I just got done reading Deborah L. Jacobs’ Forbes article on how lying about having a degree in computer science led ex Yahoo! CEO Scott Thompson to resign from his position. Thompson should have learned from the top tech guns.

Facebook CEO Mark Zuckerberg, Microsoft founder Bill Gates and the scores of other wildly successful tech moguls not only proved that it isn’t necessary to have any kind of degree to succeed in tech but have also demonstrated that it provides an esoteric “cool factor.”

Had Thompson made a big deal about not having the degree which he claimed, he’d likely still be in the driver’s seat shouting Yahoo! at the top of his lungs.

Moving right along … Elinor Mills over at CNET posted a story last Friday about startup Artemis, self described as:

… founded by a group of Internet security specialists to deliver real-world solutions for building a more trustworthy Internet. Our premier service is the .SECURE gTLD, developed to provide enhanced and robust security and trust across the rapidly changing Internet with the advent of new generic top level domains. (https://artemis.net/about-artemis.html).

It looks as if the bottom line is that in exchange for following the Artemis regulatory framework, organizations can get a www.yourbrandnamehere.secure URL. The “.secure” ending verifies that the website is “safer” than current .com, .net, .tv, .etc… sites.

Seems like like a great idea, but to be successful Artemis is going to have to overcome some huge public relations challenges. How do you convince the world to move away from CAs and the PKI? This challenge becomes even more difficult when you consider how Google and other powerhouses are investing even more in security assets such as certificates and PKI improvements.

Posted by Joe Franscella, Wednesday, April 11, 2012:

Researcher Brian Royer of SophosLabs had an interesting take on the Utah Department of Health breach that has compromised as many as 500,000 patient healthcare records that included social security numbers. He pushed the value of encryption but says that in this case it would not have helped: Utah Medicaid Breach Exemplifies Value Of Encryption And Access Control.

Mike Lennon over at SecurityWeek tells us that CloudPassage added $14 million to its coffers with an investment round from Tenaya, Benchmark and Musea: Cloud Server Security Firm CloudPassage Raises $14 Million

At InformationWeek, Rob Lemos explains how malware developers use one of the oldest tools in the security and privacy arsenal to add sticking power to their creations: Malware Writers Pack In Better Encryption

At The Last Watchdog Byron Acohido tells it like it is with “beloved” consumer devices and security: Mobile Devices Carry Security Flaws

Steve Ragan at SecurityWeek reports on a interesting finding from AlgoSec showing that management is the toughest IT security challenge: Poor Internal Processes Viewed as the Greatest Threat to Network Securty

Finally, I want to point out a new Security blog ashimmy.com brought o our attention, Pink Hat Security — check it out of you get a chance.

Enjoy!

I came in this morning to a number of stories that broke across various security, tech and biz pubs since 5 a.m. EDT. Aside from being mostly concerned over the MAC Attack (for personal reasons), here are a few of those and some others that caught my eye:

How To Prevent Data Leaks From Happening To Your Organization

By John Sawyer, the Dark Reading special report covers off on everything from locking down the network to having effective SIEM in place. Provides a great clearing-house list of essential technologies mixed with supporting facts and charts.

Web attacks use smart redirection to evade URL security scanners

By Lucian Constantine, this Network World story covers how security researchers from antivirus vendor ESET have come across new Web-based malware attacks that try to evade URL security scanners by checking for the presence of mouse cursor movement.

I fell for the oldest social engineering trick in the book

By Bill Brenner, the title of this editorial on CSO says it all. Bill describes how he became victim to a classic social engineering attack on Twitter. I know the feeling.

Palo Alto Networks Files for IPO

At SecurityWeek, Mike Lennon gives us the rundown on this next generation firewall vendor’s IPO filing. I’ve been watching PAN from the start — best of luck to them!

Anonymous plans more attacks on China, report says

CNET’s Roger Cheng gives us the latest on Anonymous’ disdain for Chinese corruption.

FBI: Smart Meter Hacks Likely to Spread

Brian Krebs, Krebs on Security, tells about how cyber criminals are attacking utility company smart meter technology. Maybe not so smart after all…

Internet thieves piggyback on legitimate users

Adam Sylvain, USA TODAY, writes about how Internet service piracy is on the rise.

Utah Data Breach of 181,000 Records Blamed on Configuration Error

Threat Post’s Dennis Fisher updates us on the data breach on Medicaid and Child Health Plan of Utah that may have compromised as many as 181,000 records.

Flashback Mac Trojan Shakes Apple Rep of Invulnerability

Jeff Burt, eWeek, gives up the latest on the MAC attack that may have infected as many as 600,000 MACs.

Posted by Joe Franscella, Thursday, April 5, 2012 (Updated with corrections, Friday, April 6, 2012, 8:40 PM PDT)

I’ve been reading with great interest all of the rumor and innuendo (as Brian Krebs put it) around the Global Payments  (NYSE: GPN) payment card breach. There are a bunch of killer reports and news articles, all of which have boiled it down to 10 points:

1. Global Payments, a massive payment card processor, is breached
2. As many as 1.5 million cards may have been compromised with up to 800 used fraudulently
3. There may be another “mystery” breach floating around
4. Global Payments continues processing transactions
5. Visa has removed GP from its approved provider list
6. Global Payments stock has fallen
7. Ground zero may be a poorly secured administrative account
8. A Latin American-based gang may be involved
9. An unnamed forensics investigations company is on the case
10. As always ─ on the Internet ─ it’s every man for himself

I have a passion for IT security (one reason I returned to Trainer Communications recently as Director for the IT security practice). Combine this with being former journalist and independent security blogger and I couldn’t stop myself from diving deeper. To find out more, I pursued a conversation with a Visa Qualified Incident Response Assessors (QIRA) on the subject. QIRAs are consultants Visa says are qualified to investigate payment card breaches — the FBI of the payment card industry so to speak (lease keep in mind that there may be other lists, investigators and qualifications out there in addition to this one). The five  QIRAs on the list I found are:

1. 7Safe
2. AT&T Consulting
3. Fishnet Security
4. Foregenix
5. MANDIANT

UPDATE: Friday, April 6, 2012, 8:40 PM — It was pointed out to me that there are in fact 10 QIRAs, in addition to the above they are: Protiviti, Security Metrics, Trustwave, Vectra Corporation Ltd2, Verizon Business (Cybertrust).

Although they could not comment directly on this breach, MANDIANT contact Steve Surdu did answer some of my questions. The Q/A is below. I think Q2 and Q7 provide some great insight into primary IT reasons behind breaches and the future of Global Payments.

Q1 — How likely is it that an organized gang is involved, is organized crime usually involved in payment card breach scenarios?

I don’t feel comfortable speculating about what may be going on at Global Payments.  I can only speak to Mandiant’s experience.  Many of the payment card breach situations Mandiant deals with involve organized crime.  In our experience, this is not atypical for breaches in the financial industry.

Q2 — How likely is it that a poorly protected admin account is attack ground zero?

I don’t really have an opinion on the attack vector and, absent specifics, I think no one option is more likely than another.  We have seen many different approaches.  It depends on both the victim organization’s security posture as well as the attacker’s skills/tendencies.  In payment card breaches we have seen attackers take advantage of firewall configuration issues, host configuration issues, ill-advised browsing by users that infect their systems, third party application configuration issues, default vendor software credentials, security vulnerabilities in web applications and unprotected infrastructure due to mergers/acquisitions that have not been completely brought under the responsibility of the IT organization.

Q3 — Several reports say there will be a mushroom effect that spans the internal network to the cloud, do you expect this will end up being the case?

I’m not sure I understand the question completely but if you are referring to the collective payment processing infrastructure, no, I don’t see this as being substantially different from events that have occurred in the past.

Q4– The Verizon breach report recently published shifted focus from insiders to outsiders as being the biggest threat, do you suspect that there are insiders involved in this breach?

Again, I cannot speak to the situation at Global Payments.  Based on Mandiant’s prior experience, we have not found insider activity to be associated with large-scale payment card breaches.  We have investigated hundreds of breaches and few involve insiders.  While they do happen, insider breaches tend to have very different characteristics from what has been reported in the press for Global Payments.

Q5 — Why is Global Payments allowed to continue to process cards despite being removed from the Visa approved processors list?

Merchants depend on payment processors for their card processing.  It is not feasible/practical for them to instantly switch to another processor in a situation like this.  Security events occur to many organizations and they successfully work through them.  While our investigations are ongoing our clients are very diligent about safeguarding their environments as much as possible to minimize the potential for additional issues.  Once security issues are resolved and organizations are recertified then can become approved by the card brands.  The amount of time required depends on the level of effort to remediate the issues identified.

Q6 — Is this a case of too much compliance and not enough security?

Compliance is always a good start but should never be considered sufficient to safeguard an environment.  Most organizations know this and use compliance as a baseline for their security measures.  Robert Mueller, Director of the FBI, recently said that there are two types of companies – those who have been breached and those that will be. He understands that it is impossible to completely secure an environment especially a large, complex one.  Based on the number of investigations we perform, we realize that many organizations work hard at security and still have issues.  Many are in compliance with their regulatory requirements but are still victimized by attacks they were unaware were possible.  Security is difficult.  It is why we exist – to help.

Q7 — What’s next for Global Payments, how do they bounce back, can they?

This is no different from similar situations that have occurred in the past.  RBS Worldpay was the most public payment processor breach up to this time but there have been others that have received much less attention.  All breach victims face the same issues but I think most come through them pretty well.  It requires them to take the right steps: investigate well so they know what really happened, be good at communicating facts (not suspicions) clearly and to the right constituencies and take the appropriate steps to address the correct security issues (people, process, technology).  It can take a while for an organization to put a large breach behind them but most of our clients use this experience to galvanize their organizations to prevent anything like this from occurring in the future.

Big thanks to MANDIANT for providing an investigator’s eye view. For anyone else interested in getting 360 degrees of coverage on the incident, here is a partial clearing-house list of some of the coverage:

• Kim Zetter – Wired

• Bill Brenner – CSO

• John Ribiero – IDG News

• Alan Shimel – ashimmy.com

• Tim Wilson – Dark Reading

• Ericka Chikowski – Dark Reading

• Erika Morphy – eCommerce Times

• Robin Sidel, Andrew Johnson – Wall Street Journal

• Brian Krebs – Krebs on Security

• E. Scott Reckard and Tiffany Hsu, Los Angeles Times

• David Henry – Reuters

• Taylor Armerding – ComputerWorld

• Tracy Kitten – Bank Technology News

• Donal Griffin – Bloomberg

• Jaikumar Vijayan – ComputerWorld

• Zack Whittaker – CNET

• Dennis Fisher – Threat Post

• Dan Kaplan – SC Magazine

• Jessica Silver-Greenberg – New York Times

• Andy Greenberg – Forbes

• Mickey Meece – Forbes

• Mike Lennon – Securityweek

• Martin McKeay – Network Security Blog

• Mike Mimoso – SearchSecurity

• Avivah Litan – Gartner

• Meghan Kelly – Venture Beat

• Lena Rao – TechCrunch

• Byron Acohido — USA TODAY/The Last Watchdog

And the winners are …..

It is that time of year again! Starting today voting is open for the 3rd annual Social Security Blogger Awards.  You can vote at http://www.zoomerang.com/Survey/WEB22BQFS9A3BN/. Be warned that you must leave a verifiable email and blog address in order for your vote to count. Of course the winners will be announced at the Security Bloggers Meet up at the RSA Conference next month.Before I announce the finalists, I want to give a special thanks to our all star panel of celebrity judges:1. Bill Brenner of CSOOnline

2. Ellen Messmer of Network World

3. Kelly Jackson-Higgins of Dark Reading

4. Larry Walsh of Channelnomics

Without further delay I am very pleased to announce the finalists for the 3rd Annual Social Security Blogger Awards:

Best Corporate Security Blog

• Veracode ZeroDay Labs (http://www.veracode.com/blog/)
• Fortinet – http://blog.fortinet.com/
• Symantec Connect (http://www.symantec.com/connect/)
• Gunter Ollmann/Damballa Research http://blog.damballa.com/
• Arbor Networks http://asert.arbornetworks.com/

Best Security podcast

• Pauldotcom http://www.pauldotcom.com/
• Southern Fried Security http://www.southernfriedsecurity.com/
• CERTS Podcast Series http://www.cert.org/podcast/
• The Silver Bullet Security Podcast http://www.cigital.com/silverbullet/

Most educational security blog

• Jeremiah Grossman (http://jeremiahgrossman.blogspot.com/)
• Chris Hoff – Rational Survivability (http://www.rationalsurvivability.com/blog/)
• Jon Oltsik, Enterprise Strategy Group http://www.enterprisestrategygroup.com/category/our-team/analysts/jon-oltsik/
• Naked Security/Sophos http://nakedsecurity.sophos.com/
• Evil Bytes /John Sawyer http://www.darkreading.com/blog/archives/evil-bytes/index.html

Most entertaining security blog

• Naked Security  http://nakedsecurity.sophos.com/
• View from the Bunker  http://viewfromthebunker.com/
• Uncommon Sense Security/Jack Daniels http://blog.uncommonsensesecurity.com/
• Securosis Blog/Insights/ Mike Rothman http://securosis.com/blog

Security Blog that best represents the industry

• Threat Post http://www.threatpost.com
• Krebs on Security http://www.krebsonsecurity.com
• CSO Online Blog http://blogs.csoonline.com/
• Threat Level (Wired) http://blogs.csoonline.com/
• Schneier On Security http://www.schneier.com/

The single best security blog post of the year

• The Death of Security as We Know It (http://techbuddha.wordpress.com/2010/11/16/2011-the-death-of-security-as-we-know-it-or-operationalizing-security/)
• CyberSecurity and National Policy by Dan Geer (http://www.harvardnsj.com/2010/04/cybersecurity-and-national-policy/)
• Ralph Langner, Langner Communications series on Stuxnet http://www.langner.com/en/2010/12/09/our-stuxnet-timeline/
• “SecurityBSides Turned Me into an Adult” by Michelle Klinger, from her Fear Not the Assessor blog http://topheavysecurity.com/2010/12/13/securitybsides-turned-me-into-an-adult/
• Brian Krebs (krebsonsecurity) Sept. 30, 2010 “U.S. charges 37 alleged money mules” http://krebsonsecurity.com/2010/09/u-s-charges-37-alleged-money-mules/
• “How to Become an Information Security Thought Leader by Chris Eng  http://www.xtranormal.com/watch/7897173)

Every single one of these blogs is already a winner having been selected by our blue ribbon panel of judges. Voting closes at the end of the month, so please don’t wait to vote!

2011 is here, and for those of us in the mix so is RSA Conference 2011. Many of us  have already been working with clients on their plans and pitches for the event and the veterans among us know that by now we should be focusing in on what our news will be and how to best present it within a crowded, competitive and aggressive field.

Last year I polled a number of journalists and analysts regarding what they look for in compelling news, most pointed out directly that they wanted to know two things, 1.) what’s new; and 2.) why is it important to the readers. To expand a little on both:

“What’s New.” This is not just the what’s new surrounding your company and product but also the what’s new to the industry. If you want to be successful with journalists, it is of utmost importance when telling your clients’ stories that you are able to pull out of the marketing exactly what’s new in terms of the technology and its application and why the latest version can do something in a way that has never been done prior.

“Why Important.” I can’t emphasize enough that trying to tell a journalist or analyst that something is important because a vendor says it is just doesn’t cut it. You need facts, data and feedback from the field that validates your position. Trainer Communications managed a recent launch by our client eEye Digital Security where we talked in-depth about the new product line, but to truly achieve recognition we anchored it to a neutral research report that included a survey of over 1,900 respondents — demonstrating the problems and needs within the vulnerability management market. This was just the news journalists needed to make a compelling story.

If you are headed to RSAC 2011 with clients this year, I can’t emphasize enough two things: What’s New and Why is it Important. And, remember to back both up with neutral facts. To read about what the journalists and analysts said last year, visit: Tell Me Something New, Please.

One other thought, this year RSAC is going to be especially productive for Trainer. In addition to representing clients on the show floor, we are also going to host an event in tandem that will focus on educating vendors on how to improve their market visibility through PR and marketing. The venue is being finalized, but the free lunch will play host to a number of enterprise buyers, vendors, press and media who will provide candid opinions on the topic. If you are interested shoot me an email at jfranscella at trainercomm dot com.

We work hard at Trainer Communications, we also like to have fun. As always, the Halloween office dress up …

Left to right — Ross Perich, the Cal Bear, Justin Gillespie, the 70′s rocker, CEO Susan Thomas, opportunity in disguise, Joe Franscella, the Clone Trooper, Kelly Kramer, the PicScout picture scout, April Rudish, the doctor is in, Larry Smalheiser, the vacationeer. Happy Halloween!

I always enjoy reading Jenn Leggio’s Social Business column at ZDNet and am thoroughly enjoying 100 Brains. Today she interviews Microsoft Security Guru Katie Moussouris, focusing on some social media security specifics that I found particularly interesting.

Before writing about what I found specifically intriguing, I want to digress slightly to headlines of the past couple days related to Facebook’s third-party app privacy flaws (or I guess you would call flaws “features” if you were on the third-party app side ). The headlines made it sound as if there was some profound revelation in that Facebook was — can you imagine — not protecting users’ privacy, gasp! When the headlines broke, the first thing I posted on my Facebook was that I could hardly believe by now that anyone using Facebook does not understand that virtually anything and everything they post is, in a word, accessible. Anyone who hasn’t figured out that Mark Zuckerberg is providing a place to “share” and not “hide” information really doesn’t get the whole point of the site.

Back to the Leggio column with Moussouris. The QA I found intriguing (because it backs my opinion) is this:

Q. There’s a lot written about security and social media and education. Do you think it is reaching the right people?

A. I think that it doesn’t matter who it reaches, as there will always be people who will flock to social media sites regardless of whether or not their info is secure.  I personally assume and accept the elevated security risk in using social media. There was a time I tried to resist using graphical web browsers (I used lynx), due to my inherent paranoia, but the draw of The Onion online with hilarious photos drew me in and I began using another browser.  Similarly, the convenience features, and lure of all your friends in social media will draw even some of the most paranoid security people to join in. I think the right education for everyone about current social media and security is to set the expectation that it bears security risk, and that’s that. Use at your own risk!

Facebook, and any online social community, “bears security risk, and that’s that.”

One final thought:

There are instances where security risks on Facebook and the like aren’t inherent in the purpose of the technology, which, again, is to share and not hide information. These instances include social engineers and other attackers who blatantly attempt to suck users in with malicious links and nefarious offers. Does Facebook have an obligation to keep the criminals out and its users protected? I don’t want to get into this philosophical argument but I will opine that we — users — are placing a rather unrealistic expectation on Zuckerberg if we thing that he alone can solve the problem of Internet crime and security.

Market leadership is all about positioning, doesn’t matter if that market is IT, consumer or politics.

Today the Obama Administration made former Chief of Staff Rahm Emanuel’s departure from the White House official. Emanuel now heads back to Chicago to run for the Mayor’s seat. Talk about your long-term positioning strategy in action — nicely played Dems!

If Emanuel succeeds — and BTW he’s not running against an incumbent as current Mayor Richard Daley is not seeking re-election — he’s in a perfect spot to succeed his now former boss as President, if Obama wins in 2012 that is.

If Emanuel wins, his term as Mayor will expire in February 2015, just ahead of the end of (again if he wins) Obama’s second term, which ends in 2016. Can you say perfect timing to run for President?

By removing Emanuel from the top seat and placing him into a tough-and-gritty city ripe for reform and rescue from the recession, the Dems get to position Emanuel as:

•    A successful reformer (the recession will probably end within the next few years and he will get to take credit for Chicago’s recovery regardless of whether or not he has anything to do with it)
•    A Washington outsider but someone who understands Washington politics (he will have been gone from the Beltway for at least four years by the next Presidential election but has spent significant time within it)
•    Oprah’s neighbor

Again, well played Dems, you should get the National MarCom award for long-term positioning strategy.

One final thought, if I was a Chicago resident, I would be very excited over the prospect of Emanuel taking over my town, talk about a man who could scoop up federal funds. I don’t think anyone since Senators Byrd and Kennedy have ever been in that advantageous of a position.

I’m a social mediaphile. I have a passion for all things social media and the technologies that enable them. I was particularly intrigued when a client of mine pointed out the Kansas City firm SocialVolt to me. SocialVolt is a social media management platform that claims to provide management and monitoring of social media discussions across multiple social technologies in a single dashboard-type of location. OK, no big differentiation from what other similar types of tools do. There was one particular capability SocialVolt provided that I found intriguing though — its compliance functionality.

I didn’t have a chance to speak with anyone at SocialVolt, but their website reads:

Using STUDIO’s first in class compliance feature set, organizations can now determine compliance rules, utilize sustainable discussion databases as well as backup and archive all conversations. Organizations can now scale social media across an entire enterprise without having to worry about jeopardizing their brand name!

If it actually works, its impressive to say the least to think that a regulated organization can cut loose on social media without worrying about compliance related issues. What’s even more intriguing is that SocialVolt doesn’t just stop at claiming to enable compliance, it specifies specific regulations it works with:

Whether it’s FINRA, FDIC, OCC, HIPAA or your own internal compliance officers, STUDIO gives you the tools you need to supply detailed research on any social media activity originated in STUDIO and even activity originated outside STUDIO.

Considering the speed at which companies such as Kaiser are utilizing new media services to market health care products and services, HIPAA coverage I think is an especially smart decision they made.

Definitely an intriguing technology that is worth watching, especially as social technologies become more and more embraced by mainstream internal and external marketing organizations now realizing that it is a powerful communications channel that delivers results.

One thing I would like to see out of SocialVolt is a customer use case posted on the website or even some commentary on a blog or two about how regulated companies are using the technology. For now, I rate them as a definite company to watch.