With March Madness coming up, I recently spent the morning in some rather distinguished company simulating the effect of a March Madness smartphone app that turned out (within the confines of the simulation) to be malware.

A new set of vulnerabilities came to light this week at Black Hat DC, and its appearance provides a good look at our bleak "next-gen" security future.

We just released the October issue of the CSI Alert to CSI members, and this month we focus on Windows 7. This issue is, in some ways, a follow-up to last year's issue, "The Fate of the Secure OS," in which I said some nice things about Windows Vista, and advised it would be imprudent to completely ignore Windows Vista -- eyes-closed, fingers-in-ears, chanting I'm-not-listening-I'm-not-listening.

Imagine a world in which you can do all manner of smooth, rich, user-friendly online commerce with mighty security. You can have complete faith in the validity of customers' login credentials and payment data (thereby reducing fraud costs, for starters). You can protect users' privacy...and never need to worry about securely storing -- or even seeing -- customers' credit card data or other legally protected personally identifiable information. Wait 12 to 18 months, and you might just have that.

Social networks really do bring people together, don't they? Old friends. Long-lost relatives. Bots and bot-herders. Warms the heart.

When I arrived in Las Vegas, I already smoldered and grumbled about the facts that online trust mechanisms are untrustworthy, and that browsers' fundamental weaknesses persist despite the fact that better browsers would make an incalculable impact on overall Web security. Yesterday's sessions simply added more kindling to the fire.

The rumor here is that the attacks did indeed happen, but the significance of it is actually quite small--not worth paying attention to, since attention is clearly what the attackers are seeking. More info to come...

BlackHat, Kinda: Yesterday a hacking group released details (http://r00tsecurity.org/files/zf05.txt) of a number of successful attacks they conducted, apparently with the principal purpose of embarrassing some of the security industry's most well-known experts. The group claims that they collected about 75,000 passwords, including those of a few security experts speaking at the BlackHat Briefings today and tomorrow.

"Welcome one and all to the real Black Hat Briefings," reads the site. "Live from the underground, coming right at you free of charge."

We've been saying for a while now that better identity management -- more so than secure Web app coding or even more secure browsers -- could fuel a quantum leap in Web security. The "Identity 2.0" community can be credited with wonderful research and truly significant advancements in identity management technology. In many ways, we're poised for an identity revolution. However, the efforts have been hampered by a lack of public awareness, a lack of interoperable standards, usability concerns, and a fundamental chicken/egg problem.

I just took a close look at the Article 29 Data Protection Working Party's opinion report on online social networking. While some of its recommendations are what you'd expect, others came as a surprise.

Citizens of the Information Security Nation, to you I say Classify and inventory your data and assets!

Tedium? Odium? Delirium? Yes, probably all three. But worth the trouble.

Dr. Peter Tippett, vice president of research and intelligence for Verizon Business Security Solutions, will discuss the results of the company's "2009 Verizon Business Data Breach Investigations Report" (DBIR) at CSI SX: Security Exchange, taking place May 17-21 in Las Vegas.

Want a case study on the slings and arrows of outrageous SIEM implementation? Sure you do. (Really. You do. Trust me on this one.)

I've been talking quite a bit about whether or not (not) users of cloud services can prove compliance with security, privacy, and e-discovery laws. Now a story from The Register has me thinking about yet another issue -- the inescapable question of a service provider's financial stability.

Yesterday Nick Reynolds of the BBC directed me, as well as many other writers, to the BBC's official response to allegations that its technology show, Click, violated the U.K.'s Computer Misuse Act when it purchased and used a botnet as part of an investigative report into cybercrime.

Saturday, "Click"--"the BBC's flagship technology programme"--broadcast an investigative report on cybercrime. The exciting thing about this particular program is that they purchased and used a botnet as part of their investigation. The creators of the program are under the impression that their experiment was perfectly legal, because they had no criminal intent.

They are mistaken.

Today I saw two fraudulent charges on my bank account, and a few weeks ago I accidentally wiped off all of the data from my BlackBerry.

Why?

Because I love too much.

Note to Web browsers: With great power comes great responsibility.

Maybe I'm stretching a bit, but let's say that operating system developers slimmed down their standard OSes enough so that eventually they'd be skinny enough to have a career in fashion and, more important, run on mobile devices. And, if so, would this be a good thing for mobile device security?

The Estonian Parliament has passed a law that will allow citizens to vote via cell phone by 2011. In the past, Estonians were able to cast their votes over the Internet, which apparently worked seamlessly despite security concerns. (See Sara Peters' coverage of e-voting in Estonia in the November 2005 Alert, Academic Group Publishes Criticisms of e-Voting; membership required.)

There are some ways to effectively begin securing your information in the cloud. We’ve recently been pondering whether one can prove compliance with security and privacy regulations in the cloud. Luckily, while cloud services still may not be right for handling health or payment card information, security vendors and cloud service providers are beginning to offer ways to effectively secure your cloud-based computing resources and satisfy some compliance requirements.

Earlier this week it was implied that early warnings of an Islamic terrorist attack were "lost in the system." At this time, I am not able to find a credible enough source to prove whether this was actually the case, but it is rumored that the warning was specific in that the attack would come from the sea.

Google designed Chrome to be faster, more stable and most importantly, more secure than other Web browsers. So with these features in mind, Google Chrome was built from scratch to be a Web browser designed for today’s web application users. As more businesses venture into the cloud, it’s becoming increasingly important that your browser doesn’t crash when you’re creating reports in Google Docs or when you’re video conferencing. In order to prevent crashes, Google Chrome developers sandboxed each tab, so that if one tab malfunctions, the whole browser doesn’t crash. If one tab does go down, a “sad tab” will appear depicting a ‘sad face’ emoticon.