Sony Vaio announces launch of new range of business laptops

Dan Raywood February 03, 2010

This week I attended the launch of the new business and consumer range of laptops from Sony Vaio.

Sadly I was unable to get my hands on one to give it a proper trial, but with retro ‘spaced’ keyboards along with a lightweight build incorporating solid-state hard drives among the features, these are certainly aesthetically pleasing and comfortable to use.

I spoke to Chris Hirst, Vaio business category marketing manager at Sony UK, who explained that the business ‘Z’, ‘Y’ and ‘S’ ranges have a price scale that takes into consideration the depreciation of value along with power, portability and materials.

So firstly to look at the S series, they weigh 2kg with a battery and are made from tough, yet lightweight magnesium alloy. They are powered by the latest generation of energy-efficient Intel Core processors and performance is boosted by up to 4GB of fast DDR3 RAM that gives plenty of space to run all of your applications.

It has a 13.3” Vaio display with LED backlight, while selected models feature a backlit keyboard with an ambient light sensor. The same light sensor adjusts screen brightness on all models for comfortable viewing while cutting power consumption.

There is also a multi-touch trackpad for comfortable, positive operation.

Built-in security features include advanced HDD protection that safeguards your data from disk crashes – even while you are booting up or preparing to go into hibernation mode.

Connectivity includes three USB ports and HDMI for enjoying your full HD media collection on a connected TV. Even if you are far away from a WiFi hotspot, optional Vaio Everywair 3G mobile broadband keeps you connected at download speeds up to 7.2Mbps.

The ‘Y’ series is more lightweight at 1.8kg and it features magnesium alloy for extra strength and Vaio signature cylindrical hinge styling. It also features the same display as the ‘S’ series, while selected models include Vaio Everywair 3G mobile broadband and the standard battery life is up to nine hours.

Finally the ‘Z’ series, launched in mid January and due out in March, features Quad solid-state drives that can write data in parallel on a maximum of four SSDs. It weighs under 1.45kg and features a palm rest manufactured from a single, thick slab of aluminium.

This also features Vaio Everywair 3G mobile broadband, a 13.1” screen with LED backlighting, while the built-in ambient light sensor detects when ambient surroundings are dark, automatically switching on keyboard backlighting for accurate typing while dimming screen illumination to save power.

Hirst explained that there was a reason why the business range was sized this way. He said that while the netbook serves a purpose ‘it is not made for multi-tasking as you need resolution on the screen and power to do it’.

Hirst said: “These feature the new core processor from Intel and this is part of the core ethos, 3G is also installed across this range as we realise that people have smartphones and want WiFi capabilities. There are a lot of dongles available where it needs hardware, while this is convenient to connect to a wireless network.”

Commenting on the solid-state hard drive (SSD), Hirst said that SSD has been restricted by its size, and if you drop the computer the needle can hit the platter and break it. However with the SSD setup you are more protected, and with the sheer amount of process, you can get data out faster. He also commented that people do not back up enough, and this is another benefit to SSD.

In terms of security, Hirst said: “It includes fingerprint security, and also a trusted platform module to encrypt data. The fingerprint is ‘huge’ as you can log on to your banking website or applications or link any procedure to the fingerprint. This also comes with McAfee trial software.”

Tax and HMRC related scams continue with popularity, as public hopes for a rebate are exploited

Dan Raywood February 03, 2010

The deadline for filing self-assessment tax returns has not brought an end to phishing messages intended to trick web users.

Despite HMRC telling customers that it only informs them of tax refunds by post and that they should not respond to such phishing emails, reports were made of a highly lucrative criminal scam in the run up to Sunday's tax return deadline.

The latest scams take advantage of the number of people waiting to hear whether they are eligible for a tax refund. Phishing messages now tell people that they are due a rebate and ask them to complete online forms with their bank or credit card details in order to receive it.

Phil D'Angio, security expert at VeriSign, said: “Key dates such as tax return deadlines present golden opportunities for fraudsters to target people made vulnerable by processes that they may find confusing. But whatever the occasion, phishing sites are easily spotted when we know what to look out for.

“In this case, Revenue and Customs issued clear directions – taxpayers will only be informed of tax returns by post, so any emails claiming to be from this body should be ignored. However, phishing scammers don't need a specific date or deadline as an excuse to attempt to defraud individuals – emails asking for confirmation of personal information of any sort, those promising cheap online deals or emails issuing warnings on closures of bank accounts should all be deleted without taking any action.”

Trusteer, a browser security and fraud prevention specialist, said that these reports prove the increasing ingenuity - and topicality - of cyber criminals. Its CEO Mickey Boodaei claimed that HMRC attacks are twice as successful as banking phishes for the simple reason that taxpayers are tempted by the prospect of a cash rebate direct to their bank account.

He said: “The ‘carrot’ of free cash also persuades many internet users to lower their normal credulity guard and, when they see a choice of bank sites from the ‘HMRC landing page’, they click on the link and immediately start entering their bank and other personal details.”

He further encouraged users to ‘fire up a search engine and look for reports of a possible scam on the internet’ when they receive what appears to be a free cash giveaway or deal that looks very tempting.

For example, entering the words ‘HMRC tax refund email’ into Google returns a series of links. The first one says: “HM Revenue and Customs (HMRC) would not inform customers of a tax rebate via email, or invite them to complete an online form to receive a rebate of tax...”

Boodaei did claim that HMRC is the perfect phishing target, as it allows the cyber criminals to set up one page and one email message that target all banks at once, instead of setting up a different message for each bank. This is much more efficient.

Secondly, while many online bankers know not to follow links to their bank's website, a message from HMRC seems less suspicious.

“Cyber criminals are using automated tools to generate these attacks and therefore they can generate a high volume of attacks in a very short space of time,” said Boodaei.

Mick Paisley, head of information security and business resilience at Santander, said: “There is no end to the tricks fraudsters will use to try and pull the wool over the eyes of an unsuspecting public. The nature and timing of this phishing makes it hard for people to ignore and the promise of money back from anyone is interesting; the promise of money back from the taxman is, to many people, far too good to let pass.

“Unfortunately, this type of timely attack could see many people falling for it. We would urge all Alliance and Leicester customers to do all they can to protect themselves. First, be wary when clicking on a link in an email from an external source.

“Most importantly, our internet banking customers should download and install the free Trusteer Rapport software, which protects users from sharing their banking details with these fraudsters, while also allowing us to take aggressive action to take down these criminal sites as quickly as possible.”

How the last ten years have changed in the cyber threat climate

Dan Raywood January 25, 2010

I had an interesting email today from ScanSafe, who detailed the prevalent threats from each of the last ten years.

You could argue that cyber threats became more prevalent in 2000 with the ILOVEYOU worm, but it is also interesting to see how threats have evolved too. Mary Landesman, senior security researcher at ScanSafe, listed the threats by year as follows:

1. 2001: Loveletter steals free internet access

Modern malware is commercially motivated – instead of writing malware for ego gratification, today's attackers are using malware to make money. The Loveletter worm combined social engineering (love letter for you) with a password-stealing Trojan designed to harvest ISP usernames and passwords. The intent: to provide free Internet access to the worm's author.

2. 2002: JS/Exception bombs usher in malicious marketing

In mid-September 2001, the Nimda worm began its rapid spread around the globe, facilitated by multiple means of propagation. One of the methods included modifying any .htm, .html, or .asp pages found on infected systems. The worm also spread by exploiting several vulnerabilities in Microsoft IIS, furthering the worm's ability to infect web pages. As such, Nimda can be viewed as a pioneer in malware's eventual move to the web.

3. 2003: Sobig worm popularises spam proxy Trojans

January 2003 ushered in the Sobig worm, a significant threat not fully appreciated until Sobig.E and Sobig.F appeared in the summer of that same year. Sobig-infected computers were outfitted with a spam proxy, enabling mass-mailers to send large volumes of unwanted email via victim computers – even harvesting the victims' own email contacts to add to the spammers' mailing lists.

4. 2004: Bagle worm vies for dominance to harvest addresses and account information

The monetary gains to be had from harvesting email addresses became even more apparent during the subsequent email worm wars in early 2004. Beginning with MyDoom and the Bagle worm, an interloper (Netsky) quickly jumped into the fray. The authors of Bagle then began coding variants of their worm that, in addition to dropping their own malware, would also remove Netsky. In turn, the Netsky author began neutering the MyDoom/Bagle infections while adding his own malicious code to the system. This prompted a response from the Bagle authors; hidden in Bagle.K's code was the message, “Hey Netsky, f*ck off you b*tch, don't ruin our business, wanna start a war?”

5. 2005: Bot-delivering breaking news alerts

Following the worm wars, named threats became fewer as attacks became more overtly criminal and profit motivated. To bypass technology, clever attackers began incorporating a much higher degree of social engineering in their attacks. In January 2005, following the previous month's tsunami in the Indian ocean, scammers began targeting people's fear and curiosity through breaking news alerts. Links in the email that claimed to point to headline news actually pointed to malicious malware that turned victim computers into bots.

6. 2006: The as-yet-unnamed Storm worm emerges

By 2006, the Storm botnet was formally underway, though not named as such until January 2007, after a bogus breaking news alert claimed “230 dead as storm batters Europe”. Coincidental to the alert, a very real storm in Europe did cause loss of life, thus earning the Trojan family (and its associated botnet) its new name, Storm.

7. 2007: MPack publicity popularises exploit frameworks

In 2007, publicity around MPack led to heightened adoption of exploit frameworks in general, laying the groundwork for managed web attacks. The release of free or low-cost SQL injection tools followed in the autumn of 2007.

8. 2008: Goolag and automated injection attacks complete cloud-based malware-as-a-service

In 2008, remote discovery tools such as Goolag further cemented cloud-based malware delivery via the web. These attacks quickly proved profitable and shifted the value proposition from spam and malicious marketing to stolen FTP credentials and intellectual/financial property theft. Cloud-based distribution of malware also increased the sophistication of malware creation kits, thus doubling the volume of malware with exponential year-over-year increases.

9. 2009: Gumblar incorporates and expands a decade's evolution of malware

The 2009 Gumblar attacks can be viewed as the culmination of a decade's evolution of criminal/profit-motivated malware. Gumblar creates two sets of botnets: client-side traditional backdoors and a second, never-before-seen botnet comprising thousands of backdoored websites. Gumblar includes a forced redirect revenue stream for the Gumblar creators, thus providing instant monetisation, as well as long-term potential profits via its ability to intercept, tamper with and steal internet and network communications. Gumblar also includes the ultimate in social engineering – turning perfectly good, reputable websites against their visitors.

10. 2010: ?

If the poorly coded and fairly innocuous Loveletter ushered in the beginning of the decade, and the highly sophisticated, multi-pronged Gumblar is ending the decade, one can only wonder – and worry – at what the next ten years may bring.
Manchester United take out social networking insurance against player rants

Dan Raywood January 19, 2010

After incidents involving footballers Darren Bent and Ryan Babel, the current Premiership champions have wasted no time in ensuring that nothing as embarrassing happens to them.

In a statement on its official website, Manchester United said: “The club wishes to make it clear that no Manchester United players maintain personal profiles on social networking websites. Fans encountering any web pages purporting to be written by United players should treat them with extreme scepticism.”

Although a report by epltalk.com revealed that members of the team had been tweeting, accounts have been removed for Wayne Rooney, Ryan Giggs and Darren Fletcher, and Wes Brown's Facebook account has also been removed.

However this is a shrewd move by Sir Alex Ferguson and the corporate communications team at Old Trafford. Liverpool and Netherlands striker Babel wrote on his Twitter page about his frustration at being left out of the Liverpool squad. He said: “I never had a fight with the manager. I always kept quiet. Where did it go wrong? You have people who support me and don't support me and one day, you will see what I'm capable of. Will it be at LFC or somewhere else? — I have faith.”

Former Tottenham and now Sunderland striker Bent has felt the wrath of the football press, who labelled him a ‘twit’ for his outburst last year, and although he had a promising start to the season, he is among those likely to be left at home by England for the World Cup this summer.

Manchester United has now limited the opportunity for players speaking out of line, and embarrassing the club in the media. I suspect that other clubs will follow suit, and this could spin into sensitive businesses too.

The only shame in this is the fact that the likes of Dimitar Berbatov and Michael Carrick will not be able to publicly rue their decisions to abandon White Hart Lane, but let's wait for the next social networking site to take off, and see how savvy Manchester United is when it does.

A look back at the first week of Operation Aurora and what impact it could have

Dan Raywood January 18, 2010

All of the news on SC at the moment seems to revolve around the Google cyber attack last week.

Although that is what it is being called, it is not really justified to label it as just an attack on Google as it has now been revealed that Juniper was also affected. So while we seek out a general term (McAfee has labelled it Operation Aurora), I caught up with senior vice president of marketing at ArcSight, Reed Henry.

I asked him what was being targeted in this instance. Henry said that in China there are at least 250 known hacking groups, according to a US Congressional Report, and these groups go for valuable assets.

Henry said: “In the case of this cyber attack, they also had a political purpose in gaining access to the Gmail accounts of Chinese dissidents. The same skills and technologies are deployed by cyber criminals to perpetrate all these crimes, which in turn make these groups valuable weapons to be harnessed by nation-states.

“The cyber criminals have evolved their skills and sophistication to such an extent that they can breach the four walls of any company they target. So rather than just focus on keeping them out with defences they will breach, the focus needs to be on detecting and responding to an attack quickly before damage is done.”

As we have found with Juniper, and I am sure we will see with other companies who will reveal in time that they have been hit, this is more than problematic. I asked Reed, could this affect second and third level partners?

He said: “If this is truly a case of intellectual property theft, then all partners party to a portion of that intellectual property could be targeted as well via the same phishing technique or another tailored exploit, assuming the attackers knew who the third parties are.

“These targets would include both outsourced and collaboration partners who design, build, and manufacture portions of the products involved. It is also feasible that once malware gets inside a business, it propagates across the internal network and reaches a partner network and systems via a VPN or shared IT infrastructure.”

Further, could this lead to more hacking attempts? He said: “This attack is not unusual and similar attacks happen everyday against a targeted company. This attack showed off the sophistication of the attacker as a zero-day exploit was built against an undisclosed vulnerability. With cyber attacks it is just a matter of time before a company is attacked and breached, so what is important is that the breach is detected early and responded to rapidly.”

Should companies be prepared to secure themselves against vulnerabilities, both known and unknown?

“Businesses are in a precariously risky situation these days. Cyber criminals have evolved their skills and techniques to such an extent that they can breach the four walls of any company at will. Today's cyber attacks are well organised, sophisticated, and targeted, not random, aimed at specific businesses or organisations seeking to steal valuable information for resale or fraudulent use,” said Henry.

This story has now been around for almost a week, and it shows little sign of going away. I asked Reed how long he feels this will go on for. He said: “Companies will be vulnerable to this particular exploit until they patch their systems with the fix, when it is available. So expect it to carry on for months and months. There will be many more types of these attacks on the heels of this one. If cyber criminals want to breach a particular company, they simply can if they persist.”

Reed further claimed that there was nothing special about this breach, as these types of breaches happen more and more often and are not unusual or unexpected. As this was a zero-day attack against an unknown vulnerability in a ubiquitous software suite that was distributed to target companies via phishing emails with malicious file attachments, it is a complicated yet commonplace occurrence with cyber criminals today.

He said: “The bottom line is companies are flying blind and unaware of what is happening in their networks, so certainly expect a lot more damage to occur without companies knowing about it. If the attack focus is intellectual property don't expect to hear about it in the news. There are no breach notification laws for IP theft. If personal data is stolen we might hear about it if the target company's home country has breach notification laws.”

A year in headlines on SC Magazine: September - December

Dan Raywood December 23, 2009

In the final part of our look back at what made the headlines on SC Magazine this year, today we focus on September to the present day.

We started September with the website for the Apache Software Foundation being taken offline after being compromised by an SSH key, while on the 4th reports appeared about Ealing council facing a bill for half a million pounds after its compromised systems failed to work for several weeks.

Five days later, Rodney Joffe, senior vice president and senior technologist of Neustar, who is also a director of the Conficker Working Group, claimed that this was a Conficker attack. This was not the last we heard of the notorious worm either, as Oxford Brookes University was hit later in the month. Joffe claimed that this was a sign that things would only get worse.

On the 18th September we reported on plans by the Conservatives to change the authority of the Information Commissioner's Office. October saw the annual RSA exhibition, where I talked with rogue trader Nick Leeson, while the journalist fraternity joked about the debacle that was National Identity Fraud Prevention Week, which was eventually revealed to be a marketing campaign by a paper shredder company.

However, maybe a shredder would have come in handy after we were encouraged by F-Secure to write down passwords to help us remember them. Certainly scandalous, but the benefit of having secure but complex passwords was highlighted following the publication of more than 10,000 passwords for webmail accounts.

A report by PandaLabs revealed at the end of September that almost a quarter of UK small businesses do not have any security software, and 98 per cent spent less than £1,000 per annum on security solutions. The solution arrived the following day with the introduction of Microsoft's Security Essentials free anti-virus software. This is certainly not the first free download or hosted anti-virus, but a major launch when you consider the vendor.

Microsoft was back in the headlines, although it was barely out of them during 2009, on the 22nd October with the launch of Windows 7 in what was arguably the last major launch of the year.

The Digital Britain report had its largest developments in this period: at the beginning of September several musicians spoke out against UK government proposals to kick file-sharers off the internet. These plans were confirmed at the end of October in a speech by Lord Mandelson, where he explained that the proposal was to offer a ‘three strikes and you are out’ strategy.

The first criticism of this was by TalkTalk, who claimed that the plan was based on file sharers being ‘guilty until proven innocent’ and constituted an infringement of human rights. Further, we reported that more than 17,000 had signed a petition against the proposed law on the 24th November.

One of the major criticisms came from the fact that cut-off file-sharers could use somebody else's WiFi to get back on to the internet. An investigation by TalkTalk found that most houses in a suburban street had unsecured connections, while an investigation by the BBC Watchdog programme revealed the insecurity of public WiFi.

The end of October and beginning of November brought some major domain stories, with the Guardian Jobs site hit by a rumoured SQL injection, while customers of T-Mobile found that a rogue employee had been selling their details on to third parties.

Twitter won the dubious ‘honour’ of being the last reported compromise when users were redirected to a page promoting the Iranian Cyber Army. Although they were not left with the worst reputation, that ‘honour’ went to Facebook, who decided to change its privacy settings once again, to almost universal criticism from its members.

In malware, we were left to decide whether the Space Invaders game created as an art project was a Mac Trojan, as proclaimed by Symantec. Creator Zach Gage spoke to SC about this and admitted that it was ‘potentially dangerous software’, and said that he was ‘cool’ with it being described as malware.

November also saw the first worms for the Apple iPhone. Admittedly they only affected ‘jailbroken’ models, but while the appearance of Rick Astley was considered a joke, genuine worms followed in the next few days that created anything but laughs. The Astley worm creator Ashley Towns got a job in what was generally perceived to be a PR stunt.

So moving to the end of December, the last reported data loss belonged to the Ministry of Defence, who lost a laptop along with its encryption key, while Adobe's vulnerability in Acrobat and Reader will be patched in mid-January.

For the last big story of the year (probably), Howard Schmidt was appointed by President Obama as the cybersecurity coordinator, leaving us with a positive message for the end of 2009.

So that concludes our look back at what made the headlines in 2009, and I hope that we can exceed this next year so in 12 months time we look back with a bit more of a positive view.

A year in headlines on SC Magazine: May - August

Dan Raywood December 22, 2009

In the second part of our look back at what made the headlines on SC Magazine this year, today we focus on May through to the end of August.

As the world worried about the impact of the H1N1/swine flu virus, the cybercriminal fraternity did not, as news of a malicious PDF began to spread, something that spun into a continuing story about remote workers and the challenges posed when patching.

On the 12th May Twitter users started a trend to reveal their porn names, which sent the security industry into an education lockdown. This was followed on the 22nd May by warnings from Trend Micro about a phishing campaign regarding the microblogging site, particularly a typo-squatting site at ‘Tvviter’ that aimed to catch out unaware users, trick them into signing in and allow hackers to steal login details.

Google was forced to apologise on the 15th May when a traffic jam, caused by an error in one of its systems, led it to direct some of its web traffic through Asia, and saw around 14 per cent of its global users experiencing slow services or even interruptions.

The search engine was quick to deny claims that it had experienced a distributed denial-of-service (DDoS) attack, an attack that became more prevalent in July when North Korea was accused of DoS attacks on American and South Korean websites, while Twitter experienced two similar attacks in mid-August.

First reports of the Gumblar botnet emerged on the 19th May from ScanSafe, while T-Mobile, who would have further bad news in November, was forced to play down reports of a hacking with customer details advertised for sale online.

The first news of a US cybersecurity czar came on the 29th May, with details given of what they would need to do the job. SC asked if the UK would be, or even should be, the next country to appoint a similar high-ranking individual, and plans were loosely announced a couple of weeks later by the Prime Minister to launch a national cyber security centre. However any plans that Obama had were quickly dropped after Melissa Hathaway stepped down on the 4th August.

There were two major product announcements in this period: firstly Microsoft revealed plans to roll out its ‘Security Essentials’ free anti-virus software, while Google announced plans to release an operating system based on its Chrome browser.

News did not get any better for the internet giants as we moved through the summer though. Twitter suffered a hacking by ‘Hacker Croll’ when an administrative employee had her personal email account hacked, and Croll was able to gain information which allowed access to the employee's Google Apps account, which contained Docs, Calendars and other Google Apps that Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company.

Hacker Croll later detailed how they had carried out the attack, but not before the industry had spoken out on how this demonstrated a ‘lack of security in cloud computing’. Another web giant to be hit was Facebook, who came under extensive and detailed criticism by the Canadian Privacy Commissioner.

August was also not the best month for Microsoft, as it was blocked from selling 2003 and 2007 versions of its Word programme and was ordered to pay over £175 million for ‘wilfully infringing on a patent’ by Canadian firm i4i. Microsoft hit back at the ruling two weeks later, claiming that it was ‘not justice’.

August also saw reports coming from conventions in the US, with a Microsoft vulnerability revealed and subsequent patch released at the Black Hat conference, while reports emerged on the 12th August about a malicious ATM at the Riviera Hotel Casino in Las Vegas, where the DefCon conference was taking place.

In data loss, a huge fine was dished out to HSBC for the loss of 180,000 customer details, while McAfee accidentally distributed the full contact details of over 1,400 delegates on a bulk email.

To conclude, on a middle third with few things to laugh about, Gary McKinnon lost his High Court bid to avoid extradition to the United States.

Check back tomorrow for the last section of the year.

A year in headlines on SC Magazine: January - April

Dan Raywood December 21, 2009

To conclude our look back at 2009, over the next three days I will be looking at what made the headlines on the SC Magazine website.

So today it is January through to the end of April. When people first arrived back in the office they were warned of a ‘spamalanche’ by Expert Messaging that would leave the average employee with 450 emails and heavy users with up to 3,000 messages to open, with 70 per cent of the messages spam or unwanted email. Perhaps among them was an HMRC tax rebate scam which was described as ‘prolific’ by many security commentators and the former revenue, and gave an early warning on phishing campaigns in 2009.

The first report of Downadup/Conficker (whichever you prefer) came on the 19th January when F-Secure claimed that the total calculation was 8,976,038 infections worldwide and 353,495 unique IP addresses, which it claimed ‘is not getting better, it is getting worse’.

Two days after this, the Heartland incident set a precedent for data loss over the course of the year, when ‘unknown intruders had broken into its systems sometime last year and planted malicious software to steal card data carried on the company's networks’. This led to calls for companies to secure on all fronts, and to Heartland's founder, chairman and chief executive officer Robert Carr calling for better information sharing.

Staying with data loss, on the 26th January, the Home Office was described as having a ‘lucky escape’ over the PA Consulting incident, where the contractor lost an unencrypted memory stick containing the sensitive personal information of thousands of people in 2008.

This was followed by the appointment of a new Information Commissioner on the 10th February, on the same day that new US President Barack Obama ordered a review of the government's IT systems.

The Digital Britain report got its first mention on the 12th February when it was described ‘as a failure that only benefits the music industry’ by FAST, sparking a year-long parade of criticism. Another area that has seen criticism levelled over the past 12 months has been Facebook's privacy settings; the first changes were reported on the 17th February and a climbdown was reported the following day.

Also in legal news, the first of many stories regarding the extradition of Gary McKinnon appeared on the 26th February, while in product news the software blade architecture was launched on the 25th February and the first two-factor authentication application for the Apple iPhone was introduced the following day.

The first talk of a Conficker ‘activation' began on the 9th March with claims that a second attack was imminent; this was followed by huge speculation after Arbor Networks' Jose Nazario warned that the 1st April ‘attack' should be taken seriously. In the end not a lot happened on the day or on the following days; however, by the 9th April Trend Micro had detected variant ‘E', which utilises peer-to-peer file-sharing.

Moving back to March, the BBC botnet experiment led to days of speculation on its legality, while internet inventor Sir Tim Berners-Lee warned against the collection of users' data by commercial organisations, leading to major web organisations opting out of the Phorm system on the 25th March.

Amazon and Google also joined Microsoft in rejecting the Open Cloud Manifesto. While Google's Street View was undoubtedly among technology's finest inventions in 2009, not everyone felt the same, which led to Privacy International claiming that it violated the Data Protection Act, a view rejected by the Information Commissioner's Office on the 24th April.

There were several compromise incidents at the end of April: former Beatle Sir Paul McCartney had his website hit on the 8th April, the Home Office was hit by a malicious link that led to a Japanese adult site, and the Mikeyy cross-site scripting worm hit Twitter.

At the end of April we all headed off to RSA San Francisco and the InfoSec exhibition in London, where we announced the winners of the 2009 SC Magazine awards.

So that was the first four months; check back over the next two days for the rest of the year.


Do you really need to print off that email?

Dan Raywood December 17, 2009

I was on the tube last weekend and found what appeared to be a random piece of paper, but on closer inspection it turned out to be a printed-off email.

Now for reasons of data privacy, I will not reveal the offender's name or personal details, primarily because I have not been in contact with them about this, but to give some detail, it contains their name, job title, address, email, web address and four numbers for mobile, direct line, switchboard and fax.

The email also contains the names of around ten recipients and forms an evaluation of recent activities.

Now my first thought on collecting this was: could it be enough to commit identity fraud against the sender or one of the recipients? I turned to Dave Divitt, fraud solutions consultant at ACI Worldwide, who claimed that the email was an ‘interesting find'.

He said: “I think to go for ID theft with this information alone would be tough, but not inconceivable. I think more likely, as you had assumed, a targeted spear-phishing attack could happen to get the last few bits of info needed to start going for either corporate or personal ID theft. The danger is not as much the information (because much of it could be available via the corporate website), but the context and other people listed on the print-out.

“For instance I could try to pull up a random set of contact details from a corporate website, but crafting a phishing email that would trick them would be tough, however with this document as something real and relatable, I could make my email much more convincing.”

OK, so it is not enough for full-on theft, but there is the ability for spear-phishing and spam messages to be sent to the recipients – although I would have to guess their addresses as just their names are listed. But then again, what are the chances of them being on Facebook or LinkedIn, and could I create a webmail account, pose as the sender using an informal address and intercept them that way?

David Harley, director of malware intelligence at ESET, claimed that from the sound of the email it would be ‘enough to generate some form of targeted attack such as spear phishing, or a starting point for an attempt to gain access to privileged data using direct telephone or in-person social engineering'.

He agreed with Divitt, saying: “In itself, it probably wouldn't be sufficient for full-blown identity theft: however, it could well be a significant step towards aggregating enough data for some form of ID theft. Information that isn't too dangerous in itself can acquire a much more sinister aspect when it's used as support or corroboration of other information, or just as a starting point for data harvesting. (419s are notorious for using neutral information such as news items to “prove” the identity of the scammer.)”

So my grand plan of identity theft seems to be falling apart here (which for legal reasons I will point out that I would not do even if I could), but there is a message about another form of data leakage.

Divitt said: “Either way, it's definitely a case of thinking about what you let out into the public as you never know who might find it.”

So next time you are on your way out of a meeting and find you do not need your meeting details anymore, perhaps it may be best to dispose of that document in a secure fashion.


PayPal inadvertently confirms that its own message is a phishing scam

Dan Raywood December 04, 2009

I came across a blog by ESET's director of technical education Randy Abrams earlier today, where he claimed that PayPal had confirmed that its own email is phishing.

It began with him receiving an email that appeared to be a phishing message and contained links to the official site. He told them that ‘it was a bad idea to include a link in it because it looks just like a phishing email'.

The response thanked him for ‘forwarding that suspicious-looking email' and said ‘You're right – it was a phishing attempt and we're working on stopping the fraud. By reporting the problem, you've made a difference!'

OK, so if you read between the lines, you will see that PayPal has issued a standard response to anyone who sends a suspicious email to it, but the fact that this was issued as a reply to its own message is rather humorous. However, Abrams does raise a valid point that ‘legitimate businesses should never include links to log on pages, or most places'.

While it is encouraging that PayPal does encourage suspicious messages to be sent in, perhaps it would be best to read the contributions first so that security types do not get the last laugh.
