happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Rather surprisingly, Kaspersky Lab has forecast that the security threat landscape will increase by more than 20 million programs by the end of 2008 when compared to the 2007 year-end figures, a ten-fold increase no less. That is worth repeating: the number of new malicious applications in circulation by the end of 2008 will increase by 20 million according to Kaspersky.

OK, I am used to getting emails and press releases which are, shall we say, a little on the alarmist side in the run up to the annual InfoSecurity Europe show. And, true to form, that show is starting in about 10 days' time. However, the Kaspersky Lab malware forecast for 2008 is truly what we call in these parts a 'gob-smacker.'

According to Kaspersky Lab analysts, in 2007 the number of new malicious programs recorded on the Internet, including viruses, worms and Trojans, amounted to 2,227,415, which represents a four-fold increase on the results for 2006 (535,131). The overall volume of detected malware reached 354 GB in 2007. The number of new signatures added to the Kaspersky Lab antivirus databases in 2007 amounted to 250,000. According to its forecast, one million new signatures will be added to the databases in 2008.

David Emm, Senior Technology Consultant at Kaspersky Lab comments on the trend, "In addition to the quantity, the quality of malicious programs is also improving. New and more complex samples, such as the notorious Zhelatin (aka the Storm Worm), are emerging that demonstrate a …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

According to reports the general manager of Internet security with IBM has warned that "the security business has no future."

Speaking at the RSA conference in San Francisco, IT Pro says, Val Rahmani warned that the enterprise must fundamentally change security strategies if it is to have any success within the context of sustaining business.

It seems that IBM might have become tired of trying to keep on top of the latest security threats, the never ending cycle of success and failure that we are all too well aware of within the remit of attempting to fight the latest malware threats. Rahmani referred to this as an obsession with "fighting worms, trojans, viruses, insiders, outsiders, criminals, Martians. It's a futile pursuit" and is quoted as going on to add that "We keep rolling that boulder up the hill, and just when we think we've got there, along comes a new threat and we are starting all over again."

The answer to the problem would appear to be, at least according to IBM which just so happened to have acquired a dozen security companies during the last year alone, to focus on business sustainability instead.

Of course, business sustainability is really just security by another name. So that's OK then, and means that IBM can still spend the $1.5 billion that it has pledged this year on, err, security...

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

News is breaking that the European Commission could push for laws to restrict the personal search data held by search companies to no longer than six months, after which it must be discarded. The EC Article 29 Data Protection Working Party seems to be heading for a confrontation with search engine giants, most of whom hang on to such data for much, much longer.

The European Commission will argue that this data can be used to build profiles even when some identifying information is deleted, and historically the privacy implications surrounding such profiling have been made pretty clear it has to be said. Anyone recall the great AOL Search debacle when journalists were able to track individuals down despite identifying material being removed from the research database?

The Article 29 report recommends data should be deleted or otherwise made 'irreversibly anonymous' after it no longer serves any purpose and suggests that this would be an absolute maximum of six months.

Google insists that it was the first company to anonymise search logs and that user privacy is at the heart of all its products. Yahoo also says it is committed to providing clear and comprehensive privacy policies. Yet both, of course, retain that data for longer than six months. It will be interesting to see where we go from here and just how messy things get.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

According to engineering team insider Josh Wiseman, Facebook will start rolling out the long awaited Facebook Chat system this week. Although you might think that Facebook provides plenty of chatting opportunity already, courtesy of the Wall and Inbox functionality, the argument is that neither offer the immediacy of a true IM style chat system. Which is where Facebook Chat steps up to the plate and fills that gap.

"We'll be rolling this out slowly going forward, but fairly soon you'll notice our new Chat bar at the bottom of your browser - no installation or assembly required. From this bar you can view your list of online friends and open conversations with any or all of them. There's no need to setup a "buddy list." Unlike the Wall or Inbox, the messages are delivered and displayed to your friend as soon as they're sent, so you should expect a response right away and without any page loading" Wiseman says.

He also admits that chat is not a new concept, and that IM systems have been around for more than a decade. What he fails to mention is that, at least according to early reports, the Facebook Chat system will not integrate with any of them. This is strictly an in-house, Facebook to Facebook member chat feature.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

I would have looked at it from Jan 2007 plus 3 years equals Jan 2010, within 12 months of April 2008 equals before April 2009.

So the dates are wrong, by some 9 months - or put another way, nearly a year :)

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

There are lies, damned lies and statistics. Or something like that. However, there are also some really interesting figures emerging about online life right now which are worthy of repeating here.

How about this report that the number of web sites on the Internet has risen from, can you believe it, just 50 in 1992 to an astonishing 162 million today. That's probably worth repeating, 162 million web sites. Now how many have you bookmarked and how many, apart from DaniWeb and Google of course, do you visit every day?

Another report that has caught my eye is rather less joyful, although equally astonishing. It concerns the number of viruses and malware floating around, and predicts that the number will hit one million by the end of this year. Perhaps even more amazing is the suggestion that around 25 percent of all unique malware has been created in just the last six months of the 20 year history of viruses.

The final number is perhaps the most sobering though, and that is the 219,553 complaints about online crime that were received by the Internet Crime Complaints Centre last year. Of these 90,008 were referred to law enforcement agencies, and the total dollar loss for these referred complaints came to a whopping $239 million, a median loss of $680 per complainant.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

It should come as no surprise that the upcoming 'Patch Tuesday' from Microsoft should include critical patches covering the likes of VBScript and Jscript implementation in Windows 2000, XP and 2003. However, some reporters have expressed just a little astonishment that both Windows Server 2008 and Vista SP1 are also included in the latest patch run.

Apparently one of the five critical patches affects every version of Windows, and that includes both the latest server OS and the first of the Vista service packs. Windows Server 2008 was only released to the public five weeks back, and Vista SP1 just two weeks ago.

In the IT Pro report one security expert is quoted as suggesting that the patch may be related to the recent release of some protocols which might have attracted malware writers. The expert, Graham Cluley from Sophos, does also add that it could well be a case of including them in the patch now to save the possibility of having to do it later.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

According to unified threat management specialist Fortinet, Facebook users had better start paying attention to the postings that appear on their message wall within the popular social networking site. It appears that spammers are moving away from targeting third party applications, as evidenced in the recent 'Secret Crush' case, and are instead turning their attentions to posting deceptive messages containing links to spam sites on the wall.

Fortinet warns that by using genuine profiles to distribute these messages, spammers are able to overcome the trust issues that exist when renting or buying identities from underworld types. The full advisory can be found at the Fortiguard Center.

Fortinet has also published the findings of its March malware report, and this makes the usual somber reading it has to be said. It reveals that Sunday has become a spike day for malware activity, with four consecutive Sundays seeing an increase in activity that has pushed the Pushdo.EV Trojan to the top of the malware tree with 13.5 percent of all activity for the month. It achieved this by sending out animated e-cards that promised recipients pictures of naked ladies.

"Activities in the last month showed the strength of the Pushdo botnet, which is a clear indicator that the socially-engineered mass e-card approach continues to gain traction," said Derek Manky, security research engineer for Fortinet. "Consumers should be reminded that legitimate e-cards are not generally sent as attachments, but rather as links to …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Security provider Webroot has today published its State of Internet Security: Protecting Business Email research report and estimates that every single business email account will receive some 42,000 spams during the course of 2008. Or 116 junk messages every single day if you prefer. That is an increase of some 60 percent since 2004 according to Webroot, despite the investment made in spam filtering technology. It would seem that spammers are taking the lead when it comes to developing methodologies to beat the filters therefore.

Mike Irwin, COO at Webroot, agrees "The size and volume of these spam attacks is largely due to the partial success of current filtering defences that now make spamming success a numbers game. It's clear why first-generation defences such as appliances and server-based software are struggling to keep up."

The report goes on to confirm that it is not just spam that is causing problems for business, but malware growth as well: up from 50,000 variants in 2004 to some 5.5 million in 2007. Of course, spam remains a hugely significant vector of attack for deploying these new malware variants. One in five businesses that responded to the Webroot survey say that they had experienced a threat to sensitive or confidential online information during the course of 2007.

"Huge amounts of spam and malware can easily overwhelm the networks of small and mid-size businesses and, in some cases, even small countries. In our survey, more than half of the respondents …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

It really does beggar belief, doesn't it? :(

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

I am not an easily shockable person. Anyone who knows me, anyone who has seen me, will understand this. Indeed, other than the usual trio of sexual or racial abuse and mindless violence it takes a lot to drop my jaw in shame and despair while browsing the web. However, a bunch of numbnut griefers managed to achieve just that over the weekend when they used a combination of JavaScript coding and flashing animations with the intent to trigger fits amongst the users of an epilepsy support website.

According to reports one user suffered her worst epileptic attack in 12 months when she clicked on an offending post at an Epilepsy Foundation site forum. Confronted by a full screen of rapidly flashing squares in different colours she quickly "locked up" and was rescued by the quick thinking of her 11 year old son who killed the browser process and prevented a full fit from occurring.

The non-profit organisation responded admirably quickly and closed the site briefly on Sunday in order to purge the forums of the messages, and hopefully patch the security holes which allowed them to be posted in the first place.

The hackers responsible posted hundreds of messages via an automated script on Saturday, following up by injecting JavaScript into posts to redirect to another site with even more targeted pages designed to trigger the seizures in viewers suffering from both photosensitive and pattern-sensitive epilepsy.

Wired claims that …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Check it out: Google has turned the lights out and gone black, but it is only for today it seems. Apparently it is all in a good cause: Earth Hour, which invites people around the world to switch off their lights for an hour during the course of Saturday 29th March. That hour is between 8pm and 9pm in whatever your local time zone is.

"Given our company's commitment to environmental awareness and energy efficiency, we strongly support the Earth Hour campaign, and have darkened our homepage today to help spread awareness of what we hope will be a highly successful global event" a Google spokesperson said.

If you have been reading my blog long enough, and paying attention, then you might recall my mentioning something very similar here last year when a Google custom search site launched a black version of Google called Blackle which is still up and running and claims to have saved 535,178.192 Watt hours as a result. As a result of the background of a black Google using less energy to display on a monitor than a white one that is. A theory that has been dismissed by those who point out that it makes no difference on an LCD monitor, which most of us use today. Well, most of us in the developed world that is. When it comes to less fortunate, less developed, less well off nations the CRT still rules supreme.

So why isn't …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Google has today announced the launch of a tool to answer the kind of questions anyone posting video clips to YouTube is always asking, such as: who viewed my video, how did they find it, where did they come from?

YouTube Insight is free, and enables anyone with a YouTube account, and that includes users, partners and advertisers, to see detailed stats for clips that they have uploaded.

Stats such as how often their videos are viewed in different geographic regions, or maybe how popular they are relative to all videos in that market over a given period of time.

This looks really cool, especially when you dig deeper and discover stuff like being able to reveal the lifecycle of your video. Ever wondered how long it takes for a specific video to become popular, for example, or what happens to it in terms of views at that popularity peaks?

Just check out the About this Video button which is located under My account > Videos, Favorites, Playlists > Manage my Videos.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Researchers at web gateway security specialists Finjan have uncovered an underground crime data exchange service which is highly sophisticated in nature. The exchange, known as SellCVV2, promotes the sale of fraudulent credit card data, offering not only volume discounts for fraudsters with bigger ambitions, but guarantees as well.

According to Finjan, the site "appears to use Google's Blogspot service" and is "typical of a number of portals promoting the exchange of fraudulent card data." However, Yuval Ben-Itzhak, Finjan's chief technology officer, warns "what is apparent from the SellCVV2 site is the level of commercialization of the traders involved. Prices are segmented depending on whether a card is a Classic Visa or MasterCard, a premium account such as a Gold, Platinum or Business/Corporate card and its country of issue. Prices typically range from $38.00 per set of card data for premium card accounts in small volumes, going down to $10.00 for Classic card data in volumes of 100 or more. Customers are also being offered trial set of data, as well as a guarantee on account details that do not work."

If ever cynics needed proof that there is a highly organised criminal industry behind card and identity theft then this is it. The trial card data offer, the volume discounts and the guarantees are all symptomatic of organised criminal activities.

"The level of sophistication shown on the site, acts as a clear warning to anyone who thinks card fraud is a containable problem" Ben-Itzhak concludes.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Computerworld is reporting the possibility of a worm or bot in the wild that is specifically targeting D-Link branded routers. It refers to a three year old vulnerability which Symantec security researchers believe is being exploited by a new exploit. Apparently, the Symantec security response team has seen an increase in attack activity as it relates to D-Link devices.

Oliver Friedrichs, director of the Symantec security response team, is quoted as saying that it looks like hackers are "exploiting the SNMP vulnerability to reset and reconfigure the administrative password on the routers" after scanning TCP port 23 for an active SNMP service.

The report goes on to suggest that router vulnerabilities are up, and unsurprisingly so are attacks against routers as a result. Unfortunately, there is no comment from D-Link itself with regard to whether it had investigated if this vulnerability was being exploited, nor indeed if it had ever been patched.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

According to IT Pro Microsoft has done a u-turn when it comes to charging users for installation or compatibility support with regard to Vista SP1. It says that Microsoft is now "offering free support to any Windows Vista SP1 user experiencing problems."

Quoting Microsoft MVP Brandon LeBlanc, it reports "you have a variety of options you can choose for support, all of which will not cost you any support fee."

Indeed, it would appear that the Microsoft Vista support site is now offering totally free support for SP1 installation and compatibility issues be it via email, IM or telephone to anyone enquiring during US Pacific time business hours, and the offer will run for a full twelve months.

If you have a machine with Vista pre-installed, then you no longer have to go via OEM support or pay Microsoft $59 for every support request, which has to be good news all round.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

According to recent reports the FBI has been using honey-trap hyperlinks which claim to lead to child pornography in order to entice offenders into clicking them. Last year, it seems, armed raids were carried out on homes in Nevada, New York and Pennsylvania as a direct result of such link clicking, even though the video files downloaded from the undercover government server contained no illegal images.

It seems that the courts are happy to approve the practice, although others are less convinced of the morality if not the legality of the operation, quite apart from the technical hurdles it throws up. Who is to say if the householder is using an unsecured wireless connection at the time, or if it is instead some paedophile sitting in a car outside with his laptop?

Of course, federal law in the US does criminalise the attempted downloading of child porn, and carries as much as 10 years in prison, and nobody is suggesting that people who are interested in such filth do not deserve to pay for their actions. But entrapment is a slippery path to be treading, and the implications are enormous. Is it OK for the FBI to spam millions with email offering drugs and then arresting anyone who clicks the links, for example?

That said, in this particular case, the honeypot links were limited to a discussion forum that the Feds had reason to believe was inhabited by people trading in child porn images. Is …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

FrSIRT, the French Security Incident Response Team, has reported that multiple vulnerabilities have been identified in various IP-PBX software applications that can be exploited by attackers to bypass security restrictions and cause denial of service attacks or otherwise compromise vulnerable systems. The software is used by an ever increasing number of companies in order to computerise their telephone switchboard systems and implement low cost Internet calls.

A number of issues have been highlighted by FrSIRT, including a buffer overflow error in the RTP payload handling code when processing a malformed INVITE or SIP packet with SDP. This could be exploited in order to execute arbitrary code. There is also a report of an error in the SIP channel driver itself when handling invalid "From" headers, which could be exploited to perform unauthenticated calls.

"Recent reports suggest that as many as 50 per cent of major companies are using Internet telephony services as a way of cutting their telecommunications costs, but our analysis is that they also need to review their IP telephony security arrangements as well" Rob Rachwald, Fortify Software's director of product marketing told us, adding "the buffer overload problem in the RTP payload handling code when dealing with a malformed INVITE or SIM packet with SDP, is, we predict, one of several buffer-based security problems you're going to see with company IP telephony systems in the near future. Most companies have installed multi-layered security technology on their computer network, but IP telephony services almost …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

The 2.5 hours a week figure relates to during lesson time only rather than in total, which I would say was pretty excessive!

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

File under: shock, horror or perhaps irony.

According to a press release from Global Secure Systems that I received today, it has "uncovered the alarming reality that UK school children are studying social networking websites during their lessons instead of what they should be concentrating on." In fact, the release goes on to reveal that a "staggering" 52 percent of the 1000 children surveyed confessed to visiting Facebook and similar sites during lesson time.

OK, first things first, the results are slightly twisted in favour of a high response as the survey itself was conducted through Facebook so the people taking part were already likely to be committed users. Secondly, given this single demographic it is highly unsurprising that so many kids should admit to visiting social networking sites on their laptops during class.

Doesn't make it right, of course, just not a great shock.

"I am disturbed, but not surprised, by the findings of this survey. There are two main issues; one is the safety of youngsters on the web and the second is the time that is frittered away. The time youngsters spend on the internet, and more specifically on social networking sites, is a huge challenge for parents and those of us in education," says Toby Mullins, Head of Seaford College. "Youngsters are not only using lesson time but often quietly continue late into the night, leaving them short of sleep and irritable the next day. I think a study like …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Paul Battley is a software developer from London who can probably lay claim to being the biggest thorn in the side of the BBC right now. No sooner had the mighty British Broadband Corporation announced that his hack, which allowed people to download iPlayer TV streams meant for an iPhone to a hard drive and share them with others, had been fixed, than the 30 year old Linux fanboy broke it again.

Apparently his motivation in using plug-in requests to search Javascript code for the fixes, and then reprogramming the interface using Ruby on Rails, is simply a combination of the coding challenge and a hint of annoyance over lack of Linux support for the iPhone version of iPlayer.

The BBC, for its part, says that rights issues require them to offer streamed programming for no longer than seven days after initial broadcasting, while a downloads service enables PC users to keep those programmes longer, for up to 30 days in fact. "It's an ongoing, constant process and one which we will continue to monitor" the BBC said via a statement…

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Ever wondered just how smart a smartcard is, from the security perspective? Obviously there are problems as detailed in a DaniWeb blog posting last month which described how hackers can exploit hardware RFID weaknesses to access credit card account data for example. But now a former member of the team which helped develop security for the Microsoft smartcard program, Dan Griffin, has apparently decided to go ahead and expose how to attack the smartcard middleware plug-in for Vista systems.

According to the Dark Reading security site, Griffin has developed a 'fuzzing' tool which can hack third party vendor plug in software that uses the Microsoft Vista smartcard mini-driver interface. What's more he will give a proof-of-concept demonstration at the CanSecWest conference next week.

Griffin is quoted as saying that smartcards being used for access purposes come complete with Java code which allows for the writing of malicious code right onto the card itself. Using his SCardFuzz tool he can force a heap buffer overflow attack on the vendor's smartcard plug in which would allow an attacker to crash the Vista machine or simply control it via known exploits.

Griffin says "You insert it into a reader on an unattended machine... And you can take out a system process and at best, make it crash, or at worst, take over that process and control it."

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

According to reporters at Pocket Lint it would seem that the controversial ban upon the sale of the equally controversial video game Manhunt 2 in the UK has been overturned. The site reports that the Rockstar Games developed title has been edited to the satisfaction of the British Board of Film Classification (which control certification of games as well as movies in the UK) and will be released with an adults only 18 certificate.

Actually, that might not be quite true as it appears the BBFC twice rejected the title, and even went as far as taking the battle against certification to the English High Court. However, the ultimate decision was taken by the Video Appeals Committee which upheld a previously appealed decision that the game could be sold on an adults only basis.

David Cooke, director of the BBFC says "We twice rejected Manhunt 2, and then pursued a judicial review challenge, because we considered, after exceptionally thorough examination, that it posed a real potential harm risk."

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

That is the general thrust of an interesting article that appeared in the Los Angeles Times this week. It starts by describing how the offices of one of the world's most popular websites is a rented space stuffed with furniture bought off of eBay and with a printed paper sign taped to the door which states 'Wikimedia Foundation' the name of the not for profit organisation that actually runs Wikipedia.

It goes on to quote the foundation Executive Director, Sue Gardner, as saying that as far as money is concerned "we are about as unsophisticated as we could possibly be" and continues "it's time for us to grow up a little bit." Which is good news, because many people must wonder just what is going on when a top ten website that gets 300 million page views a day resorts to rattling a box and asking its users for cash all the time.

By simply selling advertising space, Wikipedia could catapult itself into the multi-millions, hundreds of millions of dollars value bracket in one fell swoop. Heck, the advertising doesn't need to be intrusive, and it takes a lot in these days when we are all used to websites relying on the advertising dollar to produce a page that is so in your face that we don't bother to use it anymore.

Anyway, the value of Wikipedia, the content, will always be strong enough to draw in the punters even if it did mean having …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Sounds more like the kind of thing that will get used in a movie: terrorists assassinate the president via WiFi by disabling his pacemaker. This assumes that you end up voting in an Old Age Pensioner again, instead of a younger more vibrant candidate of course :)

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

According to a newly published research paper from the Harvard Medical School backed Medical Device Security Center, it appears that hackers could use wireless technology to turn off heart pacemakers.

As unlikely as it sounds, the boffins reckon that people with an implantable cardiac defibrillator (or pacemaker as they are also known) to help their hearts keep a regular beat are at risk from hackers who could interfere with the device and even theoretically deliver an electric shock to the heart of an unsuspecting patient.

This is made possible by the unencrypted radio signals transmitted by the devices to enable reprogramming by doctors when necessary. "We believe the risk to patients is low and that patients should not be alarmed" researchers have said. Well that's OK then. Perhaps it has something to do with the $30,000 worth of kit required to perform the hack or the close proximity to the victim that is also a requirement.

Or maybe most hackers have better, and more profitable, things to do than hack into a heartbeat for a laugh…

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Anyone with an interest in the history of computing will know that the first mechanical computer was invented by one Charles Babbage, British mathematician and visionary. If you happen to be in the vicinity of the Science Museum in London you can even see a working difference engine, something Babbage never did in his lifetime as he died before a prototype could be completed.

Amazingly, according to this story a number of scientists in the US are now working once more on mechanical computers. Fair play, they are likely to weigh less than the two ton steampunk Babbage creation, a lot less in fact. These computers are comprised of nanomechanical parts, meaning the entire computer could actually be smaller in size than a silicon transistor of today.

The Defense Advanced Research Projects Agency, a player in the development of the original Internet, is funding the research in order to create tough computing devices which could survive the harshest of environments. Environments such as the insides of weaponry for example.

I rather like the description of the transistor created from nanomechanical pillars at the University of Wisconsin which are made from silicon oxide tipped with gold, and measuring just 30 nanometres across. Still huge according to the man behind the development, who claims they could make one a third as big if they wanted to.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Scientists at IBM have finally managed to get around the problem of electrical interference that prevented signals from working correctly while using the carbon mesh material of graphene. It means that they can now get on with the job in hand of building nanoscale transistors according to this report.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

The San Francisco Chronicle reports that Google has finally got the go ahead from European regulators to close the acquisition of DoubleClick for $3.1 billion. The deal has immediately been closed, therefore, as the decision by the European Commission removes the last hurdle standing in Google's way.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Oh go on Scru, please forgive me :)

Seriously though, do you reckon a small outfit is going to break Blu-Ray and succeed in the consumer marketplace where Toshiba and HD DVD failed?

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

The New York Times ran an interesting story yesterday with the title of Another DVD Format, but This One Says It's Cheaper. Essentially, a London based company has come up with an alternative to Blu-Ray just when you thought that particularly bloody consumer battle had been laid to rest. The HD VMD, or Versatile Multilayer Disc, promises to be just as good as Blu-Ray on image quality but a lot more pleasant on your wallet. Forgive me for saying so, but wasn't that what HD DVD promised and failed to succeed in the marketplace with the backing of Toshiba? I fail to see how a small UK outfit can do better, to be honest.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Think of where your spam comes from and the usual suspects, according to most surveys of such things by the security and messaging experts, turn out to be the good old US of A, Russia and China which between them accounted for 33.8 percent of all spam in the last quarter of 2007. However, in a new survey by Sophos, the US is down in 64th place, Russia 45th and China 132nd. So why the big difference? Simple, this survey has looked at spam relaying in terms of the volume per capita rather than just the volume per se.

"Between October-December 2007, the US relayed far more spam than any other country due to the sheer number of computers in the country that had been taken over by remote hackers," said Carole Theriault, senior security consultant at Sophos. "But when measuring spam emitted per capita, the results are very different. Most of the countries in this chart have very small populations compared to the usual offenders, but their totals are sky high when it comes to spam emitted on a per-person basis. Just because your PC is located on a remote island in the South Pacific doesn't mean it's not contributing to the global spam problem. All computer users, wherever they are in the world, need to wake up to the threats and ensure their PCs are properly protected."

Well yes, contributing but not contributing that much in the overall scheme of things. Let's take the …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Interestingly, Wal-Mart is to continue selling Linux via the web just not in retail units. It also appears that the Linux PCs did all sell out in the retail units, but demand was obviously not as high as amongst the online crowd.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

According to an Associated Press story just hitting the wires, Wal-Mart is to stop selling computers running the Linux operating system after less than 5 months because, to quote Wal-Mart spokeswoman Melissa O'Brien "This really wasn't what our customers were looking for."

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

I tend to agree, and always use the wifi option on my Nokia N95 8GB where I can in preference to the 3.5G mobile broadband for just that financial reasoning. Plus wifi tends to be more reliable/stable.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

I think the report looks at spam coming from users of a system, rather than from the operators itself :)

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

According to messaging security experts MessageLabs there has been a 100 percent rise in the amount of spam from Gmail during February, along with a worrying 200 percent increase in targeted Trojan attacks.

The February MessageLabs Intelligence Report, published today, paints a sorry picture as far as IT security is concerned, and much of the blame seems to be laid at the doorstep of web based email services. Indeed, the report suggests that 4.6 percent of all spam originates from Web mail-based services. Even allowing for the fact that Gmail spam has doubled, much of it promoting adult themed websites apparently, it is Yahoo! Mail which is the villain of the piece as it is responsible for sending 88.7 percent of all Web mail-based spam MessageLabs says.

Targeted Trojan attacks increased in February to 30 per day, focusing specifically on smaller numbers of targets so as to stay below the security industry radar where possible. One particular attack, MessageLabs reports, involved 900 targeted Trojans that were intended for named senior business executives worldwide. This made use of multiple attack vectors including compromised websites and malicious downloads.

"There are several approaches a spammer can take to defeat a CAPTCHA," said Mark Sunner, Chief Security Analyst, MessageLabs. "Whether they do so using an algorithm, a 'mechanical turk' or combination of the two, email providers are feeling the pressure to keep pace but are limited to what a human can realistically solve creating ever more doubt surrounding the …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

According to the Guardian newspaper, the much publicised reports circulating online and in the global print media that Sir Paul McCartney has struck a deal to put the Beatles back catalogue up for download on iTunes this year are simply not true. The story is that Sir Paul has agreed a £200 million ($400 million) payday for the tracks, which would cover his divorce settlement to Heather Mills nicely. But the Guardian reports that Apple Corps, which retains publishing rights to the music, says no date has been set and quotes a spokesperson as claiming "The story isn't correct. I can't tell you if it's this year or next year or when."

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

TechCrunch has highlighted a swathe of restrictions facing developers who want to get their applications onto the iPhone platform following the release of the Apple iPhone SDK. Instead of all the billowing hype in the blogosphere about how wonderful Apple is for releasing the SDK, perhaps developers might want to read the small print at which point they will realise just how contractually restrictive the Apple deal is.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Bruce Schneier is a security legend, and posts like this one go a long way to proving just why. In this Wired commentary Schneier gives the best explanation I have seen as to why the ‘transparent society’ argument is a myth, why it is not better than privacy but rather equates to no privacy at all. Schneier argues that you cannot evaluate the value of privacy and disclosure unless you account for the relative power levels of the discloser and the disclosee.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

The Trend Micro TrendLabs Malware Blog is reporting that the volume of totally free do it yourself phishing kits available in the wild on the web has moved past the 400 mark. Ironically, some are even used by phishers to phish other phishers…

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

According to WorkLight, newly published research into the success of social networking sites such as Facebook released this week proves the business interaction case for using these portals at work. Given that WorkLight has the audacity to describe itself as an 'Enterprise 2.0 Company' my gut reaction is to think: file under Mandy Rice-Davies Applies, or well it would say that.

The Nielsen Online research did indeed show that two thirds of people online in the UK, or 20.8 million of us, visited at least one of the top ten social networking sites during January this year. However, when you look at the breakdown and realize that YouTube is top of the pops on 10.4 million unique visitors, followed by Wikipedia on 9.6 million and Facebook on 8.5 million you do, surely, have to start wondering what the hell this has to do with a business case for anything. Yes, it does prove that social networking is no longer a niche but rather a mainstay of UK Internet usage, but it is quite obviously consumer and leisure usage that rules the roost. How many enterprises really need to visit YouTube or Facebook on a regular basis for fear of their businesses crashing around them if they don't?

David Lavenda, WorkLight's vice president of marketing and product strategy, tries his best to make the case: "Nielsen Online's research shows that social networking sites remain highly popular amongst UK Internet users. This makes their use for …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

According to a YouGov survey published today by VeriSign the average UK consumer is worth £10,077 ($20,000) online in terms of banking, gaming and shopping accounts. The pan-European survey on consumer attitudes to online security concludes that UK Internet users are putting as much as £361 billion ($720 billion) at risk by sharing data on poorly protected web sites.

65 percent of those who took part in the survey admitted sharing personal information with their online bank every week, while 58 percent did likewise with online retailers and surprisingly only 31 percent got friendly on the data sharing front with social networking sites. The sheer amount of personal data that we seemingly all appear to be happy to share means that we are increasingly at risk from identity crime. The survey reckons 75 percent of people give away their date of birth, 70 percent their home address, and 68 percent their mother's maiden name without much thought to the cybercrime consequences. Which is somewhat ironic given that a further 78 percent claimed to be worried about identity theft and 43 percent have either experienced it themselves or know someone who has.

On the more positive side, consumer education has had some effect when it comes to raising online security awareness and 69 percent said they were aware of the browser 'padlock' iconography and 41 percent knew of the VeriSign secured seal as well.

Jon Kerr, VeriSign SSL Manager, UK commented, "It's no surprise …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

The phrase 'beggars belief' comes to mind, doesn't it? :)

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

A hearty slap on the back must go to authorities in South Korea who have arrested and charged the 41 year old ex-CEO of an antivirus software company with distributing fake security scareware. Lee Shin-ja was formerly CEO with security outfit Media Port, and stands accused of distributing the 'free' bogus software to an astonishing 3.96 million users since 2005, with 1.26 million of them going on to buy the full product. Of course, they only reached for the wallet after being presented with fake security warnings in the free product which directed them to upgrade in order to clean the non-existent infection from their PC.

Shin-ja is reported to have made something in the region of 9.2 billion won (which works out to $10 million) in less than 3 years, all thanks to the $4 per month subscription fee levied for use of Doctor Virus, the application required to fix those fake infections. "More and more people are becoming concerned about the security of their personal computer - and it's all too easy for the unscrupulous to try and fool users into believing a bogus warning," said Graham Cluley, senior technology consultant for Sophos. "Unlike many other countries, it's not uncommon for South Korean computer users to run multiple anti-virus programs at the same time - probably because many of their homegrown solutions don't come with an on-access scanner," explained Cluley. "This environment increases the likelihood that people will download and 'test the water' with a …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

According to the Sunday Times one couple got more than they bargained for courtesy of the almost extortionate charges that mobile phone companies are allowed to levy in Europe when it comes to sending text or data while 'roaming' away from your home country. Although the case in question might be a little out of the ordinary, it does serve to highlight just how ridiculous the situation has been allowed to become. Mrs X decided to download no less than four episodes of the sitcom Friends via the unlimited broadband service on the mobile phone belonging to Mr X. Not as daft as it may sound, the episodes had been made available for free download and if Mr X had not needed to travel to Germany from the UK on business before the downloads had completed there would have been no additional charges made.

Unfortunately, unaware that the videos were even being sent Mr X switched his phone on upon arrival in Germany and the downloads continued for another 12 hours in total at a cost, are you ready for this, of £11,000 ($22,000) in all.

The mobile network concerned has conceded that the fact Mr X had traveled abroad complicated matters, meaning that the automatic trigger to inform a customer that a charge quota limit had been surpassed took rather longer than when compared to the event happening at home.

The European Union commissioner for Information, Society and Media is not taking this laying …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

The Cult of the Dead Cow, the infamous hacking collective, has released a Google hacking utility called Goolag Scan that brings the ability to search the information engine for web-based data that is normally hidden to any wannabe with a web browser and half a brain. It does this by implementing something in the region of 1500 customised Google search routines to reveal application server passwords, credit card numbers, corporate email records and audit logs to name just a few examples. Sure, the ability to find this stuff is open to anyone using Google who knows what to look for and how to filter the results accordingly. Sure, the real problem is the companies who have not properly secured the data in the first place so making it available for such searching. But let's be honest, the Cult of the Dead Cow sure ain't helping matters.

"Advanced Google searching has been known about in security circles for some time, but it has been a highly specialised and technical topic that is definitely not for non-programmers" says Calum Macleod, European director at encryption experts Cyber Ark, who adds "A lot of companies protect their Web-based and Internet gateway-accessible data using ID and password systems, but the actual data pages are often unprotected. Even though the pages are not indexed in the standard sense, Goolag Scan can prise the data out into the open and allow standard keyword searching on those pages."

The Cult of the Dead …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

According to the Pakistan Telecommunications Authority (PTA), while the blocking of the YouTube website over the weekend in Pakistan was intended, the worldwide outage that saw the popular video streaming service become unavailable to huge swathes of the planet was accidental. Anyway, PTA spokesman Khurram Mehran assures us it is all OK now because it has "issued instructions to all internet service providers that YouTube should be unblocked as the specific content has been removed by the website." The specific content referred to being cartoons of the Prophet Mohammed which Pakistani authorities have described as being highly profane and sacrilegious.

I do not intend to get into the whole religious debate, nor indeed the political one (some quarters have suggested the real reason for the ban was to block access to coverage of alleged parliamentary election rigging claims) as neither is my area of expertise. However, the fact that a nation can unilaterally initiate a near-global blackout of one of the most popular sites on the Web is rather worrying from the technical perspective and does not bode well in the fight against cyber-terrorism. It does not take a genius to make the leap from protesting against content on YouTube to protesting against the actions of another country.

Danny McPherson, the Chief Research Officer at Arbor Networks and part of the Security and Engineering Response Team (ASERT) has plenty of experience when it comes to analysing burgeoning security threats and has given plenty of thought as …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Last year I exposed a security breach involving the online collection of applications for visa documents allowing Indian citizens to visit the UK, an expose that ended up with the UK government itself being found guilty of breaking the Data Protection Act and which kick-started something of a sea change in the way that such online applications are handled. You might think, therefore, that the company at the heart of that scandal would have cleaned up its act when it came to security. Unfortunately, communications with a former VP responsible for business development at VFS suggest otherwise.

Suprit Roy used to be responsible for new project rollouts at VFS before resigning from the company on 10th December 2007. He claims that the whole visa application database security scandal was caused by an underlying lack of commitment to enforcing discipline, standards and ethics at a senior management level. "It was only after your expose got broadcast on Channel 4 and the FCO sent in Independent Investigator Linda Baker-Costelloe that the company acted reactively to enforce some IT security practices" Roy says. He also says that despite this, not enough has been done at the most basic levels of security and cites his own corporate email account as evidence.

Most companies which not only understand security issues but take them seriously are quick to act when any employee leaves, let alone someone of VP status, to sanitize the email account associated with them. There are plenty …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

It is not often that a drunken discussion provides anything more than a hangover the following morning, but recently a bunch of IT security experts got talking while the beer was flowing and someone asked the question: what is the biggest threat on the IT landscape today? Everything from 'the user' at the obvious end through to 'Bill Gates' at the drunken bum end of the scale was suggested, but the undoubted winner which was revealed before we all passed out was the botnet.

Think about it, botnets have all but taken over as the control centre of the exploits that cause the most damage to the home user and corporate alike. If you are plagued by spam then the chances are there is a botnet out there coordinating the distribution of it, your computer might even be a part of such a distribution chain without your knowledge or consent. If your business finds itself the victim of a Distributed Denial of Service attack, there is the botnet for hire behind the scenes launching the data missiles. If you are the target of a drive-by malware incident, chances are that the Trojan you have downloaded will carry a payload that includes compromising your PC and adding it to a botnet army somewhere or other. Read any security vendor threat report for 2007 and you can bet your bottom dollar that the botnet features loud and clear and often.

The good news is that with the botnet boom comes …