Also, it would appear that web proxies are also worth probing, as TCP:8080 was third in the list, which suggests that hackers see this as another backdoor.

The threat producing counties have shifted around again this month. India has become the single biggest producer of internet viruses in the world, followed by Russia and then the US. Viruses from the UK have dropped this month slightly  – perhaps even our virus writers take a little time off in the summer. The top spam-producing countries are the US, India and Brazil (with the UK fourth in the list).

The full list of this month’s threats are on our website.

The alternative theory is that for the Pentagon, like any big organisation, security is a huge task that may be under-funded; and – if it is like most organisations – is reactive rather than proactive.  We knew, even in 2008, that viruses could spread by USB keys and that they had to be treated with great care.  Obviously even more so in the case of the military. But as this was the first significant security breach, it would be understandable if the policy had been to trust internal users to be sensible and security conscious, and so let security procedures lapse.

I am hoping here, that the alternative – that nobody thought of this attack vector – cannot possibly be true.

However, people are a problem and soldiers are just ordinary folks (better armed and organised than your average reading group admittedly), so it isn’t greatly surprising that something like this would happen. After all, it has happened to a lot of other organisations.  So perhaps this is just human and organisational failure rather than some dark scheme. Obviously it is a real worry as almost certainly the herder of this worm was not from the US; they may have extracted data and they may have tried to sell it.  That’s what writing viruses, trojans and worms is all about. It is possible that they were really expecting credit card details and account logon details, so a pile of military secrets might not be what they normally traded in.

Having said all this, it has probably happened to quite a few companies. The important thing is, what has been the reaction?  Was it to impose a quick ban on all USB keys (which is one way to deal with this, but it could impact normal business)? I expect that is not all that has been done. If this way in to the Pentagon was missed in the first place, are there others? Any security breach like this, for any organisation, calls for a complete review of security.

If this hasn’t been done, then it should be – and soon. Yesterday, if possible.

This article comes after a PC Pro article, published last month, which showcases a new simplified password system from Microsoft, which allows users to pick a simple password, as long as not many other users have chosen the same one or the desired password was not an “…attractive target for a statistical guessing attack”.

So, should passwords be long and complex, or short and easy to remember? We’ve been recommending 12 character passwords made up of combinations of lower and upper case letters, numbers and symbols. But the truth is the password security problem has been around for as long as passwords have existed and at the moment no method is 100 per cent secure. Those people who do come up with complex passwords may chose to write them down, or save them on a memory stick because they simply cannot remember multiple unique complex passwords – thus nullifying the extra measures that they have gone to.

The websites and applications that authenticate customers by asking for the username and passwords should look at improving their methods of authentication.

One standard method they could use which would be a real barrier against brute force attacks would be to ensure that if a customer gets their password wrong five times they are unable to try again for half an hour, and once they do successfully log on, the customer should be notified that someone has tried to access their account, which will allow them to check if their password is secure, and change it to something less easy to guess if necessary.

The result of this method would be that no matter how fast the brute force attack was, it would have to wait half an hour for every five password attempts. With this method, it really wouldn’t matter how powerful the hardware of the attacker was, they would still have to go through the process.

In our guide on authentication, released in September 2009, we discussed two-factor authentication as a possible solution. The system, already being used by some bank customers, takes something the user knows (their password) and combines it with something they have in their possession (a key fob or device which generates a random number) to create a more secure system. But having to carry around a different device for each service you use is somewhat impractical.

On the other hand, using a password by itself leaves the user wide open to abuse from keyloggers and phishing attacks. If your computer is infected, or if you are tricked into telling someone your password, your security is compromised. Add a token into the mix and it greatly reduces the risk of exploitation, as the hacker would have to be close enough to take the token from your possession, making it harder for the hacker to do and easier for the authorities to catch them if the try.

No matter how long or complex you make your password, or how often you change it, the password will not be immune from being compromised. Whether by an infected PC, a conned user or someone absent-minded who keeps all of their passwords written down in their laptop bag, there will always be a way to crack a password. But, until the systems we access implement stringent authentication measures of their own the best thing we can do as users is come up with passwords that are as secure as possible whilst being memorable.

Why worry about what employees do on the internet during their breaks at work?

Businesses need to protect their bandwidth. Run low on bandwidth and you’ll soon be unable to download content. Our latest figures reveal that YouTube, a website which places a huge drain on bandwidth, is responsible for 10.2 per cent of corporate bandwidth usage. Add Facebook, which uses another 5 per cent of bandwidth and 15 per cent of available corporate bandwidth is used by websites that are probably not being used for business purposes.

Malware is another issue that businesses could face when they permit their employees to use social networking sites. In our sample, Facebook alone received over one billion hits from people at work between April and June 2010, this represents a significant risk of corporate networks coming into contact with viruses and phishing attacks on the site. Of course, some businesses may wish, or even encourage social network use for business reasons, in which case measures need to be taken to ensure that network security is not compromised. (See our securing social media series of guides for further information on how to achieve this).

However, Google, which is the second most visited website whilst at work – and probably for work related purposes, has been suffering a malware problem of its own with malicious links appearing in the search results.

It’s abundantly clear that managers need to ensure that business networks are fully protected against internet threats. This means:

-    Staying on top of the latest trends in online communication, to know what security is required.
-    Implementing and enforcing an internet usage policy.
-    Educating employees about the risks that they are likely to encounter online.
-    Budgeting for expert advice, training, personnel and solutions to keep the network protected 24/7.

The survey tracked 14 billion URLs and 225,000 GB of bandwidth usage between April and June 2010.

The top five websites (by the number of hits) visited from business addresses in Q2 2010 were:

1.    Facebook  7.2%
2.    Google  3.9%
3.    Yimg  (Yahoo’s image server)  2.9%
4.    Yahoo  2.3%
5.    Doubleclick  1.6%

The top five websites ranked by the bandwidth they use were:

1.    YouTube  10.2%
2.    Facebook  5%
3.    Windows Updates  3.2%
4.    Yimg (Yahoo’s image server)  2.9%
5.    Google  2.5%

Our latest guide, examines what areas of network security are suitable for delivery via the cloud, and which should remain on-site.

Cloud delivered security is perfect for securing, encrypting and archiving email. In fact, we’ve just launched a cloud-based email archiving service, based on Webroot’s technology. The cloud can also be great for filtering internet access in the cloud to prevent employees visiting non-work related sites or downloading unapproved content which would otherwise take up huge amounts of bandwidth and expose corporate networks to increased risks of malware.

Too often, we think of IT security as being email and web filtering. These are important, of course, but there are other – critical – elements of business security that cannot be managed completely in the cloud, such as a properly configured firewall and IDP system.

Remote working is more common place (helped in part by cloud technology and business services), but companies that use remote access often leave themselves wide open to potential security breaches by not using a virtual private network, and using an easy to set up, but far less secure remote desktop service. Setting up a VPN can be difficult, but it’s better to invest in getting one professionally set up, than risk costly damages to your firm as a result of using an insecure service.

The most important thing to remember is that no security system, whether cloud based, or on-site, can fully replace stringent security procedures. Human error is still the number one factor in breaches of IT security, and whilst it will never be completely vanquished, companies can improve their chances by ensuring that strong security policies incorporating good change control and monitoring are in place in addition to cloud and on-site security.

Routing and hardware/software updates are also areas where businesses can come unstuck. Poorly configured routing can leave the network vulnerable to attack and un-patched systems can expose the network to malware threats.

As ever, what is needed when thinking about cloud delivered security versus on-site security, is experience and knowledge. Choosing the right combination can depend on a number of factors but to create a comprehensive security system it must be backed up by strong procedures.

To read the cloud security guide in full, download it for free from the Network Box website.

The Mariposa botnet, which infected some 12 million computers and some HTC mobile devices, also impacted major banks and US Fortune 500 companies. The virus allowed hackers to steal online banking and credit card details, as well as giving them access to other sensitive data.

This further arrest is a good example of what can be done when nations co-ordinate their fight against cybercrime, and it does serve as a warning to other hackers that their business is more risky than they may imagine. However, at the moment the major ‘wins’ in the fight against cybercrime – at an international level – seem to be high profile attacks that target major corporations and financial institutions. Which is somewhat inevitable given the work required to co-ordinate efforts across borders. Somehow, this co-operation has to be encouraged and eased so that the vast number of smaller attacks which are businesses and home users can be dealt with.

Our July internet threat statistics, which have just been published, clearly demonstrate that now is not the time to neglect the fight against cybercrime (something which the recent policing green paper may indicate).  The UK now produces around five per cent of the world’s viruses and spam, coming in fourth place in the top 10 worldwide hotspots. The United States still dominates the charts, producing over 14 per cent of viruses and 11 per cent of spam in the world.

If we compare the most recent statistics to January 2010, a few things become apparent:

-    Brazil, responsible for 15 per cent of the world’s viruses in January, doesn’t feature in the top ten virus producers in July, and produces 2.7 per cent less spam than it did (it’s now responsible for 4.9 per cent).
-    The UK, which was in neither the spam or virus charts in January, is now producing five per cent of the world’s spam and viruses.
-    The US remains a top three virus and spam producer, increasing virus production by 3.4 per cent (to 14.6 per cent) and spam production by 1.4 per cent (to 11.4 per cent).
-    India’s virus production has risen by six per cent (and is now 9.5 per cent) and spam production has risen by two per cent (to 8.7 per cent).

The figures show how dynamic the cybercrime ‘industry’ is. Often comprised of a global network of infected computers, employing people working alone or in small teams, these gangs can operate in a far more fluid way than legitimate organisations and will move their base of operations to less stringent jurisdictions if they feel threatened. This is why there needs to be an international solution to the problem, otherwise it will continue to get worse and we’re likely to see more countries being responsible for less malware as the cyber gangs spread around the world – making it harder for law enforcement to put out the fires.

This scam has actually been around for quite some time and whilst police may struggle to stop criminals from setting up business under a new name once they have been shut down, the potential victims can take control of the situation by putting the phone down.

It is, however, concerning that people are still willing to not only give a cold caller their card details, but also allow them remote access to their computers. These people are taking huge risks with their personal data, not to mention the potential illegal content that could be installed whilst the machine is under someone else’s control.

It’s not clear where these criminals are getting their call lists from. Comments on a Guardian article reveal that the data could be leaking from other Indian call centres that call people for legitimate reasons. What is clear is that the callers know what they are talking about. They seem to be highly trained technicians and can therefore easily befuddle the less technical-minded computer user into granting unfettered access to their PC and handing over their card details for the privilege.

The easiest way to prevent becoming a victim of this scam is by knowing that you only allow someone you know and trust to have access to your computer, and by putting down that phone on all others.

My concern is that, at a time when government has to be seen to be cutting down on quangos, there will be resistance to creating a DPA review panel. But asking the public what do to about the data protection – a complex technical issue about which the majority of informed citizens will probably have only a passing knowledge – seems a step too far in popularist government.

Of course, most people are going to say data protection is A Good Thing. No-one wants their child’s details to be lost or stolen (as we saw today by the ICO’s action against London Borough of Barnet, West Sussex County Council and Buckinghamshire County Council). But understandably, most people (unless they have a real interest in this area) won’t know the multiplicity of ways that data can be used to carry out identity theft, fraud or other criminal activity. If they did, the problem wouldn’t be as serious as it is.

Even people who should be really informed in this area have been caught out. We have seen Yahoo again compromised with Bob Dvorsky (a US senator). This is probably done in the same way as Sarah Palin’s account was compromised, weak password reset questions being just one way of exploiting people.

Let’s hope, then, that those citizens the government chooses to survey are those who are experts in this area, who know that workable solutions are not always straightforward; and even so-called experts don’t always get it right (the Digital Economy bill showed us that).

The result was a temporary decline in malware originating from Russia which suggested that this botnet was largely populated by systems in Russian itself though this might have been co-incidence.  However, as predicted, those figures are up to their usual levels again this month. Russia is once again one of the top four virus-producing countries, behind the US, Korea (South Korea in the main), and India.

The lesson from this is that, unfortunately, criminal gangs are not as easy to shut down as the hosting services they use. Shutting down the site will inconvenience the criminals for a short period – but the financial gains to be made in criminal activity online are sufficient that they will find a way of getting back up and running.

Our analysis – which you can see here – also showed that the levels of spam and viruses coming from the UK are still high. In times of economic uncertainty, criminal activity naturally increases. As ever, our advice to all internet users is to be cautious. If a deal seems too good to be true, it probably is.