Davey Winder's Blog

30 year old spam

By Davey Winder in Editorial

Posted in Blog, Spam on April 29, 2008 at 10:08 am

Although it seems hard to believe, spam is older than many of the people reading this blog entry. On May 3rd, according to New Scientist, it will be 30 years old. It was then that one Gary Thuerk, in his role as a marketing man at the old Digital Equipment Corporation outfit, in his wisdom thought it would be a good thing to use this newfangled email and equally newfangled Arpanet network system to send an advertising message to all its users. Of course, back in May 1978, all its users equated to just 393 poor souls. Even in this small amount the spam was not best received and a number of complaints were received by Thuerk, as well as DEC getting a wrist slapping from the Arpanet admin.

Shame that it did not all end there, isn’t it? Today we have some 120 billion spam messages being distributed every single day across the Internet, sapping resources in terms of manpower, finance and connectivity.

The 30 year birthday will not be getting a nice cake in the shape of a tin of luncheon meat from my wife, who happens to make very nice novelty cakes it has to be said, because I will not allow it. Not least as I don’t feel much like celebrating anything to do with spam right now. Having what you might call a middling to high online profile, there is no point in trying to hide my email address. It has been out there too long, it is too widely known, and changing it does not make sense from the business perspective. Unfortunately this does mean that it gets hijacked every now and then by the spammers, as it has been for the last week or so in fact. About 80 percent of my incoming email, ironically once you have filtered out the spam, is made up of bounce messages from other people’s spam filters telling me they think the message I have sent them regarding a Rolex watch, penis powering drug or top financial tip might be a wee bit spammy. No s*** Sherlock, really?

As usual, there is no real defence against this. Spammers will always use a readily available email address in order to try and circumvent filters, and these are chosen almost entirely at random. It could be you next week, or the week after. I have long since stopped chasing my tail and replying to folk in horror with ‘it wasn’t me’ messages or even trying to complain to ISPs and the like. Life is too short, time is too precious, and it does no good anyway. All you, and I, can do in these circumstances is weather the storm. A simple filtering rule in my email client to move bounce messages into the spam filter prevents me from having to wade through them with my delete finger primed for action. It’s about the best there is, really.

I do hope that within the next 30 years we have found a way to deal with the spam problem though. Be that through cultural revolt, legislative action or technological advance. I don’t actually care how spam gets stopped, as long as it does…

IT outsourcing is the big credit crunch winner

By Davey Winder in Editorial

Posted in Uncategorized on April 28, 2008 at 10:56 am

There is no ignoring the credit crunch, that’s for sure. Whether it is the cost of your weekly food shop, fuel for your car or the fact that the value of your house is moving in the wrong direction, we are all feeling the pinch. All, that is, except the outsourcing segment of the IT services market according to IDC. OK, so a recent IDC study of the Western European IT services market which saw better than expected performance during 2007 and reported growth at 6.4 percent in constant currency has been revised a tad in the light of growing economic uncertainty. But even when taking a “more conservative view of the market” IDC still predicts growth at 4.8 percent CAGR and expects it to reach $242.8 billion by 2012.

IDC even admits that demand for IT services will “slow down in 2008” to a level of something like 1.8 percent less than the spending growth last year, but importantly IDC reckons that the credit crunch will not have as strong an influence in Europe as it has done in the US. Where it will hit hardest, if you go by the IDC predictions at any rate, would appear to probably be project services, followed by support services but with “little or no impact in the outsourcing segment.”

“As the European economy cools down, the outsourcing segment continues to be the growth engine of the IT services market,” said Laura Converso, research manager, IDC’s European Services Research. “The overall outsourcing market will exceed the size of project-based services by 2008 and will account for 42% of the total IT services market by 2012. At a worldwide level, IDC estimates that Western Europe will eclipse the U.S. to become the largest geographic market for IS outsourcing by 2009.”

In fact, IDC is predicting that the overall outsourcing market will be the fastest-growing of all, attaining a 7.5 percent growth forecast for 2008 thanks to a cost-cutting mentality driven by the credit crunch.

Saving the planet? Saving a few quid more like…

By Davey Winder in Editorial

Posted in Green IT, Blog on April 26, 2008 at 10:07 am

Kyocera Mita Europe has published the results of its latest survey, carried out by the IFAK Institute, which looked at the way in which environmental issues impacted upon the European enterprise from the employee perspective. British companies were pretty clear cut in thinking that they could do better with 89 percent saying so, compared to the European average of just 69 percent.

Us Brits are also leading the way when it comes to understanding the importance of getting the green message across to employees. While only 59 percent of the French companies asked considered this of importance, and 62 percent of the Germans, the British enterprise response was a credible 73 percent.

Overall though, across Europe, employees thought that they were doing a decent job in saving the planet while working through the adoption of green practices of some kind or another: 90 percent to be precise. Interestingly, top of the save the planet pops were switching off equipment at night with 55 percent, followed by using digital documentation on 52 percent and duplex printing and photocopying on 43 percent. Shame on the 9.7 percent who readily admitted to doing absolutely none of the above though.

The enterprise itself is doing its bit, at least that is the message coming across when employees were asked the question. 44.8 percent of European companies recycle used ink and toner carts for example. Methinks the employees are wearing rose tinted spectacles if they truly think that less than 50 percent bothering to recycle carts is ‘doing their bit’ for the planet. It is an appallingly low figure. Indeed, this is borne out by the 77 percent of respondents who thought the business could be doing more in general, and 69 percent when it comes to recycling in particular.

Let us not forget that saving the planet is not, perhaps, the driving force behind environmentally friendly computing practices - that would have to be reducing costs as suggested by 38 percent of those asked about enterprise motives for going green. 21 percent thought it was some kind of politically correct branding exercise designed to boost the image of the company concerned. Only 24.9 percent thought that environmental change was the main influencing factor.

Null pointer de-referencing could be the next big thing

By Davey Winder in Editorial

Posted in Blog, Security on April 21, 2008 at 1:18 pm

Mention buffer overflows to any software developer or security savvy geek and the chances are the hairs on the back of their necks will stand to attention fairly quickly. And for good reason, after all buffer overflow exploits have been pretty much the major thorn in the side of IT security for a good few years now. However, times change and threats evolve, and buffer overflows could soon be overtaken in the hair raising stakes by null pointer security flaws.

Take a look around the blogosphere right now and go search for null pointer de-referencing, null pointer flaws or best of all leveraging the ActionScript virtual machine and you will get a flavour of what the big fuss is all about.

For me, the null pointer de-referencing scare certainly has all the hallmarks of being the next big thing. Security experts are running around waving their knickers in the air while hackers are quietly getting on with understanding how best to exploit the vulnerabilities it presents. But just what is null pointer de-referencing?

It is not something that can easily be put simply, but if you think of a de-reference as being something that happens at the point when an application accesses, or at least tries to access, memory at an address declared to have nothing there, with the value NULL in other words, then you have pretty much got it. Ideally the application would fall over and die but, just as with all those best buffer overflow exploits, in some cases it is possible to get them to access and execute arbitrary locations when that NULL pointer is accessed. The ActionScript paper mentioned earlier provides the framework to make this happen, to allow for simple probing of applications for NULL pointer de-references across multiple platforms, to make this class of vulnerability easy to track down for those who would wish to exploit it and us.
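Why a NULL de-reference is not always just a crash, as an added C example that is not from this post or the paper it mentions: when an unchecked NULL base pointer is indexed, the address touched is decided entirely by the index. The names slot_table, table_init, store_unchecked, touched_address and store_checked are hypothetical, and the failed allocation is a constructed case.

```c
/* Added example; all names here are hypothetical, not from any real code base. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct slot_table {
    uint32_t *slots;   /* NULL if allocation failed */
    size_t    count;
};

/* Allocation can fail; callers must look at the return value. */
int table_init(struct slot_table *t, size_t count)
{
    t->slots = NULL;
    t->count = 0;
    if (count == 0 || count > SIZE_MAX / sizeof(uint32_t))
        return -1;                       /* size computation would overflow */
    t->slots = calloc(count, sizeof(uint32_t));
    if (t->slots == NULL)
        return -1;
    t->count = count;
    return 0;
}

/* FLAWED pattern (shown for contrast, never called here): no NULL check and
   no bounds check. If slots is NULL the write does not land "at NULL"; it
   lands at idx * sizeof(uint32_t), an address chosen by whoever supplies idx. */
void store_unchecked(struct slot_table *t, size_t idx, uint32_t val)
{
    t->slots[idx] = val;
}

/* Address the flawed store would touch, computed without dereferencing. */
uintptr_t touched_address(const struct slot_table *t, size_t idx)
{
    return (uintptr_t)t->slots + (uintptr_t)idx * sizeof(uint32_t);
}

/* Hardened store: reject a NULL table and out-of-range indexes. */
int store_checked(struct slot_table *t, size_t idx, uint32_t val)
{
    if (t == NULL || t->slots == NULL)
        return -1;                       /* would have been a NULL de-reference */
    if (idx >= t->count)
        return -2;                       /* would have been an out-of-bounds write */
    t->slots[idx] = val;
    return 0;
}

int main(void)
{
    struct slot_table t;
    if (table_init(&t, SIZE_MAX) != 0)   /* constructed failure case */
        printf("init failed, slots=%p\n", (void *)t.slots);
    printf("flawed store at idx 0x1000 would touch 0x%lx\n",
           (unsigned long)touched_address(&t, 0x1000));
    printf("checked store returns %d\n", store_checked(&t, 0x1000, 42));
    return 0;
}
```

Checking every allocation result and validating the index before use closes both halves of the problem; static analysers and compiler warnings for unchecked return values catch many instances of the flawed pattern.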

As Geoff Sweeney, CTO of security experts Tier-3, says: “We have been monitoring this for some time and confirm that null pointer security flaws are exploitable and could quickly replace buffer overflows as the next big threat.

Malware numbers down but don’t celebrate just yet

By Davey Winder in Editorial

Posted in Data Protection, Blog, Security on April 15, 2008 at 10:19 pm

That would appear to be the conclusion of a new survey carried out on behalf of the Department for Business, Enterprise and Regulatory Reform, the early results of which have been released today. Although we will have to wait until next week for the full survey to be revealed at InfoSecurity Europe, the results seem both encouraging and worrying at the same time.

The 2008 Information Security Breaches Survey suggests that the number of UK companies reporting malware infection is actually down by as much as 60% when compared to just 24 months ago. This can be, fair enough, partly accounted for by improved anti-virus controls but at the same time we are told that two-thirds of the companies affected said that malware was responsible for their worst information security breaches.

One thing is clear, and that is the nature of the malware threat is certainly changing. The people writing the malware itself are increasingly sophisticated in their methods, especially when it comes to concealing their activities.

Still, on the happy happy side of the fence the survey does appear to be suggesting that malware is causing less damage than in the past, much less damage. The early figures that have been leaked out have a mere 14% of UK companies reporting a malware infection last year. That’s down from 35% two years ago, and it would appear that there are three main reasons for this:

  1. Corporate anti-virus defences have significantly improved with 95% of companies scanning incoming emails for viruses and 98% having software installed to scan for spyware.
  2. Most minor infections are no longer considered security breaches but as ‘events’ dealt with by routine controls.
  3. Malware itself is now just the first stage in enabling more lucrative attacks by hackers rather than infection being an end in itself. Which means it tries harder to remain undetected.

And on the not so happy side? Well, we are warned that despite the lower levels of infection, it’s a mistake to assume the malware threat is over. Chris Potter, a partner with PricewaterhouseCoopers LLP, who led the survey commented: “If there is one area of security where UK plc has really got the message, it’s virus protection. Only a tiny minority of companies don’t take this area seriously. The message from this survey is clear - if you haven’t got anti-virus and anti-spyware software, you’re way outside the benchmark. But, there remain some serious challenges. Companies now seem to be slower to install operating system patches than they were in 2006. Delaying patches can leave systems vulnerable to attack. On the other hand, rolling out patches instantly, without testing them first, can lead to systems instability. It’s important that companies strike the right balance here - risk assessment is essential.” While Dr. Guy Bunker, Chief Scientist at Symantec Corporation, one of the consortium members responsible for the survey, added: “While the results of the survey are encouraging, it’s clear that the battle between malware writers and companies continues unabated. Our recent research shows that there are over a thousand new malicious threats appearing each day. The battle is still on, it’s just changed from being obvious and high-profile to silent and obscure but is just as lethal. The motivation of malware writers has changed. Law enforcement in this area has improved around the world. As a result, the kudos derived from writing a disruptive worm to gain notoriety is outweighed by the personal consequences. Motivated by the money involved, organised crime is employing malware writers to write ‘stealthy’ code that seeks to obtain confidential information or open security holes which can be exploited for financial gain.”

Swiss cheese applications are the norm

By Davey Winder in Editorial

Posted in Data Protection, Blog, Security on April 10, 2008 at 2:19 pm

Another of those pre-InfoSecurity surveys has emerged from my email today, and oh boy is this one a huge bringer of happiness. Well, actually, no it isn’t. What it does bring to the IT security table is the bad news that 75 percent of the companies questioned think their applications have holes large enough to be exploited by criminal types.

One Professor Howard A. Schmidt, who happens to be a director at Fortify Software but perhaps more interestingly also a former Cyber Security Adviser to the White House, is quoted as saying “this figure of three quarters of organisations having security holes based on application vulnerabilities, while dramatic, is unfortunately not that surprising. When organisations develop applications, quality is one of the highest priorities but security vulnerabilities are seldom recognized or fixed. Priority is often given to delivering application features and business benefits without the understanding of fundamental coding errors that lead to security issues. Cybercriminals are targeting applications to steal money and information, and they know all too well how to exploit vulnerabilities not only in commercial software but are also very adept in finding security holes in applications that are developed “in house”. Business leaders need to set in place business software assurance processes including development practices designed to ensure that their applications are secure to protect the data of citizens, customers and shareholders from the new wave of threats from cybercriminals.”

He’s not wrong of course, although I disagree about the ‘not that surprising’ bit. I am absolutely gob-smacked that people wearing long trousers and one assumes getting paid decent money to take care of IT business will happily admit that the applications they use are doing a decent impression of Swiss cheese: full of holes.

Look, hackers are not in it for the fun any more. Forget the pot-boiler novel portrayal of the spotty geek wreaking havoc for the heck of it. Today those geeks can afford to have laser treatment for the spots and still have enough money left over for the latest bling-filled car. Cyber crime is big business, big and well organised business. Shame that it seems only the bad guys are taking it seriously enough though…

Is outsourcing your evil twin?

By Davey Winder in Editorial

Posted in Data Protection, Blog on April 7, 2008 at 12:17 pm

I love the run-up to the annual InfoSecurity Europe show, not least because it means I am assured of numerous press releases with the most wonderfully eye-grabbing headlines from exhibitors wanting to attract my attention and my time while visiting the show. One such release arrived in my inbox today, proclaiming that if you ‘Outsource your code’ then you are ‘more likely to be hacked.’

Naturally, I read on. The gist of the email being that according to a report released today by IT analysis group Quocirca, the majority of companies manage to overlook the basic task of mandating security when they enter into an outsourcing agreement.

In fact, the report reveals that of the organisations that admitted to being frequently hacked, all outsource at least some of their coding practice, with 90 percent outsourcing more than 40 percent! The survey at the basis of the report discovered that more than 60% of companies which enter into the outsourcing of critical applications coding just do not bother to mandate that security must be built into the applications at all. This should actually come as little surprise if you ask me, especially if you delve deeper into the report and discover that 20 percent of UK companies don’t consider security when building their applications at all.

Heck, statistics abound which show that the software application layer is like a banana to a monkey as far as hackers are concerned when it comes to accessing critical data. The National Institute of Standards and Technology (NIST) reckons that 92 percent of vulnerabilities affecting computer networks are contained in software applications. Do the math and this whole issue starts to become really rather important, does it not?

I am not sure that I agree with the implication of the statement in the press release that says “an organisation that has not developed the code itself can never be absolutely certain that it is secure” which would seem to suggest that outsourcing per se is the evil twin in this software sibling scenario. The truth is that even if you develop the code yourself from the bottom to the top you can never be 100 percent certain that it is secure, at least not for 100 percent of the time. New exploits can make previously considered secure code vulnerable, after all. This is kind of admitted in the release when it insists “However strong a relationship with a third-party developer, or watertight the service-level agreements in place, a rogue developer can place vulnerabilities in the code that they develop - for example, by placing a backdoor in software that can be used to infiltrate a network in the future.” Yup, as could a rogue in-house developer of course.

The report was supported by Fortify Software whose Director, and former Cyber Security Advisor for the White House,

Museum of Computing faces eviction

By Davey Winder in Editorial

Posted in Blog on April 2, 2008 at 10:24 am

Launched in 2003, the Museum of Computing in Swindon was the first dedicated museum in the UK covering the computer and related technology, if you don
