The SC Magazine Newsteam Blog

Time to look inward instead of threatening legal action

News this week that Juniper Networks had pulled Barnaby Jack’s planned Black Hat presentation and demo on ATM software vulnerabilities was met with dismay by the security community.

Is anyone else tired of this already? It seems not a year passes when a researcher isn’t threatened with a lawsuit for plans to expose flaws in a particular technology. (This one probably struck most people harder than others because Jack actually planned to wheel an ATM on stage and make it spew out twenties).

I know that if the craps table had been mean to me the night before — everyone else always seems to have the luck — I would’ve been running for the cash and worried about getting quotes later.

All kidding aside, I just wish this “responsible disclosure” debate was sorted out already by the courts so we wouldn’t have these same issues year after year. Wouldn’t it be easier if, say, there was a Nevada law that required researchers to supply affected vendors with X number of days notice prior to presenting flaw findings? And if they didn’t have the problem fixed by then, then it’s game on?

Because, as it stands now, it sounds as if companies such as Juniper, where Jack works, immediately cave to any semblance of resistance from the affected technology manufacturer.

ISS, IOActive, they’ve all done it in recent years.

Researcher Alexander Sotirov suggests that this epidemic of nixed presentations likely can be blamed on overly sensitive researchers’ employers. He tweeted on Tuesday:

Barnaby should quit Juniper and join me in being an independent consultant. The corporate environment stifles interesting security research.

For me, I think the right answer is telling these software and hardware makers to build their products securely from the start, so smart researchers like Jack can’t figure out a way to exploit them.

At the minimum, vendors should get their act together to issue a patch in time for the researcher to present his or her findings. That’s the least they can do for someone who likely saved them a fortune before the bad guys figured out the security hole.

A change in mindset has arrived

News late last week that Jeff Moss was appointed as one of 16 fresh faces to the U.S. Department of Homeland Security Advisory Council didn’t quite draw the same amount of attention as President Obama’s cybersecurity speech did a few days earlier.

But it should have.

You see, Jeff Moss is a hacker. He still is widely known by his online alias Dark Tangent.

A hacker being named to a government advisory role? It can’t be.

Look how far we’ve come.

To put this in some perspective, the HSAC is chaired by a judge and a senator. Its member list is undeniably blue blooded, riddled with titles such as CEO, president, partner, governor, trustee, mayor.

Moss is a refreshing addition.

Granted, Moss is no longer on the side of the fence that could land him in jail. Actually, that’s why he gave up the trade after high school. But as the founder of the Black Hat and DEFCON conferences — arguably the biggest hacker events during the year — he clearly still considers himself very much a part of the security research community, which quite often blurs the line between the lawful and the questionable.

With that said, Moss’ representation on the council serves as an eye-opening moment for the federal government. I liken it to placing a former mobster on an anti-racketeering board. Moss is very smart; he can offer perspective that few others can.

Our nation’s leaders finally understand that to fight cybercrime requires the cooperation of everybody, even if that somebody formerly hacked phone systems so he could make free international calls.

Moss will be able to draw from his rich experience as a hacker and call on his many interactions with both the good guys and, I’m sure, the bad guys.

Of course, that’s not to say that Moss can’t also lend some perspective as a business leader. He did start Black Hat and DEFCON from scratch, successfully selling the former to CMP Media in 2005. Moss also has held roles at Ernst & Young and Secure Computing — so he surely knows a thing or two about wearing a tie to the board room.

Apparently, the DHS isn’t only looking to the private sector for advisory help. The Pentagon also is leveraging America’s IT security gene pool to recruit “hacker soldiers,” who will help the government prepare for the next generation of war. The kind that isn’t fought on the deserts of Iraq or Afghanistan.

I see these developments as two great positives.

Experience ultimately can save our nation’s cyberinfrastructure. No more political posturing.

With Adobe acting, now is time for Apple to step up

First it was Microsoft, then Oracle, then Cisco, and now Adobe.

The San Jose, Calif.-based maker of the ubiquitous Acrobat and Reader software is the latest software vendor to announce a strategy for dealing with vulnerabilities. Adobe announced this week that it plans to release quarterly fixes, joining a number of other high-profile players who decided to make their security patches available on a scheduled basis, to make life easier for everyone.

In addition, Adobe said it will begin placing increased efforts on hardening its code (to prevent vulnerabilities wherever possible) and distributing pertinent information to security professionals (if a flaw can’t be avoided).

This undertaking by Adobe was critical, considering the company was getting some serious bad press within the blogosphere after it took a while to patch a critical zero-day early this year. Some experts — and rightfully so — asked why organizations have decided to make Reader their de facto standard, when other, seemingly more secure (or at least less targeted) PDF viewers exist.

Adobe recognized the possibility of losing market share over this, and responded.

While we’re on the subject of major software makers, when is Apple going to get its act together? My own issues aside — Apple is notoriously poor at responding to press calls — the Cupertino computing giant must start being more transparent with its security efforts.

As it stands now, Apple gives little information about issues affecting its Mac OS X platform, and users typically are caught off guard when patches are released. This has incensed a number of very smart security researchers. It even prompted one, Landon Fuller, to publish this week an, albeit benign, proof-of-concept for a Sun Java bug that was fixed months earlier but still was present in the Java shipped with Mac OS X. Fuller, a former Apple engineer himself, said the only way to get Apple to act is by demonstrating a flaw’s severity.

Apple, we know your box is not nearly as targeted as Windows. Maybe it’s because of more secure code. Maybe it’s because you have a lesser market share. Heck, maybe it’s because a lot of hackers like the iPhone and feel bad trying to intrude on your IP.

But, even so, even if one person in the world uses your platform, it’s your duty to be as responsive about security issues as you possibly can be. 

And right now, you’re failing at it. (And not returning my phone calls to boot).

The energy sector needs information sharing, too

If there was one buzzword during the recent RSA Conference that permeated across the session halls at the Moscone Center (and likely even reached the bar at the W), it was information sharing.

The concept is pretty simple, really. For a discipline as young but profoundly complicated as information security to succeed, communication is key. Because, in the end, information systems all touch each other and, really, we’re all in this together.

(Insert image of IT admins sitting around a campfire singing “Kumbaya.”)

Of course, getting people into a room and talking about breaches they’ve had or threats they’ve seen is inherently complex because of things like fear of punishment, competition, and classified documents.

But mostly everyone has recognized that information sharing is an absolute must if America is to keep up with the sophistication of hackers, some of whom are state-sponsored and thereby threatening the very foundation of the country as a whole.

Perhaps in no other industry is protecting the networks as fundamentally important to the nation’s day-to-day living as in the electric grid. But as we know, this sector is far from immune from the wrath of cybercriminals, as SCADA control systems are now being built on top of traditional operating systems, such as Windows or Linux, which contain IP-based components.

In other words, the networks tasked with keeping the lights on are susceptible to the same types of attacks that can impact an average business.

One organization has been quietly meeting over the last several years to make sure these critical systems stay protected. Now, they’re ready to let everyone know about them.

The Energy Sector Security Consortium, or EnergySec, is made up of about 75 of the power sector’s 1,800 asset owners, but now they are trying to “scale” out and reach a wider audience. (Scalability: another RSA buzzword, by the way).

The goal of the organization is to, you guessed it, share information. But here’s why they may succeed at it.

According to Chris Jager, the group’s chairman, and Seth Bromberger, its director, the energy sector doesn’t compete - therefore, asset owners are more likely to collaborate. And with no fear of sanctions, they may be more willing to volunteer the type of information that could prevent another power company from suffering the same type of attack.

Jager says the energy industry has had a tough time responding to today’s security threats because many of the publicized events have been based on unnamed sources and classified information. EnergySec, however, wants its members to feel comfortable detailing specifics of a breach so that the group can better arm its members with information.

“We’re not interested in putting any names in lights,” he says. “It’s more like these types of incidents have occurred and this is how you should mitigate your exposure.”

And EnergySec can also be of value to the government by providing it with real-time and historical data that it can use to “validate or nullify some of the assertions they’re making concerning threats and vulnerability,” Jager says.

If there is any industry that needs some cold, hard facts about hacker attempts, it’s energy. And it sounds as if EnergySec is going to help sound the alarm on an increasingly worrying situation.

“There are people poking at these networks,” Jager says. “That’s real.”

Facebook faces the music

I just got finished reading a lengthy article about Facebook in New York Magazine - easily my favorite magazine in the whole world, well, aside from SC Magazine - and, like I figured, it failed to touch on any of the information security risks of the popular social-networking site.

That’s not to say the story overlooked the privacy ramifications of the site. In fact, much of the article revolved around the inarguable fact that Mark Zuckerberg and his cronies are amassing huge amounts of data on you - you gotta be on Facebook, right? - and tens of millions of your friends all over the world (even if they promise to protect it while you’re here and get rid of it if you decide to leave).

But I’m not here to debate this point, although it seems as if Facebook is making a good faith effort to satiate privacy advocates. The problem with Facebook, and other burgeoning social networking sites like Twitter, is that we get all caught up in this data privacy issue and never talk much about the insecurity of web applications - and how that can be a really bad thing.

We saw it over the weekend, up close and personal, when an attention-seeking teenager from Brooklyn (aren’t they all, really?) devised a cross-site scripting worm that was able to cut across Twitter and infect - albeit benignly - a vast number of profiles.

But what if this attack were more profit-driven? What if the worm spread links to a more malicious website than it did? What if the code asked the user to divulge personal information?

Sites such as Facebook and Twitter have a lot on their minds, mainly figuring out how to monetize their insane popularity. (It’s harder than it seems; nobody wants to pay for anything on the internet.)

But amid their revenue-generating boardroom meetings, they must stop for at least a few minutes to show users their commitment to code security and recognize their place as pioneers in the web’s revolution. Pretty soon, everyone is going to be doing something at least somewhat similar to Facebook and Twitter.

As a blog post on the Gnucitizen think tank said soon after the Twitter attack:

There is no merit in discussing how this has been done and for what purposes but this incident is yet another proof that the attack landscape is rapidly changing and moving towards web enabled infrastructures and the client-side. Sooner or later almost every website will be equipped with social capabilities (google’s own opensocial and friendconnect platforms) and then simple persistent XSS attacks will turn into quite nasty problems.

John Pescatore of Gartner was a tad more terse in his “Twelve Word Tuesday” blog post:

Malware just taught Twitter the lesson Microsoft learned in 2001: security matters.

We’re looking up to you Facebook, Twitter, MySpace, etc. Please don’t let us down.

*** The SC Magazine editorial team will be out in San Francisco next week for the annual SC Magazine U.S. Awards Gala and, of course, the RSA Conference. A quick scan of the conference agenda reveals some potentially meaty sessions. I’ve noticed many are going to be hitting on either cloud computing security, organized crime or government. I think that’ll end up being the theme of the show.

Follow us on Twitter (SCMagazine) and please frequently visit the website (www.scmagazineus.com) for updated news, blogs, videos, etc.

Rest your livers! We’ll see you out there.

Living in the post-April 1 era

Well, as most rational-minded people predicted, April 1 came and went with barely a whimper (as far as we know) from our pal Conficker.

I have mixed feelings about this worm. 

The positive side is that, because of mainstream news coverage such as the 60 Minutes segment last Sunday, Conficker’s presence undoubtedly raised awareness of the dangers of internet threats. In the 3 1/2 years that I have been writing for SC Magazine, this is the first time that my family has called me with a computer security question. (My mom called Tuesday morning, my older brother the night before. Both were convinced, as Lesley Stahl may or may not have wanted them to believe, that the sky was falling).

The negative side is that this threat, much like media-hyped worms of the past, is one of the only times the average end-user seems to pay any attention to security at all. They may assume that the only times they need to be careful are on these “D-Days,” when in fact, they are much more likely to have their identity stolen on an idle Tuesday in November.

These days, in the cybercrime world, it’s all about the money. More so, though, it’s all about flying under the radar and not raising suspicion. That’s why if Conficker ever causes a big problem, it’ll be when nobody is expecting it. 

That’s why people should be more concerned about well-groomed social engineering attacks trying to get you to enter in your credit card information, or buy some fake anti-virus, or click on some sketchy attachment.

Just yesterday, Microsoft announced a dangerous, zero-day PowerPoint vulnerability that is being actively exploited.

Funny, my mom or brother never called me to ask about it. But I bet you they wouldn’t think twice about clicking.

I’m going with the anti-climactic Conficker prediction

I have a pretty good feeling that on April 1, the joke will be on us.

Us, being the media, which has flocked to news that on Wednesday, Conficker’s code is programmed to contact some 50,000 websites for more instruction — which conceivably could give the millions of compromised machines the power to do almost anything. The major news outlets are fully on board with this story, because, after all, who doesn’t love to report on a doomsday scenario?

(SC Magazine is planning its “What will happen?!?!” exposé next week).

The possibilities are real, of course, if the botmaster really got serious about what is under his (her?) control. A massive DDoS attack could be launched. A mega spam campaign could be unleashed. Historic amounts of confidential data could be hijacked.

Or, perhaps, searchable and sellable data — as one researcher told The New York Times:

What if Conficker is intended to give the computer underworld the ability to search for data on all the infected computers around the globe and then sell the answers?

While I’m one to typically fall for the hype — or at least Armageddon prognostications — this one I’m not buying. I’m going with the prediction of SophosLabs Global Director Mark Harris who told me today that he thinks next Wednesday brings nothing more than infected machines getting an updated version of the worm.

That’s what I’m betting on.

Then again, I’m not really the best gambler. I had UCLA going Final Four. Maybe we should ask this guy what he thinks.

No place for a spin room when it comes to data breaches

Was the campaign for Sen. Norm Coleman, R-Minn., serious when it tried to throw around a bunch of fancy security technology jargon and emotion-provoking adjectives in the wake of its data breach revelation?

Based on a statement from the campaign and the senator himself (who reportedly used words like “chilling” and “frightening” to describe the attacks), you might think the campaign was the target of some sophisticated hacker attack. And, I guess that’s believable, considering Coleman is locked in a nasty legal battle with Al Franken over who won November’s election.

(Franken is all but assured the seat, once the mess is sorted out).

But this data-loss incident was anything but “chilling” or “frightening” or the subject of a breached firewall or any other complicated compromise, as the campaign suggested in a statement. Instead, it was an IT consultant who randomly stumbled upon a spreadsheet, sitting publicly available on the web, that contained Coleman donors’ credit card records.

From the Minneapolis Star-Tribune:

One of the first to discover the exposed database was Adria Richards, a Minneapolis freelance technical consultant. Richards checked the Coleman site on the night of Jan. 28 after getting reports that heavy traffic had crashed it; less than two minutes of poking with her browser put her into the database, she said. “A third-grader could have done it,” she said.

Third-graders don’t know how to breach firewalls, but they certainly know how to type a URL into an address bar and find a document that shouldn’t be publicly viewable on the web.

Shame on you, Coleman campaign for trying to spin this like some big-bad hacker infiltrated your database.

And while we’re at it, the campaign should also be sorry for not alerting the victims sooner.

Maybe they were doing a recount, hoping the number wasn’t really 4,700.

Top five highlights of Black Hat D.C.

The SC Magazine team was not in Washington, D.C. for the Black Hat show, but we certainly didn’t want the great research revelations and other talks that came out of the hacker conference to go uncovered.

Here are five (abbreviated) highlights, in no particular order, that we put together based on news reports of the event:

  1. Dan Kaminsky - The researcher who made all the news at last year’s Black Hat Vegas show over the big DNS flaw he discovered (by accident) stumped for the first time for DNSSEC, an Internet Engineering Task Force set of specifications that secures communication between DNS name servers and clients. Kaminsky had never spoken favorably about the implementation, which he said is riddled with challenges, until now. He said we have to find a way to make DNSSEC deployments - now a requirement for all federal agencies - easier.
  2. Michael Sutton - The vice president of research at online web startup Zscaler showed how Google Gears, a browser plugin that allows web apps to work offline, when used on a site vulnerable to cross-site scripting, can be exploited by hackers to steal sensitive, locally stored data. He described the attack scenario (better than I certainly can) on his company blog.
  3. Nguyen Minh Duc - The researcher at a Vietnam-based security firm demonstrated how hackers can fool facial-recognition technologies of Lenovo, Toshiba and Asus, allowing them access to computers. The vulnerability exists because the solutions can’t tell a real face from a digitally mastered one.
  4. Paul Kurtz - The current executive director of SAFECode and a member of the Obama transition team delivered a keynote that warned audience members that the government has a poor disaster recovery plan in place in case of a major cyberattack. Likening the situation to Hurricane Katrina, Kurtz said no agencies are prepared to take an immediate lead role. To respond to a massive assault, the United States should consider militarizing cyberspace, he said.
  5. “Moxie Marlinspike” - The researcher detailed the use of a “SSLstrip” app that enables the launch of a man-in-the-middle attack that will bring users who try to access an “https” version of a website to the unencrypted “http” version. The only way users could tell anything is up is if they look in the browser, but few would notice the URL switched to “http.”
If my pithy write-up wasn’t enough - and I can’t see how it possibly was - visit Black Hat’s site, where you can download the PowerPoint presentations in the archives section here.
Hacks are going to happen — the key is lessening the blow

The latest trend in cybercrime appears to be trying to crack into the websites belonging to companies that are in the business of stopping cybercrime.

Two weekends ago, a Romanian hacker going by the handle Unu first blogged about using a SQL injection attack to gain access to Kaspersky Lab’s U.S. support website. Then, he chronicled a successful infiltration of F-Secure and BitDefender.

In none of the cases was any sensitive data exposed. It’s difficult to say whether that is because the hacker stopped short of doing this because he merely was trying to demonstrate the insecurity of these sites — or because he simply was not sophisticated enough.

Either way, his point was well taken. Because of the amount of code used to build today’s flashy and information-filled websites, pages are going to be insecure. And while Kaspersky, for good reason, expressed shame and disappointment over the hack, situations like this are going to happen.

After all, if a determined hacker wants to find a way in, chances are, he will.

I was speaking recently to the owner of a security consulting firm who said he was absolutely sure that, sooner than later, hackers were going to compromise his site. Just to prove they could do it. He could run the latest and greatest to stop them, but an attack was inevitable.

So how does he sleep at night, knowing the phone might ring at 3 a.m. (sorry, Hillary), telling him that his site was illegally accessed?

By doing the most important thing one can do: Mitigating the threat by limiting the amount of sensitive data that resides in database servers serving public-facing websites.

This should be a best practice that not only applies to SQL databases but across enterprise networks. If you don’t need it, don’t keep it.

The worst-case scenario, my source told me, was that the thieves would get some email addresses.

Sounds a lot better to me than names, Socials and credit card numbers.
