A bank that inadvertently sent confidential account information on 1,325 of its customers to the wrong Gmail address is suing Google for the identity of the Gmail account holder. According to court documents, the bank in August received a request from one of its customers asking for certain loan statements to be sent to a third-party. The case, filed in the U.S. District Court for the Northern District of California, involves Rocky Mountain Bank of Wyoming. An employee of the bank, responding to the request, sent the documents to the wrong Gmail address.

When it discovered the error, the bank immediately sent an e-mail to the Gmail address asking the recipient to delete the previous email and the attachment. In addition to the requested loan information, the bank employee also inadvertently attached a file containing names, addresses, tax identification numbers and other details on 1,325 account holders to the same address. The bank also asked the recipient to contact the bank to discuss what actions had been taken to comply with the bank's request. When Google refused to provide any information on the account without a formal subpoena or court order, the bank filed a complaint asking the court to force Google to identify the account holder. When it received no reply, the bank sent an e-mail to Google asking whether the Gmail account was active or dormant and also what it could do to prevent unauthorized disclosure of the inadvertently leaked information.

Rocky Mountain Bank also requested that its complaint and all of the pleadings and filings in the case be sealed. U.S. District Court Judge Ronald Whyte dismissed that request, saying there was no need for the proceedings to be sealed. "An attempt by a bank to shield information about an unauthorized disclosure of confidential customer information until it can determine whether or not that information has been further disclosed and/or misused does not constitute a compelling reason," Whyte wrote last week. The bank said it hoped to prevent unnecessary panic among its customers and a "surge of inquiry from its customers." The bank argued that if the complaint and motion papers are not sealed, all of its customers would learn of the inadvertent disclosure. This is the third time in recent weeks that Google has faced a similar issue. The man alleged that the contributors to the paper had unfairly linked him to government corruption. Earlier this month, the Associated Press reported that a resort developer in Miami had obtained a court order requiring Google to disclose the identities of anonymous contributors to an online newspaper in the Turks and Caicos Islands.

In that case, Google indicated that it would disclose the data only after first informing the paper about the request and giving it a chance to appeal for the court order to be quashed. In the other incident, a court in New York compelled Google to disclose the identity of a blogger who had made disparaging comments about a Vogue model in her blog "Skanks in NYC."

Network companies struggled to obtain venture funding throughout 2009, and finished the year out with another dismal quarter, according to data released this week. For all of 2009, investors gave $5.1 billion to network companies, down from $9.4 billion the previous year and the lowest total since 1996. The total number of companies receiving funding last year was 1,003, the lowest since 1995. "We're down about half from where we were a year ago," says Tracy Lefteroff, a global managing partner of PricewaterhouseCoopers, which produces the quarterly MoneyTree Report. "There are just no buyers for goods and services that are encouraging venture capitalists to put money in this space." If there's one positive stemming from the venture funding declines, it's that companies that do receive funding are likely to have a strong chance at long-term success. "The deals that are getting funded are high quality because the bar is so high in this space right now," Lefteroff says. In Q4 2009, venture funding for network vendors was $1.4 billion, down from $1.9 billion in the previous year's quarter. The youngest network vendors are having the most trouble securing funding, as start-up and seed companies only received $38 million in Q4 2009, less than half the total in the third quarter.

Notable deals that might interest IT professionals include $35 million for Aquantia, a maker of 10GBASE-T Ethernet products; $35 million for Palantir, a maker of data analysis software; $22.3 million for Widevine, a provider of encryption and key management systems; and $21 million for SandForce, a flash memory vendor. The biggest network deal of the fourth quarter went to Chegg, a textbook rental e-commerce site in Silicon Valley that received $57 million from venture firms. In the MoneyTree Report, network companies include makers of computer software, hardware, peripherals and services; data, Internet, satellite and wireless communications; Internet software, e-commerce, digital imaging, computer graphics and other network-related technologies. It's a five-year timeline that we're dealing with, I think." Follow Jon Brodkin on Twitter: www.twitter.com/jbrodkin On the whole, investors have been wary of network companies for well over a year and there is little indication that trend might turn around in 2010, Lefteroff says. "I think it's going to be a long, painful recovery," Lefteroff says. "I don't see anything that would suggest that in the next year we're going to see a recovery.

ARLINGTON, Va. - Google's revelation last month that attacks out of China resulted in the theft of some of its data drew attention to the broader question at the Black Hat conference here over what can be done to the villains. The number of people who are arrested and convicted for any of the phishing attacks, intrusions and thefts is tiny. Cyberattacks give rise to anger and a very human desire to strike back, but pursuing attackers in ways that matter isn't accomplishing much.

Several countries, Russia and China in particular, don't want to cooperate on cybersecurity enforcement, said Andrew Fried, a security researcher at the Internet Systems Consortium, a nonprofit group, and a former special agent at the U.S. Treasury Department. "The reality is they don't want to do squat to help anybody," he said, on a panel at the cybersecurity conference today. But Jeff Moss, the founder of Black Hat and director of the conference, questioned whether too much emphasis is placed on that effort. After an attack, such as the China-Google incident, there's always interest in establishing "attribution" - identifying the source of the attack. Moss also serves on the Department of Homeland Security's security advisory council. "We should be spending more energy on dealing with the containment of an attack, reducing the effects of an attack," Moss said. "I don't think we will ever be able to stop the attack." Techies can argue over the source of the Google attack, Moss said, but "is China ever going to extradite anybody? No. So we should probably have a mechanism, a strategy in place, for mitigating, minimizing these attacks." Last month, Google said it was considering pulling out of China after revealing the attacks.

No," he said. "Are we going to go to war over it? Secretary of State Hillary Clinton, in a recent speech on Internet freedom, offered an impassioned defense for the "freedom to connect." But Moss questioned whether Clinton was proposing a U.S. policy for the Internet akin to the "freedom of seas model." "The U.S. Navy spent a lot of time beating up pirates," Moss said. "Is that a call for us to go police the cyber seas ... or does it mean something else, because I don't think that we've got the capability [to defend] the world's cyberspace and keep it free." Google's battle with China in some ways is little more than sideshow compared with what some companies are dealing with. Ben Butler, director of network abuse at GoDaddy, said his department's 19-member staff conducted 232,000 investigations last year over a range of abuses, including spam, phishing and copyright enforcement. Take GoDaddy, for instance, the world's largest domain registrar with more than 38 million domain names. For its trouble, GoDaddy is sued 30 to 40 times a day over the actions it takes, such as suspending a domain, but despite those attempts, "nobody has been successful in suing us yet," said Butler, who was also on a panel. Although most spam is caught in traps, there's enough that gets by to prompt Richard Cox, the CIO of The Spamhaus Project Ltd., a U.K. nonprofit group that tracks spam senders and services, to offer what may be a novel theory as to one of the enablers of the housing bubble.

Among the multitude of security issues, spam is high on the list. He claimed that spam contributed significantly in the selling of subprime mortgages. Air travelers may be screened and searched for explosives, but foreign entities can easily establish a server foothold with co-location providers. "You wouldn't let it happen at the airport, so why would you let the ISPs do it? But Cox was particularly harsh on the U.S. efforts to address security issues. That's effectively what you are doing," he said on a conference panel. His company's research has found that the lapse between initial breach and detection in an organization's security systems is about 156 days. "Attackers basically know that they have unlimited amounts of time once they get into an environment," he said.

In another panel, Nicholas Percoco, senior vice president of SpiderLabs at Trustwave, highlighted the need for more focus on protection. The conference keynote speaker, Gregory Schaffer, DHS assistant secretary of the Office of Cybersecurity and Communications, was asked by one attendee about the U.S. responsibility to defend against attacks launched in other countries. "I think the DHS role, at this point, is to defend the federal civilian executive branch networks," Schaffer said. "We have a leadership role in assisting with the .com space," he said, referring to the commercial sector. Patrick Thibodeau covers SaaS and enterprise applications, outsourcing, government IT policies, data centers and IT workforce issues for Computerworld.

Microsoft's new free Security Essentials looks like it can get the job done, according to new scanning tests conducted by AV-Test.org. In a post on the day of its launch, I referenced AV-Test performance results from a MSE beta. The free standalone antivirus product has caused a stir since its Tuesday release, as might be expected when the words "Microsoft" and "free" are involved. We now have new results from tests conducted this week against the final product (available for download), and overall MSE looks good: Malware detection: MSE detected 98.44 percent of AV-Test's collected zoo of 545,034 viruses, worms, backdoors, bots and Trojans, an entirely respectable showing.

As expected, MSE detected 100 percent of the samples in the Wildlist. However, it didn't do nearly as well when it came to detecting adware and spyware, such as bank info stealers, and detected only 90.95 percent of the 14,222 samples. Most reputable AV apps detect all the Wildlist samples. AV-Test found that MSE doesn't include any effective behavioral detection. Dynamic/behavioral detection: If a program includes behavioral detection, it can identify malware based solely on how it acts on a PC. It's a useful feature for detecting brand-new malware that doesn't yet have a signature. However, AV-Test's Andreas Marx noted that's typically the case for standalone antivirus programs, and that you'll generally need to buy a security suite to get the feature.

Disinfection: MSE was able to clean up all of the active components from 25 different test infections, meaning the malware was effectively neutered. Or, you can pair your free or paid standalone AV program with PC Tools' free Threatfire, which adds an impressive layer of behavioral detection to your security arsenal. As is usually the case, the program often left behind some traces of the infection, such as registry entries or a turned-off Windows firewall. It identified and removed all 25 rootkits (stealth technology used to hide other malware) used in the tests. Rootkit removal: MSE did well here.

Scan speed: When I compared the MSE beta to other free (and finished) AV apps over the summer, it came in last for scanning speed. False alarms: Security Essentials didn't put up any false positives for any of 600,000 known clean files used by Windows, Office and other common apps. In these latest tests, Marx says that MSE scan speed "is quite OK when compared with other AV products" - not the fastest, but not the slowest. However, as Marx notes, most of those files come from Microsoft, so a false positive would have been surprising. As with most other options in that category, it doesn't provide a firewall, behavioral detection, or other security extras. Overall, these results show that Security Essentials holds its own as a free standalone antivirus app.

But since Vista and Windows 7 already include a two-way firewall, and you can add top-notch behavioral protection with another free app, MSE looks like a good budget choice for baseline antivirus protection. Finally, if you're interested in a good business-side opinion piece on Microsoft's move, take a look at this post from Sunbelt's Alex Eckelberry.

Compuware said Wednesday it has agreed to acquire Web application management vendor Gomez for US$295 million. Gomez's technology will work in concert with Compuware's portfolio of tools for managing the performance of on-premises applications, providing coverage "from the data center to the customer," the companies said in a statement. The transaction is expected to close in November. Such capabilities are crucial in today's IT environments, Compuware President Bob Paul said during a conference call Wednesday.

Those competitors offer only "narrow, keyhole views" into various areas, Paul claimed. For example, a retail banking transaction may begin with customers using an iPhone to connect with an online banking Web site, and end up spanning multiple third-party services, back-end databases, ISPs and mobile carriers, Paul said. "The complexity is staggering." The acquisition will bolster Compuware's ability to compete with the likes of Hewlett-Packard, CA and BMC in application performance management. Compuware will also gain fresh footholds in many of the world's largest Web properties. The acquisition announcement follows steps Gomez had taken to prepare for an IPO. The privately held vendor has 272 employees and is based in Lexington, Massachusetts. Gomez has about 2,500 customers, including Google, Facebook, Yahoo and Amazon.com, according to its Web site.

Compuware is not planning any significant personnel changes, according to a statement. Gomez's current product road map will also "essentially remain unchanged," and the Gomez brand will be retained, although plans to integrate the vendors' offerings are afoot, Compuware said.

University of Utah researchers and programmers are creating an iPhone application that will let users edit massive image files containing hundreds of gigabytes of data. It's easy to see the latter being a big hit at Halloween parties this year. When you get bored with that, you can use another of their recently released applications to virtually dissect a real human corpse.

Still in development, ViSUS on the iPhone will let you edit, view and zoom in on such objects as very high resolution, large-scale CT scans, satellite images and geographic images from Google Earth. The university is turning into a hotbed of high-definition iPhone image applications, all released in the last few months and available on Apple's App Store via iTunes. The phone is only a visualization platform: all those gigabytes of image data are running on high-powered servers somewhere else, and stream to the iPhone for rendering. The others, which all run natively on the iPhone with their attendant data, are: * ImageVis3D Mobile - lets you import 3-D images of medical CT or MRI scans, or anything else, to your iPhone and quickly display, rotate and manipulate them. Krueger wrote the iPhone version. "It demonstrates the progress in hardware and [in] software algorithms gleaned from about 25 years of research," Fogal says. "Ten years ago, few people would consider doing what ImageVis3D does without a million-dollar supercomputer.

It's based on a desktop/laptop application originally developed by the University's Scientific Computing and Imaging Institute (SCI), which specializes in software for visualization, scientific computing and image analysis. "Rendering the data on the iPhone is the really incredible thing about this," says Tom Fogal, a software developer with SCI, and co-author of the PC-based software, with Jens Krueger, a German computer scientist. And now, we do it on something that fits in the palm of your hand." SCI is considering porting the application to other mobile platforms, including tablets, but they "have not yet found a device we'd like to target," Fogal says. It's designed for anatomy students, many of whom don't have access to cadavers in anatomy labs. ImageVis3D Mobile is a free application, appearing in the App Store in September. * AnatomyLab - a series of images let you study a real cadaver through 40 stages of an actual dissection. The application grew out of an anatomy textbook project by biology Professor-Lecturer Mark Nielsen, and Ph.D. student Shawn Miller, who created a DVD for the textbook, showing the sequential dissection of a real body.

The application sells for $9.99, and went on sale in July. * My Body - a scaled-down version of AnatomyLab, intended for the general public. They decided to turn it into an iPhone application, and Nielsen asked his son Scott, a physics major at Utah, to write the code. It's $1.99 and has been in the App Store since August. Today the software, originally written for workstations and PCs by Valerio Pascucci, a SCI Institute faculty member, is a powerful 3D visualization program that can deal with massive data sets. ViSUS will take the iPhone's imaging capabilities to a whole new level. One application has been to combine it with tools specifically designed for climate change researchers and meteorologists. When released for the iPhone, ViSUS will marry the iPhone's big, bright screen to back-end server power, enabling mobile users to render and navigate very large, very detailed images.

According to the university, the best of today's high-definition TV sets has an image resolution of 1,080 x 1,920 pixels. The iPhone has a screen resolution of 480 x 320 pixels. But ViSUS can handle an image resolution of 200,000 by 200,000 pixels. The university says ViSUS handles the images faster, with less processing power, than other software, such as Google Earth. Streaming the images to the iPhone will let users see an entire image, at lower resolution, or zoom in to look at parts of the image, at higher resolution.

The worst economic recession in decades has compelled more companies to spend less on outsourced security services and do more in-house, according to the seventh-annual Global Information Security survey, which CSO and CIO magazines conducted with PricewaterhouseCoopers earlier this year. A few years ago, technology analysts were predicting unlimited growth for managed security service providers (MSSPs). Many companies then viewed security as a foreign concept, but laws such as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (affecting financial services) were forcing them to address intrusion defense, patch management, encryption and log management. Some 7,200 business and technology executives worldwide responded from a variety of industries, including government, health care, financial services and retail. Convinced they couldn't do it on their own, companies chose outsourcers to do it for them.

Although 31 percent of respondents this year are relying on outsiders to help them manage day-to-day security functions, only 18 percent said they plan to make security outsourcing a priority in the next 12 months. Gartner estimated the MSSP market in North America alone would reach $900 million in 2004 and that it would grow another 18 percent by 2008. Then came the economic tsunami, which appears to have cast a shadow over outsourcing plans even though security budgets are holding steady. When it comes to specific functions, the shift has already begun. Respondents cited similar reductions in outsourcing of network and end-user firewalls. Last year, 30 percent of respondents said they were outsourcing management of application firewalls, compared to 16 percent today. Companies have also cut back on outsourcing encryption management and patch management.

Sixty-nine percent said they're budgeting for application firewalls, up slightly compared to the past two years. At the same time, more companies are spending money on these and other security functions. Meanwhile, more than half of respondents said they are investing in encryption for laptops and other computing devices. It was mostly due to the economic conditions more than anything else," he says. "They were certainly looking to see where cost could be reduced or eliminated. The results surprise Mark Lobel, a partner in the security practice at PricewaterhouseCoopers. "When you think about it logically, some IT organizations have the resources and maturity to manage their operating systems and patches, but many don't," he observes. "Hopefully, the numbers simply mean IT shops have grown more mature in their security understanding." Miguel Lopez, a Los Angeles-based IT security practitioner who has worked for such companies as MSC Software and Stamps.com, observed a stark trend toward less outsourcing while at MSC (he left the company earlier this year). "The company was doing less and less outsourcing. I also hear from a few of my friends in other companies that the trend is toward doing more with internal staff." Peter Hillier, director of IT security for CMA Holdings in Ottawa, believes there are three things driving the move toward more in-house security: 1. Organizations have become more adept at do-it-yourself security since first outsourcing, though, Hillier says, "they should have done that prior to outsourcing security the first time." 2. SIM/SIEM growth has been as good for the insourcer as it is for the outsourcer. "If you can do more with less, then why pay someone else to do it?" he asks. 3. Economy is a driver, as others have noted.

Smart business executives understand that they must maintain control of the big picture at all times, even if a third party is managing many of the levers. Charles Beard, SVP and chief information officer for Science Applications International Corp. (SAIC), says that no matter what drives security spending decisions, companies should understand their specific security strategies and where managed security providers can offer unique value. Keeping an eye on security service providers and the risks they are encountering is essential. "CIOs and security officers may outsource certain functions to various degrees, but they should never outsource their responsibility," Beard advises.

Microsoft today said computers in countries with high rates of software piracy are more likely to be infected by malicious code because users are leery of applying security patches. "There is a direct correlation between piracy and the malware infection rate," said Jeff Williams, the principal group program manager for the Microsoft Malware Protection Center. But the company's own data doesn't always support Williams' contention that piracy, and the hesitancy to use Windows Update, leads to more infected PCs. China, for example, boasted a malware infection rate - as defined by the number of computers cleaned for each 1,000 executions of the MSRT - of just 6.7, significantly lower than the global average of 8.7 or the U.S.'s rate of 8.2 per thousand. Williams was touting the newest edition of his company's biannual security intelligence report. According to Williams, the link between PC infection rates - the percentage of computers that have been cleaned by the updated monthly Malicious Software Removal Tool, or MSRT - and piracy is due to the hesitancy of users in countries where counterfeit copies abound to use Windows Update, the service that pushes patches to PCs. China's piracy rate is more than four times that of the U.S., according to Microsoft's report, published today, but the use of Windows Update in China is significantly below that in the U.S. Brazil and France also have a higher piracy rate, and lower Windows Update usage, than the U.S., Microsoft maintained. France's infection rate of 7.9 in the first half of 2009 was also under the worldwide average.

Other countries with higher-than-average infection rates, however, also have high piracy rates, according to data published last May by the Business Software Alliance (BSA), an industry-backed anti-piracy organization, and research firm IDC. Microsoft is a member of the BSA. By Microsoft's tally, Serbia and Montenegro had the highest infection rate in the world, with 97.2 PCs out of every 1,000, nearly 10%, plagued by malware. Of the three countries Microsoft called out as examples of nations whose users are reluctant to run Windows Update because of high piracy rates, only Brazil fit Williams' argument: Brazil's infection rate was 25.4, nearly three times the global average. Turkey was No. 2, with 32.3, while Brazil, Spain and South Korea were third through fifth, with infection rates of 25.4, 21.6 and 21.3, respectively. By comparison, the U.S.'s piracy rate was pegged at 20%, and the worldwide average at 41%. Although Microsoft wants users to patch vulnerabilities with Windows Update, people running counterfeit copies of Windows have traditionally been less-than-eager to apply fixes, believing that Windows Update will recognize their software as illegal and mark it as such with nagging on-screen messages. The BSA put Serbia's piracy rate, the percentage of the in-use software that's not licensed, at 74% in 2008, while Turkey, Brazil, Spain and Korea had estimated piracy rates of 64%, 58%, 42% and 43%, respectively. Microsoft's anti-piracy efforts, particularly the technology it pushes to users that sniffs out unlicensed copies of Windows, have met with resistance.

American users have complained about the technology, too. Last year, for example, Chinese users raised a ruckus when Microsoft updated its Windows Genuine Advantage (WGA) anticounterfeit validation and notification technology. In June 2006, Microsoft infuriated users by pushing a version of WGA to XP users via Windows Update, tagging it as a "high-priority" update that was automatically downloaded and installed to most machines. The 2006 incident sparked a lawsuit that accused Microsoft of misleading customers when it used Windows Update to serve up WGA. Last month, Microsoft filed a motion opposing a move by the plaintiffs to turn the case into a class-action lawsuit. Microsoft's security intelligence report can be downloaded from its Web site in PDF or XPS document formats. A year later, a day-long server outage riled thousands of users who were mistakenly fingered for running counterfeit copies of Windows.

Avaya is coming out next spring with chameleon-like appliances that will take on the characteristics of phones, desktop video systems, locked-down contact-center terminals – a whole range of dedicated communications gear. Initially the devices will be wired, but wireless versions could follow, he says. These units will likely be dominated by a video screen equipped with soft buttons that users can configure for a variety of functions, says Alan Baratz, senior vice president and president for Global Communication Solutions at Avaya, in his VoiceCon keynote address scheduled for Nov. 3. "It's hardware without personality purely under software control," Baratz says. "You can turn it into a variety of endpoint devices." He describes this new equipment as a compute engine designed specifically to support real-time broadband audio and low-bandwidth video traffic. He recognizes that businesses have requirements for desktops, laptops and other portable wireless devices, and Avaya would try to fulfill these needs.

Baratz says Avaya will forge alliances with consumer application providers such as Google, Yahoo or Skype to integrate enterprise-hardened versions of their instant messaging into the Avaya platforms. Avaya would try to fully integrate software for this chameleon capability into a variety of devices but retain a common feel to the client. This would help in contact centers, for instance, where online customers might want to message call agents, he says. The customizable hardware is just one element of that architecture that will be driven by software, Baratz says. Avaya's goal is to give workers a wide range of communication options so they can use the one best suited to the task at hand. He splits communications options into two groups: realtime voice and video for immediately connecting with others and communications such as texting, instant messaging and the like that leave a written trail and can be used for more thoughtful decision making.

The way Avaya looks at it, communications infrastructure can supply the control mechanisms found in e-mail – delivering content reliably within a common envelope – and apply it to real-time communication. "Presence is an important component to tell you who's available and how you can reach them, and then you use it in interesting new ways," he says. He says he regards e-mail as managing connections between people rather than being a primary communications channel. "It's an envelope to share documents and it's good if you want to repurpose content," he says. So, for instance, a person might leave a voicemail that a network-based application automatically turns into an SMS text message to the same person, Baratz says. Avaya is working on accomplishing this and one component will be end-user control sequencing of applications available in the network. The recipient can pick up the message using the method most convenient to them at that time, he says. "It uses presence as a vehicle to understand who's available when and how, but not burden the user to think how to engage the person," he says.

So a person might engage the application to translate a voicemail into an SMS message or record a conference call that has been set up via other applications, he says. A new release of Avaya's Aura communications server will support auto registration of endpoints and applications to the network so they can be more easily accessible to each other, he says. The infrastructure, which will roll out over the next six to nine months, will enable users to choose applications from the network that they need to create these types of custom communications channels.