RiskBloggers.com

Over a half million websites hijacked

May 12 2008

Hackers are exploiting web sites en masse to infect downstream PCs. You have to think 500k+ infected websites just added several million zombies to the world’s botnets.

CSO Mag: Not just for CSOs anymore?

May 02 2008

CSO is doing home security now? Don’t CSOs rate having their own magazine any longer, or are their responsibilities expanding? As a non-CSO, I don’t have to feel guilty about reading it now :)

New Blog: Enterprise Investigation Management

Apr 16 2008

I am helping VANTOS launch a new blog about Enterprise Investigation Management, which is a new take on the convergence of forensics, investigations, risk management, e-discovery and how this is changing the nature of managing corporate investigations. We have a lot of industry luminaries who will be posting soon, and we welcome your collaboration. Click here to check it out and post comments.

Botnets beating CAPTCHA

Apr 15 2008

This article describes a new speed record in smashing the CAPTCHA filtering technique with botnets. We are going to have to figure out how to fight botnets indirectly; the direct tactics don’t seem to be working and they are getting stronger.

Is your laptop the same as your suitcase?

Feb 12 2008

Based on what’s reported in this Washington Post article, the U.S. Customs and Border Protection (CBP) agency thinks so. It seems there are cases of people being searched and forced not only to surrender their laptops and other electronic devices, but to provide passwords and instructions for accessing their systems as well, allowing the officials to create exact copies of all information on the device, including documents, browsing history, calendars, email… everything.

While this has obvious privacy concerns (the Electronic Frontier Foundation and Asian Law Caucus have filed suit to force the disclosure of CBP policies in this situation, including which rules govern the seizing and copying of the contents of electronic devices), it also has serious ramifications for us as security professionals. What controls will we need to implement and enforce if this practice is found to be acceptable and becomes more common?

 - Andy Brinkhorst

Security Idol

Feb 06 2008

Look very closely; I think that is Bruce Schneier as one of the contestants. You gotta have fun in our industry…

TSA got Blog!

Feb 01 2008

And they allow flames! Knock yourself out, I want to avoid secondary screening.

May 07 2008

By Jim Reavis

It is my great pleasure and honor to provide my personal endorsement of Dave Cullinane for the position of Information Systems Security Association (ISSA) President. Elections will be held online from June 1-30, and if you are an ISSA member, I urge you to get informed about the candidates and vote when the polls open.

It is my hope that the many discussions about the candidates that will occur at chapter meetings and online will be high-minded and will focus on the positive merits of each candidate. I also hope that each individual ISSA member will take the initiative to vote their own conscience and that chapters that vote as a bloc will be a thing of the past.

While I think we have three excellent candidates for President this year, my reason for making a public endorsement is that I feel that Dave Cullinane is a clear choice as the person to lead the ISSA for the next two years. Before I explain my opinion, I would like to briefly mention the other two presidential candidates:

  • Howard Schmidt has been and will continue to be an outstanding ambassador for the information security industry. As I review his candidate goals, I think they are for the most part very fitting for an ambassador and I think he can accomplish those goals in a capacity other than that of the presidency.
  • I am sorry to say that I do not know Brian Schultz as well as the other two candidates, but feel that I know him well enough to say that he is a highly competent security professional who is well respected by his peers. I can picture him as an ISSA President at some point in the future. I would like to see him take on some more international projects on behalf of the association and strengthen his global resume first.

This brings me back to Dave Cullinane. Dave is not only a professional with a wide range of experiences on his resume, but he has truly excelled in his various roles. Dave received SC Magazine’s Global Award as Chief Security Officer of the Year for 2005, and also received CSO Magazine’s 2006 Compass Award as a Visionary Leader of the Security Profession.

Dave is the Chief Information Security Officer for eBay, which to me looks like the most challenging CISO job in the world. Not only must Dave keep up with the scaling issues of an Amazon or a Google, he must instill trust in the billions of peer-to-peer transactions in this enormous marketplace. Dave is excelling in this position in many ways, and to top it off was able to bring the infamous hacker Vladuz to justice with the help of Romanian authorities.

Dave’s candidate goals, to me, stand out as goals that are fitting for a CEO. They are visionary, and reflect Dave’s keen insight into the challenges this industry and the association face. In his past tenure as President, Dave put his vision into action, and was the driving force behind the creation of the CISO Forum and the Alliance for Enterprise Security Risk Management. Simply put, Dave gets things done and is the most competent security professional I know - anywhere in the world.

The ISSA has been around for 24 years, and in some respects is at risk of having the industry pass it by. It must grow more evenly on a global basis. It must attract the younger security professionals. It must adapt to the technological changes and stay relevant within the industry convergence we are now seeing. I feel that Dave’s strategic vision combined with his ability to execute are vital assets to the ISSA for the tough decisions that are ahead.

Again, this is my opinion alone and based on my honest opinion of the challenges ahead, and with the insight gained as a past ISSA board member and former association executive director. Please make sure that you participate in the process and cast your ballot.

May 07 2008

This story briefly details the corporate spying case brought against News Corp by Dish, a satellite TV competitor. News Corp hired hackers, ostensibly to secure their own network; however, one of them infiltrated Dish’s network and stole intellectual property. A News Corp exec being deposed admits keeping the hacker employed 6 years after being informed of the criminal activities, which of course means the exec likely ordered the hit.

I would go into my lecture about the myth of hiring hackers who claim to be crossing over to the good side, a myth that belongs in the dustbin of history, except that the situation above involves a company subsidizing the criminal behavior. Hopefully this won’t be treated any differently than the culpability a corporation faces when the CFO cooks the books.

It is clear that talented hackers are highly coveted and have many illicit options to monetize their skills. It is too bad that legitimate companies are among the illicit options.

May 01 2008

By Jim Reavis

That poor Olympic torch has never had it so bad. It has been getting more attention than Britney Spears on a cigarette run, and it isn’t even safe in a wheelchair. Much of the world, of course, is outraged over the unrest in Tibet and the Chinese government’s tactics.

At the same time, in our little parallel universe of information security, we see an ever-growing sophistication in a wide variety of attacks coming from the East. DDoS attacks are pretty effective; take a look at this attack launched against SlideShare. And of course, CNN was targeted 2 weeks ago. There has been a spate of infected USB devices: thumb drives, hard drives, even digital picture frames that have been manufactured in China. The private groups that I belong to have been busy cataloging all types of malware, botnets, SQL injection attacks, infected websites and those dangerous parts of the net enabling the badware, what I call the IISPs (Illicit Internet Service Providers). I talk to my friends with real jobs protecting real websites and they all have the same “whack-a-mole” story: block a Chinese net range, wait a few minutes to a few hours, and the badware is back.

Yeah, I know, I am sounding like an unoriginal broken record; many of you know this stuff already. But what I want to know is, are we leveraging some predictive analytics to forecast how these scenarios are going to play out this year? How bad can it get? From a technology perspective, the artillery pieces are being lined up. There is no reason to expect anything other than an escalation in tensions in Tibet through the Olympics in August. An opening ceremonies boycott has been a political football in US presidential politics. I am really not here to talk about the politics, but even Democracy Jim can understand how a few million Chinese might get a little upset at one of their own being jostled in her wheelchair.

Political leaders, protesters and everyone can do what they think is right. And so should CISOs. We might want to think about how these scenarios might play out and how to be ready for them. As nice as August can be, I don’t think I would want my top incident response people taking extended vacations this year.

Apr 23 2008

Apparently a cross-site scripting bug in the community blogs section of Senator Obama’s website was exploited by a hacker, redirecting visitors to Senator Clinton’s website instead. Cross-site scripting is old and lame, but as we know there are a lot of vulnerable sites still out there. This is boring news, I was just looking for an excuse to post this picture:

[Image: candidates]

Apr 21 2008

I was forwarded this BusinessWeek article by a CISO; I had missed it because I was at RSA when it came out. It is one of the better articles detailing the increase in hack attacks on the U.S. government, including sensitive installations. Espionage is exploding, and the techniques that are successful, such as spear phishing, will look very familiar to those in the private sector.

Apr 18 2008

By Jim Reavis

The criminal who has been terrorizing eBay users for several years has been apprehended. It took many years of work, but Romanian authorities and the FBI collaborated to bring Vladuz to justice. This is by far the greatest problem with information security - bad guys need to go to jail. From my front row seat I have seen the ups and downs; thank you, eBay, for taking a stand and getting the job done.

Apr 15 2008

By Jim Reavis

I always try to plan a nice quiet week in the office after the RSA Conference, and I am almost feeling back to my normal self. When I was sitting in the bar at the W with a colleague on the Sunday before the conference started, another friend came up to us and asked how long we had been in San Francisco. “5 beers ago”, my colleague said. Well, more than 5 beers later, here are some of my more memorable personal moments:

The Olympic Torch. Who is responsible for this scheduling snafu, taking press away from Art Coviello? A friend of mine went out to watch the torch go by, figuring that, controversy aside, this is a historic moment. He recounted standing next to two protesters, one of whom was weary of the delays, asking his fellow agitator, “Do you want to keep protesting, or do you want to have lunch?” Lunch won.

Craig Mundie. I enjoyed the End to End Trust keynote from Microsoft’s Chief Research and Strategy Officer, delivered fireside-chat style with ACS CISO Chris Leach. Mundie’s folksy, pragmatic view of privacy and strategy was interesting, and he showed humility in the face of the daunting challenge of E2E. It is a big ship to turn around, but Mundie explained that MS has been working from the bottom up - you cannot argue with the progress made at the lower layers. I also ran into several great security experts from Microsoft who told me a few years ago they would never work there.

GRC. The Governance, Risk & Compliance “buzz-acronym” was bigger than I expected. When you looked at the sessions beforehand, there was nary a mention of it, but it seemed every session referenced it, not to mention it being all over the show floor. I guess it makes sense when you figure sessions were nailed down several months ago. A CISO on my compliance panel put the concept of GRC best when he said he uses risk management to turn tens of thousands of vulnerabilities into just a few hundred that must be remediated for compliance reasons.

MSSPs are getting some scale. I was pretty impressed by how much business the MSSPs have been pulling down in the last 12 months. There is still a little too much compliance-checklist service versus making organizations more secure, but you have to give the customer what they are looking for. On a bizarre and twisted note, I ran into a former employee of an MSSP named Breakwater that I used to consult for a few years ago, and he told me that one of our colleagues there became a mass murderer. For the record, I do not believe that managed security makes you crazy, but on the other hand I never had to wear a pager tied to an improperly tuned IDS.

Best Party.  I didn’t go to any parties, but I heard that Greylock’s had the best networking and McAfee’s was the most fun.

Michael Chertoff. He seems sincere that it is different now at DHS, and that the focus on cybersecurity is real. The appointment of wiki guru Rod Beckstrom as the cyber leader is certainly interesting and I hope he brings some changes, but if Beckstrom doesn’t last, he won’t be the first entrepreneur who got frustrated by the DHS red tape.

Al Gore.  I had to catch a plane Friday and missed his closing keynote, but I did notice it was about 10 degrees warmer than Thursday, so I guess that was good for him.