Davey Winder's Blog

England World Cup defeat a blessing in disguise (for security pros)

By Davey Winder in Editorial

Posted in Data Protection, Twitter, Blog, Security on June 28, 2010 at 12:59 pm


I’m no football fan, I’ve made that clear enough these last few weeks. However, while I don’t like to see the national team humiliated in the way they were by Germany over the weekend, I can’t help but feel that the 4-1 drubbing might just be a blessing in disguise as far as Internet security is concerned.

It’s OK, I’ve not gone totally mad and entered into some strange realm of hugely tenuous links; I’m actually quite serious about this. The football World Cup is one of those relatively rare events that tick pretty much every box that your average spammer, scammer and Internet bad guy can look for in a current event to latch onto. It is not only big news, but it’s big news all over the globe. What’s more, it’s the kind of big news that stirs up national pride and gets huge swathes of the online population talking about it, arguing about it and, most importantly, reading about it. The World Cup is, in other words, a malicious link poster’s wet dream.

As I mentioned recently, 25 percent of all global spam is currently related to the World Cup, and much of that will contain malicious links. Although I have no actual figures to shore up my next argument, I’m going to stick with it based purely on the sheer number of emails that have been passed my way and the off-the-record conversations I’ve had with security researchers: many of those malicious links, and the messages that spread them, relate to the damn vuvuzela.

There, I’ve said it. The hugely annoying plastic trumpet that nobody can play, unless it is meant to sound like a Wookie with toothache that is, has been the second most dominant news force of this World Cup, after the fact that England cannot play of course. Which means that the malware authors love it, as the latest attack shows: it uses Twitter to spread a message which simply reads “OMG! Vuvuzela banned!” along with some hashtags to help spread the word (#worldcup and #vuvuzelabanned) and, of course, assorted malicious links. According to Andrew Brandt at Webroot, the tweets use different link shortening services to mask the destination of those links, a bogus image hosting site called Image Sheep, and while you are there, in the background, your PC is herded into a botnet. Brandt warns “there is a real image hosting service by the same name, but the real Image Sheep is registered elsewhere and hosted in an entirely different network than these fake Image Sheep clones”.

The multiple payloads at the fake site appear to include the receipt of batches of stolen user data, which are used to log in to Twitter and Facebook amongst others; another “contains scripting that adds an entry with details about the victim’s computer into a MySQL database”, and this reports on “the number of infected users, the rate at which people infect themselves, and the clicks to various parts of the page”.

As I say, the good news, for those of us in the UK at any rate, is that I suspect these kinds of exploits will be a lot less effective now that England has been knocked out of the World Cup and general interest in the competition wanes. Strangely enough then, I think we should all be thanking the Germans for doing us a favour…


 

Lessons of HMRC breach lost in time

By Davey Winder in Editorial

Posted in Business, Data Protection, Blog, Government, Security on June 14, 2010 at 10:49 pm


Who could forget that historic HMRC security breach in November 2007 which saw the bank details of 25 million people go missing? The surprising answer to that question is around 20% of companies, it would seem.

At the time, the Conservative Party told the BBC that the breach was “a catastrophic failure” and then Chancellor Alistair Darling admitted it was an “extremely serious failure on the part of HMRC to protect sensitive personal data entrusted to it in breach of its own guidelines”.

In June 2008 the Poynter Review into the shameful affair identified major institutional deficiencies and recommended a number of security principles to prevent any recurrence. Now a survey by Cyber-Ark suggests that companies are still choosing to ignore some of these core recommendations, including the 19% which continue to use external couriers to transfer sensitive data files.

The Poynter Review clearly recommended that transfers of digital data involving physical media should be phased out completely, yet this new survey shows that this method is on the up rather than being phased out. In 2008, when questioned on this, 4% of respondents used the postal system to transfer large files; that figure has now jumped to 11%.

It’s not all bad news though, as the survey also revealed that 82% of companies do have some system in place for transferring data, and the use of email for this has declined from 35% in 2008 to 16% now. Unfortunately, 67% have moved to FTP for sensitive data transfer and 28% are using web-based services.

Mark Fullbrook, UK Director for Cyber-Ark, says “With FTP, and even encrypted FTP sessions, the problem arises after data has moved, while it sits on the FTP or SFTP server in plain text. The nature of the beast means the service is directly connected to the internet, leaving it open to violation, and as there is no audit trail, no record of who accessed the files. More alarming are those organisations that are using a web based offering – they may just as well stand on a street corner and give away their information, as these services just weren’t designed with sensitive corporate data in mind”.


 

Why I’m buying a firewalled wallet

By Davey Winder in Editorial

Posted in Data Protection, Blog, Security on May 28, 2010 at 1:39 pm


I may not be paranoid, but that doesn’t mean they aren’t trying to steal my identity right out of my wallet. I’m not sure who ‘they’ are, to be fair, but I sure don’t want them looking at the data on my biometric passport or contactless credit card. No sir-ee Bob. That’s why I’m buying a wallet that comes complete with multiple layers of radio frequency shielding material woven into the fine Italian leather body.

It’s not even April 1st, is it, and here I am writing about buying a firewalled wallet, can you believe it? And it’s true, these things do exist: a Californian company called Kena Kai is knocking out a range of wallets with a built-in firewall under the DataSafe brand. They cost about the same as any other leather wallet, a lot less if you compare them to designer brands, and don’t look like they have been designed by an acne-ridden nerd called Nigel either.

Do I really think that anyone is going to try and steal my identity by scanning me as I walk past (within around 6 metres, the effective range of most ‘skimming’ devices) on the off chance I have some new-fangled RFID-powered credit card or am carrying my biometric passport around Tesco for some reason I cannot currently think of? No, as it happens, I don’t. Not least because I don’t have a biometric passport or an RFID credit card.

But you know what, given the choice between a boring old wallet and a super-nerdified firewalled wallet, the latter will win every time as far as I am concerned. Just think about the bragging rights at parties…


 

Dumbass research: losing data is stressful

By Davey Winder in Editorial

Posted in Data Protection on May 20, 2010 at 9:59 am


It must be a slow news month, as I find myself reading a press release which informs me in a big and bold headline that “RECOVERING LOST DATA STRESSFUL FOR IT MANAGERS”. No shit Sherlock. I guess things could have been worse had it been put through the Daily Mail Headline Generator which would likely have spewed out something along the lines of ‘Data Loss Linked to Increased Heart Attack Risk’ or similar.

So what was the meat of that press release, which unsurprisingly came from the desk of a backup and recovery software outfit (Acronis), and promised to reveal the results of in-depth research into the stress levels of IT managers exposed to the disaster recovery process? Well, the sub-headline splash was that 44 percent of IT managers find recovering lost data stressful. Have I already said no shit Sherlock?

The only great surprise there is that the number isn’t larger, a lot larger. Sure, you might argue that it’s relatively low because the majority of IT managers have already implemented a solid data backup and recovery solution. However, if my experience is anything to go by, even under those pre-prepared circumstances I would be sweating bullets while I wait to see whether the thing has actually worked properly and reinstated all the missing data or not.

Acronis reckons that one of the main sources of stress was ensuring the CEO’s data was properly protected, with 29 percent of those asked rating the stress of losing that data as equivalent to forgetting a passport when they get to the airport or being late for a job interview. Seems to me that they don’t actually care that much about whether the CEO has his or her data or not, then. Otherwise they would be comparing it to things such as being a bomb disposal soldier in Helmand Province or waiting for the Tax Inspector to arrive for a look at your books.

Seriously, that was one dumbass press release. Mind you, I have reported upon it, and provided it with the publicity that it was designed to achieve, so maybe it was actually a very clever press release that was disguised as a dumbass one?

And in other news: a PR company sent me an email inviting me to attend a press conference and addressed it to Stevie Wonder instead of Davey Winder. Apparently it wasn’t an error, but an attempt at humour which wasn’t meant to cause offence. That’s OK, none was taken. I replied with an email that simply stated “I just called, to say, I won’t be attending your press conference. And I mean it from the bottom of my heart”.


 

Are the Scottish crap at online security?

By Davey Winder in Editorial

Posted in Twitter, Data Protection, Blog, Facebook, Security, Internet on May 18, 2010 at 11:06 am


Newly published research from Ofcom reveals many things: 80 percent of adults in the UK will only share social networking data with friends and family, only 30 percent think that Internet information is reliable compared to 50 percent for TV and radio, and the Scottish are pretty crap when it comes to online security stuff.

The Adult Media Literacy report is encouraging in many respects, not least as it does show a trend towards security awareness amongst most UK Internet users. That figure of 80 percent of adults being happy to share their social networking data with friends and family only, for example, is way up from the 48 percent who said the same in 2007.

It’s not all good news though, with a quarter of Internet users admitting that they lacked confidence when it came to installing filtering software and configuring security features. This despite the security vendors going flat out to develop more user-friendly fire-and-forget products. Obviously a lot more work needs to be done to make security solutions truly user friendly, and I suspect that much of that work needs to be at the educational rather than the interface level. The trade-off between usability and security is such that users have to make the choice of how granular their defences are themselves; leaving it to software inevitably leads to a broken online experience in some way, shape or form. If the user doesn’t properly understand the implications of the choices they make then they will never get that balance right. Simply telling someone to default to ‘allow nothing’ is about as useful as scaffolding made from jelly.

However, I digress, back to the ‘it is not all good news’ thing: while the UK national trend for understanding online security issues is up nicely, one part of the country does seem to be lagging behind somewhat. Yes, I’m talking about you Scotland.

The report reveals that adults in Scotland are the least likely overall to worry about entering their personal data online, and some fifty percent of Scots are happy to enter their home address details on the Internet, compared to just 23 percent in Wales and Northern Ireland for example. This is despite Scottish adults being the biggest home users of the Internet in the UK, on 10.6 hours per week each on average, compared to 8.3 hours in England and 6.8 hours in Wales. Scottish users also account for the biggest percentage of social networking users, with 49 percent having such profiles compared to 46 percent in Wales, 44 percent in England and just 31 percent in Northern Ireland.

So there you have it, proof that the Scottish are crap when it comes to online security - at least in comparison to the rest of the UK.

I guess I had better batten down the hatches now then and await a virtual Glasgow kiss or three…


 

An iPhone 4G could be more costly than you think

By Davey Winder in Editorial

Posted in Data Protection, phishing, Twitter, Spam, Security, Mobile Phones, Apple on May 13, 2010 at 8:00 pm


Ever since Gizmodo broke the news about that iPhone 4G that was left in a bar, it seems everyone wants to know more about the next generation Jesus Phone from Apple. But at what price?

How does free grab you? Well, that’s the promise that’s been spotted by security experts Sophos appearing in both Twitter and email-based spam scams. An email is doing the rounds which offers the (un)lucky recipients the opportunity to test and ultimately keep an iPhone 4G. This despite the fact that it has yet to be released, and Apple has yet to officially say anything about it other than ‘give us our prototype back’. The scam, of course, is that anyone wanting to sign up for the free testing deal has to hand over personal information in order to do so, and the spam is really just a clever phishing exercise.

The Twitter scam is equally sinister, using the accounts of apparently sexy young women to offer free iPhone 4G handsets for users who click on a promotional link. A link that, of course, takes them to a personal data harvesting website.

As Graham Cluley of Sophos says, “some internet users might blindly hand over their personal information in the belief that they will get a preview version of what will be one of 2010’s hottest gadgets”. I’d take issue with that statement, in that there is no ‘might’ about it and some users will, for sure, do just that. Be it as a result of living in a freebie society where people happily expect to get something for nothing, or maybe it’s the effect of junk food on the brain, but there are certainly plenty of people who will fall for this scam.

While I don’t imagine for a minute that the average IT Pro reader falls into this bracket, it might be worth letting your friends and family know that the price of an iPhone 4G right now is just too high to be worth risking that mouse click upon.


 

The UKIP approach to data security

By Davey Winder in Editorial

Posted in Cloud, Business, Data Protection, Government, Security on April 15, 2010 at 1:48 pm


Just how much does the average Brit hate Europe? Ask them about data security in the cloud and you’ll find out.

Size does matter, and the bigger it gets the harder it becomes to remember where you put it. I’m talking about data storage and the data stored within it, in case you wondered. The findings of a poll published by the Business Software Alliance (BSA) on its third European Cyber Security Awareness Day in Brussels reveal that the majority of European citizens not only don’t know where their online data is being stored but they are less than certain whose job it is to protect that data, wherever it may be.

I kind of know the feeling. I have plenty of network attached storage, so much that only a few years ago I would have had to have been Bill Gates to afford it. I even have my own personal cloud thing going on courtesy of the rather nifty Pogoplug which I like to think of as my little bit of pink Linux data fluffiness. However, the fact that I have huge amounts of data stuffed onto huge amounts of storage doesn’t mean I know where it is. Indeed, if it were not for some seriously smart local search software I’d never remember exactly where I put anything, especially if I had put it there a few years ago. Documents are not a problem, I know where they are as I keep a copy of everything I write on a heavily encrypted USB stick which I carry with me at all times, with a further encrypted back up stick stored away for good measure.

Luckily, I also know where the buck stops when it comes to securing all the data: that would be with me. I run my own business, so it’s my responsibility to look after the data it generates and to do so in a secure fashion. But what about data generated about you by someone else, and stored ‘in the cloud’ as everyone, including my elderly mother, likes to say these days? Back to that BSA survey: 60 percent of those asked didn’t actually know what ‘in the cloud’ means, including my mother had she been asked, funnily enough. What’s more, 1 in 5 were unaware whether their personal data was being held there or not.

What two thirds did know, or at least agree upon, was that responsibility for securing data held ‘in the cloud’ lay outside the businesses that actually use the data. Most agreed that there was a need for some kind of international handling of cyber security rather than an individual national approach to the problem. Spain on 77 percent and Poland on 74 percent were most enthusiastic about an international approach to data security, with most other Europeans being broadly in agreement with the concept. Apart, that is, from us Brits. Despite recent calls by the House of Lords for just such greater involvement by the EU and increased cooperation with NATO on matters of cyber security, only 46 percent of us increasingly isolated islanders thought it was a good approach.

The BSA is preparing a global cyber security policy framework to guide this notion of international cooperation to secure the online environment, and its senior director of government relations, Francisco Mingorance, insists “most Europeans are looking for global leadership and collaboration to protect their personal information from hackers and cyber criminals”. I guess that most Brits just don’t consider themselves to be European, at least when it comes to online data security matters. Either that or the BSA just happened to be questioning a bunch of UKIP supporters.


 

How leaky is your data?

By Davey Winder in Editorial

Posted in Business, Data Protection, Security on April 12, 2010 at 11:19 am


What are you doing to plug potential data leaks? New research suggests that it might not be enough, if you are an average IT manager.

Call it what you like, Data Loss Prevention or Data Leak Prevention technology, but there seems to be no ignoring DLP these days. Of course, some might argue that DLP is nothing new but rather just a marketing exercise in repackaging existing technologies in order to shift them as some new ‘magic bullet’ security solution. Last year a survey by IDC revealed that 92 percent of the enterprises asked had either already got a DLP model in place or were planning on implementing one before the end of this year. The introduction of punishing new powers for the Information Commissioner’s Office regarding data loss, with fines of up to £500,000 for those found to be neglectful in the light of a data breach, only helps to focus attention on DLP.

All of which is good news, surely? Well, you might think so, but a new independent survey by Vanson Bourne of 200 IT decision makers into the real-world penetration of DLP suggests otherwise. It reveals that 38 percent of respondents are failing to actually deploy DLP solutions in the form of device control, endpoint DLP or DLP appliances. When attention turned to the small and medium business sector the numbers plummeted further, with some 54 percent failing to act.

Digging into the detail reveals further dodgy data practices, such as the fact that, despite the use of personal smartphones within the business environment, only 48 percent of those who had deployed a DLP solution had actually bothered to control data synchronisation between employees’ computers and those smartphones. What’s more, only 26 percent were controlling printed document data, even though a recent Ponemon Institute study suggested this was one of the most popular channels for stealing corporate data.

When it comes to action being taken to prevent data leakage, 77 percent reckoned that they monitor webmail and social networking activity of employees, and only 8 percent thought that privacy concerns should be an obstacle to enforcing security.

“The fact that many organisations are still failing to adequately address data leakage prevention is concerning. However, the increasing integration of endpoint content filtering and device control technologies, as well as the growing popularity of complete content-aware endpoint DLP solutions, should help to address this” said Sacha Chahrvin, UK Managing Director of DeviceLock, who continued “IT departments are becoming acutely aware of the need to keep costs arising from highly resource intensive processes – such as security compliance auditing, incident investigations, and forensic analysis – to a minimum. Affordability and ease-of-use clearly remain significant barriers of entry for those responsible for protecting organisations’ data, especially amongst small to medium sized businesses”.


 

Could your insecurity cost your boss half a million quid?

By Davey Winder in Editorial

Posted in Business, Data Protection, Security on April 8, 2010 at 10:00 pm


The answer is, as from the start of this week, a bloody big YES. Although, according to a survey by Cyber-Ark, some 65 percent of people are ignorant of the fact, the Information Commissioner’s Office has been granted new powers which came into effect on April 6th, and these allow for fines of up to £500,000 if a business has insufficient security in place and this leads to a ‘deliberate or negligent’ breach of personal data.

The study of some 500 city workers uncovered an amazing level of ignorance amongst employees regarding the fines and the Data Protection Act rules which could lead to them. The fact that 65 percent said nothing had ever been mentioned to them could leave directors up to their neck in the smelly stuff in the event of a breach. The ICO reckons that it will certainly consider whether a breached organisation has taken ‘reasonable steps’ to prevent it from occurring.

Interestingly, some 71 percent of respondents reckoned that after they had been made aware of the financial implications to their employers they would be more careful when it comes to data handling. So maybe if you haven’t done so already you should be getting a memo out to all staff ASAP.

Especially if, as was the case with 64 percent of those asked, your employees carry customer data around with them on mobile devices. 38 percent of them admit that the data is protected by sweet FA, only 50 percent have even a password, and just a measly 12 percent use encryption of any kind.

Adam Bosnian, vice president of products and strategy for Cyber-Ark Software, says “people increasingly understand the need to protect their data, but for some reason it’s not always top of the CISO’s priority list – and it should be. We have been blown away by these findings, especially to discover that, with a £500,000 fine hanging over UK directors as of the 6th April, workers are walking about with unprotected customer records. Education is one piece of the puzzle in making sure that those people who do have access to privileged data are responsible with it and recognise the vital role they play in an organisation’s compliance obligations. Organisations also need to control privileged users and accounts to protect sensitive information, such as customer data, from navigating its way into the wrong hands”.


 

Is business ready for the iPhone?

By Davey Winder in Editorial

Posted in Data Protection, Business, hardware, Mobile Phones, Security, Apple on March 28, 2010 at 12:42 pm


You might think that, given the sheer number of business applications available for the iPhone, the answer is a resounding yes. However, it does rather depend, of course, on how you approach the question in the first place. If you enter the question arena from the door marked security then things take on an altogether different light. I have lost count of the number of security consultants who have been warning that one of the biggest dangers facing the average enterprise, in terms of data loss and security impact potential, is that posed by the rise of the smartphone.

Take the recent survey conducted by endpoint data leak prevention outfit DeviceLock, which took over seven months to compile. It asked more than 1,000 businesses whether they had taken any steps to secure themselves against the security threat of iPhone usage. Less than 40 percent could confirm that they had, with an alarming number of people admitting that any iPhone threat is most definitely treated as a back-burner security issue right now. In Western Europe and North America things were even worse, with 75 percent currently ignoring the iPhone security threat. Compare and contrast with Eastern Europe, Middle East and Asia Pacific businesses, where close to 60 percent had taken action already.

“While this website-administered poll has inherent limitations, the results do suggest that the iPhone threat to data security is being generally underestimated” said Ashot Oganesyan, DeviceLock CTO and Founder, who concludes “the variation in how the well-developed IT markets of the West view the iPhone threat versus the emerging IT markets of the East may be because Enterprise IT planners in the West are relying on the already-entrenched vendors, such as RIM and Microsoft, to ‘have their backs’ and not introduce such a device without the necessary security hooks in place for device-related policy enforcement and encryption”.

Whatever the case, history shows us that the most effective enterprise strategy for dealing with any mobile media is simply to establish clear policies with regard to these new devices and enforce those policies using whatever tools are available. It ain’t rocket science, but without it I fear that the continuing use of iPhones (and other smartphone devices) within the enterprise could quickly see iPhone security become a stellar security problem.
