The News Team Blog

Black Hat 2010 notebook: Day Two

Dan Kaplan, Angela Moscaritolo July 29, 2010

The second and final day of Black Hat is upon us, but with all the robust content the show is producing, it feels for many like the conference has been running much longer.

  • Not as long, perhaps, as the line in the hallway to acquire a badge for DEFCON, the sister conference that kicks off this weekend.

And it is no ordinary conference badge. Over the last five years, DEFCON has become famous for its skillfully designed electronic badges. This year's version is the brainchild of Joe Grand, owner of Grand Idea Studio and host of Discovery's "Prototype This!" Grand is one of the world's best-known hardware hackers.

The badge may not look impressive to people who have become enamored of flashy web software. But to the hardware geeks, this is the crème de la crème.

The badge is an aluminum circuit board with laser engraving. It includes a 128-by-32-pixel display designed by Kent Displays; the display requires no power to retain an image once it has been drawn.

The badge even has a social networking aspect: Users can push a few buttons on the back of the badge (which is essentially a bare circuit board) to display icons of their interests, such as beer bottles and floppy disks.

"It's the whole community thing," Grand told reporters today. "They want to share one piece of data with everyone else."

  • Security firm SecureWorks unveiled new research, the culmination of a three-month investigation into the workings of a cunning Russian check-counterfeiting gang.

Essentially, the cybercrooks installed the Zeus and Gozi trojans on victims' machines, which gave them control of the computers. They used the infected PCs to get access to check image archiving services. They also broke into job websites to deliver messages to unsuspecting individuals, who were recruited as money mules to cash checks on behalf of the racket. Nearly 3,000 job seekers responded, and they cashed counterfeit checks worth in excess of $9 million.

Sounds like a standard Russian mob cyber scam, right? Not quite.

What made the operation so original was the crooks' use of VPN tunnels, which let them make the botnet's controller appear to be offline while it kept operating. From the report:

Although it is very common for trojans (especially ones designed to aid in financial fraud) to employ proxy server capability, this is the first time that the CTU has seen the use of VPN technology in such software. However, by employing the very simple VPN functionality built right into Windows, the criminal bypasses the need to develop complex systems, and can simply route his/her malicious traffic over the VPN. If done correctly, this gives the criminal three primary benefits:

1. The VPN traffic can be encrypted, defeating signature-based network IPS/IDS devices that might detect the malicious transfer of data.
2. A VPN can give the criminal the ability to connect back into the protected computer, and even use the infected system as a route to other systems on the protected network.
3. The criminal could route all traffic from the bots to the botnet controller over the VPN, and deny connections to the VPN controller from all sources but the VPN exit IP address. In doing so, the criminal could make it appear to the world that the botnet controller is offline, while still serving commands to and stealing data from the infected systems under its control.
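The first benefit above takes payload signatures off the table and the third makes the controller look dead from the outside, so a defender's most useful handle on this technique is the tunnel itself rather than its contents: an internal host that has no business running a VPN suddenly negotiating PPTP, L2TP or IKE with an address that is not the organization's own concentrator. The Python below is an added example, not SecureWorks' code, and flags exactly that pattern in constructed firewall connection-log lines. The log format, the approved-concentrator address and the sample traffic are assumptions; the ports and protocol are the standard ones used by the PPTP and L2TP/IPsec clients built into Windows. SSTP, which newer Windows versions also offer, rides TCP/443 and cannot be told apart from HTTPS by port alone, so this check deliberately leaves it out and the sample includes one such connection to show the blind spot.

```python
"""Flag VPN tunnel setup from internal hosts to destinations that are not
an approved VPN concentrator.

Added example for illustration; it is not SecureWorks' code. The log
format below is an assumed firewall export (one connection per line)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Transport protocol + destination port -> VPN type. These are the standard
# ports for the VPN clients built into Windows. GRE (IP protocol 47) carries
# the PPTP data channel and has no port, so it is keyed on protocol alone.
# SSTP uses TCP/443 and is indistinguishable from HTTPS by port, so it is
# deliberately absent: this check cannot see it.
VPN_SIGNATURES: Dict[Tuple[str, Optional[int]], str] = {
    ("tcp", 1723): "PPTP control channel",
    ("gre", None): "GRE (PPTP data channel)",
    ("udp", 1701): "L2TP",
    ("udp", 500): "IKE (L2TP/IPsec key exchange)",
    ("udp", 4500): "IPsec NAT traversal",
}

# Assumption: the organization's only sanctioned VPN concentrator.
APPROVED_VPN_ENDPOINTS = frozenset({"198.51.100.10"})

# Assumed log format:
# "<timestamp> src=<ip> dst=<ip> proto=<tcp|udp|gre> [dport=<n>] action=<allow|deny>"
LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+)"
    r"(?: dport=(?P<dport>\d+))? action=(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    vpn_type: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = rec["proto"].lower()
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def classify_vpn(proto: str, dport: Optional[int]) -> Optional[str]:
    """Name the VPN protocol a connection belongs to, or None if it is not one."""
    proto = proto.lower()
    if proto == "gre":
        return VPN_SIGNATURES[("gre", None)]
    return VPN_SIGNATURES.get((proto, dport))


def find_rogue_vpn(lines: List[str], approved=APPROVED_VPN_ENDPOINTS) -> List[Finding]:
    """Return allowed VPN-protocol connections whose destination is not approved."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow":
            continue  # unparsable, or the firewall already blocked it
        vpn_type = classify_vpn(rec["proto"], rec["dport"])
        if vpn_type is None or rec["dst"] in approved:
            continue
        findings.append(Finding(rec["ts"], rec["src"], rec["dst"], vpn_type))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group findings by internal host: one alert per host, not one per packet."""
    by_host: Dict[str, set] = defaultdict(set)
    for f in findings:
        by_host[f.src].add(f.vpn_type)
    return {host: sorted(types) for host, types in by_host.items()}


# Constructed sample traffic. 198.51.100.10 is the approved concentrator;
# 203.0.113.5 stands in for a criminal's VPN server.
SAMPLE_LOG = [
    "2010-07-29T10:01:02 src=10.0.0.12 dst=198.51.100.10 proto=udp dport=500 action=allow",
    "2010-07-29T10:01:03 src=10.0.0.12 dst=198.51.100.10 proto=udp dport=4500 action=allow",
    "2010-07-29T10:05:41 src=10.0.0.37 dst=203.0.113.5 proto=tcp dport=1723 action=allow",
    "2010-07-29T10:05:42 src=10.0.0.37 dst=203.0.113.5 proto=gre action=allow",
    "2010-07-29T10:06:03 src=10.0.0.37 dst=203.0.113.5 proto=tcp dport=443 action=allow",
    "2010-07-29T10:07:11 src=10.0.0.51 dst=203.0.113.9 proto=udp dport=1701 action=deny",
    "2010-07-29T10:08:30 src=10.0.0.22 dst=203.0.113.77 proto=tcp dport=80 action=allow",
]

if __name__ == "__main__":
    for host, types in summarize(find_rogue_vpn(SAMPLE_LOG)).items():
        print(f"{host}: unexpected VPN traffic ({', '.join(types)})")
```

On the sample, only 10.0.0.37 is reported (PPTP control channel plus GRE), the approved concentrator traffic from 10.0.0.12 is ignored, the denied L2TP attempt is skipped because the firewall already handled it, and the TCP/443 connection to the same suspect server passes silently. That last point is the caveat: once the criminal picks SSTP or tunnels over 443, port-based detection is gone and the defender is back to egress policy (only the concentrator may receive VPN protocols) or endpoint telemetry on which processes create RAS connections.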

  • The Black Hat crowd seemed to enjoy this morning's keynote quite a bit more than yesterday's less content-rich presentation from Jane Lute, deputy secretary of the U.S. Department of Homeland Security.

Today's keynote came from retired Gen. Michael Hayden, a former director of the CIA and deputy director of national intelligence, who spent his talk defining cyberwar and discussing which rules apply to it.

Cyberspace, like the air, land, sea and outer space, is also a military domain, he said.

But unlike the physical domains, a number of questions about cyberspace remain unresolved, such as what constitutes an attack or a cyberwar.

“We are thinking a lot about it [cyberspace], but not very clearly,” Hayden said. “We throw the term 'cyberwar' at everything unpleasant.”

Additionally, one unique aspect sets cyberspace apart from other military domains, he said.

“God made the other four, you made the last one,” Hayden said. “God did a better job.”

While the physical world has mountains and other terrain that aid the military in its defensive operations, the landscape of cyberspace provides advantages only to attackers, not to those seeking to defend it. Fixing this problem, Hayden said, requires altering the architecture of cyberspace.

“You are going to build rivers and hills into the web,” he said. “You are going to create geography that is going to help the defense.”

 

Black Hat 2010 notebook: Day One

Dan Kaplan July 28, 2010

Here are some interesting tidbits coming out of the first day of the world's biggest hacker conference, taking place in Las Vegas. Consider it a running log, of sorts.

  • Adobe announced this morning that it will begin sharing vulnerability details through the Microsoft Active Protections Program (MAPP).

The initiative, announced in August 2008, originally was devised so Microsoft could share flaw information with approved security software providers before its monthly fixes were released. Now Adobe will be able to do the same with MAPP's 65 members.

"By receiving vulnerability information prior to the public release of a security update, MAPP partners get an early start over exploit code writers, enabling them to offer protection to customers in a timely manner," Adobe's Brad Arkin said in a blog post.

  • RFID researcher Chris Paget showed how he created equipment that allowed him to read an EPC Gen 2 RFID tag at 217 feet, believed to be a world record.

In his talk, Paget described how he swapped out antennas and set a fixed frequency on the transmitter to increase range and power, all while staying in compliance with Federal Communications Commission amateur radio rules.

He predicts that under the right testing conditions he could read a tag at 1,000 feet. There are ways to abuse the technology, though, Paget said. He said RFID tags should not be placed in identifying documents, and retail stores should disable the tags (which serve as wireless bar codes) at customer checkout.

Best way to destroy an RFID tag? Place it in a microwave for three seconds. "Five seconds, and it will probably catch fire," Paget said.

  • Judging from the reaction on Twitter, the keynote from Jane Lute, deputy secretary of the U.S. Department of Homeland Security, didn't seem to go over too well with the jeans-wearing, free-speech-loving Black Hat audience.

She described how government can help secure cyberspace, partially through DHS initiatives.

The most exciting part of the discussion came when an audience member asked Lute why people should trust DHS to secure the internet without slowing down "commerce and knowledge," especially when considering how much criticism the Transportation Security Administration has absorbed since it was founded.

Lute said DHS wants to serve as the "portal" for debate on how to strike this balance.

  • OpenDNS founder Dave Ulevitch is unhappy that Craig Heffner, a researcher with Maryland-based security consultancy Seismic, hasn't responded to his inquiries about Heffner's presentation, scheduled for Thursday at Black Hat. Heffner plans to demonstrate how consumer routers can be exploited via DNS rebinding, a technique by which an attacker uses JavaScript on a malicious web page to reach the victim's router from inside the victim's own browser and take control of it.

"Since the vulnerability was first publicized, we've made several attempts to contact Craig Heffner, the researcher, and get more detail," Ulevitch wrote in a blog post. "We've phoned. We've emailed. We've contacted reporters who've spoken to the researcher and had their help connecting to the researcher. I've even Facebook messaged his coworkers. I haven't had a single reply."

Ulevitch said OpenDNS is a free service that helps resolve "many problems system administrators and security pros face." He said the company would keep the details of the vulnerability private; its only goal is to protect users.

Heffner could not be reached for comment by SCMagazineUS.com.
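DNS rebinding works because the browser's same-origin policy trusts a DNS name, not the address behind it: the attacker's page is loaded from a name the attacker controls, the attacker then re-points that name at the router's private address (192.168.1.1 is used as the example here), and the page's JavaScript can send requests that land on the router while the browser still believes it is talking to the attacker's site. Every such request carries the attacker's hostname in the HTTP Host header, which is why checking that header is the standard defense on the device side. The Python below is an added example, not Heffner's research or any router vendor's code; the request shape, the admin-page handler and the names under which the router serves its UI are assumptions. It shows a handler that ignores Host beside one that rejects anything not addressed to the router itself, including a missing header, a malformed value, and a Host that merely begins with the router's address.

```python
"""Host header check against DNS rebinding for a router's embedded web UI.

Added example for illustration; not Heffner's research or any vendor's
firmware. The request representation (a dict of headers) and the names
under which the router serves its UI are assumptions."""
from typing import Mapping, Optional, Tuple

# Assumption: the only names/addresses at which this router's UI is reachable.
ROUTER_HOSTS = frozenset({"192.168.1.1", "router.local"})

Response = Tuple[int, str]


def split_host_header(value: str) -> Tuple[str, Optional[int]]:
    """Split a Host header into (host, port), handling bracketed IPv6 literals.

    The host is lower-cased. A malformed value raises ValueError so the caller
    can treat it as hostile instead of guessing what was meant."""
    value = value.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[1:end], value[end + 1:]
    else:
        host, sep, port_str = value.partition(":")
        rest = sep + port_str
    if not host:
        raise ValueError("empty host")
    port: Optional[int] = None
    if rest:
        if not rest.startswith(":") or not rest[1:].isdigit():
            raise ValueError("malformed port")
        port = int(rest[1:])
    return host.lower(), port


def host_is_router(headers: Mapping[str, str], allowed=ROUTER_HOSTS) -> bool:
    """True only if the request was addressed to one of the router's own names."""
    raw = headers.get("Host")
    if raw is None:
        return False  # HTTP/1.1 requires Host; its absence is not a benign case
    try:
        host, _ = split_host_header(raw)
    except ValueError:
        return False
    return host in allowed


def serve_admin_vulnerable(headers: Mapping[str, str]) -> Response:
    """Trusts anything that reaches the LAN interface. A rebound request made
    from attacker.example's origin is served exactly like a local one."""
    return 200, "ADMIN PAGE"


def serve_admin_hardened(headers: Mapping[str, str]) -> Response:
    """Serves the UI only when Host names the router itself."""
    if not host_is_router(headers):
        return 400, "Bad Request: unexpected Host header"
    return 200, "ADMIN PAGE"


if __name__ == "__main__":
    # Constructed requests: a genuine local one, and a rebound one whose Host
    # still names the attacker's site because that is the origin the script runs in.
    for who, hdrs in [("local user", {"Host": "192.168.1.1"}),
                      ("rebound script", {"Host": "attacker.example"})]:
        print(f"{who:14} vulnerable={serve_admin_vulnerable(hdrs)[0]} "
              f"hardened={serve_admin_hardened(hdrs)[0]}")
```

The hardened handler returns 400 for the rebound request and 200 for the local one. Two practical notes: the allowlist must track the router's LAN address if that address is user-configurable, or legitimate users lock themselves out; and the comparison is on the whole host, so "192.168.1.1.attacker.example" is rejected rather than matched by prefix.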

 

When a zero-day is less about the bug and more about the disclosure

Dan Kaplan June 11, 2010

While Microsoft would never go on the record and admit it, surely the software giant's ego was bruised when a report emerged last week that Google planned to phase out its internal use of Windows, apparently out of security concerns resulting from the coordinated Chinese-led attacks it suffered.

But as most anyone within the security community will tell you, Google's rationale seemed misplaced, especially when talking about smart, sophisticated, targeted hackers who need just one weak entry point (read: a naive user who likes to click on untrusted links) to start plundering intellectual property.

But fine, Google decided to abandon Windows. It still has to hurt, regardless of the reasons.

So when an information security engineer named Tavis Ormandy, who claimed he was acting independently, went public Thursday with exploit code for a Windows Help Center vulnerability five days after reporting it to Microsoft, one can't blame Redmond for dragging Ormandy's employer into the mix.

Because his employer just so happens to be Google, Microsoft's bitter rival.

Microsoft's Mike Reavey, who directs the company's Security Response Center, posted a blog describing the vulnerability, and he used some interesting wording at one point. See if you can catch it:

One of the main reasons we and many others across the industry advocate for responsible disclosure is that the software vendor who wrote the code is in the best position to fully understand the root cause. While this was a good find by the Google researcher, it turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented. In some cases, more time is required for a comprehensive update that cannot be bypassed, and does not cause quality problems.

Notice how Reavey didn't say "the actual workaround Ormandy suggested" but instead implied that Google, as a company, was responsible for this disclosure. Sounds like fightin' words to me.

A Google spokesman reportedly denied the company's involvement and stated that Ormandy's work was independent.

Some security bloggers, such as Alan Shimel, weren't buying it.

You can tell me that Ormandy did this without Google's knowledge and consent. If that is so, they should fire him tomorrow. If it is not true, shame, shame, shame on Google.

I don't think it's fair for Microsoft to officially imply that Google was totally aware of this whole thing, but I also don't think it's fair for Ormandy to alert Microsoft about the vulnerability — as if he was prepared to act in a so-called responsible way — only to change his mind five days later and go full disclosure.

I think he'd be better served if he picked a side and stuck with it.

In Ormandy's defense, though, it sounds like he feels sorta bad: "I believe in [full disclosure], but making enemies of people I truly respect may not have been my smartest decision ever," he tweeted Thursday.

This mess also brings to light the continual challenge researchers face when they receive their paychecks from software companies that make products that have holes. After all, Google surely wouldn't want a researcher from Microsoft to discover a vulnerability in Gmail, only to go public with the exploit a few days after reporting it.

Maybe the guy and gal researchers and consultants who stay independent are on to something.

 

Comparing the Gulf oil spill with a massive data breach

Dan Kaplan May 27, 2010

Few would argue that BP has been forthcoming with information related to the oil spill in the Gulf of Mexico.

The company has pinned the blame on the oil rig owner. Scientists have publicly disputed BP's projections of exactly how much oil is shooting from the underwater geyser each day. There have been repeated reports of reporters and photographers being blocked from visiting the crude-fouled beaches — some are even being threatened with arrest. Even the petroleum giant's CEO is doing his best "under embargo" impression.

BP's image is such an open target that a wry social media enthusiast has created a fake Twitter account claiming to be the company's official public relations account. It's HI-LAR-IOUS.

One of my favorites: "The ocean looks just a bit slimmer today. Dressing it in black really did the trick! #bpcares"

The account has amassed some 60,000 followers (and growing), far more than the real BP Twitter account. Pretty telling of how ticked off people are at BP's response to what is now confirmed as the worst oil spill in U.S. history and one which may forever change the Gulf region's ecosystem.

But there is an information security connection here, because after all, a breach is a breach.

Let's pretend for a second that instead of tens of thousands of barrels of oil spewing into the Gulf, it was tens of thousands of credit card numbers. Ears perking up? You see, public relations plays an important role in any major corporate incident, whether we are talking about a broken riser pipe deep beneath the Gulf of Mexico or a vulnerable web server.

This is what Steve Collins, the security sector lead at Text 100 Public Relations, had to say about the topic:

If you're still questioning the importance of effective breach communications, consider the reality of living in a 24-hour news cycle these days. Bad news travels fast, and with the emergence of social media, the chances of keeping a lid on such news are pretty slim. An employee's blog or tweet, or an overheard conversation at the grocery store, could let the cat out of the bag, unwittingly or not. And the more time that lapses while you're scrambling to determine how to communicate the breach, the greater the risk that news of your breach will be broken in terms you can't control, with serious implications for your brand and your ability to remain competitive. 

In the case of BP, of course, it is pretty difficult to hide oil-drenched birds washing up onshore. But you get the idea. Transparency is the name of the game. Customers, plain and simple, will turn their backs on you if you let them down and fail to properly convey what happened. Client retention and brand reputation will suffer.

Some folks, like Bob Carr, the CEO of Heartland Payment Systems, which lost an estimated 130 million credit card records, get this. In fact, as I was typing this post, a PR rep for Carr left me a message, asking to set aside some time to meet with Carr when he visits New York City in a couple of weeks. Yes, Carr wants to promote the company's new encryption solution that it will begin marketing to the merchants for whom it processes transactions. But, knowing Carr, I bet you he won't shy away from answering questions about the breach either.

Oil spills are going to happen. Data breaches are going to happen. But you don't have to suffer any worse than you already are.

Act quickly. Be contrite. Greet the media with open arms. Tell it like it is. Americans are more forgiving than most people give them credit for.

Keep this in mind, if for no other reason than it would stink to be the butt of a viral Twitter joke.

 

Privacy and security concerns aside, you're OK in my book, Facebook

Dan Kaplan May 14, 2010

When I typed "How do I" into Google today, the first auto response to show was "How do I delete my Facebook account?"

"Whaaat?" was my first reaction. After all, this is the most popular website in the world. Why would anyone want to leave it?

In fact, just today a friend joined the site for the first time. Apparently he was being incessantly poked (no pun intended) and prodded to sign up by his peers, most of whom made fun of him for still relying on things like phone calls, emails and even, gasp, face-to-face communication to interact with others. He finally gave in. He told me he held off for so long out of "principle" and ultimately caved in due to "loneliness." (We'll examine his personal demons in a later blog post).

If this guy could join, someone who was so adamantly against the concept for so long, perhaps it's time to finally admit that Facebook controls the world.

But wait, you're telling me there is now a mass push to exit Facebook. I don't believe it. But it's true. The "how do I?" test doesn't lie. (Well, No. 5 is "How do I love thee." Not even sure what that means).

The fact is, though, that in recent months Facebook has found itself mired in a deepening privacy controversy. The crisis peaked a few weeks ago when the site announced its "Instant Personalization" and "social plug-in" features, which automatically opt users in to sharing data with some third-party websites in an effort to make their total web experience a more sociable one.

 

Privacy advocates are calling for founder Mark Zuckerberg's head - and these recently unearthed instant messenger exchanges from six years ago haven't helped the cause. Sophos' Graham Cluley, never shy of calling out Facebook for its privacy and security shortfalls, is hosting a poll asking users if they'll quit the Book. (Many say they will). And now there's a grass-roots internet effort forming that is asking users to avoid signing into Facebook for an entire day on June 6. It better be sunny out that day.

I'm not sold that Facebook is going to lose many members because of this whole debate, but if I were keeping score, I'd have Facebook down a couple of runs right now, if from nothing else than a bruised ego.

Of course, the ultimate goal of all of these new features is so Facebook can "expand revenue streams." It wants to make money, and who can really blame it? Wouldn't you want to be well compensated too if you were responsible for creating one of the biggest sensations of modern times?

Now, has Facebook been less transparent and explanatory than it should be when it makes these, and other, privacy changes to the website? Of course.

I agree with what Slate's Farhad Manjoo says:

Facebook could and should do a lot better on privacy. In particular, I'd urge it to introduce preset privacy levels. You should be able to go to your privacy settings and see one big dial that lets you choose one of five levels between "private" and "public." This setting would govern your entire profile; the more public you set the dial, the more you'll share with more people. By default, the dial would be somewhere in the middle, but you'd be able to shift it up or down at any time. You'd still be able to adjust more specific controls—you could set your profile to "public" but allow only close friends to see pictures of your kid—but few of us would ever need to. But Facebook shouldn't stop there—besides adding one big control, it should also promise to honor those controls in the future. The most frustrating thing about Facebook's privacy policy is that it's always changing.

I'm also wondering: Can Facebook set up a customer service phone number to call if you have a problem? Can it do a better job of preventing things like spam, phishing and malware? Can it build more secure coding into its platform to prevent vulnerabilities like this one?

Any sort of privacy outcry (and potential revenue hit) will only work to make Facebook stronger on all those fronts.

Facebook certainly has the money to invest in improvements. Even though the service is free, it's not like Zuckerberg needs to stand on any street corner with a cardboard sign.

But it should surprise nobody that when a website with an estimated 500 million members makes some change, it is going to ruffle the feathers of a good number of users (and gain the attention of the media).

Remember the numerous layout changes over the past couple of years? Judging from the status updates of my friends, it was like Facebook just axed their grandmother to death. They hated them. But I bet you if you ask someone to recall what the previous design looked like, they couldn't remember.

People don't like change. Plain and simple. But is Facebook nothing more than a data warehouse out to compromise your identity? Doubtful.

Let's appreciate Facebook for all it has done for us and what it will do for us in the future. Remember, we originally joined because we kind of, sort of like sharing our private things - photos, interests, happenings - with others.

Now's not the time to suddenly turn our backs on a site still finding its way.

We're just getting started.

My friend doesn't seem to be too upset. In fact, he just posted a status, not an hour ago: "I finally joined facebook, so please be gentle on me. this is a brave new world to me."

Remember to check your privacy settings, but don't you dare leave us.

 

Oracle patches Sun Java bug (probably)

Dan Kaplan April 15, 2010

It appears that Oracle on Thursday released an emergency fix for a severe vulnerability in Sun Java, after the flaw was revealed in two separate disclosures last week.

The update plugs three holes in Java. Presumably the Java Web Start fix addresses the flaw in question, in which the Java Deployment Toolkit browser plug-in fails to properly validate parameters, according to a Secunia advisory issued Monday. This can allow attackers to execute a JAR (Java Archive) file "on a network share in a privileged context."

In fact, the flaw has been leveraged in active attacks beginning this week.

However, I can't confirm the update closes the vulnerability because Oracle, which owns Sun, won't get back to me. And in its update advisory, it does not credit anyone with the flaw find.

Matter of fact, the company has made no mention of the bug at all since it was announced. One of the discovering researchers said the company told him that it didn't consider the issue a big enough deal to warrant an out-of-cycle fix.

It appears Oracle has changed its mind. Today's update, especially considering it was distributed out of cycle, certainly looks like the patch.

But, through some casual Twitter browsing today, I've seen contradictory tweets from researchers on whether this is actually the update for the vulnerability. (The Ormandy the second tweet refers to is Tavis Ormandy, the Google researcher who went full disclosure with the bug last Friday).

The "for": http://twitter.com/manzuik/status/12226294385

The "against": http://twitter.com/vlna/status/12230959161

So which one is it? I don't know.

I must admit, it's very disconcerting that a software vendor would not publicly make any statements regarding a security issue that has gotten widespread coverage, both in established media outlets and across social networking channels.

There are customers to worry about...right, Oracle?

 

Pennsylvania CISO's dismissal not in good judgment

Dan Kaplan March 11, 2010

The information security industry took a step back this week with news that the CISO of the state of Pennsylvania, Bob Maley, lost his job, likely over remarks he made during a panel discussion last week at the RSA Conference.

In an industry where information sharing is widely agreed upon as one of the paramount ways to combat the world's cybercriminal element, it is truly upsetting to see a security pro lose his job over doing just that.

Although a spokesman for the Pennsylvania governor wouldn't admit it, that is exactly what appears to have caused Maley's departure from a role he held for five years.

On a panel at the RSA show last week, on which he was joined by three other state CISOs, Maley offered details about a recent intrusion affecting the state's Department of Transportation website. He didn't get too specific, but it was specific enough to surely prove instructional to the scores of conference attendees in the audience.

He described, according to a report on govinfosecurity.com, how the owner of a driving school in Philadelphia used a Russian-based proxy to hide his identity as he exploited a vulnerability so that he could schedule his students for driving exams. (The wait list to take the test usually runs up to six weeks).

Maley, an SC Magazine CSO of the Year finalist, has always been a candid, shoot-from-the-hip kind of guy. I learned this from our conversation last summer when I interviewed the former cop for a cover story on data breach response. For the story, he recounted a number of breaches that have affected the state, rarely holding back details.

I'm assuming that this particular incident touched a nerve with state officials because the hacking was relatively recent, and there was still an investigation underway.

But even so, I find the firing to be counterproductive to what the security community is attempting to accomplish. The key to winning the battle against sophisticated hackers lies in details and anecdotes, exactly what Maley appears to have been offering. Speaking generally just doesn't cut it, not in this industry. And especially not at the world's premier gathering of information security professionals — one of the few times in the year when practitioners get together to swap stories on life in the trenches.

It's a shame, too. We were only just applauding Google for its transparency over the China attacks. Many had lauded the internet giant for coming clean about being the victim of a massive intrusion.

We seemed to be turning a corner...and then this.

In 2010, remaining mum, or too close to the vest, about incidents benefits nobody. Every organization in the country is being probed on a daily basis. Vulnerabilities are going to be there. Hacks are going to happen. Data is going to be exposed. The criminals are going to be one step ahead. Let's move on from this prevailing wisdom that any one organization is immune from attack.

Once we do that, and only then, can we take back the internet.

 

SC Magazine's try at predicting 2010

Dan Kaplan December 31, 2009

One of the unintended consequences of my job, having covered the IT security space for nearly four years, is my inability to accurately gauge the awareness that mainstream America has of cyber-risks.

I am so immersed in the topic, covering stories on a daily basis, writing about the vast array of vulnerabilities and breaches, legislation and lawsuits, phishing and spam, arrests and prosecutions, that I often forget infosec is not typical cocktail party material.

But while I am certain that most of my friends and family aren't aware of even a small percentage of the digital threats out there today, I do believe that they are catching on to the problem, bit by bit.

The tipping point is still not here -- just last night, for example, I was borrowing a friend's laptop and noticed it didn't have active AV protection. She didn't seem too pressed to fix the problem.

Part of the blame for this apathy could be sheer risk/reward. Why accept security advice when the rational economic move is to ignore it, as a Microsoft researcher recently argued? Not to mention, attacks are more targeted these days (meaning nobody notices the threats out there), and banks are pretty good at reimbursing you if you do happen to fall victim to financial fraud.

Still, each year, cognizance grows.

So, with that said, here is SC Magazine's token summation of 2010 threat predictions, compiled from the dozens of emails we received from the Nostradamuses of the IT security community.

  • Social networking threats: Experts seem to be in across-the-board agreement that cybercrooks are going to increasingly target these new media platforms to push their wares. Also, organizations will have to worry that their end-users will leak sensitive information. I mean, this makes sense. And it's been happening already. After all, where else can you find 350 million people chilling out on a website?
  • New platforms: No surprises here. Take your pick. Mobile devices, though, seem the likeliest candidate -- yet some experts seem unconvinced. Still, one has to believe that once people are actively using these smartphones to make transactions, the bad guys will be riding right along.
  • Apple: I'll believe that the Mac OS has become a viable target when the PR folks in Cupertino start returning my phone calls. Next...
  • HTML5/IPv6: An updated web markup language and increased address space have some believing that these new technologies are going to be abused. But adoption may not come in 2010. I'm sure this will be on the list next year, as well.

Other mentions: Continued targeted attacks via socially engineered malware, such as banking trojan Zeus (Zbot); search engine poisoning, cloud computing risks and botnet infrastructure innovations.

The news, though, is not all doom-and-gloom. One interesting prediction from McAfee suggests that the threat of rogue anti-virus will actually drop now that "the fake anti-virus market has...been saturated and the profits for cybercriminals have fallen."

With all this said, I wish you all a Happy New Year, and look forward to talking about cybercrime over a cocktail with you in 2010. Or 2011.


 

Citigroup: ACH or a different kind of federal bailout?

Dan Kaplan December 22, 2009

I find it hard to believe that Citigroup's media relations department would so adamantly deny the occurrence of a breach if it wasn't being completely genuine.

Because that is what they have done today in light of a report in The Wall Street Journal that the partially government-owned financial services firm was the victim of a hack that stole tens of millions of dollars.

When I read this story, there wasn't much meat, and I was pretty skeptical. I got even more skeptical when the FBI wouldn't comment on the story at all — not even to say that it was investigating.

So I did some searching around the blogosphere and saw that many others were equally suspicious of the story.

And then I remembered a story we wrote not too long ago, when the FBI said it was actively investigating a huge number of Automated Clearing House (ACH) fraud cases in which cybercriminals got hold of mostly small- and mid-size corporate bank accounts to transfer large sums of money out. Attempted losses, the FBI said, have reached more than $100 million.

This type of fraud, made possible by the data-stealing Zeus (Zbot) trojan, is arguably the biggest information security news story of the year.

So here's a report saying Citi, one of the world's biggest banks, has lost tens of millions of dollars to a breach.

Well, I wouldn't call ACH fraud a breach — it's more a matter of a customer getting hacked than the bank — but I could see how something like this could get lost in translation.

So there you have it. This is nothing new.

Call it a scoop that wasn't.

Problem solved.

Then again, maybe this was, in fact, a well-orchestrated Russian Business Network hack, and nobody is talking because the presidential administration wants to protect one of the financial services industry's most prized assets from any additional pounding.

Can you say data breach bailout?

Happy Holidays everyone.

 

Time for SMBs to step up to the plate

Dan Kaplan November 24, 2009

Time and time again, we've seen information security regulations and guidelines delayed due to the burden they might impose on small businesses.

For example, state officials, on multiple occasions, have pushed back enforcement of the Massachusetts data security regulations due to small business complaints, and most recently, the Federal Trade Commission announced it would postpone enforcement of the Red Flags Rule until next summer.

The economy is partially to blame, and it is a decent justification. After all, many small- and mid-size businesses are having enough trouble simply surviving the worst recession in decades, never mind needing to concern themselves with additional costs.

But then come alarming alerts from the FBI that hackers have this year seriously turned their attention to smaller organizations as part of their slick moneymaking operations. Bigger businesses may have the resources to better deal with the problem, and cybercrooks know this. So they now seem to be focusing more on the weakest link. And why not? Raiding the bank accounts of 10 mom-and-pop shops is likely just as valuable as compromising one big business. And probably much easier.

In today's threat landscape, it is incomprehensible for any size organization to consider implementing tougher security controls an unnecessary burden.

I've had discussions with experts about this. And they've told me that securing an organization does not require a great deal of investment. In fact, the basics -- updated anti-virus, patched machines, a comprehensive security policy, employee training, some web and email filtering -- go a long way toward keeping the bad guys out. The sad part is, many firms simply aren't doing the most fundamental stuff.

There is another side to this coin. Regulators must stiffen their enforcement agendas. Enough submitting to the concerns of business owners. It's 2009. There is no more slack that can be given. The losses are simply too large to bear any longer.

Thanksgiving is a holiday during which to cherish what we have. But the organized cybercriminal groups that always seem to be one step ahead of everyone else want to take all of that away, one phishing email or compromised PC at a time.

It's time the smaller firms fight back.