Dramatic Spike in URL Shortening by Scammers

Back in May I wrote "Dirty URL Tricks" about the increasing risk presented by the rise of URL shortening services like Bit.ly and TinyURL, driven largely by short messaging services like Twitter.  I closed the article by predicting that scammers were going to start aggressively exploiting these services as a means of masking their malicious URLs.

Judging by the dramatic spike in URL shortening service usage by spammers and phishers the following month, I'd say that the entire scamming community must be reading my blog.  However, since I'm quite in tune with the number of readers I have, and I'm fairly confident that spammers number well above those single digits, I can't really back that up with figures.

But, regardless of the trigger, there is little doubt that spammers and phishers have had the inevitable epiphany, and are now very aggressively utilizing these free shortening services in an attempt to further obfuscate the malicious nature of links they are sending via email.

Consider the following graph, which illustrates the rise of URL shortening techniques in spam, courtesy of the folks at MessageLabs: 

Over 90% of all email is spam.  It is more critical than ever for end users to be wary of clicking any link whose destination they cannot practically verify before landing on the target website.  URL lengthening services, such as LongURLPlease and shortText, are emerging to fill that need, but the long-term fix is for users to appreciate the dangers of blindly clicking links sent to them in email and other communication channels.

Back Online

Took longer than I expected for ComCast to bring my business-class Internet connection into the house, but I'm back online as of tonight.

Oh, and for the record, my Chrysler transferred my data at the rate of 230Kb/s.  It would have been faster, but the 98mph speeding ticket I got on the way through Colorado spooked me for the rest of the trip.  I spent the rest of the drive going about 5mph over the speed limit.

Going dark for a few days

The blog will be dark for a few days while I transport my server and accoutrements from Oklahoma to Seattle, and get it set back up. I'll calculate and publish the data transfer rate of my Chrysler 300C upon my arrival (yeah, it's got a Hemi).

Ten Habits of Highly Effective InfoSec Leaders

I have been doing a lot of thinking lately, given the state of the economy and some of the discussion I've had with many of my colleagues.  What I've come to realize is that I have taken a different approach than many of my colleagues when it comes to leadership and Information Security.  It's well past time to reinvent the information security field, and reverse the impression that we are the Ministry of No, and the buzzkills that are constantly looking to shut down everyone's chat.  Our role is so much more than that. Too often we paint ourselves into that corner because we are unwilling or unable to engage the organization at a higher level, or learn how to make the business function better.

Given the landscape of the past and the changes due to economics, a successful infosec leader must do the following things, and do them well, to cultivate a healthy information security program that will support and align with the business:

Communicate to the business about the business 

When we started, years ago, we most often looked for the most technical person in the room for senior [information security] positions, and now we're finding that we're replacing those technical execs with execs that truly understand, and can take a holistic approach to, risk.  What we're finding in the jobs that we're filling, not just at the C-level, but at many levels, is that they're asking us for folks that really understand how to communicate effectively to the board.  -Joyce Brocaglia, Alta Associates, RSA 2009

Risk is the language of business, and if you cannot communicate risk to the powers-that-be in your organization, your infosec program (and career) will never evolve.  You will never be invited to the table if you cannot demonstrate that you belong there by helping them make critical business decisions.

Businesses manage risk, day in and day out.  What is the risk of investing in a new product line?  What is the risk of leaving out Feature X until Version 2?  What is the risk that the $10,000 investment in the new marketing campaign won't result in an uptick in new business?

If you learn how to quantify risk, you will never be accused of trying to scare the business into buying needless security widgets (the Chicken Little syndrome), and you will be able to justify the investments that make sense for the business.

Never let "it's a best practice" be a justification for a security initiative
"Best practice" is an excuse, not a justification.  Best Practices are what you resort to when you don't know what the right thing for your business is. The company isn't in the business of aligning its security program with industry best practices.  The company is in the business of selling widgets.  How many more widgets will the company sell if they implement your suggestion?  Is some significant risk reduced by implementing the suggestion?  These are the arguments that will allow the business to say Yes. 

Never say "No"
No is rarely an acceptable response to someone communicating a requirement.  Someone's secretary wants to access Facebook during lunch?  "No" isn't going to get you anywhere.  How about "Sure, we can do that, but given the various threats coming from Facebook lately (demonstrate some), we'd be wise to implement some additional protections around that traffic."  I bet you can leverage that secretary's lunch desires to reduce her rights on the system, which kills 2 birds with one stone.  Or, if the organization isn't willing to spend the money on the necessary controls, you can go back to the secretary and let her know that you went to bat for her but failed.  Either way, you're the guy that tried to help, not the bad guy who just said "No".  Chances are, she'll come back to you the next time she wants to do something risky.

No doesn't make you friends.  "So what, I'm not here to make friends, I'm here to secure the enterprise," I hear some of you say.  Well, your job will be orders of magnitudes harder if you are viewed as an obstacle that must be overcome, rather than a friend of the business.  How many groups will invite you to the conversation when all you do is burden them with costly and time-consuming controls and processes?  Which brings me to...

Be approachable
Encourage dialog.  Reach out to end users.  Introduce yourself to business owners, solicit their opinion on things, and ask them what their challenges are, how they work, and their perspective on information security.  Learning what the end users really think rather than what you assume builds a relationship of shared ownership.  The result is allies who will help you sell future initiatives.

Don't let the first contact with your end users or business owners be only after you have discovered a problem.  Integrate yourself into the onboarding process.  5 minutes spent in a new hire orientation, introducing the infosec organization, and going over basic guidelines will make a night-and-day difference in the attitude end users will have of you and your program.  Sharing with them why security is integral to the business and making it personal will give them motivation to support information security on an ongoing basis.

Conduct brown-bag sessions on security topics.  Make them short.  15 minutes is my target, with questions for however long they need.  Record them, if you can, so you can distribute them via intranet to people at other sites or who couldn't make it to the live show.

Speaking of which...

Learn to talk like a human being
If you have a conversation with 99.999% of the population on this planet, and you toss out words like "AES256" or "Diffie-Hellman", you will not connect with your audience.  All you are doing is confusing your audience, at best, and probably alienating them.  End users don't need to know how the sausage is made, only that they have ready access to sausage and that It's A Good Thing(tm).  You can go into a little more detail during Brown Bags, but be clear about the level of technical depth of the talk, so you will hopefully get an appropriate audience.  But I would argue then that you should be spending time on topics that will reach a larger portion of your user population.

What you *can* do, however, is...

Blow your end users' minds from time to time
End users get complacent about their computer usage habits.  Always have a small collection of ready-to-roll, easily demonstrated exploits in your bag of tricks, even if they have long since been fixed.  Maybe it's a virtualized image of a poorly patched Windows box that you can bring up at a moment's notice.  Doesn't matter.  Demonstrating the sneakiness of attackers is often an eye-opening experience for your end users.  I once orchestrated a demonstration of a chromeless window exploit to a group of system admins, and their mouths all dropped.  Demonstrations like that tend to re-engage your users, and remind them that they are a critical part of the company's security posture.  That's a win for you.

Cultivate your reputation
Develop a reputation for protecting the business.  Understand the risks of the changes you are proposing and work diligently to reduce them.  Even if the company doesn't have an official change management program, you should.  Even if it's just yourself.  I can count on my hand the number of times a security control under my purview has negatively impacted the business' ability to operate.  Availability trumps security every single time, and those security controls will get ripped out if they impact the business' ability to operate.

Develop a reputation for being a straight shooter.  The business needs to know it can count on you for a fair and accurate assessment of risk, countermeasures, controls and technology.  Also ensure that you include ancillary costs (personnel, OS licenses, etc.) associated with solutions you propose, to minimize having to go back to the well for more funding than what the business owners originally approved.  The business needs to trust that the solution you've proposed can be realized with the financial outlay you've indicated.

Develop a reputation as a problem solver.  You want business units to approach you with problems, and ask for help solving them, rather than route around you with a solution they know is poorly considered.  See above guidance regarding "no".  You need to be seen as a business enabler, not an obstacle that must be continually overcome.

Develop a reputation for being pragmatic.  Don't blindly follow the industry.  Reevaluate your beliefs, frequently.  If the password policies don't make sense, change them.  Ignore best practices if they don't fit the realities of the business, even if it means bucking an auditor in the process.  Mold the information security program to the needs of the business.

Understand that robust security begets compliance, not vice versa
If you have a solid information security program, you will not have to worry about audits or regulatory compliance exceptions, because you are 99% there on most compliance obligations your company is likely to have.  That does not mean implementing every suggestion from NIST or similar bodies of infosec standards.  Remember, "best practices" are recommendations for what to do if you don't otherwise know what's best for your business.  If you blindly implement controls and processes to satisfy your PCI audit, for instance, it doesn't mean your business is secure.  Secure your business, and compliance will be trivial.

Befriend your auditors
If you have an adversarial relationship with your auditors, internal or external, you're doing it wrong.  Your auditors are partners.  They help you measure (and demonstrate) improvements you are making to the business, and help you justify investments in additional areas.  If you have a healthy relationship with your auditors, your audits will go more smoothly and they'll be out of your hair quicker.  An adversarial relationship with your auditors will only result in them looking harder and longer for cracks in your program, and every hour they spend doing so costs your business money.  Once the auditors develop confidence in your program, and understand that they can't run up the bill generating finding after finding, they'll be motivated to complete their report and move on to the next engagement.  Reducing your company's annual audit bill is a fantastic way information security can contribute to the company's bottom line.

Contribute to the InfoSec Body of Knowledge
The information security profession relies heavily, perhaps more than most other fields, on information sharing and peer review.  You should be writing; be it articles, blog postings, or contributing answers to questions posted in online forums.  A good infosec leader should be continually contributing to the InfoSec Body of Knowledge, even if the contributions sometimes seem trivial.

Show up at local infosec events, and speak at one at least once a year.  One thing you should take away from the other habits listed above is that your communication skills are critical to being successful in the information security field.  Hone them, exercise them.  If you are not an effective communicator, you will not be an effective information security leader.

In conclusion
This isn't the same business many of us were introduced to when we started our infosec careers.  For example, the CISO role didn't even exist when I entered the business, and it is being redefined constantly.  Hard economic times have put increased pressures on all business units within a given company to innovate and bring new ideas to the table about how to make the business run better.  By aligning yourself with the organization's larger goals, and adopting the strategies outlined here, you will help Information Security transcend the stereotypical roles and evolve into a business unit that has true and measurable impact on the success of the business.  And that's a win for everyone.

InfoSec in the Courts

Some interesting infosec cases coming up in court cases recently.

Last month, the Supreme Court agreed to hear a case challenging the constitutionality of the Sarbanes-Oxley Act of 2002 (aka SOX).

More recently, Wired reports that Merrick Bank is suing PCI QSA Savvis for giving Card Systems a passing grade on a PCI audit just 3 months prior to Card Systems getting hacked and ultimately exposing 40 million credit cards to the intruders.  The breach cost Merrick nearly $18M to fend off the resulting fraud, settle claims, and replace compromised cards.

While SOX has been a driver of security investments in the years since it was enacted, it is clearly overburdensome for most companies, and misses its goals in a number of areas.  There is general consensus, even in the security industry, that it should go.

The jury is still out on the Merrick/Savvis PCI case, however.  If Merrick is successful in its bid to attach fault to Savvis for giving Card Systems an improper passing grade on its PCI audit, that will send a chill down the spine of most security staffs.  PCI audits are onerous enough already, and I'd hate to think how much time and expense we're going to have to expend on them after the QSAs figure out they can be sued if they miss the tiniest detail.  And it's still a point-in-time certification.  Just because an org is PCI-compliant today, doesn't mean they won't silently fall out of compliance tomorrow.  Are QSAs going to demand recurring audits of the environment throughout the year to satisfy their own legal teams that the client is still worthy of a passing grade?  It's a slippery slope, to be sure.  I don't like the direction we're headed on this one.

Prevention eventually fails. What's your plan?

A recent study conducted by British Telecom claims that 94% of the companies they polled expected to suffer a compromise sometime in 2009.

I guess companies are finally acknowledging one of Information Security's most sacred truths:  Prevention eventually fails.  I first heard this truism while reading Richard Bejtlich's fantastic book The Tao of Network Security Monitoring.  In it, he claims that preventive controls are doomed to eventual failure due to 2 factors: Some intruders are smarter than the people securing the systems, and intruders are unpredictable.

These sobering facts recently prompted InfoSec pioneer Dan Geer to comment in an interview:

[...]the world we live in now is one where the rate of change is so great it is hard to develop a skilled craft because by the time you do, the problem set has moved on.

I think information security is quite possibly the most intellectually challenging profession on the planet. For that reason that what was true yesterday may not be tomorrow. In information security in particular, the rising fraction of R & D that is done by the opposition, and is funded by the opposition by its own revenue, is quite fascinating and makes things very difficult. At the same time, have we made progress? Sure. But the challenging aspect to this continues to be this rate of change and the degree to which you need to be on your toes all the time.

So, given that you will, eventually, suffer a breach, what's your plan?  You *do* have an incident response plan, don't you?  If you thought you had a 94% chance of getting into a car accident, you'd plan for that eventuality, wouldn't you?

If you don't have an Incident Response Plan, NIST Special Publication 800-61, originally published in 2004 and refreshed last year, is a great place to start, and is considered required reading by most InfoSec practitioners who have accepted the reality that prevention eventually fails.

Dirty URL Tricks

I've preached for years the need for users to heavily scrutinize any URLs in emails they receive, especially in emails from financial institutions.  As applications and operating systems get more and more secure, hackers are increasingly relying on tricking end users into clicking a hostile link or otherwise actively enabling the compromise of their own systems.

Traditionally, one of the mechanisms you can use to determine that an email is a phishing attempt is to scrutinize the link or button the email wants you to click.

For instance, you can hover your mouse over this http://www.Visa.com link, and determine pretty easily that it actually takes you to www.ClickHereToGetOwned.com.  Right?  Just say "Right!" for me.

But what if the link looks like this? tinyurl.com/ozn4lm.  Clicking that link will also take you to the Click-Here-To-Get-Owned site, but it passes our usual sniff test because the redirection to the malicious site happens on TinyURL's end.

For those unfamiliar with TinyURL (go ahead and click, it's OK), it's a free service that allows anyone to shrink an obnoxiously-long link to something shorter so that it survives emails and other communication mechanisms that do unkind things to links that exceed one line in length.  The explosion of Twitter, which has a hard cap on the number of characters you can send in a single message, has dramatically increased the use of URL shrinkers.

But it also enables a phisher to obfuscate the true destination of a given link in a way that is not mitigated by the guidance we've been giving people for years.  TinyURL in particular has become nearly ubiquitous, which leads to complacency when a potentially hostile TinyURL link arrives in email or Twitter.

Thankfully, TinyURL does allow users to preview the location of a given URL to allow users to see where they will end up if they click it.  If you allow cookies, you can even set TinyURL to *always* bring up the preview of the URL before it takes you to the destination.  Good on them.

But there are other URL shrinking services that don't offer such protections.

Besides, what if your URL looks like this:

Don't laugh, it's a URL in the style of an Aztec barcode, and if you have a handheld device, like an iPhone, chances are you can consume it using your device's camera and send your device's browser to only-god-knows-where (in this case, the Wikipedia page for Aztec barcodes).  Airlines are using them increasingly to send check-in information to airline passengers' mobile phones.

Or how about this one:

This is a format currently being pushed by Microsoft, called HCCB, or Microsoft Tag.

As URLs continue the trend towards machine-readable, and away from human-readable, their potential for abuse by phishers and other malicious actors will only increase.  It's up to the users to scrutinize the inbound communications they receive, including the context, and only click on URLs that they can realistically trust.
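The two checks this post and the earlier "Dramatic Spike in URL Shortening" post describe, hovering to compare the visible link text with the real destination and previewing where a shortener link actually lands, can both be automated on the receiving side. The script below is an added example written for this page; it is not code from the original post or from TinyURL or any lengthening service. It extracts every link from an HTML email body, flags anchor text that names a different host than the real destination, and expands shortener links one HTTP redirect hop at a time (HEAD requests, never following automatically) so the destination is known before anyone clicks. The shortener host list, the sample email, the `.example` hostnames and the fake redirect table are all constructed for the demonstration; `head_location` is the real fetcher you would pass in place of `fake_fetch`.

```python
"""Inspect links in an HTML email body: compare visible link text with the
real destination, and expand URL-shortener links hop by hop before anyone
clicks.  Added example; shortener list and sample data are constructed."""

from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import http.client

# Assumption: a small hand-picked set of shortener hosts; extend as needed.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "is.gd", "t.co"}


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a href> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Lower-cased host with a leading 'www.' removed; '' if unparseable."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def looks_like_url(text):
    """True when the anchor text itself reads as a URL (e.g. 'www.Visa.com')."""
    return "." in host_of(text) and " " not in text


def head_location(url, timeout=5):
    """Real fetcher: one HEAD request that never follows redirects itself.
    Returns the Location header of a 3xx response, otherwise None."""
    p = urlparse(url)
    conn_cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(p.netloc, timeout=timeout)
    try:
        path = (p.path or "/") + ("?" + p.query if p.query else "")
        conn.request("HEAD", path, headers={"User-Agent": "link-inspector"})
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()


def expand(url, fetch, max_hops=5):
    """Walk the redirect chain using fetch(url) -> next URL or None.
    Raises ValueError on a loop or on more than max_hops redirects."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = fetch(chain[-1])
        if not nxt:
            return chain
        nxt = urljoin(chain[-1], nxt)  # Location may be relative
        if nxt in chain:
            raise ValueError("redirect loop via " + nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects" % max_hops)


def inspect_email(html, fetch=head_location):
    """One finding per link that goes through a shortener or whose visible
    text names a different host than the resolved destination."""
    findings = []
    for href, text in extract_links(html):
        reasons, chain = [], [href]
        if host_of(href) in SHORTENER_HOSTS:
            try:
                chain = expand(href, fetch)
                reasons.append("shortener expands to " + chain[-1])
            except ValueError as exc:
                reasons.append("shortener chain not resolvable: %s" % exc)
        if looks_like_url(text) and host_of(text) != host_of(chain[-1]):
            reasons.append("text says %s but destination is %s"
                           % (host_of(text), host_of(chain[-1])))
        if reasons:
            findings.append({"href": href, "text": text, "chain": chain,
                             "destination": chain[-1], "reasons": reasons})
    return findings


# Constructed sample email and redirect table, so this runs with no network.
SAMPLE_EMAIL = """
<p>Verify your card at <a href="http://www.clickheretogetowned.example/login">http://www.Visa.com</a></p>
<p>Or use this short link: <a href="http://tinyurl.com/abc123">tinyurl.com/abc123</a></p>
<p>Our site: <a href="https://www.example.com/">https://www.example.com/</a></p>
"""
FAKE_REDIRECTS = {
    "http://tinyurl.com/abc123": "http://redirector.example/r?x=1",
    "http://redirector.example/r?x=1": "http://www.clickheretogetowned.example/login",
}


def fake_fetch(url):
    return FAKE_REDIRECTS.get(url)


if __name__ == "__main__":
    for f in inspect_email(SAMPLE_EMAIL, fake_fetch):
        print(f["href"], "->", f["destination"], "|", "; ".join(f["reasons"]))
```

Against the constructed email this reports two links: the fake Visa link, because its text names visa.com while the href lands elsewhere, and the TinyURL link, because it passes through two redirects before reaching the same destination. A legitimate link whose text and destination agree produces nothing. Capping the hop count and detecting loops matters in practice, since a redirector that bounces forever would otherwise stall the inspector.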

Me, v3.0

Well, bmonday.com has undergone a number of major redesigns over the years, why not the owner?

There were two reasons for my nearly-2-year sabbatical in Oklahoma.  Officially, the public reason was to reconnect with my family, but the less publicized reason was to reinvent myself.  My 15 years in Seattle had left me solidly in a rut, and one I didn't much like.  The recurring theme in the unpleasant bits of my life was the fact that I wasn't very happy with the man I'd become, outside of a very successful career.  I had gotten complacent in my personal life, and needed to mix things up.  Change of scenery, change of environment, change of personnel.  I needed a hard reset.  I bought a house in Oklahoma, near my family, packed up the cats, and left.

Meet the most important woman in my life over the last year (she's the one without the beard, in case you're confused.  The bearded one is me.):

The twig of a woman standing next to me in the pic is Katie Baxter, a personal trainer at Aspen Fitness of Edmond Oklahoma, and she's been my 3-a-week habit for the last 7 months.  Under her diligent oversight I went from 307lbs to 250.  I went from 35% body fat to 20%.  I shed 58lbs of fat in the time we were together, and put on a couple pounds of muscle just for grins.

Katie is the primary reason I was successful in the remodel of myself.  She provided the accountability, the inspiration, and the encouragement that I hadn't been able to produce organically from within myself.  She committed to me as much as I to her.  If I needed to squeeze in an extra workout session before a trip, she bumped other clients to make a hole for me in her schedule.  We worked out on Thanksgiving day, like it was any other Thursday morning.

The other keys to my success were several:

I put my health above all other things.  Remember the pic of the fridge full of Fat Tire?  The Fridge Full of Win?  Yeah, I still have that.  Still full of Fat Tire, but that Fat Tire is about 4 months expired now, because I don't drink beer any more, except on rare occasions, and never at home.  If you knew me from my Seattle days, you'll appreciate how hard that was.  I leave the beer there to reinforce my willpower, and remind myself of the sacrifices I've made.  It's next to the water pitchers.  I also had to give up my 3-a-day Starbucks habit, which prompted the subsequent shutdown of my local Starbucks (well, they may have had other reasons for closing the store), and angry exclamations of "we thought you were dead!" from the baristas when I crashed the store's wake on their last day.

I ate healthily.  Not healthy, necessarily.  Healthily.  I'll give up beer and Starbucks, but red meat?  That's crazy talk.  I tried to make good choices in meals.  I've had french fries maybe 3 times in the last 7 months.  Lots of vegetables, cut down on the processed foods and empty carbs.  I switched to ground turkey in place of ground beef.  I ate 5-6 times per day, and tried to eat breakfast (usually oatmeal).  I found an energy bar I could tolerate and made sure I was never without one in case a craving hit (Balance Bar, Cookie Dough flavor, for the record).  I had sworn off sodas years prior, but wasn't a big water drinker.  Changed that: I bought 2 Brita pitchers and always had one within reach in my office or living room.  I tried a number of over-the-counter supplements, but they weren't effective for me, so I took a multivitamin daily and nothing else in that regard.

The big key was to put my return to health above all other things.  I once read a sign at a gym in Seattle that said "Showing up is half the battle", and I showed up.  I showed up at our early morning training sessions no matter what.  It didn't matter that I was up until 5am on a scheduled maintenance at work, and got about 2 hours of sleep.  I showed up.  It didn't matter that I stayed up until the wee hours of the morning drinking whiskey diets and smoking cigars with friends.  I showed up.  It didn't matter that I spent the night at a friend's house in Tulsa, and had to drive 90 miles back to OKC to make it to our 8am workout.  I showed up.  I didn't miss a workout for any reason, unless I was deathly ill (once) or traveling.  When I traveled, I juggled my travel schedule to minimize the number of sessions I missed.  In a couple cases, when my travel was unusually lengthy, Katie provided me a workout plan that I could give to a surrogate trainer that I hired at my destination.  I worked out every day.  While Katie could only put up with my antics every other day, I did cardio on my own every single day (twice a day towards the end, once in the morning and again at night to keep my metabolism stoked).  I didn't accept meetings that conflicted with my workouts, and I didn't take my cell phone with me to the gym.  Any emergency that happened at work was simply going to have to wait an hour until I got back from the gym.  My family had to just understand that there were 3 times per week that I was simply unavailable, and they did, even when I was all mysterious about the whole thing in the early days.

I had missteps.  My frequent returns to Seattle, and the socializing with my old friends that inevitably resulted, derailed me more than once.  I remember one particular week-long trip to Seattle, early on in the endeavor, that erased an entire month worth of effort in the gym.  I was crushed, and so was Katie.  That's when I stopped drinking beer.

The results were more than I could have hoped for.  My pants size went from a 48 waist to a 38 (if I don't try to breathe too much).  I went from buying XXXL shirts to buying Large, or maybe XL if I expect shrinkage.  I have to buy new clothes on a constant basis now, as the seasons change and I drag out my seasonally-appropriate clothes only to realize they no longer fit.  I no longer need to shop in Big-and-Tall stores, and can actually wear the swag I get at conferences, which is invariably XL.  Every time I flew back to Seattle for interviews I had to buy a new suit because the one from the month prior no longer fit.

But the biggest result has been what I intended:  I'm happy with myself once again.  I can go out to dinner with my ridiculously-gorgeous friends and not feel out of place.  I'm getting chatted-up in bars by random women, and I carry myself with a confidence I could not have summoned 6 months ago.  I no longer glare at my friends when they want to include me in a photo with their kids.  The profile photo on the home page of this blog was the first photo of me to appear here (aside from the pic of me in pink-bunny-suit drag) and it was a reward to myself after Katie and I hit our first milestone of losing 30 pounds.  When I finish off the 2nd 30 pounds I'll probably be replacing it with a new one.

As I make my return to Seattle I feel like a new man, and that was exactly the point.

Verizon Data Breach Report for 2008, Part 1

Verizon's first report of 2009 is the 4th such report published publicly by Verizon (they have performed 28 such analyses to-date, but only recently decided to go public with them).  Verizon's goal is to release these reports on a roughly quarterly basis going forward.

The report largely focuses on breaches occurring in the 2008 calendar year, but does reference data gathered from prior years.  The 2008 year saw an unprecedented number of records compromised.  Verizon alone responded to breaches representing 285 million records, more than all prior years (2004-2007) combined, and those are the focus of this report.

The Actors
I think we can finally put to rest the “80% insider” myth that has been erroneously thrown about for the last decade or longer.  Verizon's investigations, in fact, showed that nearly 80% of the intrusions were from external sources.  Only 11% of the intrusions were the result of an insider acting alone (an additional 9% of cases involved insiders duped by an external actor into aiding an attack).

A more concerning statistic is the number of breaches that come from partner networks.  While the number dropped somewhat in 2008, more than a third of all breaches were traced back to trusted supplier connections.

Of the 90 breaches analyzed by this report, 22 of them were conducted from Eastern Europe (an increase of 9% over 2007), followed closely by East Asia with 18 incidents (up 15%).  North America was the 3rd-most common source, at 15 incidents.  It is clear that organized crime is a frequent driver of these kinds of breaches, particularly in the Eastern Europe region.  Verizon, in concert with appropriate law enforcement organizations, was able to verify organized crime links in 19 of the 90 cases, and arrests have been made in at least 15 of those to date.

In the cases involving partners, it was nearly always a case where the partner network had been compromised by an external actor who was then able to leverage a trusted connection to extend their attack to the ultimate victim network.  Verizon makes the point, accurately, that organizations continue to struggle with the management of partner connections, and are often ill equipped to monitor or audit the security posture of those trusted networks.  This is a huge opportunity for improvement in most organizations.  Partner connections should be scrutinized heavily, and reconfigured for least privilege and least access.

It's interesting to note, before we leave the subject of 3rd party culpability, that in none of the cases were the systems actually hosted at the partner's site.  It was largely the case where administrative work had been outsourced, particularly in the food-and-beverage and retail segments, where outsourcing of POS system management is common.

The Victims
I was initially skeptical that the dataset analyzed in the report would skew heavily towards the large corporations.  I mean, who calls a major telco for help with a security incident but the deep-pocketed corporations?  Well, turns out, everyone seems to.  Verizon was called in to investigate breaches at companies as small as 1-10 employees, and as large as 100,000+.  In fact, a full 50% of the breaches addressed in this report occurred in companies with 1000 or fewer employees, with fully 1/3 coming from companies with fewer than 100 employees.

There is one area where the data is heavily skewed though, and that is the industries represented by the victim companies.  93% of the records compromised occurred at companies in the financial services space.  Which really isn't much of a surprise, given that's where the bulk of valuable credit card data is being managed.

This does not mean that the financial services industry was the most frequently attacked, however.  In fact, the retail industry was attacked slightly more frequently.  But the financial sector seemed to attract the most determined, motivated, and skilled attackers, and gave up the vast majority of compromised records as a result.


The Attacks
Let's talk about the nature of the attacks for a minute.  In terms of percent of records exposed, 94% of those involved hacking, closely followed by malware at 90%.  These two methods were by far the most popular, with deceit coming in a distant 3rd with 6%, and Misuse and Physical attacks bringing up the rear at 2% each.

However, there is a mitigating element here that is important to consider.  Error (misconfiguration, etc) is a contributing factor in 67% of the cases.

Given this, you can see the traditional attack methodology that we're all too familiar with:  Vulnerability identified and exploited by hacker, malware placed in victim network to enable further attacks.

A particularly worrisome methodology that Verizon has been tracking is the harvesting of data in the server's RAM.  Most application vendors do not encrypt data residing in RAM, even if they do encrypt data on the disk storage subsystem.  This is proving a rich source of unencrypted data, and hackers are starting to go after it.

There is another important factor to highlight here, while we're discussing the attacks themselves.  85% of the records breached were harvested using malware customized for the target.  As a result, most malware used for these attacks is not detectable by modern antivirus systems.

I'll cover the contents of the 2nd half of the report in a followup post.

ToorCamp 09 - I'm *SO* There

What do you get when you mix a bunch of techno-miscreants and a decommissioned Titan-1 Ballistic Missile Silo?  ToorCamp 2009, that's what.

ToorCamp is the United States' first ever full-scale hacker camp. Modelled after the camps in Holland and Germany, ToorCamp will focus on all of the technology topics that ToorCon has become famous for but will expand out into other areas of society. ToorCamp will offer 2 days of talks on many different topics -- Security, Internet, Emerging Technologies, Hardware Hacking, and Privacy are just some of the areas we will be covering. ToorCamp will also feature 2 days of hands-on workshops on a multitude of different skills that you may have never found yourself interested in learning about before. Blacksmithing, Lock Picking, Orienteering, Logic Design, Archery -- these are just a few of the topics you can expect.

ToorCamp is run by the same group that runs ToorCon and will also be heavily supported by many other hacker conferences in the US. ToorCamp will be organized as a bunch of different campsites which will be fully run by autonomous groups. We will provide the power and internet -- you provide the rest. We're heavily encouraging groups to build structures, set up art projects, throw parties, and generally do things that will show to the world that US hackers can throw a kickass hacker camp too!

Oh, and did we mention it'll be at a Titan-1 Missile Silo? We've managed to find one of the best locations in the northwest to throw this event. We've partnered with a group of people who are currently retrofitting the Silo into an ultra-secure datacenter so internet connectivity won't be a problem. ToorCamp will be situated in central Washington roughly 3 hours driving distance from Seattle and within 15 minutes drive of a private international airport. Don't miss this once in a lifetime opportunity to make history with us and help launch the first public US hacker camp!