Posts Tagged ‘mobile devices’

Infosecurity Magazine news stories for 5-7 March 2012

March 8, 2012

My news stories on Infosecurity Magazine for Monday, Tuesday and Wednesday this week…

Trustwave to acquire M86 Security
Trustwave, a Chicago-based security company with offices around the world, has signed a definitive agreement to acquire M86 Security, which is based in Irvine, California and has international headquarters in London and R&D in California, Israel and New Zealand.
07 March 2012

CIOs recognize the mobile threat; but aren’t yet responding to it
A new survey from Vanson Bourne, sponsored by Sophos, underlines a current anomaly: CIOs believe that mobile devices are a security risk, but aren’t doing much about it.
07 March 2012

LulzSec leader Sabu turns FBI informant
It’s been a tempestuous week in the battle between Anonymous and the law: 25 arrests, the poisoning of the Anonymous DDoS tool, and now the LulzSec leader, Sabu, has been named an FBI informant.
07 March 2012

Trust in communications is decreasing
While the UK is becoming increasingly better connected, trust in those connections is declining.
06 March 2012

THOR: a new P2P botnet for sale
A new botnet is nearing completion and is being offered for sale on the hacking underground at $8000.
06 March 2012

India/Bangladesh cyberwar moves to a new level
The ongoing cyberwar between India and Bangladesh has escalated with Teamgreyhat, in support of “our Indian brothers”, moving from commercial to economic targets.
06 March 2012

Is it time to move on from anti-virus?
On Friday, Wired quoted security expert Jeremiah Grossman as someone who doesn’t use anti-virus software, and asked the question: “Is Antivirus Software a Waste of Money?”
05 March 2012

UK opts in to the EU-USA PNR agreement
The UK’s Home Office says that on the 9th February 2012 it notified the President of the Council that “the government has opted in to the EU-US Agreement on the exchange of passenger name record [PNR] data.”
05 March 2012

Twitter complies with court order – hands over account details
Guido Fawkes in the UK is the pseudonym of an award-winning anti-establishment blog operated by Paul Staines. In the US it is a name associated with a Twitter account handed over to law enforcement. Around the world it has become associated with the Anonymous movement.
05 March 2012

Categories: All, Security News

Richard Thomas responds to Alex Owens’ statement to the Leveson Enquiry

December 14, 2011

I was pretty damning of the ICO in my post outlining Alex Owens’ witness statement to the Leveson Enquiry (looking into the phone hacking scandal). You can read that here: Something rotten in the state of the Information Commissioner’s Office – will Leveson act?

Well, surprise, surprise. Richard Thomas doesn’t remember it.

The informal meeting to which Mr Owens refers took place in this instance because (understandably) the team wished to share the nature and scale of their success with me. I recall that meeting as the occasion when I was informed about the volume and nature of the materials – the “treasure trove” – which had been discovered. I recall congratulating Mr Owens and the team for a job well done. I do not, however, recall any course of action being formally or informally recommended by Mr Owens or anyone else, let alone being “bemused”. Specifically, I do not recall any proposal, on that or any other occasion, that any journalists – nor indeed any other customers of Steve Whittamore and his associates – should be investigated. I do not recall even any suggestion that any further investigations were under consideration. One of my central memories of that meeting is a recognition of the challenge presented for a very small team by the sheer bulk of the evidence, without any suggestion that even more should be obtained. I do not recall whether Francis Aldhouse was at that meeting, but I do not ever recall hearing the words attributed to him.

…I do not have any recollection or awareness whatsoever of preventing any Investigating Officer…

…Nor do I have any recollection of making any later “decision” or issuing any sort of instruction…

…Nor was I aware at any time of any grievance…

…Although I cannot recall any discussion…
Fourth Witness Statement of Richard Thomas CBE

That’s the defence. And now the attack:

Mr Owens has made a number of allegations about me and the ICO. It is therefore necessary for me to alert the Inquiry to the fact that there were a number of performance, disciplinary and grievance issues between Mr Owens and the ICO…

It’s all so predictable that any media relations person could have written it for him without ever needing to speak to him. The difference is that Owens states things happened, while Thomas doesn’t deny them, just can’t remember them.

Categories: All, Politics, Security Issues

UK Internet Security: State of the Nation – The Get Safe Online Report, November 2011

November 10, 2011

When a security site is backed by several government departments (including the Home Office), by law enforcement (the Serious Organized Crime Agency) and the intelligence services (Centre for the Protection of the National Infrastructure, which holds hands with MI5 and CESG), then it should be taken seriously. So, when such a site (Get Safe Online) releases a grandiose report with a grandiose title (UK Internet Security: State of the Nation – The Get Safe Online Report, November 2011), we should expect something serious. This is, we are promised, the state of the nation.

But it is poor. It is trivial. Most secondary school magazines could do better simply by writing to the security industry and asking different companies to provide a brief comment on a particular security aspect. Because that’s all that this is – a series of separate contributed articles from some of the companies and agencies that sponsor Get Safe Online.

HSBC claims:

Coupled with the widespread use of advanced anti-spyware software provided by banks, as well as the excellent advice from Get Safe Online, HSBC believes our online customers are now safer than ever.

SOCA gives us this gem:

It would be good to think that we could arrest and prosecute every cyber criminal… [but] this will never happen. [So] an equally important activity is prevention and awareness.

Which just goes to show that law enforcement has forgotten its role: viz, we should prevent crime first, and arrest the remaining criminals. The modern version believes that we should arrest all the criminals we can, and then try to stop the ones we miss.

Verisign comments:

At VeriSign we’re constantly trying to educate people about online threats and raise awareness about the dangers of social engineering, which is the main trick used by cybercriminals.

Which is simultaneously horribly naive (all cybercriminality depends upon social engineering somewhere), and self-aggrandizing. Trend’s Rik Ferguson makes a serious attempt at saying something meaningful without blowing his company’s trumpet:

The volume of mobile malware has not yet reached the epidemic proportions of computer-based malware, but criminal interest is clearly there and growing. We are seeing multi-platform attacks distributed by the same criminal groups that traditionally have focused on conventional systems. Smartphone security, such as encryption and anti-malware, is available but not widely deployed. The need is already there for it to be commonplace.

But here’s the problem with a government-backed site taking sponsorship money from private companies. That company endorses the site – but there is a clear indication that the reverse is also true: the government sponsors that company. Since Trend Micro is the only anti-virus company mentioned in the State of the Nation report, it comes across that Trend Micro is the anti-virus company preferred and recommended by government. The same argument can apply to most of the other ‘contributors’.

So not only is this ‘state of the nation’ report both trivial and a possible contender for being prosecuted under the Trade Descriptions Act, it is also an insult to the 99% of the security industry that has declined to spend its money on buying dubious government advertising. You may have gathered that I am not merely unimpressed by this report, I am frankly appalled.
