SQL injections have been a big focus of mine this week - previously I blogged about how the theft of 130 million debit and credit cards were alleged to have been carried out using SQL injection techniques, and I followed it up with some reasons how it became large-scale.

Perhaps because of this media attention, HP has released some advice about what to do if Google detects that your website is hosting malware.

It says: “A frightening trend with SQL injection attacks concerns how an attacker will insert links to javascript content used to serve malicious links that may automatically compromise the users of this website.

“When this happens, Google will automatically detect this and actively deter users from  visiting your website.”

HP has published some basic recovery steps that may ensure that all content that was modified by attacker has been removed.

1. Disconnect from the internet
2. Backup he entire site and backend database.
3. Save all logs and analyse them.
4. Change all authentication - the attacker is likely to have stolen the credentials needed for website access.
5. Reinstall OS (this is more of a precaution).
6. Restore previous backups.
7. Perform simple code audits.
8. Turn the site back on.

More information can be found here.
It does have a disclaimer that this isn’t legal advice and if monetary problems occur, consider hiring a consultant and notifying the proper authorities.

I was reading a blog post from our very own security expert Davey Winder about the recent incident where Twitter documents got published by the US website TechCrunch.

He made the very valid point that this wasn’t actually Twitter which got hacked this time - it was an employee’s Google Docs account!

However, like Davey says PRs and the press seems to got into a tizzy about Twitter security when in fact this time it had nothing to do with it!

It was the security of Google Apps that this time is in question. But then is it really?

It looks like the problem was actually a password. An employee was silly enough to use one which was guessable  - one non-unique password on multiple services.

That’s a web wise problem - not necessarily the fault of the companies.

I wasn’t there to see the first statements of the new Cyber Security minister Lord West, but according to reports he admitted that the government has hired a team of former “naughty boy hackers” for its new Cyber Security Operations Centre.

The BBC quotes him as saying: “You need youngsters who are deep into this stuff… If they have been slightly naughty boys, very often they really enjoy stopping other naughty boys.”

OK -  first up these are fine words for a Cyber Security Minister. Naughty boys? - I’ve only been writing on security for the last year and a half, but I already realise that many of the criminals he’s talking about aren’t ‘naughty boys’ - they are hardened criminals fully intent on making as much profit as possible.

I get the feeling he’s one of those people who don’t think that cyber criminals are ‘real’ criminals because they play on the computer. And this is somebody the government has employed to oversee its cyber security. Great.

And he’s employed hackers with criminal records? This is all well and good in a movie, but as security expert Rik Ferguson notes, the government has actually hired a team of people who have committed criminal acts and given them jobs.

He also makes the point that if you’re going to hire hackers to stop hackers, then why employ the naughty crap ones who managed top get caught? - or ’script-kiddies’ as Ferguson puts it -  the laughing stock. Yep, Lord West - good choice!

Even if this is just misquoting or taken out of context, it’s a little worrying that the Cyber Security Minister himself seems to be so inept at understanding the real problems of IT security.  Last week I wrote a feature on what the basic qualifications a Cyber Security Minister might actually need - I don’t think Lord West ticks any of the boxes.

Maybe it was the case that none of the ministers around Gordon Brown had the technological expertise or IT training for this role. In this case they really should have simply found one. I mentioned John Suffolk, government chief information officer, as somebody who had the technology knowledge for the role.

It might be the case that Neil Thompson, the prospective new director for the Office of Cyber Security, might be the person who really will shape the cyber security of Britain. As security expert Graham Cluley said in my feature, maybe its good to have an unknown person in the role who will knock heads together and do what’s needed.

But hopefully he won’t be listening to the ‘Cyber Security Minister’ Lord West. He may be all well and good when it comes to knowledge of actual physical warfare - but cyber war is a completely different beast. Hope you know what you’re doing Gordon.

In April I wrote a news story based on a talk by data encryption company PGP Inc founder Phil Zimmermann at Infosecurity, which revealed his feelings about Britain heading towards becoming a surveillance state.

But compared to countries like Iran and China, I guess we’re lucky. Both have been known to monitor citizens for years. Shockingly though, tech countries in Europe don’t look like they have any qualms in providing this surveillance technology to countries that are willing to use it in this way.

The Wall Street Journal and the BBC  both reported on how the Nokia Siemens Networks (which has just bought some wireless tech from poor old Nortel) provided sophisticated technology for Iran to examine the content of online communications.

It’s not just for blocking traffic - the technology is supposed to see what information is passed back and forth. A Nokia Siemens spokesman is quoted as saying: ” Western governments, including the UK, don’t allow you to build networks without this functionality.”

It’s kind of scary. But would you expect anything less? Tech companies sell to the public as well as private sector - and very often governments around the world want to keep track of their citizens.

However, at least there are still ways to be anonymous and organise demonstrations without being tracked  - as the events in Iran and the use of Twitter shows.

Even Google has to bow down to government power. Google has very quickly complied to a direct command by China to remove pornography from all its sites, even though all it is doing is linking to the content rather than having anything involved in distributing it.

But China is a big market, and there’s a lot of profit to be made. This need to make money can also be seen with the fact that the Chinese government can get away with shipping surveillance software with all of its PCs.

It’s the price we have to pay for better technology. The networking tech that makes communication on devices like mobiles so easy and useful can also be used in ways which we don’t necessarily want. Companies are there to make money - they are not our moral guardians.

As a citizen I guess the only power we have is that of the vote - and is why the Iranians are so furious that the elections over there weren’t as fair as they should be. But in the UK we still have that vote - and hopefully we can use it properly.

At the ENISA / Reuters event I attended this morning, there was a very interesting talk with BT chief security technology officer Bruce Schneier and International Security Forum (ISF) president Howard Schmidt that surprisingly switched from business security and into the presidential events in Iran that have been taking place.

Schneier said that the events were very interesting when it came to IT and IT security because it was the “coming of age” for citizen journalists.

The real journalists were under house arrest and not able to report, and the information that was coming out was from people - mostly through Twitter, as the Iran government forgot about it when trying to block things for the election.

Schneier said: “We’re seeing stories and images coming out that are unable to be blocked by the government, and the only thing they can do at this point is to ‘take down’ the internet. It’s possible and governments have done that.”

“Hackers around the world are helping,” he added. “If you have a Twitter account we’re all being asked to change our location to Iran and change our timezone, because that makes it harder for the police to find the real twitterers.”

Schneier also said that people around the world were setting up proxy servers to allow Iranian information to come out, and that there was even a proposal to use the Opera browser and turn it into a massive anonymous network to help the Iranian citizen journalists.

He continued: “The anonymity tools that many Western governments are trying to get rid of are saving lives in Iran. It is the first time that people in other countries don’t just protest in their own capitals - they actually do something.”

Schneier said it was very interesting to see computer security, networks and hacking used in this way.

Howard Schmidt argued the point further by highlighting the fact that mobile devices were being used to get the word out. He said that this anonymity allowed people to use the internet as a real vehicle to create change.

Schneier highlighted the Cyberwar Guide for Iran Elections guide for beginners as a useful starting point, if you wanted to get involved, and mentioned the fact that people were getting involved in denial of service attacks against the Iranian government.

Schneier said: “This is interesting. A lot of what people think as cyber war is kids playing politics - you see this in Pakistan, the Arab states, China. They are not just fooling around - this is serious stuff. We can actually have international politics being affected by these actions.

“I think this is a first. I think this shows the power of social media in a way nothing ever has before,” he adds.

Author Timothy Garton Ash also makes similar points in an article written for the Guardian.

It’s been reported that a hacker has claimed responsibility for hacking Steve Jobs’ Amazon.com account.

According to Cult of Mac,  the hacker identifying himself as Orin0co attempted to sell journalists his credit card details as well as other details of his Amazon.com account, such as his purchase history in the last 10 years.

Orin0co claimed he managed to fool Jobs simply by sending him a fake Amazon.com email that convinced him to log onto a fake Amazon.com website.

Apple will not comment on the claims, while Amazon.com were said to have no knowledge about whether his account had been hacked or not.

It does seem highly unlikely that somebody as technologically savvy as Steve Jobs would have fallen victim to something as simple as an email phishing scam.

The hacker also claimed that Jobs bought 20,000 items from Amazon.com in the last ten years -  a total of five a day!

It seems very doubtful - though he’s hugely rich, where exactly would have he have found the time to do this shopping? - considering he’s had things like Apple world domination, the iPod and the iPhone to keep him busy.

Twitter has confirmed that it has been hacked again by an outsider, with the French this time claiming responsibility.

According to reports,  a person going by the name of ‘Hacker Kroll’ managed to access celebrity accounts as well as the account of Jason Goldman,  Twitter’s director of product management.

The hacker claimed that they managed this to do this with a social engineering technique to access his Twitter account. He or she says they found it by accessing an admin’s Yahoo account to find his Twitter password.

Through screenshot images the hacker claims that they have broken into celebrity accounts belonging to those of Ashton Kutcher, Britney Spears and Lily Allen.

Reports said that the email addresses of the compromised accounts, mobile phone numbers as well as the accounts the affected users had blocked were accessible. (Kutcher and Allen are said to have blocked celebrity gossiper Perez Hilton).

In response, Twitter co-founder Biz Stone admitted that an outside party had gained unauthorised access, and that 10 individual accounts were viewed. He did say that no password information or personal information was revealed or altered,

Stone said: “Twitter takes security very seriously so we will be conducting a thorough, independent security audit of all internal systems.”

It wasn’t the first, and unlikely to be the last problem with hackers that Twitter will have. Back in January an 18-year old hacker who managed to breach administration systems admitted his guilt, but instead of a social networking attack he had used a self-created dictionary program tool.

One of Twitter’s most famous British followers in Stephen Fry also fell victim to a phishing attack. Considering Twitter’s rise in popularity, especially with businesses, can it be trusted to keep your accounts safe fromintruders?

Sophos security expert Graham Cluley said: “Although many will blame Twitter for no ensuring that its staff followed sensible policies to better secure critical administrator accounts, lets not forget that the real criminal here is Hacker Croll.

He added: “They have acted illegally by breaking into these accounts, even if they didn’t do anything malicious.”

According to security experts, teenage hacking is becoming a real threat when it comes to cyber crime.

Professionals have indicated that forums such as that of Dark Market which was taken down recently, are starting to be populated by teenagers who are looking to swap credit card data as well as the hacking and phishing kits which is used to collect it.

As these teenagers are not as well trained as professionals who may well do this for a living, they are more likely to get caught as well as pick up a criminal record, which will really hurt them if further down the line, they want to have a career in IT.

The first steps are simply to look for cracks and exploits for computer games, for example to run computer games which they haven’t paid for. Although many kids do this, it is nevertheless illegal.

Then it is likely they’ll graduate to more serious crime, such as swapping programs and malicious data, and further on targeting social networking sites with exploits and virus code.

IT PRO talked to Billy Hoffman at RSA Europe, who works in