, Microsoft Security Response Center (MSRC) director Mike Reavey commented on the centre's latest work to address vulnerabilities in Microsoft software.

He acknowledged that ‘some will say that we take too long to fix our vulnerabilities’, a view sharpened by the memory of the Windows Help and Support Center vulnerability that was left unpatched for almost a month until July's Patch Tuesday.

Reavey said: “It isn't all about time-to-fix. Our chief priority with respect to security updates is to minimise disruption to our customers and to help protect them from online criminal attackers. These customers own and operate a diverse ecosystem of nearly a billion systems worldwide.

“It's humbling to think about the responsibility this entails and yet we embrace the challenge. Even in the face of that, our overall track record shows the window of vulnerability is being reduced and we have additional plans to improve.”

He said that the MSRC receives more than 100,000 email messages per year, almost 275 per day or 11 per hour, which is filtered down to approximately 1,000 legitimate investigations per year.

Once a vulnerability has been confirmed, he said that a comprehensive examination is undertaken to ensure that the reported vulnerability is addressed and any other vulnerabilities that might exist in related code are identified and addressed, and that no new vulnerabilities or bugs are introduced during this process.

So why does Microsoft not commit itself to fixed timelines?

Reavey said: “Because it is important to consider the overall customer risk when focusing on updating software for security issues. Most security updates released by the MSRC will be rapidly deployed to hundreds of millions of systems worldwide helping to protect customers from attacks in a very short timeframe, and the software being updated is being used by hundreds of thousands of applications on all sorts of hardware in all sorts of scenarios.

“So it is imperative that the update has been rigorously engineered and tested in order to avoid creating any type of disruption to these systems. During this time, the MSRC monitors for signs that the vulnerability, or variants, are being used in active attacks.

“The MSRC does this by using comprehensive telemetry systems, as well as data and information provided by customers and partners around the world and the rest of the industry. This approach helps Microsoft balance between the potential urgency of releasing an update for a particular vulnerability and ensuring high confidence that the update will address the vulnerability, all of its variants and maintain the functionality and stability that customers expect from the affected products.”

He said that for the majority of issues the MSRC is able to release high quality and comprehensive security updates to customers well before any indication of attacks, and well before they are disclosed publicly. However, there are exceptions. In some cases attacks are already under way, so the MSRC has to compress testing to release updates quickly. Also, when there are attacks, it releases workarounds within days that can block those attacks even without the updates. Usually these take the form of a ‘fix-it’ that can protect customers with one click or be easily deployed throughout the enterprise.

Pointing to the active template library vulnerability that was disclosed at last year's Black Hat Conference, Reavey said that it took over a year to coordinate that release, and in the end, even the finders themselves understood and commented that with the complexity involved, taking over a year was not unreasonable.

He said: “When seemingly simple security issues, such as a memory corruption bug, affect multiple different products, the coordination and calibration can drive longer timelines so no product, or customers of those products are left behind.

“There have been cases that are such deep architectural changes that they can take multiple years to fully resolve or may not be able to be resolved in some of our older products. Usually these issues result from new threats emerging that product designs or assumptions couldn't anticipate. Changing those assumptions for products that have been in market for several years does take time and coordination so customers and applications can work effectively with them.”

He concluded by claiming that resolving security issues has always been, and will always be, a priority for the MSRC, and that it will continue to work to improve its processes, but it must always strike a balance between timeliness and quality.

Even though vulnerabilities are disclosed and often with little time given to the MSRC to create, test and release a patch, the actions of the centre are admirable and I rarely hear criticism of its processes. While exploits are increasing with strength and depth, I think it is time to appreciate what sort of a task the MSRC is really up against, and welcome the patches when they are released.

 

BDNA launches in the UK to search, discover and collate IT assets

Dan Raywood July 30, 2010

This week saw the launch of BDNA in the UK, whose products ‘map out the DNA of IT assets within organisations’.

Calling itself an ‘IT Genome company', it has set out to solve the biggest problems facing enterprise IT organisations, namely global asset visibility and management, effective asset utilisation and overall cost reduction.

Speaking to SC Magazine, the company's CTO Walker White explained that BDNA was founded to build a catalogue of hardware and software to use as a reference log of what has been released.

He said that customer feedback on the original product offering was that it ‘is useful but we need to understand what we have got’. He said: “We developed the ‘Insight’ flagship inventory solution, and the IT Genome strategy is BDNA getting back to the roots and understanding from a reference point what is in the environment.

“The analogy to genomics is a very good one, and we have been able to say, using our inventory solution, customers have been able to save literally hundreds of clients' environments. What has become clear is that the differences from one client to the next are very small but the outcomes are very different: one organisation will be very secure with that DNA and another is insecure.”

At the core of the technology offering is ‘Technopedia', what BDNA calls the world's most comprehensive encyclopaedia of major software and hardware products, containing more than 9.5 million market data points on nearly 87,000 IT products.

White said that this development was ‘the subtotal of work to capture an exhaustive collection of hardware and software’. He said that it categorises what is on the network and captures when each piece of software was last updated and when its end of life is.

Its IT Genome strategy is based on the theory that every enterprise has an IT Genome - the complex of hardware, software, processes and policies that define the contours of an IT infrastructure and the value it delivers. This comprises its suite of products and services taking advantage of Technopedia to discover, normalise and enrich IT data.

White said: “The IT Genome strategy is about understanding the core components of an organisation that are the foundational building blocks to all of the other processes and projects that are going on and BDNA is capturing that data, setting it up and capturing with relevance as a result of having Technopedia as a source of the two offerings.”

It has launched BDNA ‘Discover’ and BDNA ‘Normalise’ into the suite as product offerings. BDNA ‘Discover’ is an inventory solution that does not require administrative access to the endpoint: it attaches to the network and queries the device for its configuration. BDNA ‘Normalise’ works with Technopedia to normalise and enrich the software data that Discover collects.

White mentioned that ‘waste' is able to be determined, and when asked what he meant by ‘waste', he said: “Unutilised or underutilised assets in software and hardware, we have clients who normalise software using BDNA to discover what they have. As we move forward there is nothing to stop us latching up to anything we want to normalise. BDNA Discover looks at anything that is IP enabled.”

One area that can benefit from this sort of identification is licensing and software asset management. Chris Gomes, pre-sales technical consultant Europe at BDNA, said: “We did a project with a customer and they were using F-Secure anti-virus, and by using Discover to normalise and enrich, we were able to discover that some computers didn't have anti-virus at all, while on some machines the anti-virus was installed but because the user had elevated privileges, they were able to stop the service and we were also able to find out-of-date software.”
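One way to see what Gomes describes in practice, as an added example that is not BDNA's code: the raw strings a discovery scan returns for installed software are normalised against a small reference catalogue, and each host is then checked for missing anti-virus, an anti-virus service that is not running (with a note when the logged-on user is a local administrator and so could have stopped it), out-of-date versions and end-of-life products. The catalogue, the host records, every product name other than F-Secure, and all versions, service names and dates are constructed for the illustration.

```python
"""Normalise a raw endpoint inventory and flag security gaps.

Added illustration, not BDNA code. A discovery tool returns messy,
vendor-specific strings for installed software; normalising them
against a reference catalogue is what lets you ask which hosts have
no anti-virus, which have it but stopped, and which run end-of-life
software. Every host, product string, version, service and date here
is constructed for the example.
"""
import re
from datetime import date

# Constructed reference catalogue (a stand-in for a product database).
# Patterns, service names, versions and end-of-life dates are made up.
CATALOGUE = {
    "F-Secure Anti-Virus": {"category": "antivirus", "service": "fsav",
                            "pattern": r"^f[- ]?secure\s+anti[- ]?virus\b",
                            "latest": (9, 1), "eol": None},
    "Acme PDF Reader": {"category": "document", "service": None,
                        "pattern": r"^acme\s+pdf\s+reader\b",
                        "latest": (7, 2), "eol": None},
    "Acme Office": {"category": "office", "service": None,
                    "pattern": r"^acme\s+office\b",
                    "latest": (12, 0), "eol": date(2009, 7, 14)},
}

VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)")


def parse_version(text):
    """'9.01' -> (9, 1); returns () when no version is present."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()


def normalise(raw):
    """Map a raw installed-software string to (canonical name, version).

    Returns None for products not in the catalogue; a real deployment
    would queue those for catalogue enrichment rather than drop them.
    """
    for name, entry in CATALOGUE.items():
        m = re.match(entry["pattern"], raw, re.IGNORECASE)
        if m:
            return name, parse_version(raw[m.end():])
    return None


def assess_host(host, today):
    """Return the list of findings for one host record."""
    findings = []
    products = {}
    for raw in host["software"]:
        hit = normalise(raw)
        if hit:
            products[hit[0]] = hit[1]

    av = [n for n in products if CATALOGUE[n]["category"] == "antivirus"]
    if not av:
        findings.append("no_antivirus")
    for name in av:
        # A missing service entry counts as not running: the product is
        # installed but is not protecting the host.
        if host["services"].get(CATALOGUE[name]["service"]) != "running":
            why = ("user_is_local_admin" if host["user"] in host["local_admins"]
                   else "unknown")
            findings.append(f"antivirus_stopped:{name}:{why}")

    for name, ver in products.items():
        entry = CATALOGUE[name]
        if ver and ver < entry["latest"]:
            findings.append(f"outdated:{name}:{'.'.join(map(str, ver))}")
        if entry["eol"] and entry["eol"] <= today:
            findings.append(f"end_of_life:{name}")
    return findings


def report(inventory, today=date(2010, 7, 30)):
    """Findings per host; hosts with no findings are listed with []."""
    return {h["host"]: assess_host(h, today) for h in inventory}


# Constructed discovery output for three workstations.
INVENTORY = [
    {"host": "ws-001", "user": "CORP\\jsmith",
     "local_admins": ["CORP\\jsmith", "Administrator"],
     "software": ["F-Secure Anti-Virus 9.01", "Acme PDF Reader 7.2"],
     "services": {"fsav": "stopped"}},
    {"host": "ws-002", "user": "CORP\\bwhite", "local_admins": ["Administrator"],
     "software": ["Acme PDF Reader 7.1.3 (English)", "Acme Office 11.0"],
     "services": {}},
    {"host": "ws-003", "user": "CORP\\alee", "local_admins": ["Administrator"],
     "software": ["FSecure Anti Virus v8.0", "Acme Office 12.0"],
     "services": {"fsav": "running"}},
]

if __name__ == "__main__":
    for host, findings in report(INVENTORY).items():
        print(host, findings or ["ok"])
```

The normalisation step is the part that matters: without it, "F-Secure Anti-Virus 9.01" and "FSecure Anti Virus v8.0" look like two different products to a naive count, and a host with a stopped service looks fully covered on a licence report. Keying each finding by host lets the same output feed both a licence reconciliation and a follow-up on who has local administrator rights they do not need.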

This launch in the UK, following a new strategy launch in the US in April and in France in June, is in response to rising demand from organisations globally to have solutions that enable full visibility into their IT infrastructures, according to Paul Winters, UK country manager for BDNA.

He said: “This combined with the fact that IT infrastructures are constantly changing and evolving, makes it difficult to keep track of IT assets and their current status.  Enriching asset data with content and context is essential for making informed business decisions.

“The ability to maximise the value of key IT initiatives such as virtualisation, software licence compliance, data centre consolidation and green IT and others depends on your ability to accurately see the state of your IT infrastructure.  The IT Genome strategy provides the content required for any strategic IT initiative – discovering, normalising and enriching asset data to reduce IT cost.”

 

Your use of this website constitutes acceptance of Haymarket Media's Privacy Policy and Terms & Conditions