Claudia Rast, a privacy attorney at Butzel Long, says the move may gain the search giant public relations benefits. But FISA is not likely to amend the standing gag order, she says.

The legal filing cites the First Amendment’s guarantee of free speech. Among the nine tech companies shown by whistleblower Edward Snowden to have been handing over consumer data to the government , Google has been the most aggressive in attempts to cast itself as co-operating the least.

“We have long pushed for transparency so users can better understand the extent to which governments request their data — and Google was the first company to release numbers for National Security Letters,” the company said in a statement.

Google emailed the statement to USA TODAY.

“However, greater transparency is needed, so today we have petitioned the Foreign Intelligence Surveillance Court to allow us to publish aggregate numbers of national security requests, including FISA disclosures, separately,” Google said in a statement.

“Lumping national security requests together with criminal requests — as some companies have been permitted to do — would be a backward step for our users,” Google said.

Snowden was a low-level consultant who admitted to stealing documentation of NSA anti-terrorism programs that involved monitoring of phone records and Internet behaviors of consumers.

Last week, both Facebook and Microsoft released details on the number of legal orders made to them by the NSA. But Google wants to disclose even more details, such as time frames of requests. Under federal law, the NSA is permitted to issue such requests under complete secrecy.

Rast says FISA is not in a position to declassify any information the NSA wants to keep secret, including presumably innocuous information Google wants permission to divulge. It probably will take a policy decision by the Obama Administration or an act of Congress to compel NSA to relax the gag order, as Google wants.

“This is a PR issue,” Rast says. “Basically the companies are held to not disclose any aspect of it (PRISM) at all. And they’re struggling to come up with a way to defend the privacy of their customers within the context of the FISA court issue.”

Now that the existence of PRISM is public knowledge, the companies have a big incentive to disclose the precise nature of what’s being handed over to the government.

“Google is now bending over backwards every chance it can in order to paint a public perception of itself as standing up to the U.S. Government,” says Scott Cleland, president of Precursor, a research consultancy for Fortune 500 companies, some of whom are Google competitors. “That’s a tough sell because before this NSA spying revelation, Google portrayed itself publicly as having exceptionally close ties to the U.S. Government at the highest levels.”

At stake are billions in profits the companies anticipate from products and services tied into the Internet cloud. Consumer trust is required for that projected commerce to fully mature.

Google has by far the most to protect.The search giant is expected to make more from mobile ads than all other companies combined for the second straight year, totaling nearly $8.9 billion in mobile ad revenue in 2013, according to projections from research firm eMarketer. That would give Google 56% of the total mobile ad market. And that’s only a fraction of what Google earns from its dominant, bread-and-butter search term advertising business. Google’s revenue topped $50 billion in 2012.

“Google’s court filing is a step in the right direction,” says Josh Bell, media strategist at the American Civil Liberties Union. “The public has a right to know more about the government’s sweeping surveillance programs so that it can judge for itself whether they are necessary and legal.”

(EDITOR’S NOTE: This is the inaugural CyberTruth column, which explores trends and breaking news in the cybersecurity field.)

SEATTLE – If you use an Internet-connected smartphone, touch tablet, e-reader, notebook, laptop or desktop computer you ought to care about cybersecurity and online privacy. Here you’ll find information you can use to live your digital life more securely — and on terms of your choosing.

So let’s drill down on a particularly nasty form of fraudently spam that’s on the rise: SMS text messaging spam.

Spam is most familiar as obnoxious pitches for dubious products that most of us are used to ignoring. But cybercriminals have figured out that they can trigger any number of lucrative scams if they can get us, via a text message, to do something, such as click on a link, send a text or make a phone call.

The immersive Internet cloud and our love affair with mobile devices combine to make a perfect platform for clever spammers. Text messages are cheap, anonymous and scalable. And we haven’t learned to be as wary as we should be of messages that arrive on our phone screens.

So spam gangs are increasingly supplementing their e-mail campaigns with SMS spam. Their singular goal is to get more of us to click on more of their messages.

The elite spam gangs are making high use of tracking techniques, pioneered by the likes of Google and Facebook, to infuse more efficiency into their scam campaigns. Each time you type your phone number into a web form, such as your Facebook profile page or a web survey, that data gets compiled, stored and sold to marketers, including spammers.

The best-and-brightest spammers are obtaining and using these lists of active numbers. Anyone can go online and buy lists of 100,000 numbers, broken down by carrier, for as little as $400.

One particular gang has begun sending messages to active numbers in certain area codes — after first correlating smaller local banks to phone numbers, says Gareth Maclachlan, chief operating officer of AdaptiveMobile, a British firm that supplies telcos with traffic monitoring systems.

In early April, AdaptiveMobile recorded spammers targeting an exact location in Tennessee with 11,738 spam messages in a single attack. This was part of a much larger scheme to reach patrons of smaller financial firms in several states with SMS text messages advising each recipient that his or her bank card had been deactivated, and supplying a phone number to call.

“If you target a particular message to individuals living in a particular town, and you know the local bank there, you’re likely to get a better hit rate than if you mass marketed the whole of the U.S. with a well-known bank,” Maclachlan says.

On the other end of the line: a con artist poised to trick the victim into divulging access information. The spammers wouldn’t do this, if they couldn’t cash in quickly. They likely are collaborating with other gangs who recruit and manage “money mules” assigned to instantly transfer funds through several online accounts and, finally, extract cash from an ATM machine.

The lesson: each tidbit of information you divulge about yourself on line is valuable – to legit marketers and shady spammers. So be savvy, and be safe.

By Dave Jevans

USB thumb drives, or flash drives, are back in the news as a security threat. Recent NSA secrets leaker, Edward Snowden, allegedly used a USB thumb drive to copy secrets about the PRISM spy program from the US National Security Agency (NSA), and disclose those to the world’s media.

Hundreds of millions of thumb drives (aka flash drives) are sold every year. In addition to backing up data, these little devices are extremely useful for sharing large files between computers. I speak at cyber security conferences around the world on a regular basis, and my flash drive is the best and most reliable way for me to copy large PowerPoint presentations and photos between my computer and the computers at conferences that display the presentations to my audiences. It’s more convenient and secure than using an Internet file sharing service.

But there are dangers to using USB storage devices. The first is the risk of storing your private data on a thumb drive, and then losing it in a taxi or airport, or having the device stolen. This risk can easily be mitigated by using a secure USB thumb drive that requires a password to unlock it, such as an IronKey. Malicious viruses can also be spread through thumb drives. Secure thumb drives often include anti-virus capabilities that prevent portable viruses like Confiker from spreading to your computers. You should also disable auto-run on your Windows computers to prevent malicious code on thumb drives from infecting your computers.

An even bigger risk is that most employees walk in every day with devices that can steal company information. It’s their iPhones, iPads, Androids and any other smartphone. These are all storage devices that can be used to copy gigabytes of company information and walk right out the door, or share that data over the Internet.

Requiring Mobile Device Security software on any device that is allowed to connect to your computers is a great way to enforce the same level of security as that provided by secure thumb drives to protect your data. The remote wipe capability can also allow you to remotely delete data if you or an employee loses their smartphone or tablet.

About the Author

David Jevans is the founder, Chairman and Chief Technology Officer of Marble Security, provider of security software and services for mobile devices. He was was previously the founder of IronKey,which makes secure thumb drives. Jevans is also chairman of the Anti-Phishing Working Group.

By Vladimir Eremeev

Video surveillance has become an extension of society, reaching far beyond the days of parking garage security cameras and well into the open streets of major cities

The video surveillance system of today is a remarkably fast-growing industry with an estimated worth of over $5 billion that is slated to reach over $25 billion by 2016.

The use of the technology has steadily grown over the past decade or so as new technology has been introduced, making the access and storage of data more practical for both private and government sectors.

Pointed advances in the technology have given rise to wider use of sophisticated surveillance systems such as facial recognition and digital imaging.

This type of data collecting is perhaps the most poignant aspect responsible for the concept of the provincial big brother, Orwellian society so many rightfully fear.

Far from the fabled dystopian society of Orwell’s 1984, public surveillance has taken more of an active approach in deterring or assisting in criminal activity investigations within communities.

Even with the apparent intent of good, the idea surrounding video surveillance of public areas continues to tote privacy issues and is easily seen as an infringement on guaranteed constitutional freedoms.

As vast numbers of cities have installed, or are in the process of installing cameras in public areas, the almost tangible distrust amongst society toward video surveillance only increases with talks of unmanned drones policing foreign streets, bringing the possibility of implementing drone technology closer to the US.

Although government and private surveillance use intersect, most of the video surveillance systems installed in the US differ greatly from the type of surveillance military sectors use.

Home camera systems in the private sector are the fastest growing type of surveillance components in the U.S. These installs are intended to, at best, prevent crime or at the very least, assist in identifying the perpetrator of a suspected crime, both of which prove to be helpful in the eye of the law.

Large chain retailers are the main users of this type of surveillance, with public areas receiving government funding to install a similar type of surveillance.

The technology used in these particular systems utilizes cloud-based configuring, which allows for continuous access to a specific video stream from any remote location.

Although the motives behind installing surveillance may differ greatly, home systems are not perceived as a violation to privacy in relation to a government entity whose motivation may be less transparent to the public.

With an eye on future development, the technology will continue to improve and advance using cloud-based surveillance as its primary technological component.

Despite the vast public demand to limit the infringement of privacy rights for all entities that utilize video surveillance systems, privacy debates will continue to converge with the advancement of this technology for years to come.

Whether private or government operated, the technology behind video surveillance is undoubtedly here to stay as it steadily trickles further into the everyday world.

So are Microsoft, Yahoo, Facebook, Apple, AOL, Skype (now part of Microsoft) and Paltalk — the other tech companies mentioned in PowerPoint slides depicting the Prism program, slides that were leaked by whistleblower Edward Snowden.

A lot is at stake. The tech giants are all hustling to swell profits derived from products and services tied into the Internet cloud. A necessary ingredient to accomplish that — consumer trust – has been put under another kind of cloud by the Prism disclosures.

“It’s no secret that the tech companies are in damage control right now trying to regain their users’ trust,” says Jonathan Mayer, fellow at Stanford University’s Center for Internet and Society.

CONTEXT: Why online tracking is a privacy time bomb

VIDEO:Data mining pits national security vs. individual privacy

At the moment, there is a gap in the facts between what the PowerPoint slides leaked by Snowden appear to depict – and Google’s flat denials; in particular, the company insists that its senior executives, at least, never heard of Prism before it splashed into global headlines last week. Even so, Google disclosed today that it did hand over consumer data to the feds, but only using rudimentary technologies.

Google’s corporate spokesman, Chris Gaither, issued this statement: “We refuse to participate in any program — for national security or other reasons — that requires us to provide governments with access to our systems or to install their equipment on our networks. When required to comply with these requests, we deliver that information to the US government–generally through secure FTP transfers and in person. The US government does not have the ability to pull that data directly from our servers or network.”

Claudia Rast, a privacy attorney at Butzel Long, says the company’s assertions that it resorted to use of simple File Transfer Protocal, or FTP, data transferring technology, and even simpler hand deliveries, to honor very narrow data requests from the feds rings true.

By contrast, the PowerPoint slides published by The Guardian clearly identify the tech companies as supplying data to Prism. Yet the slide graphics really don’t specify the technology used, nor the frequency of the requests, nor the scope of the data transferred.

Rast said it would be just plain good legal sense for Google and the other tech companies to treat data requests from the feds very conservatively.

“Legally, a company’s not going to allow wide open access to their data,” Rast says. “They’re going to want specific time frame and scope of the search.”

Gaither’s statement today is probably air tight, says Scott Cleland, president of consultancy Precursor. That’s because corporations routinely take steps to keep its executives in a position to deny knowledge of anything potentially controversial.

“The companies are smart. They would have broadly delegated authority for their company’s NSA compliance to a very small number of individuals supervised by a company legal official of some kind; and only those few people would get the security clearances necessary to know what is transpiring,” says Cleland.

This compartmentalization, he says, keeps sensitive information in the hands of a few. “The leadership wants and needs to have reasonable and plausible deniability for times exactly like this,” says Cleland, who has testified before Congress on several occasions criticizing Google’s business practices.

“Google’s whole business model depends on people exercising minimal privacy limits on Google’s world-leading collection of their private data,” Cleland says. “They understand they must change the conversation from Google being perceived as a complicit bad guy holding the world’s largest trove of intimate private info on the most people, to a champion of user privacy and security demonizing government for not allowing more openness and transparency of secret activities.”

Gary Steele, CEO of cloud security company Proofpoint, says that a complex data collection program, like Prism, involving multiple companies, could easily be handled differently with each vendor.

“It’s entirely plausible that some of the government’s described capabilities only apply to some providers, thus causing an apparent gap between what some providers say publicly and what it’s alleged the government is doing,” observes Steele.

Google has by far the most to protect.The search giant is expected to make more from mobile ads than all other companies combined for the second straight year, totaling nearly $8.9 billion in mobile ad revenue in 2013, according to projections from research firm eMarketer. That would give Google 56% of the total mobile ad market. And that’s only a fraction of what Google earns from its dominant, bread-and-butter search term advertising business. Google’s revenue topped $50 billion in 2012.

What could come out of the revelations about Prism is a push by U.S. companies to follow Google’s lead and petition the NSA for permission to be more transparent about government data mining of consumers’ Internet behaviors than has been the practice thus far under the Patriot Act.

“A notable aspect is the number of service providers who have come forward to petition the government for more transparency.” Steele says. “It shows the providers understand their business relies on trust–trust that is at risk if customers believe their data privacy isn’t being protected. There may be companies willing to cooperate with the US government on cyber security issues, as long as their business doesn’t suffer competitively against firms in jurisdictions with stronger privacy safeguards.”

Rob D’Ovidio, associate professor of criminal justice at Drexel University, says he gets why Google is striving for plausible deniability.

Any involvement, whether voluntarily or compelled through a judicial order, in handing over its customers’ data to government surveillance officials “will not sit well with its users and likely cause mass migration to other service providers,” D’Ovidio says.

Indeed, Prism could be the tripwire that finally grabs the attention of convenience-minded U.S. consumers, who have been largely oblivious to exhaustive tracking of their every online move by tech companies chasing online advertising revenue. And it’s sure to add fuel to the fire in Europe, where the preservation of individual privacy has long been – and continues to be – a touchstone issue.

John Simpson, Consumer Watchdog’s privacy project director, says it’s crucial for Google and the tech companies to do everything possible to restore the public’s confidence in the wake of the revelations about Prism.

“The massive database that Google has is a honeypot for the NSA, and the snoops wouldn’t be using unconstitutional overreaching surveillance tactics if Google didn’t have this data and retain for so long,” says Simpson. “Google perhaps wasn’t as cooperative as some of the others, but the Internet giant clearly turned over massive amounts of user data.”

Though IT departments continue to concentrate their resources on external threats, there is a new attack vector that is emanating from the inside, from none other than organizations’ very own employees.

We’ve recently seen the risks associated with disgruntled employees and uneducated users. But there is one other employee type that’s often overlooked – and perhaps the most dangerous of all.

Fresh statistics from Cisco prove the dangers of organizations’ resident “techies” – mostly Gen Y, technologically-savvy individuals who are often touted for their IT expertise and technical know-how. This is a generation that grew up in an online world, accustomed to its freedom of access.

As they graduate college and enter the workforce, they bring with them those same expectations of access and availability. Patterns have shown that it’s these very Gen Y workers who are most likely to demand elevated privileges when it comes to IT systems and network usage.

And the profiling of these “risky” employees can be narrowed further still – in a survey of 1,500 IT professionals, 80 percent pointed to male employees between the ages of 20 to 35-years-old, as those most likely to demand elevated rights.

IT heads are now faced with the mounting demands of these younger employees. Of course, when you consider the nature of the techie’s role, granting administrative rights seems merited. For example, these employees might take the function of break-fix engineers who need the access permissions to log onto machines and servers in order to remedy glitches.

Or, they might require the administrative rights to update systems, configure settings or install software. Restrictive policies that only allow them to do A, B and C actually hinder their workflow, slowing them down and potentially costing the organization in terms of efficiency and resources. As such, these employees do have a legitimate need for flexibility in terms of their technology use in the workplace. Plus, given their expertise, they are often trusted with this flexibility.

However, there is an inherent danger in granting these excessive IT privileges. For one, unauthorized application downloads might invade the system, opening the entire corporate network up to vulnerability. Without stern policy controls in place, an employee could unwittingly run an infected html link or simply open a malware-ridden email attachment.

As a result, they’re opening the door for cyber intrusion from within the confines of the corporate firewall. What make these unmanaged downloads even more dangerous is the fact that once they are embedded in the system, they are able to cloak themselves and burrow even deeper within the system’s infrastructure, going undetected for long periods of time.

Still, work place trends demonstrate that there remains a clear disconnect between IT departments’ awareness of these dangers and their initiative to rectify them. In fact, most IT professionals admit that unauthorized application downloads are often the culprit of infections, but the majority of them still don’t know how many unfettered applications are currently running on their corporate network. Some IT decision makers have tried to defend their stance by adding application control as a safety net, but the reality is, there are always ways around this. In fact, when you couple administrative rights with the skills and expertise of today’s savvy employees, antivirus and application controls can be disabled in seconds.

As a baseline approach, the solution is simple: limit admin rights to only few key administrators, and no more. No matter how experienced and tech-savvy your employees are, organizations cannot afford to let malware slip through the cracks – particularly in today’s tumultuous IT landscape where malware is sophisticated enough to do so easily, and unnoticeably.

Of course, there will be a number of different instances like system tweaks and configurations that require the elevation of rights. In these cases, IT departments might rethink how they are granting rights. By assigning permissions to the applications themselves, instead of their users, the potential for human error is removed from the equation completely.

While investing in security against external threats is absolutely necessary, organizations must consider other threatening factors lying within the perimeter of their external defense. As the next-generation workforce adapts to the ever-evolving technological landscape, IT departments will have to be increasingly conscious of how this might impact their security posture, and ultimately their entire corporate well-being.

Snowden — the low-level contract analyst turned whistleblower who outed the National Security Agency’s PRISM data mining program – makes a lot of claims in his 12 minute video interview with The Guardian.

As a Booz Allen Hamilton network analyst based in Hawaii, Snowden clearly had the technical savvy to take full advantage of known ways for anyone inside the network of a large organization to roam deeper.

Snowden claimed he could wiretap anyone’s phone and had access to information showing wide ranging “abuses ” by the agency. He publicly released PowerPoint slides depicting PRISM, a secret NSA program for data mining information on individuals’ online behavior contributed by Google, Microsoft, Facebook, Apple and PalTalk.

He also claimed to possess the “full rosters of everyone working at the NSA, the entire intelligence community and undercover assets all around the world, the locations of every station we have, what their missions are and so forth.”

Snowden claimed to have the ability to “shut down the surveillance system in an afternoon. But that’s not my intention.”

Agency investigators now should be able to trace Snowden’s internet activities and determine the true extent of his infiltration of sensitive material, says Wade Williamson, senior security analyst at firewall company Palo Alto Networks.

It’s a big leap from stealing classified PowerPoint slides to wire tapping phones and accessing dossiers for spies and other agency personal. And the NSA presumably segmented access to very sensitive data says Williamson.

“I have access to lots and lots of confidential documents here at my company, but I’m not allowed to change how the network runs,” Williamson says. “He (Snowden) may have had access to PowerPoint slides, but not necessarily have control of all those other systems.

“What we don’t know is how broad that leak really was. From a national security point of view, that’s where I would want to go back and take a hard look at the veracity of his statements.”

Dr. Mike Lloyd, chief technology officer of Red Seal Networks, notes that unverified claims are just that – unverified.

“Hackers have always had a strong tendency to brag, and since so much of the activity is hard to trace, they also tend to exaggerate,” Lloyd says.

Lloyd concedes that the PowerPoint slides leak seems very credible.

“In studies of all infrastructures, including those used by the intelligence and defense communities, there are weaknesses all over the place,” Lloyd says. “People at the NSA understand what it means to say, ‘Red Team always wins.’ This translates to the point that a dedicated, persistent attacker will eventually find a gap you missed when you built your defenses.”

Jason Mical, vice president at AccessData Group, says there could any number of reasons why Snowden only disclosed PowerPoint slides. “For example, perhaps he was only interested in exposing enough information to get the message out and was not interested in releasing information that would more directly expose this nation and its intel community to risk,” Mical observes.

Scott Hazdra, principal security consultant, Neohapsis: Every organization has to strike a balance between granting access and protecting their information assets. Employees, contractors, consultants and vendors all require some level of access to perform their jobs. Information should be classified as to whether it’s public, internal only or classified.

There should be rules in place as to who can access the different categories of information. And there should be proper controls around the information itself. In the end, it’s also entirely possible that an organization does everything right, but someone with access and authority makes a decision at odds with that of the organization.

Eric Chiu, founder and president, HyTrust: Insiders by definition are already inside or within your organization and generally have access to corporate and sensitive information. Systems administrators in particular, although low level, typically have the highest access to systems and data, given that they manage those systems.

Without implementing adequate role-based access, companies and organizations are giving god-like access to their systems administrators with those privileged accounts.

Andy Hubbard, senior security consultant at Neohapsis: Organizations, even today, make the mistake of assuming that internal systems are safe from tampering and access. Insiders are often provisioned with access to shares, applications, and data storage locations without any review. In order to ease administrative burden, users are provided access to system resources based on generalized access requirements, which may overlook or disregard data access controls that should be in place.

Users within many environments are indiscrete with where and how they store data that they are working with. This is the case even in highly regulated environments or environments with specific policies around data management. It is often quite possible to find multiple copies of confidential data in unprotected locations.

Edward Snowden’s ability to extract sensitive data from the NSA, working as a low-level contract consultant, comes as no surprise to the security community.

Security experts say Snowden, a Booz Allen Hamilton network analyst based in Hawaii, had the technical savvy to take full advantage of two major security challenges all organizations face: managing privileged accounts and keeping PCs, databases and applications updated with the lastest security patches.

While details of how he did it aren’t yet clear, Snowden’s escapades highlight a complex challenge all large organizations face in securing sprawling networks increasingly reliant on Internet cloud connections and use of mobile devices.

“Digital assets are all plugged into an amazingly complex infrastructure,” says Mike Lloyd, chief technology officer at network security firm Red Seal Networks. “Even diligent defenders struggle to keep up with all the latest weaknesses, and the dizzying interactions between interdependent systems and layers. We cannot defend what we cannot understand.”

Snowden claims to have a long history of working as an IT specialist, including stints as a systems engineer, systems administrator, a senior adviser for the CIA, and a telecommunications systems information officer.

As Snowden told The Guardian in a videotaped interview: “When you’re in positions of privileged access, like a systems administrator, for these sort of intelligence community agencies, you’re exposed to a lot more information on a broader scale than the average employee … Anybody in the positions of access with the technical capabilities that I had could, you know, suck out secrets.”

“I’m no different from anybody else,” he said. “I don’t have special skills.”

Snowden would have been well-aware of so-called privileged accounts, the logons that give administrative access to any device with a microprocessor, including PCs, servers, databases and copiers.

By identifying and accessing privileged accounts, an unscrupulous insider can easily roam far and wide inside an organization’s network. Such accounts function, in effect, as master keys to the deepest, most sensitive parts of an organization’s digital assets.

A recent survey by Cyber-Ark Software found that 86% of large enterprise organizations either do not know or underestimate the number of privileged accounts incorporated into their networks. Most have three or four times as many privileges accounts as actual employees.

Snowden claimed that he could wiretap anyone’s phone and had access to information showing wide ranging “abuses ” by the agency. He publicly released PowerPoint slides depicting PRISM, a secret NSA program for data mining information on individuals’ online behavior contributed by Google, Microsoft, Facebook, Apple and PalTalk.

He also claimed to possess the “full rosters of everyone working at the NSA, the entire intelligence community and undercover assets all around the world, the locations of every station we have, what their missions are and so forth.”

Snowden claimed to have the ability to “shut down the surveillance system in an afternoon. But that’s not my intention.”

Agency investigators now should be able to trace Snowden’s Internet activities and determine the true extent of his infiltration of sensitive material, says Wade Williamson, senior security analyst at firewall company Palo Alto Networks.

It’s a big leap from stealing classified PowerPoint slides to wire-tapping phones and accessing dossiers for spies and other agency personnel. And the NSA presumably segmented access to very sensitive data, Williamson says.

“I have access to lots and lots of confidential documents here at my company, but I’m not allowed to change how the network runs,” Williamson says. “He (Snowden) may have had access to PowerPoint slides, but not necessarily have control of all those other systems.

“What we don’t know is how broad that leak really was,” he added. “From a national security point of view, that’s where I would want to go back and take a hard look at the veracity of his statements.”

Another way Snowden could have accessed material is to take advantage of the agency’s process for installing security patches.

Corporations and big agencies continue to struggle with installing patches for computer operating systems and applications, which are issued constantly. The ideal — rarely met in corporate settings — is to install all critical security patches within 48 hours, says Wolfgang Kandek, chief technology officer at patch management firm Qualys.

A savvy insider would be familiar with the lags, and could move to “gain administrative privileges on an unpatched machine and then begin to look around the network to see what else you can find,” Kandek says.

Udi Mokady, CEO of Cyber-Ark, which supplies technology to manage privileged accounts, says he was not surprised that a contracted analyst working from Hawaii was able to take advantage of known network weaknesses.

A similar incident made headlines in Europe last December, when a senior IT employee of Switzerland’s state intelligence service reportedly pilfered data shared with the Swiss from the United States’ Central Intelligence Agency (CIA) and the U.K.’s Secret Intelligence Agency (MI6).

The Swiss intelligence service, NDB, has not named the employee, who reportedly had administrator-level rights to large stores of classified data.

“It’s a dirty secret in IT that you can have thousands of people in the IT layer with the ability to survey all of your data,” Mokady says. Based on what Snowden said in his video interview, “it makes full sense that he abused his administrative rights,” Mokady says.

The NSA should have done a more thorough job screening Snowden before giving him network access and had more effective systems in place to monitor his network activities, says Joelle Scott, director of business intelligence at Corporate Resolutions, a consultancy that does security checks and investigates corporate crime.

“What’s most shocking is that there was a lack of proper internal controls,” Scott says. “There is no reason why this should have happened to the NSA.”

Last week, McAfee released a threat report showing samples of Koobface, the Facebook spreading worm, spiking in the Internet wild all through the first three months of 2013.

But on Friday, the anti-virus giant that’s now part of Intel did a complete reversal.

In a cryptically-worded blog post , researcher Craig Schmugar notes that sample counts can be “influenced by repacking of the same underlying code . . . and other forms of server or client polymorphisms.”

Schmugar confesses that “these factors led to our Koobface statisitcs being off by a large margin.”

Facebook issued no public statement. But the company’s PR agency contacted all the publications that ran with McAfee’s initial, alarming, survey results.

Cyberattacks are real and pose tangible risks to consumers and businesses. And public awareness is not what it should be. McAfee is not alone when it comes to competitive vendors walking — and sometimes stepping over – the thin line between building public awareness and fear mongering to gin up sales. Schmugar’s post, titled “Koobface Count Correction,” did not include an apology.