As long as marketers are willing to spam and scam to make money by taking advantage of people, this type of blight will continue to find new outlets and leave a trail of victims.    These offers all rely on  automatic credit card rebilling (euphemistically called “negative option” or “reverse billing”) and the fact that users don’t take the time to read the fine print.  Dennis sums up the whole problem with a tongue-in-cheek set of recommendations on how you too can make money with this incredible opportunity.

So if you want to cash in on this totally awesome Facebook advertising bonanza—and MySpace, too, since they’re far more lenient on ads—follow these simple steps:

Find a few products of legitimate brands. The more legitimate the brand, the more trust you can suck out in parasite fashion.
Create pages for a free giveaway. Design them too look as official as possible.  If you don’t know how to write in complete sentences yet, hire an unemployed journalist on Elance or the like.
Sign up for an affiliate network. You want to create or promote something called an “email or zip submit.” In fact, you can probably skip the first two steps (which require a lot of effort) and just start promoting what’s already there—free cameras, gas cards, restaurant gift certificates, or whatever is hot right now.
Set up ads on Facebook. Tailor your ad copy so that it implies that the brand is actually sponsoring it.  Use creative copywriting skills to imply that there are only a few left and that it’s for males 50-52 in Duluth, Minnesota only (and make sure that you set your demographic targeting on Facebook to match). If you really want to juice conversions, tell the user that you’re looking for testers of the product (the new Google phone, perhaps) and that testers are allowed to keep the product when testing is done.
Sit back and collect your money. That is, of course, until you get in trouble, since the FTC will eventually catch up to you.

Of course, companies with robust fraud solution software have much less to worry about in the face of such blunt-force attacks, but sadly, not everyone has gotten on board with such innovative solutions.

Today’s report, in fairly non-technical language, comes from none other than USA Today:

Email filtering company Red Condor has been intercepting an email phishing campaign spreading faked Microsoft Outlook alerts at a phenomenal rate.

Faked Outlook updates in recent weeks have emerged as a popular vehicle to implant banking Trojans — which bad guys use to access your online account to make fraudulent transfers.

They work because the intended victim receives a personalized email message that appears to come from a techie using a return email address from the same domain as the target.

The version Red Condor began intercepting on Thursday is unique as to the frequency with which it is being blasted out across the Internet — and the efficiency with which it automatically customizes each message to improve the odds of fooling the recipient. The end game: trick the target into clicking on a link that will implant the banking Trojan.

“The attack has hit thousands of Red Condor’s customer domains,” says Red Condor researcher Brien Voorhees. “There doesn’t appear to be any discrimination. My personal domain was targeted and it looks like most of our other employees’ personal domains were hit as well.”

By noon Pacific time on Friday Red Condor had blocked well over a million of these messages, an indicator of a massive spam campaign, originating from a large botnet under control of the attackers. A botnet is a network of thousands of compromised PCs in homes and businesses used by bad guys to carry out a wide range of Internet-enabled criminal activity.

This latest Outlook attack is the most recent iteration of a distinctive type of phishing attack that took shape over the course of 2009. Earlier attacks used ruses referencing UPS shipping documents, IRS notices, Vonage account updates, H1N1 alerts and Facebook account updates to get recipients to click on a tainted Web link. Most often, the malicious link also turns the infected machine into a bot under control of the attacker.

“Throughout 2009, we saw a tremendous increase in the volume of phishing campaigns and botnet activity, as well as proliferation of banking Trojans,” says Voorhees. “If you look at the types of attacks during the past year, it is clear that many are focused on taking advantage of the casual way that people use email and the Internet today.”

Because social networks, while user-friendly and generally open to all, present unique challenges both to cybercriminals and the security industry devoted to defeating them. And keeping up with the online security stories about these networks is a big part of that.

The full article is rather long, so I’ll cut this introduction short, in order to present it all here.

Facebook and Twitter use skyrocketed in 2009, and naturally the social networking sites became magnets for hacker attacks and sparked other types of privacy concerns. CIOs have expressed doubts about the social networking sites, and these stories show there is good reason to be worried. Here, in chronological order, are the top 10 security and privacy stories concerning Facebook and Twitter from the past year.

 

Jan. 6: Hackers hijack Obama’s, Britney’s Twitter accounts

Hackers gained control of more than 30 famous Twitter accounts, including those of Barack Obama, Britney Spears and Fox News. Twitter locked the accounts down quickly and restored control to their rightful owners, but not before the hacked accounts were used to send out nasty messages.

“CNN correspondent Rick Sanchez’s account, for example, tweeted a message claiming that ‘i am high on crack right now might not be coming to work today,’ while Fox News’ Twitter update reported ‘Breaking: Bill O Riley [sic] is gay,’ referring to the network’s conservative talk show host,” the IDG News Service reported.

Twitter said the accounts were hacked into using the company’s own internal support tools. The breach was considered serious enough that Twitter took the support tools offline until they were secured.

 

April 11: Twitter wrestles with multiple worm attacks

Worm attacks kept Twitter’s security team busy for several days, as the site scrambled to identify infected accounts and delete rogue tweets. “Early on Saturday, April 11, the Mikeyy worm started to spread via Twitter posts by encouraging you to click on a link to a rival micro-blogging service StalkDaily.com,” PC World reported. “As soon as you clicked on the link your account would be infected and begin to send out similar messages encouraging your followers to visit StalkDaily. Then your followers would become infected and the worm’s infection rate would grow. You could also catch the worm by viewing infected profiles on Twitter.com.”

Four attacks were launched between April 11 and 13, but no user account information was stolen.

 

May 18: Phishers, viruses target Facebook users

This headline could probably be written any day of any year, but we’ll just pick a story from May, when identity thieves hit Facebook with phishing attacks designed to gain passwords for profit. Other examples from 2009: A password reset e-mail reported in October turns out to be a virus; again in October some hacked Facebook applications were leading users to fake antivirus programs; and in November hackers used a sexy photo of a woman to lure people to an attack Web site.

 

July 15: Twitter/Google Apps hack raises questions about cloud security

Twitter executives were victimized when a hacker obtained and distributed more than 300 confidential documents that concerned Twitter’s business affairs and were stored on the hosted Google Apps service. Insufficient password strength seemed to be the root cause, and Twitter co-founder Biz Stone said Google was not to blame. The hacker reportedly also claimed to have compromised the Twitter accounts of co-founder Evan Williams, his wife and several employees. Williams denied this, but said his wife’s e-mail account was compromised.

 

Aug. 4: High-profile organizations ban Facebook, Twitter

The U.S. Marine Corps formalized a ban on social networking sites such as Facebook and Twitter, saying “these Internet sites in general are a proven haven for malicious actors and content and are particularly high risk due to information exposure, user generated content and targeting by adversaries.” The ban applies to Marine Corps networks, but does not prevent Marines from posting to social networks on their own time.

The Marines were not alone in taking such action. More than half of CIOs have completely prohibited use of social networks during company time, according to a Robert Half Technology survey of more than 1,400 CIOs from U.S. companies with at least 100 employees.

 

Aug. 6: Twitter victimized by distributed denial-of-service attack

Twitter was taken offline for two hours by a distributed denial-of-service attack, the first Twitter outage lasting longer than five minutes since June 16. Twitter continued to battle the distributed DoS attacks for several days, experiencing several more short outages. The same attack also targeted Facebook, but merely slowed the site down rather than taking it offline. The attack was reportedly politically motivated, and may have been related to the Russia-Georgia conflict. Politics may also have contributed to another Twitter outage on Dec. 18, in which a group called the “Iranian Cyber Army” claimed to take Twitter offline.

 

Aug. 14: Twitter used to manage botnet

A security researcher at Arbor Networks found that hackers were using Twitter to organize a botnet, the name given to a network of infected computers that does the bidding of bad guys who manage it.

“Botnet owners are continuously working on finding new ways of keeping their networks up and running, and Twitter seems to be the latest trick,” the IDG News Service reported. “A now-suspended Twitter account was being used to post tweets that had links [to] new commands or executables to download and run, which would then be used by the botnet code on infected machines.”

The account was suspended and investigated by Twitter’s security team, but appeared to be one of a handful of similar malicious Twitter accounts.

 

Oct. 30: Facebook awarded $711 million in spammer case

Facebook used the legal system to fight back against a spammer who had gained access to user accounts, winning a judgment of $711 million against one Sanford Wallace. Wallace allegedly obtained login credentials for user accounts, and used those hijacked accounts to send spam that linked to phishing sites, sought to collect more Facebook account credentials, or linked to commercial Web sites that paid spammers for referrals.

“While we don’t expect to receive the vast majority of the award, we hope that this will act as a continued deterrent against these criminals,” Facebook said. Wallace may also face jail time.

 

Dec. 8: Facebook shuts down Beacon program, donates $9.5 million to settle lawsuit

Facebook found itself on the other side of the courtroom when plaintiffs filed a class action lawsuit alleging privacy violations in Facebook’s Beacon program, which let third-party Web sites — such as Blockbuster, Fandango and Overstock.com — distribute “stories” about users to Facebook. Facebook did not admit to any wrongdoing, but ultimately agreed to shut the Beacon program down and donate $9.5 million to create a nonprofit foundation to promote online privacy, safety and security. The same week, Facebook also set up a new advisory board designed to improve user safety.

 

Dec. 9: Facebook unveils controversial new privacy settings

Facebook unveiled new privacy settings that it said were designed to give users more control over what information they share, but users reacted in anger after the overhaul led many to inadvertently expose content that was previously set to private.

“Great ? job. Now everyone who isn’t even my friend can see my profile,” one user complained.

Some of the problem came down to confusion over how to apply the new settings. If used correctly, the settings do allow users to hide most of the content on their profiles. Still, the incident led to some negative attention for Facebook, and the site backtracked somewhat, making it easier for people to prevent others from seeing their friend lists. The story isn’t over, as the Electronic Privacy Information Center has asked the Federal Trade Commission to investigate the changes in Facebook’s privacy options.

All in all, a nightmare for those who combat botnets.

Security Focus has the whole sordid story:

Build-your-own-botnet kits based on a family of malicious software known as Zeus account for about one out of every ten botnets, according to data collected by security firm Damballa.

The kits, which sell for $400 to $700, allow a would-be criminal with rudimentary technical skills to bake their own custom bot software and have become so popular that a large community of developers have created plugins to further customize the software, said Gunter Ollmann, vice president of research for the Atlanta-based firm. The firm tracks a few thousand botnets, more than 200 of which are based on the Zeus code, Ollman said.

“Zeus has picked up a lot of momentum,” he said. “If you are a beginner, then you might have heard about Zeus from the press. And, if you are someone looking for specific features, the plugins allow you to do that.”

Zeus, also referred to as Prg and Zbot, has become a popular amongst cybercriminals as a way to steal victims’ financial information. Last month, a Zeus-based command-and-control server was found on a server instance hosted by Amazon cloud computing service, EC2. The discovery came a few days after one security firm warned Internet user that spammers where attempting to infect recipients with the Zeus bot.

Zeus is not the most sophisticated program out there, but it is widespread and affordable. Those considerations and the availability of a wide variety of plugins has made the software popular, said Ollmann.

“Zeus is coming to dominate the very low end of the market,” he said. “The newbies that are getting into the market want to create their botnets from scratch. There are better kits available, but they cost more money.”

Dark Reading has the full story. It is a very detailed, and rather long piece, but one well worth reading in full. Because the one conclusion which is easy to draw is that security professionals everywhere should upgrade their bot detection software, to deal with this threat — previously seen as somewhat minor, but now exposed as a major threat indeed.

In an undercover mission to learn more about the size and scope of the son of the infamous Storm botnet, Waledac, German researchers have discovered the spamming botnet is much bigger and more efficient than previously thought.

The University of Mannheim and University of Vienna team boldly infiltrated the Waledac botnet from Aug. 6 through Sept. 1 of last year using a cloned Waledac bot they built and code-named “Walowdac.” The phony bot injected the IP addresses of the researchers’ analysis systems into the botnet, and the researchers were able to collect detailed data on the botnet and its inner workings. They found Waledac runs a minimum of 55,000 bots a day, with a total of 390,000 bots — much larger than previous estimates of 20,000 or so bots.

The researchers also were able to measure success rates of various spam campaigns launched by Waledac, and were able to observe up close Waledac’s newer features, such as the ability to steal credentials from bot-infected machines. Their clone did not do any spamming, however. “We used an implementation of the bot that speaks all of the protocols and communicates like a bot would do. We had full control over it, and it didn’t send any spam…it just participated in the communications,” says Thorsten Holz, one of the researchers.

The clone appeared to Waledac as one of its “repeaters” — the nodes that sit between the infected spamming bots and the back-end servers. Getting into the botnet at that level gave the researchers a more accurate accounting of the botnet. “We were able to get an overview of what bots are out there, how many there are, [and other details],” Holz says.

Waledac has been a popular subject for researchers to study during the past year: Researchers from Symantec, Trend Micro, and ESET, for instance, have also done intensive studies of the botnet. But the University of Mannheim researchers took a more aggressive approach in their experiment. Waledac came on the scene more than a year ago after the notorious Storm botnet, which had ballooned into one of the biggest botnets ever, suddenly disappeared off the grid in 2008. It re-emerged as Waledac, with new malware and a more sustainable architecture.

The German researchers, who also include Ben Stock, Jan Gobel, Markus Engelberth, and Felix C. Freiling, calculated from their research that Waledac could theoretically send more than 1.5 billion spam messages a day. But that’s actually a conservative estimate, they said in their report on the experiment. “However, this also is only valid for 10,000 bots each hour with our monitoring showing up to 30,000 bots per hour during the daytime. Thus, this number might very well be tripled,” the report says.

Waledac changes up its malware variants about every two weeks, the researchers observed, and the U.S. is home to the majority of the bots and repeaters, with 17.34 percent of the spamming bots and 19.5 percent of the repeaters. And around 90 percent of the Waledac bots were 32-bit XP machines.

The researchers were also able to get counts of information-stealing activity by Waledac. In addition, Holz says Waledac steals FTP server credentials, so it can spam using those servers, and also FTP user credentials, so it can log into FTP servers. “They are also stealing these FTP credentials to log into FTP servers and search for HTML pages to inject iFrames [into],” Holz says. “This is part of the propagation mechanism of Waledac.”

Pierre-Marc Bureau, a senior researcher with ESET who has studied Waledac and collaborated with Holz and his team, says he thinks Waledac’s operators are gearing up for more than just spamming. “Waledac has been stealing information from infected machines, such as credentials for Websites and email addresses to spam to,” Bureau says. “But it’s also stealing information from infected machines, mostly for propagating and sending spam. But when you have a user list from a Website, you can do anything you want with it…you can sell it to someone else.”

Bureau says he thinks Waledac’s operators are gathering this stolen information to set up operations other than their bread-and-butter spamming roots. “In general, Waledac is a complete operation aimed at sending spam. But I think they are already prepared to diversify their activities…there’s more money to be made in other areas,” he says.

Meanwhile, the German researchers’ undercover operation in Waledac had a few glitches, too: Waledac’s operators were able to detect the German researchers’ IP address range from the University of Mannheim and filtered them, knocking them off. “So we changed our IP range” and got back into the botnet, Holz says.

And the researchers knew they were at risk of Waledac’s operators waging a distributed denial-of-service (DDoS) attack on the University of Mannheim’s network, where the IP addresses initially resided. “The main threat to us was DDoS,” Holz says. “In the past, we had some incidents where people were DDoSing our servers since we were also running honeypots on those IP addresses.”

PC World magazine has the best “end of the decade” list out that I’ve seen yet, which lists their “top 10 security nightmares,” and is well worth reading for those who want a look back. Remember, 10 years ago at this time, when we were all biting our knuckles over the whole Y2K bug scare?

How times have changed!

The full article is much too long to post here, and too long to even really do justice in excerpts, so I’ll just briefly list the headers they have for their top 10, and then wish everyone a happy new year!

1. Cyberwar

2. Malware Makes Strange Bedfellows

3. MySpace, Facebook, and Twitter Attacks

4. Organized Viruses and Organized Crime

5. Botnets

6. Albert Gonzales

7. Gone Phishing

8. Old Protocol, New Problem

9. Microsoft Patch Tuesdays

10. Paid Vulnerability Disclosure

For anyone who has been living under a rock for the past… oh, two or three decades… here’s a newsflash: the spam fight never ends. Fighting spam requires installing bot detection software, fraud detection services, bot prevention, click fraud tracking, click fraud auditing, click fraud monitoring, bot removal, login protection, and web fraud prevention, which can all be conveniently integrated by one single company.

But for those who have indeed been asleep for ten years or more, here is the full UPI report on the spam situation, apparently triggered off by a shocking — shocking! — press release from Lashback:

Digital bulk mail, known as spam, has a tendency to show up on U.S. computers because it is often a moneymaker, an e-mail watchdog firm said.

“The things that wind up in your in-box … are there because people buy them,” said Brandon Phillips, chief executive officer of Lashback, a firm that tracks e-mails to see if they meet federal laws, the St. Louis Post-Dispatch reported Monday.

Estimates on how much spam is flying around cyberspace run as high as 97 percent of all e-mails, an estimate made by Microsoft Corp., although others put the figure at around 85 percent.

The aggregate amount of aggravating solicitations is growing. Project Honey Pot, which monitors spam, said the number of active bots — systems that use hijacked computers to send e-mails — has quadrupled in each of the past five years and now number about 400,000 a day.

When tracking spam, Lashback found 6 percent of Internet users in surveys indicate they knowingly open spam because of an interest in the product, the newspaper said.

“People are sort of resigned to the fact they’re going to get spam. It’s just a question of how much,” said Lorrie Cranor, an associate professor of computer science at Carnegie Mellon University.

PCWorld has the full story of Atif Mushtaq, and his valiant and successful fight to kill off one of the top 10 botnets in the world. It’s a fascinating read, and well worth the time (it’s rather detailed, and runs a bit long, so I won’t waste any more time with this introduction):

For two years as a researcher with security company FireEye, Atif Mushtaq worked to keep Mega-D bot malware from infecting clients’ networks. In the process, he learned how its controllers operated it. Last June, he began publishing his findings online. In November, he suddenly switched from de–fense to offense. And Mega-D–a powerful, resilient botnet that had forced 250,000 PCs to do its bidding–went down.

Targeting Controllers

Mushtaq and two FireEye colleagues went after Mega-D’s command infrastructure. A botnet’s first wave of attack uses e-mail attachments, Web-based offensives, and other distribution methods to infect huge numbers of PCs with malicious bot programs.

The bots receive marching orders from online command and control (C&C) servers, but those servers are the botnet’s Achilles’ heel: Isolate them, and the undirected bots will sit idle. Mega-D’s controllers used a far-flung array of C&C servers, however, and every bot in its army had been assigned a list of additional destinations to try if it couldn’t reach its primary command server. So taking down Mega-D would require a carefully coordinated attack.

Synchronized Assault

Mushtaq’s team first contacted Internet service providers that unwittingly hosted Mega-D control servers; his research showed that most of the servers were based in the United States, with one in Turkey and another in Israel.

The FireEye group received positive responses except from the overseas ISPs. The domestic C&C servers went down.

Next, Mushtaq and company contacted domain-name registrars holding records for the domain names that Mega-D used for its control servers. The registrars collaborated with FireEye to point Mega-D’s existing domain names to no–where. By cutting off the botnet’s pool of domain names, the antibotnet operatives ensured that bots could not reach Mega-D-affiliated servers that the overseas ISPs had declined to take down.

Finally, FireEye and the registrars worked to claim spare domain names that Mega-D’s controllers listed in the bots’ programming. The controllers intended to register and use one or more of the spare do–mains if the existing domains went down–so FireEye picked them up and pointed them to “sinkholes” (servers it had set up to sit quietly and log efforts by Mega-D bots to check in for orders). Using those logs, FireEye estimated that the botnet consisted of about 250,000 Mega-D-infected computers.

Down Goes Mega-D

MessageLabs, a Symantec e-mail security subsidiary, reports that Mega-D had “consistently been in the top 10 spam bots” for the previous year. The botnet’s output fluctuated from day to day, but on November 1 Mega-D accounted for 11.8 percent of all spam that MessageLabs saw. Three days later, FireEye’s action had reduced Mega-D’s market share of Internet spam to less than 0.1 percent, MessageLabs says.

FireEye plans to hand off the anti-Mega-D effort to ShadowServer.org, a volunteer group that will track the IP addresses of infected machines and contact affected ISPs and businesses. Business network or ISP administrators can register for the free notification service.

Continuing the Battle

Mushtaq recognizes that FireEye’s successful offensive against Mega-D was just one battle in the war on malware. The criminals behind Mega-D may try to revive their botnet, he says, or they may abandon it and create a new one. But other botnets continue to thrive.

“FireEye did have a major victory,” says Joe Stewart, director of malware research with SecureWorks. “The question is, will it have a long-term impact?”

Like FireEye, Stewart’s security company protects client networks from botnets and other threats; and like Mushtaq, Stewart has spent years combating criminal enterprises. In 2009, Stewart outlined a proposal to create volunteer groups dedicated to making botnets unprofitable to run. But few security professionals could commit to such a time-consuming volunteer activity.

“It takes time and resources and money to do this day after day,” Stewart says. Other, under-the-radar strikes at various botnets and criminal organizations have occurred, he says, but these laudable efforts are “not going to stop the business model of the spammer.”

Mushtaq, Stewart, and other security pros agree that federal law enforcement needs to step in with full-time coordination efforts. According to Stewart, regulators haven’t begun drawing up serious plans to make that happen, but Mushtaq says that FireEye is sharing its method with domestic and international law enforcement, and he’s hopeful.

Until that happens, “we’re definitely looking to do this again,” Mushtaq says. “We want to show the bad guys that we’re not sleeping.”

Of course, banks rarely wish to draw attention to such security breaches, since what all financial institutions fear is a withdrawal frenzy by their depositors. So one wonders whether the bank doth protest too much, in this case.

Complicating the situation, the article ominously points out that the FBI has not officially commented on the subject, which might just possibly be due to the fact that the United States government now owns over a fourth of the bank itself. Meaning a steep drop in share price could be harmful to taxpayers, as well as other investors.

So it’s hard to say what is really going on over at Citibank, other than the obvious assumption that they’re probably beefing up their fraud security right about now.

The full SCMagazine article is worth reading. Here are a few key excerpts:

Citigroup representatives are refuting a published report alleging the financial services firm was the victim of tens of millions of dollars being siphoned out of customer accounts.

The Russian Business Network (RBN), a notorious gang linked to several hacking schemes, as well as various criminal activities, is cited as being behind the heist, according to a report in Tuesday’s edition of The Wall Street Journal. The FBI was said to be investigating, though a representative at the agency did not return a phone call by SCMagazineUS.com seeking comment.

But Joe Petro, managing director of Citigroup’s security and investigative services, in a release sent to SCMagazineUS.com on Tuesday, said: “We had no breach of the system and there were no losses, no customer losses, no bank losses. Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true.”

According to the Journal story, the hacking activity was traced via traffic on ISPs previously used by the RBN. A hacking software program called Black Energy, credited to a Russian, enabled the attack. The program is used to command a botnet. Earlier this year, a customized iteration of the code was discovered online capable of collecting banking information, the report said.

. . .

But Citi denies an incident beyond typical probing.

“Denial-of-service attacks are directed against companies around the world,” the Citi statement said. “While there have been attempts to interfere with the availability of our systems, none of these have resulted in any breaches, compromise of customer information, or losses to Citi.”

Andrew Storms, director of security operations at vulnerability management firm nCircle, said he wonders why the FBI hasn’t commented publicly considering Citigroup already has denied that a breach occurred.

According to the Journal report, the government owns 27 percent of Citi. Shares of the firm are down more than 50 percent this year.

“You have to wonder if there isn’t some other triage being done here that has more to do with Citi’s battered stock price than fair disclosure,” Storms said.

“My analysis of this report is that we are talking about a man-in-the-browser attack,” said Imperva CTO Amichai Shulman. “That is, a trojan controlled through a botnet that operates from within the browser and inserts false transactions into a user’s sessions. In view of this, it is clear why Citibank did not report or ‘notice’ any breach. The breach is not on Citi’s side, but rather on the consumer side. It does point to the growing sophistication of attacker.”

Jacob Jegher, a senior analyst at Celent, a Boston-based financial research and consulting firm, said, “Banks are being continuously victimized by cunning and ever evolving fraudsters who will stop at nothing in order to get their hands into the cookie jar. The challenge of late is that the attacks are becoming more sophisticated and the fraudsters are taking the banks and their clients to the cleaners.”

Many banks are fearful to admit that they have been victims or targets of fraud, Jegher added. “They don’t want to draw negative attention. Banks should use these unfortunate incidents to improve security processes and customer communication and education.”

And Schmidt seems eminently qualified to take on the job. As an added bonus, this is not a position in which politics will intrude, as Schmidt’s job does not require Senate approval. So one can assume that Schmidt will exercise his duties independent of the political maelstrom currently brewing in Washington.

The Washington Post has the full story:

Seven months after President Obama vowed to “personally select” an adviser to orchestrate the government’s strategy for protecting computer systems, the White House will name a former Bush administration official to the job Tuesday.

Howard A. Schmidt, who was a cyber-adviser in President George W. Bush’s White House, will be Obama’s new cybersecurity coordinator, an administration official said Monday night.

Schmidt declined to comment.

The mission is challenging: to coordinate cybersecurity policy across the federal government, from the military to civilian agencies. Schmidt’s appointment comes as the Pentagon launches a major new “cyber-command” unit up and running and the Department of Homeland Security works to improve protection of civilian networks.

In May, Obama declared the nation’s digital networks a “strategic national asset” and said protecting them would be a “national security priority.” Creating a White House cybersecurity office, run by a senior White House official, would be key to that effort, he said. “I’ll depend on this official in all matters relating to cybersecurity, and this official will have my full support and regular access to me as we confront these challenges,” Obama said from the East Room.

But his remarks were undercut by internal tension over how much authority the “cyber-czar” would have and to whom the official would report. White House economic adviser Lawrence H. Summers insisted that the new coordinator report to him as well, arguing that cybersecurity is also a matter of national economic security, sources said. The new coordinator, who does not require Senate confirmation, will report to deputy national security adviser John O. Brennan and will “work closely with and collaborate with” the economic council on cyber-issues, the administration official said, speaking on the condition of anonymity because the choice was not yet official.

Schmidt was chosen after a long process in which dozens of people were sounded out. Many declined the post, largely out of concern that the job conferred much responsibility with little true authority, some of them said.

The cybersecurity chief at the National Security Council, Christopher Painter, has served as the de facto coordinator, trying to push ahead the 60-day cyberspace policy review plan unveiled by Obama in May. That plan’s formulation was led by Melissa Hathaway, who resigned in frustration in August after delays in naming a cyber-coordinator.

Schmidt served as special adviser for cyberspace security from 2001 to 2003 and shepherded the National Strategy to Secure Cyberspace, a plan that then was largely ignored. He left that job also frustrated, colleagues said.

The administration official lauded Schmidt’s “unique background and skill sets” as readying him for the job. Schmidt’s résumé reflects experience in the private sector, law enforcement and government.

Before he joined the Bush White House, he worked as chief security officer at Microsoft. He then became vice president and chief information security officer at eBay. He served in the Air Force from 1967 to 1983 in various roles, both active-duty and civilian, and headed the computer exploitation team at the FBI’s National Drug Intelligence Center in the 1990s.

He is now president of the Information Security Forum, a nonprofit consortium of corporations and public-sector organizations working to resolve cybercrime and cybersecurity issues.

“He has many of the qualities and connections that one would think would be good for the position,” said a colleague who spoke on the condition of anonymity in order to be candid. “He is a team player. I don’t have high expectations for that position as it is currently defined, so he’s very possibly overqualified for it.”