Christmas comes early for scammers
Internet and messaging security firm Websense has uncovered its first Christmas virus scam, and we aren't even out of November.
The scam, which is so devilish it can only have come from the Grinch, offers a lucky email recipient the chance to feel like they have the sort of friends who send out tedious e-cards, but has a nasty little payload.
Yep, apparently some swine has spoofed a reputable firm's type of message and put a stinky pile of malicious code in the back of it. Websense said that a URL within the postcard leads the recipient to a .exe file. If downloaded, this creates a backdoor on their computer which allows access to and control of the compromised machine. And all this from a Christmas message celebrating the season of goodwill.
However, it's difficult to not be dismayed with the type of person who would be conned by such a virus. "During the install process an image called xmas.jpg is displayed to the user as a distraction technique," Websense explains. A distraction technique - what are they, monkeys? It's amazing the impact a picture of some elves in Santa's grotto can have on IT security best practice.
Author: David Neal
November 28, 2008
Data breach laws out of favour
The UK government has announced it will not be implementing a data breach notification law. Rather than do something that sounds really sensible, like force businesses to let their customers know when they have hemorrhaged personal data, the Ministry of Justice has decided that it is best to require them to do nothing much at all. Unless they really fancy it.
"As a matter of good practice any significant data breach should be brought to the attention of the ICO [Information Commissioner's Office] and that organisation should work with the ICO to ensure that remedial action is taken," the Ministry report recommends. This is despite the fact that over in the US, data breach notification rules are thought to be a rather wise move; and closer to home, the dusty old House of Lords can even see the good sense inherent in the idea.
However, although a data breach notification law sounds like a good proposal, what effect it would have on the UK public is unclear. It seems that hardly a day goes by without a terrible announcement about some organisation or other shedding personal data like a skin, so surely the public ought to be made aware of it. But think of the panic and widespread confusion that daily admittances would cause.
The country is already in a state of flux. Do people really want to know if someone in a shop down the road from them has exposed the details of their morning newspaper delivery by casually throwing away an old ledger, or do they want to be alerted every time someone in the NHS does something stupid? Perhaps not.
Perhaps, for once, a softly softly approach is the best idea and we should let firms assess the severity of the incidents themselves before tackling them in the appropriate manner. After all, the less fuss and panic there is, the more faith we can all have in the industries, organisations and enterprises that we all use on a daily basis.
Alternatively, we could just let Christmas and the recession get out of the way and reconsider the whole mess. We are all far too busy at the moment to worry about anything like boring old data.
Author: David Neal
November 27, 2008


