   
Davey Winder's Blog

Data protection? Just do the math

By Davey Winder in Editorial

Posted in Business, Data Protection, Security, email on February 21, 2010 at 9:36 pm


I hate doing the math when it comes to data protection, not least because the end user security sums just don’t add up more often than not. Case in point would be a survey regarding data theft and email usage from InvisiViewmedia which has just landed on my desk. This claims that 98 percent of employees think it is “vital to protect confidential information” yet at the same time reveals that a worrying 30 percent quite happily send that confidential information unsecured in the body of an email or as an unencrypted attachment.

If those sums make you barf, wait until you get a load of this. This same survey also asked if people were worried that their sensitive and confidential data might get into the wrong hands. Now given that we live in a fairly data security-aware world these days, courtesy of so many high profile cock-ups making the mainstream news broadcasts and newspapers, you might think that the numbers would be high in favour of those who were really concerned about the prospect. But, alas, no. The math shows that 46 percent did worry but thought there really was no alternative, and 25 percent claimed that the “risk of a security threat is too small” to even worry about. But wait, here’s the really screwed up bit: 13 percent were actually quite willing to take the risk of loss.

Jan Gunner, a director at InvisiViewmedia comments “Considering how clued-up most businesses are today when it comes to the very real threat of data interception, it is quite alarming to discover quite a complacent attitude in terms of securing confidential information. More interesting is the belief that there is no alternative to sending such data securely and this is something we are very keen to educate businesses on”.


 

Take this spam to Cuba

By Davey Winder in Editorial

Posted in phishing, Blog, Spam, Security, email on January 20, 2010 at 11:40 am


It used to be the case that the word ‘hijack’ immediately drummed up visions of terrorists and airplanes, special service soldiers storming in with machine guns blazing. That sort of thing. The truth today is a lot less exciting, but still rather dangerous. When I hear the word hijack I think of spam.

Either of the sort that scumbags use when they latch on to the important story of the day and hijack that news to spread spam and malware, such as has been doing the rounds most recently with the Haiti earthquake.

Alternatively, and proving to be even more problematical, is spam that contains a hijacked IP. Symantec warns that this kind of hijacked spam, which is also known as ‘dotted quad’, has risen significantly in the last month.

Indeed, one December attack alone, on Christmas Eve at 2pm, apparently resulted in a quarter of the world’s spam containing hijacked IPs. Blimey! Symantec reports that this type of spam has increased threefold when compared to rates during November 2009.

This shouldn’t be a problem, to be honest, but unfortunately while the online world continues to be populated by link clicking idiots it will be.


 

Death, Taxes and Botnets

By Davey Winder in Editorial

Posted in Blog, Spam, Security, email, Internet on September 30, 2009 at 9:45 am


If Benjamin Franklin were alive today I’m pretty sure he would amend his famous “…in this world nothing is certain but death and taxes” line to include botnets. Every single day, some 150 billion spam messages are distributed by botnets and, like death and taxes, no matter how hard we try nothing seems to be able to prevent botnet growth. Well, almost nothing.

With botnets now being responsible for some 88% of all global spam by volume, and the computers of those unsuspecting folk which contribute to the botnet collectives being at risk of an assortment of auxiliary security and privacy compromises, something has to be done. That much is obvious. According to the latest Symantec MessageLabs Intelligence Report, that something has been the closure of hosting outfits that it describes as ‘rogue Internet Service Providers’ such as McColo, PriceWert and Real Host. These closures came after a four month investigation by the Washington Post which forced the suppliers of their connectivity to take action.

At the time of the McColo takedown, late in 2008, the impact was felt almost immediately. IT Pro reported how during the first 12 hours following the pulling of the plug, spam volumes dropped by as much as 70%, and how those spam volumes remained low for a few weeks. However, within a month security researchers were seeing a steady climb in spam activity as the botnets found new homes for their command and control centres. By the start of this year, Mega-D had come back from the dead and was responsible for around half of all the spam flowing through security honeypots. Other botnet brands, if you can call them that, such as Cutwail and Srizbi have also hit that 50% figure at their peak.

But, as the new Symantec MessageLabs report reveals, botnet trends come and go like the seasons. Srizbi has vanished from the spamming scene entirely it would appear, and Mega-D has been shrinking in size so rapidly that it is now only one tenth as big as it was in June in terms of compromised computers. That does not mean that Mega-D is no longer a player, of course; in fact it is putting the bots it does have left to work at a far harder pace and is churning out spam at a rate per minute that can only be beaten by a relative newcomer called Bobax. Depending on your point of view Bobax either sounds like a cuddly teddy bear or a nasty disease. I favour the latter, especially when the spam output per compromised computer is claimed to be the highest that MessageLabs has ever seen. Currently, Bobax is responsible for some 15.7% of all global spam by volume. That still falls short of another new name, Grum, which is apparently churning out 23% of global spam right now, having ramped up the output per bot significantly since the summer.

The largest botnet if measured by the number of compromised computers under its direct control would have to be Rustock, claiming anything up to 1.9 such PCs. In sheer botnet size terms it has grown to double what it was at the start of the summer. Yet in terms of actual spam output it is struggling against the competition. Researchers insist that what sets Rustock apart from the rest is the ‘highly automated cycle of spamming activity’ it displays, with spam output accelerating from 8am (GMT) and peaking at noon. The newest of the major botnets to watch is Maazben, a casino only spammer at the moment but one which is growing at a rapid rate (up from 0.5% of global spam to 1.4% in just a few weeks) recently without increasing the spam output. This suggests it could be getting ready for a move into other spamming markets soon.

“Over the past year, we have seen a number of ISPs taken offline for hosting botnet activity resulting in a case of sink or swim and an ensuing shift in botnet power,” said Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec. “This has undermined the power of the more dominant botnets like Cutwail and cleared the way for new botnets like Maazben to emerge. However, this won’t always be the case as botnet technology has also evolved since the end of 2008 and the most recent ISP closures now have less of an impact on resulting activity as downtime now only lasts a few hours rather than weeks or months as before.”


 

Bouncing spam rises by 2000 percent

By Davey Winder in Editorial

Posted in Blog, Spam, email on September 14, 2009 at 1:00 pm


When you send an email to an address that doesn’t exist or to a server that is having trouble delivering it, you get a Non-Delivery Report back. Spammers have been exploiting these bounce messages for a while now, as a way to get around spam-filtering measures. However, last month saw NDR spam hit an all time high with 20% of all spam messages using the trick. That’s a rise, according to security specialists PandaLabs, of no less than 2000% when compared to the number of different NDR spam samples seen between January and June this year.

It is a clever technique, and obviously one that works or the spammers wouldn’t waste their time and money exploiting it. The point being that the bounce messages themselves are more often than not genuine, with the server function being exploited to distribute the spam (sent as an attachment to the bounce notice) using the sender’s real name.

Now I know I have upset readers in the past by calling them morons for clicking on spam links in email, but this time I will let you off as it’s a rather different kind of spam trickery being employed. Go on, admit it, curiosity often gets the better of you when you get a bounce message and you open the thing to see who it was you sent mail to that has not arrived. Right? Even if you have not sent that mail in the first place, and don’t recognise the email address. Indeed, the fact that you don’t recognise the address plays in the spammer’s favour making the recipient even more likely to take a sneaky peek.

According to Luis Corrons, technical director of PandaLabs, “there is presently no consensus on whether NDRs are a technique to evade anti-spam filters or a collateral effect of dictionary attacks; either way, this technique is now among the most widely used. These waves of spam are usually generated through botnets (infected PCs controlled by attackers to launch spam, etc.). Since most NDRs are legitimate emails and, part of the mail server functionality, many traditional anti-spam techniques did not detect or block them up until now”.


 

Just stop it, you spam-loving moron!

By Davey Winder in Editorial

Posted in phishing, Blog, Spam, Security, email on August 10, 2009 at 10:30 am


No, seriously, please stop. Yes, you. New research suggests that one in every six people click on spam. I don’t, and I’ve asked the four other people in the office if they do and they say no as well. So it must be you.

According to the Messaging Anti-Abuse Working Group (MAAWG) the people who do click are doing so because they are “curious” although I prefer to think of them as just being morons. It does not take a genius to work out that the more spam gets those click-throughs then the more spam will be churned out, often directly to the link-clicking morons in question. It only requires a small spark of common sense to realise that the same spam links can often lead to more than just an offer of some fake Viagra, and the curious clicker gets added to a botnet for good measure.

Yet the MAAWG survey results suggest that 80 percent of users doubt their computers were at risk of bot infection. Morons. Especially when the security industry is, with alarming regularity, revealing exactly how much of the spam that we get is actually being distributed by spambots. MessageLabs Intelligence, for example, recently stated that the Donbot, Cutwail and Mega-D botnets were sending up to 21 billion spam messages each day.

Disturbingly, two-thirds of the consumers surveyed considered themselves “very” or “somewhat” knowledgeable in Internet security.

“Spamming has morphed from an isolated hacker playing with some code into a well-developed underground economy that feeds off reputable users’ machines to avoid detection. Consumers shouldn’t be afraid to use email, but they need to be computer smart and learn how to avoid these problems” said MAAWG Chair Michael O’Reirdan.

The complete 60-page survey report, “A Look at Consumers’ Awareness of Email Security and Practices or ‘Of Course I Never Reply to Spam, Except Sometimes’” includes graphs, detailed findings and analysis, and it’s downloadable from MAAWG free of charge.


 

Has Google gone insane as GMail goes back to beta?

By Davey Winder in Editorial

Posted in Blog, email, Google on July 8, 2009 at 10:45 am


There was a huge fanfare of media attention yesterday as Google proudly announced that one of the longest beta tests in software history, well it certainly felt like that, had finally come to an end. Yes, the GMail webmail application that was launched on April Fool’s Day way back in 2004 has finally emerged from its beta status. So why has it gone straight back into beta today?

Apparently not everyone is comfortable with losing the beta sticker from their GMail service, it makes them feel a little uneasy or something. So those obliging people at Google have added a ‘Back to Beta’ configuration setting for the app, under the GMail Labs tab, which according to the description that accompanies it “soothes the soul by putting the familiar beta sticker back on the Google Mail logo.” Sigh.

Meanwhile, back in the sane world, Google seems to be admitting that the decision to remove the beta tag from Google Mail was taken to appease the business customers who feel uneasy buying into the whole Google Apps thing when there’s a bloody great big ‘Beta’ sticker on one of the key parts. So maybe we haven’t escaped the insanity after all.

Matthew Glotzbach, Director, Product Management, Google Enterprise explains “Ever since we launched the Google Apps suite for businesses two years ago, it’s had a service level agreement, 24/7 support, and has met or exceeded all the other standards of non-beta software. More than 1.75 million companies around the world run their business on Google Apps, including Google. We’ve come to appreciate that the beta tag just doesn’t fit for large enterprises that aren’t keen to run their business on software that sounds like it’s still in the trial phase.”


 

Is the eDisclosure time bomb about to explode?

By Davey Winder in Editorial

Posted in Business, Data Protection, email on May 20, 2009 at 10:44 am


Freedom of information is pretty big news right now, just ask your local MP. But have you thought about your own situation with regards to eDisclosure for your business? According to new research by information risk management outfit Recommind, nearly half of UK enterprises have experienced an increase in eDisclosure requests during the last year.

OK, so you might not have to worry so much about revelations of money spent on cleaning your moat or ‘flipping’ half a dozen London flats in a year, but the small matter of the identification, preservation and collection of electronically stored information for regulatory and internal investigations and law suits has the potential to become a big problem nonetheless.

Recommind tells me that despite the number of businesses getting more and more eDisclosure requests, two thirds of UK organisations can muster no more than five percent of their IT budgets to address the issue. Some 90 percent are under the 10 percent of total budget spend boundary when it comes to provisioning properly and preparing for the almost inevitable eDisclosure time bomb to explode.

The figures are not altogether surprising, given that the same research suggests that most IT directors could pretty much care less. Most rated it as their lowest priority, an oversight that might just come back and bite them on the arse it would seem to me. Simon Price, a Recommind director, also shares this feeling.

“The problem is that eDisclosure is still seen as an American problem and for many UK companies, this is all the excuse they need to sweep it under the table” Price told me, adding “the reality is that this is a problem facing UK businesses and if the upwards trend continues, before long we’ll see firms over here subject to the same level of scrutiny as their US counterparts.”

Why should you care? Well how about the financial penalties or even brand damage through reputational loss. The problem as far as I can see comes down to the basic misunderstanding of the place of eDisclosure within a business, and the responsibility held for dealing with it. Most companies put that responsibility with regards to budgeting and decision making on the IT department, yet it is legal that ends up making the final eDisclosure decisions at a quarter of firms. And how much budget share does legal get? On average, less than 14 percent.

“There’s a danger that the IT team won’t necessarily recognise and fully comprehend which information should be preserved and disclosed, and which can be discarded” Price says, concluding “the legal department will be experts on this side of things, but they need the IT team to help ensure any technology processes and systems are accurate and up to the job.”

Recommind recommend (S’OK, this is not a tongue twister folks) the following to help prepare for when that eDisclosure bomb explodes under your business:

  • Make sure IT and legal departments work closely together to prepare for eDisclosure requests – each department must have a clear understanding of their respective roles in order to meet regulatory challenges

  • Ensure that businesses can consistently and comprehensively respond to eDisclosure requests – in order to reduce the risk of data destruction or alteration, procedures typically only allow a brief window in which to identify, preserve and collect data

  • A single lawsuit can result in the production of more than one terabyte of material (the equivalent of 75 million pages) so it’s essential that firms invest in solutions that can automatically locate and categorise the appropriate data – if not, the process can be extremely time consuming, subject to human error and costly as such

  • Email constitutes the bulk of all electronically stored information in a typical law suit or regulatory investigation – companies should implement and enforce clear email policies, as well as a comprehensive, automated categorisation and legal hold system. This will also help boost employee productivity and lower IT costs

  • Bring eDisclosure in-house – invest in a toolset that can find, preserve and collect data while also removing the need for expensive, time-consuming third party providers.


Announcing the ‘CC Jacqui Smith all your email’ campaign

By Davey Winder in Editorial

Posted in Data Protection, Blog, Security, email, Internet on May 3, 2009 at 8:34 pm


Big Brother Britain is ever in the headlines, first with the news that the Home Secretary was planning a central database of every email sent, every mobile phone call made and every website browsed. This was swiftly followed by the denial, by the announcement that the Government was not planning any such central database at all. Instead, Jacqui Smith insisted that these plans had been scrapped and would be replaced by lots of smaller databases to be maintained by individual Internet Service Providers at a cost of some £2 billion over the next 10 years. Of course, these databases will inevitably be linked and therefore easily searched as one by The Powers That Be, so it’s not exactly a U-turn of David Blunkett proportions.

Now comes the revelation that GCHQ, the super secret Government spy centre which everyone seems to know about anyway, is developing a £1 billion ‘Mastering the Internet’ technology which will do pretty much what it says on the tin: monitor and intercept every email sent, telephone call made, website visit and social network interaction. The Sunday Times says that a “huge room of super-computers will help the agency to monitor — and record — data passing through black-box probes placed at critical traffic junctions with internet service providers and telephone companies.”

While the Government is sticking to the ‘nothing to worry about here’ line by insisting that they will not be snooping on the content of any message but rather are merely interested in simply monitoring who is communicating with whom in order to help prevent crime and acts of terrorism, I would like to propose that we help them go the whole 10 yards and have full access to our email conversations at least.

So why don’t we just CC Jacqui Smith into every single email we send? I am sure that the Home Secretary will be able to find the time to sit down and read through them all, just in case we are talking to someone we shouldn’t be or saying something that could be deemed problematical. Better safe than sorry, and after all it is only a matter of doing one’s duty for Queen and country, and rather than cost us a couple of billion the Home Secretary, with her large expenses claims, could cover the cost of reading them all herself.

Oops, I nearly forgot: if you want to CC Jacqui Smith into all your emails you will need her email address.

smithjj@parliament.uk


Hacking Jack Straw

By Davey Winder in Editorial

Posted in Data Protection, phishing, Blog, Security, email, Internet on February 25, 2009 at 12:02 pm


As phishing messages go, it was never likely to be the most successful. A high ranking member of the British Government asking his friends for 3000 bucks because he had lost his wallet while abroad? I don’t think so.

Yet that is, it would appear, exactly the email that hundreds of people in the address book of former UK Home Secretary and current Justice Secretary The Right Honorable Jack Straw MP have found themselves on the receiving end of. The United States may well be the phisher kings but Nigerian scammers would seem to be doing OK in the UK.

According to the Telegraph Jack Straw has confirmed that he “started getting phone calls from various constituents asking if I was really in Nigeria needing 3,000 dollars.”

However, the Justice Secretary is quick to play down the potential national security implications of his email account being hacked. The messages appear to have been sent from his Blackburn constituency account rather than his Westminster Government one.

That said, the emails did go to Ministry of Justice officials, council bosses and Labour Party members as well as his Blackburn constituents.

Straw told the newspaper that there were no Justice Ministry security issues as this was “an issue for constituents, not the Government.”

Still, it remains a highly embarrassing incident for the man who established the National Hi-Tech Crime Unit as Home Secretary some eight years ago, with a specific remit to crack down on Internet crime including hacking. Not forgetting that the NHTCU website itself now sells holidays, after the unit was absorbed into the Serious Organised Crime Unit but nobody thought it prudent to hang on to the NHTCU.org domain for safe-keeping.

Graham Cluley, senior technology consultant at Sophos, reckons that “You have to wonder if the hackers broke into Jack Straw’s mailbox in a similar fashion to the attack used on Sarah Palin’s Yahoo account last September, where cybercriminals reset passwords by guessing the answers to secret questions.”

Or maybe, like most people, he just used an easy to guess password? Whatever, I am intrigued that there has been no official comment from Jack Straw with regard to the seriousness of hackers potentially having access to his email archive and all that could entail.


Spammers are in a world of hurt

By Davey Winder in Editorial

Posted in Blog, Spam, email on November 20, 2008 at 12:58 pm


I once wrote that “Spam is annoying, resource consuming, malware driven and often offensive” and still hold that opinion. There was a time a few years back when I would have said that spammers were immortal when viewed as an industry, it simply could not be stopped. Now, I would simply say that spammers are vulnerable.

In October I noted that the once King of Spam was dead as the Storm Botnet had apparently stopped producing any spam at all. Of course, having been around this business for a long time now, it was obvious that the death of one player does not equate to the death of the industry. Indeed, I warned at the time that there were “plenty of young pretenders ready to wear the junk mail crown.”

The interesting thing is how recent events have played out with it being reported just last week that the takedown of a single web hosting service thought to be responsible for enabling as much as 75 percent of the spam on the planet, meant that spam was pretty much dead in the water. Indeed, during the first 12 hours following the pulling of the McColo Corp plug spam volumes did drop dramatically. As much as 70 percent less volume being recorded by the likes of MessageLabs for example.

What is more, one week on, and spam volumes have still not returned to the same levels as before the takedown. Things really are not smiley and happy in spam-land right now. Shame.

You just cannot downplay the importance of the McColo spam factor, it hosted the command and control infrastructure for three of the world
