Security Bytes - A SearchSecurity.com blog



The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

RSA 2008: Verizon, AT&T tout security at RSA (Part 2)

In the conclusion of this two-part video series, Information Security magazine Senior Technology Editor Neil Roiter explores security services in the U.S. telecom market. In an interview at RSA Conference 2008, Stan Quintana, vice president of AT&T Security Services discusses the company’s strategy. He talks about what makes carriers qualified to offer security services and some of the challenges facing the industry.

LoJack on steroids for the laptop

Technology blog Engadget is reporting that Intel is about to debut LoJack-like technology for laptops. Few details are available about the technology. Ars Technica had the original post on the subject. Let’s hope it does more than track down a lost notebook. It’s either got to have functionality to brick a laptop, erasing all data, or make the data completely useless to thieves. Ars said the technology would prevent the laptop from booting. Lenovo, Fujitsu, Phoenix, and McAfee are partnering with Intel on the technology.

By the way, LoJack currently licenses out technology to track down laptops in the event of theft. Dell sells the protection in a line of laptops for businesses. The software is available on some sites for about $90.

Hannaford and the industrial compliance complex

Bill Brenner

This week’s headline may not fit perfectly with the analogy I had in mind yesterday, but I’m running with it anyway because all week I’ve been thinking of what the lessons are regarding the recent data security breach at Hannaford’s supermarkets.

The biggest lesson was eloquently explained in a column by my colleague Dennis Fisher, in which he cites the decline in emphasis on security in favor of a sometimes maniacal focus on compliance with various standards and regulations that has created a climate where passing an audit or satisfying a regulator is deemed more important than actually doing what’s necessary to protect critical assets.

There are plenty of vendors out there who link the use of their products to both compliance and security, and I’ve spoken to many a public relations flak who talks about the two as if they are the same thing. As Dennis points out, they are not the same thing. True, a lot of the work that’s required for the sake of compliance can improve enterprise security. But security is about so much more than buying a bunch of technological tools on some assessor’s checklist and plugging them in.

Being a history geek, I always find myself looking for historical references to match up with the things we’re writing about, and this case reminded me of the farewell speech President Eisenhower gave a few days before leaving office in 1961 in which he warned of the military industrial complex.

Now, I know you’re waiting for the big analogy, and in the end there isn’t much of one to make. The military industrial complex is something far different than the compliance complex I see today. But I do see a few similarities worth mentioning.

Ike warned that as the U.S. fought the Cold War, it needed to “guard against the acquisition of unwarranted influence…by the military-industrial complex,” which included members of Congress from districts dependent on military industries, the Department of Defense and privately owned military contractors like Boeing, Lockheed Martin, and Northrop Grumman. Ike feared that the military-industrial complex inspired policies that might not be in the country’s best interest, and he feared that its growing influence, if left unchecked, could undermine American democracy [see more detailed description from Encyclopedia Britannica].

I’m not trying to suggest that compliance vendors are trying to influence the course of American policy. As I admitted earlier, this is an imperfect analogy.  But I do believe there’s a danger of individual businesses being influenced by a compliance complex in which execs desperate to pass the compliance test fall under the spell of vendors promising that their tools will not only help them pass the test but keep them secure. In the end, some make decisions that are not in the best interests of the company’s security program. In other cases, the technology purchased does its job well but the company fails to implement a bunch of other security measures technology alone can’t address — because the vendor or assessor assured them that investing in their product would be all that’s needed.

The Hannaford breach has sent shockwaves through the retail world because it turns out the company had achieved PCI DSS compliance. Many were stunned to see a living example of a compromised business that spent a lot of money on compliance products and thought they were secure.

The silver lining around the Hannaford breach may be that other companies are broken of the compliance complex. Dennis does a good job of mapping out what security is really about, but I leave you with some blog chatter from security experts who make similar points this week:

Burton Group analyst Randall Gamby writes in his company blog that PCI DSS and the work of complying with it has achieved a false sense of security in many corners.

“I’m not saying PCI isn’t important, after all this breach may have never been found if PCI measures weren’t put in place, but enterprises have to look beyond the task of being compliant and take whatever additional steps may be needed to secure their data against breaches,” he writes.

Security management expert Mike Rothman makes the point more bluntly in his Daily Incite blog: “If security professionals think that an audit makes them secure, they are idiots.”

Rothman goes on to say compliance does not equal security. Maybe it makes the senior folks sleep a little better, he writes, “but they’d be dumb, too.” Anyone in a position of power needs to understand about risk and containing risk, he says.

I’m probably going to get a bunch of emails telling me how stupid my analogy is, and one of them might even come from Mike. But instead I’m hoping to hear what readers have to say about the points he and others are making.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.

The data breach that hit home

Bill Brenner

Covering the security breach at Hannaford Bros. Supermarkets this week was a particularly interesting experience for me. Unlike the other breaches I’ve written about, this one really hit me where I live.

Of course, the bank did send me a new debit card after my old one was compromised in the TJX data breach, but that’s only because of one purchase I made there during the period when the data raids were in progress.

I shop at Hannaford’s every week. Even though there are several supermarkets closer to home, I’ve been making the longer trek to the store in Hampstead, N.H., because I found the prices and food quality better than the others. Despite the breach, I won’t stop shopping there. My bank was quick to issue me a new card and I think the retailer will do what’s necessary to prevent a repeat. Of course, the company will lose a lot of money to fines and lawsuits in the meantime.

Of course, after any data breach it’s important to explore how it happened and what the affected company could have done better from the outset, and Hannaford’s is no exception.

I found plenty of security bloggers doing just that. Here’s some wisdom from two blogs high on my favorites list:

Rich Mogull, former Gartner analyst and founder of security consultancy Securosis, wrote in his blog that since the information was stolen during the authorization process and was distributed over many locations, a compromise of the central authorizations system or the credit card processor is the likely source. “It could be as simple as sniffing unencrypted communications, or a more complex compromise of a database or application,” he said. “My money is 70% on sniffing, 30% on something in the database.”

Of Hannaford’s claim that no personal data such as names, addresses or telephone numbers were divulged — just account numbers, Mogull wrote, “This can’t be true. Without names, the card numbers are unusable.”

Mogull also used Hannaford’s PCI DSS compliance as an example of how he believes “PCI is worthless” if the chain was allowed to be ruled compliant in the first place.

“The fraud was detected by the banks or credit card companies, then it took a little under two weeks to contain,” he wrote. “Not great, and indicative of either a little sophistication on the attacker’s part, or a lack of sophistication on Hannaford’s part. How to prevent this? We won’t know until more information is out, but since they shouldn’t be PCI compliant if they transmitted credit card numbers in the clear, perhaps my guess of sniffing is off. I’m still laying odds on that, and if so, encryption is the answer.”

Security blogger Martin McKeay wrote of a silver lining in the Hannaford’s breach.

“Hannaford does not associate card numbers and expiration dates with the cardholder names and addresses,” he noted. “This in a day when your local grocery store offers you a discount if you’ll just enter your phone number at the PIN pad so they can track every single purchase you make and send you a personalized weekly ad. Most stores would have had card numbers, your home address, the names of all of your relations and possibly the name of your teacher in first grade. Well, maybe not the last one, but they would have every purchase of every embarrassing purchase you’ve ever made.”

The downside to this lack of association between card numbers and cardholder names, he wrote, is that they have no way of knowing who should be contacted in the breach. He said he’s not sure if that will absolve Hannaford’s of having to contact anyone or make it necessary for them to contact all of their customers. They probably haven’t figured that one out yet either, he said.

Good points from both. I’ll end by saying that the big reason Hannaford’s won’t lose me as a customer is because I see them as more of a victim than a villain.

Through my own reporting on PCI DSS compliance I know the company had made investments to bolster the security of its point-of-sale machinery and wireless set-up.

Some are making much of the fact that this breach happened even though Hannaford’s was PCI compliant. Surely, they say, this speaks to the weaknesses of PCI DSS itself. I actually explored that angle in the wake of the TJX breach, and most of the analysts, IT pros and vendors I talked to defended the security standard. After all, it turned out, TJX was nowhere near being where it needed to be for PCI compliance.

Regardless of what one thinks of PCI DSS, it does appear that Hannaford’s was and still is working to improve its security.

But as a police officer once told me after my house was burglarized despite the burglar alarm we had installed, if the thief wants to get in badly enough, they’ll find a way.


Report: 8,700-plus FTP account credentials in hackers’ hands

Finjan released an interesting report today about a database it uncovered with more than 8,700 harvested FTP account credentials — including username, password and server address — that are apparently in the hands of the digital underground.

The vendor says these stolen credentials allow the bad guys to inject crimeware into servers and in turn infect end users. Stolen accounts include those of Fortune-level global companies in a wide range of industries such as manufacturing, telecom, media, online retail, IT and government agencies. The stolen FTP accounts include some of the world’s top 100 domains as ranked by Alexa.com.

“Software-as-a-Service has been evolving for some time, but until now, it has been applied only to legitimate applications. With this new trading application, cybercriminals have an instant ‘solution’ to their ‘problem’ of gaining access to FTP credentials and thus infecting both the legitimate websites and its unsuspecting visitors. All of this can be easily achieved with just one push of a button,” Finjan CTO Yuval Ben-Itzhak said in a press release.

Emotions raw over FISA bill

Bill Brenner

The fur has been flying this week over whether Congress should extend the life of a controversial surveillance law or let it expire tonight.

The firestorm surrounding the Foreign Intelligence Surveillance Amendments Act (FISA) is just the latest battleground in a debate that has raged throughout the war on terror — whether the threat of another attack on U.S. soil justifies unfettered government surveillance of most of its citizens in hopes of finding the few evil seeds that hide among us.

As my colleague Dennis Fisher wrote this week, the bill would grant retroactive immunity to telecoms that aided in President Bush’s warrantless wiretapping program. The bill’s passage would effectively prevent the public from ever discovering the details of that program, privacy experts told Dennis. In a follow-up posting in this blog, Dennis noted the increased likelihood that Congress will let the current extension expire tonight rather than try to work out a compromise between separate bills passed by the House and Senate that would extend the legislation for several years.

“Democrats in the House, who are opposed to a provision in the Senate version of the bill that would grant retroactive immunity to telecoms that aided in President Bush’s warrantless wiretapping program, apparently decided simply to not act on the legislation,” he wrote. “Bush and Republican Congressmen ripped the Democrats for their decision, saying that it places the country at greater risk of terrorist attack.”

I must admit I’m torn on the issue. On the one hand, we are in a war where a small band of radicals are hiding in the shadows, bent on unleashing more death and destruction, including the variety where nuclear and biological weapons may be used. There’s a reasonable argument to be made that wiretapping is a necessary evil to catch enemies who play by unconventional rules.

On the other hand, I have no doubt the Bush Administration has used the threat as an excuse to trample on our basic rights, stoking our fear to get public approval. It’s maddening to me when people are duped, by their fear, into giving the government carte blanche to invade any private space it wants in the name of security. That’s what the terrorists want, isn’t it?

Here’s what some bloggers have to say:

Phantom Lady, a conservative FISA bill supporter and keeper of the Frustrated Incorporated blog, ripped at Sen. Hillary Clinton for not showing up to vote on the issue, Sen. Barack Obama for voting against it (though she praised him for at least showing up to vote); and she praised Sen. John McCain for voting for it. In the entry, she uses this nugget from the Rush Limbaugh website:

“Congratulations to Senator McCain. He made sure he was there while fighting off this challenge from Governor Huckabee. He voted to preserve the powers of the intelligence agency in the executive branch to defend and protect this country. Also, hats off to Senator Obama. He showed up. He voted. He voted against it. In so doing, he demonstrated he is not fit to lead this country as commander-in-chief. He has voted against every reasonable authority that has come before him in the form of legislation in terms of intelligence and protecting this country. But at least Obama showed up. At least he voted. At least he told the country he’s incompetent.”

A blogger named Scarecrow took the opposite view in the Firedoglake blog, writing that House Democrats finally said enough and called George Bush’s bluff. “The President had threatened to leave the country in an intelligence blackout if Congress did not accede to his demands for sweeping warrantless surveillance and telecom immunity,” Scarecrow wrote. “But this time, for the first time, Democrats said, “we don’t believe you.” That moment of courage may well define the fall campaign.”

Errington Thompson wrote in the Where’s the Outrage blog that the House has finally stood firm and that it’s confusing as to why the Senate bowed to the White House.

“Mr. Bush’s rhetoric is simply tiresome,” Thompson wrote. “The terrorists this and the terrorist that. Are we so lame that we can’t do anything without trying to figure out what the terrorists will do? Hell, don’t we need to be more worried about our own homegrown crazies?”

I realize this week’s topic runs astray of what I usually set out to do — write about the latest IT security issues and point to blogs where IT pros can go for guidance. But this is a case where telecoms are helping the government in what many consider an invasion of privacy. The reach of the telecoms stretches to practically every enterprise, and that’s where their IT shops face a potential security quandary.

A big part of IT security is about keeping hackers from breaking into company networks and accessing sensitive information. But what do you do when it’s the government breaking in, all in the name of national security?

Please share your thoughts on this one.


Verizon snubs Hollywood’s request to filter pirated content

It’s taken a while, but it seems that someone is finally making some sense in the debate on whether network owners should be trying to stop pirated content from crossing their networks. The folks at Verizon looked at the issue of filtering for copyrighted content and said, No thanks, we’re all set. A company spokesman told The New York Times this week that Verizon found a number of problems with trying to weed out copyrighted content, including infringing on the privacy of its customers and the “slippery slope” that could result in other third parties expecting the company to start filtering out pornography, offshore gambling traffic, etc. Tom Tauke, Verizon’s VP of public affairs also said this:

When you look back at the history of copyright legislation, there has been an effort by Hollywood to pin the liability for copyright violations on the network that transmits the material. It is no secret they think we have deeper pockets than others and we are easy-to-find targets.

Good for Verizon.

There are any number of reasons that Verizon, AT&T and other network operators should not be looking for copyrighted content on their networks, and Tauke is right on with his description of the hazards this misguided idea presents. It is the responsibility of the copyright holders themselves, not the network owners, ISPs or anyone else, to find people who infringe on their copyrights and enforce those rights. Demanding that network operators do this for them smacks of intimidation and laziness on the part of the Hollywood big shots. It also shows a fundamental lack of understanding of the problem.

The epidemic of illegal file-sharing is no more the fault of the network operators than it is of the PC manufacturers. Sure, both of their products are used in the process, but the ultimate responsibility lies with the individual who is downloading pirated material. The executives at the record labels and movie studios understand this, of course, but they’ve had precious little success going after individual file-sharers, and even when they do get someone to settle, it’s for a relatively small dollar amount. So they take a look around and see who in this pipeline has the most resources, and their gaze inevitably settles on the network operators. At least one operator, AT&T, has shown a willingness to filter out copyrighted content, but thankfully Verizon and the other large telecoms have so far resisted the pressure from Hollywood.

I’m not naive enough to think that Verizon is doing this solely out of some altruistic concern for its customers’ privacy. The kind of filtering it would take to look for pirated content would cost the company a lot of money and also likely would cost Verizon customers. So there’s plenty of self-interest at work here. But the company deserves credit for not laying down for the studios and record labels on this.

Happy Valentine’s Day from the Storm Trojan

Valentine’s Day isn’t for another month, but that’s not stopping controllers of the Storm Trojan from using the holiday theme to trick users into downloading the malware.

A posting on the SANS Internet Storm Center Web site describes another wave of Storm emails with a subject designed to catch the recipient’s attention and an email body with a URL consisting of only an IP address. Once a user visits the Web site he is “served with a nice web page and a link to download an executable,” the ISC says — the same trick used in previous attacks. The user will see something like this:

[Screenshot: Valentine-themed Storm email]

The advice here is the same as always: Don’t click on URLs and email attachments from sources you don’t know and trust.
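As an added illustration (not code from the ISC post or from this blog), here is a small Python triage routine that applies the indicator described above: it flags messages whose body links to a URL whose host is a bare IP address, and notes when that link points at an executable download. The sample messages are constructed and use documentation IP ranges; they are not real Storm samples.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample messages (documentation IP ranges, not real Storm samples).
SAMPLE_MESSAGES = [
    {"subject": "Valentine's Day Surprise",
     "body": "See my card for you: http://192.0.2.44/."},
    {"subject": "Weekly newsletter",
     "body": "Read more at https://www.example.com/news/valentine"},
    {"subject": "You have a new greeting",
     "body": "http://198.51.100.7:8080/valentine.exe is waiting"},
    {"subject": "Meeting notes",
     "body": "No links here."},
]

# Matches http/https URLs up to the next whitespace or angle bracket/quote.
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)

# File extensions that indicate a direct executable download.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat")


def extract_urls(text):
    """Return URLs found in free text, with trailing sentence punctuation removed."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def host_is_ip_literal(url):
    """True when the URL's host is a bare IPv4/IPv6 literal rather than a hostname."""
    try:
        host = urlparse(url).hostname
    except ValueError:
        return False
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def points_at_executable(url):
    """True when the URL path ends in a typical executable extension."""
    path = urlparse(url).path.lower()
    return path.endswith(EXECUTABLE_SUFFIXES)


def flag_bare_ip_urls(message):
    """Return the body URLs whose host is an IP literal (the Storm indicator)."""
    return [u for u in extract_urls(message["body"]) if host_is_ip_literal(u)]


def triage(messages):
    """Return (subject, flagged_urls, executable_link) for each suspicious message.

    executable_link is True when at least one flagged URL points at an executable.
    """
    results = []
    for m in messages:
        flagged = flag_bare_ip_urls(m)
        if flagged:
            results.append((m["subject"], flagged,
                            any(points_at_executable(u) for u in flagged)))
    return results


if __name__ == "__main__":
    for subject, urls, is_exe in triage(SAMPLE_MESSAGES):
        print(f"SUSPICIOUS: {subject!r} -> {urls} executable={is_exe}")
```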

Why is Sears tracking users’ Internet activity?

It seems that Sears, which sells just about everything under the sun, has decided to get into the spyware business too. The retail giant recently has come under fire from a researcher at CA who discovered that Sears’ Web site installs a nifty piece of tracking software developed by ComScore on the machines of some people who join the company’s My SHC community. The researcher, Benjamin Googins, describes in great detail on CA’s security blog exactly what the software does, how little notice Sears.com gives users about the program’s capabilities and how much data it collects.

Here is a summary of what the software does and how it is used. The proxy:

1. Monitors and transmits a copy of all Internet traffic going from and coming to the compromised system.
2. Monitors secure sessions (websites beginning with ‘https’), which may include shopping or banking sites.
3. Records and transmits “the pace and style with which you enter information online…”
4. Parses the header section of personal emails.
5. May combine any data intercepted with additional information like “select credit bureau information” and other sources like “consumer preference reporting companies or credit reporting agencies”.

In addition, My SHC Community requires a variety of personal information during registration - like name, email, address, city, state, and age. All of this information can be correlated with intercepted data to create a comprehensive profile.

Sounds a whole lot like spyware, no? Googins thought so, and even details which portions of CA’s Anti-Spyware Scorecard the software violates. A company VP responded to Googins by saying that the software is part of an initiative at Sears “to improve our customers’ Internet experience and help guide the future development of Community.” Users must be invited to participate in the program and, the Sears spokesman argues, “My SHC Community goes to great lengths to describe the tracking aspect for those members who receive an invitation. Clear notice appears in the invitation. It also appears on the first signup page, in the privacy policy and user licensing agreement.”

Googins responded in turn by essentially taking apart Sears’ arguments piece by piece and showing screenshots of the signup process on the Web site and the consent notice, such as it is. Bad, right? It gets worse. The CA posting caught the attention of Benjamin Edelman, an assistant professor at Harvard Business School who specializes in spyware and its revenue models. He did his own analysis of the Sears software and installation process and came to the same conclusion that Googins did: “Sears’ claims of adequate notice are demonstrably false. The SHC/ComScore violation could hardly be simpler. The FTC requires that software makers and distributors provide clear, prominent, unavoidable notice of the key terms. SHC’s installation of ComScore did nothing of the kind.”

How this differs from the tactics that companies such as DirectRevenue and others have been using for years is unclear to me. This is not 1999 and it’s implausible for any company of the size and sophistication of Sears to claim that this is all a simple misunderstanding. Without clear notice of the software’s capabilities and disclosure of what the collected data will be used for, this is spyware, plain and simple.

Where to find the best IT security news roundups

Bill Brenner

A couple weeks ago at the monthly meeting of the National Information Security Group (NAISG) in Waltham, Mass., I gave a couple of PowerPoint presentations when the scheduled speaker hit some travel snags and couldn’t make it. I’m on the NAISG board of directors and it was my turn to take one for the team.

One of the presentations was about how SearchSecurity.com and Information Security magazine are focused like the proverbial laser beam on the security challenges of IT professionals. My goal was to make the point that it’s crucial for us to talk to IT admins on a regular basis to get the best sense of what their challenges are and what kind of information we can put in our stories to help them do their jobs better.

Whenever I finish this presentation and start taking questions from the audience, the conversation always shifts to which Web sites and blogs I visit each day to find the latest news and analysis. The vast majority of what I look at each day is more in the form of technical advisories and security dashboards fitted with the various threat level boxes kept by Symantec, IBM ISS and many other security vendors.

But the blogosphere is becoming an increasingly important source of news and analysis, and while I wouldn’t think of giving away all of my source material, I think it’s useful for me to flag some blogs you can all get some use from. Some are straight roundups of the news of the day, others are more opinionated summaries of the news and then there are blogs offering a bit of both.

And so here is a list of some blogs that have become favorite stopping points during my so-called morning scan, the daily ritual where I fire up the laptop at 5 a.m., coffee in hand, and browse cyberspace in search of breaking news that may require our fast attention:

Liquidmatrix: This is the site of IT security professional Dave Lewis, where he offers, among other things, a daily “Security Briefing” of whatever the big news of the morning may be. It’s set up to read like a scan of the morning newspapers.

The Daily Incite: This is another daily morning roundup — but with a heavier dose of attitude and analysis — from Mike Rothman, president and principal analyst of Security Incite. Once in awhile Mike will take issue with something written by me or one of my colleagues, but he offers a lot of fair analysis on the daily news that can be helpful when you’re trying to make quick sense of whatever has just happened.

Donna’s Security Flash: She keeps meticulous track of daily news items, summarizing and linking to various news stories of note.

The Breach Blog: This one reads like the typical advisory for software vulnerabilities, only the focus is on the latest reported data security breaches. Entries include the date an incident is reported, how many people affected and a summary of what specifically happened.

Techdirt: OK, this blog isn’t security-specific. It’s more of a wide-angle overview of technology news. But they include a ton of security news, helpful links and attitude that makes for interesting reading.

PogoWasRight.org: This is another daily roundup of security breaches and other privacy-related news such as legislative developments, linking to various news stories around the Web. One of the most impressive aspects of this blog is how up to date it is. You’ll usually find fresh data breach reports milliseconds after the news has broken.

Happy reading!
