Business Continuity Management: Sounds boring yet saves lives, companies, butts

Lately, I've been revisiting an area of information security into which I have dived deeply on several occasions over the years: Disaster Recovery, which is pretty much the same as Business Continuity Management or BCM, which includes Business Continuity Planning (BCP). Along the way I have assembled a list of high quality BCM resources and articles that folks might find useful (and available for free in most cases). You will find the list at the end of this article. Here's a scene-setting quote from one of the articles:

Disasters can strike at any time – often with little or no warning – and the effects can be devastating. The cost in human lives and property damage is what makes the evening news because of the powerful tug of human interest. Much less coverage, however, is given to the disruption, struggle and survivability of business operations. A study fielded by the Institute for Business and Home Safety revealed that 25 percent of all companies that close due to disasters – hurricanes, power failures, acts of terror and others – never reopen. (Disaster Preparedness Planning: Maintaining Business Continuity During Crisis, Disruption and Recovery)

Internet voting security: a scary tweet that reached 227,391 (even before Heartbleed)

Last month I tweeted a picture of some computer code that was part of an Internet voting system. That picture was re-tweeted so many times it reached more than 220,000 Twitter users. So, that had to be some pretty amazing code, right? Yes, as in amazingly frightening. Take a look, and then read on for a short explanation, and also a long one if you have the time.

A very clever computer scientist, Joe Kiniry, has been concerned about the security of Internet voting applications for some time. Joe is a former Technical University of Denmark professor, now Principal Investigator at Galois. In his research Joe noted this section of code in a program that was actually used for national elections in a European country.

The coder(s) have included a comment reminding themselves that security checks still need to be coded. My tweet suggested that this slide nicely illustrated the question of “what could possibly go wrong?” when it comes to Internet voting. Of course, the best answer to that question is: So much could go wrong you simply cannot use the Internet to elect public officials in a fair, honest, secret ballot!

A call to action we ignore at our peril

You don't have to watch all of this video to know that Josh Corman has clearly articulated the massive scope of the IT security challenges we face today, and he has done it using language that even a CEO or a Middle School teacher can understand. I think the whole thing is worth watching, but if you cut to minute 15 you get to the crux of the matter:

"Our dependence on technology is growing faster than our ability to secure it....Issues of public safety and public concern require public discussion and public solutions...We are going to be the ambassadors of technical literacy."

My committment to my ambassadorial duties is my New Year resolution. Let the educational outreach begin.

The Privacy Meter Redux

My prediction that data privacy is going to be a hot topic in 2014 was not surprising, but I am surprised at how many interview requests I've had so far, and we're barely halfway through January. Yesterday I found myself filling a last minute request to appear on a local TV channel. So I dusted off the trusty privacy meter.

I created this learning device in 2001 and it went into my privacy book that came out in 2002. And it is just a visual device, an image to use as a tool when discussing privacy. (Feel free to use it, you have my permission, it is released to the public domain.)

The idea is to ask people to self-assess where they fit on a scale from closed book to open book. They do not need to reveal their "privacy reading" but they do need to think about whether or not it is fair to impose their position on others.

In other words, there is no correct reading, but plenty of scope to use the meter as a basis for discussion. For example, suppose you are an open book. Is it fair to make others become open book about their personal data if they prefer to be more of a closed book? On the other hand, if you think you are a closed book, are you prepared to provide information about yourself in order to authenticate your identity and establish trust?

Why there is so much cyber crime: #1 It's our spending priorities

With the number of potential victims of the Target data breach now topping 100 million, a lot of people who have never really given much thought to cyber crimes are asking: Why? How is it that criminals can commit computer crime on this scale with apparent impunity? After all, we pay taxes to be protected from the kind of scum that perpetrate crimes like this.

There are a number of answers to the question "why is there so much cyber crime?" But for me, the first answer on the list, the one that has been ignored by most of the talking heads who've been hashing over the scant details of the Target breach on TV, looks like this:

Despite all the hot air from politicians over the last 15 years, repeatedly pledging to do something about computer crime, the U.S. has failed to make fighting cyber crime a priority. I think these relative spending numbers make that clear. I would love to hear anyone argue that we are spending enough money to track down and prosecute cyber criminals right now.

An academic study published in 2012 put the total U.S. law enforcement spend on the fight against cyber crime at $200 million per year. I decided to be generous in my chart and rounded it up to $250 million.

The figure of $15 billion is often cited as the annual cost of the war on drugs, so apparently that is 60X more important than cyber crime. We know from the Snowden revelations that spy agencies spend over $52 billion per year, so apparently we think that what they do is 200X more important than fighting cyber crime.

How about we shave $0.5 billion off the intelligence agency budgets and spend it on bringing cyber criminals to justice? That's a 3X increase over what we spend right now. That might well be enough to put a significant number of perpetrators behind bars, including the ones we could afford to bring to the U.S. from other countries, thereby tipping the risk/reward equation against the bad guys and in the favor of honest citizens.

I'm writing to my representatives in Washington to tell them what I think our priorities should be. I'm sending them this chart. If you agree, I invite you to send it to the folks who are supposed to be representing you.

My #4 personal privacy and security prediction for 2014: A BIG year for good/bad news

As we enter 2014 it is clear that two events in 2013 have rocketed data privacy and information security to the highest level of public awareness that these the complex topics have ever attained. I'm talking about the Snowden revelations and the Target breach.

For me, this surge in public awareness of the importance of data privacy and cybersecurity is both exciting and frightening.Why? Because 2014 is obviously going to be a big year for those of us who work in these closely intertwined fields, a year when more people than ever before will be concerned about securing their data, yet more distrustful than ever of the folks who are trying to help them do that (among whom I count myself).

Consider that I have spent the better part of 20 years writing and speaking about these issues, starting with computer security, then network security, system security, information assurance, data privacy, and now "cybersecurity." You could say that I have wanted nothing more than to make the world aware of the importance of these things, for the simple reason that, without such awareness, the true potential of digital technology will never be realized.

Let me put it a different way: Are you wondering where the flying cars are? Are you disappointed that in 2014 we don't yet have them, or transoceanic high speed rail service, or the handheld medical scanner that can diagnose the top 100 medical conditions in a single swipe? I believe we would have achieved these or similar technological marvels by now if it were not for the massive distraction of information insecurity.

I don't want to wander off into too many examples, but consider one: Towards the end of the last century email was poised to become a universal tool for managing transactions cheaply and easily. Then came the spam-plosion, a massive surge in unsolicited commercial email that rose to become 80% or more of all email and had Internet service providers (ISP's) buying new servers once a fortnight just to maintain legitimate service. Combine that with the inability of the major email providers to agree on improvements to email protocols, and you have the death of transactional email that is still hampering large slices of our economy, like banking, healthcare, government, and retail.

So the good news / bad news in 2014 goes like this:

• Are most consumers now aware that cybercrime is a serious problem? Yes. Can a young working mother buy diapers at a discount store without fear of losing her identity, and all the money in her back account, despite the billions that have been spent on cybersecurity? No, because we have grossly under-funded the vital work of catching the cyber-scum at the root of that fear. 
• Are most companies now aware that cybercrime is a serious problem? Yes. Can a company develop new products without fear of them leaking from their computers to a nation state agency and/or its clients? No, because it is possible that every piece of hardware and software you buy to build your dreams has already been hacked, back-doored, or otherwise compromised, thanks in part to your own tax dollars at work (see this article or the pictures here if you are not clear on this).

Now this next bit may sound self-serving, but I assure you it is not. I am employed by a company that sells security software, some of which requires root access in order to protect systems. However, the company doesn't pay me to sell this software, they pay me to think about security and privacy and explain of much of this stuff as I can to as many people as possible. The company has, in my considered opinion as a 20-year industry veteran, the very highest ethical standards. All of the people that I work with, in this company and in many of our leading competitors, are dedicated to eliminating the scourge of malware and other threats perpetrated by the world's cyber-scum. A fair number of us have been at this for 10 or 20 years or more. Yet today, in 2014, we are being asked: Are you helping the government spy on its people?"

The answer is no, but although part of me feels hurt and even insulted by this line of questioning, objectively-speaking I cannot object, particularly when I see these pages from a catalog of hardware and software crippled by the NSA, in other words, produced by my own government. I am sure that the people who developed these things thought they were doing the right thing, and only intended them to be used for righteous purposes like defending our nation. But the people in charge clearly failed to consider what would happen to the nation when the world found out about them.

I bet you a box of donuts that in 2014 at least one person will ask me where they can get a USB cable that is certified uncompromised. The fact that I don't have a good answer really bothers me. More people than ever before are going to be asking security professionals for help in creating secure systems, even as those professionals try to deal with NSA-fueled doubts about the very building blocks of such systems. One way or another, or both, it's going to be a BIG year.

My #3 personal privacy and security prediction for 2014: Cyber won't be icky any more

I predict, and sincerely hope, that in 2014 most of us information security professionals will stop apologizing whenever we use the letters c-y-b-e-r like in cyber crime, or cyber security. I also predict/hope we will stop putting "cyber" in ironic air quotes or pronouncing it in a snide tone that implies we are above using words that the world has thrust upon us.

Let's face it, computers, networks, information systems, endpoints, digital devices, tablets, smartphones, Internet-enabled-DVD-players, Bluetooth insulin pumps, they are all cyber. 

So computer security, network security, information system security, endpoint security, digital device security, tablet security, smartphone security, Internet-enabled-DVD-player security, Bluetooth insulin pump security, they are all cyber security, or cyber-security, or cybersecurity.

In 2014 we are going to have to answer a lot of questions about the security of digital information. In our answers we can call it digital security, or refer to "the security of all things digital", but it is also okay to say cyber security. And referring to the bad guys as cyber criminals is a lot easier than saying "those who would subvert any or all things digital with criminal intent."

In 2013 there were times when I said things like cyber scammers and cyber scum well as cyber criminals. I'm not going to apologize for that because I think the general public gets what cyber means. It means all things digital, it means my data and the devices and systems that process and store them. Cyber security is about protecting that stuff. Let's save our erudition and expository powers for the many other, more complex and nuanced concepts that will need to be explained in 2014, like why public key encryption needs private keys, and what pseudo random number generators have done for us lately.

My #2 personal privacy and security prediction for 2014: NSA-GCHQ-NRO will dominate

Here is another of the privacy and security predictions I am making for 2014. This is in addition to the ones I contributed to We Live Security where I had the honor of presenting predictions from my fellow researchers at ESET. Note that the following are my personal opinions, which may differ from those of my employer (although my employer has some pretty cool opinions).

The #1 privacy and security story in 2014 will be the NSA

Snowden-sourced papers will continue to leak, further revealing just how thoroughly America's National Security Agency has pursued the goal set by its leadership: make sure no piece of information about any person anywhere is beyond reach. While the NSA has dominated much of the privacy and security news in 2013, the story may evolve into a triple play in 2014, with GCHQ on one side, NRO on the other.

The National Reconnaissance Office has already made a big play for attention with its latest spy satellite, NROL-39, launched in early December sporting a logo that many pundits will claim says it all: NOTHING IS BEYOND OUR REACH.

While NSA and GCHQ are initials known to millions around the world, the NRO has lurked in the shadows, despite having a budget about the same size as the NSA; that's $10.3 billion and $10.8 billion, for the NRO and NSA respectively for 2013, according to the Washington Post.

Note that in the mid-1990s the budgets were $6 billion and $3.6 billion, with NRO spending far-outpacing the NSA and CIA.

Expect someone to put more detailed spending numbers together as the work of these agencies comes under increased scrutiny in 2014. For example, all three have a history of using military employees who are paid out of their respective armed forces budgets. So the total U.S. spend on surveillance and code-breaking activities may be more than has yet been reported.

If the NROL-39 logo is any indication, very little of the NRO budget has gone into public relations and incident response planning. It is hard to imagine more disastrous imagery and sloganeering for a spy satellite launched post-Snowden. No wonder that within a few days we heard loud and clear from the world's technology giants demanding global surveillance reform. (A topic I discussed recently over on Tech Republic.)

My #1 personal privacy and security prediction for 2014: Antivirus will be slandered, again

Here is one of the privacy and security predictions I am making for 2014. This is in addition to the ones I contributed to We Live Security where I had the honor of presenting predictions from my fellow researchers at ESET. Note that the following are my personal opinions, which may differ from those of my employer (although my employer has some pretty cool opinions).

The media will repeat a massive lie about antivirus technology

I predict that in 2014 every major newspaper and magazine will perpetuate, to the detriment of data security and human understanding, the grossly erroneous notion that "for an antivirus firm to spot malware, it first needs to have seen the malware, recognized that it's malicious code, and written a corresponding virus signature for its products."

I predict that, although this assertion is simply not true, and has not been true for many years, that fact will not deter people from repeating it, over and over. This is a bit like Car and Driver or Consumer Reports saying that cars cannot be started without first engaging the crank handle.

True, there was a time, long ago, when crank handles were routinely used to start cars, just as some antivirus programs were, in the distant past, based solely on signatures derived from known bad code. I've got a free t-shirt and more for the first mainstream journalist who breaks rank from the ill-informed herd and points out that any AV app worthy of the name today uses a lot more than signature matching to protect systems from malicious code. 

(With huge hat tip to the guys in Norway who posted that YouTube video of a hand-crank start: they are braver men than me; I've seen how much pain a crank handle can cause.)

Free professional security advice for Palestinian hackers

First of all, welcome. I am glad you found this page. Please don’t hack it.

Who am I? I am a computer security professional with over 20 years experience, just one of many people in the computer security world who have great sympathy for the Palestinian people. We agree with you that the Palestinian people deserve to live in peace. We let our politicians know what we think. We use social media to spread news and awareness of the injustices suffered by the Palestinian people at the hands of Western governments and their allies in the region (for example, see my pins of infographics about the Occupation).

As computer security professionals, we also work hard to protect the privacy and cybersecurity of hundreds millions of individuals around the world. Some of those people are Palestinians. For example, I work at ESET, a company which protects the computers and smartphones of many millions of people in more than 180 different countries. I’m guessing some of them are Palestinian sympathizers.

More information security articles from Stephen and Michael

Here's an update on the information security stuff we've been writing. Three articles from SearchSecurity by Mike and a link to my archive on We Live Security.

• Expert Michael Cobb discusses why known Java security vulnerabilities are on so many endpoints and how to contain them -- without updating Java. 
• Identifying and locking down known Java security vulnerabilities
   
• The recent Ruby on Rails security vulnerabilities can be patched. Expert Michael Cobb discusses the fallout and offers help with remediation planning. 
• Remediation planning for Ruby on Rails security vulnerabilities

• Is Microsoft's Bing search engine more susceptible to search engine poisoning than Google? Expert Michael Cobb discusses Bing security.  
• Bing security: Is search engine poisoning a problem for Bing users? 

• From NIST's Cyber Security Framework to NSA's impact on Wall Street. 
• Stephen Cobb's articles on WeLiveSecurity.com

Criminal hackers force down volunteer site serving hemochromatosis help

Just a quick note to say that the website I created at CelticCurse.org is offline at the moment due to compromise by illegal access. It looks like criminal hackers forced their way into the server that hosts the site and installed their own code to launch DDoS attacks.

If you are not familiar with the site, it is an entirely volunteer project that serve up information and resources for people with hemochromatosis, a potentially fatal genetic disorder that affects millions around the world. Due to low awareness in the medical community hemochromatosis is widely under-diagnosed and often ill-treated, leading to a lot of needless pain and suffering.

I am working to restore the site, but in the meantime people who need more information about hemochromatosis can visit:

• The Facebook Hemochromatosis page (please Like the page, it will help spread the word).

If you want THE book on hemochromatosis, we highly recommend:

More security articles from Michael Cobb, CISSP-ISSAP

• Heading Off Advanced Social Engineering Attacks

  March 18, 2013
  An inside look at how social engineering attacks are developed -- and how you can protect your organization

• What Antivirus Shortcomings Mean For SMBs

  January 23, 2013
  Accepting the risks that come with relying solely on AV not only puts data at risk, but also could kill future earning potential

• Six Security Services Every Small Business Must Have

  January 10, 2013
  A look at managed services for small and midsize businesses, and how to choose the ones that work for your organization

• Five Security Tools Every Small Business Must Have

  January 08, 2013
  Small businesses often are short on security skills, staffing and budget. Here are five tools that can help

• Measuring Risk: A Security Pro's Guide

  August 07, 2012
  A look at the tools for evaluating security risks -- and some tips for putting the resulting data into business context

• Evaluating And Choosing Threat Intelligence Tools

  July 15, 2012
  So you want to collect and analyze your own threat data. What tools do you need? Here are some tips for finding the right ones

• When To Outsource Security -- And When Not To

  June 04, 2012
  New Dark Reading report offers insights on the advantages and pitfalls of bringing in a third party to help with security

• How Did They Get In? A Guide To Tracking Down The Source Of An APT

  April 18, 2012
  Advanced persistent threats can be complex and sophisticated. Here are some tips on how to analyze them

• How To Detect And Defend Against Advanced Persistent Threats

More Cobb security resources

This is just a quick post to update links to Cobb-sourced information security resources. Here's a round of articles by Mike Cobb, CISSP:

Best Practices: 6 Security Services Every Small Business Must Have

Best Practices: 5 Security Tools Every Small Business Must Have
Strategy: Evaluating and Choosing Threat Intelligence Tools
Strategy: Measuring Risk: A Security Pro's Guide
Strategy: Finding the Right Security Outsourcing Balance
Strategy: Tracking the Source of APTs
Strategy: Detecting and Defending Against Advanced Persistent Threats
Strategy: Stop Illicit Data Dumps
Biometrics for the Rest of Us
Strategy: Biometrics

And here is a handy link for the articles Stephen Cobb posts on the ESET blog:

Stephen Cobb on the ESET blog 

More Cobbs on Information Security: Selected articles by Stephen & Michael

As you may know from my previous post, my first book on computer security was published in 1992. That led to an invitation to speak at the 1994 Virus Bulletin conference, and in 1996 I was one of the first people to pass the CISSP exam. A few years later, my brother Michael Cobb, became an MCDBA and then a CISSP, and later a CISSP-ISSAP.

Michael, who also writes as Mike Cobb, is also CLAS (stands for the UK's CESG Listed Advisor Scheme--CLAS consultants play a key role in providing Information Assurance advice to government departments and other organisations that provide services for the government.)

Over the year's Mike and I have written and spoken a lot about security. W've taught a lot of security classes, and delivered a host of security and privacy themed seminars, podcasts, and webcasts. Right now I am working up the strength to create a library of links to as many of these as I can find online. But in the meantime, here are 5 recent items from each of us.

Michael's List

Mike/Michael Cobb writes for a variety of publications, including SearchSecurity and Dark Reading. Here are 5 recent articles:

1. Measuring Risk: A Security Pro's Guide
2. Evaluating and Choosing Threat Intelligence Tools
3. When To Outsource Security - And When Not To
4. How Did They Get In? A Guide To Tracking Down The Source Of An APT 
5. How To Detect And Defend Against Advanced Persistent Threats 

Stephen's List

I write for the ESET Threat Blog as well as my own blog and SC Magazine's Cybercrime Corner. Here are 4 widely read items and an index of my posts from the ESET blog:

1. Data security and digital privacy on the road, what travelers should know 
2. FBI Ransomware: Reveton seeks MoneyPak payment in the name of the law
3. Malware RATs can steal your data and your money, your privacy too
4. Privacy and Security in the Consumer Cloud: The not so fine print
5. Library of Stephen Cobb's articles on the ESET Threat Blog 

I hope you find this material helpful.

Cobb's PC and LAN Security: 20th anniversary of publication (available as a free download!)

The Stephen Cobb Complete Book of PC and LAN Security first appeared in print in 1992, an amazing 20 years ago. In celebration of this anniversary, I'm publishing a PDF copy of the most recent version of the book, freely downloadable under a Creative Commons license. The large file size of this 700 page tome led me to publish it in three easily digestible parts: Part One; Part Two; and Part Three. (Yes, my organizational skills are legendary.)

Despite the title, which was imposed by the publisher, the volume that appeared 20 years ago was by no means a "complete book" on the subject; nor is it now a contemporary guide. However, you can still find it on Amazon, even though Amazon.com did not exist when the first version was published. The images immediately on the right are the current Amazon listings of the three versions (which I will explain shortly).

If you are inclined to take this particular trip down computer security's memory lane, I suggest you download the free electronic version rather than purchase on Amazon. On that trip you will find a few items of note, such as this:

The goal of personal computer security is to protect and foster the increased creativity and productivity made possible by a technology that has so far flourished with a minimum of controls, but which finds itself increasingly threatened by the very openness that led to its early success. To achieve this goal, you must step from an age of trusting innocence into a new era of realism and responsibility, without lurching into paranoia and repression.

I'd say that's a decent piece of prognostication for 1992. It's one of the reasons I have kept the book available all these years, a mix of nostalgia and history. At some point in the future it might be interesting to see what computer security looked like in the late 20th century.

Three Versions and a Free Version

I made a lot of changes when I turned that 1992 volume into The NCSA Guide to PC and LAN Security--a 700 page paperback that was published in 1995--but that edition is also very outdated these days. Around 12 years ago I obtained the copyright to these works and, through an arrangement with the Authors Guild, got it reprinted as Cobb's Guide to PC and LAN Security. This was done largely for sentimental reasons and the copies are only printed on demand. However, in that process I obtained a high resolution scan of the entire book. I then converted this to text using Adobe OCR software. The result is what I have put online. (Warning: you may encounter OCR errors and artifacts; no claims are made as to accuracy of the information in this document; use at your own risk and discretion).

LEGAL STUFF: THIS FREE ELECTRONIC EDITION IS LICENSED BY THE AUTHOR FOR USE UNDER CREATIVE COMMONS, ATTRIBUTION, NONCOMMERCIAL, NO DERIVATES. 

Computer Security Prognosis and Predictions 

I plan to post more thoughts on computer security "then and now" but for now I leave you with another quote from the 1992 Stephen Cobb Complete Book of PC and LAN Security:

The most cost-effective long-term approach to personal computer security is the promotion of mature and responsible attitudes among users. Lasting security will not be achieved by technology, nor by constraints on those who use it. True security can only be achieved through the willing compliance of users with universally accepted principles of behavior. Such compliance will increase as society as a whole becomes increasingly computer literate, and users understand the personal value of the technology they use.

Stuxnet, Flame, Information Security and Privacy Blog Posts

I thought I would update the blog for June by listing some of my recent articles and posts from elsewhere, mainly the ESET Threat Blog, unless stated otherwise.

• Stuxnet, Flamer, Flame, Whatever Name: There’s just no good malware
• The negative impact on GDP of state-sponsored malware like Stuxnet and Flame
• Data security and digital privacy on the road, what travelers should know
• Cybercrime and the small business: Basic defensive measures
• Malware RATs can steal your data and your money, your privacy too
• Privacy and Security in the Consumer Cloud: The not so fine print
• Cyber crime as a market - Information security experts often talk about the costs of cybercrime to businesses, but a new report from Russia quantifies how much criminals make in the "cybercrime market." (SC Magazine)
• America's privacy and security enforcer - The FTC has made major moves this year in its fight against cyber crime, and if enterprises and organizations aren't careful, they may be facing a team of the agency's investigators. (SC Magazine)

As you can see, the reports that Stuxnet was indeed a U.S. government project sparked a couple of articles. It also got me talking on a podcast: Demystifying nation-state attacks and their impact

QR Code Privacy Issues and AT&T

Ouch! After saying that I thought AT&T had done a better-than-average job with its QR code scanner app for the iPhone someone pointed out that AT&T's scanner is one of a number of such apps that have privacy issues. The point was made in a comment on the ESET Threat Blog by Roger Smolski who runs this excellent website focused on QR codes.

It seems that, like me, Roger is a fan of technology but keeps a wary eye on potential downsides, like a QR code scanner that does more than the user bargained for. This definitely seems to be the case with the AT&T scanner, which let's AT&T know what you scan. I liked the AT&T scanner for installing with a preview option by default, but now dislike it because of this under-disclosed sharing of data that I consider personal (i.e. what QR codes I choose to scan).

According to Roger, confirmed by his technical code scanner analysis, some QR scanner apps, like NeoReader, are gathering data on your use of the app. The AT&T scanner is an example of this. An example of a decent scanner that does not do this is Bar Code Scanner for Android. I am going to have to look further for an iPhone QR Code scanner app that is independently confirmed as "non-tracking." In the meantime, here are other QR/privacy articles by Roger Smolski:

• Are There Privacy Issues With QR Codes?
• Four Ways You Can Scan QR Codes Safely

Oh, and BTW, FYI, it seems QR Code is a registered trademark of Denso Wave Corp. So maybe I will adopt Roger's usage of 2D codes to avoid stepping on anyone's IP toes.

AT&T Gets QR Code Scanner Right

AT&T might not be the best-loved company in America but it deserves praise for getting something right: The QR code scanner that it supplies for the Apple iPhone has a preview-and-authorize mode installed as the default. 

I have explained why this is important in this article on QR codes and NFC tags which includes a video that makes the point quite vividly: You should not let your hardware act on the instructions embedded in a QR code of NFC tag without first knowing what those actions are. The AT&T code scanner for iPhone is set up to do that. Other scanners also have that ability but do not behave that way by default.

I have bashed AT&T for poor wireless products and service on numerous occasions, but I believe in praise where praise is due. Security has long been a priority at AT&T. Over the years I have trained thousands of AT&T employees on everything from server security to security in the workplace. So I was happy to see their QR code reader was designed right.

Cybersecurity Reading List for March 2012

Cybersecurity reports, blog posts, and white papers are not in short supply these days, so I thought I would help folks decide what subset to read. I'm hoping this will make up for some of the neglect this blog has suffered over the past few months, due in no small part to my heavy--yet enjoyable--workload at ESET.

• The paper "Follow the Money" offers great insight into the spam business today. A lot of other papers worth reading are listed on the same page.
• The Trustwave Global Security Report 2012 has a lot of interesting statistics, some quite surprising: "Industries with franchise models are the new cyber targets: more than a third of 2011 investigations occurred in a franchise business."
• The Verizon 2011 Data Breach Investigation Report (pdf) is almost a year old but still worth reading is you haven't already. Good background for the 2012 report.
• Some highlights from the forthcoming Verizon 2012 DBIR, like "29% of threat incidents involved the ability to guess a user's password correctly."
• Selections from the ESET Threat Blog: 
• Drive-by FTP: a new view of CVE-2011-3544. Novel way to distribute the payload for the most common java exploit.
• OSX/Imuler updated: still a threat on Mac OS X and hiding Trojan code in erotic pictures.
• Modern viral propagation: Facebook, shocking videos, browser plugins, spreading Koobface, Boonana, Win32/Delf.QCZ, Yimfoca, and more.

Chinese hacks and Anonymous hacking: Lessons of the end game when nothing is 100% secure

I read about the hacking of the California State Law Enforcement Association or CSLEA website by Anonymous "for fun and m4yh3m!"just after reading about the latest round of hacking of Chinese websites. Nota Bene: I am NOT saying Anonymous hacked the Chinese websites; I'm NOT talking abut Chinese hacking of U.S. websites; and I'm NOT writing as an employee of any organization.

Etymologically Speaking: Cracking or hacking, mobile phones or voicemail?

In the wake of the News of The World (NOTW) scandal in which "journalists" are alleged to have listened to, and sometimes erased, messages left on phones that did not belong to said journalists, the term phone hacking has shot up the charts of widely misused phrases.

As this very helpful article on Geek News Central points out, the NOTW scandal is not really about phone hacking, it is about voicemail hacking, which the article's title tries to make clear: How To Hack Mobile Phone Voicemail.

Like the proverbial Trojan Horse, which was really neither horse nor Trojan, we are probably stuck with phone hacking as a phrase hacked together by hacks to describe some types of phone system manipulation and/or phone user duping. Such subtle distinctions may not matter to some people, but I think they matter to information security professionals. Why? Because part of our role in society, one that I personally take very seriously, is trying to bring clarity to matters involving the theft of information, unwarranted invasions of privacy through the abuse of information systems, use of computer systems to commit fraud, and so on.

And perhaps no word in recent memory has been more abused and hacked than hackers. As Steven Levy firmly established more than 25 years ago in his book, Hackers: Heroes of the Computer Revolution, the word started out with a positive connotation, a subject he addressed at the recent DefCon hacker conference in Las Vegas.

For almost as many years, my good friend Dr. Mich Kabay has tried to maintain a consistent distinction between hackers and criminal hackers. In his copious writings and teachings on information assurance, Mich diligently avoids omitting the word criminal from the phrase, either for convenience or brevity (see these Google results for examples).

(In the 1990s, some people tried to get criminal hackers shortened to crackers but that was doomed by ambiguity, between the decidedly non-technical use of the term cracker in the Southern states and people who specialize in cracking encryption codes.)

While criminal hackers are generally to be reviled for the mess they are making of otherwise beneficial technology, some hackers may be deserving of praise. You can get a personal perspective on this distinction by watching the excellent documentary made by another good friend, Ashley Schwartau, titled "Hackers Are People Too."

All of which underlines the ambiguity--some might say neutrality--of information technology, and the need to use care, as well as clear and specific language, when discussing its use or abuse. Voicemail can be incredibly useful, but it can be abused and cause pain when "hacked" by people of questionable ethics. Encryption can protect your private information from prying eyes, or allow a criminal hacker to hold your data for ransom. Cracking encryption can save lives or expose people to their enemies.

You might say that the problem with technology is the people who abuse it. We need to distinguish them from the people who try to improve it. And choosing our words wisely is one way of making that distinction.

Footnote: I will have a lot more to say about this and other aspects of information security after September 1, which is when I transition to a new position: Security Evangelist for ESET.

The NOTW Phone Hacking Scandal: Lessons for risk managers keep coming

In the context of data privacy, cyber security, and risk management I once wrote: "Failure to police your employees and sub-contractors can have serious consequences."

In the last 6 days we have seen massive proof of that as the News of the World (NOTW) phone hacking scandal has erupted onto the world stage, spewing a toxic mix of consequences, the like of which we have never seen before.

Consider anyone who owned stock in BSkB. I documented their bad news yesterday. And consider any innocent employees of the News of the World who are suddenly without a job. If those people find it hard to get new jobs because of the stigma of being ex-NOTW employees, they could argue that NOTW robbed them of their professional reputation and possibly sue NOTW and its executives on that basis.

I will admit that the possibility of getting sued for running a company in such a disreputable manner that you drag down your employees with you is not a risk that I had previously considered. But we now see that such a thing could play out as a consequence of a company hiring people to do illegal hacking, or turning a blind eye to hacking, in other words, failure to enforce ethical business practices and appropriate privacy policies. Here's what the Guardian wrote on the subject around the 1.52pm mark on their July 10 live blogging of the NOTW scandal:

Dismissed News of the World journalists who are unable to find replacement jobs and feel their professional reputations have been severely damaged could have legal grounds for suing News International, according to one employment law source. Owen Bowcott, who is the Guardian's acting legal affairs correspondent, writes about a Lords ruling that could have implications:

"There is a precedent in a 1997 House of Lords judgment that covers the predicament of two former employees of the collapsed Bank of Credit and Commerce International who claimed they suffered the "stigma" of being associated with the ex-employer that put them at a "serious disadvantage" of finding new work. "In [Malik vs BCCI] the House of Lords upheld, in principle, the right of innocent ex-employees to sue a former employer for common law damages where revelations concerning the employer's corrupt practices had damaged their prospects of future employment in the industry," one employment expert suggested. "Corruption was assumed as a hypothesis for purposes of the decision"."

Bowcott went on to say "Loss of reputation, the 1997 judgment pointed out, is "inherently difficult to prove" but it added that there is an implied mutual obligation of trust and confidence between employer and employee." The House of Lords judgment concluded. "Difficulties of proof cannot alter the legal principles which permit, in appropriate cases, such claims for financial loss caused by breach of contract being put forward for consideration."

So, there you have one more risk of bad corporate governance: Revelation of the company's corrupt practices damaging the employment prospects of your employees, leading to lawsuits. And to think it all started with a voicemail PIN number being guessed or social engineered.

Hacking Costs Billons in Stock Losses: 2.88 billion more reasons to enforce security policies

The negative impact of information security incidents on stock prices has been documented numerous times over the past ten years, but I think we are now witnessing the most dramatic hacking-related stock losses ever seen, as reported in the Guardian last Friday under the headline BSkyB shares fall £1.8bn. For American readers:

• BSkyB is British Sky Broadcasting, a satellite TV company 
• BSkyB is like DirecTV only bigger (based on Market Cap), 
• the Guardian is a very reputable British newspaper,
• one British pound is worth about $1.6,
• that share drop erased $2.88 billion from the company's value.

What information security incident at BSkyB triggered this share drop? That's a trick question! The stock dropped because of the illegal hacking of voicemail by a person or persons hired by a British newspaper, News of the World, often referred to as NOTW.

The owner of NOTW is Rupert Murdoch's News International (NASDAQ:NWS) which has been looking to buy BSkyB, pending approval by regulators, who may not be so keen to approve the deal given the mess that News International is now in as a result of the scandal surrounding the voicemail hacking. When you look at how the stock of NWS fared today you see where the term "fell off a cliff" comes from:

Bear in mind that NWS owns the Wall Street Journal, the New York Post and Fox everything, from movies to TV channels to TV stations.

So what we have here is an amazing example of how a few people committing acts of hacking on behalf of one relatively small part of a big company can cause massive damage that extends beyond the company itself, not to mention the victims of the hacking, like the parents of deceased soldiers and at least one murder victim.

And the collateral damage will roll on. People who own shares of BSkyB and NWS may sue the company executives. People laid off by the News of the World, which has been closed for good, may sue for loss of reputation by association. Victims of the hacking may sue.

All of which could have been avoided if the News of the World had adhered to privacy standards and ethical business standards. But the company allowed this to happen, over a period of years, so there can be no defense based on the existence of policies. (If you have your company network password taped to the bottom of your keyboard, in violation of company security policy, there is legal precedent for saying that is not grounds for dismissal if the company has tolerated everyone doing the same thing for some time.) 

There will be much more about this hacking-induced upheaval as the days roll on...including the huge irony of hacking closing a major British newspaper, not because of outside criminal hackers breaking in, but because of insiders illegally hacking people outside the company.

BTW, if you want the whole sordid story of this hacking debacle prior to this latest development, including police corruption and royal family secrets, this Wikipedia article is a good source. I will end with a footnote on the BSkyB share value: the amount wiped out by the end of today was $3.84 billion.

CIA Website Hack Recalls Early Days of eCommerce

Recent hacking of the CIA website brings back memories of the earliest days of eCommerce on the Web and the first wave of website hacking. The first defacing of the CIA website was carried out in September 1996. For those too young to remember, here's what it looked like:

The hacking was done by Swedish hackers using the name "Group Power Through Resistance" and their goals went beyond embarrassing the CIA. According to TechWorld Sweden:

"The attack messages were primarily intended for the then Swedish state prosecutor [Bo Skarinder] who accused members of the Swedish Hackers Association of hacking. The sentence "Stop lying Bo Skarinder!" is remembered to this day."

The most recent CIA website hack, as of this post, was the following effort by an Indian hacker who goes by “lionaneesh":

Lionaneesh claims to have gained access by exploiting an XSS or cross-site scripting vulnerability (here's a detailed explanation of XSS written by my brother Mike).

When Lionaneesh tweeted about his exploits on a Twitter account his name was listed as Aneesh Dogra (that name has since been removed, but the Twitter account is still active). Posting a "follow me" message on a hacked CIA web page is one of the more interesting ways to gain followers (of which @lionaneesh now has 206).

Via Twitter, Aneesh expressed affinity with LulzSec, the hacker group that claimed responsibility for an attack on the CIA earlier in the week.The page defaced by Mr. Dogra was taken down quite quickly, but a screenshot of it was posted on The Hacker News (as reported on GMA NEWS, the Filipino news site).

That first round of government agency website hacks in 1996 served as a wakeup call to eCommerce sites which were starting to come on line at that time (a time when I was providing consulting services to such companies, via the NCSA that later became ICSA Labs, and the Miora Systems Consulting company that later became InfoSec Labs, founded by Michael Miora, Vincent Schiavone, David Brussin, and of course me).

When I was writing my first paper on the topic of Internet Commerce, delivered at a conference in Hong Kong in early 1996, I struggled to find examples of website defacing. The one that does stick with me is a fur dealer who was targeted by animal rights activists. That sent a strong message about brand-tarnishing and activist-hacking, which became known as hacktivism. It also alerted companies to the truly global nature of the world wide web. you might write your website content for your customers, but the entire world can read it if they choose to do so.

To this day I would advise companies against publishing content on their websites that advocates an unpopular point-of-view or employs insensitive language, unless they are well-prepared to repel attacks from people who do not share that point of view. An example I used to cite was a timber industry website that was thinking of putting its newsletters online, the content of which was standard stuff within the industry, but a red flag to environmental extremists (who would be able to find it much more easily on the web than by getting a copy of the printed edition.)

A quick read of the Wikipedia page on hactivism will tell you the term is still emotion-laden because both hacking and activism remain ambiguous terms, seen as the illegal actions of bad actors by those on the receiving end, and the right thing, done for good reason, by the doers. The issue is not made any easier by the pugnacious "shoot-the-messenger" reaction of many organizations to news that their systems are vulnerable.

My wife encountered this when she questioned a suspicious network connection at a government facility containing highly sensitive classified data. She was angrily asked: "What do you think you're doing probing this network?" As a graduate of the Stephen Cobb School of Tact and Diplomacy she avoided snapping back with the obvious: "My job!" Instead, she calmly explained that her boss had asked her to create a map of the network for which he was responsible and, in doing so, she had found an undocumented connection to an insecure network. Thanks to a boss who stood by his employee [my wife] the issue was resolved, but not before the threat of prosecution was raised by the "offended" party who owned the insecure network (and who chose to remain in denial of its insecurity).

Many such stories are documented on the web and one can imagine a hacker finding a flaw in the CIA website wondering what to do about it. Tell the CIA? Who may come looking for you because they can't accept that a. their site is insecure, b. your intentions are honorable. Clearly this is a dilemma. When you exploit the vulnerability that you have found you create an example that can be used to remind governments and companies that web security is not a fix-and-forget challenge but an ongoing effort. Nevertheless, the right thing to do is NOT hack the site. And hacking it for personal glory does nothing to help your claim that you were trying to do the right thing.

Finally, it has to be said that if any federal government agency ought to be a showcase of website security best practices it is the CIA. I'm NOT saying they deserved to be hacked, but they deserve to be on the receiving end of probing questions. As do other government entities. For example, the method that Private Bradley Manning used to remove copies of classified government documents from SIPRNET, the ones that ended up on Wikileaks, was clearly a violation of policies and procedures that my wife laid down over ten years ago to address such problems. It is hard to argue that the people who chose not to enforce such policies are entirely blameless for what their actions, or inaction, allowed to transpire.

Internet Security and Satellite Internet: A gap that needs to be patched?

Today there are over a million computers in America that connect to the Internet via a satellite connection, and the number continues to grow. During this past winter I used my spare time to write a white paper on satellite Internet connectivity, mainly to drive home the point that it is no substitute for DSL/cable/fiber when it comes to broadband access for rural communities. The white paper has just been published by the Rural Mobile and Broadband Alliance (RuMBA).

However, an interesting security issue came up in the course of writing this 22-page paper and I thought I would highlight it here. If you like, you can download the full report at no charge from this link. (You can also read more about this research in this blog post.)

One of the reasons nobody should seriously consider defining satellite Internet as broadband is the daily download limit that satellite services impose, typically about 400 megabytes a day, which is less than some operating system upgrades we have seen in recent years. These capacity limits are not just a serious inconvenience, they have serious implications for computer security.

Basically, satellite Internet users have to turn off automated updating of operating systems and applications to prevent incurring costs and usage restrictions arising from bandwidth caps. However, as I am sure you know, computer and software makers increasingly rely on these automated processes to distribute the security “patches” required to prevent exploitation of computers by criminal hackers.

Computers with unpatched operating systems and applications are a prime target for hackers as these machines are more easily exploited and turned into “zombies” under the control of attackers. Zombies are then orchestrated into “botnets” that are used to attack other systems, from commercial and government websites to utility systems and entire sections of the Internet itself. The Department of Homeland Security today considers unpatched consumer computers a threat to national security and the problem has been openly discussed by cyber-security officials at the federal level since at least 2002.

Some might argue that computers on a relatively slow satellite connection (you're lucky to get above 256Kbps when uploading) are not attractive to botnet builders, But some botnet attacks don't need much speed or capacity to be effective. The fact that the IP address blocks occupied by these "at risk" systems are relatively easy to identify may also be considered an added risk factor.

Solutions are possible, like special exemptions on bandwidth caps for authorized OS and application patches, but so far I have not heard any talk of these being implemented. Since the federal government is currently handing over tens of millions of taxpayer dollars to satellite Internet service providers to help them build their subscriber base, maybe that money should come with strings, like better provision for prompt security patching.

Twitter Spam Getting Bad, Now Poisoning Health-Related Search Results

What is Twitter spam? A whole bunch of "people" tweeting the same thing from accounts that are likely automated. These bogus accounts have a human name followed by a number, like Colettaj339. When you check out the profile you see this person has:

• Sent many tweets (all pushing links), 
• Not followed anyone (Following=0). 

In other words, the account merely exists to direct clicks to a promotion in return for money. Following the pattern of previous forms of spam this Twitter-spam is growing fast and targeting vulnerable people.

For example, I have been encountering more and more of this stuff when searching Twitter for the term "hemochromatosis" which is a scary and potentially fatal genetic condition that causes iron overload, a toxic buildup of iron in joints and organs like the liver, heart, brain, thyroid and so on.

Given the pathetically poor level of knowledge about this condition that exists in the general medical population it is very common for people who find they have hemochromatosis to turn to various channels on the Internet for information, including Twitter.

My hemochromatosis search on Twitter today found a bunch of tweeted links leading to a pitch page for an eBook on Iron Overload priced at $37. Bear in mind that the highly regarded and medically reviewed Iron Disorders Institute Guide to Hemochromatosis can be purchased in paperback on Amazon.com for a lot less than half that price, and can be had as an eBook on Kindle for $9.89.

Maybe the tweet-spammed book is brilliant and worth $37 but the large number of spam Tweets makes me doubtful. And this is by no means the first targeting of hemochromatosis sufferers on Twitter. Tweet spam leading people to an article site has also used this hook. In fact, I'm willing to bet that whenever you search a nasty disease, for example multiple sclerosis, you will see this Tweet spam. Here are some observations about this depressing phenomenon:

1. Cobb's First Law of Communications Technology: Every new communications technology will quickly be abused, most likely by people lying in the hopes of making money.
2. Twitter has not done enough to make sure new accounts are opened by real people.
3. Twitter is not doing enough to remove blatant spam accounts (email me as scobb[at]scobb[dot]net for the algorithm to identify these accounts guys, it's not that complicated)
4. A depressingly large number of people need to ask themselves whether what they are doing with their computers is helping or hurting their fellow man, woman, or child.
5. Until the median level of morality among computer literate humans starts to rise, we will see spam, scams, fraud, and the like continuing to poison the technology and waste precious resources (like the energy that email spam wastes, enough to power millions of homes).

BTW, if you want solid information about hemochromatosis, visit The Iron Disorders Institute. If you want Twitter to do more to stop Twitter-spam contact the company. I find that a fax to the CEO is a good communications channel to use: Mr. Evan Williams, CEO, Twitter, Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, fax 415-222-0922.

Cost of a data breach climbs higher

Well worth paying attention, whether you are in privacy or security, in business or investing in businesses, CIPP or CISSP:

Cost of a data breach climbs higher - Dr. Ponemon's blog

"The latest U.S. Cost of a Data Breach report, which was just released today, shows that costs continue to rise. This year, they reached $214 per compromised record and averaged $7.2 million per data breach event. The fact is that individuals still care deeply about their personal information and they lose trust in companies that fail to protect it.

It’s not only direct costs of a data breach, such as notification and legal defense costs that impact the bottom line for companies, but also indirect costs like lost customer business due to abnormal churn. This year’s study showed some very interesting results. In my view, there are a few standout trends."

Mobile Payments: One Trillion More Reasons to Think About Mobile Security

It is hard to think of anything more attractive to hackers than a widely-deployed digital payment system. And the world is now witnessing the fastest rollout of a digital payment system ever, to your mobile phone, a.k.a. smartphone, cellphone, iPhone, tablet/slate, i-device. Consider just two stories that appeared one day last week:

"With corporate behemoths such as Starbucks Coffee Co. and McDonald's Corp. leading the way, 50 percent of consumers will have made a mobile payment of some kind by 2014, according to Juniper Research."

And "according to this report, U.S. mobile payments could reach $1 trillion by 2015."

That's one trillion dollars with a "T' headed to a bunch of devices that are, from an historical IT perspective, barely out of beta testing. Consider a couple of random stories I found hanging around in my browser cache when I sat down to write this post:

November, 2, 2010: An analysis of the kernel used in Google’s Android smartphone software has turned up 88 high-risk security flaws that could be used to expose users’ personal information, security firm Coverity said in a report published on Tuesday.

December 29, 2010: Mobile security firm Lookout is sounding the alarm about a Trojan targeting Android devices that, while confined to China so far, represents one of the most sophisticated pieces of malware it has seen to date. The malware, named “Geinimi” is the first Trojan to display botnet-like capabilities, allowing it to receive remote commands...

And don't think that using an iPhone or Blackberry will eliminate security risks. Just check out this page of stories about password cracking software available from Russia. Something to bear in mind when you read that "MasterCard's PayPass wallet application can be password-protected so that a lost or stolen handset cannot be used to make payments"

But let's get back to what I meant when I said it's hard to think of anything more attractive to hackers than a widely-deployed digital payment system. Notice I didn't qualify "hacker" in this context. That's because hackers of all stripes find computerized payment technology fascinating. Back in 1995, when I spoke for the first time at DefCon, the now legendary annual hacker convention in Las Vegas, the speaker ahead of me presented a detailed explanation of just how easy it was to make fake credit cards that worked.

When I cited that presentation as an example of the damage that hacking could do, the response was vociferous and articulate and could be summed up like this: The banks are to blame for using such lame technology when a few tweaks to the system and a little more effort could actually make it a lot more secure, as shown in the presentation.

That was a valuable lesson for me. Not everyone who hacks payment systems is out to steal your money. Hence the useful qualifier "criminal" as used by my friend and colleague Mich Kabay who is always careful to say criminal hackers when that is the type of hackers to whom he is referring. A lot of people see a spectrum of hackers. One can describe it, if you leave out the nuances, like this: black hat hackers who are criminally-minded, gray hat hackers who may hack for profit, and white hat hackers who are trying to find solutions to hacks before the hacks are widely exploited (and may profit professionally for so doing).

What I'm saying is that every shade of hacker is likely to look long and hard at hacking mobile payment systems, from those who want to hack the system for illegal gain to those who seek to gain fame for finding the holes. The question is: Can the systems now being rolled out withstand the scrutiny? History gives me a clear answer: No.

Unless some fundamental changes have occurred in the technology and banking industries, changes of which I am unaware, that negative answer has a high probability of being right. I predict holes will be found and some of those holes will be exploited for illegal gain before they are plugged. I also predict that:

• Mobile payment systems will still be rolled out, and 
• Companies that already have a good track record in mobile security will do very well this decade.

One to Watch: MAD's MECS is mobile security made real

There is no doubt in my mind that the new information security frontier is mobile, as in mobile phones and mobile pads/slates/tablets. More and more data is going to be processed by, stored on, and accessed from mobile devices. You can see this very clearly if you spend any time in the world of consumer marketing where the biggest buzzword right now is "mobile" as in mobile advertising, mobile shopping, and mobile payments.

And where the money goes, criminal hacking is sure to follow, along with scams, spammers, phishing and fraud. Which is why I've been very interested for a while now in a mobile security company called MAD, a company of which my good friend Winn Schwartau is Chairman.

MAD's flagship product has already won several awards like this. And I can assure you that awards like these don't grow on trees. Industry analysts don't like to get burned by endorsing flash-in-the-pan products that leave them looking all egg-faced in 12 months if the product peters out. Bear that in mind when you read this assessment:

“The Mobile Enterprise Compliance and Security Server (MECS) innovative solution focuses primarily on delivering a new dimension of security, management and compliance to enterprises. Compared to standard mobile device management (MDM) solutions, which are not regarded to be viable security platforms, M.A.D.’s offering promises to provide the utmost protection for mobile enterprise devices.” and goes on to state that “Owing to the extensive capacity offered by M.A.D.’s solution, Frost & Sullivan feels that the company has gained a significant advantage compared to its competitors...”

Pretty impressive! MAD's MECS  is definitely one to watch as the struggle to secure the mobile frontier heats up in 2011.

Wikileaks, Assange, Cyberwar and the Real Information Security Story

Time for some perspective on Wikileaks, the cyber attacks against it, and for it, and the real informaton security story that may get lost in the mix. (Note: I am not under any illusion that the world has been holding its breath waiting for me to weigh in on this subject, this is more of a "memo to the file" undertaking).

For me, the real meat of the Wikileaks story is the content of the documents that are being leaked. Coming a close second is the pathetic state of information security within the US government in general and military/intel systems in particular.

(BTW, I commented on this in the context of a Danger Room story on Wired which apparently was not deemed worthy of approval--one reason I am repeating myself here: American taxpayers have been thoroughly ripped off when it comes to the money spent protecting state secrets.There used to be policies and procedures in place to prevent something like Pfc Manning recording secret documents on a CD-RW labeled Lady Ga Ga, but the army brass likes its tunes too much to put up with that kind of inconvenience, part of the same mindset that leads so many of them to use the same lame password for everything).

However, the BIG story may be the implications of hactivists taking up cyber-arms against the perceived foes of Wikileaks. It reminded me of a Network World column by my friend Mark Gibbs in 2005 titled "The selfish 'Net and the Big One." In that piece I reiterated my longstanding opinion that "the Internet continues to function at the whim of those who know how to bring it down."

As the hactivist fans of Wikileaks tone down their attacks on dot com sites there may be a temptation to dismiss them as a sideshow. However, it would be a big mistake to just say "Those guys couldn't take down Amazon.com" and leave it at that. I would argue that the only reason Amazon.com or any other website is still online is that the people who know how to take it down have decided not to do so. Remember: "the Internet continues to function at the whim of those who know how to bring it down."

To put it another way, the world's virtual economy is built upon a web of trust and mutual self interest, not a bullet-proof framework of resilient technology. To think otherwise is to risk massive losses should a real cyberwar break out.