All the security attention paid in recent years to securing the Windows desktop and the applications running on it have paid off a little, Cisco found, making it harder for computer scammers to successfully carry off their intended crimes on that platform. The trouble is they’re now starting to focus more attention on mobile devices, including Apple’s iPhone and iPad, and devices running Google’s Android operating system, Cisco said.

Meanwhile, the overall global volume of spam, which often contains troublemaking links that are used to deliver attacks, decreased for the first time ever in 2010. Even so, spam still increased in some developed countries where broadband connections are multiplying. In the United Kingdom, spam volume nearly doubled, while the volume in France went up 115 percent. The U.S. saw a slight decline–11.1 trillion messages down from 11.3 trillion in 2009. Spam in Brazil, China and Turkey also declined. Some of the decline can be attributed to last year’s arrest by FBI agents in Milwaukee of a Russian accused of being the “king of spam,” and to the shutdown of a few botnets used by scammers to send spam.

One thing about Cisco’s report that’s likely to draw some attention is its finding that the raw number of vulnerabilities on Apple products appear to be growing. Apple users are usually pretty sensitive about this topic, and any comparison of the Mac to Windows on the security front tends to make them grind their teeth and pound out annoyed comments on tech blogs. I know because I’ve done the same teeth-grinding and have in the past criticized other reports for similar findings.

Here Cisco is addressing vulnerabilities that Apple has itself documented and patched in software updates. One thing that’s not clear to me–though it sure looks like it–is whether Cisco is combining vulnerabilities found on both iOS (iPhone and iPad) and OS X (the Mac). The data it’s using is from its IntelliShield service, which tracks vulnerabilities and security incidents, and shows that over five years Apple’s vulnerabilities rose, from less than 200 in 2006 to more than 350 in 2010. That rate was higher than Microsoft and Hewlett-Packard and Cisco itself, the report found, though it goes on to say that Apple has worked harder than most other vendors to protect its users. Security is one of the reasons Apple imposes such strict rules on what’s available in the App store, though people still jailbreak their phones.

Another trend Cisco found is something called “money muling.” Tom Gillis, VP and general manager of Cisco’s Security business unit, describes money muling as using unsuspecting people who are attracted by “work at home” spam messages and Web ads to participate in money laundering by moving small amounts of money into bank accounts, just a few thousand dollars at a time. He says the operations around this are becoming increasingly elaborate, and criminals will devote a lot of effort to developing it this year.

I talked with Gillis about the report and other security trends that Cisco found. Here are a few highlights from our conversation:

NewEnterprise: So you’re seeing fewer attacks on Windows and more on mobile devices. Is that simply because there are more of them?

Tom Gillis: It’s the simple fact that there’s this new class of mobile device coming into the enterprise that used to be a phone and now it’s a computer, and it can access enterprise information. So what we’re seeing is that the raw number, but not the severity, is down on Windows. Part of this is that Windows 7 was a very good release on Microsoft’s part from a security standpoint. And we’ve got these new devices coming into the enterprise, and so we’re seeing a shift in focus of attacks on these mobile devices. They’re vulnerable to attack and they’re relevant in the enterprise. Two years ago this would have been too small a population to be meaningful.

What kind of attacks are you seeing?

It varies. In some cases there’s a little “phone home” code in a free gaming app. Pretty gentle stuff so far. But as people start using smartphones to access sensitive information we need to start thinking about security considerations on these devices. There’s a larger theme here that the whole nature of attacks is changing dramatically. The fact that spam volumes dropped at all is a big tell. For 10 years this has only gone up. We’re not forecasting a steady decline in spam, but the fact that it slowed down at all is an indicator of the shift in the way that attackers are using email. The attacks are more targeted and personal, for one thing.

Can’t some of this decrease be attributed to some of the arrests that happened last year?

It can. There’s been a handful of arrests. And they went after not only the botnet operators but other parts of the spam value chain. There are firms and entities that build botnets of compromised machines that relay the spam, and then there are other firms and entities that rent time on those botnets that do the merchandising. The biggest category is selling fake pharmaceuticals. Some of these fake pharma operations were shut down and the people associated with them arrested. It’s not an easy thing to do, because they’re global, they move around, and so to make an arrest in this space is a huge accomplishment.

So what is the thinking now about securing the mobile device?

We think there are two ways to make mobile devices work in the enterprise. The flood of devices into the enterprise is huge, and everyone wants to use them to check their email and access corporate directories and other fundamental things. There needs to be some kind of software on the end point–the phone or device. It will have to be light. You can’t have some kind of antivirus suite running on the phone. It would be a little piece of software that’s on all the time that knows when you’re behind the corporate firewall and when you’re not, and manages your connection accordingly. We bought a company called ScanSafe that has 40 data centers around the world. When you’re outside the firewall it connects to you the nearest data center and enforces your corporate policies, but all you as the user know is that it just works. This notion of being on or off the corporate network goes away. And we can do all kinds of scanning for security, independent of the device that’s being used.

This year we also saw the Stuxnet attacks, which we now know for certain were carried out against the Iranian nuclear program. Clearly this is a new kind of attack that can be mounted against industrial control systems via computer networks. Is Cisco researching this?

Massively. Often these types of attacks are targeted against Cisco’s biggest enterprise customers. Who buys Cisco’s infrastructure? The biggest banks in the world, the defense contractors. If the goal of an attacker is to disrupt an economy, their targets will be our customers, and they’re demanding a response from us. I like to call it global threat correlation, but it comes down to taking huge samples of network traffic and picking out good traffic from the bad. Cisco has a good advantage here because our equipment is so widely deployed around the world. As we start measuring traffic we can develop reputation data on every publicly routable IP address on the Internet. As we start putting telemetry info into that equipment–and the customer can choose to enable it or not, and it’s turned off by default. But people turn it on because it helps them against the unknown kind of attacks that are popping up. If a Web server says its a Web server, but you just saw it sending spam three minutes ago, there’s a pretty good chance it’s part of a botnet. Once you know that you know that, you can start to mount a pretty good defense. We’re putting a lot of energy into developing that, and it’s proven to be pretty robust.

A lot of this stuff has been out in one form or another, but the narrative is pretty fascinating. If you plow through the document embedded at the bottom of the post, bear in mind that it’s a tale told by Matthew Broad, a detective in San  Mateo County Sheriff’s office. So it’s possible that other parts of the story, and/or different versions of the same story, may still end up coming to light.

Among the highlights:

• Apple knew that Brian Hogan, the 21-year-old who found the iPhone, had the thing because his roommate, Katherine Martinson, called and told the company he had it. Her reasoning, according to Apple (AAPL) security chief Rick Orloff: “Suspect Hogan connected the stolen iPhone to her computer and she believed that Apple would eventually trace the iPhone back to her via IP addresses. Therefore she contacted Apple in order to absolve herself of criminal responsibility.”
• Martinson told police that Hogan had offered the phone to Gizmodo, AOL’s (AOL) Engadget.com and PC World. While Gizmodo owner Gawker Media had previously said it paid $5,000 for access to the phone, the affidavit is a bit fuzzier. Martinson says Hogan told her Gizmodo offered $10,000 for the gadget and later said he’d received $5,000 from Gizmodo and a total of $8,500. But she wasn’t clear where the other $3,500 came from. “Martinson said Hogan also told her that he will receive a cash bonus from Gizmodo.com in July if and when Apple makes an official product announcement regarding the new iPhone.”
• There’s a long cops-and-robbers interlude where police show up at Hogan’s house, but he takes off and is eventually tracked down at his father’s place. In the end, Hogan and Thomas Warner, another roommate, help the cops retrieve a computer, a flash drive and other equipment they’d removed from their place “in order to ‘protect’” Hogan.
• Apple CEO Steve Jobs did indeed reach out to Gizmodo to ask for the phone back. Here’s editor Brian Lam’s response to Jobs, via email (click to enlarge):

And here’s the entire affidavit, which we’re able to see because a group of media companies, including CNET, Bloomberg, Wired and the Los Angeles Times, petitioned a California judge to unseal it. Gawker Media, via COO Gaby Darbyshire, declined to comment on the affidavit and its contents.

UPDATE: Here’s Gawker’s position, via an email Darbyshire sent Saturday afternoon:

First of all, the warrant and supporting affidavit do not appear to acknowledge the sanctity of the newsroom or even address the serious issues at stake.

Second, the idea that it is a felony trade secret theft to photograph an item that was admittedly left in a bar is ridiculous.

Finally, Gizmodo from the start was attempting to investigate if this item was a genuine prototype of a product belonging to Apple; we believed that confirmation of its authenticity and ownership quite reasonably needed to be made in writing – and once we obtained that, the item was returned immediately.

EFF has a detailed piece on the warrant issue here.

Gizmodo-iPhoneOrder

The Laughing Squid blog points us to the site, Chatroulettemap.com, which puts users–and their images–on a Google (GOOG) map, based on their IP address. The site doesn’t map everyone on Chatroulette (right now it lists only about 2,500 people), and it doesn’t mean that anyone who logs onto Chatroulette will be mapped. But it does provide an interesting glimpse of Chatroulette for those who don’t want to try the service.

The still pictures are about what you’d expect–which means some of them aren’t safe for work. But more importantly, they make the point that anonymity on the Web isn’t always all it’s cracked up to be.

Read the rest of this post on the original site

Anonymous sources close to the investigation into the attacks, which targeted dozens of American corporations, tell the New York Times they originated at Shanghai Jiaotong University and the Lanxiang Vocational School. The former boasts one of China’s top computer science programs; the latter has been known to train computer scientists for the Chinese military and reportedly has ties to Baidu, the dominant search engine in China.

While the implications of these findings seem obvious, insiders differ on what they really mean. Some suspect the schools are being used as a cover for Chinese government operations. Others speculate that they’re being used to hide intelligence operations run by a third country. Still others wonder if there’s no government involvement here at all, speculating that the attacks are criminal in origin and were intended to steal intellectual property from American tech firms.

Regardless of which scenario seems most plausible, it’s important to remember that just because the attacks have been linked to IP addresses at these schools’ networks doesn’t mean they necessarily began there.

Asked about the possibility the attacks originated at his school, a professor of Web security at Jiaotong’s School of Information Security Engineering said it was certainly possible.

“I’m not surprised,” the source told the Times. “Actually students hacking into foreign Web sites is quite normal. I believe there’s two kinds of situations. One is it’s a completely individual act of wrongdoing, done by one or two geek students in the school who are just keen on experimenting with their hacking skills learned from the school, since the sources in the school and network are so limited. Or it could be that one of the university’s I.P. addresses was hijacked by others, which frequently happens.”

PREVIOUSLY:

• Nearly a Month After Debut, Google’s “New” Approach to China Still a Lot Like the Old One
• Google CEO: Ask Not What Google Can Do for China–Ask What China Can Do for Google
• China on “Google Farce”: Our Internet Is Open
• China to Google: No Worries, We Were Planning to Clone Those Android Phones Anyway
• U.S. State Department to Complain to China About Google Hack. Not That China’s Going to Listen.
• Microsoft: “Don’t Be Evil” Is Google’s Motto, Not Ours
• What’s the Chinese Word for Bing? Google Threatens to Leave China.

[Image Credit: China Security Blog]

Google has long claimed that the server log data it collects are a critical driver of innovation. Over the years, to appease privacy advocates, the company has tweaked its treatment of those data and the length of time it stores them. Google continues to collect IP addresses, though it makes them anonymous after nine months (it used to do so only after 18-24 months).

This may soon change. And not because of any initiative on Google’s (GOOG) part but because of one by Microsoft (MSFT).

Responding to Article 29 Working Party guidelines for protecting users’ personal data online, Microsoft this morning said its new search engine, Bing, will purge all the data it collects on users after six months. Not make the data anonymous, but purge.

“Today we sent a letter to the Article 29 Working Party notifying them of our intention to make a change to Bing’s data retention policy,” Bing Privacy Manager Reese Solberg wrote in a post to the Bing blog. “Specifically, we are reducing the amount of time we store IP addresses from searchers to 6 months. Currently we keep that information for 18 months before we delete it.”

Elaborating, the letter continues, “Generally, when Bing receives search data we do a few things: first, we take steps to separate your account information (such as email or phone number) from other information (what the query was, for example). Then, after 18 months we take the additional step of deleting the IP address and any other cross session IDs associated with the query.”

In conclusion, the letter describes Microsoft’s initiative succinctly: “Under the new policy, we will continue to take all the steps we applied previously–but now we will remove the IP address completely at 6 months, instead of 18 months.”

Microsoft’s move leaves Google in the uncomfortable position of being far less a friend to privacy than Microsoft. And hard as the company might argue in favor of storing user data, it will likely have to match Microsoft.

It’s difficult to claim that server log data are “a crucial arm in the battle to protect the security of our services against hacks and fraud” when a prominent rival is essentially claiming exactly the opposite.

Google (GOOG) handed over the woman’s identifying information to Liskula Cohen, who was trying to find out who had insulted her on “Skanks in NYC,” a now-defunct site created using Blogger. Cohen argued that she had been defamed by the site’s anonymous proprietor and needed to find out who that person was in order to sue him or her. On Monday, Supreme Court Justice Joan Madden agreed, and yesterday Google complied with her order.

In an interview with “Good Morning America” host Dianne Sawyer today (sorry, no embed!), Cohen says her antagonist is a frenemy of sorts–“an irrelevant person in my life…that girl who was always there,” and that’s she not sure whether she’ll sue her after all.

The bigger question is whether the case sets a new precedent for unmasking anonymous voices on the Web, and I suppose it’s possible that it will: If you don’t like what people have written about you and you can hire a lawyer who can convince a judge that you’ve been defamed, you can out them.

But the truth is that the anonymity most people think they’re enjoying on the Web has always been an illusion.

Every time you use the Internet, you’re leaving a trail of identifiable information–even if you never log in to a single service, your IP address can give you away, or at least come close to it. And if you do use any kind of service at all, or at least one based in the U.S., your identity has always been available to someone who can get a subpoena. Worth thinking about next time you want to spout off without signing your name.

New York Police Commissioner Raymond Kelly said Wednesday that hackers make at least 70,000 attempts every day to access computer systems of the New York Police Department, the largest police force in the U.S. Kelly said most of the attacks originated from computers with IP addresses in China and the Netherlands, according to Newsday, but that all attempts have failed thanks to the department’s security system.

Read the rest of this post on the original site.

“The majority of all internet traffic is file sharing, which is why nothing other than the new IPRED law can explain this major drop in traffic,” Anti-piracy Agency lawyer Henrik Pontén told Metro. “This sends a very strong signal that the legislation works.” Christian Engstrom, vice chairman of the Pirate Party, a group seeking copyright law reform, agreed, but said the decline is likely to be only temporary. Once the public realizes that the odds of being busted for file-sharing are low, Internet traffic will return to normal levels again. “Today, there is a very drastic reduction in internet traffic,” Engstrom told The BBC. “But experience from other countries suggests that while file-sharing drops on the day a law is passed, it starts climbing again. One of the reasons is that it takes people a few weeks to figure out how to change their security settings so that can share files anonymously. We estimate there are two million file-sharing [computers] in Sweden, so even if they prosecuted a 1,000 people to make an example of them, for an individual user it is still a very small risk.”

[Image credit: Chart courtesy Royal Pingdom]

It has, indeed. Which is why it’s so supremely ironic to hear that Viacom (VIA) and Google have reached a deal to mask the user IDs, visitor IDs and Internet protocol addresses contained in the YouTube database. From the agreement:

When producing data from the Logging Database pursuant to the Order, Defendants shall substitute values while preserving uniqueness for entries in the following fields: User ID, IP Address and Visitor ID. The parties shall agree as promptly as feasible on a specific protocol to govern this substitution whereby each unique value contained in these fields shall be assigned a correlative unique substituted value, and pre-existing interdependencies shall be retained in the version of the data produced.”

Why go to such trouble to conceal information that both companies claim isn’t personally identifiable?

Apparently, to protect the privacy of tens of millions of YouTube viewers who it personally identifies.

The federal judge presiding over Viacom’s (VIA) $1 billion copyright infringement lawsuit against Google (GOOG) and YouTube denied a motion for the pair to produce their source code Wednesday. “YouTube and Google should not be made to place this vital asset in hazard merely to allay speculation,” U.S. District Judge Louis L. Stanton wrote.

Apparently he didn’t feel quite as strongly about the privacy of YouTube users because he felt entirely comfortable turning that over to the media company. And so he ordered Google to provide Viacom with YouTube’s Logging database, which contains:

…for each instance a video is watched, the unique “login ID” of the user who watched it, the time when the user started to watch the video, the internet protocol address other devices connected to the internet use to identify the user’s computer (“IP address”), and the identifier for the video. That database (which is stored on live computer hard drives) is the only existing record of how often each video has been viewed during various time periods.”

To Stanton such data isn’t a “vital asset,” although the authors of the Video Privacy Protection Act and anyone else with an interest in personal privacy would likely disagree. Said the Electronic Frontier Foundation, “The Court’s erroneous ruling is a setback to privacy rights, and will allow Viacom to see what you are watching on YouTube. We urge Google to take all steps necessary to challenge this order and protect the rights of its users.”

And Google will almost certainly do that. But it may have its work cut out for it, because in this case it’s fighting not just Viacom and the presiding court, but itself. You see, in granting Viacom’s request for YouTube’s Logging database, Stanton cited Google’s own argument that IP addresses aren’t always personal data. “Defendants argue that the data should not be disclosed because of the users’ privacy concerns, saying that ‘Plaintiffs would likely be able to determine the viewing and video uploading habits of YouTube’s users based on the user’s login ID and the user’s IP address,’ ” Stanton wrote. “But defendants cite no authority barring them from disclosing such information in civil discovery proceedings, and their privacy concerns are speculative. Defendants do not refute that the ‘login ID is an anonymous pseudonym that users create for themselves when they sign up with YouTube,’ which without more ‘cannot identify specific individuals,’ and Google has elsewhere stated:

We … are strong supporters of the idea that data protection laws should apply to any data that could identify you. The reality is though that in most cases, an IP address without additional information cannot.”

–Google Software Engineer Alma Whitten, Are IP addresses personal?, GOOGLE PUBLIC POLICY BLOG (Feb. 22, 2008)

Ironic, no?