happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

deboogeek: make that 9 years... :)

deboogeek commented: Actually, I'm here after 8 years. So, it's nearly a decade you've been happily coding. Great! +0
happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Spot on from Deceptikon, in my never humble opinion.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Oh, and I would add that I imagine if it's decided that the changes have broken it then DaniWeb will revert to something unbroken in pretty short order (not that I think it is broke at the moment, to be honest).

dtpp commented: And here is truth: YES, people do not like this (in this sense it's broken); so follow your own words please..... +0
happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Yep, tagging is the way forward - people just need to get used to it being front and centre in the UI rather than being allowed to merge into the background a bit.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

It sucks. Then you die. Get over it. Get on with it.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Hello.

I would suggest you post your questions in the following forums/categories:

  1. https://www.daniweb.com/web-development/31

  2. https://www.daniweb.com/software-development/2

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

You will have to do a lot better than that. Can you please explain exactly what the problem is, including platform etc, then someone may be able to help.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Good luck, but speaking from my own experience of way too many allnighters I'd say rest is ultimately more beneficial than enthusiasm in the long term. Don't knock yourself out Dani! :)

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

So I was recently at the big Motorola launch event which spanned New York City, Mexico City, Sao Paulo and London where I was part of the media herd waiting to see exactly what new handsets were about to be revealed. The answer came in triplicate: the Moto X Style, Moto X Play and the new third generation Moto G. As the latter of these was the only device to actually go on sale with immediate effect, and Motorola had review units available to take away, it's the Moto G that I am reviewing here today having put it through the ropes for the last ten days. Given that the long awaited OnePlus 2 goes on sale here in the UK this coming week (August 11th) I wanted to answer a question I had posed for myself: is the new Moto G a OnePlus 2 killer or not?

Both the Moto G and OnePlus 2 position themselves as low cost but high spec smartphones, proving that you don't have to sacrifice too much in terms of technical toys to the gods of thrift in order to own the kind of mobile phone that your friends and colleagues will be envious of. The new third generation Moto G certainly does not disappoint when you get it out of the box; this does not feel like a budget handset. In fact, even though it doesn't sport the gimmicky wrap around screen or full metal bodywork of the …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

News has broken this weekend that the personal data, including bank account details, of some 2.4 million customers of the Carphone Warehouse may have been compromised following a breach that the mobile phone retail giant is calling "a sophisticated cyber-attack." The company also warns that encrypted credit card data of up to 90,000 customers may have been accessed during the breach.

Scotland Yard and the Information Commissioner's Office have both been notified, along with a security outfit specialising in forensic examination of such attacks. However, the statement from Carphone Warehouse, released on Saturday, and revealing that the compromised personal details also include names, addresses and dates of birth, also reveals that discovery of the attack took place on Wednesday: "On 5 August 2015 we discovered that the IT systems of three of our online UK businesses had been subject to a sophisticated cyber attack." This will no doubt leave many customers whose data has been exposed wondering why it took a further three days for the breach to be disclosed.

Customers, it should be said, that extend further than just Carphone Warehouse itself. The official disclosure statement continues: "The three websites affected are onestopphoneshop.com, e2save.com and mobiles.co.uk. These websites also provide a number of services related to mobile phone contracts to iD mobile, TalkTalk mobile, Talk mobile and Carphone Warehouse." Now, bear in mind that this means a further 480,000 TalkTalk Mobile customers could be impacted and I expect reports of the total number of potential victims here to rise …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

they will tend to kill people in the real society. Because, they will consider that killing is legal.

And can you provide any evidence at all to back up that wild statement? Violent video games have been around for decades now, yet as far as I can see there are not hordes of kids running around killing people as a direct result in every town in every city.

Try engaging brain before operating mouth (or, in this case, keyboard)

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Your task is to do your own bloody homework.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Dianne. What?

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Degaussing doesn't guarantee erasure. Degaussing in combination with a crusher afterwards is a much more secure bet.

mindmergepk commented: maybe you are right, but there is no way to use software after a disk is degaussed +0
happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Either:

a) your laptop has been haunted by the ghost of Roger Whittaker

b) your harddrive is about to die and burn

c) your heatsink fan (most likely) bearings are shot

I'd work from c backwards myself...

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Well, according to his profile: "AMWebCreation is website design, development, SEO, SMO, CMS, Ecommerce, clipping path, logo design; IT training center" so all I can suggest is that if he has to come to us to get advice on what the stuff he is charging other people to train them on is, then probably best to avoid him altogether.

Unless, of course, he is just here to spam.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Action video camera vendor GoPro has announced that it is riding into the Tour de France with a promotional video to celebrate being named the official camera of the world's largest annual sporting event with a worldwide television audience of some 4 billion people, but not before the BBC reported how GoPro cameras could be used to spy on their owners.

According to security company Pen Test Partners, it is way too easy to take control of GoPro cameras and one of the partners at the outfit, Ken Munro, demonstrated how. He showed the BBC how a GoPro Hero4 could be used to eavesdrop on users, or to view existing video footage and delete it if desired, despite appearing to be switched off. The problem stems from users who had set the device up with simple passwords, then when the camera was put into sleep mode it could still be accessed via a wireless connection and that simple password cracked to give the attacker control.

Of course, as with all such things, it's not quite as black and white as that paragraph might suggest. The user would first have to be using a pretty lame Wi-Fi password which would be set up when the camera was connected to a mobile device such as a smartphone. Secondly, the attacker would have to intercept this encrypted key, and crack it, a standard man-in-the-middle affair but not a typical attack scenario for your average action camera user I …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

And welcome from me...

irshad398 commented: Thank you +0
happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Earlier this month, security outfit FireEye’s 'FireEye as a Service' researchers out in Singapore discovered and reported on a phishing campaign that was found to be exploiting a zero-day Adobe Flash Player vulnerability (CVE-2015-3113). That campaign has been well and truly active for a while now, with attacking emails including links to compromised sites serving up benign content if you are lucky and a malicious version of the Adobe Flash Player complete with the exploit code if you are not.

Adobe has now responded with a security update with the following recommendations:

Users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh should update to Adobe Flash Player 18.0.0.194.

Users of the Adobe Flash Player Extended Support Release should update to Adobe Flash Player 13.0.0.296.

Users of Adobe Flash Player for Linux should update to Adobe Flash Player 11.2.202.468.

Adobe Flash Player installed with Google Chrome and Adobe Flash Player installed with Internet Explorer on Windows 8.x will automatically update to version 18.0.0.194.

Here are the affected software versions:

Adobe Flash Player 18.0.0.161 and earlier versions for Windows and Macintosh

Adobe Flash Player Extended Support Release version 13.0.0.292 and earlier 13.x versions for Windows and Macintosh

Adobe Flash Player 11.2.202.466 and earlier 11.x versions for Linux

Craig Young, Security Researcher at Tripwire, reckons that "Flash, along with ActiveX and Java are remnants of the 1990s 'Web 2.0' technology boom. The nature of these technologies allows attackers to run code directly on remote computers …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

A couple of decades ago, in another life, I wrote a little script which would capture keystrokes and then store that data within the 'white space' of an image file. It was pretty crude, but it was also twenty years ago and to be honest nobody was really looking for stuff which was effectively hidden in plain sight that way. That way being the use of something called steganography, from the Greek steganos which means covered and graphie which means writing; so literally covered writing. I used it to good effect during my period as an explorer of networks belonging to other people, most notably when sysadmins would stay at my apartment and login to their networks in order to do a bit of housekeeping and, unknown to them at the time, give me root. Things have moved on a lot since then, and steganography has become a much more complex tool being deployed by cybercriminals.

Back in March this year I reported for SC Magazine on how a variant of the Vawtrak malware family had been using steganography to hide update files in tiny 4Kb encrypted favicon graphics, these in turn being distributed using the Tor network via a proxy. Fast forward to now and the Dell SecureWorks Threat Intelligence Unit has revealed how it has tracked one such malware tool, Stegoloader, which appears to have been active since 2012 and uses digital steganography to avoid detection. Stegoloader requires a core component of the malware …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

The Electronic Frontier Foundation (EFF) has released the latest version of its 'Who Has Your Back?' report and accompanying infographic, and it makes for interesting reading. Once you appreciate that what the EFF is talking about here is how good, measured as a response to a handful of yes or no questions, a bunch of leading tech companies are at protecting our data from government snooping requests. It's not about privacy in the larger scheme of things, just from that particular angle.

That said, let's look at how the EFF came to the conclusions that can be seen in the accompanying graphic. Essentially the organisations concerned were asked, on a yes or no basis remember, if they fulfilled five criteria when it comes to privacy expectations regarding government snooping in the post-Snowden era: follows industry-accepted best practice, informs users about government data access demands, discloses data retention policy, discloses government content removal requests and if it has pro-user public policy which opposes encryption back doors. Here's the broad breakdown.

When it comes to 'following industry accepted best practice relating to government demands upon data access just about every company questioned. The notable exception being Whatsapp, with the messaging app failing to be awarded a star in the EFF chart courtesy of two transgressions: it didn't require a warrant before handing user data over to the man, and it didn't publish any kind of transparency report either. Oops.

Moving on, what about how the companies fared on 'informing users …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Speaking to TrustedReviews this week, Alexander Moiseev, Kaspersky Europe's Managing Director, has warned that your car is at serious risk of being hacked. He is, however, wrong and I'm going to explain why.

Kaspersky Lab and Mr Moiseev may well insist that the threats to the automotive industry are very real, and very much here and now; and while I don't dispute that there are concerns I do think there is a very real element of Mandy Rice-Davies Applies about the entire debate. With the demise, albeit a long and drawn out death, of desktop AntiVirus as the golden goose of the IT security industry, it should come as no real surprise when that industry looks for alternative areas to occupy. Transport is one of the much hyped, I would argue over-hyped, areas currently doing the rounds. The more the 'threat' is talked up, the more there will be a demand from consumers for 'protection' and vehicle manufacturers will turn to vendors to supply it.

That is far from my campervan being hackable now, or ever, matter of fact.

In that TrustedReviews interview, Mr Moiseev likens IT security not being involved in the design and development process of cars to having a house with no roof and putting bars on the windows to protect from theft. He argues that we don't have to wait for the autonomous self-driving Google Car for the hacking threat to materialize, and says our cars today …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

As news breaks that a second breach at the federal Office of Personnel Management may have seen another set of data, potentially more valuable than that accessed during the first, Philip Lieberman, President of privileged identity management specialists Lieberman Software, has been talking about what went wrong. Here's what he had to say on the matter:

The apparent US Government policy with regard to the protection of commercial enterprises attacked by nation states and others has been benign neglect (perhaps a shoulder to cry on). Current law and government policy forbid commercial enterprises to take any action against the attacker and handle the matter via the rule of law and in the appropriate jurisdiction. Since there has been little to no recourse possible, commercial enterprises have been attacked and damaged with little government assistance. We are told to build better walls and operate in a defensive mode even though both our government and governments of others have cyber weapons that commercial enterprises with no effective defence. Using technologies such as air gaps, segmented networks, encryption, privileged identity management, can reduce the damage and scope of damage caused by these weapons. So there is no real defence, only the concept of acceptable loss.

On the other hand, the US Government has been clear that an attack on its citizens and systems would result in severe response directed by the government itself (which is well within its power and rights). However, there are two issues …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

It's been a year now since the Dyre malware family was first profiled, and there is no sign of infection rates slowing down. In fact, reports would seem to suggest just the opposite with infections up from 4,000 at the end of last year to 9,000 at the start of this. The lion's share being split pretty evenly between European and North American users.

So I was interested to spot this Tweet from Ronnie T @iHeartMalware who is actually Ronnie Tokazowski, a senior researcher at PhishMe, which declares: "I'm tired of dumping #Dyre configurations by hand. So I wrote a python script to do it. Enjoy folks!"

Ronnie explains "It’s been over a year since Dyre first appeared, and with a rise of infections in 2015, it doesn’t look like the attackers are stopping anytime soon. At PhishMe we’ve been hit with a number of Dyre attacks this week, so to make analysis a little easier, I tossed together a quick python script that folks can use for dumping the configurations for Dyre. To dump the memory, you can use Process Explorer to do a “full dump” on the process they inject into. (Typically the top-most svchost.exe, sometimes explorer.exe)."

Here's the script for all you Python fans to have a look at.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Researchers at security company AppRiver have issued a warning regarding a variant of the Fareit malware family which is using fake Amazon purchase confirmation emails to inject itself and steal any type of crypto currency that can be found on the target machine.

Troy Gill, manager of security research at AppRiver, details how his team have been monitoring, and blocking, what he describes as a stream of malicious emails during the last week. All posing as legitimate Amazon purchase confirmations, all stating that 'your order has been confirmed' and all directing the reader to the attached, and infected, .doc file for the shipping and tracking details. If the recipient has macros enabled in Microsoft Office, specifically Microsoft Word, then their machine will become infected upon opening that document. Although it has never really gone away entirely, the Word Macro threat has seen something of a resurgence in recent months and this is just the latest in a long line of examples.

"This family of malware is often distributed via Word documents with malicious macros embedded and has been known to drop multiple malware variants on the target machine" Troy Gill explains, continuing "in this particular case the malware quickly goes to work attempting to steal the Outlook password along with website passwords from various browsers such as Firefox, IE, Chrome and Opera. It then attempts to harvest account credentials for a lengthy list of FTP and multiple file storage programs."

It …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Here's a niggle: previously banned members now not banned and free to do what they will.

See: https://www.daniweb.com/members/1123654/rosina12 who has 30 active infraction points (given on the 26th May for spamming) and is now listed as an unverified member instead of banned...

Eeek.

mike_2000_17 commented: Nice catch! +0
happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

I am surprised. Surprised that you know anything, given your posting history so far that is...

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Nice one doc.

Now, I've been getting these headaches...

Slavi commented: I think he'll charge you up with a car battery! :D +0
happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Another month, another flaw related to the historical US export restrictions on cryptography; this time in the form of LogJam. It hits SSL 3.0 and TLS 1.0 which supported reduced-strength DHE_EXPORT ciphersuites, restricted to primes no longer than 512 bits, meaning that a man-in-the-middle attack is possible to force the usage of the lower export strength cipher without the user being aware and which impacts something like eight per cent of the top one million web domains and all the major web browser clients. Well almost, because Internet Explorer has already been patched (nice one Microsoft) with Firefox expected to follow soon and Chrome after that although time scales are not yet confirmed. You can confirm if your browser client has been updated yet by visiting https://weakdh.org

I'm not going to go into huge depth about the bug itself here, mainly because it's been covered very well by lots of places already. If you have a technical bent, and as a DaniWeb member I'm guessing that's pretty likely, then I'd suggest reading the original disclosure paper itself which can be found as a PDF here.

Here's the abstract for a taster of what you will find:

We investigate the security of Diffie-Hellman key exchange as used in popular Internet protocols and find it to be less secure than widely believed. First, we present a novel flaw in TLS that allows a man-in-the-middle to downgrade connections to “export-grade” Diffie-Hellman. To carry …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

While keen to point out that Microsoft's TechNet portal security was "in no way compromised" by the tactic, researchers with security outfit FireEye discovered that a well established China-based hacking campaign called Deputy Dog had managed to create profiles and posts on TechNet that contained embedded Command and Control codes for use with a BlackCoffee malware variant.

This method of hiding in plain sight is nothing new, but it can make detection problematical as the data (especially within a technical forum such as TechNet) is simply 'lost' in a sea of similar code from genuine users of a well respected and therefore assumed to be safe site.

The technique may, however, have backfired having been detected. The FireEye researchers have been working with the Microsoft Threat Intelligence Center to inject their own data onto some of those TechNet pages and use this to gain insight into how the malware, and the people behind it, operate. Ultimately, this will make both identification of infected forum systems and the cleansing thereof much easier.

Tim Erlin, Director of Product Management at Tripwire, warns that while using a legitimate website to distribute malicious data is nothing new "the addition of obfuscation here is a twist that makes detection just that much harder" and points out that "any website that allows for public comments to be submitted is already monitoring for abuse, but they can only detect what they’re actually looking for. Now that this technique has been surfaced, website administrators …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

The best advice I can offer you is that if your computer won't let you hear Susan Boyle sing then DON'T TOUCH ANYTHING and be very grateful indeed.

I'll get me coat...

Slavi commented: lol'd +0
happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

My fairly eclectic most listened to artists, in alphabetical order and according to my computer playlists, for the last 3 months have been:

AC/DC
Avenged Sevenfold
Bert Jansch
The Clash
Dropkick Murphys
The Dubliners
Einsturzende Neubauten
Fields of the Nephilim
George Thorogood
James
Kings of Leon
The Levellers
Linton Kwesi Johnson
Nick Cave
Placebo
Rammstein
Rancid
Ry Cooder
Seasick Steve
Sex Pistols
Sisters of Mercy
Slipknot
The Velvet Underground
The Who

diafol commented: +1 for George and rammstein +0
happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Oops! Totally missed the date on that one. Been ill this week, that's my excuse :)

Still, good advice is good advice nonetheless. It doesn't go off.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Read, learn.
Ask, learn.
Learn, share.

That about sums it up...

Warrens80 commented: She hasn't been active since she signed up Dave +0
happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

It's all too easy to think that spam is an old problem, and one that has largely been dealt with. Certainly, many people will tell you that they see very little evidence of spam in their mailboxes. This, however, has less to do with the demise of the spammer and everything to do with the effectiveness of spam filters.

The latest Kaspersky Lab analysis of the spam and phishing threat landscape for the first quarter of 2015 suggests that some 59.2 per cent of email traffic was actually spam, which is good news in as far as that number is six percentage points down on the previous quarter. It's also a pretty good reflection of my own incoming email, which currently sits on around 55 per cent spam. Not that I see it unless it's that time of the month when I pay my spam folder a visit to check for false positives, and they are rarer than rocking horse poop these days.

Interestingly, it seems that the raft of new generic top-level domains (gTLDs) such as .work or .science for example, have provided an impetus for the spammers. Kaspersky suggest that "new domain zones almost immediately became an arena for the large-scale distribution of advertising spam, phishing and malicious emails." Indeed, according to Kaspersky Lab’s email traffic analysis there was "a considerable increase" in the number of new domains that sent out spam content in Q1 2015. The spammers are targeting these new domains specifically as well, so .work …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

My van was built 15 years ago by Mazda in Japan as a multi-purpose 'people carrier' vehicle with the unlikely name of a Bongo. It has survived the years well, and I have now converted it into a camper van. Another 15 year old that travelled across the globe has not survived the passage of time, and we can be thankful for that because I'm talking about the Love Bug. No, not Herbie the talking VW Beetle from those candy-sweet Disney films but rather a computer worm that spread like wildfire in May 2000. Also known as 'ILOVEYOU' thanks to the subject line of the emails it used as a distribution method, and 'Love Letter' because it self-propagated through the use of a Visual Basic Scripting (.vbs) file attachment with the name of LOVE-LETTER-FOR-YOU.txt.vbs, this particular malware threat was incredibly successful.

How successful you ask? Well how does more than half a million infected computers across twenty countries and damages exceeding $15 billion grab you? Just to confirm, that was no typo: $15 billion. The BBC first reported the Love Bug arriving in the UK on May 4th 2000 with estimates of one in ten UK businesses already being hit by the thing at that point. Even the House of Commons got disconnected from the outside world when the parliamentary network was switched off to prevent further infection. Security researchers at MessageLabs (which would later become part of Symantec) put the spread into context by comparing it to the …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

I live in the north west of England and we basically have nothing which could be considered a disaster

Halifax. I give you Halifax...

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Advert blocking software is thought to be used by something in the region of just five per cent of online users, or 150 million people if you prefer. It is, however, on the up; research conducted by Adobe and anti-adblocking campaigners PageFair suggests that ad blocking use rose by 70 per cent last year. Of the various options out there, Adblock Plus is one of the best known and most used. Which is why the company behind it, Eyeo GmbH, recently found itself on the sharp end of a court case in Germany seeking an injunction to prevent it from selling the software in that country.

A handful of publishers, including the Zeit Online newspaper, had asked the Hamburg Regional Court to rule that Adblock Plus was illegal because it interfered with the ad-based business model that those publishers rely upon. At the heart of this complaint was the Acceptable Ads mechanism which allows some adverts to be white-listed and so not get blocked, these have to meet certain non-intrusive criteria but also some large companies such as Amazon, Google and Microsoft pay for their ads to be white listed.

Adblock Plus users can disable this 'feature' easily enough: right click on the browser extension icon, select options, uncheck the box that says 'allow some non-intrusive advertising.' Anyway, the publishers effectively argued that this system was discriminatory and the software anti-competitive and even that it interferes with the freedom of the press.

As expected by most watchers of such things, …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Werner Vogels, Amazon Web Services (AWS) CTO, speaking at the AWS Summit in London yesterday has made the rather amazing claim that security in the cloud is "much stronger" than anything you can have on-premises. As someone who has been writing about information security for more than 20 years, and covering the cloud security beat for five, I can understand why he may say that. However, it doesn't mean that he was right; not for every customer, not for every implementation.

If you are talking about the smaller end of the SME spectrum then, for the most part in my experience, there's a very good chance that the kind of dedicated security know-how and infrastructure investment available from the likes of AWS is beyond the reach of the average business. If you are talking about larger enterprises, which do have dedicated security teams and have already invested heavily in the relevant infrastructure and processes, well sorry Werner but that's a totally different ballpark.

It's one thing for Vogels to dismiss hybrid cloud, and I think he's got that fundamentally wrong as well, but to make such simplistic and wide-sweeping statements concerning security in the cloud is pretty much unforgivable. It's the kind of thing I hear on a daily basis from marketing men and product directors, but would not expect to be coming out of the mouth of the CTO of such a large player in the cloud space. Sure, AWS thinks it is pretty clued up when …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

I kinda like the old 'cool techies unite' look!

somjit{} commented: Yes! +0
happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Ah, just took a look - all the test ones I'm guessing :)

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

In what has quite possibly been one of the longest periods between security problems being revealed and action being taken, the Virginia Board of Elections voted on Tuesday to remove the certification of more than 300 AVS WINVote touchscreen voting machines. The Virginia Information Technology Agency, and consultancy Pro V&V, uncovered multiple flaws in the voting technology which had also been used in other states including Mississippi and Pennsylvania. The scandal here is that there have been concerted efforts to remove these machines from the electoral system since 2008 when experts investigating irregularities first flagged their concerns. They have consistently been used in Virginia between 2002 and 2014, and if you have voted there you may well have cause for concern.

The security audit found a whole catalogue of vulnerabilities including the machines using, wait for it, WEP wireless security which has long since been relegated to the Do Not Use pile courtesy of it being easily hacked. Just to make that hacking even easier, the password was hard coded into the machines; and it was 'abcde' can you believe? Talking of passwords, the OS admin password was, erm, 'admin' and the database storing the votes (an old version of Microsoft Access) used an easily hacked encryption key of 'shoup' for good measure. Oh, and talking of that database, should someone have wanted to copy it, edit it and then put it back nobody would have been any the wiser as there were no controls in place to prevent …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

According to the latest Verizon 2015 Data Breach Investigations Report all but four per cent of the security incidents analyzed by researchers could be accounted for by just nine basic attack types. That's pretty useful information for enterprises looking to prioritize their approach to security in terms of establishing a stronger security posture. So, as far as the nearly 80,000 incidents that were analyzed to form the basis of the report, what were these nine basic patterns then? Verizon states that the nine threat patterns are:

  1. Miscellaneous errors (such as sending an email to the wrong person for example)

  2. Crimeware (various malware aimed at gaining control of systems)

  3. Insider/privilege misuse

  4. Physical theft/loss

  5. Web app attacks

  6. Denial-of-service attacks

  7. Cyberespionage

  8. Point-of-sale intrusions

  9. Payment card skimmers

Truth be told, these are exactly the same as identified in the 2014 report which is kind of worrying on the one hand as it suggests that mitigation measures are not being that effective or the bad guys would have moved on. Which also means it has, perhaps, a foot in the good news camp as well simply because they have not moved on to new attack modes in earnest. The new report reveals that 70 per cent of attacks relied upon a combination of these basic patterns, usually involving a secondary victim which adds complexity to the breach. It also reveals that many existing vulnerabilities remain open, with available patches not being applied, and those vulnerabilities can stretch back to as far as …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

It all started pretty well, with the announcement by Mozilla at the end of last month that the Firefox web browser would make the Internet a safer place by encrypting everything. That's everything, even those connections where the servers don't even support the HTTPS protocol. Developers of the Firefox browser have moved one step closer to an Internet that encrypts all the world's traffic with a new feature that can cryptographically protect connections even when servers don't support HTTPS. The 'Opportunistic Encryption' (OE) feature essentially acts as a bridge between non-compliant plaintext HTTP connections and fully compliant and secure HTTPS ones. Firefox 37 made OE active by default, supposedly protecting sites that hadn't bothered with going through the digital certificate authority process, or which don't fully encrypt everything courtesy of embedded plaintext third party content requirements such as adverts for example.

At the time, Mozilla networking engineer stated "OE provides unauthenticated encryption over TLS for data that would otherwise be carried via clear text. This creates some confidentiality in the face of passive eavesdropping, and also provides you much better integrity protection for your data than raw TCP does when dealing with random network noise. The server setup for it is trivial. Only HTTPS protects you from active man in the middle attackers. But if you have long tail of legacy content that you cannot yet get migrated to HTTPS, commonly due to mixed-content rules and interactions with third parties, OE provides a mechanism for an encrypted transport …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Talking to a number of consultants specialising in IT security, it seems that the 'big boys' are leading the way with those remediation stats. Look to the medium sized enterprises sector and remediation falls to around 10%. Their future could be, erm, interesting to say the least.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

In which case you have nobody but yourself to blame for the situation you find yourself in and, frankly, I have little sympathy for you. In the same way that I would have little sympathy for someone complaining about the broken foot they have, yet refuse to stop dropping concrete blocks on it twice a day.

Stuugie commented: lol +0
happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

According to new research from Venafi, apparently some 74 percent of 'Forbes Global 2000 organizations' (or the big boys of business if you prefer) have yet to properly secure their public facing servers against the Heartbleed OpenSSL threat. That's a year after the thing broke for goodness sake! Venafi found that at least 580,000 hosts belonging to this elite group of enterprises were still vulnerable as full and proper threat remediation had not been applied. They were patched, yes, but did not bother with the equally important steps of replacing private keys and revoking the old certificates. Apparently, looking at the market in general, it would seem that more than half of organizations simply have no idea how many keys or how many certificates they have, or even where they are being used. If you are in the US you can be happiest, if that's the right word, as your big business boys sit just behind Germany at the top of the remediation tree with a 41 percent total. That's still pretty poor, of course, but way better than Australia on 16 percent.

Patrick Wheeler, director at Proofpoint, says “the fact that so many systems remain vulnerable to Heartbleed highlights the difficulty of basing security on patching production systems. Organizations have to balance the needs of business-critical applications with the duty to take all reasonable, industry-standard measures to protect employee and customer data. Incorporating security fixes can be all the more difficult in the case of an issue like Heartbleed, where …

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

I have a feeling that WojTroll will go quiet now...

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Security is, more often than not, a case of getting the basics right. This is certainly true of the cloud where the hyperbole surrounding insecurity far outweighs the actual risk in my opinion. Not that the cloud is an inherently secure place to store data, just that it poses similar risks to other data storage methodologies which need to be assessed and dealt with accordingly. So when I hear statistics being bandied about such as '68 per cent of employees use personal cloud storage services at work' as was thrown in my direction this last week, I cannot help but heave a little sigh.

This is not a cloud issue, despite it being wrapped up as one when I saw it; it's a basic security principles one. Consumer grade services are called that, and sold as that for good reason - primarily because they are not intended to be used within a business context. Sure, plenty of people DO use them for commercial purposes but that is beside the point; it doesn't make them enterprise grade in terms of security. This kind of service misuse, for want of a better word, is what you might call a rogue cloud or shadow cloud. Shadow because it is hidden from the business, and rogue because it isn't meant to be there.

Actually, in the real world, neither descriptor is actually accurate more often than not. I've been to many an enterprise where the existing information security policy does not cover the use …