They’ve hired venerable rapper Snoop Dogg to be the face of a new contest that asks people to upload two-minute videos of themselves rapping about cybercrime to its new “hackiswack” website.

Yes, that’s right. A whole two minutes of rap about cybercrime.

The site claims the winner will be judged on “originality, creativity and message.” Prize? The winner gets two tickets to a Snoop concert, a Toshiba laptop, and, get this, “the chance to meet Snoop’s ‘mgmt/agent.’”

The site also encourages contestants to “have fun fo’ shizzle.”

Apparently, folks weren’t exactly lining up for their chance to rap about malware, identity theft and other cybersecurity issues. So the far the site has received an underwhelming 22 submissions.

And to make things worse, the site was recently hit by a cross-site scripting attack and had to be taken down for security maintenance.

What do cybercriminals love to see when they try to break into an organizations network? A recent survey reveals what vulnerabilities they look to exploit first.

The top security hole hackers look for: poorly configured networks.

That’s the conclusion of a recent survey conducted by Tufin Technologies at Def Con 18, the annual hackers’ convention held last month in Las Vegas.

According to the poll, 73% of data breaches are cause by bad network configurations, which 76% of the hackers in attendance said was the easiest security vulnerability to exploit.

What’s behind all those bad configurations? The main cause: IT staffer’s don’t know what to look for when monitoring and testing their networks, said 58% of the survey’s respondents. Also, many companies don’t have enough time or money for adequate security audits, according to 18% of hackers, and 11% said threats change too fast for many organizations to properly address them.

Another preferred method of gaining network access: having a user or IT staffer within the company as an ally, said 43% of the survey’s respondents.

That finding lines up with those of a recent Verizon survey, which recently published its own study on data breaches. The communications giant found that in 2009, 48% of data breaches involved insiders — that was up from 22% in 2008.

Today, even carefully chosen passwords are susceptible to brute force attacks.

The best defense is using longer passwords. A computer keyboard has 95 keys, so each extra character makes the password 95 times harder to crack.

Analysts at the Georgia Tech Research Institute recommend a password of no less than 12 characters.

Of course, users should also avoid choosing common words to prevent so-called “dictionary” attacks, in which hackers run through a list of dictionary words until the password is found.

It looks very likely that this technology will completely replace analog phones in the not-too-distant future, at least in most companies.

But with every advance comes a new threat. With analog phone message interception, the hacker has a few conventional ways of getting on the system, whether by breaking into your office and attaching a bug or by tapping the main phone trunk liens or exchanges. These are high-expertise, high-cost attacks.

But, as one analyst points out, “Unfortunately, phone calls from your computer are fundamentally different from phone calls from your telephone. Internet telephony’s threat model is much closer to the threat model for IP-networked computers than the threat model for telephony.”

A lone hacker with a. few software tools (such as a packet sniffer) can, with far less difficulty, intercept your calls at multiple points along the transmission. Digital voice data can be intercepted by establishing a spyware application on your network and the data can be sent out for monitoring to anywhere on the Internet with no wire-cutters or alligator clips required.

Experts in the business strong recommend encryption when using a VOIP system. There is a range of solid tools for making sure that voice transmissions, as they go over the Internet, are almost impossible to use if intercepted. Some are third-party programs, others are vendor-specific.

Tools for data encryption are widely available, but according to one report, they are rarely used.

Note that encrypting a phone call involves having both sides capable of encrypting and decrypting data. That means that encryption works best within the company, such as in organizations that already have a VPN (Virtual Private Network) set up to protect text-based data transfers. It is also possible to coordinate encryption with out-of-local-network people you frequently exchange calls with.

Encryption is just one part of the security issue. An even bigger threat is simply put a Trojan Horse program on a PC or a server that intercepts the call before it is encrypted or after it is decrypted. That means you must make sure that your basic antivirus protections are strong, and that you get expert in monitoring network activity.

Your VOIP provider should offer you services for setting up and monitoring security. If they don’t have that kind of expertise and are incapable of consulting with your company about t, you have a problem.

What can you do to help reverse that trend? Here are some tips provided by Michael Davis, CEO of Savid Technologies, at the recent Black Hat security conference in Las Vegas:

1. Learn from another industry

When companies invest in security, what are they really buying? Insurance, says Davis. So IT pros can take cues from insurance salesmen when making their cases. One tactic to borrow: Use concrete scenarios to illustrate your point.

Don’t focus on big-impact cases that have only a small chance of happening. Execs care more about high-probability threats. You can bring up stories about other companies, but focus on threats your particular organization has dealt with or narrowly avoided in the past.

2. Assemble a committee

While IT does the brunt of the security work, it can’t be the only group making decisions. A Savid study found that projects run by IT without input from the rest of the company were often aborted. The most successful projects were headed by a committee featuring representatives from IT, upper management, finance and other stakeholders.

3. Leverage users’ skills

When you’re ready to make your push, find an ally in marketing or sales to go over your presentation with you. They know more about persuasion than IT folks. If you find someone who cares about technology, he or she should be more than willing to help.

Infected USB hardware.

That’s the warning contained in a recent report by security firm PandaLabs. A quarter of all new worms being discovered by Panda are designed specifically to spread via USB drives.

And of the companies surveyed that had been victimized by malware in the past year, 27% said the source was an infected USB drive that was plugged into a computer on their network.

A few high-profile cases also show the dangers of USB devices:

• The U.S. Department of Defense recently announced the cause of a large 2008 data breach: A USB flash drive containing a virus created by a foreign intelligence body was plugged into a laptop at a military base.
• In May, IBM apologized after it was was discovered some of the free USB thumb drives the company handed out at a security conference in Australia contained viruses.
• Two years ago, millions of computers were infected with the Conficker worm, which spread primarily through USB devices.

To keep malware from USB drives off of your network, experts recommend:

• disabling USB ports for users who don’t need them
• disabling auto-play for USB drives
• requiring drives and other devices to be approved by IT before they’re used, and
• training users not to use drives if they don’t know where they came from, and not to open unknown files contained on drives.

In fact, 82% of those surveyed thought that “employees rarely or never consider corporate security threats in their everyday business communications.”

The biggest worry: social networking and Web 2.0 applications.

New threats are emerging due to the multitude of downloadable productivity tools, with new ones appearing all the time, including browsers extensions, widgets, and application add-ons. The problem is that while the basic program (such as the browser) might check out as relatively secure, the constant arrival of new add-ons initiated by end users expose systems to many new dangers from viruses and malware.

It’s not easy to control the use of such futures, since they are often genuine productivity aids. Plus the message of potential danger is hard to get through to end users, especially since IT departments are more prone to react to problems rather than to train employees.

Other conclusions from the survey include:

• Almost 50% see the threat from Web 2.0 usage as an urgent problem
• A key issue is finding ways to educate end users, and
• Also important is finding a way to offload at least some of the responsibility for system security with Web 2.0.

As with any sponsored survey, there is a hook: Check Point has new software (Application Control Software Blade) that helps IT departments and end users classify which downloadable add-ons and applications are present, and give help in deciding which ones might be more risky to use and blocking them. It’s an interesting concept, and you can read more about it here.

A U.S. vendor called Symbio Technologies has just released an updated product that is aimed at helping companies deal with that problem. The Symbiont Boot Stick is a USB flash drive with built-in security firmware that can be plugged into any remote computer. When the user logs in remotely, the firmware bypasses the remote computer’s operating system and hard disk drive, creating a virtual session that is run entirely from the Boot Stick itself.

The Boot Stick changes any remote computer into what Symbio calls a “stateless” terminal that carries no corporate data on its hard disk. The user boots the computer from the USB device and logs in with whatever authentication is required by the company, authentication that can be individualized with each Boot Stick. All data and applications reside at the server, and any data updates are made from the server.

So even if the remote computer is laden with malware and viruses, none of that comes in contact with the operating system that carries those problems. The computer is being used as a keyboard and a display only.

The Boot Stick is part of a set of Symbio products that can convert all personal computers, local and remote, into virtual terminals. The benefits, according to the company, are both ease-of-use (since it cuts down on the IT headaches of maintaining and constantly updating personal computers) and security (it cuts down on viruses, spyware and the danger of physical theft of data-laden portable devices).

Security holes can be opened by all network-attached peripherals, warned ICSA’s Labs’ Kevin Brown in a recent interview with Information Week. That group of devices includes, but is not limited to, printers and copiers.

Said Brown: “Any device that you attach to your network has the potential to be at risk,” including postage machines, Uninterruptible Power Supply systems, Point-of-Sales systems, digital signs, security cameras, facility management systems and alarms, among other things.

Those devices run software, and software can be vulnerable to hackers. Brown’s advice: “Treat every device on your network like you would any other PC, workstation or server, as much as you reasonably can.”

That includes factoring security into purchasing decisions, and possibly paying extra for encryption and other security features.

In a recent mid-year report, Symantec warned that there are too many threats for security software to keep up. In 2009, Symantec created 2,895,802 new virus signatures — that was a 71% increase compared to the amount of new malware that appeared in 2008 (which in turn was a 139% of what was identified in 2007).

The number of new threats is on pace to rise significantly again: In the first half of this year, Symantec created 1.8 million new malicious code signatures. So far, 124 million distinct new malicious programs have been discovered in this year alone.

Bottom line: Antivirus software can’t do enough to keep up with emerging threats. Other recent studies have offered the same warning.

What can be done? More user training, for one thing. Symantec also warns that more and more hackers are using social engineering tactics — i.e., going straight for end users to trick them into turning over passwords and other data — to steal sensitive information.

For example, almost one out of every 476 e-mails sent contains some type of phishing attack, according to Symantec.

Some other hacking trends that Symantec recommends warning users about:

• Phony antivirus programs that users are tricked into buying through pop-ups on compromised websites
• Scams and viruses hidden in third-party social networking apps
• The use of URL shortening services to hide malicious links on social networking sites
• More malware that attacks mobile devices
• Big increases in spam, and
• Spam and phishing attacks sent using instant messaging software.