March 17, 2007 - 12:21 P.M.
Woohoo! This is going to be fun. Hackers gear up for month of MySpace bugs. Mondo Armando and Müstaschio are going to be hacking away on MySpace next month and publishing security vulnerabilities. I am very interested in seeing the results of their quest, but what does "monoculture-style danger of extremely popular Web sites" mean?
One definition says, "monoculture is defined as where everyone is wearing, doing, seeing, reading, watching and thinking the same thing". Okay, that is kind of scary. Several of my children are MySpacers. They blog daily. They chat with friends. If they wonder what an old friend is up to, they search MySpace. They generally find the old friend. MySpace is an amazing networking site.
March 12, 2007 - 9:10 P.M.
Don Tennant just hits it home over and over. Read his recent article entitled "Do the Right Thing". Don interviewed four very important CIOs at Computerworld's Premier 100 IT Leaders Conference last week.
My favorite quote from the article is "he refused to allow a tempestuous political climate to cloud his vision for what he felt he needed to accomplish." That was Clark Kelso, CIO of the state of California speaking. Wow. Can you imagine being responsible for IT for the State of California? No thank you. Give me a little state any day of the week - big fish, little pond.
I was so inspired by Don's interviews that I am going to have to write my own little column on how politics impact not just IT, but Security. With the advent of a new governor and new IT Director, our little state is going through drama-trauma. Fortunately, the CISO's job didn't get cut and he has his head screwed on, so to speak. It is absolutely amazing how politics gets in the way of doing the right thing. It takes a very strong person to withstand political pressure in a non-career limiting way. Is that even possible? It's a shame when you have to give up your job for what you believe in. But doing the right thing requires that risk. You have to stand up for what's right no matter what the cost.
March 9, 2007 - 4:54 P.M.
I heard on the news this morning something about Google's founders getting close to being richer than Bill Gates. Is money the root or the root of all evil? I don't know.
I read this recent piece by Preston Gralla, Seven ways to keep your search history private. I am interested in keeping my searches private from any big enterprise that could correlate my searches to me personally. It's kind of like the big grocery store chains that give you a shopping card to track your purchases in order to market to you personally. I don't mind the marketing as much as I mind that everything on my grocery list is in a database attached to my name. A database that can be compromised. I don't like it that anyone can compile data on me about my personal preferences, habits, or interests. It's just an invasion of privacy. The same feelings apply to the big search engines selling my information (searches) to marketing types.
March 7, 2007 - 7:35 P.M.
Come Monday we will know if the patches took. Seriously, we are not worried about the network gear or server operating systems, or desktops, phone system or email system. We are worried about the outsourced applications. We have the vendor's word that they have addressed the issue. Only time will tell.
March 6, 2007 - 9:20 A.M.
I read this article and I just laughed out loud, even though this is not a laughing matter. This is more common than you think. Texas counties illegally posting Social Security numbers online, AG says. Our social security numbers have been compromised so many times that I vote for getting rid of them altogether.
In state and county government, there exists a myriad of public records and, up until recently, these records contained social security numbers. Most states have passed laws that forbid the practice of using social security numbers on public records. I think the way this evolved, and I'm only guessing, is that there was a mad rush to make information available to the public. Agencies began putting information on their websites and security was an afterthought.
March 5, 2007 - 9:43 A.M.
It seems that I have been busy trying to manage my personal life rather than my professional life as of late. First it was the bank account that was supposedly compromised and not finding out from the bank until a week or so later. (Okay, how hard would it have been for the bank to give me a call? Instead I received a letter over a week later.) The bank froze my account and of course all those automated "bill pay" payments bounced, one right after another. It happened to be at the beginning of the month when I sent out a slew of payments.
February 7, 2007 - 5:49 P.M.
This is one of my favorite topics: IT people having total access to the network. Study notes link between IT sabotage, work behavior is a great reminder that even Systems and Network Administrators should only have access on a "need to know" basis. "...86% of those who committed cybercrimes held technical positions and 90% had system administrator or privileged system access."
February 5, 2007 - 7:52 P.M.
I hope MIT, Harvard, et al, don't mind me using their play on words. Jeremy Kirk's article "Study: Users ignore bank security features" points us to the actual study entitled "The Emperor's New Security Indicators". This is a working paper that has been accepted at the 2007 IEEE Symposium on Security and Privacy, May 20-23, 2007, Oakland, California, USA.
January 29, 2007 - 3:22 P.M.
Spotting System Intrusions a Big Challenge for IT tells it like it is. When you read about how data security breaches are discovered after the fact, you might have a tendency to shake your head and wonder what idiot is responsible. It's just not that simple. There is no one idiot responsible. There are complex reasons why intrusions and data security breaches occur undetected. Be thankful you discover them and plug the holes.
January 23, 2007 - 8:14 P.M.
It's really been bugging me lately that our personal information is so easily accessible. We recently had another "almost security incident", and I say almost because we discovered the mistake immediately, rather than someone else discovering it and plastering it across the front page of our local newspaper.
I work for a state agency and things aren't so high-tech in some areas. Many state agencies provide information via their websites and with a simple login and password, constituents can obtain a variety of information about themselves or their possessions, depending upon the topic at hand. I cringe at the lack of security.
January 22, 2007 - 6:00 P.M.
Check this out. CyberCrooks do a client side attack, gaining the logins and passwords of bank customers, and get away with $1.1M.
It's the last paragraph of the story that gets me. "Nordea has refunded money to all 250 victims, according to a BBC report."
Let me back up. According to the story, it sounds like the crooks targeted a particular bank's customers and sent them an email with a specially crafted Trojan attached. The message made it sound like the attachment was a "spam-fighting tool". Oh man. I can just hear the clicking. Everyone wants to get rid of spam, right?
January 18, 2007 - 7:15 P.M.
I'd like to reference Eric Ogren's blog on the topic "Are all these compliance regulations productive?" I quote, "Even though these regulations are reasonably precise about security requirements, the lack of enforcement has led to the lack of investment."
I don't think that's why there's a lack of investment. It's not the lack of enforcement. It's the lack of vendor solutions that fully understand the business needs.
January 17, 2007 - 1:04 P.M.
I want to take a moment to reinforce the major points of this article by Deb Radcliff, "The Surprising Security Threat: Your Printers". Many years ago when I managed security for a financial firm, the company decided to remove the existing networked printers and replace them with multi-function devices. Multi-function devices can print, staple, collate, copy, scan, and send email. They have hard drives and operating systems. The security department refused to sanction the email capability.
January 15, 2007 - 6:31 P.M.
I just read this excellent article by Mary Brandel, "Swimming in the Global Talent Pool". Mary is an excellent researcher and writer. I always enjoy her articles. Let me explain how she piqued my interest and how I related that to security. Bear with me, the thoughts that follow are completely opposite of the intent of Mary's article. My thoughts are dark.
As I read, I began to become anxious. All this talk about "global" this and "global" that made me realize once again that we are living in a global economy and we cannot stick our heads in the sand like ostriches. We cannot escape it. Why does this make me jittery? Why do I give a hoot about programming talent coming out of India?
January 10, 2007 - 7:21 P.M.
Don't get too excited when you read the Washington Post story about Microsoft working with the National Security Agency on Vista security. I don't think the NSA actually has the time or desire to create an operating system backdoor so it can spy on citizens, which is somewhat inferred here.