There are plenty of cities in the U.S. that want to lay claim to becoming the “next” Silicon Valley, but a dusty desert town in the south of Israel called Beersheva might actually have a shot at becoming something more modest, and more focused. They want to be the first place you think about when it comes to cybersecurity research, education, and innovation. If things go right there, it may well happen.

You can read my article in ITworld here about my recent trip and what they are doing.

As calls for breach accountability across industries grow louder, and the government introduces new cybersecurity initiatives, frustrated security experts say change will only occur when lawsuits from shareholders hold C-level executives and boardrooms accountable for lax security practices.

While agreement on what “good enough security” entails is hard to come by, chief information security officers can take actions to mitigate the security and risk tradeoffs that can result from business decisions, to make their organizations less vulnerable to security threats.

You can read my article for SearchSecurity here.

I feel almost embarrassed writing this column, but I figured if it can happen to me, it can happen to you. Google is running this cute promotion this week where you can tack on another 2 GB of storage to your account. The only thing you have to do is run through a series of security settings on your account. It will take about two minutes at the most. You go to this page for the detail to read more and then navigate over to your account. Go ahead, I will wait until you come back.

Nice, hunh? Well, not so nice for moi. I found out that someone was using a Windows computer last week in Kentucky and signed in as me. I quickly changed my password, and then forced everyone else to logout of my account. Borderline creepy, right? What happened? I have no idea. I guess that is one of the reasons why the promotion is so useful to them: they can tighten up everyone’s credentials quickly, and the extra storage costs them close to nothing.

Part of the security assessment is to see what connected apps are signing into your account. It is always a good idea to bring up the corresponding screens in other Web services to make sure that you know what is happening. I call this an “app audit” and I mention how to do it for LinkedIn, Twitter and Facebook (but curiously, forgot about Google) in this post from several years ago. That will take you another few minutes.

Please, for your own protection, run through these checks now.

It is almost a cliche, but the femme fatale — the allure of a female spy who gets the lonely male soldier to give up military secrets — is still very much alive and well in the current Syrian civil war. But instead of using actual people, today’s take on Mata Hari has more to do about social networks, phishing, and clever use of a variety of keylogging programs.

A report this week by FireEye has tracked this trend in Syria and makes for interesting reading. Hackers operated between November 2013 and January 2014 to collect battle plans and specific operational details from the opposition forces’ computers. The information was substantial: FireEye found more than seven GB of data spanning  thousands of Skype conversations and 12,000 contact records. So much was taken from the soldiers and insurgents that FireEye was able to assemble profiles of several of them for their report:

What is astounding is how easily the various Syrians fell for some pretty old-fashioned social engineering. Skype contact requests would be sent to the fighters from unknown and seemingly female correspondents. Once they were engaged in text chats, the hackers would ask what kind of computer they were on, and then send them a “better photo” of themselves that, surprise, surprise, turned out to contain malware. Then the data extraction began, and they moved on to others in the target’s contacts.

It isn’t just that loose lips sink ships. It is that lonely guys are so easily manipulated. Back in WWII days, we needed a lot more human infrastructure to collect data to track enemy movements. Nowadays, all it takes is a female avatar and some sympathetic IM patter, a few pieces of code and let the gigabytes roll in.

The hackers were thorough. FireEye found “whole sets of files pertaining to upcoming large-scale military operations. These included correspondence, rosters, annotated satellite images, battle maps, orders of battle, geographic coordinates for attacks, and lists of weapons from a range of fighting groups.” In addition to using the fake female avatars on Facebook and Skype, they also setup a bogus pro-opposition website that would infect visitors with malware. The whole effort was aided by the fact that often soldiers shared computers, so once an infection landed on one PC it could collect multiple identities quite easily.

Finally, the hackers focused on Android phones as well as Windows PCs and had malware created for both environments.

Figuring out who was behind this massive data collection effort isn’t easy, of course. FireEye thinks there are ties to Lebanese or other pro-Syrian groups, and have tracked its command servers to outside of Syria. That could be almost anyone these days. Still, the report is quite chilling in what a determined hacking group can accomplish during wartime.

I have been spending time studying up on what actually happened at Sony over the past month. There has been a tremendous amount of inaccurate reporting, and a dearth of factual information. Let’s try to set that record a bit straighter. From where I sit, the attack and the activity about the movie were two separate events and were probably caused by at least two separate entities. Assigning blame across both of them to the same actor is ludicrous. (And Dr. Evil has a few funny things to say about the whole situation too.)

First, the sad irony of a company that deliberately injects malware into their products being hacked yet again. While many, including President Obama, were quick to assign blame to the North Koreans, the actual initial breech appears to be the work of a Sony insider who could guide the hackers toward specific servers and IP addresses.Certainly, this level of detail could have sussed out with lots of clever hacking, but the simple explanation is a dissatisfied former employe, of which there are many.

Second, the sad irony of the press becoming so enthralled with the sordid details of the leaked content that they so forgot their actual duty in telling the story of what happened. They share the blame with the hackers, who knew exactly how to manipulate them and feed our hunger for celebrity gossip.

The third irony is that Sony’s security should have been better: this isn’t their first rodeo and certainly now wont be their last. Storing passwords as plain text, using the word “password” or other commonly guessed words, and having no mechanism to monitor the exfiltrated data were all shameful practices. What is doubly wrong is that they have had numerous opportunities to improve their IT procedures, and haven’t.

Ironic that their passwords were so poor that a security researcher was able to inject a fake Sony SSL certificate by guessing one of them. Thankfully, this wasn’t a deliberate hack, just a demonstration of how easy Sony’s procedures could be circumvented.

Ironic too are all the calls for posting the movie on various online streaming services to counter the cancelled Christmas Day release. So the way to combat censorship, even self-imposed, is to take your content to the cloud, so that more people can see your movie. Wasn’t this was many private citizens were asking the MPAA to let them do when they posted movies online?

Also ironic are stories about how the MPAA and Sony were using denial of service methods to try to keep people from seeing their movies, including The Interview. See irony #1 about injecting malware, etc. And how ironic was it that the peer file sharing services actually working in cooperation with the movie studios to take down the leaked content, including some copies of pre-released movies, quickly once the hackers uploaded them?

Also ironic how one of the first things that our government is asking for a joint effort with the Chinese to cooperate in controlling this hack: perhaps the same unit within the Chinese government that we recently indicted for cyber espionage could be used? Granted there is a line between espionage and criminal hacking, or at least there used to be one.

Finally, while not ironic it is sad that the film’s creators so insisted on using the actual name of a living president in their film. While not the first time this has happened, they could have scored their satire points by going the Chaplin/Great Dictator route which doesn’t actually name Hitler but in every other way goes about pillorying him. Certainly, you can’t blame the North Koreans on this point: had someone used a similar plot line with our president, chances are even our bumbling Secret Service would have been all over that one too.

If you want to read a very solid collection of the various events of the past month, the folks at Risk Based Security (a Virginia security VAR) are worth your time and clicks. They continue to add to their coverage as new events unfold.

So what are some action items you can take? Here are a few:

• Understand that all it takes is an unhappy employee with a thumb drive and basic file copying skills. You should think about your HR and data leak prevention policies accordingly.
• Get thy passwords in order, puh-leeze. This isn’t something that will cost megabucks.
• It is way past time to encrypt your email, especially if you communicate with global brands And even if you don’t, still more the reason.

And to wrap up, I want to quote S. Cobb’s blog where he says:

“Rather than berate those who are being realistic about our current weaknesses, let’s put our anger and our energy into demanding companies and governments do a better job of securing our digital assets and defending the digital world.”