Customer Insight

Brockmann and Company researches the business user experience. We write about what IT decision makers are planning and doing. We write about the business impact of communications technologies.

Security
Communications services were uniformly designed assuming positive human-to-human interactions. No inventor anticipated the nefarious activities that have evolved as threats to order and civilization as we know it. Here are security stories and experiences.

Interop: Norman Sandbox Stops Young Malware
Monday, 12 May 2008

For organizations that care to characterize and study the evolution of malware, Norman, the Norwegian anti-virus, anti-spyware and firewall company, offers the Norman Sandbox, a virtual environment that allows viruses and malware to reveal their actions without threat to live systems and data. Of course, the technology also works for organizations that worry about catching viruses before they become widespread, rather than later, when everybody has the cure figured out. That's the zero-hour requirement.

The core idea of the Sandbox is that the application studies and blocks nasty behaviors rather than matching file signatures. It does this through an emulated or virtual replica of the host system. It fools the malware into recognizing the virtual environment as a real environment, which renders the threat harmless.

Arvid Gomez, the company's OEM and Technology sales VP, based in San Ramon, CA, said that the sandbox provides protection against the dynamic signature virus or the zero-hour type malware before AV publishers can model the signature. This zero-hour type characterization is a great complement to remediation or even signature-based solutions, covering users for the short but highly vulnerable window between the release of the malware and the publishing of the signature.

A behavior model is a very powerful idea, since most damage occurs as a result of unintended or unapproved system actions. It also depends less on global updates of PC clients to account for the latest malware signatures.

Norman trades publicly on the Oslo Stock Exchange, has 200 employees and $60 million in 2007 revenues. The role of Arvid from his office in San Ramon is to focus on OEMing this and other security capabilities into solutions by other vendors.

 
Anatomy of a Mac Hack
Thursday, 07 February 2008

Two weeks ago, my Mac OS X 10.4 server running this site was hacked.

Read more...
 
How often do you forget your password?
Tuesday, 10 July 2007

People are notorious creatures of habit, yet they frequently forget their passwords. This is the #1 reason for calls into IT help desks, and it creates opportunities for attack. We need a better way to manage the myriad password requirements - six digits, changed monthly, numbers and letters, upper and lower cases, yuck!

Here are the results from 40 visitors to Brockmann.com in June 2007.

 

 
Used Hotmail & Yahoo! Accounts
Friday, 06 July 2007

Spammers are very clever people. They particularly like to use the anti-spam vendors' tactics against them.

Here is a report of a Trojan virus called Trojan.Spammer.HotLan.A that leverages the disposable email address feature of Yahoo! and Hotmail to send out thousands of spam messages from legitimate email accounts.

Note that the classic techniques of Bayesian poisoning (using literature to confuse the filters) and a random subject line affect the 'bulk-ness' algorithms used by solutions like Commtouch's Recurrent Pattern Detection service.

 
SSH Shows The Need for Managing Scale in Security
Thursday, 07 June 2007

Secure Shell (SSH) was first written in 1995 by Tatu Ylönen, a Finnish university researcher who developed the program after a hacker attempted to harvest passwords used in telnet and other login and remote administration protocols in use at that time.

The company, SSH Communications Security, was formed shortly after that. Earlier in May, I had coffee with George Adams, the CEO of SSH, Inc, which is a publicly traded company on the Helsinki Exchange, with offices just down the road from me in Wellesley, MA.

The old security idea that perimeter safeguards (firewall, remote access and VPN servers, SBCs and 802.1X authentication systems) are all you need is quite obsolete. The best practices in security use perimeter security for sure, but also apply strong authentication and privacy features to those internal services that are really sensitive to the successful operation of the corporation.

I use SSH (which came with Mac OS X) to log in to my servers, manage database connections and the like, which is where most applications of SSH reside - secure, remote login for system administrators. However, the standard implementation is not a scalable solution, which is where the commercially available SSH Tectia offering fits.

The commercially available SSH Tectia does more than secure sysadmin sessions. Its security infrastructure can be used to enable secure FTP sessions, secure transparent TN3270 sessions and secure terminal access to servers. Its support for X.509 certificates on both the server and the client ensures that strong authentication is also available.

Tectia incorporates a client, a server and a security system administrator. The client and server editions are both optimized for a wide array of computer operating systems, encompassing IBM z/OS (mainframes), Linux, Solaris, AIX, HP-UX and Windows computers, and can be purchased online at the company's website. The mainframe client/server is able to access the IBM mainframe security acceleration hardware too.

The SSH Tectia Manager software is where scalability comes in. This is where the security policies are defined, automated and audited. The product includes links to the enterprise certificate authority (think Public Key Infrastructure) and APIs into software management applications (BMC), and can present metadata about syslogs and audit trails.

George and the company have taken significant steps to validate their technology with Visa and Mastercard to earn credible deployments in the financial services sector, which is not just concerned with privacy of file transfers. They need audit-ability. They need to be able to adapt their security policies with the crank of a dial or flick of a software switch.

With annual revenues of $15 million and 80 people in the company, SSH Communications is well positioned to grow, by addressing the need for scalable infrastructure supervision.

 
Disaster Survival in a Carry-on Bag
Thursday, 31 May 2007

What a great idea - everything you need to survive a power outage. Born from the recent flurry of hurricane activities, the experts behind the Life-SaferPak researched what people really need in the event of a sudden or with-warning disaster affecting electrical power. Included in the carry-on cart is a stove, TV, fan, phone, waterproof document envelope, cooler, duct tape, first aid kit, signal horn and many other necessities.

Sure beats running to the Home Depot to see what everyone else is buying (you'll notice at the checkout or by the empty shelves).

Only $225, available over the web.

Should enterprises have a disaster survival kit? What would need to be in it?

Related report: First Communications (Disaster Recovery Priority).

 
PhoneFactor Makes Security Tokens Obsolete
Thursday, 31 May 2007

Touring the show floor at Interop Las Vegas gives one a chance to see some fun marketing ideas, cool new ideas, simple new ideas and meet interesting people with passion about their vision. Two such people I met at the show (there were dozens - more than at any other I've been to in the past six or seven years) were Dan Chmielewski (left), principal of Madison Alexander PR, and Jason Sloderbeck, VP Service Delivery for Positive Networks (right).

Jason and I connected pretty quickly - his experience in broadband data networking at Sprint in the latter 1990s coincided roughly with products and services of my neighbor in Allen, TX. As it turns out, many of the leadership team of the company, Positive Networks, are former Sprint Broadband executives who had founded the company in 2001 as a Software-as-a-Service for network security and in particular remote access.

Although that is a valuable offering for many enterprises, with an impressive customer list, I was most jazzed about the PhoneFactor. This patent-pending method is designed to overcome the shortcomings of more established two-factor methods.

Strong authentication techniques combine something you have with something you know.

The EMC RSA SecurID fob works with server software that is integrated with the authentication server; the fob carries a user clock that changes its six-digit number every ten seconds. Users submit their login credentials and are then challenged by the server for their token response. Typing in and submitting the number displayed authenticates the user.

The aggressive competitor, Entrust IdentityGuard, is a two-factor method that uses a pre-printed wallet card instead of a digital dongle or fob as the item you have. The server challenges the user, and the user looks up the appropriate response and reports it to authenticate.

The PhoneFactor similarly integrates server software with the authentication mechanism of the application to be protected. Attempting to log in generates a call request to the Positive Networks server, which looks up your appropriate telephone number. The challenge is delivered by telephone through the extensive VoIP network of Positive Networks. Your phone rings, you are told that Positive Networks is calling, and you are asked to authenticate. In some implementations it might be appropriate to hit the # sign and hang up. In other implementations a PIN may be required to be entered.

It is expected that users will tend to prefer to use their mobile telephone in this method.

I think back to my own experience with the SecurID card at a high tech manufacturer. I constantly lost the little fob, or broke it. At one point I asked my authentication administrator for a stack of pre-addressed mail-back envelopes to improve my productivity. The ability of the PhoneFactor to simply use my mobile phone (something I already have with me) greatly improves the likelihood of a successful authentication. In fact, I can lose my cell phone, but because it's the number that authenticates, simply replacing the phone and keeping the number means I can still authenticate to my network and services.

More importantly, the pricing for the service is designed to disrupt the authentication market - it's free. Monetization comes with features like support.

This is certainly one of the most compelling security highlights of Interop 2007.

 