SearchSMB Blog - A blog for SMB IT professionals.



A blog for professionals at small and medium-sized businesses (SMBs), covering information technology (IT)-related news, features and advice.

Not your average security breach

Here we go again.

Not Your Average Joe’s restaurant announced today that credit card information of up to 3,500 customers was recently stolen by hackers (or a hacker … the company isn’t sure how many crooks were involved). The data breach took place between early August and late September, the company said.

In response, the Massachusetts-based chain said it has hired an outside “forensic analyst” to identify the cause of the breach, taken steps to tighten its security operations, and is working with credit card companies, local authorities and even the Secret Service to root out the perpetrator(s).

“We take this issue seriously, and want our customers to understand how they may be impacted,” the company said in a statement. “If a customer had fraudulent charges placed on his or her card, he or she would not be held responsible for those charges; the problem can be resolved by calling your credit card company, reporting the issue and cancelling the card.”

Not Your Average Joe’s said the data breach affected only its Massachusetts customers. The company operates 14 restaurants, all in Massachusetts save one located in Leesburg, Va.

According to The Boston Globe, the breach was discovered when officials at a Cape Cod bank notified police that a number of customers had reported unauthorized charges on their credit card statements.

Not Your Average Joe’s spokesperson Diana Pisciotta told the Globe that no unauthorized credit card activity has been reported since Sept. 29, adding, “We’re fairly confident that a customer walking into one of our places today could use their credit card safely.”

Fairly confident? Call me a cynic if you must, but I’m less than reassured by that declaration. Following the TJX data breach (which continues to get worse and worse by the day), you’d think that businesses would have gotten the message by now that customer data security should be priority A-1. But I guess understanding the importance of data security and actually securing your data are two different things.

Click on me and I’ll tell you some spam

It’s finally here! Talking spam!

This morning Commtouch Software Ltd., the Israeli antispam service vendor, announced that its Commtouch Detection Center has identified a huge outbreak of MP3 spam. Other antispam vendors have also detected it. These messages come with MP3 attachments that, when opened, play voice messages promoting stocks.

To hear an edited version of one of these messages, click here.

That distorted voice is creepy. It sounds like a female version of HAL 9000 in 2001: A Space Odyssey.

Commtouch says it hasn’t detected a virus threat in the spam yet and the files are larger than standard spam, averaging around 85 KB, and reaching up to 147 KB. The message contents are mostly empty. The MP3 files carry the marketing message.

According to Commtouch, these messages have accounted for 7% to 10% of all global spam over the last day or so.

The spammers have of course given names to these MP3 files that are supposed to induce you to open them. Sample file names include dadsong.mp3, oursong.mp3, weddingsong.mp3, smashingpumpkins.mp3, bspears.mp3, gloariaestefan.mp3, beatles.mp3 and coolringtone.mp3. Would anyone really want to open an MP3 from Britney Spears these days?
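As an added example (not code from the original post or from Commtouch), the following heuristic scores an email against the traits the post describes: an MP3 attachment, one of the reported lure filenames, a payload in the reported size range, and an otherwise empty message body. The sample messages are constructed inline; the size window margins and the "empty body" threshold are assumptions of this example.

```python
"""Heuristic flagging of MP3 voice-spam attachments (added example, not from the post)."""
import email
from email import policy
from email.message import EmailMessage

# Lure filenames reported for the outbreak (taken from the post).
LURE_NAMES = {
    "dadsong.mp3", "oursong.mp3", "weddingsong.mp3", "smashingpumpkins.mp3",
    "bspears.mp3", "gloariaestefan.mp3", "beatles.mp3", "coolringtone.mp3",
}
# The post reports an average of about 85 KB and a maximum of 147 KB; the
# margins around that window are an assumption of this example.
MIN_SIZE, MAX_SIZE = 60_000, 160_000


def build_sample(filename: str, size: int, body: str = " ") -> bytes:
    """Constructed message carrying a dummy MP3 attachment of `size` bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = filename.rsplit(".", 1)[0]
    msg.set_content(body)
    # \xff\xfb is an MPEG audio frame-sync pattern; the rest is filler, not audio.
    msg.add_attachment(b"\xff\xfb" + b"\x00" * (size - 2),
                       maintype="audio", subtype="mpeg", filename=filename)
    return msg.as_bytes()


def score_message(raw: bytes) -> dict:
    """List matched traits; an MP3 plus two or more other traits marks it suspect."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_text = body_part.get_content().strip() if body_part else ""
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() != "audio/mpeg" and not name.endswith(".mp3"):
            continue
        reasons.append("mp3 attachment")
        payload = part.get_payload(decode=True) or b""
        if name in LURE_NAMES:
            reasons.append("lure filename: " + name)
        if MIN_SIZE <= len(payload) <= MAX_SIZE:
            reasons.append("size in outbreak range: %d bytes" % len(payload))
        if len(body_text) < 20:  # threshold is an assumption of this example
            reasons.append("empty body")
    return {"suspect": len(reasons) >= 3, "reasons": reasons}


if __name__ == "__main__":
    spam = build_sample("bspears.mp3", 85_000)
    ham = build_sample("standup-recording.mp3", 300_000,
                       body="Attached is this morning's recording, as discussed.")
    print(score_message(spam))
    print(score_message(ham))
```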

Are the feds running in place with antispam efforts?

The federal government is really cracking down on spammers. Here’s a video of the feds processing spam complaints:

http://www.youtube.com/watch?v=IjarLbD9r30

The federal government hopes its criminal prosecution of spammers will act as some sort of deterrent. On Friday, two men who were convicted of spamming millions with pornographic emails were sentenced to five to six years in prison.

I suppose prison time is a sharp deterrent to just about any crime, from murder to shoplifting. But read the details of that story. Jeffrey A. Kilbride and James R. Schaffer, who were convicted in June, earned $1 million in just over a year in 2003. That’s a lot of money for a business that requires very little overhead.

These two men were charged in part under the 2003 CAN-SPAM Act, which bans false and misleading header information and subject lines, requires opt-out methods for recipients of spam (for those of us who are stupid enough to click on anything in a spam message), and mandates that commercial email be clearly identified as an advertisement.

I don’t know about you, but a few dozen spam messages have gotten through the filters on my various email addresses today, and absolutely none of the senders of those messages adhered to any of these requirements.

Hence, the video of Charlie Chaplin above.

But the feds will continue to fight the good fight. Last week, the FTC ordered a halt to spam messages from a company called eHealthylife.com, which was offering “Hoodia” weight loss products and human growth hormone. The FTC is planning to prosecute the company and its owners for violating the CAN-SPAM act.

It’s good that the federal government is making an effort here, but this strategy is similar to building a moat around a sandcastle at the beach. Digging a hole in the sand won’t stop the ocean from washing over it. The vast majority of email traffic across the globe is made up of spam. Prosecuting one case at a time might deter some potential spammers, but it won’t stop all of them.

Analysts have repeatedly told me that Internet service providers (ISP) are the key here. They have to step up their efforts to monitor how their networks are used. They should be policing their own IP addresses for spam abuse. Unfortunately, so many spammers rely on ISPs based in the developing world, where the regulatory environment is pretty loose. The FTC could require better policing by every U.S.-based ISP, and spam would still be flooding our inboxes.

Most companies ill-prepared for Web 2.0 threats

Web 2.0 has made its way into a preponderance of enterprises, but most companies still aren’t adequately protecting themselves from Web 2.0-related threats, according to new research by Forrester Consulting.

Ninety-seven percent of the 153 IT pros surveyed said they considered themselves prepared to handle security threats posed by blogs, wikis and other Web 2.0 technologies, yet 79% still reported suffering frequent malware attacks. That’s because, or so says the survey, less than 5% have “comprehensive” Web 2.0 security plans in place.

The problems with these findings, as I see it, are that the study doesn’t say what percentage of malware attacks were actually related to Web 2.0 (as far as we know, most of the attacks could have been due to more traditional IT threats) and it doesn’t explain just what makes a Web 2.0 threat different from a conventional IT threat. I’ve sent an email to the PR guy to get some clarification on this and I’ll update you if I hear back.

The one interesting, though incongruous, finding of the study, which was sponsored by security vendor Secure Computing, is that 96% of respondents said their enterprise has already found value in using Web 2.0 applications, but 57% believe denying employees access to social-networking and “rich media” sites would “visibly” increase productivity. So most IT pros see the potential value of Web 2.0 technologies but aren’t sure its positives outweigh its negatives.

The study concludes that IT departments need to re-examine security policies and update them to take Web 2.0 into account, and should educate users about what is and what isn’t responsible Web 2.0 behavior. Sounds like good advice to me.

SMBs have much to gain, little to lose with unified communications

On Wednesday morning here at VoiceCon, Siemens and IBM announced a new OEM agreement that lets IBM license Siemens’ unified communications (UC) application, OpenScape. IBM plans to use OpenScape to improve upon its own Lotus UC offering, called Unified Telephony. 

After the announcement, I sat down with Andy Chew, Siemens senior VP for unified communications, and James Lawton, Siemens VP of strategic system integration. We talked a little about the IBM OEM, but what interested me more were their thoughts on the state of the UC market and Siemens’ approach to SMBs. 

Chew, who’s based in the U.K., told me that he thinks the UC market is still “immature,” but that migrating to UC should nonetheless be a priority for SMBs. In addition to improving communication capabilities and lowering costs, SMBs can adopt UC with little risk if they opt for the hosted services or SaaS route, he said. 

Siemens currently offers hosted versions of its UC offerings, which SMBs can purchase on a monthly basis. If a customer decides Siemens’ OpenScape is not for them, for example, it can simply drop it without having to worry about breaking any long-term contract. 

As for security, Lawton assured me that at Siemens “security is at the base of everything.” While I can’t verify that independently (at least not from the floor of VoiceCon), it’s encouraging at least that a major UC vendor like Siemens seems to recognize the importance of security, especially for SMBs that might not have the resources to withstand a devastating cyberattack.  

Security, Lawton said, “is a mantra for us.” Amen to that.

Risky Road Warriors

It’s time to assess the risks posed by sloppy road warriors

One-third of mobile workers make a habit of hijacking their neighbors’ wireless connection or jumping onto unauthorized connections in public spaces, according to a new wireless security survey from Cisco Systems Inc. and the National Cyber Security Alliance (NCSA).

SMBs these days have plenty of road warriors, so you should be asking yourself, what are my users doing? And do they know the dangers of this?

This Cisco survey said that 73% of 700 mobile users claimed that they are not always cognizant of security threats and best practices when working on the road. Why is this? Take a look at the news and read about the latest stolen laptop with thousands of customer records on it.

As experts told me more than a year ago, when mobile workers cause a security breach, lax policy enforcement is often the culprit. If 73% of mobile workers aren’t fully aware of the risks they face when using mobile technology, information security managers should spend a little more time on their soapboxes.

Well, that’s not true. Road warriors will probably tune you out during a lecture. But you need to do something to drive the point home. Cisco’s survey revealed that 28% of mobile workers “hardly ever” consider security risks and proper behavior.

Cisco offers a lesson here with its survey results. Companies need to educate their mobile workers and marry that to technology that protects network connections and mobile devices. Of course, Cisco offers plenty of products that solve these problems. No surprise there.

But you can’t buy a new corporate culture. That takes a commitment from you and your IT personnel to help users understand that if they open an attachment from a mysterious email address, their smartphones could be compromised. If they piggyback onto an unknown Wi-Fi connection, that connection could be a trap. Just jumping onto an unknown connection to check the latest baseball score can get their devices hacked. It’s rare, but it can be done. Tell them horror stories, and tell them it could cost them their jobs. And show them how easy it is to reduce risky mobile behavior.

And the last AV scanner standing is…

The results are in from the Antivirus Fight Club at LinuxWorld, and, as expected, Clam AntiVirus, an open source project, did quite well when measured against commercial products.

The competition was much more involved than initially described to me by Dirk Morris, CTO of Untangle. There were three rounds in the fight. Each antivirus product faced three groups of viruses.

First they faced a set of five test viruses (harmless files used for testing antivirus technology) from the European Institute for Computer Antivirus Research (EICAR). The second set consisted of 12 “in the wild” viruses collected by Untangle. The third set consisted of 17 viruses submitted by the public.

Overall, Kaspersky performed the best of any AV product. It stopped 97% of the viruses thrown at it. Clam AntiVirus performed second-best, with an overall catch rate of 91.4%. In third place was Norton, Symantec’s consumer AV product, which had an overall success rate of 88.6%.

The worst performers were SonicWall (54.3%), Hauri (45.7%), Fortinet (45.7%) and WatchGuard (2.9%).

In his summary of the Fight Club results, Morris wrote that he is “surprised by how poor [sic] many of these solutions are performing. … Our goal in this test was not to scare people, or even drive people away from some vendors. We simply want to encourage discussion. Tests like these need to be open and transparent.”

There are bound to be some skeptics about this test. As one reader commented, this sample size of viruses is somewhat small. Would it be useful to introduce a larger test set of viruses?

Also, for some reason Untangle left Trend Micro out of this competition. Perhaps if there is a rematch, it will be included.

Antivirus Fight Club

Is there a conspiracy here?

Dirk Morris, the CTO of Untangle, thinks so.

Two years ago, Morris did a “bake-off” with a leading open source antivirus (AV) scanner, Clam AntiVirus. He pitted it against a bevy of proprietary AV engines to see how each one did against a bucketful of viruses he had pulled out of the wild.

Morris, whose company sells gateway appliances stocked with open source security software to small businesses, said he was astonished by the results. He figured AV engines were somewhat commoditized, but some big-name vendors, who shall remain nameless for now, had success rates as low as 30%. These were NOT zero-day viruses he was throwing at them. He was pulling stuff from the wild, viruses that had been around for a while. And still, some AV engines had no signatures to fight them.

Looking to get these results reproduced for public consumption, Morris approached a leading testing lab and asked it to test Clam against some of the commercial vendors. The lab, which he declined to name, turned him away.

“They said ‘We won’t test Clam because it’s open source.’ They refused to give us any explanation,” Morris said.

Morris cried foul play. He suggested that the lab didn’t want to show how well an open source project like Clam stacked up against the proprietary heavyweights.

“If they said the open source project was the best product, they’ll have a lot of unhappy customers and they won’t get any paying customers anymore.”

With that in mind, Morris is staging an “Anti-Virus Fight Club” at next week’s LinuxWorld. It isn’t exactly Brad Pitt versus Edward Norton. And Dirk Morris is no David Fincher, but this should be worth checking out.

Morris will take 20 viruses that are roaming about on the Internet and introduce them to machines protected by each AV product. Who will be left standing, and who will be left a bloody mess on the floor, is anyone’s guess. Morris is quite sure Clam, the open source champ, will leave most of the big guys in the dust.

AV scanners from Norton, McAfee, Fortinet, WatchGuard, SonicWall, Hauri, F-Prot, Sophos and Kaspersky Lab will all face the same 20 viruses as Clam, Morris said.

“I suspect what will happen is Clam will be the best,” Morris told me. “Kaspersky will do pretty well. They’ve got a good product. Some of the other vendors will do pretty poorly.”

Interested parties should check out the Fight Club on Aug. 8 from 6 to 7 p.m. at LinuxWorld in San Francisco. It’s a Birds of a Feather session.

IM malware creeping upward

Vendors of IM security technology say you really need their products.

Akonix Systems Inc., a vendor of instant messaging (IM) security and compliance technology, emailed me some new data over the weekend. Apparently the company’s researchers have seen a 78% increase in malicious code attacks over IM networks this year. So far, Akonix’s IM Security Center has detected 226 IM malware threats in 2007, including the IM worms Exploit-YIMCAM, Hupigon-SJ, InsideChatSpy, SpyPal, StealthChatMon, Svich and YahooSpyMon.

About a month ago, Akonix competitor FaceTime Communications released data that showed a quarterly decrease in IM-based attacks. It reported that in the first quarter of 2007 it detected 74 attacks via mainstream IM networks (AOL, Yahoo and MSN). The number of incidents dropped to 64 in the second quarter. However, overall malware attacks over real-time communications channels (which includes peer-to-peer file sharing and Web-based greynets in addition to IM) increased by 5% from quarter to quarter. FaceTime, as well as Akonix, provides technology that protects against malware attacks via all these communications channels.

Both of these vendors have uncovered data that seems to indicate that you should buy their products. While that should be no surprise, the rise in overall attacks is worth noting, especially since I can pretty much guarantee someone in your company is using these consumer communications applications.

Happy birthday wishes to the computer virus

The computer virus celebrates its 25th birthday this year! It seems like only yesterday it was in diapers, but now it’s all grown up and still wreaking havoc. From the Machinist:

“The computer virus conception story begins in 1981, when a tech-savvy 9th grader named Richard Skrenta got an Apple II for Christmas. Over the following few months he began cooking up ways to trick his friends using the machine. “I had been playing jokes on schoolmates by altering copies of pirated games to self-destruct after a number of plays,” Skrenta once told the tech news site SecurityFocus. “I’d give out a new game, they’d get hooked, but then the game would stop working with a snickering comment from me on the screen.”

When his friends realized his tricky ways, they banned Skrenta from their machines. And that’s when he had an epiphany: He could put his code on the school’s computer, and rig it to copy itself onto floppy disks that students used on the system. Thus was born Elk Cloner, the world’s first computer virus.”

My, how time flies. Read the rest of the Machinist’s musings on the computer virus hitting the quarter-century mark here.