The SC Magazine Newsteam Blog

Will 2009 bring a federal data breach notification law?

Posted December 30, 2008 | Comments (0)

It’s been more than five years since California’s pioneering SB-1386, which requires companies that lose customers’ personal information to notify them, took effect. Since then, about 45 states have followed suit.

But still no federal law. (To find out why, perhaps it would be wise to ask those five hold-out states why they haven’t approved similar legislation).

It’s not that Congress hasn’t tried. Over the past few years, a number of bills have circulated through the two houses. But none has found its way to the president.

When President-elect Obama takes office, there surely will be renewed optimism that such a law could get the green light. After all, the Illinois senator seems more interested in cybersecurity than President Bush - and he’s receiving detailed guidance from the Commission on Cybersecurity for the 44th President.

But, corporations and consumer-rights advocates will continue to wrangle over what the threshold should be to report. And, remember, Congress will be busy. There’s that whole worst-economic-climate-in-80-years thing to deal with.

I’m thinking we’re going to have to wait until 2010. Of course, another TJX just may fast-track a federal data security bill right to the Oval Office.

One thing is for sure, though: Creating a nationwide law will standardize and, as a result, simplify the reporting process for companies that experience a breach. And as we all know, it’s not “if” but “when” you’ll be drafting that “We lost your Social Security number” letter to consumers.



Filed under: Breaches, Consumer threats, Government, Privacy

Thank you for the e-holiday card, I think…

Posted December 19, 2008 | Comments (1)

I have a surefire way to gauge the state of the economy: Count how many holiday cards I receive in my office mailbox.

Two years ago, plenty. Last year, a whole lot. This year, not so much.

Most of the cards I receive here at the offices of Haymarket Media in New York come from PR agencies with whom I deal on pretty much a daily basis. This year, a majority are opting to send their warm wishes (A.K.A. - keep writing stories about our clients) to my inbox.

It’s gotta be the economy. Why shell out 42 cents (and the cost of paper) to send a letter when you can do it for free over the internet?

But with all this Christmas goodwill comes a real risk: Some of these e-greeting cards are actually fakes, containing an embedded trojan or a link to a malicious site.

Now, that’s not to say the rogue cards are coming from my PR contacts (although I was kind of - shall we say? - short with a few of them over the course of the year).

But there are lots of others out there looking to take advantage of our instinct to open a card. This is a threat worth paying attention to. And, as email security firm Commtouch will tell you, these socially engineered cards are becoming more and more real looking.

Kind of makes me yearn for the good ‘ole days of greeting cards I could touch. But then, there’s that whole recycling thing to worry about.


Filed under: Uncategorized

When Facebook and Internet Explorer go dark…

Posted December 16, 2008 | Comments (0)

Each and every day, we write about the latest IT security news - and often our connection to the story ends right after we hit “Publish” in our CMS.

However, this week, the SC Magazine editorial team - as well as the hundreds of other employees of our publishing parent, Haymarket Media - are witnessing firsthand how potentially serious cyberthreats can be.

That’s because so far this week, we have received two separate emails from IT, one warning about a virus outbreak believed to be emanating from Facebook and MySpace, the other about the wicked Internet Explorer zero-day.

As a result, IT has recommended users browse the web on Firefox only until Microsoft issues a patch. (Considering the extent of this exploit, the fix might come before next month’s regularly scheduled security update).

OK, no big deal, I use Firefox anyway because I find it’s more stable on my work PC.

But it was the other email that is really going to hit home. IT has blocked access to Facebook and MySpace until our London offices contain the problem.

If you just heard a scream, it was me.

Now, one would think that because I write about this stuff, I might be more understanding of the defense strategies that must be applied to remediate malware occurrences. After all, I knew exactly what IT was referring to in those emails.

But nope, I’m in serious withdrawal. Need my Facebook. (To bosses reading this: I only log onto Facebook while eating lunch. I swear).

Oh, well. IT has assured me that access to the popular social-networking sites should be returned to the good graces of our whitelist in short order.

And I always have my web-enabled cell phone if the urge gets really overwhelming.


Filed under: Browser flaws, Consumer threats, Mobile and Endpoint Security, Patch Management, SC Magazine, Vulnerabilities, Worms

Apples and oranges

Posted December 4, 2008 | Comments (0)

This had to tick off a lot of people: I read this week that convicted New Zealand bot herder Owen Thor Walker, 19, did not receive any jail time for his lead role in a major botnet operation that involved at least eight Americans.

Instead, a judge gave him a fine, despite Walker admitting to running a botnet that compromised upward of a million computers. (By comparison, Robert Alan Soloway, who was charged in a similar FBI investigation, received a 47-month prison sentence).

Authorities in New Zealand defended the judge’s decision by saying:

“The worst thing that society could have done was put him in jail, where his mind would have been corrupted,” Maarten Kleintjes, head of e-crime at the New Zealand Police, said during an interview on New Zealand’s 60 Minutes show, according to an IDG News Service story.

While that may have been true, this type of mentality absolutely diminishes what law enforcement across the world is trying to do to stem the pervasiveness of botnets.

If cybercriminals know they’ll get off the hook because they are too smart to go to jail, then — I’ll just take a wild stab at this one — they’re going to keep doing it until they get caught.

Now, by all accounts, Walker may be far more gifted than most crooks associated with botnets. And, according to the story, he’s currently working on the right side of the law, with a software company.

But still, this certainly sends the wrong message and only works to deter what is needed: A cooperative effort among back-end providers, ISPs, enterprises, law enforcement and end-users to eliminate bots and all they’re capable of, namely spam, DDoS attacks and information stealing.

If you do the crime, expect to do the time. Even if that means trading in your laptop for prison garb at the door.

** What is up with Apple’s flip-flop on its support note that recommended Mac users install anti-virus software?

First, Cupertino says users should deploy AV, then the company removes the note, calling it “old and inaccurate.”

My money is on this: Lots of media outlets picked up the story of Apple quietly encouraging users to install AV. That surprised the computing giant. They didn’t want potential customers to start thinking that Macs weren’t as safe as they have been made out to be.

So Apple, sensing a possible impact on its computer sales, decided the best way out of the problem was to remove the document and pretend like it was never there to begin with.

But with the sales of Macs rising and more malware writers taking notice, Apple will have to do something other than roll over and play dead the next time the conversation of AV comes up.

Something, soon, will have to give. Communication will be key.

*** All of us here at SC Magazine are counting down the minutes - literally, just check out the home page - until our inaugural, two-day SC World Congress kicks off next week at the Javits Convention Center in New York.

So far, the response has been great. Since this is our first event of this kind, there is certainly an air of anxiousness and tension, but considering our strong speaker list, we are confident the show will be a huge success.

It promises to be quite the event, with the goal of providing attendees with as much practical advice as they can carry out of the conference center doors.

If you can’t join us, please follow along with the latest news, photos and videos at SCMagazineUS.com.


Filed under: Apple, Consumer threats, Lawbreakers, SC Magazine

Placing an IT security idea into an incubator

Posted November 20, 2008 | Comments (0)

In today’s sophisticated threat landscape, innovation is a critical component to an effective defense strategy.

That innovation typically comes to bear at the tiny technology companies, whose goal, in most cases, is to create that next big thing, so the firm can go public or get acquired.

But with the economy in ruins, investors are growing increasingly wary of taking chances with their money. As a result, the funding needed to support startups - in our case, those focused on IT security - is drying up ever so quickly.

According to the Arizona Republic, venture capitalists nationally invested $7.1 billion in 907 deals this year compared to $7.8 billion in 981 deals last year.

So it was certainly good news to hear this week of plans by the University of Texas at San Antonio to launch an incubator inside its Institute for Cyber Security.

It works sort of like a hospital incubator might for a premature baby - IT security firms that face challenges preventing them from launching on their own can turn to the incubator to “fast track their product development efforts and expedite time to capital, market and profitability.”

In return, participants must agree to “significant collaboration” with university staff.

While the incubator only stands to help a few companies at a time, hopefully it will encourage other universities to embark on similar missions. For more information, visit here.


Filed under: Consumer threats, Education, Emerging threats, Product news

Bill Gates was right about spam going away, if only for a week

Posted November 14, 2008 | Comments (1)

Spam filters, junk mail folders and honeypots across the globe got a much-needed respite this week after a Northern California-based web hosting firm - McColo - was taken offline by a pair of its upstream internet service providers.

Few people have ever heard of McColo, but apparently this small Silicon Valley tech company was providing connectivity to countless groups of shady cybercrooks. It’s doubtful McColo was in on the scam, but when it was shut down, security pros saw an estimated two-thirds to 75 percent drop in the amount of spam circulating around the world.

Practically every major security company noticed the stunning decline and made mention of it in research posts and blogs. But practically everyone also agreed that this likely was only a flash-in-the-pan-type victory against the spread of unwanted (and often malicious) messages.

Some experts have predicted the amount of spam would soon begin creeping back upward, with numbers returning to normal levels by the holidays, just in time for the traditional influx of fake e-greeting cards and the like.

While botnet herders will quickly find a new host to which they can connect their command-and-control centers, this news shows that companies who provide access to these crooks, especially if they are based in America, won’t be tolerated.

Many companies such as McColo and Atrivo/Intercage - which met a similar fate earlier this year - will play dumb as to the types of operations they are supporting.

But the fact is, going after these enablers who are turning a blind eye to the motives of their customers seems to be the most effective solution anyone has come up with yet to stop the spread of junk mail.

There is plenty of reason for cautious optimism, though. As long as there is money to be made, criminals will find a way. So maybe Bill Gates’ prognostication will never come true.


Filed under: Consumer threats, Email Security, Lawbreakers, Phishing, Spam

More rogue than ever before

Posted October 31, 2008 | Comments (0)

Lately, it seems everything’s (and everyone’s) been going rogue.

You might be most familiar with claims by an aide of Sen. John McCain that GOP vice presidential candidate Sarah Palin is going rogue and instead concentrating on her own run for the president in 2012.

But, when faithful readers of SC Magazine hear the word “rogue” - especially of late - they likely immediately think of rogue anti-virus software, the au courant way to steal money off unsuspecting victims.

It seems many of the recent malicious payloads are fake pop-up warnings alerting users their computer is infected with viruses. To fix the “problem,” they must pay - usually $40 or so - to purchase the attacker’s rogue AV solution.

Except it fixes nothing.

Cybercrooks appear to be dropping traditional keylogging and phishing attacks in favor of preying on the fear factor. After all, fear is in the air.

The way they figure, why not have the victim send money directly to them instead of going through the often challenging process of stealing it from them.

Makes sense to me. So until users catch on to this growing trend, the criminals are going to keep doing it.

Protect yourself by protecting yourself. If you know you’ve got the latest real anti-virus product running, then you can safely ignore any pop-ups telling you otherwise.

(BTW, we’re going to host a podcast Monday with researcher Joe Stewart of SecureWorks on this very topic, so please be sure to listen starting next week).

With that said, it’s getting near 5 p.m. EST on Friday. Almost time for me to go Rogue.

Actually, that’s go to Rogue - this publishing company’s favorite watering hole on 6th Avenue between 25th and 26th streets in New York.

Talk to you next week. And remember to vote!


Filed under: Consumer threats, Phishing, Trojans

Out-of-cycle fix underscores fundamental change in Microsoft patching process

Posted October 24, 2008 | Comments (0)

It wasn’t too long ago that Microsoft bore constant criticism for its lack of transparency regarding security vulnerabilities and subsequent fixes.

One cannot objectively still accuse the software giant of similar evasiveness.

Nowhere has this change in approach been more evident than Thursday’s unexpected out-of-cycle patch for a Windows Server service vulnerability. Immediately following the issuance of the fix, Microsoft staff wrote posts on not one, not two, not three, but four different Microsoft blogs. You can find them here.

That’s not to mention the webcasts - Microsoft added two on Friday because of popular demand - where end-users could hear specifics about the major flaw.

Certainly this was an urgent matter that companies across the globe needed to be aware of and act on quickly to prevent the possibility of a major internet worm a la Nimda, Code Red and Blaster.

And Microsoft realized that corporations would have a lot of questions - why did Microsoft rush this fix? How did this one get past the secure code team? Which Windows versions are most affected? What do the active attacks look like - and the software giant did its best to provide answers.

They should be commended, especially on the heels of the first-ever round of Patch Tuesday bulletins that included an Exploitability Index, by which users can measure the likelihood of the vulnerability in question being exploited.

Needless to say, Thursday’s out-of-cycle fix aimed to correct a gaping hole that could have been consistently exploited.

And thanks to Microsoft’s candor, not only are businesses patching before anything got out of hand but they are patching with an understanding of what and why they’re patching.

And information is power, after all.


Filed under: Microsoft, Patch Tuesday, Vulnerabilities, Worms

Was the World Bank successfully hacked?

Posted October 10, 2008 | Comments (0)

Fox News, in an exclusive, says yes.

Citing some unnamed sources, Fox reported Friday that the World Bank, which provides financial assistance to developing countries, has had some 40 servers compromised and an unknown amount of personal data stolen.

The bank, however, denies this, saying no sensitive information has been hijacked and that most businesses suffer attempted hacks, so this is nothing out of the ordinary.

I think the truth lies somewhere in the middle. It sounds as if attackers may have been targeting the venerable organization in much more sustained ways than your average business might see. But it also is likely that no major breach has occurred.

We’ll have to see what comes of this.

But a general takeaway: Monitor your network for suspicious activity. Whenever we hear about a mega breach, the attackers, it seems, were able to go about their business without disturbing a soul.


Filed under: Breaches, Finance

Really!?!

Posted October 3, 2008 | Comments (0)

When I wrote this week about the breach at the University of Indianapolis, in which the personal data of some 11,000 students, faculty and staff was potentially compromised by hackers, I couldn’t help but think about that SNL Weekend Update skit called “Really?!”

It’s a hilarious segment where Amy Poehler and Seth Meyers make fun of famous people for lacking common sense.

Well in the case of this breach, I was just shaking my head when I read a quote from University President Beverley Pitts:

Our investigation leaves no doubt that this was a professional job from outside, and it was well beyond our control.

Really, Beverley!?! Beyond your control.

OK, first of all, the University of Indianapolis should be lauded for no longer using Social Security numbers as identifiers, something the federal government is currently evaluating itself. (It appears, in this case, the hackers lifted old credentials that were still floating around in some database).

And yes, colleges face bigger IT security challenges than a lot of verticals, due to their open environments, limited budgets and sometimes inexperienced staff.

But - to say it was beyond your control, in 2008, considering all the awareness and all the headlines and all the security solutions, is just plain senseless.

Maybe it was a poor choice of words, Beverley. But if you get breached, admit that there was a shortfall somewhere in your baseline and then immediately work on rectifying it so that it never happens again.

Don’t proclaim helplessness.

Really!?!


Filed under: Breaches, Education, Uncategorized
