Sometimes the difference between selfless valor and selfish cowardice is stark. In the same week that 21-year-old Marine Sgt. Dakota Meyer is awarded the Medal of Honor for heroism in saving his compatriots in Afghanistan, we hear that Rene Quimby, 42, is sentenced to prison for stealing 16,000 identities of U.S. military service members and using that information to steal from 650 victims.
In his scam, Quimby went on online shopping sprees for computers, cameras, iPods, even washing machines, through accounts at the website of the Army and Air Force Exchange Services, the organization that does about $10 billion in business annually on military bases. Security lapses and data leakage problems gave Quimby his opening -- but last week he was sentenced to 75 months in federal prison and must pay $210,000 in restitution to AAFES.
Getting ripped off via stealthy network intrusions was the theme for the Summit on Advanced Persistent Threats, which was organized by trade group TechAmerica and RSA. As you probably know, RSA is the security company that acknowledged earlier this year that an intruder got into its network and stole sensitive information related to its SecurID product. Later, that information was used to attack Lockheed Martin.
RSA has since taken to organizing the equivalent of high-tech group therapy, and about 100 chief information security officers, CIOs and CEOs attended the APT Summit, which took place in July in Washington. A report about its main findings is forthcoming. One problem is that CISOs are understandably nervous about the legal ramifications of even talking about APTs.
The need to discreetly share intelligence was also the theme with the Department of Homeland Security (DHS) last week. At a congressional hearing, DHS Acting Deputy Under Secretary Greg Schaffer of the National Protection and Programs Directorate said DHS does work directly with financial institutions to thwart cyberattacks and plans to do so more in the future. Schaffer said top secret/sensitive compartmentalized information clearance to key banking and financial information systems managers so US-CERT can share more sensitive intelligence with the private institutions. To broaden that collaboration, DHS is seeking laws that would make that sharing less problematic. "Some institutions have concerns about the privacy implications of sharing information with the government or about brand damage that may result from reporting an incident," he said.
Are mammoth cyberattacks imminent? Gen. Keith Alexander, director of the National Security Agency and commander of the U.S. Cyber Command, says to get ready for something big. A destructive attack from cyberspace "is coming, in my opinion. It is a question of time. What we can't know for sure is how far out it is," and whether it will target commercial infrastructure, government networks or mobile platforms, the general said in remarks at last week's Maneuvering in CyberSpace Symposium.