Thursday, November 29, 2007

Blue Christmas

'Tis the season to be generous. That means lots of folks are logging on to the web sites of non-profits like CARE and the Red Cross to make donations, either for themselves or as gifts to friends and family who already have all the electronic gizmos and consumer crud they need.

Unfortunately, some of those good-hearted souls are going to find a lump of coal in their Christmas stockings in the form of stolen email addresses and passwords. As reported in Computerworld on November 28th the FBI is investigating a data breach at Convio Inc., a firm that specializes in recruitment and fund raising software and services for the non-profit sector. According to the report, criminal hackers managed to lift information on 92 non-profit organizations (including The Red Cross and CARE) and were preparing to help themselves to data on another 62 when Convio discovered the leak in their data dike and plugged it.

How did this happen? Here's a Convio spokesperson, as quoted in Computerworld:

"The intruder obtained a log-in and password belonging to a Convio employee," wrote Dave Crooke, a company staffer, on a mailing list used by nonprofit professionals. "It appears that their PC was compromised, but we are still investigating."

Those of you who read my earlier blog entry on the importance of keeping your PCs secure will not be surprised to discover that I rolled my eyes as I read that. A chain is only as strong as its weakest link. A company's data is only as secure as its most clueless employee's PC. Your personal data is only as secure as your own PC. Why is it so hard for some people to comprehend this?

The situation isn't going to get any better. Cybercrooks are getting smarter as operating systems become more secure. Windows and OS X are too locked-down to be easily exploited? No problem - there are plenty of individual applications (like QuickTime, Windows Media Player, Firefox and - of course - Internet Explorer) with vulnerabilities. The corporate love affair with outsourcing application development to countries (such as China, Brazil and Russia) that are havens for cyberthieves, combined with the tendency for developers to consider security as less important than bells and whistles, provides fertile ground for a bumper crop of exploits. And, of course, good old-fashioned social engineering, phishing, and other techniques based on the notion that there's a sucker born every nanosecond will continue to be useful to what The Saint referred to as “The Ungodly”.

But don't take my word for it. Take a look at the SANS Institute's Top 20 2007 Security Risks report. According to them, “[t]he number of attempted attacks for some of the large web hosting farms range from hundreds of thousands to even millions every day.” If computer security is an arms race (which it is), the Bad Guys are 'way out in front.

With apologies to The King: You'll be doin' all right with your Christmas of white, but security pros will have a blue, blue Christmas.
