Category Archives: Security

Wire Leak: Chinese Nationally-Funded Hackers

Although the leaked 2009 State Department wire message will bring scrutiny to Chinese hackers, three things stood out.

First, language in the wire looks familiar:

CNITSEC enterprises were said to have recruited Chinese hackers in support of nationally-funded “network attack scientific research projects.”

China is not the only country to recruit hackers. Remember when the press release announced “Hacker ‘Mudge’ gets DARPA job”? He was quoted as saying “I want to be at the sharp pointy end of the stick.” Imagine if a Chinese hacker had said that to the press…actually, imagine if anyone going into a military role said that in any country.

The point here, no pun intended, is that countries frequently recruit experts from industry, and have done so for quite a while (as LinkedIn members often boast).

Even more to the point, the US military has only just announced cybersecurity as part of basic training, as explained in “US Air Force Recruits Train to Become Cyber Warriors”. With the Air Force only just starting to train from within, it likely will be years before they can avoid hiring from outside.

The Chinese hiring outside hackers is probably taken by many to be a sign of intent or motive, but to me it signals more that they lack talent within.

Second, the timing is interesting:

From June 2002 to March 2003, TOPSEC employed a known Chinese hacker, Lin Yong (a.k.a. Lion and owner of the Honker Union of China), as senior security service engineer to manage security service and training. Venus Tech, another CNITSEC enterprise privy to the GSP, is also known to affiliate with XFocus, one of the few Chinese hacker groups known to develop exploits to new vulnerabilities in a short period of time, as evidenced in the 2003 release of Blaster Worm (See CTAD Daily Read File (DRF) April 4, 2008)

March 2003 was only a month after Bill Gates signed major trade agreements with China. It also was about half a year before Microsoft gave the Chinese access to its source code for “security” purposes.

Chinese hacker and company “affiliations” with Microsoft could sound ominous in some ways, but in 2003 the company openly traded and gave access to Chinese security experts. That gives a different spin to the wire and again emphasizes that China lacked talent within. They relied on experts in the field with unusually close ties to Microsoft.

Third, although this is a wire leak and not a press-release, I am reminded of when the Japanese media were said to be using reports of Honker (hacking group said to be nationally affiliated with China) activity and threats to “make China look bad”.

Broadway Grill Hack, into the 1,000s

I often emphasize in my security breaches presentations that retailers get a lot of attention yet they represent a small percentage of the overall number of breaches.

A story by Oregon’s KCBY about a Secret Service investigation in Seattle is a good example of this. They call it “cyber attack larger than first thought”:

…the U.S. Secret Service tells KOMO News we’re dealing with a much bigger crime than first expected. Agency spokesman Bob Kierstead says the total number of accounts compromised could be in the high hundreds.

“It could go over a thousand,” said Kierstead. “We are very close to pinpointing the actual person or persons who perpetrated this crime.”

The fraud is real and the harm should not be discounted. This story does a good job emphasizing the importance of a breach of hundreds or thousands out of the community that has eaten at or lives near the Broadway Grill.

However, it does not pull in any industry data, financial services names, or even a national view to put this breach in perspective.

News sources, taken together, suggest that back-end servers were storing card data after authorization. They also suggest sniffers were used to pull data processed in the clear from other retail locations. I hardly see either of these as a new attack vector for retailers. Both have been known problems, and the subject of breach reports, since the beginning of the PCI DSS compliance standard over six years ago: PCI DSS forbids storing full track data after authorization and requires cardholder data to be encrypted when it crosses open or untrusted networks.
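The two failure modes above, retained authorization data and cleartext capture, are the kind of thing a merchant or assessor should be able to find before an attacker does. The scanner below is an added example for this page, not code from the investigation or from any vendor named here; it runs over constructed sample records (a POS log that kept the full PAN, a number that fails the Luhn check, a cleartext authorization request carrying track-2 data, and a properly masked entry) and reports only Luhn-valid PANs and track-2 strings, masked to first-six/last-four. The log format, field names and gateway host are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Constructed sample records for this example; they are not from the breach.
# Record 0: POS log that retained the full PAN after a successful authorization.
# Record 1: a PAN-shaped number that fails the Luhn check (must be ignored).
# Record 2: an authorization request captured in the clear, carrying track-2 data.
# Record 3: a properly masked PAN (nothing to report).
SAMPLE_RECORDS = [
    "2010-11-28 19:42:11 AUTH_OK txn=1182 pan=4111111111111111 exp=1213 amt=48.50",
    "2010-11-28 19:42:12 AUTH_OK txn=1183 pan=4111-1111-1111-1112 exp=0115 amt=12.00",
    "POST /auth HTTP/1.1\r\nHost: gateway.example\r\n\r\n"
    "track2=;4111111111111111=13121010000000000000?&amt=48.50",
    "2010-11-28 19:50:03 AUTH_OK txn=1184 pan=XXXXXXXXXXXX1111 amt=9.75",
]

# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 layout: [;]PAN=YYMM SSS discretionary[?]  (data PCI DSS forbids storing after authorization)
TRACK2 = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn (mod 10) check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled, then reduced
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid PANs found in text, with separators stripped."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def find_track2(text: str) -> List[str]:
    """Return the PAN from every track-2 string in text (only Luhn-valid PANs count)."""
    return [m.group(1) for m in TRACK2.finditer(text) if luhn_ok(m.group(1))]


def scan(records: List[str]) -> List[Tuple[int, str, str]]:
    """Scan stored or captured records; each finding is (record index, kind, masked PAN)."""
    findings = []
    for idx, rec in enumerate(records):
        for pan in find_track2(rec):
            findings.append((idx, "track2", mask_pan(pan)))
        for pan in find_pans(rec):
            findings.append((idx, "pan", mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for idx, kind, masked in scan(SAMPLE_RECORDS):
        print(f"record {idx}: {kind} data present ({masked})")
```

Run it against real POS logs, database dumps or a packet capture decoded to text and anything it reports is either prohibited storage or cleartext transmission; the Luhn filter keeps timestamps, transaction IDs and random digit runs out of the results, and the output never reproduces a full PAN.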

Capitol Hill news points out that the restaurant used Action Systems’ Restaurant Manager software and may have been on a version at least four years old.

Restaurants using Restaurant Manager v15.0 or earlier have been notified repeatedly that they must upgrade to a more current version of the software before they will be able to operate as a PCI Compliant business.

It is the restaurant’s responsibility to act on these repeated warnings.

Although this points readers back into the retail operation, the reality of the hack is that the restaurant was an entry point but not the true target. The attackers moved from the restaurant system into the transaction processing system, where they hoped to collect a large stream of card data. Even though they hit a sensitive area, their breach achieved far less than the exposures we have seen in the past few years. The numbers indicate the risk and impact of retail breaches have declined. Compare it with what other industries experience now — ones that lack a compliance standard like PCI DSS — and “into the 1,000s” could be seen as part of an overall downward trend in risk.

California Approves Neurotoxin

The California Department of Pesticide Regulation (DPR), under outgoing Governor Schwarzenegger, has formally approved methyl iodide for use on strawberries and other food crops in California. Methyl iodide is a potent carcinogen and neurotoxin that is a clear danger to those who consume and grow food.

The DPR faced the largest opposition in the history of its public comment period. More than 53,000 people, including leading scientists on health and safety, asked for a ban on the pesticide. Arysta LifeScience, the company that produces methyl iodide and the largest private pesticide company in the world, overcame public opinion and the scientific community’s warnings through a massive lobbying campaign.

The Scientific Review Committee (SRC) noted in its final report in February that “Based on the data available, we know that methyl iodide is a highly toxic chemical and we expect that any anticipated scenario for the agricultural or structural fumigation use of this agent would result in exposures to a large number of the public and thus would have a significant adverse impact on the public health. Due to the potent toxicity of methyl iodide, its transport in and ultimate fate in the environment, adequate control of human exposure would be difficult, if not impossible.”

Dr. John Froines, Chair of the SRC and Professor in the Department of Environmental Health Sciences, School of Public Health at UCLA said in a Senate Food and Agriculture Committee Hearing in June, “I believe that if you go out into the real world, and I think everybody in this room knows what the real world in the valleys are about, that the mitigation strategies that are promised so articulately by Mary-Ann [Warmerdam, DPR Director], are not going to be adequate, because this is without question one of the most toxic chemicals on earth.” (page 46 of transcript)

“The decision to permit use of a chemical in the fields that causes cancer, late-term miscarriage and permanent neurological damage is a ticking time bomb,” said Dr. Susan Kegley, Consulting Scientist with Pesticide Action Network. “The idea that this pesticide can be used safely in the fields is a myth.”

In a world where we now constantly hear of hackers bypassing controls, financial controls failing to stop fraud, and rivers and lakes showing the awful effects of pesticide runoff…California is foolish to gamble on such extreme risk.

Mint: Cloud Integrity Failure

CNN has a February-themed (hearts and relationships) report on the struggles of Mint.com’s data aggregation. This is a good study of data integrity risks in the cloud model.

“The dirty, behind the scenes thing is just how complex it is,” said Mint.com CEO Aaron Patzer, who described the first few months moving users to Intuit as particularly “rough.” But he added, “Intuit’s platform is getting better at a much faster pace now.”

But most consumers don’t care about the nuts and bolts — they just want the same service they’ve always been able to get.

Customers paid for a service that ran on a different Software as a Service (SaaS) platform. Clearly the acquisition team did not properly assess and plan for data integrity risks. The new platform seriously impacts the customer experience, which is not supposed to happen with giant SaaS cloud providers, even when the service is “free”.

Intuit spent nearly $200 million on Mint, which makes a personal copy of accounting software running on an Infrastructure as a Service (IaaS) provider a useful security comparison. Is SaaS worth the high risk to integrity (e.g. Mint), high risk to confidentiality (e.g. Google SREs, maps, wifi) and/or high risk to availability (e.g. Twitter whale)? Control over when and which features are added to a service can be a problem with SaaS. The struggling Mint users might be ready to go for something better — something that gives more control over the quality of service delivered.

A beta period, for example, is one way of handling the transition with more user control. Another option would be migration in batches, where users elect to be migrated and are then given a higher level of service while bugs are worked out of the system. These methods are not fool-proof. Perhaps Mint used them but extrapolated the experiences of a few users too far.
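Batches only help if each batch is verified before it is committed, otherwise a bug in the importer is simply discovered by a smaller group of users. The code below is an added example of that reconciliation step, not Mint’s or Intuit’s migration code: it fingerprints each opted-in user’s transaction history on the old platform, runs the new platform’s transform, and commits the user only when the fingerprint and the balance both match, leaving mismatches on the old platform with the discrepancy reported. The ledger, the two transforms (one faithful, one that silently drops pending transactions) and the field names are all constructed for the example.

```python
import hashlib
import json
from typing import Callable, Dict, List, Tuple

Txn = Dict[str, object]
Ledger = Dict[str, List[Txn]]

# Constructed sample data for this example (not real customer data):
# two users' transaction histories on the old platform, amounts in cents.
OLD_PLATFORM: Ledger = {
    "alice": [
        {"date": "2010-01-05", "cents": -4850, "memo": "Dinner", "pending": False},
        {"date": "2010-01-06", "cents": 250000, "memo": "Payroll", "pending": False},
        {"date": "2010-01-07", "cents": -1200, "memo": "Coffee", "pending": True},
    ],
    "bob": [
        {"date": "2010-01-05", "cents": -9999, "memo": "Books", "pending": False},
    ],
}


def fingerprint(txns: List[Txn]) -> str:
    """Order-independent SHA-256 of a user's history; both platforms must agree on it."""
    canonical = sorted(json.dumps(t, sort_keys=True) for t in txns)
    return hashlib.sha256("\n".join(canonical).encode()).hexdigest()


def balance(txns: List[Txn]) -> int:
    """Net balance in cents; a cheap second check that also tells you the size of a loss."""
    return sum(int(t["cents"]) for t in txns)


def faithful_transform(txns: List[Txn]) -> List[Txn]:
    """Importer that copies every transaction unchanged."""
    return [dict(t) for t in txns]


def lossy_transform(txns: List[Txn]) -> List[Txn]:
    """A plausible migration bug (assumed for the example): pending transactions are dropped."""
    return [dict(t) for t in txns if not t["pending"]]


def migrate_batch(
    users: List[str],
    source: Ledger,
    target: Ledger,
    transform: Callable[[List[Txn]], List[Txn]],
) -> Tuple[List[str], List[Tuple[str, int]]]:
    """Migrate one opt-in batch. A user is committed to the target only when the
    fingerprint and balance match; otherwise the user stays on the source platform
    and (user, cents missing from the new copy) is reported."""
    committed: List[str] = []
    failed: List[Tuple[str, int]] = []
    for user in users:
        old = source[user]
        new = transform(old)
        if fingerprint(new) == fingerprint(old) and balance(new) == balance(old):
            target[user] = new
            committed.append(user)
        else:
            failed.append((user, balance(old) - balance(new)))
    return committed, failed


if __name__ == "__main__":
    for name, transform in (("faithful", faithful_transform), ("lossy", lossy_transform)):
        target: Ledger = {}
        ok, bad = migrate_batch(["alice", "bob"], OLD_PLATFORM, target, transform)
        print(f"{name}: committed={ok} failed={bad}")
```

With the faithful importer both users move; with the lossy one alice is held back with a 1,200-cent discrepancy while bob still migrates, which is exactly the signal a batch rollout needs before the next, larger batch is approved.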

The bottom line is users need control — a way to trust that controls are working, as I have discussed before. While some analysts say users “don’t want to know what’s going on in the kitchen” (Forrester quote), that is completely wrong. Forrester confuses trust with a lack of care. Users will know and judge what is going on in the kitchen as soon as they are served. They do not want to be unpleasantly surprised.

Imagine sitting down at a restaurant and saying “I don’t want to know…just serve me whatever”. You would only do that if you trusted the kitchen. And you would only trust the kitchen if…

Customers want to know that what goes on in a “kitchen” is what they expect; that is why they agree to sit and “pay” for a meal. In fact, you could say they chose to sit in a particular restaurant because they thought they could tell what would go on in the kitchen based on things like prior experience, reviews, decor, other customers, etc. They care about the things that affect them, and when they sign up for a “service” they want to trust that someone is taking care of the details.