Davey Winder's Blog

201 new security vulnerabilities

By Davey Winder in Editorial

Posted in Blog, Security on June 30, 2010 at 6:17 pm


The sun may well be shining but, as far as IT security is concerned, the summer has got off to a pretty poor start. According to the Fortinet Threat Landscape report for June, which has just been published, the FortiGuard Labs covered 201 new vulnerabilities this period. I’ll repeat that: more than 200 NEW vulnerabilities in the space of a month, and that’s nearly double the number from last month. Of these, some 71 (or 35% if you prefer) were being actively exploited by the bad guys before the month was out.

Some so-called security trend reports are little more than crystal ball gazing, to be honest, but I tend to take the FortiGuard Labs one more seriously as it is compiled using threat statistics and trends based on data collected from FortiGate network security appliances and intelligence systems out there in production worldwide.

This reveals that in the space of one month there have been four Flash and Excel vulnerabilities (all disclosed and patched in the same period), a hit-and-run attack for the Internet Explorer HTML Object Memory Corruption Vulnerability (CVE-2010-0249) which first surfaced in January 2010 and was used in the Aurora attacks, as well as some nefarious activity by the Sasfis botnet.

“We observed Sasfis loading a spambot component, which was heavily used to send out binary copies of itself in an aggressive seeding campaign” said Derek Manky, project manager, cyber security and threat research, Fortinet. “The Sasfis socially-engineered emails typically had two themes; one looked like a fake UPS Invoice attachment, and the other was disguised as a fees statement. Much like the Pushdo and Bredolab botnets, Sasfis is a loader - the spambot agent is just one of multiple components downloaded.”

Then there has been the malicious JavaScript code which, in terms of malware, was the only detection that topped those botnet binaries. Obfuscated JavaScript code identified as JS/Redir.BK showed a surge of activity on June 12th and 13th, redirecting unsuspecting users to various legitimate but compromised domains. These hosted an injected HTML page named z.htm and circulated through an HTML attachment in spam emails.

“There is no doubt that JavaScript is one of the most popular languages used today for attacks” Manky warns “it is used in a growing number of poisoned document attacks (PDF), particularly with heap-spray based techniques. It’s also used to launch exploits, and it is popular as a browser redirector to malicious sites, since the JavaScript code can be obfuscated and appear to be more complex than traditional IFrame based attacks from the past.”


England World Cup defeat a blessing in disguise (for security pros)

By Davey Winder in Editorial

Posted in Data Protection, Twitter, Blog, Security on June 28, 2010 at 12:59 pm


I’m no football fan, I’ve made that clear enough this last few weeks. However, while I don’t like to see the national team humiliated in the way they were by Germany over the weekend, I can’t help but feel that the 4-1 drubbing might just be a blessing in disguise as far as Internet security is concerned.

It’s OK, I’ve not gone totally mad and entered into some strange realm of hugely tenuous links; I’m actually quite serious about this. The football World Cup is one of those relatively rare events that tick pretty much every box that your average spammer, scammer and Internet bad guy can look for in a current event to latch onto. It is not only big news, but it’s big news all over the globe. What’s more, it’s the kind of big news that stirs up national pride and gets huge swathes of the online population talking about it, arguing about it and, most importantly, reading about it. The World Cup is, in other words, a malicious link poster’s wet dream.

As I mentioned recently, 25 percent of all global spam is currently related to the World Cup and much of that will contain malicious linkage. Although I have no actual figures to shore up my next argument, I’m going to stick with it based purely on the sheer number of emails that have been passed my way and the off the record conversations I’ve had with security researchers: Many of those malicious links and the messages that spread them relate to the damn vuvuzela.

There, I’ve said it. The hugely annoying plastic trumpet that nobody can play, unless it is meant to sound like a Wookiee with toothache that is, has been the second most dominant news force of this World Cup, after the fact that England cannot play of course. Which means that the malware authors love it, as the latest attack shows: it uses Twitter to spread a message which simply reads “OMG! Vuvuzela banned!” along with some hashtags to help spread the word (#worldcup and #vuvuzelabanned) and, of course, assorted malicious links. According to Andrew Brandt at Webroot, the tweets use different link shortening services to mask the destination of these links, a bogus image hosting site called Image Sheep, and while you are there, in the background, your PC is herded into a botnet.
Brandt warns “there is a real image hosting service by the same name, but the real Image Sheep is registered elsewhere and hosted in an entirely different network than these fake Image Sheep clones”.

The multiple payloads at the fake site appear to include the receipt of stolen user data batches which are used to login to Twitter and Facebook amongst others, another “contains scripting that adds an entry with details about the victim’s computer into a MySQL database” and this reports on “the number of infected users, the rate at which people infect themselves, and the clicks to various parts of the page”.

As I say, the good news for those of us in the UK at any rate is that I suspect these kind of exploits will be a lot less effective now that England has been knocked out of the World Cup and general interest in the competition wanes. Strangely enough then, I think we should all be thanking the Germans for doing us a favour…


This geek hates the World Cup

By Davey Winder in Editorial

Posted in Blog, Spam, Security on June 22, 2010 at 7:33 pm


There are many reasons why I hate the World Cup: it’s football (and not the proper Rugby Union kind either) and it’s totally inescapable. The media seems to assume that everyone is interested in which bunch of seriously overpaid egos can kick a ball around the least badly, so TV schedules are rejigged around the matches and newspapers stuffed full of any vaguely football related news, including the wives, girlfriends and no doubt labradoodles as well.

But perhaps the main reason I hate the World Cup right now is the sheer amount of spam and malware it has created. According to the latest MessageLabs Intelligence Report from Symantec Hosted Services, a whopping 25 percent of all global spam is currently related to the World Cup.

OK, so it is nothing new for the spammers and scammers to latch on to current events in order to peddle their murky trade, but when analysis reveals that 25 percent of spam includes keywords related to football you know things have reached a new low.

If that is not bad enough, MessageLabs Intelligence also intercepted a run of some 45 targeted malware emails earlier this month, all aimed at Brazilian companies and designed to rely on social engineering tactics and World Cup excitement to compromise corporate systems. Using a dual attack mode approach, both PDF attachments and malicious links were included in order to double the chance of success: think about it, if the AV scanner removes the infected PDF attachment but then forwards the apparently cleansed message complete with a malicious link, the recipient is much more likely to consider it as trusted.

“Right now, spammers are reliant on the massive wave of excitement and expectation that typically surrounds an event like the FIFA World Cup” says MessageLabs Intelligence Senior Analyst, Paul Wood. “Riding this wave, spammers get the attention of their victims by offering products for sale or enticing them to click on a link. It is not uncommon for the event to appear in the subject line of an email but for the body of the same email to be completely unrelated”.

With England playing so badly that the team is not likely to progress much further you may have thought the fuss would die down and the spam problem go away equally quickly, however the tournament will continue with or without England and so will the opportunity to spam us. Anyway, Wimbledon tennis has started now as well, which is yet another excuse for the bad guys to grab us by the balls.

Game, set and match to the spammers it seems…


Lessons of HMRC breach lost in time

By Davey Winder in Editorial

Posted in Business, Data Protection, Blog, Government, Security on June 14, 2010 at 10:49 pm


Who could forget that historic HMRC security breach in November 2007 which saw the bank details of 25 million people go missing? The surprising answer to that question is around 20% of companies, it would seem.

At the time, the Conservative Party told the BBC that the breach was “a catastrophic failure” and then Chancellor Alistair Darling admitted it was an “extremely serious failure on the part of HMRC to protect sensitive personal data entrusted to it in breach of its own guidelines”.

In June 2008 the Poynter Review into the shameful affair identified major institutional deficiencies and recommended a number of security principles to prevent any reoccurrence. Now a survey by Cyber Ark suggests that companies are still choosing to ignore some of these core recommendations, including 19% which continue to use external couriers to transfer sensitive data files.

The Poynter Review clearly recommended that transfers of digital data involving physical media should be phased out completely, yet this new survey shows this method is on the up rather than being phased out. In 2008 when questioned on this, 4% of respondents used the postal system to transfer large files, however that figure has now jumped to 11%.

It’s not all bad news though, as the survey also revealed that 82% of companies do have some system in place for transferring data, and the use of email for this has declined from 35% in 2008 to 16% now. Unfortunately, 67% have moved to FTP for sensitive data transfer and 28% are using web based services.

Mark Fullbrook, UK Director for Cyber-Ark, says “With FTP, and even encrypted FTP sessions, the problem arises after data has moved while it sits on the FTP or SFTP server in plain text. The nature of the beast means the service is directly connected to the internet leaving it open to violation, and as there is no audit trail, no record of who accessed the files. More alarming are those organisations that are using a web based offering – they may just as well stand on a street corner and give away their information as these services just weren’t designed with sensitive corporate data in mind”.


How sophisticated does security need to be?

By Davey Winder in Editorial

Posted in Business, Blog, Security on June 6, 2010 at 1:59 pm


According to the latest research to hit my inbox, the security needs of the SME are becoming more sophisticated. I have to admit, I am not altogether convinced.

RSA, the Security Division of EMC, released the results of a survey conducted by the SANS Institute which was a sampling of data from the SANS Sixth Annual Log Management Survey Report and focused on small and mid-sized organisations with less than two thousand employees. It suggests that almost 80 percent of SMEs rank detection and prevention highest in criticality, and that the mid-sized enterprise best understands the importance of collecting and analysing log data. The fact that survey respondents reported logs are most useful when used for forensic analysis and correlation, then detection and prevention, both coming in higher than 90 percent, suggests mid-sized organisations are becoming more sophisticated in their security needs, RSA insists.

“This data suggests that organisations want and need the efficiency of a log management solution to move beyond compliance to security detection, reaction and prevention as well as to augment effective IT and network operations” says Jerry Shenk, Senior Analyst at SANS.

“This data suggests some people have too much time on their hands” says Davey Winder, opinionated security expert at IT Pro, continuing “I mean, who really wants to read a report based upon a log management survey?”

Seriously, security does not need to be sophisticated at any level, it seems to me. It just needs to be practical. And that means being appropriate to the business using it, and appropriate to the risks faced by that business. Common sense goes a long way even at enterprise level and in the rush to buy in ever more sophisticated security solutions that, I am afraid to say, often gets left behind. Yes, checking logs for potential security problems is a good thing, but when you start talking about the efficiency of log management solutions I start switching off…


The World Cup of Cybercrime

By Davey Winder in Editorial

Posted in Blog, Security on June 1, 2010 at 9:39 pm


With just a few weeks to go before the football World Cup kicks off in South Africa, my inbox is already starting to fill up with related spam and press releases. I’m a Rugby Union man through and through, a very happy one as it just so happens that I’m a Leicester Tigers fan, and have very little time for anything to do with soccer. Unless it’s the type you spell SOCA, that is. When the Serious Organised Crime Agency gets serious about organised criminal gangs participating in British cybercrime to the tune of £3.5 billion a year, anyone with an interest in online security has to sit up and take notice.

SOCA has warned that the bad guys are endlessly inventive, even going as far as impersonating SOCA officials themselves in order to perpetrate fraud recovery scams where victims are counselled with help to recover lost money, but in actual fact just end up getting fleeced all over again.

If you honestly think it cannot happen to you, or someone you know, then think again. When the crime business is so big as to be worth £3.5 billion a year, it’s big enough to touch anyone who is not constantly vigilant - and that includes everyone from the individual consumer to the biggest enterprise.

VeriSign, for example, conducted research recently which concluded that as many as 11 percent of the online UK population has been a victim of online ID fraud over the past year, with each of those victims losing, on average, some £352. “Soca’s research further highlights how criminals are continuing to widen the techniques they use to target their victims, with online fraud now a major industry” says Matthew Bruun, a security expert at VeriSign.

Which is why SOCA made today, June 1st, a global day of action and awareness to fight back against the scammers. Apparently. Unfortunately, there doesn’t seem to have been much evidence of this getting any great media coverage which kind of suggests that most people find cybercrime about as interesting as I find football. And that, dear reader, is very worrying indeed.


Why I’m buying a firewalled wallet

By Davey Winder in Editorial

Posted in Data Protection, Blog, Security on May 28, 2010 at 1:39 pm


I may not be paranoid, but that doesn’t mean they aren’t trying to steal my identity right out of my wallet. I’m not sure who ‘they’ are, to be fair, but I sure don’t want them looking at the data on my biometric passport or wireless contact credit card. No sir-ee Bob. That’s why I’m buying a wallet that comes complete with multiple layers of Radio Frequency shielding material woven into the fine Italian leather body.

It’s not even April 1st is it, and here I am writing about buying a firewalled wallet can you believe it? And it’s true, these things do exist: a Californian company called Kena Kai is knocking out a range of wallets with a built-in firewall under the DataSafe brand. They cost about the same as any other leather wallet, a lot less if you compare them to designer brands, and don’t look like they have been designed by an acne-ridden nerd called Nigel either.

Do I really think that anyone is going to try and steal my identity by scanning me as I walk past (within around 6 metres, the effective range of most ‘skimming’ devices) on the off chance I have some new-fangled RFID-powered credit card or am carrying my biometric passport around Tesco for some reason I cannot currently think of? No, as it happens, I don’t. Not least because I don’t have a biometric passport or an RFID credit card.

But you know what, given the choice between a boring old wallet or a super-nerdified firewalled wallet the latter will win every time as far as I am concerned. Just think about the bragging rights at parties…


The Silver Surfer fights cybercrime

By Davey Winder in Editorial

Posted in Blog, Government, Security, Internet on May 25, 2010 at 9:55 pm


Who better to fight cybercrime than the Silver Surfer? According to Marvel this superhero has the power cosmic and can absorb and manipulate ambient cosmic energies from the universe to fight off any foe. But forget the Fantastic Four where Silver Surfer first appeared over forty years ago, this time we have Prime Minister Cameron and Sidekick Clegg to thank.

To thank, that is, for bringing the crime fighting superheroine to our attention. Ah yes, did I mention that the silver surfer in question is not the Marvel Comics cartoon character but rather a 70 year old woman?

The new security minister with responsibility for online security, the so-called cybersecurity czar, is Baroness Pauline Neville-Jones. Sitting in on meetings of the National Security Council, the former diplomat and member of Government defence spin-off outfit Qinetiq, which provides technology-based services and solutions to the defence and security markets, Baroness Neville-Jones has plenty of experience in the national security area, although her hands-on knowledge of matters cybersecurity is less clear. Indeed, a quick look at the make-up of the National Security Council, which Baroness Neville-Jones helped to create, reveals a distinct lack of cybersecurity expertise and a tipping of the balance of power very much in the direction of the physical aspects of military security instead.

Still, it’s undeniably cool to be able to lay claim (albeit a little tenuously) to having the Silver Surfer fighting online crime all the same…


Are the Scottish crap at online security?

By Davey Winder in Editorial

Posted in Twitter, Data Protection, Blog, Facebook, Security, Internet on May 18, 2010 at 11:06 am


Newly published research from Ofcom reveals many things: 80 percent of adults in the UK will only share social networking data with friends and family, only 30 percent think that Internet information is reliable compared to 50 percent for TV and radio, and the Scottish are pretty crap when it comes to online security stuff.

The Adult Media Literacy report is encouraging in many respects, not least as it does show a trend towards security awareness amongst most UK Internet users. That 80 percent of adults being happy to share their social networking account data with friends and family only figure, for example, is way up from the 48 percent who said the same in 2007.

It’s not all good news though, with a quarter of Internet users admitting that they lacked confidence when it came to installing filtering software and configuring security features. This despite the security vendors going flat out to develop more user friendly fire-and-forget products. Obviously a lot more work needs to be done to make security solutions truly user friendly, and I suspect that much of that work needs to be at the educational rather than interface level. The trade-off between usability and security is such that users have to make the defence granularity choice themselves; leaving it to software inevitably leads to a broken online experience in some way, shape or form. If the user doesn’t properly understand the implications of the choices they make then they will never get that balance right. Simply telling someone to default to ‘allow nothing’ is about as useful as scaffolding made from jelly.

However, I digress, back to the ‘it is not all good news’ thing: while the UK national trend for understanding online security issues is up nicely, one part of the country does seem to be lagging behind somewhat. Yes, I’m talking about you Scotland.

The report reveals that adults in Scotland are the least likely overall to worry about entering their personal data online, and some fifty percent of Scots are happy to enter their home address details on the Internet compared to just 23 percent in Wales and Northern Ireland, for example. Yet this is despite Scottish adults being the biggest home users of the Internet in the UK, on 10.6 hours per week each on average, compared to 8.3 hours in England and 6.8 hours in Wales. Scottish users also account for the biggest percentage of social networking users, on 49 percent with such profiles compared to 46 percent in Wales, 44 percent in England and just 31 percent in Northern Ireland.

So there you have it, proof that the Scottish are crap when it comes to online security - at least in comparison to the rest of the UK.

I guess I had better batten down the hatches now then and await a virtual Glasgow kiss or three…


An iPhone 4G could be more costly than you think

By Davey Winder in Editorial

Posted in Data Protection, phishing, Twitter, Spam, Security, Mobile Phones, Apple on May 13, 2010 at 8:00 pm


Ever since Gizmodo broke the news about that iPhone 4G that was left in a bar, it seems everyone wants to know more about the next generation Jesus Phone from Apple. But at what price?

How does free grab you? Well that’s the promise that’s been spotted by security experts Sophos appearing in both Twitter and email-based spam scams. An email is doing the rounds which offers the (un)lucky recipients the opportunity to test and ultimately keep an iPhone 4G. This despite the fact that it has yet to be released, and Apple has yet to officially say anything about it other than ‘give us our prototype back’ either. The scam, of course, being that anyone wanting to sign up for the free testing deal has to hand over personal information in order to do so and the spam is really just a clever phishing exercise.

The Twitter scam is equally sinister, using the accounts of apparently sexy young women to offer free iPhone 4G handsets for users who click on a promotional link. A link that, of course, takes them to a personal data harvesting website.

As Graham Cluley of Sophos says “some internet users might blindly hand over their personal information in the belief that they will get a preview version of what will be one of 2010’s hottest gadgets”. I’d take issue with that statement, in that there is no ‘might’ about it and some users will, for sure, do just that. Be it as a result of living in a freebie society where people happily expect to get something for nothing, or maybe it’s the effect of junk food on the brain, but there are certainly plenty of people who will fall for this scam.

While I don’t imagine for a minute that the average IT Pro reader falls into this bracket, it might be worth letting your friends and family know that the price of an iPhone 4G right now is just too high to be worth risking that mouse click upon.
