Newsflash: Gartner says social-networking technology could be the next security threat. Or maybe not the next one, but soon. Or maybe not soon, but eventually. You know, like they have noticed that people use social networking and software delivered over the Internet so those are probably going to have some security issues with them, and at some point you should probably think about it. Maybe think about it right about when you are already thinking about it and say to yourself “oh, yeah, Gartner said this would be a problem”.
Pescatore didn’t provide specific timeframes for these next-generation threats, but he says they could hit anywhere from two to six years from now.
“Threat forecasting is fun – it’s like weather forecasting and about as precise as weather forecasting,” Pescatore says. “But the key is if the climate changes, we want to understand it.”
Great stuff. Gartner, thanks for offering to understand and notify me of climate change after it has already happened, or predict that the weather will be different two to six years from now.
This smells a lot less like weather forecasting and more like gag-gift rocks that say “If I’m wet, it’s raining; If I’m missing, it’s really, really windy”.
Dark Reading has reposted the findings of the breach report, highlighting faults:
Key points in the study lay blame at the feet of Kerviel’s supervisors. “The direct supervisor lacked trading experience and was not given a sufficient degree of support in his new role,” the report says. Neither the supervisor nor the manager above him took the time to adequately review Kerviel’s trades or benchmark Kerviel’s falsified reports against the company’s actual financial positions, the investigators say.
Kerviel’s actions also revealed some significant flaws in the company’s trading control systems, which did not immediately identify the fraud, the report says. For example, the company’s IT systems did not grow in a fashion that was consistent with the “very strong growth” in transaction volumes in Kerviel’s equities division, it says.
I’m not sure what that really means, but I think they are saying that IT was not funded sufficiently to handle the risk. That sounds like if they had spent a bit more on security and controls within the organization, they could have avoided some of the $7 billion. Wow. Imagine the possibilities for control systems if they had spent just $100 million. The magic number for security spend of best-performing companies now seems to be 12%. If your company is spending less, and especially if it is spending under 10%, you probably want to read the report.
The Finjan MCRC Blog has a very interesting and detailed description of the investigation that revealed free and open Internet access to stolen identity information.
During our research for the latest Malicious Page of the Month that has just been released, we came across a domain that was being used as a command and control for the Crimeware that was executed on attacked machines. This domain was also used as the “drop site” for private information being harvested by that Crimeware.
When we further examined this server, we found that the stolen data on it was unprotected and freely accessible to anyone – we found no access restrictions, no encryption whatsoever!
In total, we found more than 1.4Gb of personal and business data (including emails and web related data) for grabs, collected from infected PCs.
They show how attacks were organized into “campaigns” and a Crimeware administrator could use a PHP-based web application to control infected systems. Real examples shown include bank and medical records.
This is an excellent case study of the current threat model for, and the consequences of, weak data controls.
a blog about the poetry of information security, since 1995