The SC Magazine Newsteam Blog

Lockheed Martin to ask programmers to get security certified

In what likely will be a recurring theme for companies that deal in software, aerospace manufacturing giant Lockheed Martin has announced it is partnering with the SANS Institute to certify 75 of its programmers in secure code development.

Bethesda, Md.-based Lockheed, a $42 billion company that provides IT solutions and services to the federal government, becomes the first systems integrator to offer application assurance to customers, SANS’ research head Alan Paller said.

Programmers will receive skills development, assessment and certification under the SANS Global Information Assurance Certification standard. They will be trained in common language frameworks, including Java and .NET.

“Lockheed Martin integrates all aspects of information assurance into every solution it delivers and continues to invest in proactive security measures,” said Eric Cole, senior cybersecurity fellow at Lockheed. “We are committed to improving secure software development practices and are certifying our employees who are working in the area of cybersecurity on customer programs.”

This news is particularly important because Lockheed’s largest customer is the U.S. Department of Defense.

Lockheed said that, depending on how successful the certification program proves to be, it may extend beyond the initial 75 programmers.

The company did not say what might happen to the programmers if they are unable to achieve certification.

The topic of security is one that is undoubtedly working its way into different IT roles and functions - including code development - but at least some backlash is sure to emerge. It is likely that training in secure code writing will be something new for these developers, and they may, at least initially, balk at the idea of another training requirement.

But that mindset is sure to change across verticals. While it may always be impossible to make a piece of software vulnerability-free, it is nice to see a mega corporation like Lockheed blazing the trail.

A study in contrast: TJX and Hannaford

Without a doubt, the two biggest news-making retail breaches in the past year were TJX and Hannaford.

TJX lost somewhere between 11 and 25 times as many records as Hannaford, but both merchants suffered massive hacker attacks that resulted in endless news stories, federal investigations and costly lawsuits. We’ve covered that sort of collateral damage ad nauseam in the online pages of SC Magazine, so I’ll spare you.

What I want to talk about today is the spectacularly contradictory ways the two retailers have handled their public relations since the breach.

TJX, from the start, has never admitted to doing anything wrong. Sure, the Framingham, Mass.-based discount clothing merchant issued an apology to customers, saying they were sorry for any inconvenience lobbed customers’ way, but they never talked in detail about how the breach occurred.

Others speculated; TJX never confirmed.

Maine-based Hannaford, on the other hand, has embodied transparency. They issue press releases. They make their spokespeople readily available. They explain how it happened (malware planted on servers). Heck, yesterday, they got their CEO and CIO on the phone with reporters to candidly - as much as they can considering the ongoing investigation - talk about the breach and mention specific solutions they are deploying to mitigate future risk.

They are contrite.

TJX, if they are sorry, are not letting anyone know about it.

Here are two contrasting approaches for dealing with one of the biggest challenges either company has ever faced.

It appears that TJX has failed miserably, whereas Hannaford took a low point and turned it into a study in effective crisis response.

But, at the end of the day, I’m not so sure whose approach is best.

TJX never lost customers. It skated past any major lawsuit settlements.

Perhaps, TJX executives knew in the back of their minds that there was no way their customers were going to abandon them. After all, where else can you get a designer tie for $15 (Marshalls) or a brand-name dress for $25 (T.J. Maxx)?

So the powers-that-be decided they should apply the “Goodfellas” approach, namely “Never admit to nothing” and “Always keep your mouth shut.”

Perhaps Hannaford wasn’t afforded such a luxury. There were other options for their customers. Other grocery chains that offered similar prices and similar selections. So they had to respond in a different kind of way, with openness.

We hear so much these days about how everyone’s biggest fear is landing on the front page of the Wall Street Journal - hey did you forget about SC Magazine? - or in front of the cameras of CNN, where they are left explaining how they just lost millions of sensitive customer records.

We’ve read studies about how customers swear they will never shop at a compromised company again.

Then, I look at TJX, and I wonder if all the effort to communicate and apologize really means anything, whether poll respondents are just saying what they think is right and whether, in the end, it’s just too much effort to get up and leave.

Tell me I’m wrong, please.

RSA wrapup: The good and the creepy

Deb Radcliff filed this after attending RSA Conference 2008.

Everyone’s always asking those of us from the trade press about trends we see at RSA.

Some will tell you RSA this year was all about virtualization, which already seems like an old story with vendors like Blue Lane Technologies and Reflex Security stepping in to monitor the heretofore unwatchable layers created by virtual machine managers and their guests.

Others will say it’s all about data leakage protection, and we sure saw a lot of that at the conference this year, with Symantec, Trend Micro and others taking leakage protection to a more comprehensive level at the endpoint and gateway.

Unified authentication and use of federated identity frameworks are also gaining momentum, with Microsoft discussing its unified access approach, TriCipher announcing over 50 web applications (SalesForce, WebEx, Google, etc.) in its user single sign-on portfolio, and so on.

Ultimately (true to RSA President Art Coviello’s Tuesday morning keynote), the overall conference boiled down to more holistic management of risk under the following bullet points:

• Looking at security from inside out instead of outside in (protecting data instead of the network)
• Driving protections deeper into the infrastructure to make it more of an operational function rather than a separate security function
• Using security as an enabler for new types of business

All good and necessary aspirations. But one theme that subtly carried across and outside the conference was this nuance of surveillance – surveillance of children (Symantec’s upcoming family security suite), surveillance of IP traffic, including through the ISPs.

The theme of being watched resonated outside the conference, starting with hotel rooms booked through the RSA block. On Monday night, little piles of colorful conference bling and fliers appeared on doorsteps of all RSA attendees who registered through that block. They know where you are, and so does everyone walking down the hallways looking at the bling in front of all those doors. RSA used a middleman to deliver the bling to the doors, according to a spokesperson, but that’s still creepy.

That same feeling also carried over to the end of RSA bash Thursday night, in which RSA Conference organizers put a lot of work and expense into setting up different forms of entertainment in the Marriott ballrooms. In the Karaoke room, for example, local entertainers set up a 20-foot black pyramid topped with a giant, 12 by 10-foot face-shaped screen with a nose protruding. Onto that screen was projected the face of a real person taking questions, acting all knowing like the Wizard of Oz, while looking ominously down upon them. (See my friend Liz Safran’s picture of said face here.)

Then there was the face painting room. With security and privacy blended so closely together, it was amazing how many security practitioners blithely stood in line to get barcodes painted on their foreheads. Not only did the fake barcodes wreck their coiffures, they made their bearers repulsive – every time one walked by it made you think of the ‘mark of the beast’ predicted in the biblical Book of Revelation.

All in fun, one might say. But given the level of desensitization among this crowd, it looked more like a parody of things to come. — Deb Radcliff

An RSA hangover

I just got off a completely full (as opposed to just full, I love how flight attendants add unnecessary words to things) redeye from San Francisco to JFK.

My journey back east follows four non-stop days at the RSA Conference, so needless to say I am exhausted.

But I think our site looks great, with a lot of dynamic content (videos, podcasts) and updated news stories. And our annual awards show was an across-the-board hit.

I don’t think my body will allow me to work a full day today, but before I leave, I felt obliged to give at least a couple of thoughts on the show, so here goes:

  • I agree with other bloggers who have said there didn’t seem to be any one specific offering that emerged as a theme. However, I did hear a lot about identity management, data-centricity and product integration as a way of responding to sophisticated attacks and compliance regulations.
  • Consolidation hasn’t taken root yet, as judged by the large number of vendors - from the best-of-breed start-ups to the big IT infrastructure players - pushing solutions.
  • From a news perspective, the show lacked many headlines. But there were a couple of interesting research revelations (related to routers and virtualization), and DHS Secretary Michael Chertoff drew widespread coverage for placing the spotlight on the threats cyberattacks pose to national security.
  • As for major product announcements, none stole the show, so to speak. One person I spoke with thinks that RSA has gotten so big, companies figure it’s better to announce major news during another time of year in hopes of getting more ink from the trade pubs.
  • Still, the RSA show is the only time all year where you don’t have to walk around for long without bumping into a mover or shaker. It’s a chance to connect faces with names. There are a number of great sessions addressing timely topics. And most of all, as I said prior to leaving for the show, it’s an opportunity to connect with peers.

I’m happy to say I saw a lot of networking going on, whether it was over coffee before the 8 a.m. sessions began or over a last-call cocktail at the W.

RSA Conference comes at just the right time

As if we needed more validation that we are living in an information security crisis, two reports emerged just days before security gurus are set to gather for the annual RSA Conference in San Francisco.

Based on the findings published in these reports, the biggest information security show in the world couldn’t come at a better time.

So far this year, according to the Identity Theft Resource Center, the number of data breaches has doubled over the same period last year.

And what I’m noticing as a writer covering these events is that they are not your average lose-a-laptop-type events. To the contrary, many breaches this year have been sophisticated hacker attacks.

But the most troubling figures to surface this week come out of the 2007 Internet Crime Report, published by the Internet Crime Complaint Center (IC3), a joint operation between the FBI and National White Collar Crime Center.

The report shows that IC3 referred more than 90,000 complaints to law enforcement last year, totaling about $240 million in reported losses. That’s $40 million more than the previous year.

$40 million more!

While the complaints did include age-old crimes such as non-delivery of purchases, they also involved computer attacks, spam and credit and debit card fraud.

Clearly, there’s a lot of work to be done. RSA will help.

There will be scores of educational sessions that will touch on every possible IT security topic, ranging from website attacks to forensic investigations to securing the 2008 election to corporate espionage to the debate over a national data breach notification law.

There also will be scores of vendors, each pushing a product or service that might be able to help. Yes, the marketing folks might annoy you as you browse the floor. But as always, the RSA expo is a good indicator of where the threat landscape is heading.

(Plus, I’m sure some of the booths will have beer and food).

If I could offer one piece of advice for RSA - this will be my third year, so now I feel I can offer at least one tidbit of advice - it would be to make friends with your peers. Exchange ideas. Talk about what’s working and what’s not. Talk about a breach that may have happened to you. Talk about how you responded.

As a reporter, I regularly have to awkwardly approach people to chat about things. It seems instinctively wrong but don’t get anxiety over it. Everybody wants to talk and meet people as well.

Chances are, you’ll get more out of collaborating with your peers than you will in any session or any booth.

Yes, even the ones with beer.

Show me the money

If you noticed something big missing from last week’s settlement between breach extraordinaire TJX and the Federal Trade Commission - that being dollar signs - you weren’t alone.

But before you go criticizing the FTC for going soft on a retailer that exposed some 45 million credit card numbers - or double that if you go by court filings - keep this factual tidbit in mind: The agency isn’t allowed to impose fines.

The rule has been a thorn in the FTC’s side for years, especially as it goes after more and more companies with lax data security practices in place.

Right now, the FTC can force companies to fork over ill-gotten gains and force them to pay for customer redress. That may work fine for spam and spyware purveyors who make a pretty good chunk of change preying on innocent web users, but the agency typically can’t apply that to legitimate companies such as TJX.

The FTC is lobbying Congress for additional power. In the meantime, the fines for breaches will come from the credit card brands (for violating Payment Card Industry standards) and countless lawsuits.

Although one must wonder how much fining power Visa and MasterCard can have if the merchant was PCI-compliant, as was the case with the recent Hannaford Bros. breach, at the time of the data loss.

Here come the Hannaford lawsuits

As expected, heck maybe even sooner than expected, two lawsuits have been filed against Hannaford Bros. supermarket chain over the huge data breach announced this week.

More surely are coming.

First reported by the Boston Globe, one suit was filed in Portland, Maine by Philadelphia law firm Berger & Montague, and a second in Bangor. That suit named Melinda Ryan as the lead plaintiff.

Both actions were taken on behalf of consumers who argue that Hannaford was negligent in its protection of sensitive data — namely some 4.2 million debit and credit card numbers that were exposed during the card verification process, according to the company.

Hannaford maintains that its systems are among the most secure in the retail industry and that it was in compliance with the Payment Card Industry Data Security Standard (PCI DSS).

If that’s true, something went wrong. Either Hannaford fell out of compliance, PCI needs some serious rethinking or hackers are just getting that good.

Needless to say, post-TJX, retailers who fall victim to massive data breaches are going to have to do a lot of explaining. And consumers are going to be even more anxious to go after them.

Spitzer and Majoras, and how they relate

In just one week, the IT security world almost certainly lost two hard-nosed cybercrime enforcers.

They will leave for different reasons.

One will go to a highly coveted job. 

One will be forced to deal with a life of regret of what could have been.

But today we don’t stand to judge.

Instead, let’s celebrate their legacy as it relates to stemming cybercrime.

Deborah Platt Majoras, chairwoman of the Federal Trade Commission, announced last week she plans to vacate her post at the end of this month. Ever the champion of identity theft awareness and punishing purveyors of spyware and spam scams, Majoras will be missed. We were so impressed with her work at the FTC that SC Magazine named her one of the top thinkers in IT security in 2006.

She will take over as head of Procter & Gamble’s anti-trust and litigation practices. It’s doubtful she’ll have much to say on the ID theft-fighting front from there, but she certainly laid a solid foundation at the FTC for many years to come.

Then there’s New York Gov. Eliot Spitzer, who, at the time of this writing, does indeed remain governor. But after being linked as a client - Client 9, to be exact - to a high-priced prostitution ring, Spitzer’s seat as head of state sits on very shaky ground.

Many will denounce Spitzer as the definition of a hypocrite, as a man who, as attorney general, was steadfast in his efforts to weed out the corrupt but who had a scandalous side in which he gladly welcomed the services of at least one high-priced prostitute - a petite brunette known as Kristen.

But no matter how much this may cost Spitzer, both at work and at home, his righteousness cannot go for naught.  As attorney general, Spitzer went after a number of spyware firms who tried to pass themselves off as legitimate marketers. He also recognized the dangers of the internet.

“The internet has become the new Main Street of our society,” he once said, after a ranking of complaints showed the internet was the biggest thorn in the side of consumers. “It has brought great benefits, but also new opportunities for the unscrupulous.”

Spitzer and Majoras recognized the troubles that lie ahead. That’s more than we can say for other government officials.

No wonder Linkin Park sounded so good

Here in New York, a group of friends and I make it priority to regularly attend concerts, considering so many great acts come into the city. We don’t claim to be connoisseurs of underground music or indie bands.

No, we’re pretty mainstream, actually. Since we formed the concert crew about a year ago, we’ve checked out The Killers, Third Eye Blind, Fall Out Boy and - don’t laugh - Kelly Clarkson. (I was duped into this after a night of being over-served).

Last Thursday, it was Linkin Park at Madison Square Garden. And they rocked. They played all of their hits and, to a roaring ovation, Jay-Z showed up for the ”99 Problems” encore.

Anyway, I was still buzzing the next day when I came across a news story that might just explain why the band seemed to have a spring in its step.

The day before the concert, a woman convicted of “cyberstalking” Linkin Park lead singer Chester Bennington was sentenced to two years in the slammer.

According to news reports, Devon Townsend - at the time a 27-year-old single mother with a baby son - used her government computer at Sandia National Laboratories in New Mexico, which performs nuclear research for the Department of Energy, to hack into the rock star’s email account.

While Townsend was granted high-level access privileges because of her job, all she needed to perform the attack was to properly guess Bennington’s mac.com email password - ”Charlie” - to gain access to his messages. She was able to intercept the crooner’s family photos, Social Security numbers, record company dealings, information about travel plans and contact details for friends.

This paragraph from a well-researched “Wired” story sums up Townsend’s score:

Townsend suddenly had access to all of her idol’s messages. Soon she had Talinda’s (Bennington’s wife) Yahoo address, too, and after guessing the password, she reset it. From there, her infiltration was a feat of feverish social engineering. As Townsend pored through the Benningtons’ email, she began cataloging every detail of their lives: friends, Social Security numbers, photos, plans. Getting Chester’s cell phone data was a snap: All she’d needed was his wireless number, his zip code, and the last four digits of his Social Security number to register his Verizon account online and get complete access to records of his calls. Even Townsend herself seemed astonished at how easy it was. When she opened the Verizon account, the user ID she chose was “ohs*ititworked.”

As Townsend was being tracked down with the help of a retired Secret Service agent and cybercrimes specialist, Bennington lived in fear and trusted nobody except his family. The once friendly rocker, who was always open for chatting with fans, was thrust into a life of misery and fear.

In the end - I think I just quoted a Linkin Park song title - this was not a sophisticated cyberattack.

Sure, the laboratory could have deployed better content monitoring solutions - or any at all - to detect that Townsend was spending much of her work day digitally stalking Bennington. Yet, it ultimately came down to choosing an easy-to-guess password. As the Wired story points out, the password Bennington chose - “Charlie” - is his middle name.

But all’s well that ends well, I guess. If anything, we now have at least one more security-aware end-user in the world. In this case, that person can now solely focus on what he’s good at, rock ‘n’ roll, not computer forensics.
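The point of this story is a screening problem: the password that opened the door was the account holder’s own middle name. As an added example (not code from the original post, from Apple, Verizon or anyone else named above), here is a password-screening check in the spirit of NIST SP 800-63B, which tells verifiers to reject candidates found on a blocklist of common passwords and candidates containing context-specific words such as the user’s names, username or the service name. The tiny blocklist and the names used as context below are constructed for illustration.

```python
import re
from typing import Iterable, List

# Constructed, deliberately tiny blocklist of common passwords. A real
# deployment would load a large breach-derived list instead (assumption).
COMMON_PASSWORDS = frozenset({
    "password", "123456", "12345678", "qwerty", "letmein", "welcome", "abc123",
})

# Leet-speak substitutions undone before comparison, so that "Ch@rl1e" is
# recognised as "charlie".
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                       "$": "s", "!": "i", "5": "s"})


def normalise(s: str) -> str:
    """Lower-case, undo common substitutions and drop non-alphanumerics."""
    return re.sub(r"[^a-z0-9]", "", s.lower().translate(_LEET))


def has_sequence(s: str, run: int = 4) -> bool:
    """True if s contains `run` consecutive ascending or descending
    alphanumerics such as 'abcd', '4321' or 'wxyz'."""
    s = s.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if not chunk.isalnum():
            continue
        codes = [ord(c) for c in chunk]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def weak_password_reasons(password: str, context_words: Iterable[str],
                          min_length: int = 12) -> List[str]:
    """Return the reasons a password should be rejected (empty if it passes).

    `context_words` are user- and service-specific terms: the user's names,
    username, e-mail local part, the service name, and so on.
    """
    reasons: List[str] = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    norm = normalise(password)
    if norm in COMMON_PASSWORDS:
        reasons.append("on the common-password blocklist")
    for word in context_words:
        w = normalise(word)
        # Very short tokens would produce false positives, so skip them.
        if len(w) >= 3 and w in norm:
            reasons.append(f"contains context-specific word {word!r}")
    if re.search(r"(.)\1{3,}", password):
        reasons.append("contains a run of four or more repeated characters")
    if has_sequence(password):
        reasons.append("contains a sequential run such as 'abcd' or '1234'")
    return reasons


def is_acceptable(password: str, context_words: Iterable[str]) -> bool:
    return not weak_password_reasons(password, context_words)


if __name__ == "__main__":
    # Constructed context: the account holder's own names plus the service.
    context = ["Chester", "Charlie", "Bennington", "mac.com"]
    for candidate in ("Charlie", "Ch@rl1e2008", "correct-horse-battery-staple"):
        print(candidate, "->", weak_password_reasons(candidate, context) or "ok")
```

Run against the names in this story, "Charlie" is rejected twice over (too short and a context word), "Ch@rl1e2008" is still caught once the substitutions are undone, and a long passphrase that shares nothing with the user’s profile passes. The context-word check is where the lab’s monitoring would have been irrelevant: the fix belongs at the point where the password is chosen, not where it is later abused.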

Testing students’ computer security awareness

We all know that colleges are among the hardest hit targets when it comes to cybercrime.

I’ve heard a number of reasons why this is the case but there are a few that regularly stand out:

  • The openness of the academic infrastructure. This may promote the free flow of information but makes controls difficult to enforce.
  • Decentralized environment. In most colleges, each department is responsible for its own systems, and many view the central IT team more as an annoyance than a protector.
  • A migrating user base. Every few months, students connect new systems - many times lacking the appropriate patches and anti-virus software - to the school network.
  • A test run. Many hackers view colleges as a place to try out their latest attack methods.
  • Loads of personal information. Colleges are notorious for holding on to critical data, like Social Security numbers, for way longer than necessary.
  • Not your smartest user base. Students today may be the most tech-savvy when it comes to operating computers and applications, but they fall quite short when it comes to safeguarding themselves from attack.

Colleges are trying to get all of these issues under control.

Some are taking innovative approaches.

One merits some recognition: The University of Michigan at Flint recently launched its second annual Computer Security 101 Exam. And it’s not just another test, students will be happy to know.

It’s a test with prizes - some pretty cool and sought-after stuff, actually, including Dell laptops, Apple MacBooks, iPods and Nintendo Wiis. Students are tested on their ability to spot online fraud, namely malicious pages attempting to phish one’s credentials or install malcode.

Students can retake the tests until they achieve a perfect score. At that point, they’ll be eligible to win the prizes.

Incentives do work, so we applaud the University of Michigan-Flint - which was the victim itself of a hacker attack in December - for taking such an approach. 

Because, in the end, end-users are the weakest link. Perhaps some businesses can learn a thing or two from this proactive measure.
