Davey Winder's Blog

Are spammers an endangered species?

By Davey Winder in Editorial

Posted in Uncategorized on August 29, 2007 at 2:08 pm


We are experiencing a new wave of junk email that could be best described as Spam 2, what with the tidal wave of PDF spam that hit last month and the MS Excel attachment spam that has taken over from it this month. But is it really a next generation spam trend, or the desperate death throes of an industry which sees a cash cow shot in the head by ever-improving anti-spam technologies?

There can be no denying that the latest spam wave has been carefully designed to circumvent those technologies that work by analyzing content alone, and wrapping messages in new file formats is one way of achieving that. But then so was the image spam epidemic that truly did flood mailboxes the world over for many months, until the anti-spam guys got on top of it.

I can’t see Spam 2 being any more successful, especially as there are plenty of heavyweight anti-spam solutions out there that look for patterns in mass emails and can block it automatically. A content-agnostic approach will uncover image based spam in any format or language; combine it with a zombie detection system to offload unwanted traffic at the network perimeter, based upon the history and reputation of the sender, and spammers increasingly look like an endangered species. “In the last month, image based Spam 2 attacks including pdf and excel spam accounted for over 50% of all spam we detected,” says Steve Cornish from anti-spam company PineApp. “Excel spam on its own currently accounts for just 5% but this still represents millions of messages and next month we may start to see PowerPoint or Word files.”

Meanwhile, Sophos technology guru Graham Cluley reckons that there has been a dramatic decrease in the amount of PDF spam already, and that this is proof that it makes for an unprofitable spam mechanism. How dramatic a fall? How about from a high of 30% of all spam at the start of the month to, well, just about none at all right now.

“If PDF spam email messages have all but disappeared, there can only be one reason - they’re not working” says Cluley “Spammers wouldn’t turn away from PDF spam if it was an effective way to fill their pockets with cash and direct consumers to their websites, dodgy goods or dodgy investment opportunities.


 

Windows Genuine Disadvantage as Microsoft validation servers go down

By Davey Winder in Editorial

Posted in Microsoft on August 26, 2007 at 3:16 pm


Well, what a fun weekend that was. For 20 hours or so stretching across Friday and Saturday, many XP and Vista users became pirates, at least as far as Microsoft was concerned.

The validation servers appear to have suffered a major outage, taking along all proof that you had actually bought and installed a legit copy of the OS. When consumers tried to perform a system update or indeed any online activity that requires the WGA server to kick in, they were informed that their copy was not genuine.

A little embarrassing perhaps but nothing more, right? Wrong.

People with Vista, for example, found that functionality was stripped back with the Aero graphical interface mysteriously vanishing.

Still, Microsoft were doing all they could to put things right in the shortest possible time, and making sure their customers were aware of the concern, right? Wrong again.

Or at least that is what it must have felt like to the people whose tech support emails and forum postings were met with an official response of


 

Spammers kicking up a storm

By Davey Winder in Editorial

Posted in Uncategorized on August 22, 2007 at 1:49 pm


If it were not bad enough that some spamming scumbag were using my email address in the from field of their latest campaign to improve sexual performance through the double whammy of herbal Viagra and cheap company shares, resulting in a huge swathe of bounce messages heading my way to keep me up of a night (and not in a sexual way) I was starting to think that some of the spammed were retaliating by signing me up to all sorts of weird and wonderful online services.

Thankfully this is not the case, but rather the result of a new outbreak of malicious spams as identified by the email content security provider Marshal.

The Marshal TRACE team tells me that the spams are used as the hook to get people to visit websites where the reward is a nice little infection with the Storm Trojan. So far I have had everything from job hunting services and joke-a-day websites to one from the mysterious ‘web players’ organisation. The common thread is a claim that I had registered with said site or service, and a request that I log in to change my temporary password for one of my choosing.

Interestingly, and I assume courtesy of the public starting to become more aware of the URL when responding to such messages, the links included do not show a fully translated domain but instead just an IP address. Ooh, clever move chaps, or it would be had I actually attempted to register with an association of online bartenders recently.

“We are seeing significant volumes of ‘confirmation spam’ hitting inboxes. This outbreak is the latest in a string of underhanded social engineering tactics used by the same individuals responsible for the Storm Trojan to propagate their botnet. These criminals are clever and highly adaptive. This is simply their latest attempt to fool unsuspecting email users into infecting themselves” Bradley Anstis, Director of Product Management at Marshal told me.

Previous attempts, since the Storm Trojan first hit the headlines back in January, have included the use of spoof news headlines such as “Saddam Hussein alive!” and a selection of greeting cards apparently sent by a friend and awaiting your attention.

The most worrying aspect of all this is that it appears this scam is being operated by the same criminal group that sent out the ‘hot pictures’ campaign at the start of the week. It could signal a trend of changing tack, modifying spam strategy every few days as opposed to the normal lifespan of such things which has traditionally stretched into months.
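The two traits described above, a "you registered, log in to change your temporary password" message and a link that points at a bare IP address, can be checked mechanically. The following is an added example, not Marshal's detection logic or anything from the original post; the function names, the phrase list, the scoring thresholds and the sample messages are all assumptions made for illustration.

```javascript
// Added illustration: heuristic for "confirmation spam" whose links use a
// bare IPv4 address instead of a domain name. Names and thresholds are
// hypothetical; sample messages in the usage below are constructed.

const URL_RE = /https?:\/\/[^\s<>"')]+/gi;
const IPV4_RE = /^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$/;

// Phrases matching the lure the post describes (assumed list, not exhaustive).
const LURE_RES = [
  /temporary password/i,
  /\b(log ?in|sign ?in)\b/i,
  /\b(registered|registration|membership|new member)\b/i,
];

// Return every link in the body whose host is an IPv4 literal.
// new URL() normalises numeric hosts, so a decimal or hex encoded
// address is reported in dotted-quad form as well.
function ipLiteralLinks(body) {
  const hits = [];
  for (const raw of body.match(URL_RE) || []) {
    let host;
    try {
      host = new URL(raw).hostname;
    } catch {
      continue; // not a parseable URL, ignore it
    }
    if (IPV4_RE.test(host)) hits.push({ url: raw, host });
  }
  return hits;
}

// "flag": IP-literal link plus at least two lure phrases.
// "review": IP-literal link on its own (can be legitimate, e.g. a LAN device).
// "pass": no IP-literal link.
function classify(body) {
  const links = ipLiteralLinks(body);
  const lures = LURE_RES.filter((re) => re.test(body)).length;
  let verdict = "pass";
  if (links.length > 0 && lures >= 2) verdict = "flag";
  else if (links.length > 0) verdict = "review";
  return { verdict, links, lures };
}

// Constructed sample messages (addresses are from documentation ranges).
const SAMPLES = {
  lure: "Thank you for joining Joke-A-Day. Your temporary password is 4417. " +
        "Please log in at http://192.0.2.10/login to choose your own.",
  clean: "Welcome back! Manage your registration at https://www.example.com/account",
  bareIp: "Router admin page: http://198.51.100.7/ status",
  encoded: "Your temporary password expires soon, log in: http://3221225994/",
};

for (const [name, body] of Object.entries(SAMPLES)) {
  console.log(name, classify(body).verdict);
}
```

A heuristic like this belongs in a scoring pipeline alongside sender reputation rather than as a sole blocking rule, since internal mail can legitimately link to IP addresses.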


 

Are you a thieving Firefox user?

By Davey Winder in Editorial

Posted in Firefox on August 20, 2007 at 5:01 pm


I am not going to suggest that advertising revenue is not important in the overall web business model scheme of things, for a huge swathe of such enterprises it is vital. But suggesting that using ad-blocking technology within your web browser client is tantamount to theft is just daft. Not as daft as blocking anyone who uses the Firefox client because it comes with some rather effective ad-blocking technology built in, mind you, but daft nonetheless. The fact that one site has done both is shockingly stupid.

Take a look at whyfirefoxisblocked.com and you’ll see what I mean. Sure, it could all be some kind of elaborate hoax. Reverse psychology marketing perhaps, suggesting that Firefox users are the scum of the earth and detailing a (very primitive) way of blocking access to them, all to stir up media attention and get some free advertising (no pun intended) for the Mozilla browser.

Somehow, I doubt it though. I am inclined to lean more towards it being a genuinely ridiculous campaign by the hard of thinking. And here is why…

“Software that blocks all advertisement is an infringement of the rights of web site owners and developers” claims the site, continuing “accessing the content while blocking the ads, therefore would be no less than stealing.” OK, they have a point so far, and the ethical approach would be not to visit a site and make use of that content if you are unwilling to take the advert rendering alongside. Indeed, this is pretty much what I practice. If a site provides quality content, gives me access to a resource that is valuable, then I will happily put up with some unobtrusive advertising. IT Pro falls nicely into this category as far as I am concerned. I disable ad-blocking on a site-by-site basis where I believe the content deserves it. However, where a site is geared towards feeding me adverts, filling their coffers in the process but without any worthwhile content or user experience alongside then the adverts are blocked. That is called freedom of choice, and unless there is a specific legal requirement which stipulates I must not block ads in order to access the site, I don’t think I am doing anything wrong.

Then again, I don’t think that site owners who try and prevent access by people using blocking software are wrong either. Na


 

Old duffers and Internet security do not mix

By Davey Winder in Editorial

Posted in Security on August 10, 2007 at 12:48 am


The House of Lords Science and Technology Committee have published their long awaited report into Internet security, and it is just as amusing as you might imagine a report by a bunch of old duffers talking about the Internet would be.

The hugely insightful conclusion would appear to be that “the Government must do more to protect individual Internet users” which I am sure must have taken the poor loves many a dunked rich tea to arrive at. Instead of acting to protect individuals, or providing incentives for the private sector to act, the Government continues to insist that individuals are ultimately responsible for their own security. This, the Committee insists, is “inefficient and unrealistic”.

Not as inefficient and unrealistic as encouraging Internet service providers to improve the security offered to customers by establishing a kite mark for Internet services, it has to be said. I guess that memory does worsen with age, otherwise their Lordships might have remembered that various similar schemes have come and gone, all gone in fact, courtesy of being pointless. Even the one most likely to succeed, the Which? scheme backed by the Consumer Association vanished quietly after loudly going nowhere. It is almost as pointless as those numerous sites which used to carry little award logos from self styled ‘best of the web’ services. As if a crappy logo could disguise a crappy page.

Other suggested measures are a little more sensible, such as establishing a centralised and automated system for the reporting of e-crime. Although it falls down a tad when you read that it should be administered by law enforcement, and they should have increased skills to catch and prosecute e-criminals. Listen up Lord Cuckoo, out here in the real world where us peasants live, the police don’t even bother investigating when your car gets vandalised or your house burgled. If you are a victim of identity theft or credit card fraud then the official line is that it’s a matter between you and your bank, and they don’t want to get involved. Considering that there are no motoring laws being broken, and council tax payments withheld, I cannot see what possible incentive there is for the police to investigate the spreading of malware, a 419 fraud or some online security breach.

About the only thing I agree with would be the establishing of a data security breach notification law, forcing companies into revealing when their security had been breached so that customers are aware of the potential infringement, and to establish legal liability for damage arising from such breaches.

Lord Broers, Chairman of the House of Lords Science and Technology Committee, said:


 

Putting your virtual foot in it

By Davey Winder in Editorial

Posted in Uncategorized on August 7, 2007 at 11:49 am


In case you did not know, much of my time of late has been spent researching and writing a book for the Science Museum (Being Virtual, to be published by Wiley in 2008) covering the concept of identity in the digital age. It is going well, thanks for asking, and I might even have the manuscript finished in time to meet the deadline. One of the problems with writing about who we really are today, is that I have been spending a lot of time in the virtual world. Well, virtual worlds to be precise. While these are great places to go and escape from the reality of day to day existence, companies looking to exploit the massive market potential of emerging and immersive 3D environments cannot escape the realities of business risk management and brand security issues. IT research specialist Gartner has today warned companies that are sensitive to brand issues, as well as social and ethical positioning, to exercise particular caution in uncontrolled worlds such as Second Life.

“The risks enterprises face as a result of their involvement in virtual worlds are real and can be significant. They shouldn’t be ignored, but neither should the potential opportunities and benefits that arise from using these new environments for corporate collaboration and communications,” said Steve Prentice, vice president at Gartner. “When planning enterprise activities in virtual worlds, an enterprise’s awareness of the risks, as well as a reasoned and objective analysis of them, will enable it to objectively evaluate the overall situation and offset risks against often-nebulous benefits.”

Here are the five broad issue groupings that Gartner identified, together with related advice for enterprises in each category:

1. IT-Related Security Risks

IT-related security risks are primarily centered on unverified applications being downloaded to managed desktop systems, and on issues regarding firewall permeability. There are no indications that these client applications represent a higher risk than other similar applications, but Gartner said that at this time, the high frequency of updates makes the control of a large application difficult.

2. Identity Authentication and Access Management

Individuals interact in virtual worlds via avatars, which are computer-generated representations of themselves. However, because new accounts can be opened with ease (and at no cost), many individuals have multiple avatars. Thus, it’s difficult (if not impossible) to ensure that any specific avatar actually represents the person with whom it’s associated. This lack of verifiable identity control or access management is a major deficiency in public virtual worlds and is having a significant impact on the potential use of virtual worlds for internal collaboration purposes. Gartner recommends that companies seriously evaluate the availability of “private” virtual-world environments, which are hosted internally and exist entirely inside the enterprise firewall.

3. Confidentiality

Virtual worlds aren’t secure environments. Gartner believes that discussions involving confidential and commercially sensitive information shouldn’t take place inside Second Life or any other virtual world - or in an open, internet-supported social-networking site. Worldwide legal systems (especially in the US) have become increasingly aggressive in demanding access to electronically stored records. By moving to a private virtual world (built by using tools such as GarageGames’ Torque Game Engine or Sun’s Java-based Project Wonderland), or one developed using established applications (such as Forterra Systems’ Olive), that is entirely contained inside the enterprise firewall, the issues of privacy, confidentiality and identity can be controlled. Non-US organisations may wish to avoid virtual worlds that are subject to US jurisdiction because this may result in stored information being subject to legal scrutiny.

4. Brand and Reputation Risk Management

Uncontrolled virtual worlds represent an environment fraught with danger for enterprises that are sensitive to brand and reputation issues. Enterprises should exercise extreme caution in their virtual-world activities. Enterprises that are sensitive to brand and reputation issues should consider confining their activities to controlled virtual environments to minimise (but not eliminate) their potential exposure.

5. Productivity

Considerable scepticism remains regarding the practical benefits of virtual worlds to enterprise activities, with many senior executives viewing them as time- (and therefore money-) consuming diversions that lead to significant amounts of wasted time as well as computing and bandwidth resources. As social networking sites enter the mainstream of daily life for a growing segment of the population, some enterprises are re-evaluating their restrictions on the basis that networking and collaboration are important elements of worker productivity and morale. Gartner’s take is that productivity may decline during the extensive learning and adoption phases of virtual worlds, but this shouldn’t prevent enterprises from looking beyond the initial phases toward the productivity benefits that may ensue. Whilst unconstrained use of virtual worlds for all staff is probably inappropriate and unnecessary, enterprises should keep an open mind and evaluate trials carefully to avoid premature and inappropriate decisions regarding access and value.


 

Evesham Technology goes into administration

By Davey Winder in Editorial

Posted in Uncategorized on August 6, 2007 at 8:15 pm




 

Microsoft can get MOOFed

By Davey Winder in Editorial

Posted in Microsoft on at 12:14 pm


I got a press release from the Microsoft PR people this morning, suggesting that maybe now is the time I should start changing my work habits and get a little more flexible. Microsoft, it appears, wants me to get MOOFing.

Ah yes, that would be the Mobile Out Of Office thing, MOOF you see, that prompted Microsoft to build an office up a tree last month wouldn’t it? Apparently some research or other concluded that 75% of people reckon the ability to work flexibly as being a deciding factor when looking for a new job, and 50% amazingly suggest work would be less stressful if they could have a tad more say in where that work was done. Listen up Microsoft, work would not be less stressful just because you were doing it up a bloody tree!

The reasons that the press release gave for me to consider joining the MOOF set were equally amusing, and for the most part easily debunked as far as my circumstances are concerned.

Let’s see, ah yes “extreme weather causing Summer chaos, floods of epic proportions” was number one on the list. I can relate to that, being located in South Yorkshire, with a Doncaster postcode. In fact my village was amongst the first to get flooded right at the start of the rain epidemic a couple of months back. In further fact, my village was so flooded that the road in and out was submerged and nothing could get through apart from my farmer neighbour with his biggest tractor. In even further flipping fact, the electricity was kindly removed from the village when the sub-station also sank without trace. Mobile Out Of Office? I was immobile, stuck in my office, and unable to work. And I already work from home


 

Premature Ajax-ulation

By Davey Winder in Editorial

Posted in Ajax on August 5, 2007 at 2:32 pm


The Black Hat security conference in Las Vegas has come up trumps in the bad puns but good advice stakes, with SPI Labs warning business about the dangers of premature Ajax-ulation.

What researchers Bryan Sullivan and Billy Hoffman were actually referring to was the threat of web developers relying too much upon their urge to use Ajax techniques. Techniques, the researchers claim, that can force far too much business logic over to the client side and as a result enable user manipulation leading to security breaches.

Demonstrating their logic with the use of SQL and XPath injection exploits, the pair built a travel site which could be easily hacked to trick the system into not only blocking the sale of tickets for any given flight, but also reducing the cost of the tickets being purchased. Sounds good to me, cheap tickets and an empty plane! Probably wouldn’t sound so good to the travel agent if it had been a genuine site though.

The whole area of web application security is something that needs to be taken much more seriously than it would appear to be at the moment, as more and more companies seek to get that competitive edge by leveraging Ajax technologies. A dynamic web is a great thing which holds much promise, but if basic security tenets are ignored in a rush to get to market advantage, well it doesn’t take a genius to predict how quickly that advantage will turn sour.

Hoffman says “Ajax applications run more code on the client than traditional web applications, this provides an attacker with all kinds of insight into how Ajax applications function, such as what web services it talks to, the function names and variable data types, as well as the control flow of Ajax applications and how data is stored.”

I’d be inclined to listen to the man.
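The core of the researchers' warning, that business logic pushed to the client can be rewritten by the user, comes down to what the server is willing to believe. The following is an added example, not code from the SPI Labs demonstration; the flight data, field names and both handler functions are hypothetical. It places a handler that trusts the browser's figures beside one that recomputes them.

```javascript
// Added illustration; flight IDs, prices, field and function names are hypothetical.

// Server-side source of truth for prices and seat counts.
function makeInventory() {
  return new Map([
    ["LV101", { priceCents: 42000, seatsLeft: 3 }],
    ["LV202", { priceCents: 18500, seatsLeft: 0 }],
  ]);
}

// Weak pattern: browser-side script worked out the total and the
// availability, and the server simply believes whatever it is sent.
function bookTrustingClient(req) {
  if (!req.clientSaysAvailable) return { ok: false, error: "sold out" };
  return { ok: true, chargedCents: req.totalCents };
}

// Corrected pattern: the client supplies only an identifier and a quantity.
// Both are validated, and price and availability come from server state.
function bookServerSide(req, inventory) {
  const { flightId, seats, totalCents } = req;

  // Strict allowlist format check before the value reaches any lookup or query.
  if (typeof flightId !== "string" || !/^[A-Z]{2}\d{3}$/.test(flightId)) {
    return { ok: false, error: "invalid flight id" };
  }
  if (!Number.isInteger(seats) || seats < 1 || seats > 9) {
    return { ok: false, error: "invalid seat count" };
  }

  const flight = inventory.get(flightId);
  if (!flight) return { ok: false, error: "unknown flight" };
  if (flight.seatsLeft < seats) return { ok: false, error: "not enough seats" };

  // Price is computed here; a client-sent total is used only as a
  // tamper signal worth logging, never as the amount to charge.
  const chargedCents = flight.priceCents * seats;
  const tampered = totalCents !== undefined && totalCents !== chargedCents;

  flight.seatsLeft -= seats;
  return { ok: true, chargedCents, tampered };
}

// Constructed request in which the total has been edited client-side.
const edited = { flightId: "LV101", seats: 2, totalCents: 100, clientSaysAvailable: true };
console.log(bookTrustingClient(edited));             // charges the edited total
console.log(bookServerSide(edited, makeInventory())); // charges the real total
```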


 

Malware cold war heats up

By Davey Winder in Editorial

Posted in Security on August 4, 2007 at 12:17 pm


Forget all the Bush
