SC Magazine
The SC Magazine Newsteam Blog

Android is no iPhone, yet

Posted September 23, 2008

The launch today of Android, Google’s new cell phone OS, has elicited the usual hoopla.

The system, debuting on T-Mobile’s G1 handset, may prove, despite some lukewarm reviews, to be a worthy competitor to Apple’s iPhone. Many of its features are similar, including the now-standard Wi-Fi and Bluetooth; the prime selling point is the OS’s underlying Linux-based, open source mobile platform.

The company is touting how this will allow its app store, Android Market, to be completely open, the implication being that developers will find it easier to create and distribute applications for the device without the policing Apple applies to its App Store.

Critics are already pointing out that this lack of oversight could let viruses and malware be dropped into an application’s code as easily as adding salt to a recipe.

In a piece today, NY Times tech and gadget guru David Pogue responds to those accusations, saying, “[Google] will remove apps that contain malware, copyright infringement, pornography, etc…”

But we have to wonder. Last year, Google got things rolling by offering $10 million in prizes to developers. Recently announced winners included Wertago, a social networking app that lets users hook up with their friends; and cab4me, which enables users to summon a taxi with one click.

Certainly, the first wave of apps will prove useful and fun for the ever-burgeoning techno set. But the next wave is likely to exploit the popularity of the new smartphone platform to deliver malware.

Gene Munster, an analyst at Piper Jaffray, predicts that Google’s take from mobile search revenue will reach about $2 billion by 2012. So the stakes are high.


Filed under: Apple, Emerging threats, Open source, Product news

What can we learn from the Palin email hack?

Posted September 19, 2008

After word spread that a hacker leaked the contents of vice presidential candidate Sarah Palin’s Yahoo email account by knowing a couple of pieces of background information about the Alaska governor, I could hear the collective mouse-click of panicked web mail users, from Wasilla to Worcester.

If it was that easy for someone who had never met Palin to break into her email account, what did that mean for the millions of users of Gmail, Yahoo, MSN Hotmail, AOL and the like, whose identities could be just as easily impersonated?

Here’s what went through my mind:

“What does my account require to retrieve a forgotten password? What’s my ‘secret’ question? Darn it, everyone knows who my childhood best friend was... Why did I pick that as my question?”

Well you get the idea. But this is a real risk for so many people who rely on personal emails to transfer back and forth a lot of critical information about their lives.

Seriously, I doubt I was the only one who after hearing about the Palin incident, had flashbacks of that crazy ex who knew a lot about you and wouldn’t mind using that knowledge to excavate your email account in hopes of confirming her wild suspicions of where you really were on that night when you swore you were working on an all-night project at work…I digress.

But I’m a curious guy, so I decided to try it out myself. With the permission of my twin brother, I tried to access his Gmail account.

So I entered his username and clicked on the “I cannot access my account” link, then the “I forgot my password” link. What I learned was that my brother had set up his account so the proper password would be sent to his AOL account.

Hmmm. Well, I’ll try there then. So I go to AOL.com, enter in his username, some annoying CAPTCHA and then it asks me: What is your favorite movie? Bingo, I’m almost there.

Well I tried three films that I was certain would get me in - and they didn’t work. So I tried one or two more. No luck. Then it said the account would be locked for 24 hours due to too many attempts at this. Oops. Sorry, Dave.

Turns out, the guesses I made were the ones my brother thought they’d be. Either way, I’m assuming that if I would’ve correctly answered that “secret” question, it would’ve been pwnage.

(My little experiment sounds cool, but it is not nearly as well documented as the one our friend Hugh Thompson wrote up here in an article for Scientific American.)

Since the Palin hack, my inbox has been predictably flooded with requests to speak with vendors who claim to be able to solve this weak web mail authentication issue. From the Trusted Platform Module to outright blocking, there are a lot of ideas out there.

But one thing is for sure: While we can never expect personal email accounts to undergo the same scrutinies and protections as corporate accounts, the burden is on the web mail providers to offer users some more comprehensive security.

Something beyond what someone’s favorite movie is or where a husband and wife originally met…These answers are easily discoverable on the internet.

Didn’t the Yahoos and Googles of the world ever hear of social networking sites or, better yet, internet searching?

Oh, right.
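The two halves of the argument above, as an added example in Python rather than anything from the post or from any web mail provider: the reset chain the post walks through (the secondary account’s “secret question” is the gate, with a lockout after too many wrong answers) run against a constructed guess list, beside the kind of recovery the post asks providers for, a random, single-use, time-limited token sent out of band. The lockout threshold, token lifetime and wordlist are assumptions.

```python
"""Account recovery: a guessable 'secret question' versus an out-of-band token.

Added example, not from the post or any provider's code. LOCKOUT_AFTER, the
token lifetime and POPULAR_MOVIES are assumptions made for illustration.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple

LOCKOUT_AFTER = 5              # assumed: wrong answers allowed before a 24-hour lock
POPULAR_MOVIES: List[str] = [  # constructed wordlist; a web search on the target does better
    "star wars", "the godfather", "casablanca", "pulp fiction", "the matrix",
    "titanic", "jaws", "goodfellas", "rocky", "fight club",
]


def normalise(answer: str) -> str:
    """Providers accept sloppy answers, which shrinks the guess space further."""
    return " ".join(answer.lower().split())


class SecretQuestionReset:
    """The weak link: recovery gated on a low-entropy fact that is often public."""

    def __init__(self, answer: str) -> None:
        self._answer = normalise(answer)
        self.failed = 0
        self.locked = False

    def attempt(self, guess: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(self._answer.encode(), normalise(guess).encode()):
            return True
        self.failed += 1
        if self.failed >= LOCKOUT_AFTER:
            self.locked = True          # the "Oops. Sorry, Dave." moment
        return False


def attack_secret_question(target: SecretQuestionReset,
                           wordlist: List[str] = POPULAR_MOVIES) -> Optional[int]:
    """Returns the 1-based guess that opened the account, or None if the lock held.
    The lockout only helps when the right answer is not among the first few guesses."""
    for n, guess in enumerate(wordlist, 1):
        if target.attempt(guess):
            return n
        if target.locked:
            return None
    return None


class TokenReset:
    """Hardened recovery: a 256-bit random token sent over a channel the account
    holder controls, stored only as a hash, valid once and for a short time.
    Nothing an attacker can read on a social networking site helps guess it."""

    def __init__(self, ttl_seconds: int = 600) -> None:
        self.ttl = ttl_seconds
        self._pending: Dict[str, Tuple[bytes, float]] = {}  # user -> (sha256(token), expiry)

    def issue(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[user] = (hashlib.sha256(token.encode()).digest(), now + self.ttl)
        return token  # delivered out of band (SMS, verified address), never to the requester's browser

    def redeem(self, user: str, token: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry:
            del self._pending[user]     # expired: purge and force a fresh issue
            return False
        ok = hmac.compare_digest(digest, hashlib.sha256(token.encode()).digest())
        if ok:
            del self._pending[user]     # single use
        return ok


if __name__ == "__main__":
    print("guesses needed:", attack_secret_question(SecretQuestionReset("The Matrix")))
    svc = TokenReset()
    tok = svc.issue("dave")
    print("token redeemed once:", svc.redeem("dave", tok), "twice:", svc.redeem("dave", tok))
```

The normalisation step is deliberate: providers that ignore case and spacing make life easier for legitimate users and for the attacker alike, so the lockout counter, not the question, is doing the real work, and five guesses against a public fact is not much of a counter.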


Filed under: Consumer threats, Email Security, Lawbreakers, Uncategorized

PCI 1.2 arrives - and the changes seem dealable

Posted September 12, 2008

Considering two years of feedback have gone into revising the Payment Card Industry Data Security Standard (PCI DSS) for its next coming-out party, the most prescriptive IT security mandate in all the land actually hasn’t changed that much.

And that’s good news. It proves that a set of guidelines can be industry driven, without any reliance on the government, and still motivate companies to take action.

That’s, of course, not to say there hasn’t been lots of kicking and screaming along the way, but considering Visa’s latest compliance figures, merchants are accepting the reality that is PCI DSS.

Version 1.2 of the standard gets released today to the hundreds of participating members of the PCI Security Standards Council. On Oct. 1, the day 1.2 officially takes effect, everyone can see it.

With that said, there are some very significant additions to the new version.

Chief among them is the removal of references to WEP (Wired Equivalent Privacy), an outdated encryption protocol that, depending on who you ask, is filled with more holes than Swiss cheese. New wireless deployments may not use it after March 31, 2009, and by June 30, 2010 organizations encrypting wireless communication must have fully transitioned to WPA (Wi-Fi Protected Access), its replacement.
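Why WEP earned that reputation, as an added example that is not part of the post or of the standard: a toy Python reimplementation of WEP’s per-frame RC4 encryption, showing that once the 24-bit IV repeats (on a busy network, within a few thousand frames) two frames share a keystream, and one known plaintext exposes the other with no knowledge of the key. The shared key, IV and frame payloads are constructed.

```python
"""Why WEP is broken: RC4 keystream reuse under a 24-bit IV.

Added example, not part of the original post or of PCI DSS. Toy model of the
WEP frame-encryption step (RC4 keyed with IV || static shared key, IV sent in
the clear). The key, IV and payloads used below are constructed.
"""
import math


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (key scheduling + output generation), the cipher WEP uses."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """One WEP frame body: the 3-byte IV is prepended to the static key to form
    the per-frame RC4 key, then transmitted in the clear ahead of the ciphertext.
    (The CRC-based ICV is omitted; it adds nothing against this attack.)"""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    keystream = rc4_keystream(iv + shared_key, len(payload))
    return iv + bytes(p ^ k for p, k in zip(payload, keystream))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return bytes(c ^ k for c, k in zip(body, rc4_keystream(iv + shared_key, len(body))))


def recover_from_iv_reuse(frame_a: bytes, frame_b: bytes, known_payload_a: bytes) -> bytes:
    """Two frames with the same IV under the same key share a keystream, so
    C_a xor C_b = P_a xor P_b. Knowing P_a (a predictable header, or a packet the
    attacker provoked) yields the keystream and hence P_b, without the key.
    Returns as many bytes of P_b as the known P_a covers."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("IVs differ; keystreams are independent")
    keystream = bytes(c ^ p for c, p in zip(frame_a[3:], known_payload_a))
    return bytes(c ^ k for c, k in zip(frame_b[3:], keystream))


def frames_until_iv_repeat(probability: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: frames sent before some IV repeats with the given
    probability, assuming IVs are chosen at random. Cards that count IVs
    sequentially or reset them to zero on power-up repeat far sooner."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


if __name__ == "__main__":
    key = b"\x0b\xad\xc0\xff\xee"                # constructed 40-bit WEP key
    iv = b"\x12\x34\x56"                          # constructed IV, reused by the sender
    header = b"GET /index.html HTTP/1.0\r\n"     # plaintext an attacker can predict
    secret = b"card=4111111111111111&cvv=123"    # constructed payload in the other frame
    a = wep_encrypt(key, iv, header)
    b = wep_encrypt(key, iv, secret)
    print(recover_from_iv_reuse(a, b, header))
    print("frames until an IV repeats (p=0.5):", frames_until_iv_repeat())
```

Keystream reuse is only the simplest of WEP’s problems (the related-key weaknesses in RC4’s key schedule are what let attackers recover the shared key itself), but it is enough to show why a cardholder-data network cannot rely on it.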

Other changes include making requirement 6.6, which says organizations need either to perform application code review or to implement a web application firewall, mandatory rather than a best practice.

There also are some clarifications and adjustments, such as using consistent terminology, like “strong cryptography,” in addition to defining some deadlines not in terms of time but based on risk to that individual merchant.

Absent from the latest version is a requirement to encrypt internal communication from point-of-sale device to credit card processor, something I thought might have found its way into the updated version after the Hannaford breach.

I met with Bob Russo, the PCI council’s general manager on Thursday, who told me the change could someday become part of the standard. But if retailers comply with existing sections of the standard, they should be able to avoid a rogue person inserting a sniffer on their private network. Plus, the council - which administers the standard - tries to avoid pushing out new, potentially time consuming and costly requirements on merchants, whenever possible.

“My objective when I put out a new standard is not to put people out of compliance,” Russo says.

He also told me that he has yet to hear of a single retailer that was PCI compliant and simultaneously breached. When I asked him about Hannaford, which supposedly had just successfully completed a PCI audit prior to its major data compromise, he told me the supermarket chain’s former CIO could never prove it to him.

Regardless, I have to believe that even if retailers are close to PCI compliance, they’re in pretty good shape. The cybercriminals of the world are looking for the lowest common denominator, the type of business whose defenses aren’t going to make it difficult on them.

Believe me, there are still plenty of TJXs and Hannafords to go around.

So keep it up, merchants! I know PCI can be costly and riddled with some complexities but isn’t it better to be told what to do by your peers rather than the federal government?

Oh, and be happy that version 1.2, not 2.0, is showing up at your doorstep in two weeks, because a major revision would mean a lot more work.

Filed under: Breaches, Compliance, Consumer threats, Trojans

Computer security legal parallels

Posted September 11, 2008

To believe the data, the trends, the analysts and the other interested observers, lawlessness is the status quo in computer security.

I’m just talking here. And as a colleague of mine used to grumble, I know nothing…

But what happened to the implied social contract of the internet?

In society, the theory goes, people go about living without fear because of protection afforded by the policing function of government. In fact, the need for effective protection arose from an inability of ordinary individuals to curb lawlessness.

And where does lawlessness stem from? Criminal minds, of course. That is the purview of criminologists, right? Criminology theoretically draws on the study of multiple disciplines from biology to anthropology. Crime relates to a multiplicity of conflicting and convergent influences, so any understanding of causality remains hard to pin down.

In general, however, security implies prevention – preventative measures and investigation of incidents after the fact (in theory to prevent future incidents and discourage wrongdoers). Most organizations are on their own in terms of prevention; and investigating is the last measure one would engage in if it involves outside help and notoriety.

Even if outside help were relied on, the nature of computer offenses is not something that lends itself to everyday recourses. In this country, there is a very disjointed system of governmental administration, including thousands of disparate municipal and county law-enforcement agencies and even more federal, state, and local agencies with specialized jurisdictions. 

Whether or not you agree that computer security is a law-enforcement problem, the enforcers cannot be expected to create order from whole cloth; we’re talking about a criminal behavior quite different from the usual street crime.

That is, although crimes are considered injurious to society as a whole, cybercrime is addressed mainly by commercial products that private organizations deploy to prevent overt acts against themselves.

People engaged in business should be able to go about being productive without concern that assets they create and work with will be drained and sold in cyberspace. This freedom of action has to be protected, and it is now only through a strange amalgam of government and private efforts.

Where does one begin and the other end?

Filed under: Opinion

Obama campaign target of “sex scandal” spam

Posted September 9, 2008

A new spam campaign is emerging that exploits the seedier side of computer users. In a new wave of social engineering, in language that might have been written by Borat, the spam promises videos of presidential candidate Barack Obama having “sex action with many ukrainian girls.”

If a moron clicks on the moronic message, a sex video begins playing. But at the same time, in the background, information-stealing code is downloaded to the victim’s machine, according to a release from Websense, which claims it discovered the email campaign.

According to the Websense report, the email campaign loads a trojan dropper, which installs a file in the user’s Temporary Internet Files folder. It also registers a browser helper object (BHO), an Internet Explorer add-on that loads with every browser session; this one is an information-stealing component that siphons data from the end user to a site registered in Finland.
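A check a responder could run on a suspect machine, as an added example rather than anything from Websense or the post: a Python script that reads a `reg export` of the browser helper object list and the CLSID hive, resolves each BHO to its DLL, and flags those loaded from the Temporary Internet Files or temp directories, unnamed, or not resolvable at all. The embedded .reg text, its CLSIDs and paths are constructed to mimic the registration the post describes; the `reg export` commands in the docstring are standard Windows `reg.exe` usage.

```python
r"""Triage: list Internet Explorer browser helper objects from a registry export.

Added example, not Websense's analysis or the post's own. A BHO is a COM object
that IE loads into every browser session; it is registered by CLSID under the
key below and resolved to a DLL through HKCR\CLSID\{clsid}\InprocServer32.
This works offline on the concatenated text of:
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" bho.reg
    reg export HKCR\CLSID clsid.reg
SAMPLE_REG is constructed, with made-up CLSIDs and paths, to mimic a machine
after the dropper described in the post has run.
"""
from typing import Dict, List

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
SUSPICIOUS_DIRS = ("\\temporary internet files\\", "\\local settings\\temp\\", "\\appdata\\local\\temp\\")

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000AAAA-1111-2222-3333-444455556666}]
@="Adobe PDF Link Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000BBBB-1111-2222-3333-444455556666}]
"NoExplorer"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{0000AAAA-1111-2222-3333-444455556666}\InprocServer32]
@="C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{0000BBBB-1111-2222-3333-444455556666}\InprocServer32]
@="C:\\Documents and Settings\\victim\\Local Settings\\Temporary Internet Files\\Content.IE5\\K1Z3Q9\\vidplayer.dll"
"ThreadingModel"="Apartment"
"""


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: {key path: {value name: data}}, '@' being the default
    value. Unescapes quoted strings (\\ and \") and keeps dword: data verbatim;
    enough for triage, not a general-purpose reader."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_bhos(keys: Dict[str, Dict[str, str]]) -> List[dict]:
    """Cross-reference each registered BHO CLSID with its InprocServer32 DLL and
    record the indicators a first-pass triage looks for."""
    lower = {k.lower(): v for k, v in keys.items()}
    prefix = BHO_KEY.lower() + "\\"
    findings = []
    for path in keys:
        if not path.lower().startswith(prefix):
            continue
        clsid = path[len(prefix):]
        server = lower.get(f"hkey_classes_root\\clsid\\{clsid.lower()}\\inprocserver32", {}).get("@")
        reasons = []
        if server is None:
            reasons.append("no InprocServer32 entry: CLSID does not resolve to a DLL")
        elif any(d in server.lower() for d in SUSPICIOUS_DIRS):
            reasons.append("DLL loaded from a browser cache or temp directory")
        if not keys[path].get("@"):
            reasons.append("BHO has no descriptive name")
        findings.append({"clsid": clsid, "name": keys[path].get("@", ""), "dll": server, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_bhos(parse_reg(SAMPLE_REG)):
        flag = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{flag:10} {f['clsid']} {f['name'] or '<no name>'} -> {f['dll']}")
        for reason in f["reasons"]:
            print("           -", reason)
```

Location is a coarse indicator, not proof: a legitimate installer never leaves its DLL in the browser cache, but malware can just as easily drop into System32, so the next step is to hash the flagged DLL and check its signature rather than trust the path alone.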

We’ve been seeing various methods of phishing scams being perpetrated that exploit the topicality of the presidential campaign, but this one is particularly outrageous for the blatancy of its lies. It almost obliterates ethics in its stupidity. The message is so obviously untrue, yet it attempts to gain a measure of credibility by associating itself with a real person/event. It almost doesn’t matter that it is discrediting Obama. It could just as well be promising free jewels.

We’ve seen it before. Any item in the headlines – a natural disaster or celebrity disaster, say — draws out the malicious exploiters intent on capitalizing on people’s natural proclivity to be empathetic, or their being susceptible to voyeuristic opportunities.

While the Red Cross solicits funds for victims of hurricanes, ruthless parasites get in on the action to redirect the well-intentioned, or the bored.


Filed under: Email Security, Groundbreakers and newsmakers, Phishing, Spam, Trojans

A career survey worth responding to

Posted September 5, 2008

As the field of information security continues to evolve into, well, a true field, many professionals are starting to ask themselves: How should I be approaching my career?

A new (fairly vendor neutral) survey seeks to answer that. Created by executive recruiter Lee Kushner, independent infosec professional Mike Murray and Max Kilger, senior member of the Honeynet Project, the 63-question survey is meant for security workers of all skill levels.

“The benefit of it is getting a true sampling of the industry,” Kushner told me this week. “It’s not going to be people who have the same career goals in mind.”

The purpose, he said, is to get an overall handle on how information security pros are managing and investing in their careers (certs, degrees).

It’s easy to look at this as just another survey, but I think these career-oriented ones are particularly important because there is a lot of confusion out there. In fact, SC Magazine undertook a similar endeavor in June with our 2008 Salary and Career Survey.

“The competition for the best positions out there is definitely increasing,” Kushner said. “A lot of people are having a hard time figuring out how to climb the ladder.”

If you want to participate, the survey can be found here. It closes Jan. 15, 2009.


Filed under: Industry reports, Legal and professional services
