Monday, November 3, 2008

In UK, 12M Taxpayers Lost With USB Stick

From Daily Mail via Slashdot

Ministers have been forced to order an emergency shutdown of a key Government computer system to protect millions of people's private details.

The action was taken after a memory stick was found in a pub car park containing confidential passcodes to the online Government Gateway system, which covers everything from tax returns to parking tickets.

An urgent investigation is now under way into how the stick, belonging to the company which runs the flagship system, came to be lost.

This data stick not only contained the user information, but it also contained the source code for the portal. What more can one say?

Monday, October 20, 2008

Deloitte loses hundreds of thousands of pension details

From The Register

Deloitte has admitted losing a laptop containing thousands of people's pension details, but said the data was encrypted and the machine password-protected, and it had no evidence the data had been misused.

The laptop contained 150,000 railway workers' details as well as details on all UK Vodafone staff with pensions and other unnamed pension funds. The lappy was stolen from a Deloitte staffer's handbag last month. The machine held personal information but not bank details. Deloitte was auditing the pension funds.

This sounds like yet another data loss with many thousands of people's personal details exposed, but it's a good news story. Deloitte has a policy that all notebooks be protected by a hardware password, an OS password and data encryption, and according to a statement this notebook had all three. Well done to D&T!

Thursday, September 25, 2008

E-mail security advice for politicians

From Tech Republic Blogs

One would hope that the people who run for public office in this country [USA] with promises of increased domestic security would take some pains to ensure their own security during the campaign. High priorities should of course involve things like having good bodyguards and site security teams when making public appearances, ensuring one’s campaign Web site doesn’t get defaced by people who disagree with one’s policies, and protecting e-mail privacy. While I would dearly love to see someone with an at least marginal understanding of technology get into public office from time to time, I know that might be a bit too much to ask at this point on the national political stage. Lacking personal understanding of such matters, however, one should definitely hire people who know what they’re doing and get them to advise on technical matters — and actually listen to their advice.

The advice given applies equally to company executives, business owners and professionals. All have important, critical and/or strategic information that they send and receive via email. Not considering the ramifications of that information getting into the wrong hands can sink your business. And when you do get the advice, you need to follow it.

Wednesday, September 24, 2008

For Google's Android phone, it's what's inside that counts

From CNet News

Google's first Android phone may not win any beauty contests, but the smartphone's software and advanced Web browsing will give today's current crop of smartphones, including the iPhone, a run for their money.

T-Mobile USA and Google unveiled the first Google Android phone Tuesday at an event here. The phone, previously code-named the HTC Dream, is now called the T-Mobile G1. And it goes on sale in the U.S. on T-Mobile's network starting October 22 for $179 with a two-year service contract.

Apple's iPhone really changed the smartphone game. Although RIM, makers of Blackberry, and Microsoft, makers of Windows Mobile, have had a head start in the smartphone market (55% and 20% respectively), Apple's iPhone is already at 9%. This means that Google will have its work cut out trying to gain significant market share.

Positives are that it intends to make Android an open platform, hoping to somewhat negate factors like the lack of business user related software (Exchange and MS Office integration) by allowing third parties to develop those pieces. If you think that sounds like Linux all over again, then I agree.

Asus Recovery DVD scandal: How it happened

From The Coffee Desk

For those who haven’t already heard, the PC OEM company Asus was involved in a major scandal where a directory on the recovery DVD and inside c:\Windows\ConfigSetRoot\ contained a software crack for the WinRar program, software serial numbers, a resume (presumably for a now-jobless Asus employee), an internal Asus powerpoint describing “known compatibility issues”, Asus source code, and even an OEM issued Microsoft document, which mainly says “do not distribute DR-DOS with any computers”.

Yet another example of what happens when a company does not have, or does not follow, documented procedures. For many, procedures are a hindrance to getting work done. It's arguable whether procedures are useful in small companies, but once a company gets bigger, following documented procedures is critical. The trick is to minimise the impact of following procedures, and so minimise the temptation to ignore them.

Friday, September 5, 2008

Google SA anti-competitive?

From My Broadband

GLOBAL internet giant Google is being investigated by the Competition Commission for allegedly abusing its dominance by trying to steal a customer away from Cape-based e-marketing company Entelligence.

Entelligence has filed a complaint accusing Google SA of flouting the Competition Act by inducing a customer not to deal with Entelligence but to deal directly with Google instead.

In a statement yesterday, Google said the accusations were without merit. It adhered to “strict professional protocols” for working with agencies and clients in SA and around the world, it said, specifically to create a fair and open business model.

This, sadly, is an all too real example of life in the business world, anywhere on the planet. The only reason this stands out for me is Google claims as an unofficial motto "do no evil." I guess this means unofficial mottos are as meaningless as official mottos.

Thursday, September 4, 2008

Chrome Eliminates Google's Middleman Problems

From Wired Blogs

With its release of Chrome, Google is distributing a browser that will give the company direct access to the user, and more control over the data it gets. If Chrome catches on, the result would be a boon for Google's cash cow -- advertising.

Chrome is a direct assault on Microsoft's dominant market position in the browser space, and it shares some of the privacy features of IE 8. But the bigger picture is control in the cloud of the direct and indirect details of internet life and how those will distill into the perfection of online pitches.

Google interacts with the world through people's browsers. What makes more sense than for Google to take control of the browser? If successful they can spend less time trying to make their services work across all browser platforms and more time adding functionality to those services.

And that's the least of the benefits for Google. I think this gives them the ability to prevent the other browsers from implementing features that limit what Google tracks. We'll need to wait and see how this develops, but opinions are beginning to harden. Just, err, google for Chrome for more...

Some links to opinions about Chrome:-
Chrome versus the world
Google restores Chrome's shine
Google seeks route around Microsoft with Chrome
Chrome Vs. IE 8

You can download it here.

Tuesday, September 2, 2008

Five things that make it great to work in IT and Five things that suck about working in IT

From Tech Republic (great/suck)

Five things that suck about working in IT
  • 5. You get a lot of fingers pointed at you

  • 4. People assume you’re an expert in all things tech

  • 3. You have to continually re-train, on your own dime

  • 2. The hours are long and irregular

  • 1. The job market is tumultuous and in transition


Five things that make it great to work in IT
  • 5. You’re the hero when you solve problems

  • 4. You get to play with cool stuff

  • 3. You help make people more efficient

  • 2. Your job is rarely dull or stagnant

  • 1. You get to be a revolutionary


Of course none of these, on their own, is peculiar to IT, but in combination they make IT unique. Read more detail about them at the suck and great links.

Sunday, August 31, 2008

Oh frabjous day! The telco Jabberwock is dead

From Thought Leader - M&G Blogs

Today may have seen the beginning of the end of the dreaded monster lurking in the tangled forests of South African telecommunications law.

When Justice Dennis Davis ruled in the high court this morning that value-added network services (VANS) must be allowed to provide their own networks — and that the regulator is obliged to grant the appropriate licence to any network that chooses to do so — he heralded the beginning of a truly competitive environment in telecommunications.

The court case was brought by Altech Autopage against the telecoms regulator, Icasa, essentially to force Icasa to issue a new category of telecoms licences to anyone who applied, rather than cherry-picking a select handful that Icasa decided were worthy. The Electronic Communications Act envisages that these ECNS (electronic communications network services) or i-ECNS (individual ECNS) licences would eventually allow their holders to provide any communications service, from internet or phone to broadcasting, as the technology underpinning these services is all moving to a common platform, namely the internet protocol. Little wonder everyone would like a slice of that pie.

Friday's court ruling in favour of Altech is probably the most important telecommunications event since the Government decided to allow a second network operator. If you recall the enthusiasm from the public regarding the announcement of the new operator, the depression as the process dragged on for several years and now the eagerness with which we all wait for Neotel to finally launch, you will understand what this means. In effect the court has ruled that anyone who has a VANS licence can roll out a network that competes with Telkom (and Neotel, MTN, Vodacom, iBurst, CellC and Sentech), and currently 600 companies in South Africa are licensed.

Expect lots of people to be competing for your telecommunications business in the near to medium future.

Stopping the e-mail bloat: Are your business processes and e-mail the same thing?

From Tech Republic Blogs

I was reading the July issue of CIO magazine when I came across a quote from Ross Mayfield, the president and cofounder of Socialtext, which produces enterprise wikis. The quote from him reads, “(Employees) spend most of their time handling exceptions to business processes. That’s what they are doing in their inbox for four hours a day. E-mail has become the great exception handler.”

I couldn’t agree more, but I would like to add to his statement and say that, in my opinion, e-mail is not just the exception handler, but in many cases, it’s the primary method for business process communication.

How did we get here and why has it happened? There are a number of reasons, and I’d like to expand on a few.

  • Making it up as we go along.

  • Not enforcing business processes.

  • Business processes that are not automated or automated with software that is outdated or doesn’t fulfill the user’s needs.

  • Lack of communications within an application or integration with other communication mechanisms.

  • Lack of communication alternative besides e-mail.


This is especially true of small to medium companies, and is a critical factor in them not graduating to becoming bigger companies. If your business processes do not exist, or are not being used, then your company is too dependent on critical employees. Aside from the fact that that makes you vulnerable to those employees leaving, it also means that your company cannot scale. Of course the downside of business processes can be the dreaded 'company policy' that is so hated by customers. A successful company is one that can solve that dilemma, and judging by the number of such companies it cannot be too difficult.

Spend some time reading the linked article and a bit more time thinking about your company's processes and how to automate them without stifling the ways in which you deal with your customers. After all, other benefits of well designed and adopted processes include exposing performance metrics and quality control.

Ten Tips for Successful IT Disaster Recovery Planning

From Information Security Today

Businesses of all sizes rely on information technology as a crucial component of their day-to-day operations. Because data availability is a top priority, the need for companies to compile a thorough disaster recovery plan is essential.

According to Info-Tech Research Group, however, almost 60% of North American businesses do not have a disaster recovery plan in place to resume IT services in case of crisis - a recipe for possible business failure. Faulkner Information Services found that 50% of companies that lose their data due to disasters go out of business within 24 months, while the U.S. Bureau of Labor indicates that 93% are out of business within five years.

Ten Tips for Disaster Recovery Planning:-

  • Devise a disaster recovery plan

  • Monitor implementation

  • Test disaster recovery plan

  • Perform off-site data back-up and storage

  • Perform data restoration tests

  • Back-up laptops and desktops

  • Be redundant

  • Invest in theft recovery and data delete solutions for laptops

  • Install regular virus pattern updates

  • Consider hiring a managed services provider


Read the complete article for more details. Although DRP is now a common check item on many IT departments' lists, it is still regarded as a burden rather than a critical task. Companies need to do more than request that DRP be a part of IT's functions. They need to fund it and make it a high priority item on job descriptions. With IT departments working in reactive mode, DRP will be neglected.

Monday, August 25, 2008

Hackers Crack into Red Hat

From PCWorld

Red Hat confirmed Friday that hackers compromised infrastructure servers belonging to the company and the Fedora Project, including systems used to sign Fedora packages.

In the Red Hat compromise, the intruder was able to sign a small number of OpenSSH packages relating to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only).

As a precaution, Red Hat released an updated version of those packages, a list of tampered packages and a script to check if any of the packages are installed on a user's system.
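A check of the kind Red Hat describes can be done against the output of the package database. The script below is an added example for this post, not Red Hat's own script: it parses `rpm -qa` output (with an explicit query format so the architecture is always present), splits each line into name, version-release and architecture, and reports exact matches against a tampered-build list. The list entries and the installed-package sample are constructed placeholders; the real names, versions and architectures come from Red Hat's advisory.

```python
"""Check installed RPM builds against a list of tampered builds.

Added example for this post, not Red Hat's own checking script. The tampered
entries below are placeholders; the real names, versions and architectures
come from Red Hat's advisory. Input lines are in the form produced by
  rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
and the sample below is constructed, not taken from a real system.
"""
from typing import Dict, Iterable, List, Tuple

# Placeholder version-release string standing in for the advisory's values.
PLACEHOLDER_VR = "0.0.PLACEHOLDER-0.PLACEHOLDER.el5"

# name -> [(version-release, arch), ...] builds reported as tampered.
# Only the architectures the advisory names are listed; other arches of the
# same version are not affected and must not be flagged.
TAMPERED: Dict[str, List[Tuple[str, str]]] = {
    "openssh":        [(PLACEHOLDER_VR, "x86_64")],
    "openssh-server": [(PLACEHOLDER_VR, "x86_64")],
}


def split_nevra(line: str) -> Tuple[str, str, str]:
    """Split 'name-version-release.arch' into (name, 'version-release', arch).

    Package names may themselves contain '-', so split from the right: the
    arch follows the last '.', and version and release are the last two
    '-'-separated fields of what remains.
    """
    body, _, arch = line.strip().rpartition(".")
    name, version, release = body.rsplit("-", 2)
    return name, f"{version}-{release}", arch


def find_tampered(installed_lines: Iterable[str]) -> List[str]:
    """Return installed builds that exactly match a tampered (name, version-release, arch)."""
    hits = []
    for line in installed_lines:
        if not line.strip():
            continue
        name, vr, arch = split_nevra(line)
        if (vr, arch) in TAMPERED.get(name, []):
            hits.append(line.strip())
    return sorted(hits)


# Constructed sample of rpm -qa output; not from a real system.
SAMPLE_RPM_QA = """\
bash-3.2-21.el5.x86_64
openssh-0.0.PLACEHOLDER-0.PLACEHOLDER.el5.x86_64
openssh-clients-4.3p2-26.el5.x86_64
openssh-server-0.0.PLACEHOLDER-0.PLACEHOLDER.el5.i386
"""

if __name__ == "__main__":
    for pkg in find_tampered(SAMPLE_RPM_QA.splitlines()):
        print(f"tampered build installed: {pkg}")
```

Because the intruder signed these packages with Red Hat's own signing infrastructure, a signature check alone does not distinguish them from clean builds; the check has to be by exact build and architecture, which is why the i386 openssh-server line in the sample is not flagged.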

About a year ago hackers were able to get into the Ubuntu servers. And some time ago Microsoft were also victims of a hack.

Being a system administrator is like being a goalkeeper in soccer. Everyone forgets the great and not-so-great saves, because what counts are the goals. Even when you are at the top of your game and are working hard to keep things running, the times you get hacked, and those will happen, are the times that are remembered. The examples above are of administrators in the major leagues, and even they get hacked on occasion.

Whilst it's sad to know that one cannot be 100% successful, I think it's helpful to know that failure will happen and that one needs to plan for that eventuality.

So? Do you have a disaster recovery plan?

Opinion: Why Google has lost its mojo -- and why you should care

From ComputerWorld

Google has gone from innovative upstart to fat-and-happy industry leader in what seems like record time. Put simply, the search giant has lost its mojo. That's good news for Microsoft, and it could affect how you use Google's cloud computing services.

Google looks as if it's on top of the world right now, holding an ever-increasing lion's share of the search market. So why do I think it's lost its mojo? Let's start with the way it treats its employees. Google's largesse has been legendary -- free food, liberal maternity and parental leave, on-site massages, fitness classes and even oil changes.

Many people, including me, use Google's services. After search and e-mail, there are documents, spreadsheets, calendars and drawing. In fact I have read about people who now use Google Apps exclusively. Google is their IT department.

But this is not what worries me about Google. Consider that they track everything you do, so even though they may not keep identifying information about you, they do track that user #45EF821F9BC8EA50, for instance, is interested in rock music, the Far Side, Dilbert, lingerie, cars, The Simpsons, cricket, John McCain, etc. In fact they can tie every search you have done to you.

And combine this with them having access to your calendar, documents and spreadsheets, they probably know more about you than you do.

Why would you trust anyone with that information, let alone someone who would have to turn it over to the US government, if asked, and is not allowed to inform you that they have done so?

Wednesday, August 20, 2008

HTTPS: Surf jacking makes it vulnerable

From Tech Republic Blogs

The infamous cookie causes yet more grief

In reality, it’s not the cookie that causes the problems; they are just an easy way to subvert HTTP and now HTTPS connections. There are two major categories, persistent cookies and session cookies. It’s important that we know the difference between the two when discussing how surf jacking works:

Persistent cookies are so named because they have a time to live that lasts longer than the current web browsing session. The first- and third-party cookies I discussed in my article about Behavioral Targeting and Deep Packet Inspection would be considered persistent cookies. Persistent cookies have very little to do with the actual Internet connection.

Session cookies only last the length of a web browsing session. More importantly, they carry information that validates the web browser to the web server.

A specific set of circumstances is needed to take advantage of surf jacking, but this is still something to keep in mind. Website developers should also look into the suggested changes to the way they develop sites and so make it harder for this to work.
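The developer-side change the article alludes to comes down to how session cookies are issued: a session cookie without the Secure attribute is sent on plain HTTP requests to the same host as well as on HTTPS ones, which is the exposure surf jacking relies on. The following is an added example for this post, not code from the original article: it parses Set-Cookie header values, classifies each as session or persistent (assuming that a cookie with neither Expires nor Max-Age is a session cookie), reports session cookies that lack Secure, and shows the hardened header. The sample headers are constructed, not captured from any real site.

```python
"""Audit Set-Cookie headers for session cookies that would also travel over plain HTTP.

Added example for this post; it is not code from the original article.
Assumptions: a cookie with neither Expires nor Max-Age is a session cookie,
and a cookie without the Secure attribute is sent on both HTTP and HTTPS
requests to the site, which is the exposure surf jacking relies on.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Cookie:
    name: str
    kind: str        # "session" or "persistent"
    secure: bool     # browser sends it only over HTTPS
    httponly: bool   # not readable from page script


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie header value into its name, lifetime class and flags."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    kind = "persistent" if ("expires" in attrs or "max-age" in attrs) else "session"
    return Cookie(name, kind, "secure" in attrs, "httponly" in attrs)


def unsafe_session_cookies(headers: List[str]) -> List[str]:
    """Names of session cookies that lack Secure, i.e. the ones a plain-HTTP
    request to the same host would carry in the clear."""
    return [c.name for c in map(parse_set_cookie, headers)
            if c.kind == "session" and not c.secure]


def add_secure(header_value: str) -> str:
    """Hardened form of a Set-Cookie value: append Secure if it is missing."""
    if parse_set_cookie(header_value).secure:
        return header_value
    return header_value + "; Secure"


# Constructed sample headers; not captured from any real site.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "auth=tok; Path=/; Secure; HttpOnly",
    "prefs=dark; Expires=Wed, 21 Oct 2009 07:28:00 GMT; Path=/",
    "tracking=xyz; Max-Age=31536000",
]

if __name__ == "__main__":
    for name in unsafe_session_cookies(SAMPLE_HEADERS):
        print(f"session cookie {name!r} lacks Secure and will be sent over plain HTTP")
    print("hardened:", add_secure(SAMPLE_HEADERS[0]))
```

The persistent cookies in the sample are deliberately left out of the report: as the article notes, they have little to do with the connection itself, whereas the session cookie is what validates the browser to the server.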

12 early warning signs of IT failure

From ZDNet

High rates of IT project failure persist because most organizations don’t understand the real reasons why their projects fail.

Sensitivity toward early warning signs [EWSs] can increase project success rates by giving advance notice of potential points of failure. For example, the team can shore up weak executive sponsorship if it identifies the problem sufficiently early. The paper groups causes of failure into two categories: people-related risks and process-related risks.

Here are the top people-related risks:

  • Lack of top management support

  • Weak project manager

  • No stakeholder involvement and/or participation

  • Weak commitment of project team

  • Team members lack requisite knowledge and/or skills

  • Subject matter experts are over-scheduled


And the most important process-related risks:

  • Lack of documented requirements and/or success criteria

  • No change control process (change management)

  • Ineffective schedule planning and/or management

  • Communication breakdown among stakeholders

  • Resources assigned to a higher priority project

  • No business case for the project


You can read the entire report at the ISM Journal site (pdf). I highly recommend it. Some of the signs apply to any project, not just IT projects, and they also apply to any sized project. Even if the boss stuck his head around the door and delivered the specification verbally in 50 words, that does not mean that your project is not important, or that it cannot fail.

Tuesday, August 19, 2008

More Than One-Third of Vista Purchasers Downgrade to XP

From SANS NewsBites Vol. 10 Num. 65
(August 18, 2008)

Statistics gathered by Devil Mountain Software indicate that nearly 35 percent of new PCs have been downgraded from Vista to Windows XP. Microsoft's end-user licensing agreement allows users who have purchased Vista Business and Vista Ultimate to downgrade to Windows XP Professional; those who purchased Vista Enterprise are permitted to downgrade to XP. Devil Mountain Software operates the exo.performance.network.

Computer World
Info World

[Editor's Note (Pescatore): I know it is popular to bash Vista, but from a security perspective, this is pretty silly. Delaying upgrading to Vista is one thing, buying a new PC with the capacity to run Vista and going backwards to XP makes no sense. At this point the applications that don't work with Vista are all badly written applications that should be shunned anyway.]

I have moved my primary Windows machine to Vista 64-bit. It can address 6GB of RAM, is fast, and the only real issue I have had is that it sometimes does not wake from sleep, and thus requires a reset. But even that has not happened in a while (about two weeks). All in all I am happy with Vista. I even use IE7!

In my opinion it's easier for most users, by far, to move from XP to Vista than to get to grips with a completely new system like OS X or Linux.

10 common security mistakes that should never be made

From Tech Republic

The following is a list of ten security mistakes I see all the time. They’re not just common, though — they’re also extremely basic, elementary mistakes, that anyone with a modicum of security knowledge should know better than to make.

  • Sending sensitive data in unencrypted email

  • Using “security” questions whose answers are easily discovered

  • Imposing password restrictions that are too strict

  • Letting vendors define “good security”

  • Underestimating required security expertise

  • Underestimating the importance of review

  • Overestimating the importance of secrecy

  • Requiring easily forged identification

  • Unnecessarily reinventing the wheel

  • Giving up the means of your security in exchange for a feeling of security

Nothing very difficult. In fact some are obvious, although one or two are counter-intuitive. It just helps to think about security a little bit. Click on the link to see more detail.

Tuesday, August 12, 2008

Dutch Police Notify Users Infected with Bot Malware

From SANS NewsBites Vol. 10 Num. 63

(August 8, 2008)
Dutch police have notified people whose computers were infected with malware that made them part of a botnet comprising more than 100,000 PCs. People were redirected to a web page containing directions on disabling the malware and a link to an online virus scanner. The police were able to automatically forward the infected users to the help page because they have taken control of the botnet. A 19-year old man was arrested last week when he tried to sell the botnet to someone in Brazil for GBP 25,000 (US $47,839).

Computer World UK

[Editor's Note (Ullrich): An interesting tactic that should probably be investigated more. In the past, investigators of botnets (law enforcement or not) have been careful not to use the botnet functions themselves. Most of the time, the exact effects of these actions are not well understood. Other methods have however not been very successful in notifying users.]

I believe that the larger ISPs in South Africa can do something like this. If they can detect bot type traffic on their network, they can modify the routing rules so that all web traffic from infected networks is routed to a page notifying the user of the problem, and whom the user can contact for help (note that they already redirect international web traffic to their transparent proxies).

Of course the cynic in me notes that as these ISPs charge per MB they might not be too keen to do anything that reduces traffic.

Apple Sells 60 Million iPhone Apps, Jobs Confirms Kill Switch

From Wired Blogs

In a rare gesture of openness, Apple has revealed data about iPhone application sales and confirmed the existence of a "kill switch" to disable malicious applications.

"Hopefully we never have to pull that lever, but we would be irresponsible not to have a lever like that to pull," he (Jobs) told the WSJ. An example of a malicious application would be one that stole users' personal information, Jobs explained.

Something like this seems like a good idea, until it is abused. I can't help but think about detention without trial, the PATRIOT Act and licensing journalists. They were all presented as a solution to a problem and we are asked to trust the users. Sadly it's usually a misplaced trust.

The World's First Webmail Service Using Live Snails

From Gizmodo Via Khetan

If you thought the post office was slow, get a load of this Real Snail Mail project. Created by the aptly titled Boredom Research team for the SIGGRAPH 2008 Slow Art Exhibition, this snail mail service uses live snails to deliver your email messages via RFID chips planted on the shell.

You can send someone mail from the project page.

Monday, August 11, 2008

Aug. 11, 1942: Actress + Piano Player = New Torpedo

From Wired

1942: Hedy Lamarr, once described by German actor-director Max Reinhardt as "the most beautiful woman in Europe," receives a U.S. patent for a frequency-hopping device designed to guide radio-controlled torpedoes while making them more difficult to detect in the water. Holding the patent with her is George Antheil.

It's the incongruity of the patent holders with their invention, as much as the invention itself, that is remarkable. Lamarr, a Viennese-born movie actress, would eventually be given a star on the Hollywood Walk of Fame. Antheil, an American avant-garde composer of orchestral music and opera, lived in Paris during the '20s and counted Ernest Hemingway and Igor Stravinsky among his friends.

Read the complete article

Thursday, July 31, 2008

Backups aren’t expensive, but they are necessary

From Tech Republic Blogs

It’s Okay if your small business can’t afford a dedicated IT expert, but most small shops, without fail, make the same mistake — they don’t perform frequent and reliable backups. No one really takes responsibility for backing up data and it’s every soul for oneself.

You might think that the cost and labor are prohibitive, but that’s false economy. You can’t afford not to back up your data. Besides, it just isn’t true. If I told you that backing up data would require about five minutes per PC, would you be interested? You might be surprised just how easy it is to back up your data regularly (using Windows).


Backing up is a tedious chore, but it's important. There are various mechanisms to make it easier, but at the very least read this blog and follow its advice.

Attack Code Released for New DNS Attack

From New York Times

Hackers have released software that exploits a recently disclosed flaw in the Domain Name System (DNS) software used to route messages between computers on the Internet.

The attack code was released Wednesday by developers of the Metasploit hacking toolkit.

Internet security experts warn that this code may give criminals a way to launch virtually undetectable phishing attacks against Internet users whose service providers have not installed the latest DNS server patches.

This attack causes users' computers to contact the wrong servers for services. For instance, when you type in www.google.com, expecting to be routed to Google, you could end up at another site pretending to be Google. The same could happen for your bank or your email. And this will work even if you use a bookmark.

Sadly this cannot be fixed by you. Your network administrator or ISP needs to fix their systems. It's probably a good idea to ask them if they have done so.
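One way to find out whether a resolver has been patched, short of asking, is to look at its own outgoing queries. The July 2008 DNS patches the article refers to made resolvers choose a random UDP source port for each query rather than one fixed port, so that a forged reply has to match a random port as well as the 16-bit transaction ID. The script below is an added example for this post, not from the article: given (source port, transaction ID) pairs observed for a resolver's upstream queries, it reports how much port variety there is and gives a verdict. The two query sets are constructed, not taken from a real capture.

```python
"""Judge from observed outgoing DNS queries whether a resolver randomizes its source port.

Added example for this post; it is not from the article. The July 2008 DNS
patches made resolvers pick a random UDP source port per query instead of a
fixed one. Input is a constructed list of (source_port, transaction_id) pairs,
as one could read from a packet capture of the resolver's own upstream queries.
"""
from typing import Dict, List, Tuple


def port_randomization_report(queries: List[Tuple[int, int]]) -> Dict[str, object]:
    """Summarise source-port and transaction-ID variety over a set of queries."""
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    distinct_ports = len(set(ports))
    distinct_txids = len(set(txids))
    # A fixed port and a simple counter both leave the port predictable.
    sequential = len(ports) > 1 and all(b - a == 1 for a, b in zip(ports, ports[1:]))
    if distinct_ports == 1:
        verdict = "fixed port (unpatched)"
    elif sequential:
        verdict = "sequential ports (predictable)"
    elif distinct_ports >= 0.9 * len(ports):
        verdict = "randomized ports (patched)"
    else:
        verdict = "low port variety (inspect further)"
    return {
        "queries": len(queries),
        "distinct_ports": distinct_ports,
        "distinct_txids": distinct_txids,
        "verdict": verdict,
    }


# Constructed samples; not from any real resolver.
UNPATCHED = [(32768, 0x1A2B), (32768, 0x3C4D), (32768, 0x5E6F),
             (32768, 0x7081), (32768, 0x92A3)]
COUNTER = [(40001, 0x1A2B), (40002, 0x3C4D), (40003, 0x5E6F),
           (40004, 0x7081), (40005, 0x92A3)]
PATCHED = [(41235, 0x1A2B), (55730, 0x3C4D), (32911, 0x5E6F),
           (60102, 0x7081), (49877, 0x92A3)]

if __name__ == "__main__":
    for label, sample in (("unpatched", UNPATCHED), ("counter", COUNTER), ("patched", PATCHED)):
        report = port_randomization_report(sample)
        print(f"{label}: {report['distinct_ports']} distinct ports over "
              f"{report['queries']} queries -> {report['verdict']}")
```

Five queries is enough to tell a fixed port from a randomized one; for a verdict you would act on, capture a few hundred, since a resolver may legitimately reuse a port for retries to the same server.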

Tuesday, July 8, 2008

AVG Link Scanner creates web traffic jam

From searched-designed-developed

AVG, once seen as one of the best free anti-virus software packages on the market, is now a webmaster's nightmare. Some of you may be aware that the latest version of AVG (version 8) comes with a new feature called Link Scanner. Link Scanner pre-scans links on a web search results page to determine whether they are safe to visit. What seemed a good idea to start with soon turned into a fairly large issue.

Early on, we noticed problems with using the link scanner when our internet connection started to suffer noticeably. The link scanner on all machines in our office was causing considerable bandwidth usage and slowing our internet connection down. We were quick to turn this feature off. Little did we realise at that point another problem lurked around the corner which was to be a webmaster nightmare.

With an estimated 20 million users worldwide using AVG 8 and a possibly 50 million users still to upgrade, webmasters are faced with the giant problem of fake traffic. These pre-link checks are skewing web logs all over the world by creating traffic statistics that aren't real human traffic.

Thankfully AVG have seen the light and have provided an update that turns off the Link Scanner. For those of you who have not yet installed version 8.0 please do so. An up-to-date virus scanner is a useful tool.

Court orders YouTube to disclose users’ login, IP addresses

From JournalStar.com

Dismissing privacy objections, a federal judge overseeing a $1 billion copyright-infringement lawsuit against YouTube has ordered the popular online video-sharing service to disclose who watches which video clips and when.

Lawyers for Google Inc., which owns YouTube, said producing 12 terabytes of data — equivalent to the text of roughly 12 million books — would be expensive, time-consuming and a threat to users’ privacy.

The database includes information on when each video gets played, which can be used to determine how often a clip is viewed. Attached to each entry is each viewer’s unique login ID and the Internet Protocol, or IP, address for that viewer’s computer.

Stanton ruled last week that the plaintiffs had a legitimate need for the information and that the privacy concerns are speculative.

Privacy is a valid concern on the 'net. There are some who believe that if you have nothing to hide then it does not matter if your privacy is violated. Others say that one cannot tell how this data will be used and therefore one needs to be vigilant about privacy. Either way, this ruling is another step on the road to reducing anonymity on the 'net.

Survey: More than 10,000 laptops lost each week at airports

From Computer World

Keep laptops close at airports, because they have a startling tendency to disappear in the blink of an eye, according to a new survey.

Some of the largest and medium-size U.S. airports report close to 637,000 laptops lost each year, according to a Ponemon Institute survey released today. Laptops are most commonly lost at security checkpoints, according to the survey.

Close to 10,278 laptops are reported lost every week at 36 of the largest U.S. airports, and 65% of those laptops are not reclaimed, the survey said. Around 2,000 laptops are recorded lost at the medium-size airports, and 69% are not reclaimed. The institute conducted field surveys at 106 airports in 46 states and surveyed 864 business travelers.

Can you say lost data? Got a backup, huh? Well how about exposed data? That's right, your payroll information, or your customer database, or your latest product range could be on a lost or stolen laptop.

TrueCrypt 6.0: Better Software for the Paranoid

From ostatic

TrueCrypt can use a variety of algorithms for its encryption, including AES, TwoFish, Serpent, and combinations of these. The developers have been good about dropping support for algorithms that have been significantly weakened over the software's lifetime.

There are two significant upgrades in version 6.0. First, TrueCrypt now performs parallel encryption and decryption operations on multi-core systems, giving you a phenomenal speedup if you have more than one processor available. Second, it now has the ability to hide an entire operating system, so even if you're forced to reveal your pre-boot password to an adversary, you can give them one that boots into a plausible decoy operating system, with your hidden operating system remaining completely undetectable.

TrueCrypt isn't necessarily for people who have illegal secrets to hide. If you travel with your laptop, and it contains any sensitive information - from your address book to company records - serious encryption is your best protection in case of theft. Remembering a few passwords, and installing a well-tested open source package that uses them, is a small price to pay for peace of mind.


This is a tool with which everyone who uses any mobile storage device, including laptops, should become familiar. Given that so many laptops are lost each year it is incumbent upon IT departments to look closely at tools like this.

Sunday, June 29, 2008

Survey: 8 in 10 businesses now using Macs

From Computer World

Nearly 80% of businesses have Macs in-house, nearly double the percentage that said they had users running Mac OS X two years ago, a research firm said today.

"Then, we were talking about onesies and twosies," said Laura DiDio, a research fellow at Yankee Group Research Inc. who conducted a survey of more than 700 senior IT administrators and C-level executives. "Now the number of actual users is very significant. A number of the businesses said that they had 50 or 100 or even several thousand Macs deployed."

In early 2006, when DiDio last polled corporate IT professionals on Mac deployment, 47% said that they had Apple Inc. hardware in their environments.

I think that in South Africa we are still a bit behind the curve as far as these types of adoption rates are concerned, but we can expect that SA will catch up. It's also interesting that one of the reasons given is hardware reliability.

Friday, June 27, 2008

.confusion: ICANN opens up Pandora's Box of new TLDs

From ars technica

By next spring, businesses and other organizations will be able to apply for any top-level domain they can possibly think of, like arstechnica.awesome or google.thegoogle. Joking aside, the Internet Corporation for Assigned Names and Numbers (ICANN) voted today in Paris on a measure that significantly expands the scope of generic Top Level Domains (gTLDs), allowing organizations to apply for almost any domain suffix they can dream up.

Up until now, the rules for TLDs are rather strict and tightly regulated. Beyond the typical .com, .net, and .org, there are only a handful of other TLDs that IP addresses can be registered under, including .tv, .biz, .mobi, and .us. Thanks to today's unanimous vote, however, the list of possible options will skyrocket. "What we're effectively doing is opening up huge amounts of online real estate," ICANN president and CEO Paul Twomey told the Wall Street Journal before the vote took place.

This has the potential to dramatically change the way we use the Internet. One of the primary reasons for the name-to-number system was to reduce complexity. This brings the complexity right back. At the moment one has a reasonable expectation that the site you want ends in .co.za or .com. Then maybe you could try .net, .org, or .org.za. Now .msn, .mac, .apple, .ipod, .sex, even .etc are all possibilities. Looks like Google is about to become even more of a friend.

First tier ISPs do battle

From My Broadband

MTN recently announced that it had entered into an agreement with Verizon Business to acquire 100% of Verizon South Africa. The company said that the acquisition was in line with its strategy to provide integrated communications solutions in all of its markets.

Vodacom Business has also recently indicated that it plans price reductions up to 80% of traditional international connectivity which will basically change the current business models of traditional ISPs and network service providers such as Internet Solutions and Verizon Business.

This is good news for connectivity in South Africa. Unlike the fake ADSL hearings that only strengthened Telkom, the new Seacom cable, Neotel and the activities of the mobile carriers promise to really shake up the telecommunications industry in South Africa. Keep in mind that the new players are aiming to take market share from IS and Telkom - that is what will make them aggressive players. Once the market has been shared equally, who is to say they will not become a cartel like the bread, cell, car, etc. industries in South Africa.

Thursday, June 26, 2008

Sometimes, software isn't so magical. Even for Bill Gates.

From seattlepi.com

So after more than an hour of craziness and making my programs list garbage and being scared and seeing that Microsoft.com is a terrible website I haven't run Moviemaker and I haven't got the plus package.

The lack of attention to usability represented by these experiences blows my mind. I thought we had reached a low with Windows Network places or the messages I get when I try to use 802.11. (don't you just love that root certificate message?)

This is an extract from a mail sent by Bill Gates to some of his staff. Even Bill Gates has grief using Windows and Microsoft.com, proving that he is human after all. Read the entire rant at seattlepi.com.

Wednesday, June 25, 2008

Timeline: The Gates era at Microsoft

From Computer World

Bill Gates is pretty much synonymous with Microsoft Corp., which he co-founded and built into the world's largest software vendor and the IT industry's most influential company. But Gates is stepping away from his day-to-day role at Microsoft at the end of this month. Here's a brief history of his 33 years at the company.

Love him? Hate him? Adore him? Happy to see him go? It makes no difference. Bill Gates is a man who was in the right place at the right time and translated that into an influence on the way we all live our lives. At the end of this month he will stop day-to-day activities at Microsoft (he remains Chairman) and spend his time at the Bill and Melinda Gates Foundation. Those of us who cut our teeth on DOS will forever remember Bill Gates as the man who impacted our career, and he definitely made being a nerd more acceptable.

The link above is well worth a read, especially if you did not know the early, pre-Windows days of Microsoft.

Microsoft denies XP a last-minute reprieve

From Computer World

Microsoft Corp. yesterday laid to rest rumors that it might reconsider pulling Windows XP from retail shelves and from most PC makers next Monday.

In a letter to customers, Bill Veghte, the senior vice president who leads Microsoft's online and Windows business groups, reiterated that June 30 would be the deadline when Microsoft halts shipments of boxed copies to retailers and stops licensing the operating system directly to major computer manufacturers, or OEMs (original equipment manufacturers).

Microsoft will, however, still be supporting Windows XP for the next few years so all is not doom and gloom. I suspect that many people, like me, will continue to use XP, skip Vista, then move to Windows 7. I really think that Microsoft need to make a decision the way Apple did and develop an OS with no backward compatibility. Trying to support what is already a bloated and buggy system in every new release is just plain stupid.

Update 27 June 2008 from My Broadband

With just days to go before Microsoft finally stops selling Windows XP, the company has bowed to consumer pressure by agreeing to extend support for the operating system until 2014. Microsoft has also confirmed that Windows 7, the successor to its current Vista operating system, will be made available in 2010.

This is good news because we can continue to get support for XP. There will be less pressure, especially in the corporate environment, to rush to Vista.

One-third of IT Professionals Have Snooped on Co-Workers

From SANS NewsBites Vol. 10 Num. 50 (June 19, 2008)

According to a survey of 300 IT professionals, nearly one-third have abused administrative passwords to look at confidential information about their co-workers. Close to half of the respondents also said they had accessed information that was not related to their positions. Just 30 percent of administrative passwords get changed every quarter, while nine percent are never changed, meaning that even people no longer employed by the company can gain privileged access to the system.

ZDNet
Survey press release (not full results)


This is the perennial problem of whom to trust. IT workers have a special place in a workplace - they are the people who keep the systems running. As such they need access to all areas of those systems, including the data stored on them. They have to be trusted. If one third have violated that trust then things are in a sorry state indeed.

Let us also not forget employers that cannot be trusted.

Mac OS X Trojans Detected

From SANS NewsBites Vol. 10 Num. 50 (June 20, 21 & 23, 2008)

A recently detected Mac OS X Trojan horse program exploits a flaw in Apple Remote Desktop Agent (ARDAgent) to load itself as root and take control of vulnerable machines. The malware has numerous capabilities, including keystroke logging, opening ports in the firewall to evade detection, taking pictures with the built-in camera and turning on file sharing. Users can protect their systems by removing ARDAgent from its normal location and archiving it. A second Trojan affecting Macs pretends to be a poker application and tries to gain secure shell access to vulnerable machines.

SC Magazine
Computer World
The Register

[Editor's Note (Pescatore): Since Apple's market share at enterprises will double in 2008, this item and the Safari patches point out that Apple needs to make progress in its secure development life cycle, and enterprises must factor the cost of patching Apple PCs into the acquisition costs or in the costs of letting users use their own Macs for company business.
(Skoudis): The underlying vulnerability here is an old-fashioned SUID root program called ARDAgent that attackers can trick into running code on their behalf as root in a local privilege escalation attack. SUID root programs aren't inherently evil -- a normal system needs several of them for day-to-day operation. But if SUID programs aren't carefully designed and implemented, they could lead to this kind of attack. To get an inventory of all SUID root programs on a Mac or Linux system, you could run: "find / -user 0 -perm -4000". I'm sure attackers are searching for other Mac programs with similar flaws.]


This, and the Safari on Windows fiasco, shows that Apple is not inherently better than Microsoft at software and system design. Obviously Apple started from a more solid base when they decided to use BSD as the basis of the new operating system, but when one looks at the software they have implemented on top of that base one sees that they have a ways to go. SUID programs have been developed for a long time on Unix and there are reams of papers on how to do it securely. Apple have no excuse for getting it wrong.
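Skoudis's one-liner tells you what SUID root programs exist today; what an administrator actually wants is to know when that set changes. The following is an added example (my code, not from SANS, Apple or this blog) that performs the same inventory in Python and diffs it against a saved baseline, so a newly planted or newly discovered SUID root binary shows up as "new". The `build_sample_tree` helper and the use of the current user's uid in place of root are constructed so the check can be exercised without root; against a real system you would call `suid_files("/")` with the default `owner_uid=0`.

```python
"""Inventory set-uid-root executables and diff them against a baseline.

Added example; mirrors `find / -user 0 -perm -4000` from the SANS note.
"""
import os
import stat
import tempfile
from typing import Dict, Iterable, Set, Tuple

CURRENT_UID = os.getuid()  # used only by the constructed sample below


def suid_files(root: str, owner_uid: int = 0) -> Set[str]:
    """Return every regular file under `root` owned by `owner_uid` that has
    the set-uid bit set.  lstat() is used so symlinks are not followed: a
    link pointing at a SUID binary is not counted, and a planted link cannot
    hide one.  Unreadable paths are skipped rather than aborting the walk."""
    found: Set[str] = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode)
                    and st.st_uid == owner_uid
                    and st.st_mode & stat.S_ISUID):
                found.add(path)
    return found


def diff_baseline(current: Iterable[str], baseline: Iterable[str]) -> Dict[str, Set[str]]:
    """'new' = SUID files not in the baseline (review these); 'missing' =
    baseline entries that no longer carry SUID (e.g. ARDAgent archived)."""
    cur, base = set(current), set(baseline)
    return {"new": cur - base, "missing": base - cur}


def build_sample_tree() -> Tuple[str, str, str]:
    """Constructed sample: a temp dir with one set-uid file owned by the
    caller and one plain file.  Returns (root, suid_path, plain_path)."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    os.mkdir(os.path.join(root, "bin"))
    suid_path = os.path.join(root, "bin", "agent")
    plain_path = os.path.join(root, "bin", "helper")
    for p in (suid_path, plain_path):
        with open(p, "wb") as fh:
            fh.write(b"#!/bin/sh\nexit 0\n")
    os.chmod(suid_path, 0o4755)   # rwsr-xr-x: the bit the scan looks for
    os.chmod(plain_path, 0o755)   # rwxr-xr-x: ordinary executable
    return root, suid_path, plain_path


if __name__ == "__main__":
    # Real use: scan the whole system for root-owned SUID files and compare
    # with a baseline captured when the machine was known-good.
    current = suid_files("/", owner_uid=0)
    for path in sorted(current):
        print(path)
```

Keep the baseline somewhere the machine cannot rewrite it (a separate host or signed file); a baseline stored on the scanned box is only as trustworthy as the box.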

Monday, June 23, 2008

Why We Have No Clue How Much Stuff Should Cost

From washingtonpost.com

The day Steve Jobs announced the new iPhone, I drove home from work nervous. I imagine that lots of first-adopter-types felt a similar queasiness at the idea of walking through the front door and rationalizing to their spouses that it wasn't enough to own just the first iPhone. Now we had to have the second.

My wife was watching the network news and had apparently seen a report about the new phone. She said, "You're not getting the new iPhone." I said, "Yes, I am." She said, "Then we're getting a divorce." She was kidding (I think).

How does one value an item? According to those who design prices, expensive items are used to calibrate our value system, then the cheaper stuff seems good value.

"You're not going to spend another $400 or $500 on an iPhone when you have a perfect one right in your pocket," she added. I said, "You are so right. I'm going to spend $199." She stared at me for several seconds, and then she asked me a question that made my heart flutter: "So am I going to get your old iPhone?"

And it works on men and women.

On a related note, Vodacom are taking pre-orders for the iPhone.

Saturday, June 21, 2008

The real reason Amazon won’t post to South Africa?

From Simon.co.za
Today I was surprised to hear the news that online retailer Amazon.com has announced that it will no longer ship to South Africa using ’standard shipping’ through the postal system. It will only send items to the region using courier services, which cost considerably more than conventional postage, citing theft of parcels as its primary reason. Is the South African postal system really that bad? I don’t believe it is, and I am developing a theory about the real reason Amazon has halted its postal services to SA.

I personally do a lot of online shopping, and have been doing so for at least eight years now. I have never had anything go missing in the post. I also refuse to believe that I am just lucky in this regard. So today I made a point of asking almost everybody I came across if they had ever lost post in South Africa. No one had.

From IOL

According to a statement on Thursday, the Post Office had not registered a single complaint about a lost Amazon item in the past year. It is now appealing to any customers who have experienced a problem with their Amazon orders in the past six months to call the Post Office customer line on 0860 111 502.

I also use Amazon a lot; at least 10 books a year. And I buy other stuff over the net as well; movies, software, t-shirts, etc that get delivered by SAPO, and I have never lost a parcel. I think Simon is right, there is another reason for Amazon's decision.

Sadly, the usual SA-bashing crowd are having a field day with this.

IT catfight in Portland, OR

From IT Project Failures at ZDNet

Portland, Oregon’s late and over-budget ERP implementation has become a battleground between city officials and system integrator Ariston Consulting & Technologies. As the failing project’s budget ballooned from $31 million to $49.45 million, finger-pointing and mutual blame have obscured faults on both sides.

This is an instructive read as it highlights both the responsibilities of the client and the contractor. The client has to be sure that the contractor is able to carry out a project of the size and complexity it envisages. The contractor has to be sure the client is able to provide a clear specification.

Friday, June 13, 2008

Verizon Business Releases Trailblazing Data-Breach Study Spanning 500 Forensic Investigations

From Verizon Business

Key Findings Examine Basic Security Tenets
Some of the findings may be contrary to widely held beliefs, such as that insiders are responsible for most breaches. Key findings include:

  • Most data breaches investigated were caused by external sources. Thirty-nine percent of breaches were attributed to business partners, a number that rose five-fold during the course of the period studied.

  • Most breaches resulted from a combination of events rather than a single action. Sixty-two percent of breaches were attributed to significant internal errors that either directly or indirectly contributed to a breach. For breaches that were deliberate, 59 percent were the result of hacking and intrusions.

  • Of those breaches caused by hacking, 39 percent were aimed at the application or software layer. Attacks to the application, software and services layer were much more commonplace than operating system platform exploits, which made up 23 percent. Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability. Significantly, 90 percent of known vulnerabilities exploited had patches available for at least six months prior to the breach.

  • Nine of 10 breaches involved some type of “unknown” including unknown systems, data, network connections and/or account user privileges. Additionally, 75 percent of breaches are discovered by a third party rather than the victimized organization and go undetected for a lengthy period.

  • In the modern organization, data is everywhere and keeping track of it is an extremely complex challenge. The fundamental principle, however, is quite simple – if you don’t know where data is, you certainly can’t protect it.

It's clear that most breaches could be prevented by existing policy, if only that policy were followed. Many companies already have policies regarding third-party access to systems, upgrades and patches, and managing data. Just follow those policies.

Thursday, June 12, 2008

Redefining Anti-Virus Software

From The Washington Post Blog

Microsoft Windows users have long been advised to shield their PCs from attacks by using anti-virus software, which principally relies on technology designed to quarantine or delete files that possess certain characteristics of known hostile programs.

But as the anti-virus firms continue to struggle to stand their ground amid a flood of new malicious programs being unleashed each day, a complementary approach to fighting malware is beginning to take root. This approach seeks to identify the universe of known good programs and treat the outliers with extreme prejudice.


This is an approach that has long been favoured by security professionals. Indeed, it is considered good practice to define firewall rules in terms of banning everything, then allowing only a certain subset of services through the firewall. In addition, companies are now starting to define lists of sites that are accessible, and banning the rest.

This follows the same theme; allow only known good programs to run on your computer, and ban the rest.
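To make the difference concrete, here is an added example (my code, not from the Washington Post piece or any anti-virus product) that puts a blocklist decision next to an allow-list decision for the same program content. Identity is by SHA-256 of the file, not by file name, so a renamed copy of a known-good program is still recognised and a tampered copy under a trusted name is not. The "programs" and both lists are constructed byte strings; in practice the allow-list would be generated from a gold image and signed.

```python
"""Default-deny (allow-list) versus default-allow (blocklist) for programs.

Added example; the sample programs and lists are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Mapping, Set


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def allowlist_decide(name: str, content: bytes, allow_list: Mapping[str, str]) -> Decision:
    """Allow only content whose hash is on the list; everything else is an
    outlier and is denied.  `allow_list` maps program name -> expected hash."""
    digest = sha256_hex(content)
    if allow_list.get(name) == digest:
        return Decision(True, "known good")
    if digest in allow_list.values():
        # Same bytes under another name: still known good, worth a log line.
        return Decision(True, "known good content under a different name")
    if name in allow_list:
        # Trusted name, unexpected bytes: patched, trojaned or unlisted update.
        return Decision(False, "hash mismatch for listed program")
    return Decision(False, "not on allow-list")


def blocklist_decide(content: bytes, known_bad: Set[str]) -> Decision:
    """Traditional signature model: deny only what is already known bad."""
    digest = sha256_hex(content)
    if digest in known_bad:
        return Decision(False, "matches known malware hash")
    return Decision(True, "no signature match")


# Constructed sample "programs" (byte strings standing in for executables).
GOOD_EDITOR = b"MZ\x90\x00 good-editor v1.0"
GOOD_MAILER = b"MZ\x90\x00 good-mailer v2.3"
OLD_MALWARE = b"MZ\x90\x00 old-known-dropper"
NEW_MALWARE = b"MZ\x90\x00 never-seen-before-dropper"
TROJANED_EDITOR = GOOD_EDITOR + b" + backdoor"

ALLOW_LIST: Dict[str, str] = {
    "editor.exe": sha256_hex(GOOD_EDITOR),
    "mailer.exe": sha256_hex(GOOD_MAILER),
}
KNOWN_BAD: Set[str] = {sha256_hex(OLD_MALWARE)}


def compare_models() -> Dict[str, Dict[str, bool]]:
    """Run the same four files through both models; returns allowed flags."""
    cases = {
        "editor.exe": GOOD_EDITOR,
        "notes.exe": GOOD_EDITOR,        # renamed copy of a good program
        "editor_tampered.exe": TROJANED_EDITOR,
        "invoice.exe": NEW_MALWARE,      # fresh malware, no signature yet
        "tool.exe": OLD_MALWARE,
    }
    return {
        name: {
            "allow_list": allowlist_decide(name, data, ALLOW_LIST).allowed,
            "block_list": blocklist_decide(data, KNOWN_BAD).allowed,
        }
        for name, data in cases.items()
    }


if __name__ == "__main__":
    for name, verdicts in compare_models().items():
        print(f"{name:22s} allow-list: {verdicts['allow_list']!s:5s} "
              f"blocklist: {verdicts['block_list']}")
```

The row to look at is the fresh sample: the blocklist lets it run because nobody has written a signature yet, while the allow-list denies it for the only reason that matters, nobody has approved it.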

Friday, June 6, 2008

Watch out for a sneaky blackmailing virus that encrypts your data

From Help Net Security

Kaspersky Lab has found a new variant of Gpcode, a dangerous encryptor virus: Virus.Win32.Gpcode.ak. Gpcode.ak encrypts files with various extensions including, but not limited to, .doc, .txt, .pdf, .xls, .jpg, .png, .cpp, .h and more, using an RSA encryption algorithm with a 1024-bit key.

After Gpcode.ak encrypts files on the victim machine it changes the extension of these files to ._CRYPT and places a text file named !_READ_ME_!.txt in the same folder. In the text file the criminal tells the victims that the file has been encrypted and offers to sell them a decryptor.


I would imagine that they face the same problem a kidnapper does and that is how to complete the transaction without getting caught. One other interesting fact from the original article is that the original virus incorrectly implemented the encryption algorithm. This allowed researchers the opportunity to decrypt the encrypted data. This time they got it right. Thus this is a helpful reminder that implementing your own code, even of a proven algorithm, is not always the best move.
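The two artefacts the article describes, a burst of renames to ._CRYPT and a ransom note called !_READ_ME_!.txt, are exactly the kind of behaviour a host monitor can catch even when the binary itself is unknown. The following is an added example (my code, not Kaspersky's or the article's) of that detection logic run over constructed file-system events; the event format, window and threshold are assumptions chosen for illustration.

```python
"""Behavioural detection for the Gpcode.ak pattern: many renames to ._CRYPT
inside a short window, and creation of the !_READ_ME_!.txt ransom note.

Added example; event format, sample events and thresholds are constructed.
"""
from collections import deque
from typing import Deque, Dict, List, Tuple

CRYPT_EXT = "._CRYPT"          # extension given to encrypted files (from the article)
RANSOM_NOTE = "!_READ_ME_!.txt"  # note dropped beside them (from the article)

# Event = (timestamp in seconds, operation, path).  For "rename" the path is
# the new name; for "create" it is the file created.
Event = Tuple[float, str, str]


def detect(events: List[Event], window: float = 10.0, threshold: int = 5) -> List[Dict]:
    """Return alerts for (a) >= `threshold` ._CRYPT renames within `window`
    seconds and (b) any creation of the ransom note.  The burst alert fires
    once, at the rename that crosses the threshold, rather than on every
    subsequent rename."""
    alerts: List[Dict] = []
    recent: Deque[float] = deque()  # timestamps of ._CRYPT renames in window
    burst_reported = False
    for ts, op, path in sorted(events):
        basename = path.rsplit("/", 1)[-1]
        if op == "create" and basename == RANSOM_NOTE:
            alerts.append({"type": "ransom_note", "time": ts, "path": path})
        if op == "rename" and path.endswith(CRYPT_EXT):
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and not burst_reported:
                alerts.append({"type": "mass_encrypt_rename", "time": ts,
                               "count": len(recent)})
                burst_reported = True
    return alerts


def sample_events() -> Tuple[List[Event], List[Event]]:
    """Constructed traffic: a benign session and a Gpcode-like session."""
    benign: List[Event] = [
        (10.0, "create", "/home/u/docs/readme.txt"),
        (11.0, "rename", "/home/u/docs/report.doc.bak"),
        (12.0, "rename", "/home/u/docs/budget.xls.bak"),
        (13.0, "rename", "/home/u/docs/odd-one._CRYPT"),  # single rename: below threshold
    ]
    malicious: List[Event] = [
        (100.0 + i / 10, "rename", f"/home/u/docs/file{i}.doc{CRYPT_EXT}")
        for i in range(8)
    ] + [(101.0, "create", f"/home/u/docs/{RANSOM_NOTE}")]
    return benign, malicious


if __name__ == "__main__":
    benign, malicious = sample_events()
    print("benign   :", detect(benign))
    print("malicious:", detect(malicious))
```

A single ._CRYPT rename is deliberately not an alert; the threshold is what separates one oddly named file from a machine being encrypted, and tuning it is the usual trade between noise and the number of files lost before the process is stopped.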

Saturday, May 31, 2008

Google spotlights data center inner workings

From CNet (hat tip to Slashdot)


In each cluster's first year, it's typical that 1,000 individual machine failures will occur; thousands of hard drive failures will occur; one power distribution unit will fail, bringing down 500 to 1,000 machines for about 6 hours; 20 racks will fail, each time causing 40 to 80 machines to vanish from the network; 5 racks will "go wonky," with half their network packets missing in action; and the cluster will have to be rewired once, affecting 5 percent of the machines at any given moment over a 2-day span, Dean said. And there's about a 50 percent chance that the cluster will overheat, taking down most of the servers in less than 5 minutes and taking 1 to 2 days to recover.


This is an example of designing networks to handle failure, but can apply to almost anything one cares to build. Sadly too many times the driving parameter is cost, resulting in the lowest bid doing the building, and absorbing the losses incurred during the lifetime of a project. Most of those costs are hidden in the form of employee overtime, disgruntled customers and 'upgrades.'

This requires a mindset change. Projects must not be designed and built to work, they must be designed and built to not fail.

Israeli AG Says Employer May Not Read Employee eMail Without Consent

From SANS NewsBites Vol. 10 Num. 43

(May 29, 2008)
The Israeli Attorney General has ruled that employers may not read their employees' email without their free and informed consent. Attorney general Menachem Mazuz submitted the opinion to the National Labor Court which was hearing an appeal filed by an employee whose employer had been granted access to email from her personal computer.

Globes Online

Oddly enough I had recent experience with this when an employer placed forwards on the mails of two employees, without their knowledge or consent. The first was an employee who had resigned and was serving his notice period, and the second is an employee who is currently still working for the company.

The first employee found out because his wife wondered why mail she sent to him had bounced. He was confused because he had received the mail. Being one of the system administrators he investigated and discovered the snooping.

The second employee discovered the snooping through a different route.

Aside from the legal issues, one has to question the culture of a company where such incidents occur.

Tuesday, May 27, 2008

The biggest drawing in the world

Artist Erik Nordenankar used a GPS to draw a self-portrait on the planet.

He placed a GPS unit in a suitcase then gave the case and a specific set of instructions to DHL. DHL carried out the instructions.

When the GPS unit was returned, Nordenankar downloaded the GPS data to his computer and the 110,664 km long path taken by the unit inscribed his portrait on a map of the world.

See it at biggestdrawingintheworld.com

UK theme park bans PDAs, mandates family fun time

From ars technica

Alton Towers Resort, an amusement park in the UK, is trying out a ban on PDAs this week. The experiment could become a permanent policy if things go well, becoming part of a social movement designed to draw lines of proper gadget usage in public sands.

With a squad of "PDA police" roaming the park, any adults caught using a qualifying device will be directed to one of five "PDA Drop Off Zones" at which they can "safely" leave their PDAs for the day. The experiment's declaration at Alton Towers' site is low on details as to what measures will be taken to ensure the devices wouldn't be tampered with (it also specifically uses the term "PDA," though we're fairly certain it's just an umbrella term for other devices like smartphones, BlackBerrys, etc.). There's also no word on what repercussions, if any, adults will face if they refuse to make the trip to a PDA Drop Off Zone.


This is more than just asking people to turn off their cell-phones, but I like the idea. Maybe some people have to be forced to relax and to spend time with the family.

Thursday, May 15, 2008

Back to My Mac and PhotoBooth Used to Identify Thieves

From SANS NewsBites Vol. 10 Num. 38


(May 10, 2008)
Police were able to track down a pair of thieves after the owner of a stolen laptop computer used the "Back to My Mac" service to gain access to the computer when the thieves used it to surf the Internet, and then took pictures of the suspects using PhotoBooth, a standard software on new Apple laptops. One of the woman's roommates recognized one of the men from the photo as a guest at a recent party. The two men were arrested and police recovered two laptops, two flat screen televisions, two iPods, and other electronic and related items.

NY Times
Sydney Morning Herald


It's always heart warming when victims successfully fight back.

Microsoft Will Release Four Security Bulletins Next Week

From SANS NewsBites Vol. 10 Num. 37


(May 8, 2008)
This month, Microsoft says it will release four security bulletins on patch Tuesday, May 13. Three of the four bulletins have been given severity ratings of critical; the other has been rated important. The patches address flaws in Windows, Word, Publisher and Jet Database Engine. The important bulletin will address flaws in Microsoft's anti-malware products. Two of the four patches will require restarts.

GCN
IDG
Microsoft

[Editor's Note (Cole): It is critical that organizations have an approach to apply patches within 24 hours. I am seeing patch Tues. and exploit Thurs., where attackers will reverse engineer patches and exploit the systems within 48 hours. Timely patching is no longer a recommendation it is a requirement.]


Exploit Thursday? That is a worrying, if expected, development. Attackers have obviously built some sophisticated tools to quickly reverse engineer patches and then use the knowledge gained to add a new attack vector to their malware. This is far easier than trying to find holes themselves. Very smart.

Sunday, May 11, 2008

The Mac in the Gray Flannel Suit

From BusinessWeek


Soon after Michele Goins became chief information officer at Juniper Networks (JNPR) in February, she decided to respond to the growing chorus of Mac lovers among the networking company's 6,100 employees. For years, many had used Apple's (AAPL) computers at home and clamored for them in the office as well. So she launched a test, letting 600 Juniper staffers use Macs instead of the standard-issue PCs that run Microsoft's (MSFT) Windows operating system. As long as the extra support costs aren't too high, she plans to open the floodgates. "If we opened it up today, I think 25% of our employees would choose Macs," she says.


I think the 25% estimate is low. People who have changed to Macs are really enjoying the experience. There is the initial honeymoon period where it's more emotional than rational, but that no longer ends in divorce. People are genuinely finding OS X easier to use, stable and pretty.


Millions of consumers are seeing the Mac in a new light. Once an object of devotion for students and artists, the Mac is becoming the first choice of many. Surging demand for the machines led Apple to predict revenues will rise 33% in the second quarter, to $7.2 billion, even in the face of an economic slowdown.


We are seeing this as well. We have just completed a weekend-long deployment of 30-plus workstations and an Xserve in a design department. As a result of the process, two people who normally use Windows bought Macs, and an internal support technician on hand to help with IT issues was blown away by the ease of the deployment.


Mac fanboys have been singing Apple's praises for years, of course. But now the call is coming from mainstream users, people who may have started off with an iPod, then bought a Mac at home and no longer want a "Windows-by-day, Mac-by-night" existence. At Sunnyvale (Calif.)-based Juniper, CEO Scott Kriens is one of the people with a new MacBook laptop. "Everybody told me I should get one," he says. "It's not anything to do with negative perceptions about Microsoft. It's just that Macs are cool." IBM (IBM) and Cisco Systems (CSCO) are running similar tests on whether to let Macs into the office. Google (GOOG) has allowed employees pick their machine of choice for years.

Others are sure to follow suit. Mark Slaga, chief information officer of Dimension Data , a large computer services firm based in suburban Johannesburg, says he has received 25 e-mails recently from employees who want permission to use Macs at work. So far he has refused, because he doesn't want to hire people to provide Mac tech support, but "it'll happen someday," he concedes. "Steve Jobs doesn't need a sales force because he already has one: employees like the ones in my company."


If you have not yet tried a Mac, maybe it's time you considered doing so. From the desktop to the server, you will find a product that has a lower TCO than you expected. Macs are more stable, have fewer security and virus issues, enjoy a longer effective life span and they are ready for the enterprise. Each of these alone would be reason enough to consider a switch to Macs. Put them together, factor in the nervousness associated with Vista and the end-of-life of XP, and I think a serious case can be made for looking in Apple's direction.

Wednesday, May 7, 2008

Nine Memory Sticks Stolen from Hong Kong Hospitals

From SANS NewsBites Vol. 10 Num. 36


(May 5, 2008)
In the last year, nine memory sticks have been stolen from five Hong Kong hospitals. In all, the devices hold personally identifiable information of more than 3,000 patients, including 700 children with developmental problems. Those files also hold patient interviews, assessments, and for some, photographs and identity card numbers. A task force has been set up to investigate the thefts and develop ways to avoid similar data security breaches.

Monsters and Critics
The Standard

[Editor's Note (Schultz): A six month delay in notifying potential victims of identity theft is inexcusable. Until harsh punishments are handed out for such negligence, this kind of thing will continue to occur.]


This is becoming such a common problem that reports are being relegated to the back pages. Stolen or lost storage devices such as memory sticks, phones, portable drives and even laptops can contain critical and/or strategic information. Users in companies are demanding that their information be available to them from wherever they are. This means that payroll spreadsheets get downloaded to cell phones, business plans are saved onto memory sticks or server passwords are kept on iPods.

The IT department will never be able to roll back the tide of convenience that this brings, nor should they try to. What they should do is plan for disaster when devices with critical data are lost, even in the event that the loss is not reported.

Start implementing a policy that ensures that data on mobile devices is secured. Software like TrueCrypt can secure devices under Windows, OS X and Linux. Simultaneously develop a password storage policy to deal with the initial tide of lost or forgotten passwords for encrypted devices. Password management software will help immensely with this task.

Sunday, May 4, 2008

Court Ruling on Electronic Border Searches

From SANS NewsBites Vol. 10 Num. 35

(April 23, 30 & May 1, 2008)
The Association of Corporate Travel Executives (ACTE) is warning members "and all business travelers to limit proprietary information on laptop computers when crossing US borders." ACTE issued the warning after an April 21 federal appeals court decision that "gives customs officials the unfettered authority to examine, copy, and seize traveler's laptops - - without reasonable suspicion." The decision covers a range of electronic devices; in addition to seizing data from laptops, US Customs and Border protection officials can seize data from cell phones, handheld computers, digital cameras and USB drives. The EFF, the American Civil Liberties Union (ACLU), and the Business Travel Coalition have written a letter asking that the House Committee on Homeland Security "consider legislation to prevent abusive search practices by border agents and protect all Americans against suspicionless digital border inspections."


Computerworld
ACTE
The Register

[Editor's Note (Ranum): It's as if someone in the administration mistook his copy of "1984" for a road-map not a novel.
(Schultz): Customs officials' ability to seize any kind of property without reasonable suspicion lamentably once again shows the current level of disregard for individual rights in the United States. Big brother is not only watching; big brother is being totalitarian.
(Honan) A number of organisations outside the US have banned staff from travelling to the US with laptops or other electronic devices.]


It's bad enough that trojans and adware can spy on your every move, or that lost and stolen laptops can expose reams of confidential data, but now the US government also wants in on the action. In the name of the War on Terror.

This is like everything America does. The rest of the world will simply have to accept that that's the way it's going to be. We can hope that US citizens will do something about it, but until then it might be a better idea to give us a call to set up a VPN that you can use to remotely access confidential data directly from your network rather than trying to carry it into the US on a laptop.

It's probably a better idea anyway when one considers the prevalence of laptop theft.

Latest Major Whaling Attack Uses US District Court Subpoena

From SANS Newsbites Vol. 10 Num. 31

(April 16 & 17, 2008)
A spear phishing attack emerged this week targeting high-level executives at US firms. The emails, which include the executives' names and other specific information, appear to be subpoenas from the US District Court in San Diego. The link, which is supposed to be a copy of the subpoena, actually installs malware on the victim's computer that is capable of logging keystrokes and sending the harvested information to the attacker. An additional piece of malware allows the attacker to take remote control of the victim's computer. Phishing attacks that target corporate "big fish" have been referred to as "whaling."


NY Times
The Register
Computerworld
[Editor's Note (Honan): As these "Whaling" attacks are becoming more prevalent you should ensure you make your senior management aware of this threat. Reviewing their profiles on online business networks and Googling their names is one way of highlighting to them the amount of personal information they are leaking which could be used against them.]


I guess there is a certain amount of satisfaction when 'the bosses' get conned, evidenced by calling this whaling, but the truth remains that social engineering is still the easiest way to penetrate an organisation or a computer. And anyone can fall prey to this attack vector.

This attack is obviously more sophisticated than those that simply fire off thousands of anonymous mailings claiming to be from a bank that you may or may not use. However, in this case, the rewards for a successful attack are also much higher as the targets are likely to have more valuable information on their computers.

It's also an important heads-up. One of the easiest ways to recognize a phishing attack is the generic nature of the mailing. This attack shows that a message containing specific information about you is no reason to assume it is legitimate. It's now important to also know what information about yourself is publicly available.
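Since the personal details in the message can no longer be trusted as a sign of legitimacy, the thing worth checking is the link itself: in the attack above, a link presented as a court document actually delivers an executable from somewhere other than the court. The following is an added example, not code from the original post or from SANS, that inspects the links in an HTML e-mail and flags exactly that pattern. The trusted court domain list is an assumption, and both sample messages are constructed for illustration.

```python
"""
Added example: flag e-mail links whose visible text or wording claims a court
document but whose real target is an untrusted host or an executable file.
Sample messages and the trusted-domain list are constructed assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: domains that legitimately host US federal court material.
TRUSTED_COURT_DOMAINS = {"uscourts.gov"}

# File types that have no business being a "copy of a subpoena".
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".zip")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registered_domain(host):
    """Crude eTLD+1 (last two labels); enough for this illustration."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html):
    """Return a list of (href, reason) for links that deserve a closer look."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        domain = _registered_domain(host)
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append((href, "document link points at an executable/archive"))
        if re.search(r"subpoena|court", text, re.I) and domain not in TRUSTED_COURT_DOMAINS:
            findings.append((href, f"'{text}' links to untrusted host {host}"))
        # Visible text that looks like a URL but disagrees with the real target.
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and _registered_domain(shown.group(1)) != domain:
            findings.append((href, f"displayed host {shown.group(1)} != actual host {host}"))
    return findings


# Constructed sample resembling the whaling message described above.
SAMPLE_WHALING = """
<p>Dear Mr. Example,</p>
<p>You are hereby commanded to appear before the United States District Court.</p>
<p>A copy of the subpoena is available at
<a href="http://subpoena-service.example.net/casedocs/subpoena.exe">
https://www.uscourts.gov/subpoena/case-0000.pdf</a></p>
"""

# Constructed benign message: text and target agree and stay on a trusted domain.
SAMPLE_BENIGN = """
<p>The court's public calendar is at
<a href="https://www.uscourts.gov/calendar">https://www.uscourts.gov/calendar</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("whaling", SAMPLE_WHALING), ("benign", SAMPLE_BENIGN)):
        print(name)
        for href, reason in suspicious_links(sample):
            print("  ", reason, "->", href)
```

Run as a mail-gateway or mailbox rule, this catches the whaling sample on three independent grounds (executable target, untrusted host for a "subpoena" link, and displayed URL disagreeing with the real one) while leaving the benign message alone. The domain matching is deliberately crude; a production filter would use a proper public-suffix list and an allow-list agreed with the legal department.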

And that means that you have a legitimate excuse to indulge in a bit of ego-surfing... go on, Google is your friend.