Security Bytes - A SearchSecurity.com blog

The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

Srizbi botnet is the biggest, but does size matter?

Security vendor Marshal says the Srizbi botnet has grown to be the world's largest spam botnet, outpacing the Storm Trojan both in sending unwanted email and in compromising computers. Srizbi now accounts for half of all spam; Storm accounted for 20% of all spam at its peak.

Marshal's research team puts Srizbi at more than 300,000 compromised machines sending more than 60 billion spam messages per day. The botnet also spreads its own malware through the spam, using social engineering to get users to click a malicious link in the message.

Marshal attributes Storm's decline to the efforts made to combat it, and in particular to Microsoft's Malicious Software Removal Tool, which has been effective in slowing Storm's spread.

What is clear now is that no botnet holds a firm grip on the number one spot. Marshal said the Storm botnet was outpaced in January by the Mega-D botnet, also known as Ozdok, and Srizbi grew strong enough to take the lead in February.

Other researchers, Damballa for example, are tracking botnets they regard as far more dangerous. Kraken has been spreading malware and is more sophisticated: its operators evade takedown by simply moving the command and control function to another domain from a hard-coded list, so blocking a single domain does not cut the bots off.

Damballa saw more than 400,000 unique infected IP addresses on one day in March, with the number continuing to trend upward from about 300,000 in early March.

Which botnet is the biggest? It depends on what month and which security research team you talk to. I’m not sure it really matters.

Fighting security FUD

Bill Brenner

I recently tripped over a blog write-up from independent analyst Eric Ogren about his irritation with security vendors using FUD to sell products. It's an older posting from 2006, but his message is as relevant today as it was two years ago.

Building his case around a threat report Websense released at the time, he wrote, “I’m not sure that the world is better off with yet another security vendor telling us that Phishing, malicious websites, malicious code, hacking tools, P2P, IM and Chat attacks have all increased.”

He dismissed the report as FUD marketing designed to create demand for security products, and argued that such reports could actually have the opposite effect by advertising the futility of security products against the very attacks they describe.

He's not the first security expert to rail against the FUD factor. Security luminary Bruce Schneier has devoted huge chunks of his time to speaking out against security 'theatre': policies and products that are more about offering the perception of security than about addressing the actual risks.

And, rightly or wrongly, the Apple crowd is constantly crying FUD whenever something is written about a security flaw or malware affecting their beloved Macs.

I bring up the issue because it’s long been a source of irritation for me. As a security writer, I’m constantly buried beneath tons of voicemail and email from vendors looking for attention, and the PR machinery almost always uses FUD to make a case for buying the latest compliance-out-of-the-box appliance or the “first of its kind” bot/spyware/worm/common cold zapper.

Along the way, the PR community likes to invent new words or phrases to define the threat, many of which start with the letters “ph” (phishing, pharming, phlooding).

I’ve been looking back through four years of writing for the sake of nostalgia. The big thing that strikes me is that we’ve written a lot of stories about the latest flaw or exploit and someone is always banging on the alarm bell with a hammer.

In the final analysis, it’s prudent to flag the latest flaws and exploits because IT security professionals need to be aware of these things and incorporate the information into their patch management process. Heck, alerting them to these things is what we’re here for. But the tone and level of alarm that should go into these stories is always something we wrestle with.

Everyone has a role to play in information security, from the IT pros to the vendors, analysts and media. But from the content I look back on, I see little evidence that vendor-generated fear has ever made a difference.

Warnings about some flaw or exploit opening the door for a catastrophic Internet-ending event are never followed by the big doom. On the other side of the spectrum, the epidemic of data security breaches shows that all the FUD and security spending in the world can’t prevent the bad guys from punching through. The recent Hannaford supermarkets breach proves you can respond to the fear and spend a lot of money on new technology and still get whacked.

I recently asked Rhode Island-based network engineer Edward Ziots whether he jumps at every exploit warning. Here’s what he told me by email:

“We don’t jump; it would be imprudent to do so. Basically I read up on how the exploit works, even look at the code offline to ascertain if it would be available to be downloaded or how much effort it would take to be a working exploit. Next, you basically need to adjust your risk assessment based on the controls you have in house, and how many systems could be affected and in what manner.

“Lastly communicate the adjusted risk assessment to management, security and await decision on whether to raise priority for patching, or to deploy other security measures to mitigate until all systems can be patched.

“Honestly, it makes it very difficult with exploit code in the wild and reports of working exploits not to raise your risk level and deploy extra manpower and time and effort to get all systems patched. It’s just due diligence.”

My advice is to take the FUD with a grain of salt and remember that while cyberspace is a dangerous place and you’ll sometimes have to raise your level of alertness as Ziots does, most enterprises will survive with the proper mix of security tools, policies and a calm awareness of the risks.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.

RSA 2008: Financial industry security challenges

(ISC)2 Executive Director Ed Zeitler talks about the unique security challenges facing the financial industry and whether the current turmoil in the financial markets could put a strain on IT budgets. Zeitler has 23 years of experience in developing, implementing and managing information security programs at financial firms. Most recently, he served as chief information security officer (CISO) for Volkswagen Credit, where he created and implemented its information security program. He also served as CISO for Charles Schwab & Co., Inc., Fidelity Investments, Bank of America and Security Pacific National Bank.

LoJack on steroids for the laptop

Technology blog Engadget is reporting that Intel is about to debut LoJack-like anti-theft technology for laptops. Few details are available; Ars Technica had the original post on the subject. Let's hope it does more than track down a lost notebook. It either has to be able to brick a laptop, erasing all data, or make the data completely useless to thieves. Ars said the technology would prevent the laptop from booting. Note that a boot lock on its own does nothing for a drive that is pulled and mounted in another machine; only encryption of the data on the disk covers that case. Lenovo, Fujitsu, Phoenix and McAfee are partnering with Intel on the technology.

By the way, LoJack already licenses technology to track down laptops after a theft. Dell sells the protection on a line of business laptops, and the software is available from some sites for about $90.

Hannaford and the industrial compliance complex

Bill Brenner

This week's headline may not fit perfectly with the analogy I had in mind yesterday, but I'm running with it anyway because all week I've been thinking about the lessons of the recent data security breach at Hannaford's supermarkets.

The biggest lesson was eloquently explained in a column by my colleague Dennis Fisher, in which he cites the decline in emphasis on security in favor of a sometimes maniacal focus on compliance with various standards and regulations that has created a climate where passing an audit or satisfying a regulator is deemed more important than actually doing what’s necessary to protect critical assets.

There are plenty of vendors out there who link the use of their products to both compliance and security, and I've spoken to many a public relations flak who talks about the two as if they were the same thing. As Dennis points out, they are not. True, a lot of the work required for compliance can improve enterprise security. But security is about much more than buying the technological tools on some assessor's checklist and plugging them in.

Being a history geek, I always find myself looking for historical references to match up with the things we’re writing about, and this case reminded me of the farewell speech President Eisenhower gave a few days before leaving office in 1961 in which he warned of the military industrial complex.

Now, I know you’re waiting for the big analogy, and in the end there isn’t much of one to make. The military industrial complex is something far different than the compliance complex I see today. But I do see a few similarities worth mentioning.

Ike warned that as the U.S. fought the Cold War, it needed to “guard against the acquisition of unwarranted influence…by the military-industrial complex,” which included members of Congress from districts dependent on military industries, the Department of Defense and privately owned military contractors like Boeing, Lockheed Martin, and Northrop Grumman. Ike feared that the military-industrial complex inspired policies that might not be in the country’s best interest and he feared that its growing influence, if left unchecked, could undermine American democracy [see more detailed description from Encyclopedia Britannica]

I’m not trying to suggest that compliance vendors are trying to influence the course of American policy. As I admitted earlier, this is an imperfect analogy.  But I do believe there’s a danger of individual businesses being influenced by a compliance complex in which execs desperate to pass the compliance test fall under the spell of vendors promising that their tools will not only help them pass the test but keep them secure. In the end, some make decisions that are not in the best interests of the company’s security program. In other cases, the technology purchased does its job well but the company fails to implement a bunch of other security measures technology alone can’t address — because the vendor or assessor assured them that investing in their product would be all that’s needed.

The Hannaford breach has sent shockwaves through the retail world because it turns out the company had achieved PCI DSS compliance. Many were stunned to see a living example of a compromised business that spent a lot of money on compliance products and thought they were secure.

The silver lining around the Hannaford breach may be that other companies are broken of the compliance complex. Dennis does a good job of mapping out what security is really about, but I leave you with some blog chatter from security experts who make similar points this week:

Burton Group analyst Randall Gamby writes in his company blog that PCI DSS and the work of complying with it has achieved a false sense of security in many corners.

“I’m not saying PCI isn’t important, after all this breach may have never been found if PCI measures weren’t put in place, but enterprises have to look beyond the task of being compliant and take whatever additional steps may be needed to secure their data against breaches,” he writes.

Security management expert Mike Rothman makes the point more bluntly in his Daily Incite blog: “If security professionals think that an audit makes them secure, they are idiots.”

Rothman goes on to say compliance does not equal security. Maybe it makes the senior folks sleep a little better, he writes, “but they’d be dumb, too.” Anyone in a position of power needs to understand about risk and containing risk, he says.

I’m probably going to get a bunch of emails telling me how stupid my analogy is, and one of them might even come from Mike. But instead I’m hoping to hear what readers have to say about the points he and others are making.

The data breach that hit home

Bill Brenner

Covering the security breach at Hannaford Bros. Supermarkets this week was a particularly interesting experience for me. Unlike the other breaches I've written about, this one really hit me where I live.

Of course, the bank did send me a new debit card after my old one was compromised in the TJX data breach, but that’s only because of one purchase I made there during the period when the data raids were in progress.

I shop at Hannaford's every week. Even though there are several supermarkets closer to home, I've been making the longer trek to the store in Hampstead, N.H., because I found the prices and food quality better than the others. Despite the breach, I won't stop shopping there. My bank was quick to issue me a new card, and I think the retailer will do what's necessary to prevent a repeat. Of course, the company will lose a lot of money to fines and lawsuits in the meantime.

Of course, after any data breach it’s important to explore how it happened and what the affected company could have done better from the outset, and Hannaford’s is no exception.

I found plenty of security bloggers doing just that. Here’s some wisdom from two blogs high on my favorites list:

Rich Mogull, former Gartner analyst and founder of security consultancy Securosis, wrote in his blog that since the information was stolen during the authorization process and was distributed over many locations, a compromise of the central authorizations system or the credit card processor is the likely source. “It could be as simple as sniffing unencrypted communications, or a more complex compromise of a database or application,” he said. “My money is 70% on sniffing, 30% on something in the database.”

Of Hannaford’s claim that no personal data such as names, addresses or telephone numbers were divulged — just account numbers, Mogull wrote, “This can’t be true. Without names, the card numbers are unusable.”

Mogull also used Hannaford’s PCI DSS compliance as an example of how he believes “PCI is worthless” if the chain was allowed to be ruled compliant in the first place.

“The fraud was detected by the banks or credit card companies, then it took a little under two weeks to contain,” he wrote. “Not great, and indicative of either a little sophistication on the attacker’s part, or a lack of sophistication on Hannaford’s part. How to prevent this? We won’t know until more information is out, but since they shouldn’t be PCI compliant if they transmitted credit card numbers in the clear, perhaps my guess of sniffing is off. I’m still laying odds on that, and if so, encryption is the answer.”

Security blogger Martin McKeay wrote of a silver lining in the Hannaford’s breach.

“Hannaford does not associate card numbers and expiration dates with the cardholder names and addresses,” he noted. “This in a day when your local grocery store offers you a discount if you’ll just enter your phone number at the PIN pad so they can track every single purchase you make and send you a personalized weekly ad. Most stores would have had card numbers, your home address, the names of all of your relations and possibly the name of your teacher in first grade. Well, maybe not the last one, but they would have a record of every embarrassing purchase you’ve ever made.”

The downside to this lack of association between card numbers and cardholder names, he wrote, is that they have no way of knowing who should be contacted in the breach. He said he’s not sure if that will absolve Hannaford’s of having to contact anyone or make it necessary for them to contact all of their customers. They probably haven’t figured that one out yet either, he said.

Good points from both. I’ll end by saying that the big reason Hannaford’s won’t lose me as a customer is because I see them as more of a victim than a villain.

Through my own reporting on PCI DSS compliance I know the company had made investments to bolster the security of its point-of-sale machinery and wireless set-up.

Some are making much of the fact that this breach happened even though Hannaford’s was PCI compliant. Surely, they say, this speaks to the weaknesses of PCI DSS itself. I actually explored that angle in the wake of the TJX breach, and most of the analysts, IT pros and vendors I talked to defended the security standard. After all, it turned out, TJX was nowhere near being where it needed to be for PCI compliance.

Regardless of what one thinks of PCI DSS, it does appear that Hannaford’s was and still is working to improve its security.

But as a police officer once told me after my house was burglarized despite the burglar alarm we had installed, if the thief wants to get in badly enough, they’ll find a way.

Hannaford and the evolution of the data breach

As the rash of large data breaches and thefts continues unabated, it's important to resist the urge to lump them all together. Not all breaches are created equal, and the latest one, at Hannaford supermarkets, illustrates this point perfectly. A lot of people are comparing the incident to last year's breach at TJX, but the two stories have far less in common than it appears at first blush.

While both companies are retailers, the attacks on their systems look to have come from markedly different points. The folks who broke into TJX’s network did so by sitting outside one of its stores and capturing wireless network traffic. A simple, common attack. The details of the Hannaford incident are still pretty murky, but the language in the statement from the company’s CEO and other bits of data that have emerged today suggest that the chain may have been the victim of a man-in-the-middle attack. The company said that customer credit card and debit card numbers were stolen during the card verification process, meaning that there was a bad guy somewhere between the point-of-sale device that captures the data and the third-party system that verifies it and authorizes the purchase. This could be anything from a Trojan on Hannaford’s own network to a rogue employee of the grocery chain or its payment partners. It’s impossible to tell at this point.

The other key difference between TJX and Hannaford is that the thieves who attacked Hannaford didn’t bother messing with the customer database; they went straight for the highest value assets, the card numbers. The TJX hackers took customer Social Security numbers, addresses and other personally identifiable information, which is scarier to consumers. But many of the card numbers that were taken from TJX were obfuscated and so were of no use. The Hannaford attack looks much more like the work of professionals, which should be scarier for security staffs.
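Mogull's guess in the earlier post (sniffing of unencrypted authorization traffic) and the man-in-the-middle scenario described here come down to the same thing: somewhere on the path between the terminal and the processor, card numbers were readable. The following is an added example and not code from the original page, from Hannaford or from any of the bloggers quoted. It scans a constructed capture for Luhn-valid runs of 13 to 19 digits, which is both what an attacker sitting on that link would do and what a defender can run against a capture of their own authorization path to confirm that PANs are not travelling in the clear. The field names (pan, exp, term) and the processor host are hypothetical, and the account numbers are industry test numbers, not real cards.

```python
import re

# Constructed sample of what a sniffer between a point-of-sale terminal and
# the processor would see if authorization requests went over the wire
# unencrypted. Field names are hypothetical; the account numbers are
# well-known test numbers, not real cards.
SAMPLE_CAPTURE = (
    b"POST /auth HTTP/1.1\r\nHost: processor.example\r\n\r\n"
    b"pan=4111111111111111&exp=0910&amt=42.17&term=HAN0041\r\n"
    b"pan=5500000000000004&exp=1109&amt=8.99&term=HAN0041\r\n"
    # A long order id and a mistyped card number: right length, wrong checksum.
    b"order=1234567890123456789&ref=4111111111111112\r\n"
)

# Any run of 13-19 digits that is not part of a longer run of digits.
CANDIDATE_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9
    from doubled values above 9, and require a total divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the BIN (first six) and the last four, as an alert should."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(payload: bytes) -> list[tuple[int, str]]:
    """Return (byte offset, masked PAN) for every Luhn-valid candidate.
    The Luhn filter is what separates card numbers from order ids and
    reference numbers of similar length."""
    hits = []
    for m in CANDIDATE_RE.finditer(payload):
        digits = m.group(1).decode("ascii")
        if luhn_ok(digits):
            hits.append((m.start(1), mask_pan(digits)))
    return hits


if __name__ == "__main__":
    for offset, masked in find_pans(SAMPLE_CAPTURE):
        print(f"cleartext PAN at byte {offset}: {masked}")
```

Run against the sample, the scan reports the two real test numbers and ignores the 19-digit order id and the mistyped number, both of which fail the checksum. Against a capture of a link that is actually encrypted end to end, it reports nothing, which is the check behind Mogull's "encryption is the answer". The caveat is that a Luhn-valid sequence is not proof of a card number (some non-card identifiers pass by chance), so treat hits as leads to confirm, not as a count of exposed accounts.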

Supermarket chain discloses breach

East Coast supermarket chain Hannaford Bros. Co. said Monday that its network was broken into and customer credit and debit card numbers were stolen.

The Associated Press reported that company officials said the breach exposed 4.2 million credit and debit cards and led to 1,800 cases of fraud.

In a statement on the company’s website, Hannaford CEO Ron Hodge said the stolen data was limited to credit and debit card numbers and expiration dates; no personal data was accessed. The card numbers were stolen from Hannaford’s computer systems during transmission of card authorization.

The breach affected Hannaford stores in New England and New York, Sweetbay stores in Florida and some independently-owned retail locations in the Northeast that carry Hannaford products. Hannaford discovered the intrusion on Feb. 27 and alerted law enforcement officials.

The company advised customers that made purchases at its stores using credit and debit cards over the last three months, and who suspect their accounts may have been compromised, to immediately notify their card issuer or bank.

In his statement, Hodge said Hannaford “doesn’t collect, know or keep any personally identifiable customer information from transactions.” He added, “We sincerely regret this intrusion into our systems, which we believe are among the strongest in the industry.”

Meanwhile, the Massachusetts Bankers Association said in a statement Monday that Visa and MasterCard have notified 60 to 70 banks in Massachusetts about a large data breach involving what the card companies would only describe as a major retailer.

The MBA estimates that “hundreds of thousands” of credit and debit cards owned by consumers in Massachusetts and northern New England states could be affected, and urged consumers to monitor their accounts. The association said it has been in discussions with the card companies and pursuing legislative alternatives that would require that the name of the retailer involved in a breach be released.

Identity theft is everywhere

Canada is not immune. It looks like some low-tech identity thieves are facing fraud charges for their activities in British Columbia and Alberta.

There was a technical element here. Police seized 100 CDs containing thousands of people’s personal data profiles. In addition to driver’s licenses and the like, police discovered card readers and debit terminals.

If anything, it's an example of how easy it has become for less tech-savvy criminals to get their hands on the devices and steal identities. When they weren't stealing IDs, they were either using or dealing drugs: eight ounces of crystal meth and a .22-calibre rifle were also seized.

Report: 8,700-plus FTP account credentials in hackers’ hands

Finjan released an interesting report today about a database it uncovered with more than 8,700 harvested FTP account credentials — including username, password and server address — that are apparently in the hands of the digital underground.

The vendor says these stolen credentials allow the bad guys to inject crimeware into servers and in turn infect end users. Stolen accounts include those of Fortune-level global companies in a wide range of industries such as manufacturing, telecom, media, online retail, IT and government agencies. The stolen FTP accounts include some of the world’s top 100 domains as ranked by Alexa.com.

“Software-as-a-Service has been evolving for some time, but until now, it has been applied only to legitimate applications. With this new trading application, cybercriminals have an instant ’solution’ to their ‘problem’ of gaining access to FTP credentials and thus infecting both the legitimate websites and its unsuspecting visitors. All of this can be easily achieved with just one push of a button,” Finjan CTO Yuval Ben-Itzhak said in a press release.