<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Stephen Cobb Blog &#187; Security</title>
	<atom:link href="http://cobbsblog.com/blog/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://cobbsblog.com/blog</link>
	<description>Fresh perspective, forward thinking, informed by the past</description>
	<lastBuildDate>Mon, 05 Dec 2011 20:03:57 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.5</generator>
		<item>
		<title>Security and Privacy Links: Marketing cybersecurity</title>
		<link>http://cobbsblog.com/blog/security-and-privacy-links-marketing-the-cybersecurity-message/</link>
		<comments>http://cobbsblog.com/blog/security-and-privacy-links-marketing-the-cybersecurity-message/#comments</comments>
		<pubDate>Sun, 04 Dec 2011 19:17:28 +0000</pubDate>
		<dc:creator>Stephen Cobb</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://cobbsblog.com/blog/?p=1476</guid>
		<description><![CDATA[As some of you know, I hit the ground running when I landed in San Diego at the beginning of September, happy to be back in California, wrestling with my first love, information security. Okay, so that prose was a trifle purple&#8211;not to be confused with a delicious purple trifle&#8211;and information security is not, strictly [...]]]></description>
			<content:encoded><![CDATA[<p><a class="post_image_link" href="http://cobbsblog.com/blog/security-and-privacy-links-marketing-the-cybersecurity-message/" title="Permanent link to Security and Privacy Links: Marketing cybersecurity"><img class="post_image alignleft" src="http://cobbsblog.com/blog/wp-content/uploads/link-fix.jpg" width="300" height="300" alt="Post image for Security and Privacy Links: Marketing cybersecurity" /></a>
</p><p>As some of you know, I hit the ground running when I landed in San Diego at the beginning of September, happy to be back in California, wrestling with my first love, information security.</p>
<p>Okay, so that prose was a trifle purple&#8211;not to be confused with a delicious purple trifle&#8211;and information security is not, strictly speaking, my first love.</p>
<p>But hopefully you get the point: I was ready to up my game in the fight against digital malfeasance after three fun years focused on the marketing of marketing software to marketers (three highly successful years, I might add, because the marketing software, <a href="http://www.monetate.com" target="_blank">Monetate</a>, was clearly headed for best of breed from day one and can now be found on major websites from PETCO to QVC).</p>
<p>There were a number of happy congruencies in this latest development. My marketing skills had been honed, my marketing experience broadened, just in time to sell a fresh message of cybersecurity awareness to a deeply digital world. That message goes like this: &#8220;The bad guys are badder than ever, better funded, more organized, but there are simple steps we can all take to make cyberspace a lot safer tomorrow than it is today.&#8221;</p>
<p>For me, this was just the right time to run into <a href="http://www.eset.eu/home" target="_blank">ESET, a Slovakian company</a> with a growing presence in <a href="http://www.eset.com/us">North America</a> and a strong commitment to the public good, as evidenced by a pioneering community initiative called <a href="http://securingourecity.org" target="_blank">Securing Our eCity</a>. I spend part of my time working on this initiative and the rest on research and publication, in all its forms, including blogging, tweeting, and speaking. Here are just a few of my efforts so far:</p>
<h3>On TV:</h3>
<ul>
<li>On <a href="http://securingourecity.org/blog/2011/10/29/soec-event-featured-on-nbc-san-diego-tv-news">Digital Pros Fight Cyberspace Predators</a> on NBC</li>
<li>On <a href="http://securingourecity.org/blog/2011/10/29/soec-event-featured-on-nbc-san-diego-tv-news/">What to Bring When Buying Online</a> on NBC</li>
</ul>
<h3>Speaking:</h3>
<ul>
<li>On <a href="http://www.excelsior.edu/1222">Cybersecurity in the Workplace</a> for Excelsior College</li>
<li>On <a href="http://www.brighttalk.com/webcast/1718/34137">Information Security Policies for SMBs</a> and several more webcasts</li>
<li>On <a href="http://securingourecity.org/blog/2011/09/30/zeroing-in-on-zero-day-attacks-esets-stephen-cobb-to-join-darkreadinginformationweek-virtual-event/">Becoming a Security Detective</a> by Dark Reading and InformationWeek</li>
</ul>
<h3>Quoted:</h3>
<ul>
<li>On <a href="http://www.scmagazineus.com/cyber-monday-to-bring-increase-in-online-threats/article/217438">Cyber Monday threats</a> in SC Magazine</li>
<li>On <a href="http://www.eweek.com/c/a/Security/Attackers-Gearing-Up-for-Cyber-Monday-With-Scams-Deals-477523/">Attackers Gearing Up for Cyber Monday With Scams, Deals</a> by eWeek</li>
<li>On <a href="http://www.zdnetasia.com/online-anonymity-hard-to-achieve-but-not-impossible-62302787.htm">Online anonymity hard to achieve but not impossible</a> by ZDNet Asia</li>
<li>On <a href="http://www.pcworld.com/businesscenter/article/243521/apple_shoots_the_messenger.html">Apple Shoots the Messenger</a> by PC World</li>
</ul>
<h3>Published:</h3>
<ul>
<li>Video blog on <a href="http://blog.eset.com/2011/10/20/gaddafi-and-search-poisoning-think-before-clicking-on-search-results">Search Poisoning of McCartney and Gaddafi</a></li>
<li>Blog post on <a href="http://blog.eset.com/2011/11/30/youve-got-malware-deceptive-package-delivery-email-for-the-holidays">Malware Delivery via Canada Post</a></li>
<li>Cybercrime column on <a href="http://www.scmagazineus.com/freezing-assets-and-turning-up-the-heat/article/216249">Freezing assets and turning up the heat</a></li>
<li>Many more <a href="http://blog.eset.com/?s=cobb">security blog posts</a></li>
<li>Various articles in the <a href="http://go.eset.com/us/threat-center/">ESET Global Threat Report</a></li>
</ul>
<h3>Bonus Security Video: Malware Delivery Scam:</h3>
<p><!-- copy and paste. Modify height and width if desired. --> <object id="scPlayer" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="608" height="380" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="data" value="http://content.screencast.com/users/ESETResearch/folders/Default/media/bea4354c-f02f-45b7-8e79-d41d79ec6d19/scplayer.swf" /><param name="quality" value="high" /><param name="bgcolor" value="#FFFFFF" /><param name="flashVars" value="thumb=http://content.screencast.com/users/ESETResearch/folders/Default/media/bea4354c-f02f-45b7-8e79-d41d79ec6d19/FirstFrame.png&amp;containerwidth=1024&amp;containerheight=640&amp;autohide=true&amp;autostart=false&amp;loop=false&amp;showendscreen=true&amp;showsearch=false&amp;showstartscreen=true&amp;tocdoc=left&amp;xmp=sc.xmp&amp;content=http://content.screencast.com/users/ESETResearch/folders/Default/media/bea4354c-f02f-45b7-8e79-d41d79ec6d19/malware-delivery.mp4&amp;blurover=false" /><param name="allowFullScreen" value="true" /><param name="scale" value="showall" /><param name="allowScriptAccess" value="always" /><param name="base" value="http://content.screencast.com/users/ESETResearch/folders/Default/media/bea4354c-f02f-45b7-8e79-d41d79ec6d19/" /><param name="src" value="http://content.screencast.com/users/ESETResearch/folders/Default/media/bea4354c-f02f-45b7-8e79-d41d79ec6d19/scplayer.swf" /><param name="flashvars" value="thumb=http://content.screencast.com/users/ESETResearch/folders/Default/media/bea4354c-f02f-45b7-8e79-d41d79ec6d19/FirstFrame.png&amp;containerwidth=1024&amp;containerheight=640&amp;autohide=true&amp;autostart=false&amp;loop=false&amp;showendscreen=true&amp;showsearch=false&amp;showstartscreen=true&amp;tocdoc=left&amp;xmp=sc.xmp&amp;content=http://content.screencast.com/users/ESETResearch/folders/Default/media/bea4354c-f02f-45b7-8e79-d41d79ec6d19/malware-delivery.mp4&amp;blurover=false" /><param name="allowfullscreen" value="true" 
/><embed id="scPlayer" type="application/x-shockwave-flash" width="608" height="380" src="http://content.screencast.com/users/ESETResearch/folders/Default/media/bea4354c-f02f-45b7-8e79-d41d79ec6d19/scplayer.swf" base="http://content.screencast.com/users/ESETResearch/folders/Default/media/bea4354c-f02f-45b7-8e79-d41d79ec6d19/" allowscriptaccess="always" scale="showall" allowfullscreen="true" flashvars="thumb=http://content.screencast.com/users/ESETResearch/folders/Default/media/bea4354c-f02f-45b7-8e79-d41d79ec6d19/FirstFrame.png&amp;containerwidth=1024&amp;containerheight=640&amp;autohide=true&amp;autostart=false&amp;loop=false&amp;showendscreen=true&amp;showsearch=false&amp;showstartscreen=true&amp;tocdoc=left&amp;xmp=sc.xmp&amp;content=http://content.screencast.com/users/ESETResearch/folders/Default/media/bea4354c-f02f-45b7-8e79-d41d79ec6d19/malware-delivery.mp4&amp;blurover=false" bgcolor="#FFFFFF" quality="high" data="http://content.screencast.com/users/ESETResearch/folders/Default/media/bea4354c-f02f-45b7-8e79-d41d79ec6d19/scplayer.swf"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://cobbsblog.com/blog/security-and-privacy-links-marketing-the-cybersecurity-message/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
<enclosure url="http://content.screencast.com/users/ESETResearch/folders/Default/media/bea4354c-f02f-45b7-8e79-d41d79ec6d19/malware-delivery.mp4" length="7709398" type="video/mp4" />
		</item>
		<item>
		<title>The Apartment With Everything, Now Available Everywhere (Irony Included)</title>
		<link>http://cobbsblog.com/blog/the-apartment-with-everything-now-available-everywhere/</link>
		<comments>http://cobbsblog.com/blog/the-apartment-with-everything-now-available-everywhere/#comments</comments>
		<pubDate>Thu, 18 Aug 2011 22:37:13 +0000</pubDate>
		<dc:creator>Stephen Cobb</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Trust]]></category>

		<guid isPermaLink="false">http://cobbsblog.com/blog/?p=1367</guid>
		<description><![CDATA[So here&#8217;s something way more ironic than anything in the Alanis Morissette song of the same name. My wife found a gorgeous apartment to rent in San Diego, for only $1,000 a month (I will explain why she was looking in a moment). The place looked great in the photos and it sounded great in [...]]]></description>
			<content:encoded><![CDATA[<p><a class="post_image_link" href="http://cobbsblog.com/blog/the-apartment-with-everything-now-available-everywhere/" title="Permanent link to The Apartment With Everything, Now Available Everywhere (Irony Included)"><img class="post_image alignleft" src="http://cobbsblog.com/blog/wp-content/uploads/apt-scam-san-diego-kitchen150.png" width="150" height="150" alt="Post image for The Apartment With Everything, Now Available Everywhere (Irony Included)" /></a>
</p><p>So here&#8217;s something way more ironic than anything in the Alanis Morissette song of the same name. My wife found a gorgeous apartment to rent in San Diego, for only $1,000 a month (I will explain why she was looking in a moment). The place looked great in the photos and it sounded great in the description on Craigslist:</p>
<blockquote><p>&#8220;2 Bedroom, 2 Bath, fully furnished, modern kitchen and bath, cable TV, Internet wi-fi, electricity, water, local phone included. Nestled in a quiet, almost suburban-like setting, you&#8217;re just a few minutes away from world-class dining, shopping and the verve of theaters, clubs and nightlife. Great location, great features. All at a location that&#8217;s exactly right, exactly where you want to be.&#8221;</p></blockquote>
<p>All that for $1,000 in San Diego, California? Sounds fantastic, but hardly ironic. So let me add the most interesting thing about this place, something not immediately apparent: it is also for rent in Boston, San Francisco, Seattle, Washington, and many other cities in America. But even that&#8217;s not ironic, that&#8217;s just another sick cyber-scam.</p>
<p><a href="http://cobbsblog.com/blog/wp-content/uploads/face-apartment.png"><img class="size-medium wp-image-1381 alignright" title="scam-apartment" src="http://cobbsblog.com/blog/wp-content/uploads/face-apartment-300x199.png" alt="Apartment Scam" width="300" height="199" /></a>Let me add some more data points. My wife and I have spent many years working in the field of information security&#8211;where uncovering online scams and other cyber-crime was part of the job&#8211;and we are planning to move to San Diego next month, for my new job as Security Evangelist for <a href="http://www.eset.com/us/">ESET</a>, a software company dedicated to fighting cyber-crime. We don&#8217;t need a furnished apartment, but this place looked inviting (and it could lead one to think rent in downtown San Diego is very affordable).</p>
<p><strong>So here&#8217;s the irony: The apartment that I wanted to rent in order to facilitate my move to a new job fighting cyber-crime turned out to be a cyber-scam!</strong></p>
<p>I was going to provide links to the scam pages (they were mainly on Craigslist) so you could check them out&#8211;they were quite professional with fewer typos than your average scam &#8211;but after my wife sent Craigslist a description of the scam they pulled it from all the cities mentioned above.</p>
<p>Of course, there may have been other complaints but my wife actually got the scammer to send her an email, which provided further details of the scam that she passed along to Craigslist. Apparently the scammer claims to be out of the country and seeks to get the prospective renter to send her a deposit, presumably before they find out that the whole thing is a fraud.</p>
<p><strong>Notes:</strong> I say &#8220;her&#8221; only because the name most often associated with these fake apartment listings is Amanda Dawson (although I&#8217;m pretty sure that is not the scammer&#8217;s real name). Also note that I think Alanis Morissette is a very good actor and singer, I just don&#8217;t like the song &#8220;Ironic&#8221; because most of it isn&#8217;t. I don&#8217;t know why I have a problem with errors in works of art, but I do. For example, the great big hole in <a href="http://en.wikipedia.org/wiki/Lord_of_the_flies#Problems"><em>Lord of the Flies</em></a>&#8211;you can&#8217;t use a short-sighted person&#8217;s glasses to make fire&#8211;spoils that book for me (maybe it&#8217;s because I&#8217;ve been myopic since I was 11 and tried using my glasses to burn paper on several occasions until my father sat me down and told me the facts of light).</p>
]]></content:encoded>
			<wfw:commentRss>http://cobbsblog.com/blog/the-apartment-with-everything-now-available-everywhere/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>More for Virgins, Less for Screw-ups: The surprising cost of data breaches</title>
		<link>http://cobbsblog.com/blog/more-for-virgins-less-for-screw-ups-the-surprising-cost-of-data-breaches/</link>
		<comments>http://cobbsblog.com/blog/more-for-virgins-less-for-screw-ups-the-surprising-cost-of-data-breaches/#comments</comments>
		<pubDate>Sun, 08 Feb 2009 21:33:12 +0000</pubDate>
		<dc:creator>Stephen Cobb</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Society]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Trust]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[feckless]]></category>
		<category><![CDATA[miscreant]]></category>
		<category><![CDATA[ponemon]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[screw-up]]></category>
		<category><![CDATA[virgin]]></category>

		<guid isPermaLink="false">http://cobbsblog.com/blog/?p=426</guid>
		<description><![CDATA[In its fourth annual study on data breaches, the Ponemon Institute examined the costs of 43 companies that had been hit by a data breach. The study found, not surprisingly, that the cost per record breached had risen (actual numbers coming up). I have always thought it ironic that one of the biggest obstacles to [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>In its <a href="http://blogs.techrepublic.com.com/hiner/?p=1001&amp;tag=nl.e550">fourth annual study on data breaches</a>, the Ponemon Institute examined the costs of 43 companies that had been hit by a data breach. The study found, not surprisingly, that the cost per record breached had risen (actual numbers coming up).</p>
<p>I have always thought it ironic that one of the biggest obstacles to getting organizations to take action on issues of data privacy and security is a lack of data, namely data about what a security failure might cost. If known, that cost can then be weighed against the cost of putting security measures in place.</p>
<p>After all, Adam and Eve did not cover their bodies in the garden of Eden; likewise, organizations operating in crime-free utopias have no need to spend money to protect against data exposures. In the real world, however, it is sad but true that a certain percentage of people are not sufficiently constrained by either personal ethics or a fear of consequences and go about stealing data for personal gain.</p>
<p>Thus the need for security spending to avoid the costs, which are now averaging over $200 per record. So, next time you read a story about some bank or retailer exposing thousands of records, you can just multiply by $200 to figure the hit they have just taken.</p>
<p>This study is more good work by Larry Ponemon and the <a href="http://www.ponemon.org/">Ponemon Institute</a>. Consistently reliable data over time is particularly useful. For example, if you read up on all the data breaches that have been happening you might have formed the impression that more of them are now coming from third parties, i.e. people who process customer data for retailers, banks, etc. And the survey shows that yes, third party data breaches were reported by more organizations in 2008 than in 2005 (21% then, 44% now). Less predictable perhaps is the finding that third party data breaches are more expensive, $231 per compromised record versus an overall average of $202.</p>
<p>As you might expect, breaches experienced by data loss &#8220;virgins&#8221; are more costly, $243 versus $192 for &#8220;experienced&#8221; companies, sardonically referred to as &#8220;repeat data screw-ups&#8221; by Larry Dignan in the TechRepublic blog post referenced at the beginning of this post. What surprised and saddened me is that more than 84% of all cases examined by Larry Ponemon&#8217;s team were repeat data breach offenders.</p>
<p>Sadly, until there is an uptick in the general standards of human behavior, things are likely to carry on like this. Data entrusted to the feckless will be exposed by the lawless, innocent lives will be disrupted, money will be lost, and the cost to defend against miscreants will mount.</p>
]]></content:encoded>
			<wfw:commentRss>http://cobbsblog.com/blog/more-for-virgins-less-for-screw-ups-the-surprising-cost-of-data-breaches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Blog Backlog: Computer Security Handbook 5th Edition Launches</title>
		<link>http://cobbsblog.com/blog/blog-backlog-computer-security-handbook-5th-edition-launches/</link>
		<comments>http://cobbsblog.com/blog/blog-backlog-computer-security-handbook-5th-edition-launches/#comments</comments>
		<pubDate>Sun, 01 Feb 2009 23:48:58 +0000</pubDate>
		<dc:creator>cobbie</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[chey cobb]]></category>
		<category><![CDATA[compuserve]]></category>
		<category><![CDATA[information assurance]]></category>
		<category><![CDATA[mich kabay]]></category>
		<category><![CDATA[msia]]></category>
		<category><![CDATA[norwich university]]></category>
		<category><![CDATA[Stephen Cobb]]></category>

		<guid isPermaLink="false">http://cobbsblog.com/blog/?p=420</guid>
		<description><![CDATA[I got a nice nod last week from Norwich University in an article about Wiley&#8217;s soon to be launched 2,000 page behemoth: &#8220;Computer Security Handbook, 5th Edition.&#8221; It turns out that 37 of the 80 chapters are by people with Norwich connections. That includes me (Chapters 4, 7, 15, 20) and Chey (Chapters 15, 41, [...]]]></description>
			<content:encoded><![CDATA[<p></p><p><a href="http://www.amazon.com/Computer-Security-Handbook-2-Set/dp/0471716529"><img class="alignleft size-full wp-image-421" title="csh5" src="http://cobbsblog.com/blog/wp-content/uploads/2009/02/csh5.jpg" alt="csh5" width="120" height="169" /></a>I got a nice nod last week from <a href="http://www.graduate.norwich.edu/articles/2009/20090130.php">Norwich University in an article</a> about Wiley&#8217;s soon to be launched 2,000 page behemoth: &#8220;Computer Security Handbook, 5th Edition.&#8221;</p>
<p>It turns out that 37 of the 80 chapters are by people with Norwich connections. That includes me (Chapters 4, 7, 15, 20) and Chey (Chapters 15, 41, 73).</p>
<p>Although I got interviewed for the article, to highlight cooperation between Norwich professors and students, I kind of wish they had also mentioned Chey. She wrote a lot of the curriculum material for the original Master of Science in Information Assurance at Norwich. And I think she and I are the only couple to work together on a chapter in the new opus (Chapter 15: Penetrating Computer Systems and Networks, also with Mich Kabay).</p>
<p>On the whole, David Corriveau did a good job with the article. Hopefully, my comments conveyed the fact that Mich Kabay should get the credit for my collaboration with Corinne LeFrançois at the NSA. It was a classic electronic encounter. Pure email, we never met in person. (It is worth noting that I also met Mich online, about twenty years ago, while I was living in Scotland and he was living in Montreal. That was back in the days of CompuServe.)</p>
<p>Mich is the thread that runs through all of this, the MSIA program and the Computer Security Handbook, both CSH4 and CSH5. And with that, we wish the best of luck to &#8220;<a href="http://www.amazon.com/Computer-Security-Handbook-2-Set/dp/0471716529">Computer Security Handbook 5th Edition</a>&#8221; and all who sail in her!</p>
]]></content:encoded>
			<wfw:commentRss>http://cobbsblog.com/blog/blog-backlog-computer-security-handbook-5th-edition-launches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Bamford Breaks Out: Shadow Factory exposes NSA, CIA, Hayden, Bush, 9/11</title>
		<link>http://cobbsblog.com/blog/bamford-breaks-out-shadow-factory-exposes-nsa-cia-hayden-bush-911/</link>
		<comments>http://cobbsblog.com/blog/bamford-breaks-out-shadow-factory-exposes-nsa-cia-hayden-bush-911/#comments</comments>
		<pubDate>Thu, 16 Oct 2008 02:47:03 +0000</pubDate>
		<dc:creator>Stephen Cobb</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Recommended]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Society]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Trust]]></category>
		<category><![CDATA[9/11]]></category>
		<category><![CDATA[bamford]]></category>
		<category><![CDATA[cia]]></category>
		<category><![CDATA[eavesdropping]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[nsa]]></category>
		<category><![CDATA[puzzle palace]]></category>
		<category><![CDATA[shadow factor]]></category>
		<category><![CDATA[spying]]></category>

		<guid isPermaLink="false">http://cobbsblog.com/blog/?p=132</guid>
		<description><![CDATA[When it comes to books about the US intelligence agencies there&#8217;s a lot of mumbo-jumbo and plain old BS out there. The shining exception has been the work that James Bamford has published about the National Security Agency [NSA]. And Bamford&#8217;s latest book, the just released Shadow Factory, is really going to shake things up [...]]]></description>
			<content:encoded><![CDATA[<p></p><p><a href="http://cobbsblog.com/blog/wp-content/uploads/2008/10/bamford.jpg"><img class="alignleft size-medium wp-image-136" title="bamford" src="http://cobbsblog.com/blog/wp-content/uploads/2008/10/bamford.jpg" border="0" alt="" width="165" height="227" /></a>When it comes to books about the US intelligence agencies there&#8217;s a lot of mumbo-jumbo and plain old BS out there. The shining exception has been the work that James Bamford has published about the National Security Agency [NSA]. And Bamford&#8217;s latest book, the just released <em><a href="http://www.amazon.com/Shadow-Factory-Ultra-Secret-Eavesdropping-America/dp/0385521324">Shadow Factory</a></em>, is really going to shake things up in the IC (spook-speak for Intelligence Community).</p>
<p>I ordered my copy from Amazon today and I urge you to do the same. But before your copy arrives you can get an idea of some of the shocking information it contains by <a href="http://www.democracynow.org/2008/10/14/james_bamford_the_shadow_factory_the">checking out this explosive interview</a> available in mp3 and Real Video. If the world was not in the middle of an economic meltdown right now, revelations like this would be headline news. <strong><em>Spoiler Alert</em></strong>: This interview includes explanations of how:</p>
<ul>
<li>the NSA pays foreign companies and private contractors to create copies of all your Internet traffic;</li>
<li>the CIA prevented the FBI from tracking the 9/11 terrorists in America;</li>
<li>contractors in America swap tapes of our soldiers in Iraq calling home to their wives and girlfriends;</li>
<li>the head of the NSA, now the head of the CIA, General Hayden, agreed to Cheney&#8217;s demands for an illegal domestic surveillance program to avoid personal embarrassment.</li>
</ul>
<p>Bamford first brought the National Security Agency to the world&#8217;s attention in 1982 with <a href="http://www.amazon.com/Puzzle-Palace-Americas-Intelligence-Organization/dp/B000BPG27Y"><em>The Puzzle Palace</em></a>. Back then the very existence of the NSA was classified, the book was essentially banned in the US, and Bamford was&#8230;<span id="more-132"></span>well Bamford darn near landed in jail. Of course, today&#8217;s NSA, now officially &#8220;out&#8221; and openly recruiting on college campuses, takes a &#8220;never happened&#8221; view of those events. Fortunately, I learned of <em>The Puzzle Palace</em> in 1989 while living in Scotland and researching my first book on computer security.</p>
<p><em>[Just in case you missed a meeting, the NSA is a clandestine agency that is many times larger than the CIA in terms of manpower and budget. It conducts surveillance operations around the world, in space, and under the ocean. The NSA is also in charge of code-breaking for the US government and actually owns any bright ideas you have about encryption--having the right to review all crypto-related patent applications and seize any it deems a risk to national security.]</em></p>
<p>Before I dig deeper into the reasons why you should read <em><a href="http://www.amazon.com/Shadow-Factory-Ultra-Secret-Eavesdropping-America/dp/0385521324">Shadow Factory</a></em> I should make it clear that James Bamford is no fringe journalist. He spent nearly a decade as the Washington Investigative Producer for ABC&#8217;s World News Tonight with Peter Jennings. Furthermore, while I can&#8217;t say that my wife and I know Jim well, we have had several long conversations with him. We think he is fair and pragmatic in his views. Despite some very disturbing things he has learned about the way the IC has been run over the last twenty years, he remains respectful and supportive of the many thousands of dedicated professionals who serve diligently and responsibly in that community (as a former contractor to the <a href="http://en.wikipedia.org/wiki/National_Reconnaissance_Office">NRO</a>, an agency in some ways even bigger than the NSA, my wife knows something about the subject matter of Jim&#8217;s books).</p>
<p>Jim followed up <em>The Puzzle Palace</em> with <a href="http://www.amazon.com/Body-Secrets-Ultra-Secret-National-Security/dp/0385499086"><em>Body of Secrets</em></a> in 2002. By that time the NSA was &#8220;out&#8221; and apparently prepared to accept that Jim was a decent American just trying to document, often with admiration for its positive accomplishments, this huge agency which consumes an untold amount of taxpayer money (<em>untold</em> as in, the agency budget is a matter of national security and you can&#8217;t find out how big it is or what exactly it is used for). We heard Jim speak and spoke with him shortly after <em>Body of Secrets</em> came out. The impression we formed was that Jim had a great deal of respect for many of the NSA personnel he had met during his intensive research (which includes some great examples of open source investigation).</p>
<p>But although <em>Body of Secrets</em> came out in 2002, it was researched and largely written before the terrorist attacks of 9/11/2001. Those attacks are the kind of thing that the existence of an NSA and a CIA and an FBI and the dozen or so other taxpayer-funded intelligence agencies are supposed to prevent. And I think, and this is a personal assumption on my part, the failure of the IC to prevent those attacks really got to Mr. James Bamford. He decided to find out what went wrong and why. Now he is telling the world what he found and he is not being coy about it. He&#8217;s naming names, and places, and dates. And Jim probably knows more of these than anybody outside the IC.</p>
<p>The 9/11 Commission partially documented the failure of the NSA, CIA and FBI to share vital information prior to 9/11. Bamford goes into a lot more detail and leaves you with the clear impression that 9/11 would never have happened if those agencies had shared. And as if that failure to communicate was not bad enough, he shows how it led to a huge invasion of privacy in America and the lives of Americans living and serving abroad, including our own troops. This massive expansion of government powers&#8211;strongly resisted, it must be said, by many NSA employees&#8211;has probably not produced useful intelligence. Instead, and partly through the expanded use of shady contractors, it has likely led to faulty intelligence upon which our military has acted unwittingly, with tragic consequences.</p>
<p>I could go on, but this is already too long for a blog post. Let me just say that if you&#8217;re concerned about your government spying on you, this is the book to read. This is not conspiracy theory stuff. No tinfoil-hats are involved. This is the way things really are. And it is probably going to upset you quite a bit.</p>
]]></content:encoded>
			<wfw:commentRss>http://cobbsblog.com/blog/bamford-breaks-out-shadow-factory-exposes-nsa-cia-hayden-bush-911/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Fighting Spam Taught Me About Marketing (and Market Forces)</title>
		<link>http://cobbsblog.com/blog/what-spam-taught-me-about-marketing-and-market-forces/</link>
		<comments>http://cobbsblog.com/blog/what-spam-taught-me-about-marketing-and-market-forces/#comments</comments>
		<pubDate>Thu, 10 Jul 2008 23:23:18 +0000</pubDate>
		<dc:creator>cobbie</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Society]]></category>
		<category><![CDATA[Trust]]></category>

		<guid isPermaLink="false">http://cobbsblog.com/blog/?p=102</guid>
		<description><![CDATA[Yesterday I reflected on the emergence of the spam problem and some early work on anti-spam strategies. I&#8217;d like to continue the topic today with a second observation from early in 2001: 2. A lot of people want to receive relevant offers. This is not the same as observation #1 in my previous post: Some [...]]]></description>
			<content:encoded><![CDATA[<p>Yesterday I reflected on the emergence of the spam problem and some early work on anti-spam strategies. I&#8217;d like to continue the topic today with a second observation from early in 2001:</p>
<p>2. A lot of people want to receive relevant offers.</p>
<p>This is not the same as observation #1 in my previous post: Some people like unsolicited email. Back in 2001, point #1 was true: a not insignificant percentage of email users were open to getting email they didn&#8217;t ask for. This percentage dropped rapidly over the next few years as the quantity of unsolicited email that these people received increased, together with the proportion of that email which was deceptive and distasteful.</p>
<p>What did not change is point #2; it is human nature to be receptive to a good deal IF it is relevant. We realized this&#8230;<span id="more-102"></span> &#8230;when we researched spam in 2001. Back then it was not unusual for fairly &#8220;respectable&#8221; companies to send out commercial email to consumers even if those consumers had not explicitly asked to get email from that company. The reason is another side of human nature: what business person could resist the temptation to contact tens of thousands, possibly even millions, of potential customers, at virtually no cost?</p>
<p>So, one might occasionally get a coupon or other offer, out of the blue, and relevant. For example, you might get an email offering 20% off new drapes from <em>Beyond Beds and Things</em> just as you were deciding your living room needed new drapes; or an invitation to test drive a new model of pickup truck, just as you were deciding you were in the market for a pickup. While such happy coincidences were not, at least in my experience, all that common, they pointed out the fact that people like relevant offers. Furthermore, just as many of us don&#8217;t want to miss out on a good deal IF it is relevant, many of us are prepared to share, to a certain degree and under certain circumstances, what our interests are, in order that we receive relevant offers.</p>
<p>Now, in 2008, no respectable company is going to send out an email blast to people who have not given permission for that company to send them email. That&#8217;s because anti-UCE sentiment increased dramatically, at the same time that the smarter of the marketing folks figured out there was a big difference between putting junk mail in your snail mail box and putting junk mail in your email inbox. The latter is a. way more annoying, b. way beyond the control of the postal inspectors (a lot of spam content, if sent through the U.S. Mail, would result in heavy fines). Furthermore, the sleazy nature of a lot of spam threatened to give all commercial email a bad name.</p>
<p>So, we saw a shift of behaviour in which market forces&#8211;namely the desire to make friends with customers as opposed to annoying them&#8211;put the brakes on UCE from &#8220;legitimate&#8221; companies. Some firms saw the light sooner than others. Some had a hard time reining in their marketing people, some of whom tried to weasel their way around the issue of permission (e.g. pre-selecting permission boxes on order forms or otherwise implying permission to email someone when that permission was not explicit). But in general, a new and acceptable standard was set. In retrospect the shift was fairly rapid.</p>
<p>Pretty soon most companies had policies in place to prevent themselves from sending spam, together with procedures by which consumers could reliably opt out of any email list the company used. Assisting the shift was the realization that it was much more productive to send email to customers who had asked to receive it, rather than just take a chance with an unsolicited mailing (a chance which included the possibility of annoying the recipient to the point where you soured the relationship even before you got started).</p>
<p>Which brings me back to the question of how technology can help companies communicate with those consumers who are prepared to share, to a certain degree and under certain circumstances, what their interests are, in order to receive relevant offers. If UCE was not the answer, then what? I will get to that in my next post on this topic.</p>
]]></content:encoded>
			<wfw:commentRss>http://cobbsblog.com/blog/what-spam-taught-me-about-marketing-and-market-forces/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Child Porn: Why One Man&#8217;s Innocence May Worry IT Managers</title>
		<link>http://cobbsblog.com/blog/child-porn-one-mans-innocence-could-mean-it-managers-guilty/</link>
		<comments>http://cobbsblog.com/blog/child-porn-one-mans-innocence-could-mean-it-managers-guilty/#comments</comments>
		<pubDate>Thu, 19 Jun 2008 21:07:09 +0000</pubDate>
		<dc:creator>cobbie</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://cobbsblog.com/blog/?p=96</guid>
		<description><![CDATA[Computer security news out of Massachusetts this week could be a sign of big troubles to come for IT managers in enterprises, government agencies, and SMEs, in the U.S. and around the world. It&#8217;s not a virus or worm or Trojan as such, although they may be involved. No, it&#8217;s a case in which an [...]]]></description>
			<content:encoded><![CDATA[<p>Computer security news out of Massachusetts this week could be a sign of big troubles to come for IT managers in enterprises, government agencies, and SMEs, in the U.S. and around the world. It&#8217;s not a virus or worm or Trojan as such, although they may be involved. No, it&#8217;s a case in which an innocent man lost his job and his reputation, and may now win a landmark suit against his former employer. Why? Because he was fired for having child pornography on his company laptop <strong>without adequate forensic evidence that he put it there</strong>.</p>
<p>The <a href="http://www.darkreading.com/document.asp?doc_id=156590&amp;WT.svl=news2_1">case of Michael Fiola</a> could become a landmark of sorts, although some observers seem to have missed the point I&#8217;m going to make: Any employer considering taking action against an employee, based solely on what is &#8216;found&#8217; on an employer-issued computer, must have solid forensic evidence to justify that action, and preferably be in a position to justify the action on additional, non-forensic grounds. Why? Because failure to do so could have serious consequences.<span id="more-96"></span></p>
<p>An employee may hire a forensic examiner of his own. And that examiner may determine, through a detailed analysis, that, as in the case of Mr. Fiola, the employee did not, as alleged, put the offending material on the computer. In other words, the &#8216;mere&#8217; presence of child pornography on a computer does not prove an allegation that the user of that computer is a paedophile.</p>
<p>Now, I use the qualifier &#8216;mere&#8217; with hesitation because I&#8217;m not suggesting that child pornography is anything other than the vile and execrable abomination which every decent person knows it to be. But the fact is, its presence on an Internet-connected computer is increasingly beyond the control of the average computer operator. To say &#8220;I didn&#8217;t put it there&#8221; or &#8220;I didn&#8217;t know it was there&#8221; is no longer a blatantly transparent excuse. Mr. Fiola&#8217;s poorly-configured, employer-issued laptop was performing all sorts of operations without his knowledge, accessing child porn sites being one of them.</p>
<p>And beware the temptation to smugly bluster that &#8220;He should have known,&#8221; lest your computer be the next to undergo superficial analysis and ye be judged. How sure are you of the defenses you have installed on your system? And what about the obvious problems? A superficial analysis of the very laptop upon which I am writing this blog post could turn up objectionable photographs that I did not seek out. Anyone who runs Google Image Search with SafeSearch turned off will know that pornographic images sometimes appear as a result of quite innocent searches, and anyone who has a basic understanding of browser caches will know that the thumbnails displayed by Google in the results page are likely to linger on the hard drive for some time. Obviously, you need to go a little further than the mere presence of a file to make a judgement about how it got there.</p>
<p>Nevertheless, it might be a good idea for employers to require that SafeSearch is active on all company-issued laptops. And employers should already be taking steps to make sure their employees know the facts of temporary Internet file life. But should employers be held liable for failure to keep malware protection on a company-issued laptop up-to-date? That&#8217;s a good question. However, the big question that this case raises for me is quite different: What are those IT managers who are responsible for forensic work performed on suspect employee systems doing to ensure that the quality of such work is high enough to justify claims of fact in a disciplinary action?</p>
<p>The bar for acceptable computer forensics has now been raised. To where, we don&#8217;t yet know. But if Mr. Fiola files suit for wrongful dismissal and gets a judgment in his favor the case could establish an important precedent. And if it turns out the IT manager had signed off on the evidence against Mr. Fiola, the implications for IT managers will be significant to say the least. We may see several trends emerge. Employees may demand better security on company laptops. IT managers may demand more resources for forensics, or refuse to sign off on investigations without some form of immunity.</p>
]]></content:encoded>
			<wfw:commentRss>http://cobbsblog.com/blog/child-porn-one-mans-innocence-could-mean-it-managers-guilty/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>