Microsoft looks forward to Black Hat conference, as it explains its reasons for sleeping with the enemy

Dan Raywood July 28, 2010

Today marks the start of the Black Hat conference in Las Vegas, Nevada.

At the time of writing there is no real revelation of what vulnerabilities will be disclosed, although there are rumours of a widespread phone hacking that will take place at the Def Con conference, also being held in Las Vegas.

Last year saw vulnerabilities revealed on platforms including the Apple iPhone and Microsoft Internet Explorer. Microsoft, often one of the most attacked and vulnerable IT platforms, has said that it will be at Black Hat, with its security response centre (MSRC) among the sponsors of the show.

MSRC director Mike Reavey claimed that Microsoft attends the show because 'Black Hat has always been a reflection of, and driven by, the community: like-minded people from all walks of life and professions with a shared interest in advancing the state of security'.

Microsoft recently revamped its disclosure rules and, with a major flaw in Windows remaining unpatched, Reavey explained that today's threat landscape is one that is shifting constantly.

He said: “The realities of today's threat landscape point to a world that has shifted from a variety of participants with various motives to one of two sides - those who intend to harm or commit crime and those who intend to prevent harm and fight crime.

“As an industry and community, philosophical differences or competition aside, we should be in this together. Our own welfare as individuals and a collective community is at stake with unseen criminals who show no indication of backing down. It's our hope that this effort to shift to a shared responsibility of coordination and collaboration is something that is carried beyond Black Hat as we progress and evolve as a global community of defenders.”

 

The moral rights and wrongs on an internet kill switch

Dan Raywood July 21, 2010

I often follow the blog of security guru Bruce Schneier and a recent entry particularly caught my eye.

He pointed to a story, originally published on AOL.com News, which claimed that there was a bill (text here) that could give the President the authority to shut down all or portions of the internet in the event of an emergency.

Schneier claimed that this was not a new idea: Senators Jay Rockefeller and Olympia Snowe proposed the same thing last year, and some argue that the President can already do something like this. However, if this or a similar bill ever passes, the details will change considerably and repeatedly.

Looking at the concept of an internet kill switch though, Schneier said that it was a bad idea as 'security is always a trade-off of costs versus benefits'. He said: “So the first question to ask is what are the benefits? There is only one possible use of this sort of capability, and that is in the face of a warfare-calibre enemy attack.

“It's the primary reason lawmakers are considering giving the president a kill switch. They know that shutting off the internet, or even isolating the US from the rest of the world, would cause damage, but they envision a scenario where not doing so would cause even more.”

He pointed to several flaws in the plan, primarily that while international connectivity can be cut off, there are still plenty of ways to get online, such as with satellite phones, obscure ISPs in Canada and Mexico and via long-distance phone calls to Asia. Also, even if all packets coming in from one nation were to be blocked, it would not work, as you cannot figure out what packets do just by looking at them. “If you could, defending against worms and viruses would be much easier,” he said.

“Packets that come with return addresses are easy to spoof. Remember the cyber attack on 4th July, 2009, that probably came from North Korea, but might have come from England, or maybe Florida? On the internet, disguising traffic is easy. Foreign cyber attackers could always have dial-up accounts via US phone numbers and make long-distance calls to do their misdeeds.”

He also claimed that as the internet is the most complex machine mankind has ever built, shutting down portions of it would have all sorts of unforeseen ancillary effects – such as its effect on ATMs, stock markets and infrastructure.

He said: “Even worse, these effects would spill over internationally. The internet is international in complex and surprising ways, and it would be impossible to ensure that the effects of a shutdown stayed domestic and didn't cause similar disasters in countries that we are friendly with.”

He further claimed that such a system could not be built securely, as 'an enormous security vulnerability' would be created. “We would make the job of any would-be terrorist intent on bringing down the internet much easier,” said Schneier.

“Computer and network security is hard, and every internet system we have ever created has security vulnerabilities. It would be folly to think this one wouldn't as well, and given how unlikely the risk is, any actual shutdown would be far more likely to be a result of an unfortunate error or a malicious hacker than of a presidential order.”

He concluded by saying that the main problem with an internet kill switch is that it is 'too coarse a hammer': the good guys far outnumber the bad guys, and shutting the internet down, either the whole thing or just a part of it, even in the face of a foreign military attack, would do far more damage than it could possibly prevent.

Schneier said: “For years we've been bombarded with scare stories about terrorists wanting to shut the internet down. They're mostly fairy tales, but they're scary precisely because the internet is so critical to so many things.

“Why would we want to terrorise our own population by doing exactly what we don't want anyone else to do? A national emergency is precisely the worst time to do it. Just implementing the capability would be very expensive; I would rather see that money going toward securing our nation's critical infrastructure from attack.”

I wanted to highlight this opinion because I thought it presented an interesting global perspective on a questionable solution that IT managers face. In the event of a major incident in an organisation, the possibility of blocking internet access is available, but what Schneier suggested presents a different aspect. If you have ultimate power, is it your right to use it?

 

Disclosure of a flaw leads to pupil being segregated from lessons and grilled by the police

Dan Raywood July 20, 2010

Earlier this week I covered a story that claimed that voluntary disclosure was pointless if the reporting company were to receive a fine.

Fair point, and the debate between Stewart Room and the Information Commissioner's Office is one worth considering. So, in a different environment but in the same vein, I came across a blog today that described a scenario worth examining.

Its author, 'Complex360', a pupil who describes himself as an 'Xbox security F***er upper' and 'someone who needs a real hobby', talked about his discovery of a vulnerability in RM Connect that allows file intrusion. He said that he used shortcuts to create a link to a hidden drive/server/folder so that its contents could be seen, which would be 'a very dangerous thing in an establishment like a school', as pictures, phone numbers, addresses, academic targets and current levels could be found.

He said: “I, just as much as anyone, didn't want someone like above-mentioned to access this.”

From this, Complex360 said he had three options: release the exploit online on some full disclosure website, leaving the personal details of potentially 100,000+ students at risk; keep quiet and run the risk that someone else could discover what he had discovered and use it for bad purposes; or copy everything and post it to the internet, leaving nearly 1,500 past and present students vulnerable.

However, he claimed that what he did was 'the right thing, report it'. He said: “I told Mr Sanderson (a maths teacher who saw me creating an HTML file for easy access) because I felt like if anyone could tell it how it really was it would be him. This way, they could patch the hole and everything would be alright. This is obviously the most practical thing to do as I didn't want anyone's, especially myself and my friends, information stolen and used against us.”

He also talked of giving a demonstration to the IT technicians and a representative from Research Machines, with four solutions to patch the hole without using third party tools. He said: “I would like to make it apparent now that I didn't damage, edit, or corrupt anything, I merely found it was possible and reported for everyone's good.”

However, this good conduct has led to Complex360 being taught separately from other students at his school, to his father talking to senior staff and then to him talking to the police about it, on the grounds that he committed a crime by 'viewing confidential files'.

He said: “This recent drama has made me truly realise why people go black hat, it seems there would have been fewer repercussions in releasing it on some full-disclosure site. You would have thought that with recent paedophile abduction attempts that the securing of data would be something they would be thinking heavily about, but apparently not.”

I know very little about who Complex360 is, but it is easy to sympathise with him (I assume he is male), considering that he decided to report the flaw rather than publicise it. After all, he reported this to the company in question; can you imagine Microsoft reporting a vulnerability finding to the informant's parents?

He claimed on his Twitter page that the day in question is today, and asked some ethical hackers for help. Considering the criticism that was levelled at Tavis Ormandy after he gave Microsoft five days to fix a problem before going public with details of a flaw, I guess it is easy to take his side. The bigger concern is his claim that the 'recent drama has made me truly realise why people go black hat': is this sort of treatment breeding the next generation of hackers?

 

A salute to the people of Coventry as research reveals it to be the UK's most spammed town

Dan Raywood July 16, 2010

It is not my intention to make Security Cats a place to discuss areas of a sporting nature, despite this being my second football-related post in a week.

Despite this, I have decided to pay some sympathy towards the people of the city of Coventry. Let's be honest, the last century has not been kind to them: their city was devastated by the Luftwaffe during the Second World War, and even the phrase 'being sent to Coventry' has become a common term for being ostracised.

The football angle relates to Coventry City's decline in fortunes since their FA Cup win in 1987 against Tottenham Hotspur, to them now languishing in the Championship for too many years. As if these instances were not damaging enough, a survey this week by Symantec Hosted Services found that the fair city of Coventry was the most spammed city in the UK.

Based on data compiled over a ten-month period, the research identified Coventry to have the highest spam rate with 92.8 per cent, ahead of Dudley (92.1 per cent), Wigan (91.3 per cent) and Blackburn (91.2 per cent).

Paul Wood, MessageLabs intelligence senior analyst at Symantec Hosted Services, pointed to the fact that no city or its residents are free from attack, and claimed that industries such as manufacturing, automotive and building and construction, which may employ many people, receive less spam.

However I say we should salute the people of Coventry, Lady Godiva may be long gone and the 20th century has treated you badly, but stand proud and strong and do not let the cyber criminals diminish your spirit. If it does, put Oggy back in goal and have Kilcline defeat them in an arm wrestling contest, that'll show 'em!

 

Visa set to improve its 'verified by' process with the addition of one-time PIN number technology

Dan Raywood July 14, 2010

Among my conversations with those outside of the security circle there are many who understand the basic concept of anti-virus and one-time passwords and their benefits.

However, passwords are often a challenge, as the same logins tend to be used for several sites and often need to be reset after a certain period of time. One such authentication process is the 'Verified by Visa' process that often appears on internet shopping sites after a sale has been approved.

As an internet shopper myself, this extra level of protection is welcome, but it adds a level of frustration in that a password, which I invariably forget, needs to be remembered for that crucial ticket booking or purchase.

So it was with a huge sigh of relief that I was told about the launch of a smartcard that will make this process much easier. With the same design as a credit card and acting in the same manner as two-factor authentication cards from the likes of RSA, CRYPTOCard and VeriSign, the Visa CodeSure card has a chip on the front, while the back has a magnetic strip, numerical buttons and a PIN display.

The instructions tell me to press down the C/M button and then six, choose a PIN and press OK. A one-time code is then displayed. The only criticism here is that the card is a little flimsy, but pressing the buttons on the card works better when it is placed on a solid surface, such as a desk.

I want to try out the card and do some spending! I decide to buy some CDs from CD Wow, one of the approved vendors in this scheme, with which I am not registered and for which, ironically, I have to sign up with a new password. As this card comes pre-loaded with money, I make my choice and go to the payment page. I enter the details from the card and am taken to the 'Verified by Visa' authorisation page.

However, because I have registered the CodeSure card, this time it is different! Rather than asking me for a password, which I have invariably forgotten and have to reset, it asks for the one-time password from the back of the card, which is activated by entering a pre-set PIN.

Entering the PIN gives me a one-time password with which I complete authentication, and my order goes through. Thankfully the card provided has money pre-loaded, but I assume that you can use the card to authenticate having paid with another card, or perhaps 'Verified by Visa' will aim to add this technology to other cards.
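To make the mechanism in the walkthrough above concrete, here is an added example that is not the blog's or Visa's code. The post does not describe the CodeSure card's algorithm, key size or counter handling, so the example models the card with HOTP (RFC 4226) and assumes three things: the PIN only unlocks the keypad and never enters the code calculation, the card and issuer share a secret and a counter, and the issuer accepts a small look-ahead window so codes generated but never submitted do not lock the cardholder out. All names, the secret and the PIN are constructed for the demonstration.

```python
"""PIN-gated one-time password, modelled on RFC 4226 HOTP.

Added illustration; the CodeSure card's real design is not on the page and
everything about the card and issuer below is an assumption for teaching.
"""
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Card:
    """Model of the handheld token (assumption: PIN stored as a hash, three-try lockout).

    The PIN gates the device; the code depends only on the shared secret and
    the counter, so a guessed PIN on a stolen card yields nothing without the
    card itself, and the PIN never travels to the merchant or the issuer.
    """

    MAX_FAILED = 3

    def __init__(self, secret: bytes, pin: str) -> None:
        self._secret = secret
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._counter = 0
        self._failed = 0

    def generate(self, pin: str) -> Optional[str]:
        """Return the next code, or None when the PIN is wrong or the card is locked."""
        if self._failed >= self.MAX_FAILED:
            return None
        candidate = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(candidate, self._pin_hash):
            self._failed += 1
            return None
        self._failed = 0
        code = hotp(self._secret, self._counter)
        self._counter += 1  # each press consumes a counter value
        return code


class Issuer:
    """Server side: same secret, last accepted counter, small look-ahead window."""

    WINDOW = 5  # tolerate up to four codes generated but never submitted

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._last_accepted = -1

    def verify(self, code: str) -> bool:
        """Accept the first counter in the window that matches; never re-accept an old one."""
        start = self._last_accepted + 1
        for counter in range(start, start + self.WINDOW):
            if hmac.compare_digest(hotp(self._secret, counter), code):
                self._last_accepted = counter  # advances past any skipped codes
                return True
        return False


def demo() -> dict:
    """Walk through the checkout flow with constructed values and return the outcomes."""
    secret = b"constructed-demo-secret-not-a-real-key"
    card = Card(secret, pin="4921")
    issuer = Issuer(secret)
    results = {}
    results["wrong_pin"] = card.generate("0000")            # card shows nothing
    code = card.generate("4921")
    results["first_accept"] = issuer.verify(code)           # checkout succeeds
    results["replay"] = issuer.verify(code)                 # same code again is refused
    card.generate("4921")                                   # two codes pressed at the desk
    card.generate("4921")                                   # but never typed in
    results["skipped_within_window"] = issuer.verify(card.generate("4921"))
    return results


if __name__ == "__main__":
    print(demo())
```

The issuer compares codes with `hmac.compare_digest` and advances its counter past any skipped values, which is what stops a code seen once by a merchant (or a keylogger) from working a second time; the static 'Verified by Visa' password the post complains about has no such property.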

Visa claimed that a card with an alphanumeric display, a 12-button keypad and a battery embedded in it will significantly reduce online fraud further, and that because the cardholder is required to enter their PIN for each online transaction, the Visa CodeSure card will prevent any unauthorised use.

Having trialled this personally, and despite having to return a faulty card and then succeeding first time with a replacement, I can vouch for the security and practical benefits it offers. I guess there is a challenge in remembering a PIN rather than a password, but with stories often covered on passwords written on Post-it notes, in diaries or reused for ease of remembering them, Visa has gone some way to solving that problem.

 

As the World Cup comes to an end we ask what technology lessons have been learned?

Dan Raywood July 12, 2010

At the end of a month of football and 64 games we now find office conversation returning to work and bandwidth returning to normal.

With the World Cup in the hands of Spain and the men's Wimbledon title in the hands of fellow countryman Rafael Nadal, this has been arguably the most demanding summer ever when it comes to providing bandwidth for employee demands to watch the sporting events.

At the start of the tournament I considered the likelihood of this being the first 'techno-friendly' World Cup, particularly considering that in the 2006 tournament the likes of Twitter and Facebook existed but were barely used, and blogging was for the enthusiasts. At the end of this tournament, the national press has used the Tweets of pundits and fans for content, while iPhone applications guided fans through the calendar of matches.

From a security perspective, we predicted that malware would be present throughout and we were not let down, with constant detections of suspicious downloads. Symantec's July state of spam and phishing report revealed that the volume of messages with World Cup keywords in the subject line is more than nine times higher during this tournament compared to that of 2006.

It also detected a 'substantial' increase in gaming sites and betting brands that have been ‘spoofed' to capitalise on the popularity of the World Cup. These included fraudulent gaming sites providing fake FIFA offers, while phishing websites spoofed Google's social networking site Orkut to take advantage of the celebration of special occasions.

Steve Owen, director of information security at Interoute, noted that the number of attacks directly targeted at Spain and the Netherlands at the end of Sunday after the final ‘rose in tandem with World Cup fever'.

He said: “From Friday, Spain took the top spot as the most attacked country – becoming the most targeted country in Europe for vulnerability and denial-of-service attacks – registering a massive 65,750 attacks over the 48 hours. However, Sunday saw the number of attacks directed straight at Spain increase by an impressive 96.2 per cent during the match alone – peaking at 112,288.

“The Netherlands also experienced a 273 per cent increase in the number of attacks during the match, but even this was not enough to claim second place.

“By Monday morning, as World Cup fever started to calm down, the number of attacks fell with it. Attacks on Spain fell by more than 50 per cent, whilst attacks levelled at the Netherlands fell by more than three-quarters.”

Also at the start of the tournament we considered the other factor of this being a ‘techno-friendly' World Cup, with employees taking a chance to watch the games played during the day while at work. Following the annual Wimbledon championship and events such as the inauguration of President Barack Obama in January 2009, IT departments were probably braced for the worst when it came to demands for streaming coverage of the matches.

Ipswitch found that global bandwidth use increased by over a third during the World Cup, with UK bandwidth use rising 43 per cent to 95 per cent. On average, in participating World Cup nations bandwidth use hit 81 per cent.

Ennio Carboni, president of Ipswitch's Network Management Division, said: “Network managers have been telling us just how much of an impact the World Cup has had on bandwidth use. Over two million people turned to web-based streaming services from ITV in the UK, taking the corporate network perilously close to falling over.

“We believe in John Chambers of Cisco's vision that video represents the next phase of ubiquitous communication among corporations. While social in nature, the World Cup experience highlights the stresses video has on network infrastructure and the tasks facing network administrators today. Your business depends on your network for successful operation. Users making use of video streaming services can put a considerable strain on companies' networks, resulting in bandwidth chokes and even outages, in addition to exposing them to security threats.”

Andy King, area director UK and northern Europe at LANDesk, claimed at the start of the tournament that this was the time to start seriously considering changing the employee user policy.

Speaking to SC Magazine this week on whether a change of policy was likely to happen, King admitted that he was seeing organisations put in place enough bandwidth to get sight of the type of user and what they were viewing.

Calling this a 'soft request', King said: “We saw organisations where they provide a session, but they will make an example of someone and send them an email asking them about their activity. There is more concern because there are widgets and applications that you can download. I know of someone who is a tennis fan and downloaded a tennis application called 'Slamtracker', I asked was it tested or controlled at all? You need to check with IT first.

“Controls are the same with policy. If you allow an iPhone to be connected into a computer it is just for charging but block everything else out.”

Asked if it is a question of there not being enough bandwidth, King said: “No, as most companies have enough bandwidth to cope, but you do not want to stop work. But in an internet world, you expect the internet to work.

“People are prepared for now but the challenge is of how to prepare for something you do not know about. You do not know what happens next but you can prepare for the worst.”

In a blog post Chris Merritt, director of solution marketing at Lumension, claimed that there were ‘six IT security lessons learned from the World Cup', and likened IT security to playing football in the dark - where the lights only come on when the opposition scores a goal. He said: “The outside world may only see those goals, but we know how hard we worked, and will continue to work, to prevent them. By taking some lessons from seemingly unlikely sources, perhaps we can stretch that interval between lights-on.”

His list of six key points included: expect the unexpected, as it is really a matter of when, not if, things go wrong, so have a response plan in place, with defined actions and responsibilities, and test it before you need it; and do not just hope for the best, as he still hears about people relying on obfuscation to protect sensitive information, or not taking even the simplest steps to patch the OS and apps on their machines.

He also recommended using technology to put some teeth into your security policy; playing defensively 'when the opposition is on the attack'; realising that you are up against the whole world, as that is where your adversaries are and they are motivated to get what you have; and finally keeping working at it, because as you develop and implement your IT security plan you need to prioritise and get some quick wins.

The past four weeks have been a learning process for so many people on so many levels; taking this education and using it in regular environments is the next stage.

 

Just how big is the security industry, and is there in fact too much choice when it comes to appropriate technology?

Dan Raywood July 06, 2010

I recently met with Simon Church, UK managing director of Integralis, who informed me that there are around 800 vendors in the security space.

Integralis, which describes itself as 'doing pure integration services with vendor technology and delivering solutions with managed services', is able to see an overview of what is happening within the industry, and Church's revelation of the size of the industry may not be surprising to some.

Church said: “There are now 800 vendors of security solutions and we are trying to find the right service.” He also admitted that it is a challenge, but it is interesting to go to the smaller stands at Infosecurity Europe and meet with companies who may have cool technologies that he may not even know about.

“A few weeks ago I took a solution to a customer with lesser known technologies, we are trying to reposition ourselves, but it is about good and bad practice and the ability to manage people,” said Church.

This made me think: with all of the acquisitions that have taken place in this industry, particularly over the last 12 months, I had assumed that the industry was in fact becoming too narrow, with niche providers snapped up by larger organisations keen not to miss the boat.

At a recent industry roundtable with Websense, I met Louis Gamon, information security co-ordinator at John Lewis and the director of administration at ISSA. He commented that there is a challenge for professionals in his position to choose the appropriate solution.

He said: “I am not going to spend £1 million on things that I will then throw out, I do not neglect current risks but I have to be sensible and prioritise on what we do and focus our attention.”

I asked him how he chooses solutions from the apparent selection of 800 or so technology vendors. He said: “You have to pay attention to analysts and we follow Gartner. We go for the 'innovative' rather than the 'leader' or what models fit our environment. We have to get advice and guidance from somewhere and we talk to colleagues and what is working. There is a reasonable amount of information sharing.”

Back in March the Jericho Forum launched a self-assessment tool to check the effectiveness of an IT security product against its commandments. This enables vendors to differentiate their products, based on a three-tiered scoring process that assesses how well their product or solution satisfies the requirements implicit in each commandment. A ‘passed' product will be able to display the Jericho Forum's ‘Self-Assessed' logo on its website and marketing materials.

Much like the internet and the universe, with so much innovation and interest in this sector it is hard to measure just how big this industry actually is. Okay, so I am exaggerating, but after concerns voiced in the past about acquisition ‘narrowing' the industry, in fact it seems that there is more than enough of a selection of inspiring technology.

If you are working as a security manager, how do you select products? Alternatively if you work for a technology vendor, how are you selling to buyers, and how much does analyst influence, as mentioned above, mean to you?

 

Will the introduction of the .xxx domain make any difference to the internet?

Dan Raywood July 05, 2010

I was interested in an article that appeared in the Guardian over the weekend which looked at the debate and controversies around the .xxx domain.

It focussed on the approval of the .xxx top-level domain (TLD) for adult websites last week, something that SC Magazine looked at last year. It said that the Florida-based British internet entrepreneur Stuart Lawley won the right last week to start selling registrations that were devoted to pornographic content. He believed that the first amendment guaranteeing free speech means any attempt by US legislators to corral sex sites into .xxx is doomed to fail.

He also hopes that within five to ten years '.xxx will be synonymous with adult online entertainment and will be the first location people look for it'.

When we looked at this last year, my question was: 'Would this allow websites to become more generalised for their content?' This has both positive and negative impacts, particularly as media brands branch out and do not want to be pigeon-holed by a specific detail.

So what is the option? To buy up every domain that relates to a company or brand? Well arguably yes. As MarkMonitor, a member of ICANN, explained to me last year, its main activity is to help brands protect their identities online and find rogue sites ‘and deal with them, offering litigation and trying to reclaim it'.

So now that .xxx has been registered, would brands be expected to buy up domains that feature their company name in order to protect themselves? Charlie Abrahams, vice president and general manager EMEA at MarkMonitor, said that the company remains fairly sceptical that the .xxx domain will make much difference to anything.

He said: “Well trafficked ‘porn.com' sites are likely to stay where they are, as there is no good reason to change and a .xxx extension will not, in itself, protect minors from viewing .com sites. Also it is just another place to police.”

As I said earlier, this could have a positive impact. Frederick Felman, chief marketing officer of MarkMonitor, spoke on issues surrounding TLDs recently. He claimed that a new class of TLDs with character sets of a specific geographic nature will be introduced very soon. He said: “This will be good for individual businesses to target markets and for changes and with fraud.”

I am unsure how many .xxx websites will spring up immediately, primarily because of the stigma attached to a legitimate site and the likelihood of such sites taking the domain up.

On the other side brands may want to buy the right to ‘their' .xxx domain to protect their future online identity, and also there will be opportunities for short term guerrilla marketing campaigns - can you hear me Lady Gaga?

 

Scareware now being sold over the phone as scammers change tactics

Dan Raywood July 02, 2010

We are all aware of the threat of rogue/fake anti-virus/scareware and how easily it can catch unsuspecting users out, particularly as so much attention is given to 'ensure you have anti-virus installed'.

However, a new threat has emerged, with an increase noted in cold calls that attempt to sell fake or cracked anti-virus software. ESET claimed that the scam often works with the caller pretending to be calling from, or affiliated with, high-profile companies such as Microsoft, and using domains such as go4sapling.com, supportonclick.com and metsupport.com.

They reportedly frighten the victims into believing their computers are infected, then offer to rectify the non-existent problem for a charge. ESET said that it has heard of people paying between £45 and £79 to have the computer cleaned, with the promise to install a different anti-virus product.

The vendor, and I am sure many others, becomes aware of this only when the customer calls to enquire about error messages warning that virus signatures are out of date.

David Harley, director of malware intelligence at ESET, acknowledged that rogue anti-virus is a growing problem, and noted that with low internet telephony rates it is just as cheap to call a victim as it is to wait for them to drop by your website.

He said: “Like most scams this one relies on social engineering techniques to convince the user it's genuine. Unfortunately attacks like this only make it harder for consumers to tell the difference between security truth and falsehood. Which is, of course, part of the scam: at the same time as the bad guys are making money, they're attacking the reputations of legitimate security organisations and vendors.”

As someone who thought the days of chain letters were over, with all threats now utilising the power of the web, this comes as something of a shock. After all, where are the customers' phone numbers being sourced from? Are scammers trawling the phone book for potential victims, or are they dialling and hoping?

Or is technology similar to that behind phishing and spam emails being used, with compromised systems making these calls? Or are scammers now using call centres to sell their wicked wares?

ESET advised anyone receiving such a call to put down the phone and contact their anti-virus provider directly, with a swift 1471 to find the caller's number if possible.

 

A look back and forward at significant threats of 2010 and how they were predicted

Dan Raywood June 30, 2010

At the start of the year we looked back at the threats of 2009 and forward to those of 2010, and in the 2010 preview in particular we considered what threats there would be this year.

This week I had an email from Fortinet, whose opinions were included in our preview when it came to a discussion on the cloud. Derek Manky, project manager for cyber security and threat research at Fortinet, pointed out ten significant points made by the company and what has happened since.

1) Security, virtually speaking

January 2010: “Preventing infections from cross pollinating between virtual machines will be key in securing virtual movements of servers.”

June 2010: With the ongoing progression of virtualisation, it becomes important to treat each virtual machine as if it were a physical box. For example, a worm could easily hop inter-VM on the same machine to another machine that has a completely different set of access credentials, creating a more potent infection. Virtualisation adds another level of complexity, further widening the security gap. We have seen some interesting developments this year, including a unique Flash crash (potentially exploitable) that only occurs in a virtualised environment.

2) Information, protect thyself

January 2010: “Information-centric security, rather than container-centric security, will be necessary in the next decade as access to data will continue to evolve outside the traditional network.”

June 2010: Today, information can be stored anywhere: digital cameras, printers, picture frames, thumb drives, laptops/netbooks, etc. The number of containers is growing, while the sensitive information remains relatively the same. This is why enterprises and administrators need to think about policies and a security framework that police information as it comes into and out of the network, no matter what the container.

3) Get your head, not your security, out of the cloud

January 2010: “Adopting cloud-based services opens organisations up to many risks and vulnerabilities as information travels to and from protected networks via a public pipe, creating many more opportunities for data infection or theft.”

June 2010: Information continues to flow through public pipes. For example, Facebook has now introduced social plug-ins. Information that is already available from one source is bound to be integrated into other public platforms, spreading potentially sensitive data through cyberspace. Once information leaves your fingertips, it becomes very difficult to control. Thus, it is extremely important to safeguard your information before it leaves your fingertips and ultimately your data store/network.

4) Don't throw the apps out with the bath water

January 2010: “Second-layer security will be adopted to help enterprises have better application control beyond just allow or not allow.”

June 2010: As a packet travels, it will be shaped frequently. Second-layer (‘layered') security is like a waterfall filtering process with each tier able to extract hazardous material before it makes it to the next step. An example scenario with application control would be legitimate application traffic making it through the ‘allow policy', only to abuse the application as the traffic arrives at the client. Intrusion prevention would be a good second-layer security mechanism in this example.
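The waterfall described above, as an added example that is not Fortinet's code or part of the original article: a first layer that allows or denies by application identity, and a second, IPS-style layer that inspects only the traffic the first layer let through. The packets, the application policy and the two signatures are constructed for illustration; the application label on each packet is assumed to have been assigned by an upstream classifier. Note the decoding step before signature matching: without it, a URL-encoded payload walks straight past a pattern written for plain text.

```python
"""Two-layer ('waterfall') filtering: application control, then payload inspection.

Added example with constructed packets, policy and signatures; not vendor code.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    app: str        # application identity, assumed assigned by an upstream classifier
    payload: bytes


# Layer 1: application control. Anything not listed is denied (default deny).
APP_POLICY = {"http": "allow", "dns": "allow", "bittorrent": "deny"}

# Layer 2: IPS-style signatures, applied only to applications the first layer allowed.
# Constructed patterns for illustration, not a real signature set.
IPS_SIGNATURES = {
    "http": [
        ("sql-injection-tautology", re.compile(rb"(?i)'\s*or\s+'?1'?\s*=\s*'?1")),
        ("path-traversal", re.compile(rb"\.\./\.\./")),
    ],
    "dns": [
        ("oversized-query", re.compile(rb"^.{200,}$", re.S)),
    ],
}


def layer1_app_control(pkt):
    """Coarse allow/deny decision based solely on application identity."""
    return APP_POLICY.get(pkt.app, "deny")


def normalise(payload):
    """Undo percent-encoding so signatures see the bytes the application will see."""
    return unquote_to_bytes(payload)


def layer2_ips(pkt):
    """Return the name of the first matching signature for this application, or None."""
    data = normalise(pkt.payload)
    for name, pattern in IPS_SIGNATURES.get(pkt.app, []):
        if pattern.search(data):
            return name
    return None


def inspect(pkt):
    """Run the packet through both tiers. Returns (verdict, reason)."""
    if layer1_app_control(pkt) != "allow":
        return ("deny", f"app-control:{pkt.app}")
    hit = layer2_ips(pkt)
    if hit:
        return ("deny", f"ips:{hit}")
    return ("allow", "clean")


# Constructed sample traffic: one clean request, one abusive request that the
# allow policy alone would pass, one application the policy denies outright.
SAMPLES = [
    Packet("10.0.0.7", 80, "http",
           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("10.0.0.8", 80, "http",
           b"GET /login.php?user=admin'%20or%20'1'%3D'1 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("10.0.0.9", 6881, "bittorrent", b"\x13BitTorrent protocol"),
]


def run_samples():
    """Inspect each constructed packet and return the verdicts in order."""
    return [inspect(p) for p in SAMPLES]


if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLES, run_samples()):
        print(f"{pkt.src}:{pkt.dst_port} {pkt.app:<11} {verdict:<5} {reason}")
```

The second packet is the scenario in the text: legitimate-looking HTTP that the allow policy passes, caught only because the second tier looks inside it.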

5) Security and network services aren't strange bedfellows

January 2010: “A natural evolution with the trend in consolidating network devices is to integrate more network functionality into security devices.”

June 2010: This is the foundation for today's unified threat management (UTM) solutions. Devices such as Fortinet's FortiGate product line allow both application control and intrusion prevention on one device. While they both have different goals, the underlying packet inspection technology allows enhancement on both sides. As the attack surface grows, appropriate security technology needs to be developed to counterattack. Integration of these technologies and ease of management is critical for threat mitigation from an administrative standpoint.

6) CaaS vs. SaaS

January 2010: “Cyber criminals will take a page from the new Security-as-a-Service (SaaS) business model to implement their own Crime-as-a-Service approach, a criminal ‘environment for hire', so to speak.”

June 2010: Crime services have been openly available in 2010, most notably through the use of simplified botnets. These botnets report statistics back for quality control, so that the operators selling services (‘loads') can inform their customers when and where their malicious software was installed. We also continue to observe the Cutwail spam bot being distributed with different identification numbers. These are customer IDs, with each hired bot sending spam for the customers who bought them.

7) Scareware and affiliates find new ground

January 2010: “With consumers becoming wise to scareware, cyber criminals are expected to up the stakes in 2010 by holding consumers' digital assets hostage for ransom.”

June 2010: The rise of ransomware is no longer a myth, it's a reality. We have witnessed several variations of ransomware emerge in 2010, from SMS-based locks to ones that kill applications until the user has paid the recovery fee. Detection levels have grown stronger in 2010, with variations of ransomware making their way into our top ten threat listings. While volume increases, attack strategy and technology continue to grow increasingly sophisticated. Combine this with solid encryption algorithms, and there is no doubt that ransomware will continue to plague cyberspace through the remainder of 2010 and beyond.

8) Money mules multiply

January 2010: “Unwitting consumers may find themselves accessories to a crime as cyber criminals find new ‘mules' to launder their ill-gotten gains.”

June 2010: We have observed numerous instances of this trend and highlighted several examples in our threat reports. These socially-engineered attacks dupe users into fraudulent jobs that may sound innocent by description. Typically, the recurring job descriptions we observed in 2010 were accounts receivable ones, which involved the candidate receiving and forwarding funds while taking commission. Be very cautious of such promises, as there are legal implications.

9) Multiple platforms in the crosshairs

January 2010: “With a growing number of users on new platforms, cyber criminals will target their attacks beyond Microsoft Windows.”

June 2010: We have seen an increase in mobile threat activity. Symbian OS still remains a favoured attack platform - viruses such as Yxes are becoming increasingly sophisticated, while others, such as Enoriv, are just starting to emerge. As other operating systems such as Android continue to gain momentum, they, too, could shortly pose similar threats.

10) Botnets hide through legitimate means

January 2010: “Botnets will no longer just obfuscate their binary codes to escape detection. Instead, they will piggyback on legitimate communications vehicles to propagate and cloak activities.”

June 2010: This year several new botnets have come into scope, each using common protocols such as HTTP to do their dirty work. Botnets that existed before 2010 continue to remain strong and develop their protocols to obfuscate activity. This year we discovered webwail, a web-based scripting engine that can create accounts through the web (such as Yahoo, Hotmail, GMail, etc) and then spam through them. To do this, CAPTCHAs are cracked dynamically by a third party, so that the web bot may proceed as if it were human. While we have only observed webwail to create and send spam, our analysis indicates it is much more capable.
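Bots that ride on HTTP do not look like malware on the wire, so the defender's handle is behaviour rather than protocol. As an added example, not part of the Fortinet write-up or of the original article, the script below runs two simple heuristics over constructed web-proxy log lines: a client that contacts one host at near-constant intervals (command-and-control beaconing), and a client that fires many account-creation POSTs in a short window (the webmail signup abuse described above). The log format, hosts, addresses and thresholds are all invented for illustration; the signup path list is an assumption a real deployment would replace with its own.

```python
"""Spotting bot behaviour hiding in ordinary HTTP traffic.

Added example over constructed proxy log lines; not real data and not vendor code.
Heuristic 1: beaconing - one client hitting one host at near-fixed intervals.
Heuristic 2: signup bursts - one client POSTing to an account-creation path many
             times within a short window.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log, one request per line: "<ISO timestamp> <client> <method> <host><path>"
SAMPLE_LOG = """\
2010-06-14T09:00:00 10.0.0.5 GET update.example.net/check.php
2010-06-14T09:05:00 10.0.0.5 GET update.example.net/check.php
2010-06-14T09:10:01 10.0.0.5 GET update.example.net/check.php
2010-06-14T09:15:00 10.0.0.5 GET update.example.net/check.php
2010-06-14T09:20:00 10.0.0.5 GET update.example.net/check.php
2010-06-14T09:01:12 10.0.0.7 GET news.example.org/
2010-06-14T09:03:40 10.0.0.7 GET news.example.org/sport
2010-06-14T09:17:05 10.0.0.7 GET news.example.org/weather
2010-06-14T09:02:00 10.0.0.9 POST mail.example.com/signup
2010-06-14T09:02:03 10.0.0.9 POST mail.example.com/signup
2010-06-14T09:02:07 10.0.0.9 POST mail.example.com/signup
2010-06-14T09:02:09 10.0.0.9 POST mail.example.com/signup
2010-06-14T09:02:12 10.0.0.9 POST mail.example.com/signup
2010-06-14T09:02:15 10.0.0.9 POST mail.example.com/signup
"""

# Assumed account-creation endpoints; a real deployment would use its own list.
SIGNUP_PATHS = ("/signup", "/register", "/createaccount")


def parse(log):
    """Turn log lines into (timestamp, client, method, host, path) tuples."""
    events = []
    for line in log.splitlines():
        ts, client, method, url = line.split(" ", 3)
        host, _, path = url.partition("/")
        events.append((datetime.fromisoformat(ts), client, method, host, "/" + path))
    return events


def find_beacons(events, min_hits=4, max_jitter=0.05):
    """Return (client, host) pairs whose inter-request gaps are nearly constant.

    Jitter is the coefficient of variation (stddev / mean) of the gaps; human
    browsing is bursty and scores far above max_jitter, a timer does not.
    """
    by_pair = defaultdict(list)
    for ts, client, _, host, _ in events:
        by_pair[(client, host)].append(ts)
    beacons = []
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            beacons.append(pair)
    return beacons


def find_signup_bursts(events, window_s=60, threshold=5):
    """Return clients that POST to a signup path at least `threshold` times
    within any `window_s`-second window (sliding window over sorted times)."""
    posts = defaultdict(list)
    for ts, client, method, _, path in events:
        if method == "POST" and path.lower().startswith(SIGNUP_PATHS):
            posts[client].append(ts)
    flagged = []
    for client, times in posts.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                flagged.append(client)
                break
    return flagged


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("beaconing:", find_beacons(events))
    print("signup bursts:", find_signup_bursts(events))
```

On the constructed data the five-minute poller to update.example.net is flagged while the irregular news browsing is not, and the six signups in fifteen seconds trip the burst rule. The thresholds are deliberately naive; real logs need per-host baselines, and a bot that randomises its sleep defeats the jitter test, which is why the two heuristics are run together rather than alone.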

 