IT outsourcing is the big credit crunch winner
By Davey Winder in Editorial
Posted in Uncategorized on
There is no ignoring the credit crunch, that’s for sure. Whether it is the cost of your weekly food shop, fuel for your car or the fact that the value of your house is moving in the wrong direction, we are all feeling the pinch. All, that is, except the outsourcing segment of the IT services market according to IDC. OK, so a recent IDC study of the Western European IT services market which saw better than expected performance during 2007 and reported growth at 6.4 percent in constant currency has been revised a tad in the light of growing economic uncertainty. But even when taking a “more conservative view of the market” IDC still predicts growth at 4.8 percent CAGR and expects it to reach $242.8 billion by 2012.
IDC even admits that demand for IT services will “slow down in 2008” to a level of something like 1.8 percent less than the spending growth last year, but importantly IDC reckons that the credit crunch will not have as strong an influence in Europe as it has done in the US. Where it will hit hardest, if you go by the IDC predictions at any rate, would appear to be project services, followed by support services, but with “little or no impact in the outsourcing segment.”
“As the European economy cools down, the outsourcing segment continues to be the growth engine of the IT services market,” said Laura Converso, research manager, IDC’s European Services Research. “The overall outsourcing market will exceed the size of project-based services by 2008 and will account for 42% of the total IT services market by 2012. At a worldwide level, IDC estimates that Western Europe will eclipse the U.S. to become the largest geographic market for IS outsourcing by 2009.”
In fact, IDC is predicting that the overall outsourcing market will be the fastest-growing of all, attaining a 7.5 percent growth forecast for 2008 thanks to a cost-cutting mentality driven by the credit crunch.
The digital universe has been measured
By Davey Winder in Editorial
Posted in Blog, Uncategorized on
Ever wondered just how much data there is out there? Some folk at information management specialists EMC did, so they commissioned a research study from IDC to find out. Apparently the answer, as far as up to the end of 2007 was concerned anyway, is 281 exabytes, or 281 billion gigabytes if that helps with the visualisation.
IDC reckon that the digital universe equates to around 45GB of digital information for each and every single person on the planet.
The reason the numbers are so mind boggling is because, well, the numbers are so mind boggling. The digital universe isn’t just made up of the Internet and all the hard drives on computers around the world, but also digital cameras, digital television, mobile phones and so on. For example, IDC reckon that there are more than a billion digital camera phones alone.
The really interesting part, however, is that only about half of our personal digital footprint is actually related to us and what we do, the rest can be classified as a kind of digital shadow which is comprised of information about us.
European business sucks at data protection
By Davey Winder in Editorial
Posted in Data Protection, Blog, Security, Uncategorized on
That is the rather unsurprising conclusion of a YouGov survey which took a pan-European view on consumer attitudes to online security. It revealed that European users visit their bank most often, closely followed by retail sites. Yet when asked if the government and banks, for example, are doing enough to safeguard their data while online, a resounding 57 percent of UK users said nope, 44 percent of Germans said nein and 31 percent of Swedes responded nej.
The survey was commissioned by VeriSign who say that European Internet users are putting as much as £360 billion at risk simply by sharing personal data on sites that are lax about security. Interestingly, the survey also asked who should be responsible for the protection of our personal information online and the answer was overwhelmingly, and again totally unsurprisingly, the banks, credit card companies and web sites themselves.
Jon Kerr, VeriSign SSL Manager, commented, “With increasing frequency, we are seeing more and more theft of consumer’s personal information. The study shows that online customers are becoming more aware of the risks involved in passing on their details over sites that may not be secure. It is the organisations themselves that will fail to benefit as they will lose out on an increasingly skeptical customer base who expect their online safety to be taken care of. Trust is difficult to build but easy to break…”
Black Hat risk to migrating VMs
By Davey Winder in Editorial
Posted in Data Protection, Blog, Security, Uncategorized on
I like the Black Hat conferences, not least because they always manage to produce a balanced measure of truly mind boggling security holes on the one hand and truly mind boggling self-serving smoke and mirrors on the other. I am not 100 percent sure where stories such as the RFID credit card hack fit into the balance, but there is little doubting the relevance of demonstrations such as the one which showed exactly how a determined attacker is able to hack into VMware and Xen virtualisation software while the VM is in transit between physical machines.
The security researcher in question is actually a PhD candidate from the University of Michigan, one Jon Oberheide who, if you say it quickly enough, sounds like he belongs in the Star Wars movies somewhere along the line. But there is no air of science fiction about the proof-of-concept tool he demonstrated, which shows how easy it is to hack into and control the VM hypervisor, as well as its applications, when a virtual machine is being migrated, and to use this to purloin data from those live VMs.
Oberheide reckons that his tool, Xensploit, reveals the lack of understanding when it comes to the risk involved with migrating live virtual machines. The main problem being, of course, that taking down a live system is not an option because that somewhat goes against the whole point of the dynamic availability of any VM deployment in the first place. But being aware of the risks means that measures can be taken to mitigate them, and in this case information is most definitely power.
Oberheide demonstrates that a man in the middle attack is possible while data moves in clear text during the VM migration, with Xensploit manipulating the SSHD authentication to provide the required administrative access. Route hijacking, ARP/DHCP spoofing and DNS poisoning can all play their part in such a compromise or, as Oberheide confides, even a simple passive password sniffing exercise.
And the solution? The usual to be honest, assess risks accordingly and take security seriously. Mutual authentication between hypervisors during migration, together with an encrypted data plane and a network isolated environment for the migrating VMs should do the trick…
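As an added example (not Oberheide’s tool, nor any Xen or VMware code), here is a Python sketch of the mitigation the post ends on: mutual authentication between the two hypervisors before any page moves, plus an integrity-tagged, replay-protected data plane. The Hypervisor class, the frame layout and the pre-shared key are all hypothetical and constructed for the demo, standing in for the per-host certificates and TLS tunnel a real deployment would use.

```python
import hashlib, hmac, os

# Pre-shared key provisioned out of band on both hypervisors (constructed for this demo;
# a production deployment would use per-host certificates inside mutually authenticated TLS).
PSK = os.urandom(32)

def mac(key, *parts):  # length-prefixed HMAC-SHA256 so fields cannot be re-split
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

class Hypervisor:
    """One migration endpoint (hypothetical class, not a Xen or VMware API)."""
    def __init__(self, name, psk):
        self.name = name.encode()
        self.psk = psk
        self.session = None   # per-migration key, derived only once both sides authenticate
        self.send_seq = 0     # sequence number stamped on each outgoing page
        self.expect_seq = 0   # next sequence number the receiver will accept
        self.pages = []       # guest memory pages the destination has accepted

    # Control plane: two-nonce challenge/response, so neither side talks to an impostor.
    def hello(self):
        self.nonce = os.urandom(16)
        return self.nonce

    def respond(self, peer_name, peer_nonce):
        self.nonce = os.urandom(16)
        self.peer_name, self.peer_nonce = peer_name, peer_nonce
        return self.nonce, mac(self.psk, b"auth", self.name, peer_nonce, self.nonce)

    def finish(self, peer_name, peer_nonce, peer_tag):
        expected = mac(self.psk, b"auth", peer_name, self.nonce, peer_nonce)
        if not hmac.compare_digest(expected, peer_tag):
            raise PermissionError("destination could not prove it holds the key")
        self.session = mac(self.psk, b"sess", self.nonce, peer_nonce)
        return mac(self.psk, b"auth", self.name, peer_nonce, self.nonce)

    def confirm(self, peer_tag):
        expected = mac(self.psk, b"auth", self.peer_name, self.nonce, self.peer_nonce)
        if not hmac.compare_digest(expected, peer_tag):
            raise PermissionError("source could not prove it holds the key")
        self.session = mac(self.psk, b"sess", self.peer_nonce, self.nonce)

    # Data plane: every page is stamped with a sequence number and tagged under the
    # session key, so a frame altered, reordered or replayed in transit is refused.
    # HMAC gives integrity only; wrap the channel in TLS for confidentiality as well.
    def send_page(self, page):
        seq = self.send_seq.to_bytes(8, "big")
        self.send_seq += 1
        return seq, page, mac(self.session, b"page", seq, page)

    def receive(self, frame):
        seq, page, tag = frame
        if not hmac.compare_digest(mac(self.session, b"page", seq, page), tag):
            raise ValueError("page rejected: tag mismatch, frame altered in transit")
        if int.from_bytes(seq, "big") != self.expect_seq:
            raise ValueError("page rejected: out-of-order or replayed frame")
        self.expect_seq += 1
        self.pages.append(page)

def migrate(src, dst, pages):
    """Full exchange: mutual authentication first, then the tagged page stream."""
    n_src = src.hello()
    n_dst, tag_dst = dst.respond(src.name, n_src)
    tag_src = src.finish(dst.name, n_dst, tag_dst)
    dst.confirm(tag_src)
    for page in pages:
        dst.receive(src.send_page(page))
    return dst.pages

def raises(exc, fn, *args):
    """True if fn(*args) raises exc: shows which frames the receiver refuses."""
    try:
        fn(*args)
    except exc:
        return True
    return False
```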
The Federation tell ISPs to get house in order
By Davey Winder in Editorial
Posted in Data Protection, Blog, Internet, Uncategorized on
When Lord Triesman, the parliamentary Under Secretary for Innovation, Universities and Skills, says “if we can’t get voluntary arrangements we will legislate” as he did with regard to intellectual property theft when interviewed by the BBC a few months back, you have to wonder just what the powers that be have in mind. Calling for Internet Service Providers to take a “more activist role” when it comes to illegal file-sharing might sound OK at first, but dig a little deeper and you cannot help but wonder if this is just another step towards that big brother society we seem to be tumbling headlong into. After all, Triesman himself admits that by implementing a voluntary scheme to track illegal file-shares then it would be “quite possible to know where it is happening and who it is happening with”.
Don’t get me wrong, I am not in favour of an intellectual property free for all. P2P services that exploit copyright holders by distributing their material without making any royalty payments are, as far as I am concerned, fair game when it comes to legislation and law enforcement. I am less convinced that the right way to progress is to chase after the kids using these services, or more likely their parents who usually have little idea what Johnny is getting up to in his bedroom with that laptop anyway. And I am certainly less than impressed with the notion of allowing yet another method of citizen surveillance slip stealthily in through the back door.
Certainly the Internet Service Providers Association (ISPA) is equally unconvinced about the merits of shifting the blame to the ISP, arguing that acting as the conduit for illegal peer-to-peer traffic is not the same as generating it, participating in it or profiting from it. Indeed, according to the ISPA “ISPs are no more able to inspect and filter every single packet passing across their network than the Post Office is able to open every envelope. ISPs deal with many more packets of data each day than postal services and data protection legislation actually prevents ISPs from looking at the content of the packets sent.”
And there lies the rub when it comes to legislation. Non-technical types such as his Lordship, despite being advised no doubt by a committee of white coat and pen protector clad numpties, are unable to see beyond the political knee jerk reaction and the media headlines. The actual implementation of any such law, or indeed a ‘voluntary’ agreement, has to take into account the technical ability to make it work. Which is why I cannot help but feel that there is more behind this than the IP copyright issue. Surely the technical committee advising him must have told Triesman that it is all but impossible to identify illegally shared copyright material from the data stream across a multitude of likely scenarios. Surely that same committee must have advised him that it would be a pretty good method of creating a nice database of personal identifying material though.
The Federation Against Software Theft (The Federation) has welcomed the news, however, insisting according to CEO John Lovelock that “The UK is rightly proud of the innovative skills of the hundreds of small companies that produce world class software solutions, but the livelihood of these firms is constantly being put at risk by Internet Service Providers freely allowing illegal distribution to take place. With the ecosystem of the British economy changing from its historic manufacturing base to more service and creative-led industries, these small companies are the lifeblood of the country. We have a duty to make sure that their intellectual property - the core of their business - is properly protected. For too long people have been flouting the law by making illegal copies of software available over the internet, at the same time they have been afforded anonymity by their internet service provider. This cannot be right, and cannot be acceptable. ISPs must get their own house in order. Hiding behind a defence that they are merely a conduit is simply not acceptable.”
Well, that’s OK then…
Paranoid secret squirrel threatens virtual citizen privacy
By Davey Winder in Editorial
Posted in Blog, Security, Internet, Uncategorized on
I guess it had to happen, given the current climate of fear amongst governments in the US and UK regarding the so-called terrorist threat. Don’t get me wrong, I take the whole national security debate as seriously as the next rational citizen and am aware that terrorists are capable of perpetrating the most abhorrent of acts. However, I am also aware that governments see the current climate as being an ideal launch pad from which to bring in draconian laws that can impact upon the privacy of every citizen, good or bad. The arguments are always the same: if you’ve done nothing wrong then you have nothing to fear. I am afraid, however, that I do feel very real fear when 5 million kids have been fingerprinted and are on a database which could be used in case they do something wrong in the future. I am afraid I do feel fear that my DNA can be routinely taken and stored on a national police database even if the original arrest is proven to be in error and I am released without charge, again just in case I do something wrong in the future. And I do fear that a report by US intelligence officials which suggests virtual worlds such as Second Life are a breeding ground for international terrorists is a warning of yet more erosion of privacy that is set to come our way in the near future.
A report by the US government Intelligence Advanced Research Projects Activity group says that the anonymity and easy global access of Second Life creates a seedbed for transnational threats. “The virtual world is the next great frontier and in some respects is still very much a Wild West environment. Unfortunately, what started out as a benign environment where people would congregate to share information or explore fantasy worlds is now offering the opportunity for religious/political extremists to recruit, rehearse, transfer money, and ultimately engage in information warfare or worse with impunity.”
Yeah right, just like the evil Internet, that accursed email and those PAYG mobile phones many people use. Which of course, governments the world over are already bugging and attempting to control.
Is it just me, or does anyone else have a genuine concern that the whole global terror threat is just a smokescreen under which the state can start to monitor everyone, all the time? The UK is already the most filmed nation on the planet, with more CCTV installations watching our every move in small towns and big cities alike. Mobile phones, email, the Internet and now Virtual Worlds are all technologies that, TPTB assume, will give them even greater power to monitor the millions of us who are doing nothing wrong so have nothing to fear.
Luckily, however, the citizen is able to fight back because technology also brings with it the ability to achieve anonymity, to encrypt conversations to the same standards as the intelligence agencies use and to maintain our privacy. No wonder they are running scared and running into the arms of the law to force a change.
For the time being at least, even if the law does change and even if the secret squirrel types insist on perpetuating the myth that we must be evil if we want to remain anonymous online, I doubt that anything can be done to effectively monitor activity within something like Second Life. If you saw that episode of CSI New York where a contract killer adopted an avatar personality to get close to the next target in real life, and was traced in an instant and to a specific apartment location by law enforcement officers, remember that this was pure fantasy. For the time being at least, the real world rational citizen can sleep easy in Second Life I think…
CAPTCHA, HACKEDCHA, GOTCHA
By Davey Winder in Editorial
Posted in Uncategorized on
The Completely Automated Public Turing test to tell Computers and Humans Apart security system, thankfully better known by the pseudo-acronym of CAPTCHA, has been well and truly cracked according to reports online. The system uses a set of alpha-numeric characters presented against a background which when combined make it all but impossible for a machine to decipher but easy enough for the human brain to be able to deal with. Or at least that was up until now if these reports are to be believed.
A Russian security ‘researcher’ going by the pseudonym of John Wane has claimed success in bypassing one of the toughest of CAPTCHA implementations, the one to be found at Yahoo! Wane has posted decoder system code online which is said to be accurate to around 35 percent. Now that might not sound significant, but when you are trying to keep the spammer bots at bay I can assure you that it is. As Wane himself says, “It’s not necessary to achieve a high degree of accuracy when designing automated recognition software”, especially when a spammer can easily hit a rate in excess of 100,000 attempts per day. If they were to manage anything like 30,000 successful account creations then the spam problem, for blogs, forums and the general email population, would rocket overnight.
Application vulnerability software specialists Fortify has warned us all to be vigilant, especially as far as messages received from webmail systems are concerned, in the light of this possible breach. Fortify Chief Scientist Brian Chess has gone on record to say that “any free email service that is using the CAPTCHA system - or a similar approach to prevent automated sign-ups - is engaged in a never-ending arms race with its attackers.”
It isn’t all bad news though, as CAPTCHA represents just the main gate as it were in the fight against spammers, and the likes of Yahoo! and Google have plenty of other tricks up their collective spam fighting sleeves to prevent an all out flood of malicious mail.
Google quickly stomps on Orkut worm
By Davey Winder in Editorial
Posted in Blog, Facebook, Security, Google, Uncategorized on
Talk about social networking sites and you probably think Facebook, MySpace and possibly LinkedIn. The chances are, unless you happen to be Brazilian, the Google social networking offering Orkut has managed to evade your radar altogether. Orkut is, however, hugely popular in Brazil and that’s why it was mostly Brazilians who were among the estimated 750,000 members to find themselves on the wrong end of a worm infection within the space of 24 hours.
According to McAfee Avert Labs the Orkut worm, which spread rapidly at the end of last week, was highly targeted towards that Brazilian community. It used the Orkut scrapbook facility, a method of sending messages between ‘friends’ in the network, to distribute text scraps in Portuguese which translated into such cobblers as “2008 is coming, I wish that it begins quite well for you.” It also made sure that an executable was downloaded which added users to an Orkut community group called “Infectados pelo Virus do Orkut” which translates to “Those Infected by the Orkut Virus.” The loop then continues and the worm spreads by sending more infected scraps to everyone within that person’s network of friends.
It appears that all of this was made possible by a relatively new feature of an Orkut tool that allows its members to write message scraps containing HTML code, the new feature adding Flash and Javascript capability into the mix. Uh oh, the warning lights and sirens should have been going off when news of this ‘functionality’ was released.
It all meant that the only action needed to be taken for someone to get infected was to view their Orkut profile. Which seems to be the point, as the group description reveals that the worm was actually created and released to expose just how dangerous the system is.
Certainly the worm caught the attention of Google quickly enough, as it would, seeing as it was spreading at the rate of 100 member infections every minute at one point, and it would appear code filters have been put in place to prevent further exploitation.
“Google takes the security of our users very seriously. We worked quickly to implement a fix for the issue recently reported in Orkut. We also took steps to help prevent similar problems in the future. Service to Orkut was not disrupted during this time” a Google spokesperson said.
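An added example, not Orkut’s code nor the filter Google deployed: a server-side allowlist sanitizer in Python (hypothetical class and function names) for the kind of HTML scrap feature described above, run over a constructed scrap that combines the worm’s lure text with script, plugin, event-handler and javascript: URL vectors, and returning both the cleaned scrap and a list of what was dropped for alerting.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist of markup a scrap may keep; anything not listed here is dropped.
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SKIP_CONTENT = {"script", "style", "object", "iframe", "applet"}  # drop tag and body
SAFE_SCHEMES = ("http://", "https://")  # rejects javascript: and data: URLs


class ScrapSanitizer(HTMLParser):
    """Rebuilds a scrap from allowlisted markup only (hypothetical class name)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized fragments
        self.skipping = None   # tag whose body is currently being discarded
        self.dropped = []      # what was removed, for logging or abuse alerting

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in SKIP_CONTENT:
            self.skipping = tag
            self.dropped.append(tag)
            return
        if tag not in ALLOWED_TAGS:          # e.g. <embed>: tag removed, text kept
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            allowed = name in ALLOWED_ATTRS.get(tag, ()) and not name.startswith("on")
            safe_url = name not in ("href", "src") or value.strip().lower().startswith(SAFE_SCHEMES)
            if allowed and safe_url:
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.dropped.append(f"{tag}@{name}")
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data))   # text is re-escaped, never passed through raw


def sanitize_scrap(raw):
    """Returns (clean_html, dropped_items) for one scrap."""
    parser = ScrapSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed scrap: the worm's lure text plus the payload vectors the post names.
SAMPLE_SCRAP = (
    "<b>2008 is coming</b>, I wish that it begins quite well for you."
    '<script>document.location="http://example.invalid/worm"</script>'
    '<embed src="http://example.invalid/worm.swf">'
    '<img src="x" onerror="spread()">'
    '<a href="javascript:spread()">click</a>'
    '<a href="http://example.invalid/page">safe link</a>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_scrap(SAMPLE_SCRAP)
    print(clean)
    print("dropped:", dropped)
```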
Spear phishing Catch 22 for Salesforce.com
By Davey Winder in Editorial
Posted in Uncategorized on
Salesforce.com has been the victim of a classic spear phishing attack, where a highly targeted social engineering exploit is used in an attempt to persuade a single employee to reveal confidential corporate information that can then be used as ammunition for further and more widely spread attacks.
The CRM vendor has admitted that one of its employees had fallen foul of such a spear phishing scam and handed over a password to the cyber-criminal involved. This led to a customer contact database being copied, and consequently the “first and last names, company names, email addresses, telephone numbers of salesforce.com customers, and related administrative data belonging to salesforce.com” being leaked. I am led to believe that a number of the customers so exposed were then taken in by a phishing scam which was made all the more believable by the amount of accurate personal data it was able to use.
John Stewart, founder of secure authentication specialists Signify, reckons the whole thing should not come as a surprise to anyone, telling me “the growing popularity of the SaaS (Software as a Service) model means that it’s too big a honeypot for the Internet Underworld to ignore.” One of the problems being that there’s a blind spot in corporate security: whereas two factor authentication and VPN encryption are considered essential before remote users are allowed access to this data on the corporate network, as soon as it is hosted by a third party, it seems that just a web browser and a password are all that’s needed. “In essence, you’ve uploaded your entire customer database and sales pipeline to a public website and protected it with a basic password” Stewart insists, adding that “the data is no more secure than your Facebook login.”
Salesforce.com is now recommending the use of two-factor authentication (2FA) for service login, but this requires replacing the password with a 2FA process by enabling the single sign on function: something that is limited in the ‘Pro Edition’ used by the majority of SME customers. With single sign on being, effectively, a global setting which is either on or off for everyone, it doesn’t take a genius to realise that Salesforce still has a long way to go. SMEs are going to baulk at the cost of deploying 2FA tokens to every user, including everyone on the road, all managers, office and admin staff. The spear phishing attack has shown how just a single weak link in the chain can be exploited after all. The other option is the equally expensive upgrade to the Enterprise Edition, something of a Catch 22 it seems.
“It is frustrating that our customers cannot extend the use of their tokens to secure their Salesforce.com accounts too. If Salesforce.com were to make SSO a ‘per user’ setting on Pro Edition, this would be a clear gesture that they are truly committed to helping all their customers improve their security” Stewart argues.
Time to forget technology and focus on information
By Davey Winder in Editorial
Posted in Uncategorized on
Gartner is predicting that organisations which do not start approaching information management in a coordinated, enterprise manner, will ultimately fail in either their first or second year, and at a rate of more than 90 per cent. The thing being that while many organisations naturally want to exploit information assets, and do so by addressing issues around information overload in order to achieve efficiency and transparency objectives, they also want to ensure appropriate safeguards and measures are in place to protect sensitive information and minimise risk. The problem, according to Gartner, is that despite recognising the importance of the issue, many of them simply do not have the formal information governance programmes or strategies in place to enable them to follow through successfully.
“IT professionals have focused for too long on technology and not enough on information,” said David Newman, research vice-president at Gartner Symposium/ITxpo. “The business expects to have the right information at the right time to get the job done. It also expects information to be accurate and consistent. Furthermore, senior management expects that adequate controls and defined accountabilities are in place to assure compliance and reduce risk. That’s why information governance is top-of-mind among any of our clients today.”
According to Gartner, one telecom provider in the UK instilled data-quality awareness into its culture and improved revenue assurance by reducing revenue loss due to inaccurate billing from more than 15 per cent to less than 1 per cent. Yet most organisations still manage information in what you might think of as being separate silos: system-by-system or department-by-department. The pretty obvious result, when you are looking in from the outside, is a lack of consistency, transparency and quality across the organisation as far as information assets are concerned.
“The purpose of information governance is to define the accountabilities and responsibilities (commensurate with organisational level) that ensure the accuracy, integrity, accessibility and security of information across the organisation” Newman added.
A formal information governance discipline achieves the following tangible benefits:
1. Transparency, trust, reputation and risk mitigation
2. Faster time to market and faster cycle times as the result of improving information flows
3. Levels of mutual understanding and commitment to information as an enterprise enabler
4. Consistency across the organisation, particularly when operating in a shared service