Security Bytes - A SearchSecurity.com blog



The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

DHS takes a chance with new cybersecurity chief Beckstrom

The cybersecurity group at the Department of Homeland Security has had a hard time hanging onto its leaders, for various reasons, since the department started five years ago. DHS officials have tried a number of approaches in trying to find the right man for the job, going first to government veterans such as Howard Schmidt and Amit Yoran, who had both government and industry experience, and then landing on Greg Garcia, the current assistant secretary for cyber security and telecommunications, who was a lobbyist before he joined the department.

Now, with its recent appointment of Rod Beckstrom as director of the nascent National Cyber Security Center at DHS, officials are trying a completely different approach: bringing in someone with no security or government experience. Beckstrom is a serial entrepreneur who has founded a number of successful companies and also has written a book on leaderless organizations. All kidding about how his knowledge of leaderless organizations will serve him well at DHS aside, I think the DHS folks deserve a bit of credit for going outside the playbook and giving a shot to an outsider such as Beckstrom. His role will not necessarily be a technical one, as he was brought in specifically to encourage better communication and information-sharing among the various components of the federal government that handle cybersecurity.

Former officials who have worked in the National Cyber Security Division at DHS and those in the private sector who work with the department have consistently criticized DHS for its poor communication on security issues and lack of willingness to share intelligence on attacks and vulnerabilities. What can it hurt to try a different approach? The ones they’ve tried in the past clearly haven’t worked, so maybe a little new blood and some unconventional thinking will jump-start things.

The data breach that hit home

Bill Brenner

Covering the security breach at Hannaford Bros. Supermarkets this week was a particularly interesting experience for me. Unlike the other breaches I’ve written about, this one really hit me where I live.

Of course, the bank did send me a new debit card after my old one was compromised in the TJX data breach, but that’s only because of one purchase I made there during the period when the data raids were in progress.

I shop at Hannaford’s every week. Even though there are several supermarkets closer to home, I’ve been making the longer trek to the store in Hampstead, N.H., because I found the prices and food quality better than the others. Despite the breach, I won’t stop shopping there. My bank was quick to issue me a new card and I think the retailer will do what’s necessary to prevent a repeat. Of course, the company will lose a lot of money to fines and lawsuits in the meantime.

Of course, after any data breach it’s important to explore how it happened and what the affected company could have done better from the outset, and Hannaford’s is no exception.

I found plenty of security bloggers doing just that. Here’s some wisdom from two blogs high on my favorites list:

Rich Mogull, former Gartner analyst and founder of security consultancy Securosis, wrote in his blog that since the information was stolen during the authorization process and was distributed over many locations, a compromise of the central authorizations system or the credit card processor is the likely source. “It could be as simple as sniffing unencrypted communications, or a more complex compromise of a database or application,” he said. “My money is 70% on sniffing, 30% on something in the database.”

Of Hannaford’s claim that no personal data such as names, addresses or telephone numbers were divulged — just account numbers, Mogull wrote, “This can’t be true. Without names, the card numbers are unusable.”

Mogull also used Hannaford’s PCI DSS compliance as an example of how he believes “PCI is worthless” if the chain was allowed to be ruled compliant in the first place.

“The fraud was detected by the banks or credit card companies, then it took a little under two weeks to contain,” he wrote. “Not great, and indicative of either a little sophistication on the attacker’s part, or a lack of sophistication on Hannaford’s part. How to prevent this? We won’t know until more information is out, but since they shouldn’t be PCI compliant if they transmitted credit card numbers in the clear, perhaps my guess of sniffing is off. I’m still laying odds on that, and if so, encryption is the answer.”
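Mogull’s sniffing theory rests on card numbers crossing the authorization path in the clear, which PCI DSS forbids. The check a merchant’s security team would want is a way to confirm that no primary account numbers (PANs) are visible in cleartext on that path. The following is an added example written for this column, not code from Mogull, Hannaford or any PCI tool: it scans constructed sample authorization log lines (made up for this example) for 13- to 19-digit runs, keeps only those that pass the Luhn check so that terminal IDs and reference numbers are not mistaken for cards, and reports each hit masked so the detector itself never re-exposes the data.

```python
import re

# Constructed sample lines standing in for an authorization-path capture.
# They are made up for this example and are not real merchant traffic.
# Lines 1 and 4 carry valid cleartext PANs (industry test numbers),
# line 3 is properly masked, and line 5 is a 16-digit run that fails Luhn.
SAMPLE_LINES = [
    "2008-03-17 09:12:01 AUTH REQ term=0012345678 pan=4111111111111111 exp=0910 amt=42.17",
    "2008-03-17 09:12:02 AUTH RESP term=0012345678 code=00 ref=88120301",
    "2008-03-17 09:12:05 AUTH REQ term=0012345679 pan=411111******1111 exp=0910 amt=9.99",
    "2008-03-17 09:12:09 AUTH REQ term=0012345680 pan=5500000000000004 exp=1211 amt=15.00",
    "2008-03-17 09:12:11 AUTH REQ term=0012345681 pan=4111111111111112 exp=0910 amt=3.50",
]

# A PAN is 13 to 19 digits; the lookarounds keep us from matching a
# substring of a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep only the first six and last four digits for safe reporting."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(lines):
    """Return (line_number, masked_pan) for every Luhn-valid PAN seen in the clear."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in CANDIDATE.finditer(line):
            if luhn_ok(m.group()):
                hits.append((n, mask(m.group())))
    return hits


if __name__ == "__main__":
    for line_no, masked in find_cleartext_pans(SAMPLE_LINES):
        print(f"line {line_no}: cleartext PAN {masked}")
```

Run against a capture or log export from the segment between the POS terminals and the authorization host, any hit is evidence that card data is leaving the terminal unencrypted; the masked report is what you hand to the compliance team, not the raw capture.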

Security blogger Martin McKeay wrote of a silver lining in the Hannaford’s breach.

“Hannaford does not associate card numbers and expiration dates with the cardholder names and addresses,” he noted. “This in a day when your local grocery store offers you a discount if you’ll just enter your phone number at the PIN pad so they can track every single purchase you make and send you a personalized weekly ad. Most stores would have had card numbers, your home address, the names of all of your relations and possibly the name of your teacher in first grade. Well, maybe not the last one, but they would have every purchase of every embarrassing purchase you’ve ever made.”

The downside to this lack of association between card numbers and cardholder names, he wrote, is that they have no way of knowing who should be contacted in the breach. He said he’s not sure if that will absolve Hannaford’s of having to contact anyone or make it necessary for them to contact all of their customers. They probably haven’t figured that one out yet either, he said.

Good points from both. I’ll end by saying that the big reason Hannaford’s won’t lose me as a customer is because I see them as more of a victim than a villain.

Through my own reporting on PCI DSS compliance I know the company had made investments to bolster the security of its point-of-sale machinery and wireless set-up.

Some are making much of the fact that this breach happened even though Hannaford’s was PCI compliant. Surely, they say, this speaks to the weaknesses of PCI DSS itself. I actually explored that angle in the wake of the TJX breach, and most of the analysts, IT pros and vendors I talked to defended the security standard. After all, it turned out, TJX was nowhere near being where it needed to be for PCI compliance.

Regardless of what one thinks of PCI DSS, it does appear that Hannaford’s was and still is working to improve its security.

But as a police officer once told me after my house was burglarized despite the burglar alarm we had installed, if the thief wants to get in badly enough, they’ll find a way.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.

Japanese spam king arrested

A 25-year-old man in Japan was arrested after an Internet service provider complained to authorities that he was clogging the pipeline with huge amounts of spam.

Police told local media that Yuki Shiina allegedly sent out over 2 billion unsolicited emails. It is believed he bought 600,000 email addresses off the internet for 100,000 yen (US $927) and earned over 2 million yen (US $18,540) through the spam campaign.

Shiina broke Japanese laws by allegedly faking sender information on emails in an attempt to avoid detection.

Will these arrests do any good? Sophos believes so.

The vendor’s evangelist, Graham Cluley, a senior technology consultant, said police are increasingly cracking down on spammers.

“No-one who hears about a single person believed to have sent 2.2 billion spam emails can be in any doubt as to the scale of the problem, and it’s essential for a clear message to be sent out that the police are serious about catching the criminals responsible,” Cluley said in a press release.

Cluley is right that we’re hearing more publicly about spammer arrests. Last May, U.S. investigators arrested Robert Alan Soloway after years of investigations. Some experts said that it could result in a short-term dip in the volume of spam. There was a short-term dip, but it was mainly associated with the summer months.

In November another “Bot Roast” was announced by the FBI. Eight people were arrested and charged in that campaign.

Has spam been reduced? Nope.

Emotions raw over FISA bill

Bill Brenner

The fur has been flying this week over whether Congress should extend the life of a controversial surveillance law or let it expire tonight.

The firestorm surrounding the Foreign Intelligence Surveillance Amendments Act (FISA) is just the latest battleground in a debate that has raged throughout the war on terror — whether the threat of another attack on U.S. soil justifies unfettered government surveillance of most of its citizens in hopes of finding the few evil seeds that hide among us.

As my colleague Dennis Fisher wrote this week, the bill would grant retroactive immunity to telecoms that aided in President Bush’s warrantless wiretapping program. The bill’s passage would effectively prevent the public from ever discovering the details of that program, privacy experts told Dennis. In a follow-up posting in this blog, Dennis noted the increased likelihood that Congress will let the current extension expire tonight rather than try to work out a compromise between separate bills passed by the House and Senate that would extend the legislation for several years.

“Democrats in the House, who are opposed to a provision in the Senate version of the bill that would grant retroactive immunity to telecoms that aided in President Bush’s warrantless wiretapping program, apparently decided simply to not act on the legislation,” he wrote. “Bush and Republican Congressmen ripped the Democrats for their decision, saying that it places the country at greater risk of terrorist attack.”

I must admit I’m torn on the issue. On the one hand, we are in a war where a small band of radicals are hiding in the shadows, bent on unleashing more death and destruction, including the variety where nuclear and biological weapons may be used. There’s a reasonable argument to be made that wiretapping is a necessary evil to catch enemies who play by unconventional rules.

On the other hand, I have no doubt the Bush Administration has used the threat as an excuse to trample on our basic rights, stoking our fear to get public approval. It’s maddening to me when people are duped, by their fear, into giving the government carte blanche to invade any private space it wants in the name of security. That’s what the terrorists want, isn’t it?

Here’s what some bloggers have to say:

Phantom Lady, a conservative FISA bill supporter and keeper of the Frustrated Incorporated blog, ripped at Sen. Hillary Clinton for not showing up to vote on the issue, Sen. Barack Obama for voting against it (though she praised him for at least showing up to vote); and she praised Sen. John McCain for voting for it. In the entry, she uses this nugget from the Rush Limbaugh website:

“Congratulations to Senator McCain. He made sure he was there while fighting off this challenge from Governor Huckabee. He voted to preserve the powers of the intelligence agency in the executive branch to defend and protect this country. Also, hats off to Senator Obama. He showed up. He voted. He voted against it. In so doing, he demonstrated he is not fit to lead this country as commander-in-chief. He has voted against every reasonable authority that has come before him in the form of legislation in terms of intelligence and protecting this country. But at least Obama showed up. At least he voted. At least he told the country he’s incompetent.”

A blogger named Scarecrow took the opposite view in the Firedoglake blog, writing that House Democrats finally said enough and called George Bush’s bluff. “The President had threatened to leave the country in an intelligence blackout if Congress did not accede to his demands for sweeping warrantless surveillance and telecom immunity,” Scarecrow wrote. “But this time, for the first time, Democrats said, “we don’t believe you.” That moment of courage may well define the fall campaign.”

Errington Thompson wrote in the Where’s the Outrage blog that the House has finally stood firm and that it’s confusing as to why the Senate bowed to the White House.

“Mr. Bush’s rhetoric is simply tiresome,” Thompson wrote. “The terrorists this and the terrorist that. Are we so lame that we can’t do anything without trying to figure out what the terrorists will do? Hell, don’t we need to be more worried about our own homegrown crazies?”

I realize this week’s topic runs astray of what I usually set out to do — write about the latest IT security issues and point to blogs where IT pros can go for guidance. But this is a case where telecoms are helping the government in what many consider an invasion of privacy. The reach of the telecoms stretches to practically every enterprise, and that’s where their IT shops face a potential security quandary.

A big part of IT security is about keeping hackers from breaking into company networks and accessing sensitive information. But what do you do when it’s the government breaking in, all in the name of national security?

Please share your thoughts on this one.


Surveillance law likely to expire

It now appears as though the Congress will allow the current extension to the controversial surveillance law to expire on Friday night rather than try to work out a compromise between separate bills passed by the House and Senate that would extend the legislation for several years. Democrats in the House, who are opposed to a provision in the Senate version of the bill that would grant retroactive immunity to telecoms that aided in President Bush’s warrantless wiretapping program, apparently decided simply to not act on the legislation. Bush and Republican Congressmen ripped the Democrats for their decision, saying that it places the country at greater risk of terrorist attack. From The Washington Post:

At a hastily convened press briefing on the South Lawn, Bush said he would delay his planned trip to Africa this weekend if he is needed in the capital to work on or sign a surveillance bill.

“I urge congressional leaders to let the will of the House and the American people prevail and vote on the Senate bill before adjourning for their recess,” Bush said. “Failure to act would harm our ability to monitor new terrorist activities and could re-open dangerous gaps in our intelligence.”

Though the Democrats have decided to leave for a week-long recess, there is still a slight chance that a compromise could be reached by party leaders. But for right now, it looks like the surveillance law is a dead issue.

National threat assessment says U.S. networks are under attack. Really.

The United States’ public and private networks are under constant attack by both foreign governments and other groups, and that trend is likely to continue. That’s the net takeaway of the cybersecurity section of the Annual Threat Assessment of the Director of National Intelligence for the Senate Select Committee on Intelligence, a report issued this week by DNI Michael McConnell. If you’re looking for the cogent analysis in that section, keep looking. McConnell spends less than a page assessing the current threats to the country’s computer networks, and essentially all of the information contained in that assessment is common knowledge anyone who has been paying even a little bit of attention to the security landscape since, say, 1999. To wit:

We assess that nations, including Russia and China, have the technical capabilities to target and disrupt elements of the US information infrastructure and for intelligence collection. Nation states and criminals target our government and private sector information networks to gain competitive advantage in the commercial sector. Terrorist groups—including al-Qa’ida, HAMAS, and Hizballah—have expressed the desire to use cyber means to target the United States. Criminal elements continue to show growing sophistication in technical capability and targeting, and today operate a pervasive, mature on-line service economy in illicit cyber capabilities and services available to anyone willing to pay.

The assessment goes on to say that the government can’t afford to sit back and worry about attacks only after they occur; it needs to stop them from happening in the first place. Not to put too fine a point on it, but isn’t that precisely the job of the national intelligence community, not just with regard to cybersecurity, but in the physical world as well?

Perhaps just as worrisome as this outdated view of information security is the opening section of the report, in which McConnell implores the committee to extend the provisions of the infamous Protect America Act. He uses the classic fear, uncertainty and doubt argument, saying that without an extension of the act’s far-reaching warrantless wiretapping provisions–and the retroactive protections for ISPs that participate in these operations–the intelligence community will be severely hampered.

Expiration of the Act would lead to the loss of important tools the Intelligence Community relies on to discover the plans of our enemies. As reflected in your Committee report, merely extending the PAA without addressing retroactive liability protection for the private sector will likely have far reaching consequences for the Intelligence Community…Over the past several weeks, proposals to modify the Senate Intelligence committee bill have been discussed and I would ask Members to consider the impacts of such proposals on our Nation’s Intelligence Community and its ability to warn leaders of threats to our Homeland and our interests. As my testimony will describe, the threats we face are global, complex, and dangerous; we must have the tools to enable the detection and disruption of terrorist plots and other threats.

In other words, if you mess with our ability to tap communications on domestic networks, very bad things will happen. The problem here is that proponents of this line of thinking have a powerful trump card that they love to play whenever this argument arises. It goes something like this: Since 2001, Congress and the courts have granted the government sweeping new surveillance and wiretapping powers and there haven’t been any more terrorist attacks, so therefore those powers are preventing terrorist attacks. This is as flawed as logic gets, but it’s worked like the Jedi mind trick for several years now, and there’s little chance the government will be abandoning it anytime soon.

Verizon snubs Hollywood’s request to filter pirated content

It’s taken a while, but it seems that someone is finally making some sense in the debate on whether network owners should be trying to stop pirated content from crossing their networks. The folks at Verizon looked at the issue of filtering for copyrighted content and said, No thanks, we’re all set. A company spokesman told The New York Times this week that Verizon found a number of problems with trying to weed out copyrighted content, including infringing on the privacy of its customers and the “slippery slope” that could result in other third parties expecting the company to start filtering out pornography, offshore gambling traffic, etc. Tom Tauke, Verizon’s VP of public affairs also said this:

When you look back at the history of copyright legislation, there has been an effort by Hollywood to pin the liability for copyright violations on the network that transmits the material. It is no secret they think we have deeper pockets than others and we are easy-to-find targets.

Good for Verizon.

There are any number of reasons that Verizon, AT&T and other network operators should not be looking for copyrighted content on their networks, and Tauke is right on with his description of the hazards this misguided idea presents. It is the responsibility of the copyright holders themselves–not the network owners, ISPs or anyone else–to find people who infringe on their copyrights and enforce those rights. Demanding that network operators do this for them smacks of intimidation and laziness on the part of the Hollywood big shots. It also shows a fundamental lack of understanding of the problem.

The epidemic of illegal file-sharing is no more the fault of the network operators than it is of the PC manufacturers. Sure, both of their products are used in the process, but the ultimate responsibility lies with the individual who is downloading pirated material. The executives at the record labels and movie studios understand this, of course, but they’ve had precious little success going after individual file-sharers, and even when they do get someone to settle, it’s for a relatively small dollar amount. So they take a look around and see who in this pipeline has the most resources, and their gaze inevitably settles on the network operators. At least one operator, AT&T, has shown a willingness to filter out copyrighted content, but thankfully Verizon and the other large telecoms have so far resisted the pressure from Hollywood.

I’m not naive enough to think that Verizon is doing this solely out of some altruistic concern for its customers’ privacy. The kind of filtering it would take to look for pirated content would cost the company a lot of money and also likely would cost Verizon customers. So there’s plenty of self-interest at work here. But the company deserves credit for not laying down for the studios and record labels on this.

Why StopBadware.org hates RealPlayer

Here’s something that didn’t surprise me in the least: Stopbadware.org has added the immensely popular RealPlayer to its hit list of misbehaving apps.

The group’s problem is that RealNetworks doesn’t sufficiently disclose that its media player is bundled with adware programs.

Here are the details from the Stopbadware.org blog:

“RealPlayer 10.5 and RealPlayer 11, both of which are distributed widely, both violate our badware guidelines, but in different ways. RealPlayer 10.5 is badware because it doesn’t tell the user that its “Message Center” feature will pop up ads from the system tray if the user doesn’t register the application. RealPlayer 11 is badware because it installs the Rhapsody Player Engine without notifying the user. When the user uninstalls RealPlayer, Rhapsody Player Engine is left behind, unless the user also knows to uninstall it separately.”

To RealNetworks’ credit, the company seems to be taking its medicine on this one.

Stopbadware.org says RealNetworks has been upfront about these tactics and acknowledged that it was a mistake on their part to not offer to uninstall Rhapsody Player Engine when uninstalling RealPlayer 11.

“We expect that the next version of RealPlayer will correct the issue and provide better disclosure, and we encourage RealNetworks to work with their downstream partners to ensure that older versions are replaced by the new version,” Stopbadware.org says.

ChoicePoint saga comes to a close

Remember ChoicePoint? Four years ago the data broker kicked off what became a years-long deluge of enterprise data breaches by allowing more than 160,000 customer records to be stolen. It seems like small potatoes today, but back in 2005 things were so bleak that ChoicePoint landed at the top of our 2005 IT winners and losers year-in-review column. Hint: it wasn’t a winner.

Today, things are looking up for ChoicePoint, at least in part. This follows word that ChoicePoint has settled a class-action lawsuit over the theft, agreeing to fork over $10 million to make it go away. I’m not a math genius, but 10 million divided by 160,000 or so (minus legal costs) doesn’t seem like a very satisfying outcome for the victims.

Adding insult to injury, the SEC has decided against pursuing legal action against CEO Derek Smith and COO Doug Curling, who together pocketed more than $16 million in profit by selling ChoicePoint stock after the company found out about the data breach — but before word of the breach was disclosed to the public.

So as the story closes, victims get enough scratch for a few cups of coffee at Starbucks, and rich executives ride off into the sunset. Hmmm, Hollywood might want to rewrite the ending to this one.

Top 5 security stories of 2007? You tell us

It’s that time of year where we in the news business love to make lists of the top news stories of the year. I’ve drawn up a Top 5 list of my own for your amusement, but admit that my judgment could be off. And so I ask you, the reader, to look over my list and tell me if there’s anything you would add or take away. I’ll work your feedback into our final Top 5 story.

My list:

5.) Problems slow the deployment of Windows Vista

IT professionals struggled mightily to make sense of Microsoft’s Windows Vista, but compatibility problems slowed enterprise-wide deployments to a crawl.

4.) Security of the iPhone in doubt

Apple’s iPhone — the year’s most hyped piece of technology — quickly gained the attention of hackers eager to find security weaknesses. It didn’t take them long to find something.

3.) The pain of PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) got plenty of attention as the list of data breaches grew and compliance deadlines approached. By year’s end many were still struggling to meet all of PCI DSS’s requirements, but that didn’t stop some experts from insisting on even tougher provisions.

2.) Malware takes cyberspace by Storm

When Storm was first discovered in January, it looked like another typical worm outbreak. But Storm kept spreading throughout 2007 and it soon became clear that the malware was the creation of sophisticated botnet builders. By year’s end, it was continuing to spread in the form of smaller, more customized botnets capable of launching a variety of attacks.

1.) TJX data breach exposes 94 million records

TJX acknowledged a massive data breach in January that ultimately exposed more than 94 million records to online fraud. To date, it is the biggest systems breach in history.