Blog Author: Neil Stinchcombe, Infosecurity Europe Team

Neil Stinchcombe's blog

Permalink: http://www.infosecurityadviser.com/view_blog?id=13

Germany - 17 million people's data theft was avoidable

Weekend reports that T-Mobile has lost the personal data of 17 million German citizens - possibly one of the largest data losses in IT history - have revealed the danger of devolved and decentralised data storage.

The fact that the data losses reach back to the start of 2006 does not reduce the potential for identity fraud this huge data loss poses. The data lost appears to include customers' phone numbers, dates of birth, addresses and email information, which is enough for an identity starter kit on more than 20 per cent of the German population - more if you exclude minors from your calculations.

The problem with handling a database of this size, especially across a company of T-Mobile's size, is the need for multiple copies of the database, all of which are accessible - and to a certain degree, editable - by more than 7,000 members of staff.

This makes a conventional encrypted database approach almost unworkable, since you will have multiple copies of the database, some of which include greater or lesser amounts of data, in existence at any given time. Updating all the records is a technical nightmare in itself, let alone encrypting the data on-the-fly for all concerned.

In this environment, conventional IT security can only go so far in defending the database against unauthorised access, attack and copying.

What you need is a technology that looks for anything unusual happening across all of the T-Mobile IT resources and, when it happens, either locks down the event or, in the case of a minor issue, alerts management to a possible security problem.

Such technology already exists: behavioural monitoring products are capable of spotting anything unusual happening and of preventing known and unknown security problems from causing damage.

T-Mobile claims it has had no reports of the data being misused, but Der Spiegel, the German magazine, was able to buy the data from at least one third party. This illustrates the potential seriousness of the data leak/loss, and the need for the cellular carrier to enhance the security of its IT resources and improve staff behaviour to secure sensitive information.

07-10-2008 18:56

Should we be concerned about FBI DarkMarket Carder Sting

It has emerged that the DarkMarket card forum – which apparently allowed hackers to buy, sell and exchange illegal payment card data and associated information - turned out to be an FBI sting.

 

The DarkMarket.ws forum, which had been in operation for around two years, was widely regarded as an illegal operation, but it has since emerged it was a highly covert FBI sting. This is quite worrying, as it almost certainly means that other carder forums will move further underground, making their monitoring almost impossible.

 

The analogy I draw here is taking a sledgehammer to crack a nut. Yes, the carder forums are a thorn in the side of the payment card industry, but using a sting approach to capture fraudsters is only going to catch the small fry. The bigger fish - the ones the FBI really should be after - will have escaped detection.

 

As well as taking an OTT (Over The Top) approach with the sting, the FBI has overlooked the probable consequences of its actions.

 

This will almost certainly involve the fragmentation of the carder information and exchange marketplace, making it very difficult for card companies - and law enforcement officials - to track down future frauds in progress.

 

If the forums move underground and become encrypted, then they will almost certainly drop off everyone's radar, which is a great shame, as it will make it become much harder for the anti-fraud industry to track what is really going on.

 

For more on the DarkMarket saga: http://tinyurl.com/3vbpm9

 

17-10-2008 18:15

Will ISPs storing details of every email tackle e-crime?

Reports that ISPs will have to store details of every email sent via their systems for at least 12 months from March onwards seem to have civil libertarians up in arms (http://tinyurl.com/8rxl3l), but, surprisingly enough, there is no mention of any complaints from the ISP community.

 

This actually isn't that surprising, when you remember that the ISP community were making a fuss a few years ago, when the prospect of storing email for six years was mooted.

 

Against this backdrop, storing email for 12 months is a comparative let-off, especially when many ISPs keep their backup tapes for this long a period anyway, so creating an interface to interrogate the data mountain isn't that onerous a task.

 

But will keeping emails for 12 months tackle the online crime problem?  You can join a vote on the poll here: http://www.infosec.co.uk/page.cfm/Action=Poll/pollID=142/nocache=true

 

It's highly debatable, largely because many Internet users make use of Web-based and impersonal email services from the likes of Hotmail and others.

 

Registering a Hotmail or Yahoo mail account is a relatively easy task, and given the numbers of users with a moniker of 'pinkfluffybunny701' or similar, tracing the real owners of these types of mailboxes can often turn into something of a detective hunt.

 

On top of this, the planned mandate to store emails for at least 12 months only applies to UK ISPs. International ISPs such as AOL and CompuServe, as well as other international ISPs who have large minorities of UK subscribers, fall outside the legal remit.

 

The Internet, in case you hadn't noticed, is international, unlike the laws that are attempting to bind its illegal usage.

 

And when you realise that around 20 billion emails are estimated to be sent each week in the UK, the value of storing that volume of data for the Police and around 600 other agencies to sift through when they wish starts to reduce somewhat.

 

That's a lot of agencies, but it's also a lot of data to sift through.

 

Few agencies have the resources to tackle such an information mountain, let alone search that data on a regular basis. The IT and manpower resources required would put an IT manager in a daze.

 

And when you begin to factor in the estimates that four in every five emails sent are spam, you realise the futility of it all.

 

It was Douglas Hurd, the UK's former foreign secretary and veteran politician, who is famously reported to have said that you can make walking on the cracks in the pavement illegal, but enforcing such a law is nothing without the support of the people.

 

The ISP email retention law, which forms part of the European Commission directive, is expected to come into force on March 15 at a reported taxpayer cost (depending on who you talk to) of between 15 and 70 million pounds.

 

That's the cost, apparently, of creating an IT infrastructure capable of giving various agencies easy access to the required data mountain - never mind the fact that most agencies have insufficient resources to search in the first place.

 

And what happens if the sender of the email(s) has used a high-level encryption system? How will the various government agencies handle that not-so-minor inconvenience?

 

Words like "waste," "time" and "of" spring to mind...

19-01-2009 18:19

Third time not so lucky for Monster.com

Monster.com, the world's largest job-seekers' database, has been hit by a data loss for the third time in as many years, highlighting the need for high-grade encryption on personal data of this type.

As one of the world's 20 most visited Web sites and with 150 million resumes, Monster.com is a massive operation. It's therefore quite shocking that, after two previous data loss incidents, the company has not implemented higher levels of security.

This is the second time in the past 18 months that Monster.com has lost a wealth of personal data belonging to millions of job seekers. It's also the third time the company has put its users at risk after suffering a significant security breach.

Back in August 2007 a Trojan horse using compromised employer credentials pumped out data belonging to around 1.3 million job seekers. Shortly afterwards the job seekers started receiving phishing mails advising them to download malicious software or accept a job offering to serve as their lobbyist.

Monster.com makes a big deal about users changing their passwords and being cautious over potential phishing email messages - reminding users of the fact that 'Monster will never send an unsolicited email asking you to confirm your username and password' - so it's ironic, if not farcical, for the firm to suffer a third serious data breach in as many years.

Given the fact that job seekers are often desperate enough to reveal more personal data than they should in their quest for a new job, it is incumbent on any company holding such data to take precautions to protect that data. You have to ask whether Monster.com has taken such precautions.

What do you think Monster should have done to prevent this third strike? Comment below or join a vote on the poll here http://www.infosec.co.uk/page.cfm/Action=Poll/pollID=146/nocache=true

At Infosecurity Europe 2009 there will be a keynote on "Who Got Caught Out in the last 12 months". The panel will look at who has been caught out and, more importantly, why. This session will explore whether the right mechanisms are in place to encourage reporting and sharing of information and best practice, whether organisations are being appropriately punished to deter future breaches, and whether the support and customer care is in place to look after the digital victims. http://www.infosec.co.uk/

30-01-2009 12:43

PCeU announces plans to consult with companies

Interesting to see the Police Central e-Crime Unit (PCeU) announcing plans to consult with companies in an attempt to prioritise its efforts and "provide greater clarity" about its role in the world.

Of course, not all jurisdictions have abolished their version of the CCU. The States of Guernsey, for example, only set up its own version of its CCU back in 1998 following an investigation into small business fraud on the island.

The irony of that situation was that the Guernsey Police decided to create their own version of the unit when they saw how efficiently Greater Manchester Police was able to assist its officers in the investigation.

It's worth noting that the Guernsey CCU only has three police officers and one civilian in the division, all of whom have their own day-to-day duties in Guernsey, but are assigned to the unit on specific assignments as and when the need arises.

Despite their part-time assignments, each member of the Guernsey unit has undergone forensic computer training in the UK and the US, and also goes on regular courses designed to keep them abreast of the latest advances on both sides of the IT security fence.

The Guernsey unit can also call upon the services of the Serious Organised Crime Agency (http://www.soca.gov.uk) in the UK and on occasion can employ the services of specialist companies.

Back in the UK, however, the PCeU is working to raise its profile.

Is this necessary? Yes, comes the simple answer, mainly for the reason that few people have heard of the new police unit and it deserves the support of the infosecurity industry.

It's actually quite difficult to see a difference between the PCeU and the excellent National Hi-Tech Crime Unit (NHTCU), which was subsumed into the Serious Organised Crime Agency way back in 2006. Apart from, sad to say, its funding.

Unconfirmed reports suggest that the PCeU is only being given seven million pounds over a three year period, whilst the old NHTCU operation was funded by around 20 million pounds in its first year of operation.

The good news is that, as part of the raising of its profile, Detective Superintendent Charlie McMurdie of the PCeU will be discussing the need to police the Internet in an event taking place on day one of the Infosecurity Europe show (April 28th – 30th) http://infosec.co.uk.

The aim of the session is to look at the current matrix in the UK that supports the detection, prevention, pursuit and prosecution of international electronic crime, as well as discuss the potential role of the world's electronic police (if that is the right word) for the co-ordination of both information sharing and prosecution.

Detective Superintendent McMurdie's presentation on the role of her new department is sure to be packed out; for more information see http://www.infosec.co.uk/page.cfm/action=Seminars/SeminarID=4

12-02-2009 15:38

ICANN - or ICANT? We, the industry, must decide on how best to tackle cybercrime...

There is a groundswell of opinion that ICANN, the Internet Corporation for Assigned Names and Numbers, should be assuming a central role in the ongoing battle against cybercrime.

 

ICANN, of course, is a relative youngster in Internet terms, having been set up back in 1998 to oversee a number of Internet issues previously handled by IANA, the Internet Assigned Numbers Authority.

 

The problem facing ICANN on the cybercrime front is that, whilst the aims of the pro-ICANN supporters in the battle against electronic crime are laudable, there is a distinct lack of financial and political will in this regard.

 

The financial aspects could, of course, be countered by further funding from Uncle Sam, which already contributes in several ways to the not-for-profit institution.

 

The political will is another, entirely different ballgame, however, as ICANN was set up as an overseeing authority that, amongst other things, has the remit to develop policies to ensure the smooth(er) running of the Internet.

 

If ICANN starts to become the police on the Internet, and, in doing so, the judge and jury too, then the role of the Corporation starts to take on a distinctly political hue and, in doing so, runs the risk that the highly altruistic approach that the Internet industry takes when dealing with, and on behalf of, the organisation, will start to slip.

 

There is considerable scope for the creation of a third-party organisation whose role could be to work with ICANN and other bodies in helping to police the Internet and liaise with the relevant agencies to ensure the law as it relates to cybercrime is both fair and fairly applied and/or enforced. However, a global internet police force is going to be practically impossible to run. It's not been achieved in the non-internet world, apart from limited cooperation with Interpol. And agreement on what actually is crime varies according to country, even at a high level - think about the US ban on overseas internet gambling companies. And when it comes to sensitive child sexual issues, the variation in the age of consent just shows there is no global agreement.

 

That's why I'm suggesting a practical way forward is by implementation on a national or commercial level. ISPs could have a voluntary agreement to filter access to known criminal sites. A similar service could be offered commercially - in fact current web filtering services do this already to some degree, but any such "opt in" system would not be as effective for the country as a whole as a system that protected the majority of the internet population by default. So a national ISP based solution would help more people right away, and really might help to block a lot of criminal financial losses. ISPs would gain from consumer confidence (if marketed correctly), lower bandwidth by removing botnets, less risk of being blacklisted for spam.

 

UK ISPs currently run the CleanFeed system to block direct access to potentially illegal images, so a precedent for blocking has already been set. But rather than try to enforce an absolute block on access as CleanFeed does, it would be simpler, both legally and technically, to redirect any attempted accesses to a web page with a warning. ISPs can configure their standard DNS nameservers to return a different address when a criminal site name is requested. This would block normal access, but anyone who deliberately wished to visit criminal sites could do so through different name servers, manually configured. Redirecting DNS requests like this does not require the expense of extra infrastructure such as the filtering web proxy servers that CleanFeed needs.

 

Having a way of bypassing such blocks would help defuse any possible criticism of censorship, especially since it is rarely illegal to access criminal sites, just unwise. So this would look very similar to the warnings given by search engines of potentially harmful sites. By applying a DNS block, fast-flux botnets and similar malware would also be stopped, which can't be done by a search engine warning. If such blocks were done by the major ISPs, it could largely abolish such botnets from the UK. The Police Central e-crime Unit might also find such a service useful, to rapidly restrict access to overseas criminal or illegal sites, while the due process of site take-downs took place at a slower pace.
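As an added illustration of the DNS redirect proposed above (this is not code from the post or from any ISP's resolver): a minimal policy layer that answers A queries for listed names, and their subdomains, with the address of a warning page and hands every other query to the upstream resolver untouched. The blocklist, the domain names and the warning-page address (192.0.2.10, from a documentation range) are all constructed.

```python
"""Model of an ISP-side DNS redirect for listed criminal site names.

For an A/IN query whose name is on the blocklist (or under a listed name),
build a response that points at the warning page. Any other query returns
None, meaning "resolve normally via the upstream resolver". Only the A/IN
path is modelled; constructed example, not a production resolver.
"""
import struct

# Constructed blocklist and warning-page address (192.0.2.0/24 is TEST-NET-1).
BLOCKLIST = {"criminal-site.example", "fastflux.example"}
WARNING_PAGE_IP = "192.0.2.10"
QTYPE_A, QCLASS_IN = 1, 1


def parse_question(packet: bytes):
    """Return (txid, qname, qtype, qclass, flags, raw question) from a query."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12                      # question starts after the 12-byte header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a query name")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass, flags, packet[12:pos + 4]


def is_blocked(qname: str) -> bool:
    """True if qname or any parent domain of it is listed (subdomain match)."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))


def redirect_response(packet: bytes):
    """Response packet pointing at the warning page, or None to forward upstream."""
    txid, qname, qtype, qclass, flags, question = parse_question(packet)
    if qtype != QTYPE_A or qclass != QCLASS_IN or not is_blocked(qname):
        return None
    rd = flags & 0x0100                       # echo the client's RD bit
    # QR=1, RA=1, one question, one answer, no authority/additional records
    header = struct.pack("!HHHHHH", txid, 0x8000 | rd | 0x0080, 1, 1, 0, 0)
    # Answer: name pointer to offset 12, type A, class IN, 60 s TTL, 4-byte rdata
    rdata = bytes(int(octet) for octet in WARNING_PAGE_IP.split("."))
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 60, 4) + rdata
    return header + question + answer


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal recursive A/IN query for name (used for the demonstration)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def answered_address(response: bytes) -> str:
    """Dotted-quad from the single A answer at the end of a redirect response."""
    return ".".join(str(b) for b in response[-4:])


if __name__ == "__main__":
    for name in ("www.criminal-site.example", "news.example"):
        resp = redirect_response(build_query(name))
        print(name, "->", answered_address(resp) if resp else "upstream")
```

Production resolvers offer the same behaviour through features such as BIND's response policy zones; as the post notes, a client that is pointed at other name servers bypasses the redirect entirely.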

 

The harder task is to precisely define the remit and policies of the organisation that decides what should be blocked. The risks of over-enthusiastic filtering, errors, and effective corrective feedback all need considering, if this filtering is going to be accepted. I believe there's enough obviously criminal stuff out there to be worth blocking, that it's going to be effective to go after that alone, rather than try to tackle all the greyer areas such as legitimate sites which also host malware. And this approach runs much lower risk of legal challenges to the blocks by organisations claiming to be mis-categorised.

 

If proven to work, there may well be pressure for international coordination, leading to the formation of another body. Such an organisation could be created by adding on to an existing group within the Internet governing hierarchy, which would be a fairly rapid expedient, but the best solution would be to create a wholly new association, drawing on the best of the rest, and creating a non-affiliated committee to ensure best practices on a global scale.

 

To vote on what you think is the most appropriate solution to tackling cyber crime click here http://www.infosec.co.uk/page.cfm/Action=Poll/pollID=157/nocache=true

27-02-2009 18:15

US Social Security number breach should not have happened

A data breach which resulted in the Social Security numbers of more than 1,000 employees of a Pennsylvanian government agency being compromised should simply not have happened.

 

The incident with the Office of Physical Plant is a classic example of what can happen if an Internet-facing organisation does not use URL checking and blocking technology, as this incident seems to stem from a malware-infected or phishing email.

 

Details of the exact cause of the data leak have yet to emerge, but had the government agency employed URL filtering and blocking technology, then any attempt to relay the data to an external Internet site or server would almost certainly have been stopped in its tracks.

 

Current URL checking and filtering technology goes way beyond stopping employees surfing to inappropriate, illegal or known infected Web pages, since it can also stop a phishing email recipient 'clicking through' to a known compromised Web page or Internet-connected server.

 

The Internet has become extremely large and policing the entire Web is much more than a full-time job. Stopping phishing or infected emails causing a data leak like the Penn State Office of Physical Plant incident is just one feature of a competent Internet security gateway.

 

Any organisation that does not use an Internet security gateway runs the risk of the severe embarrassment of having to publicly admit its IT defences have let it down, and that's before we get into the possible legal wrangles that can ensue from incidents of this type.

 

For more on the Penn State OPP data leak: http://tinyurl.com/d2nmty

 

20-03-2009 16:09

Aussie Research Proves Need for a Fair Balance on Work Internet Access

Research from the University of Melbourne (http://preview.tinyurl.com/dxgmug) - which says that workers who are allowed access to leisure Internet sites such as Facebook and YouTube are more productive overall - has just been released.

 

Ostensibly, the research proves the old adage, "all work and no play makes Jack a dull boy," but it also pre-supposes a degree of fair play on both sides of the employer/employee divide.

 

In a small/family-run firm, this approach is the norm, but in mid-sized and major companies, policing this approach is almost impossible without access to Web access security technology.

 

The good news is that the technology that can control access to inappropriate Web sites has reached the stage where granular controls, such as timed or time-based access to leisure Internet sites such as eBay and the like, can be policed and management alerted when a member of staff starts to overstep the mark.

 

But how should the mark be set?

 

If the mark is tightly defined, some staff will always overdo things. And if the mark is loosely defined, there is little point in having a leisure time access policy.

 

And there is also the risk that creating a defined access policy may erode an element of goodwill that a company has with its employees.

 

Why not go the whole hog and install a time clock in the staff room? See how far that gets you on the employer/employee relations front.

 

According to Dr Brent Coker, a Professor with the University of Melbourne's Department of Management and Marketing, employees who surf the Net within a limit of 20 per cent of their total work time tend to be an average of nine per cent more productive than those who do not.

 

But do companies really need that extra nine per cent productivity if it comes at the risk of some employees - as usually happens in a large company - overstepping the mark and management having to employ disciplinary procedures, with all the ill will that such processes engender for all concerned?

 

Good management - down to a local office manager level - should obviate the need for such rigorous controls.

 

Even in a call centre environment, where the norm is for supervisors to actively work with staff on any problems that arise, a good supervisor will spot an errant employee at risk of taking advantage of company Internet access and move into counselling mode.

 

Good IT security technology can also perform a degree of employee mentoring - even though this should not, strictly speaking, be necessary - by flagging up on a user's screen that continuing to access a site may not be in the best interests of their firm, which can reinforce behaviour in line with the company's Internet usage policy.

 

There's also the interesting point that most mid-range and above mobile phones these days support Facebook and MySpace access, so whether the employee uses their desktop PC to access the service is largely irrelevant.

 

Being a good employer means mentoring and counselling staff under and around you. It's not at all about a Dickensian employer barking out orders from his/her desk.

 

Furthermore, the feast-or-famine nature of modern business means that, at quiet times, staff can surf the Net, read the paper or even - heaven forbid - socialise with each other.

 

If they do the latter, then there is every chance that they will be happy employees and, as a result, be more productive.

 

Which probably explains a lot more about the rationale of the University study than any more analysis.

Do you think it is a good idea to allow controlled personal web access for employees? Click this link to vote in our poll http://www.infosec.co.uk/page.cfm/Action=Poll/pollID=165/nocache=true

Or add a comment below

06-04-2009 13:56

Organised e-crime on the increase - but what are the solutions?

Research from Verizon Business (http://preview.tinyurl.com/chchms), which claims to show that organised crime is responsible for a large increase in the number of breached corporate electronic records – and which totalled roughly 285 million last year - does not come as a surprise.

 

If you look back at recent hacking and cracking history, by the end of the 1990s, most experts had concluded that the altruistic element of the hacker community - which has now become the white hat side of the industry - was being subverted by a new criminal community.

 

And by 2005, the word hacker was further tarnished by a steady stream of reports about commercial Web sites being hacked to generate profit at seemingly any cost to the reputation of the companies concerned.

 

The Verizon Business report - which was compiled using data from the 90 confirmed corporate network breaches the company recorded last year - showed that around 93 per cent of all records breached came from the financial sector.

 

The report also notes that nine out of every 10 of these breaches involved "groups identified by law enforcement as engaged in organised crime."

 

This is perhaps why the report comes up with the staggering fact that the 285 million electronic records breached last year were more than the total number of records breached in the prior four years combined.

 

Delving into the study makes for some interesting reading, as the financial sector experienced the largest rise in cyber attacks, doubling its share of attacks to 30 per cent as hackers clearly started looking for potential identity theft data.

 

It's also interesting to note that the retail sector was still the one most targeted by hackers, accounting for one-third of the total number of cyber attacks, says the report.

 

Verizon says that the financial sector held 93 per cent of the 285 million individual records, such as account personal identification numbers, that were compromised in 2008.

 

According to the company, hackers who sell these records on the black market are increasingly focusing on larger institutions, which are often more difficult to hack but contain vast numbers of records.

 

It's also worth noting that, although sophisticated attacks represented just 17 per cent of data security break-ins last year, Verizon's report says that these "relatively few cases" were responsible for 95 per cent of the total breaches it investigated.

 

Verizon's conclusion makes a lot of sense: the bigger the company, the more machines it has to manage, and the higher the chance that it has forgotten to do something.

 

Bottom line? It's much easier to find holes rather than plug holes, says Verizon.

 

So what can companies do to protect their IT resources better?

 

Along with the usual recommendations that their security needs to be reviewed on a regular basis, it's clear that companies also need to implement processes to ensure their security policies are actually being followed.

 

That conclusion is fairly obvious from the comment at the tail end of the report, namely that almost 90 per cent of the electronic security breaches could have been prevented without complex or costly controls, if basic security practices had been followed.

22-04-2009 18:43

Holding back the spam flood is not going to be easy

Spam has been, and continues to be, a major problem for companies, and there are several vendors at the Infosecurity Europe show offering a variety of solutions to the issue.

 

But according to Richard Cox, CTO with Spamhaus, the not-for-profit anti-spam organisation, whilst ISPs are doing their bit and shutting down spammers' Internet accounts wherever possible, the spammers have discovered mobile communications.

 

Speaking with us at the Infosecurity Europe show, Cox explained that, with pre-pay - and untraceable - GSM (2G) and 3G SIMs being available for a modest fee, spammers have realised they can saturate a mobile data connection for a few days, and generate several hundred thousand spammed emails in the process.

And since spammers can generate significant amounts of revenue from spam - both directly and indirectly - from their unwanted messages, the cost of using pre-pay SIMs for a few days at a time is quite modest.

Perhaps worse, says Cox, the mobile broadband operators in the UK and many other countries do not have the resources to identify spam-generating SIM cards in a timely manner, meaning a pre-pay SIM can 'last' for some time before its spamming exploits are spotted.

And it's not just 3G that is affected by the mobile spam revolution - in Nigeria, for example, spammers are quite happy to use a GSM/GPRS connection to move their messages. Since Nigeria is a hotbed of financially fraudulent spam, the profit potential from mobile-originated spam is immense.

 

The problem is a big one, and getting bigger all the time says Spamhaus. And, says Cox, the cellcos are not sufficiently expert in the problem to solve it in the way that fixed line ISPs can.

Next time you receive a batch of spam, don't blame your ISP, as the problem may not be as solvable as you might think.

29-04-2009 22:21

No easy fix for flaw in secure (https) Web communications

At this year's Infosecurity Europe the information security business remains buoyant and, the good news is, the business appears to be relatively immune to the ongoing economic woes that affect the rest of the IT industry.

There are also some very interesting stories coming out of the show, not least from Peter Wood, a member of the ISACA Conference Committee.

Peter, who is chief of operations with First Base Technologies, revealed to assembled analysts and reporters that he and his colleagues have discovered a flaw in secure (https) Web communications.

 

The problem centres on the secure flag that is set on cookies. If, as is often the case, the secure cookie flag is not set, then it offers a back door into a Web session that a user has open on his/her PC.

 

The security flaw stems from the fact that many Web sites switch from secure to standard http sessions - and back again - several times in a typical Web session in order to save on traffic.

 

The worrying part about the flaw, as Wood and his team cheerfully admit, is that it is a structural issue on the Internet and, as such, there is no ready solution.

 

In order to solve the problem, Web site operators will have to enhance their IP real estate to support multiple https Internet sessions for multiple site users, and maintain the security of those sessions, with all the attendant data overheads, for their site users.

 

And given that this can increase a site's data and IT resource usage by several hundred per cent, this is not a security issue that will be solved overnight.
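The flaw described above comes down to cookies issued without the Secure attribute, which a browser will also send on the plain http requests a site makes when it drops out of https mid-session. The following is an added example, not code from the post or from First Base Technologies: it audits a constructed set of response headers for cookies missing Secure (and, going one step beyond the post, HttpOnly) and shows the hardened header. The header sample, cookie names and values are all constructed.

```python
"""Audit Set-Cookie headers for the Secure (and HttpOnly) attributes.

Without Secure, a cookie is transmitted on http as well as https requests,
so a site that alternates between the two exposes the session identifier
on the wire. Constructed example for checking a site's own responses.
"""
import re

# Constructed sample: the headers a site mixing http and https might send.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=9a8b7c6d5e4f; Path=/
Set-Cookie: prefs=lang%3Den; Path=/; Max-Age=2592000
Set-Cookie: csrftoken=0f1e2d3c; Path=/; Secure; HttpOnly
"""

# Cookie names that usually carry a session or credential (heuristic only).
SESSION_NAME_HINT = re.compile(r"(sess|sid|auth|token|login)", re.IGNORECASE)

# Canonical spelling for attributes when a header is rebuilt.
CANONICAL = {"path": "Path", "max-age": "Max-Age", "domain": "Domain",
             "expires": "Expires", "secure": "Secure", "httponly": "HttpOnly",
             "samesite": "SameSite"}


def parse_set_cookie(header_value: str):
    """Split one Set-Cookie value into (name, value, {attribute: value|True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookies(raw_headers: str):
    """Return findings for every cookie missing Secure and/or HttpOnly."""
    findings = []
    for line in raw_headers.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        name, _, attrs = parse_set_cookie(line.split(":", 1)[1])
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if missing:
            findings.append({
                "cookie": name,
                "missing": missing,
                # A session-like cookie without Secure is the case the post warns about.
                "session_like": bool(SESSION_NAME_HINT.search(name)),
            })
    return findings


def harden_set_cookie(header_value: str) -> str:
    """Rebuild a Set-Cookie value with Secure and HttpOnly present."""
    name, value, attrs = parse_set_cookie(header_value)
    attrs.setdefault("secure", True)
    attrs.setdefault("httponly", True)
    out = [f"{name}={value}"]
    for key, val in attrs.items():
        label = CANONICAL.get(key, key)
        out.append(label if val is True else f"{label}={val}")
    return "; ".join(out)


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
    print(harden_set_cookie("JSESSIONID=9a8b7c6d5e4f; Path=/"))
```

Setting Secure on the session cookie stops the browser sending it over the http legs of a mixed session; it does not by itself address the author's broader point that the site still drops out of https.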

29-04-2009 22:23

Criminal spam potential after Chinese offer bullet-proof hosting services

Organisations should be on their guard against a potentially significant rise in criminal spam, after Chinese spammers started offering 'bullet-proof' spam servers to buy for just 700 US dollars.

With spam server rates as low as this, there is a significant risk that Western criminals will start using these servers to generate large volumes of spam. The problem is that the regulation of China's Internet services is some way behind that of the West.

Because of this, the task of shutting down these Chinese spam servers - as the 'bulletproof' name implies - is much more difficult, meaning their spam continues to flow for much longer than normal.

The Chinese spam server problem is made worse by the fact that criminals can register multiple domain names and host them on their systems, switching between domains at will.

This makes the task of spotting spam at the ISP level much more difficult. And company anti-spam systems have an equally difficult job.

Against this backdrop, the chances of criminal spam from Chinese servers reaching company desktops are greatly increased, and so the risk from a cybercrime perspective also rises.

Any company using in-house anti-spam technology needs to be aware of this potential problem and monitor the volume of email coming from Chinese domains. There may even be an argument to double-check all email originating from Chinese domains.

There is a risk, of course, that genuine messages from China may get filtered out in the process of spam analysis, so companies trading with the Asian region may also want to consider ramping up their other security defences as a precaution.
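As an added example, not code from the original post, this script applies the monitoring suggested above to a constructed inbound-mail log: it flags connecting hosts that present several different sender domains (the domain-switching the post describes) and compares the share of mail from .cn domains against a baseline. The log format, the IP addresses and the baseline share are all assumptions.

```python
"""Spot rotating sender domains behind one connecting host in an inbound-mail log.

Added example, not code from the original post. The log format, every line in
SAMPLE_LOG and the baseline share are constructed; the IP addresses come from
the documentation ranges.
"""
import re
from collections import defaultdict
from typing import NamedTuple

# Constructed line format: ISO timestamp, connecting client IP, envelope sender domain.
LINE_RE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


class Record(NamedTuple):
    timestamp: str
    client_ip: str
    sender_domain: str


def parse_log(text: str) -> list:
    """Parse the constructed log; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            records.append(Record(*match.groups()))
    return records


def domains_by_client(records) -> dict:
    """Map each connecting IP to the set of sender domains it presented."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec.client_ip].add(rec.sender_domain.lower())
    return dict(seen)


def rotating_hosts(records, min_domains: int = 3) -> dict:
    """Hosts that switch between several sender domains.

    One IP presenting many unrelated domains is the domain-switching pattern and
    is a stronger signal than the country of the domain on its own."""
    return {ip: sorted(doms) for ip, doms in domains_by_client(records).items()
            if len(doms) >= min_domains}


def tld_share(records, tld: str = ".cn") -> float:
    """Fraction of inbound messages whose sender domain ends with the TLD."""
    if not records:
        return 0.0
    hits = sum(1 for rec in records if rec.sender_domain.lower().endswith(tld))
    return hits / len(records)


def volume_alert(records, baseline_share: float, factor: float = 2.0,
                 tld: str = ".cn") -> bool:
    """True when the TLD's share of inbound mail exceeds factor times its baseline.

    Genuine partners in the region still appear in the log (198.51.100.20 below),
    so this is a prompt to look closer, not a block decision."""
    return tld_share(records, tld) > baseline_share * factor


# Constructed sample log; none of these hosts or domains are real senders.
SAMPLE_LOG = """\
2009-05-19T08:00:01 203.0.113.7 deals-aaa.example.cn
2009-05-19T08:00:03 203.0.113.7 cheap-bbb.example.cn
2009-05-19T08:00:05 203.0.113.7 promo-ccc.example.cn
2009-05-19T08:00:09 203.0.113.7 offer-ddd.example.cn
2009-05-19T08:01:10 198.51.100.20 partner.example.cn
2009-05-19T08:01:12 198.51.100.20 partner.example.cn
2009-05-19T08:02:00 192.0.2.33 supplier.example.co.uk
2009-05-19T08:02:30 192.0.2.34 customer.example.com
2009-05-19T08:03:00 192.0.2.35 bank.example.com
2009-05-19T08:03:20 192.0.2.36 news.example.org
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("rotating hosts:", rotating_hosts(recs))
    print(f".cn share: {tld_share(recs):.2f}")
    print("volume alert:", volume_alert(recs, baseline_share=0.1))
```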

 

19-05-2009 16:04

BSI survey is a call to arms for the ICO

A survey carried out by the BSI - in preparation for the launch of BS10012 (http://tinyurl.com/p4oysq), a data protection specification for a personal information management system - which shows that almost one in five UK businesses has breached the Data Protection Act at least once, is a revelation to anyone thinking that UK firms are staying on the right side of the data protection law.

The new British Standard has been developed to establish best practice and aid compliance with data protection legislation, which is a laudable plan, but the results of the survey - which took in responses from more than 500 SMEs - are quite astonishing if you extrapolate them to the UK's 4.7 million small and mid-sized businesses (Source: BERR).

Granted, this is the first standard for the management of personal information, but what does it say when 835,000 of the UK's SMEs cheerfully admit they've broken the Data Protection Act?

And how many of the remaining 3.865 million SMEs have also broken the Act, but are blissfully unaware of its provisions?

Delving into the research (http://tinyurl.com/m2dybr) reveals that almost half of those admitting guilt said they had breached the Act on several occasions.

It also says a lot that an additional 18 per cent of the survey respondents said they were not sure whether they had or not.

According to the BSI, its survey provides a snapshot of how UK businesses manage the personal information they hold on staff and customers, including sensitive data such as racial or ethnic origin, trade union membership and criminal proceedings.

Put simply, this means a lot of employee and customer, as well as client, data is being held on computer. And a lot of data is leaking out - in clear breach of the Act.

The reason for the breaches is quite simple when you analyse the figures, as around 65 per cent of firms polled admitted they provided no data protection training for their staff.

Nearly half of those surveyed also admitted that there is no-one in their business with specific responsibility for data protection.

And 18 per cent of the SMEs surveyed said that data protection is less of a priority in the current economic climate.

So what is the solution?

Alongside implementing the new British Standard, the Information Commissioner's Office should start to take action against these breaches of the Data Protection Act.

And with 835,000 law-breaking companies to go at, it shouldn't be difficult to track the miscreant companies down.

03-06-2009 13:43

Hoax death of Jeff Goldblum shows reputational dangers

 

Reports that actor Jeff Goldblum had died on set whilst filming in New Zealand late last week show the power of an orchestrated hoax and how it can trigger a serious rash of searches, but what if the hoax were perpetrated against the CEO of a major company?

According to news reports in Australia and New Zealand, news of the popular lanky actor's death - when he allegedly fell 60 feet down the Kauri Cliffs whilst filming in New Zealand - spread like wildfire on the Southern Hemisphere's newswires, even making it on to the mainstream TV news down under.

Fortunately for fans of Goldblum - who has appeared in several movies, including all three Jurassic Park films, Independence Day and Will & Grace - soon after Channel Nine's Today show aired the `news,' the US newswires started investigating and the hoax was revealed.

For a short while, Goldblum's death reportedly made it to the top five most popular searches on the Google Trends' service, although this was almost certainly because the searches took place whilst North American and European Internet users were either snoozing or watching late-night TV in their time zones.

Unconfirmed reports suggest that the hoax news emanated from the FakeAWish.com web portal, although the hoaxers appear to have spent some time in creating the `news background' to the story.

But what would happen if the news was that the CEO of a well-known company had popped his clogs? What then?

The effect on the company's stock would definitely be negative, even if only on a temporary basis. And in the meantime, stock scavengers could move in and make a killing when the price of stock rebounded.

Proving that the stock scavengers who made a killing on the false news of the company's CEO's death (no pun intended) were responsible for the hoax news item would be almost impossible.

But short and long-selling of stocks goes on all the time.

The Goldblum hoax appears to have reached the heights it did as the Internet world and his wife was preoccupied with the death of one Michael Jackson.

As a hoax, however, it is right up there in terms of its success.

But could it have been a dry run for something more sinister? We shall probably never know...

http://www.sbs.com.au/news/article/1033981/Goldblum-dead-in-online-hoax

 

29-06-2009 10:51

How valuable is Twitter to your organisation?

Hmmm - does that have you thinking?

 

Let me put it another way - how do you think Twitter could prove useful to the efficiency of your organisation?

 

That's better.

 

Twitter is, whether we like it or not, an essential part of the communications infrastructure and, as a result, it is down to the CIO/CISO to develop a security strategy to counter any potential problems its usage creates on the company's computer resource.

 

Unfortunately for many companies, Twitter is a banned service, which is a great shame, given its powerful ability to cut across social and business boundaries and open up new channels of communication.

 

This fact was brought home to me recently when I read about the Boston (US) Police Department's usage of Twitter for tracking down bike thieves.

 

According to a report on Mashable, the social media newswire and guide (http://preview.tinyurl.com/m97p3n), the police in Boston - who are renowned for their open attitude to new technologies - are using the social networking service to help them track down bike thieves.

 

Okay, this isn't going to change the world, but in terms of returning bikes to their correct owners and reducing the level of bike crime in the Boston area, it's a major step.

 

Any poor unfortunate that has their bike stolen registers and punches in their details on the Stolenbikesboston.com web site and the portal then automatically relays that data to the local police.

 

From there the police use an automated posting system to Twitter and Facebook that alerts all relevant police staff, bike shops and local security companies, to the fact that a given bike - complete with description and serial number - is on the stolen list.

 

The important thing to realise here is that Twitter is a lot more immediate than good old email. It gets the message across, quickly and reliably. And automatically.

 

This isn't rocket science, as back in the 1970s and 1980s, police at shopping centres across the UK used to use radiopagers (remember them?) to transmit instant messages to groups of shopkeepers if a team of shop-lifters was in the area.

 

Sadly, radiopagers have given way to mobile phones, and text messages can often be spooled by the cellular network. The technology has advanced, it seems, but its immediacy has not.

 

Back in Boston, meanwhile, the scheme is reported to be a success.

As such, say police speaking to the Boston Herald - from where the report originates - the programme is being viewed as a possible showcase and peer model for other forces across the US.

 

From an IT manager's perspective, the use of Twitter by the Boston Police Department is fascinating as, whilst the Herald does not say as much, it's pretty obvious that the police operate a pretty tight ship on the IT security front.

 

If they didn't, we'd soon hear about it.

 

Put simply - it's proof that you can implement a Twitter system on a highly secure IT resource without compromising the security of the underlying computer network concerned.

 

And you can also employ Twitter for tangible benefits that arise from its immediacy.

22-07-2009 12:48

Are they really dumber than a box of rocks about spam?

Very interesting to see ZDNet's Sam Diaz commenting in his blog (http://blogs.zdnet.com/BTL/?p=21346) that, whilst Americans are quick when it comes to pointing the fickle finger of blame at China, Eastern Europe and Russia for generating spam, they may also be responsible for consuming the unwanted messages.

 

Diaz doesn't say so directly, but the intimation is that Americans are clicking through and consuming goods plus services that are promoted via spam.

 

And this is quite understandable given the fact that the US is one of the largest and richest economies in the world, not to mention one of the most IT-savvy.

 

Or are they IT-savvy?

 

The report referred to in Diaz' blog comes from Sophos, which says that - during the second quarter of this year - the US relayed more spam than any other country.

 

Not only do Americans consume the goods and services promoted by the spam, but their servers also relay the data.

 

This actually isn't as crazy as it sounds, as if you look at an Internet bandwidth map of the world (http://preview.tinyurl.com/lgh29o) from Akamai - which handles 20 per cent of the globe's Internet traffic - you can see that, although Asia is fastest with an average access speed of 4.6 Mbps, only 45 per cent of the population there has access to the Net via broadband.

 

Compare that to the US, where, although average access speed drops to around 3.9 Mbps, 61 per cent of the population has access to the Net via broadband.

 

If you delve into these figures, you start to realise that the US has a very high number of Internet peering points, largely because of the high volumes of Internet hosts it has connected to the Net.

 

And since each Internet host can be an email generator, therein lies the problem of relayed spam.

 

The same thing has happened with telephony. The US has a high percentage of the world's phone lines and, as a result, has a high incidence of junk recorded telephone calls.

 

Small wonder, then, that the US relays spam better than Italians produce spaghetti or Germans produce beer. Well, you get the picture.

 

But can you BLAME the United States for relaying all this spam?

 

Actually no, because the telecommunications market in the US is one of the most liberated in the world. As a result, competition has driven down the cost of telephone circuits and data pipes.

 

There's an awful lot of so-called dark fibre (http://preview.tinyurl.com/nzfxm) in the US, so it comes as no surprise that Internet bandwidth - the lifeblood of spam - is about as cheap as it gets there.

 

And with all those lovely Internet peering points to carry bulk messages, spam is the natural result.

 

But is America being stupid over spam?

 

No, it's called the free market...

 

01-08-2009 23:11

The Gary McKinnon Case Under The Microscope

Whilst it's obviously a great shame that Gary McKinnon has failed at what appears to be the final hurdle in his appeal against extradition to the US on self-confessed crimes of hacking, there are apparently wheels within wheels whirring away in the background. The wheels of bureaucracy have, in fact, been whirring for some time and, in many ways, Gary is just a pawn in a political and legal game between the UK and the US. Note the order I said that in.

The original game plan, if the legal profession's whispers are to be believed, was for the Crown Prosecution Service to revisit its original tacit approval of the US government's extradition request under the terms of the UK/US extradition treaty. However, as Alan Johnson, the current Home Secretary, said when writing in the Sunday Times (http://tinyurl.com/ngbed8) a few days after Gary's latest appeal through the courts: "It would be unlawful for the home secretary to intervene."

Prior to the High Court appeal, it was thought - privately - that the CPS would take `one for the team' by declaring its original assessment of the extradition request invalid, on the grounds that it failed to take all relevant conditions into account. These include, of course, Gary McKinnon's widely-reported medical condition, as well as the general lop-sidedness of the UK/US extradition treaty, which appears to be biased in favour of the US.

But - and it's a big but - the acid test of the case is that the extradition request would have been just as valid under the old - and more balanced - extradition treaty, simply because the criminal acts that Mr McKinnon precipitated were so widespread and spanned so long.

 So what will probably happen now?

The general consensus amongst legal professionals is that Mr McKinnon will be extradited to the US in a timely manner and that he will stand trial in an expedient time frame. The US authorities are reported to be well aware of the high profile - and strong sentiment - that attaches to the case and, against this backdrop, are likely to request his legal team to reach a plea bargain agreement with the relevant US legal bodies. This will - we understand - involve a much more lenient custodial sentence being handed down to the defendant than the recent media frenzy has suggested. And the US authorities will then hand Gary McKinnon back to the UK to serve out his sentence - in an open prison, hopefully - and his rehabilitation will be seen to be complete.

At the same time as Gary is settling down in his open prison, it's almost certain that the UK Home Office will then present a solid case to the US government of the need for a new extradition treaty, on the grounds that the current treaty is so lopsided. And the McKinnon case will be cited as a clear example of this bias.

This is what I meant when I mentioned `wheels within wheels' and the issue that Gary McKinnon is a pawn in a much bigger game. But that, as they say, is what politics between nations are all about. It's just a terrible shame that a guy like Gary is caught up in what must be a horrible experience for him.

This is the same government, you'll remember, that recently released Ronnie Biggs from prison, again, apparently against the people's wishes. But that, as they say, is another matter entirely.

Give us your opinion on this issue by adding a comment to my blog.

13-08-2009 09:10

Is Opera the safest browser to use for surfing?

It was extremely revealing to read that Purewire - the Atlanta, Georgia-based IT security research firm - calculates (http://www.h-online.com/security/Baddies-prefer-Firefox-and-Opera--/news/114059) that, even though Opera, the web browser software, has between two and three per cent of the browser marketplace in user terms, around 26 per cent of hackers are using the software.

 

According to Paul Royal, a principal security researcher with the company, because of its low market share, few hackers bother to release exploit code for the browser.

 

But, of course, they use the browser for their day-to-day surfing and checking out all the darkware forums.

 

Purewire didn't just pluck this percentage out of the air - it obtained this insightful data by infiltrating hackers' systems using a bug in the analytics software included with a pair of hacker toolkits.

 

By forging the `referer' field and placing a little JavaScript into the toolkits, the firm was able to detect the browsers that the hackers were using via their IP addresses.

 

Out of 51 exploit kit-using hackers, Purewire's tactic successfully identified the IP addresses of 15 hackers, as well as the browsers they ran.

 

The majority of multi-strike attack kits, including LuckySploit, serve up a `lucky bag' of exploits, including code that leverages vulnerabilities in Internet Explorer, in ActiveX controls that the Microsoft browser uses, and in Adobe's Flash Player plus Reader.

 

Interestingly, of the 15 hackers that Purewire identified, only two - both with IP addresses traced to Latvia - apparently resided in the same country that also hosted the system containing their attack kit.

 

Most had at least one country between where they lived and where their malware-serving server(s) was located.

 

This tells us a lot about hackers and their day-to-day surfing modus operandi. It also tells us that Opera may be the way to go for secure surfing, simply because it has so few exploits in the wild.

 

There is no such thing as a safe surfing environment, but Opera may offer general users of the Internet a relatively safe haven to complete their day-to-day Web surfing.

 

Until, of course, Opera reaches critical mass and the hackers start to turn their attention to the Scandinavian Web browser.

24-08-2009 17:54

Hackers may be taking a break - but no real rest for the rest of us

News that hackers are taking a break during the kids' holidays this summer (http://tinyurl.com/mrp5k8) proves something that many IT security experts - and industry onlookers too - often overlook, namely that hackers are people too.

 

Whilst the glamour of movies like the Matrix has recluses like Neo hacking away at his PC - albeit in a virtual world for real, if you see what I mean - the reality is that most hackers have to earn a living like the rest of us.

 

The net result of this reality incursion into the hacker space is that Tufin Technologies advises us that we can enjoy our summer breaks more, as hackers are much less likely to try to crack into the office or home working computer system than at any other time of the year.

 

This is no idle claim either, as Tufin quietly undertook the research to back up its claim at the Defcon17 IT security event in Las Vegas recently.

 

81 per cent of the hackers surveyed said they are much more active during the Winter than the Summer, although geekdom revealed itself in the study as 56 per cent said they would be hacking away during the coming Christmas period.

 

And 25 per cent of the uber-hackers at Defcon17 said they would also be indulging (if that's the right word) in a little corporate hacking on New Year's Eve, rather than downing the eggnog like the rest of the real interactive world.

 

Whilst this is bad news for IT managers who will have to maintain their security vigilance over the Christmas and New Year holidays, it does mean they can enjoy their summer holidays along with the rest of us.

 

But complacency should never be lurking in an IT manager's mind, as reports from Defcon17 suggest that those cuddly hackers have been hard at work developing automated on-network hacking applications.

 

This isn't science fiction, as the US Department of Energy has been working on its own on-network security applications for the last year or so.

 

Known as UNTAMEs - short for Ubiquitous Network Transient Autonomous Mission Entities - (http://tinyurl.com/c5ly94) these beasties are patrolling the US energy grids looking for signs of any hacker activity, no matter how mundane.

 

In the event that they encounter a hacker incursion, or perhaps worse, an automated dark-hat version of themselves, the UNTAMEs can communicate with each other to co-ordinate their attack-based defence strategy.

 

This may sound like science fiction and something out of Star Trek, but with hospitals now using badge-to-badge communication technology (http://tinyurl.com/nykdms), almost anything, it seems, is possible.

 

Except site-to-site beaming, although it's probable that a hacker, somewhere, is working on this technology as you are reading this.

 

Welcome to the world of technology. Enjoy your summer break.

29-08-2009 12:52

US computer fraud and abuse act has its wings clipped

An interesting ruling in the US under the "unauthorized access" provision of the Computer Fraud and Abuse Act (CFAA) - similar to the Computer Misuse Act on this side of the Atlantic - caught my eye recently (http://tinyurl.com/lm5szh).

 

The section of the CFAA has ended up being quite an asset to those looking to prosecute people for all manner of actions involving computers, even though it was originally meant to target hackers.

 

But that situation could change in the US, as the Ninth Circuit Court of Appeals has ruled that the Act cannot be used to prosecute someone for being disloyal with company info after quitting.

 

The ruling comes after a company named LVRC Holdings filed a lawsuit against a former employee, Christopher Brekka, his wife, Carolyn Quain, and their independent consulting business.

 

LVRC had accused Mr Brekka of using company computers "without authorisation" in order to e-mail himself LVRC client files in order to use that information for his personal business after leaving the company's employment.

 

All good fodder for the business newspapers.

 

You might think, of course, that Mr Brekka had been using his - or someone else's - ID/password combo to gain unauthorised access to the company's network after he left.

 

But that wasn't the case, as Mr Brekka had e-mailed the documents to his home PC while he was still an employee at LVRC, using login information that the company IT manager had sent to him.

 

The documents he e-mailed included a financial statement for the company, LVRC's marketing budget, and admissions reports for hospital patients.

 

Unfortunately for Mr Brekka, he did this whilst he was in discussion to acquire part of LVRC. Perhaps worse, those talks then broke down and he left the company.

 

Wisely or unwisely, Mr Brekka went on to use the information to help with his own consulting business, which he runs with his wife.

 

As you might expect, LVRC argued in court that his intention at the time of access determined whether or not he was authorised.

 

The Ninth Circuit judges, however, disagreed with LVRC's creative interpretation of `unauthorised access' noting that Mr Brekka had permission to access the computer at the time he sent the messages.

 

"We hold that a person uses a computer 'without authorisation'... when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone's computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway," the judges wrote in their written ruling.

 

Now here's where it gets interesting from a legal standpoint - although it's clear that Mr Brekka was acting against the interests of LVRC at the time he sent the documents, his actions were not against the law.

 

And that, ladies and gentlemen, is the crux of the matter.

 

The net result of this case is that the scope of the CFAA in the US is now limited in terms of its application and, as a precedent, the argument could be applied under the Computer Misuse Act in the UK.

 

The $64,000 question, of course, is whether anyone will have the cojones to mount a legal challenge to a prosecution under the CMA in the UK.

 

Time alone will tell, but the LVRC/Brekka case has some interesting issues, to say the least.

 

29-09-2009 12:16

Caution over proposed new UK legislation

Businesses need to be aware that proposed new UK legislation requiring Communication Service Providers (CSPs) to maintain data on all forms of customer communications, including instant messages, email and even Internet telephony sessions, could pose a risk to company privacy.

 

Although the UK government has said it will not monitor the content of the communications - for which a warrant is normally required - it's important for businesses to understand that technology now exists that can give eavesdroppers a pretty good idea of the content.

 

The technology is called deep level packet inspection and allows, for example, ISPs to inspect IP data packets to assess what category of content is being carried and prioritise the data accordingly.

 

Almost all CSPs - especially the cellular carriers - use deep level packet inspection to monitor for Internet telephony calls, which are not allowed on some networks and/or tariff deals.

 

The big issue is the extent to which CSPs will be required to log user interactions under the new legislation, as criminals could then use stolen log data to piece together the communications jigsaw for themselves.

 

Suppose that company A is planning to take over company B and is operating under a period of due diligence, with staff between the two companies exchanging data and Instant Message calls.

 

If criminals were to illegally obtain the log data from CSPs, they could make the necessary conclusions and buy or sell stock in anticipation of the takeover being announced.

 

And that is just for starters. All sorts of industrial espionage becomes possible with this sort of data. Whilst the CSPs and the government are bound by legislation, criminals are not.

 

It is to be hoped that, if this legislation is passed, then the CSPs protect the log data with very high levels of protection. This is just one facet of the pitfalls that could result from what may be seen as a clumsily set up piece of legislation.

 

For more on the proposed UK legislation see this article by Jeremy Kirk http://www.pcworld.com/article/181732/uk_to_push_for_law_to_retain_all_communications_data.html

11-11-2009 15:38

© 2009 Reed Exhibitions | Contact Us | Privacy Policy

Infosecurity Adviser is produced by Reed Exhibitions with thanks to Tangent Labs