
Security Archives

Mac users are often smug about security because so few exploits against the Macintosh reach the news. But the reason for this has more to do with the fact that Macs have historically been attacked less than with any inherent security of the Mac platform. Hackers 'go with the flow', that is, they attack the most 'popular' target, not necessarily the easiest. Hacking today is done for money in most instances, and for profit-seeking computer criminals there is much more money to be made attacking the dominant computing platforms than the niche products. The great popularity of Adobe Flash and Acrobat is a good example of a powerful magnet for malware: Acrobat and Flash on Windows are far and away the most successfully hacked products today. If a hacker wants to make a pile of money, it only makes sense to go where the potential yield is greatest. With the phenomenal success of Apple's iPhones, iPads, and Mac laptops, users of these products should take heed; times are changing. Complacency is an extremely dangerous posture for users of any 'popular' computer product.
I frequently tell readers and audiences that the most widely used software in a particular category is successfully exploited the most. ...As the popular saying goes, bank robbers rob banks because that's where the money is.
Read the whole story at InfoWorld
Pure and simple. Macs contain no special, secret security sauce that makes them more attack-resistant than Windows Vista (which was released in November 2006). Macs and OS X do not contain a single computer defense mechanism that the competitors do not already have or haven't had longer.
Read about Mac security here


Finally we have a decisive takedown of a criminal botnet. This was a highly orchestrated action that involved Microsoft and leading researchers operating under the auspices of a court order. The botnet in question is now completely eliminated, and we have a marvelous technique for doing it again with a different offender. We should see more of this.
Four days ago, top-notch computer security researchers launched an assault on Waledac, a highly sophisticated botnet responsible for spreading spam and malicious software.
As of Thursday, more than 60,000 PCs worldwide that have been infected with malicious code are now under the control of researchers, marking the effort one of the most highly successful coordinated against organized cybercrime.
Read the whole story at InfoWorld


This is some of the best news we've seen on the security front in a long time. Security developers have created a system that can map the physical location of computers infected with the malicious software, or malware, used to run botnets. Additionally, it can identify the type of bot software on the infected machine and even pre-empt the next moves of the bot.
A TELESCOPE that can peer into the depths of the net to spot the gathering threat of a botnet could help combat cyber-attacks.
Botnets - networks of compromised computers that are controlled by someone with malicious intent - are an increasingly common feature of the internet. They can be used to flood a target website with useless data to bring it down, launch spam, or spy on computer users by looking for their banking logins and passwords.
To combat this threat, Endgame Systems of Atlanta, Georgia, has come up with a system, called the internet telescope, that can map the physical location of computers infected with the malicious software, or malware, used to run botnets. It can even identify the type of malware on the machine and pre-empt its next moves.
Read more at New Scientist


The amazing thing about internet security is that while passwords are something that individuals have complete control over, they are, too often, treated completely casually. It turns out that, about 20% of the time, your 'weak' password is actually very easy to 'guess'.
Let's see... here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I'll probably get into all of them.
Your partner, child, or pet's name, possibly followed by a 0 or 1 (because they're always making you use a number, aren't they?)
The last 4 digits of your social security number.
123 or 1234 or 123456.
"password"
Your city, or college, football team name.
Date of birth - yours, your partner's or your child's.
"god"
"letmein"
"money"
"love"
Read more at OneMansBlog


I've been accused of beating the issue of 'password security' to death over the years, but it continues to be a very serious problem, so I have to bring it up again. What is so hard to understand about this issue?
Despite all the reports of Internet security breaches over the years, including the recent attacks on Google's e-mail service, many people have reacted to the break-ins with a shrug...
Imperva found that nearly 1 percent of the 32 million people it studied had used "123456" as a password. The second-most-popular password was "12345." Others in the top 20 included "qwerty," "abc123" and "princess."
More disturbing, said Mr. Shulman, was that about 20 percent of people on the RockYou list picked from the same, relatively small pool of 5,000 passwords.
That suggests that hackers could easily break into many accounts just by trying the most common passwords. Because of the prevalence of fast computers and speedy networks, hackers can fire off thousands of password guesses per minute.
"We tend to think of password guessing as a very time-consuming attack in which I take each account and try a large number of name-and-password combinations," Mr. Shulman said. "The reality is that you can be very effective by choosing a small number of common passwords."
Read more at the NYTimes


Just as Microsoft gets its security sorted out, the bad guys shift to the next most widely distributed software vendor - Adobe.
Adobe Systems' Flash and Acrobat Reader products will become the preferred targets for criminal hackers in 2010, surpassing Microsoft Office applications, a security vendor predicted this week.
"Cybercriminals have long picked on Microsoft products due to their popularity. In 2010, we anticipate Adobe software, especially Acrobat Reader and Flash, will take the top spot," security vendor McAfee said in its "2010 Threat Predictions" report
Read the rest of the story at ComputerWorld.




The inverse of the 'strong' password is when you get tricked into 'voluntarily' giving away your password. The practice of extracting this information from unwilling victims has come to be known as "phishing", and it is a rampant problem on the net today. We've all seen these phishing attempts. But it's not just consumers that are falling for these tricks, it's major corporations and government organizations that are naively giving away their private information to 'phishers'. As many as 4 billion phishing e-mails are sent on the net every day.
The massive phishing scam broken up by federal authorities this week is only a hint at what many say is an insidious and growing problem on the Internet.
Federal authorities on Wednesday indicted 53 people in the U.S. on various charges related to a phishing scheme that victimized thousands of customers of two major U.S. banks. Authorities in Egypt arrested another 47 people there on the same charges.
The bust, dubbed "Operation Phish Phry," was described by the FBI as the largest ever cyber-crime investigation and they held it up as a shining example of international cooperation in the realm of cybersecurity.
Read the whole story at ComputerWorld


Password security is a tremendously problematic area; it is without question the weakest link in your chain of defense against criminal access to your computer, your email, and your online assets. But it is really pretty easy to defend yourself on this front. See my earlier post about how to create really strong passwords - "Your weakest link", Oct 5th. Passwords are the one thing we each have very good control of; we should be able to make this an area where the bad guys are decisively blocked. Unfortunately many people completely dismiss their responsibility in this area and leave themselves wide open to the most trivial attacks.
1234567 may not be a very secure password, but it's popular on Hotmail.
That's according to Bogdan Calin, a security researcher who got hold of 10,000 stolen Windows Live Hotmail usernames and passwords that were posted to the Web site PasteBin late last week.
Other Web mail providers such as Gmail, Yahoo Mail, and AOL have also been hit by the phishers, according to the BBC, which reported that it had seen a total of 20,000 accounts, half of which were the same ones that Calin analyzed.
After taking a look at the passwords, the security researcher found that two very weak passwords -- 123456 and 123456789 -- were the most common ones used by the victims. Of the 9,843 valid passwords he found, 82 of them used one of these two combinations. 12345678, 1234567 and 111111 also made the top 10 most common passwords.
Read the whole article at ComputerWorld


Think you're secure? Think again. Have you tested your important passwords to see if they pass minimum security standards? The likelihood is that your passwords are not as good as they could be, or should be, to protect your data. Here's a great little tool that will guide you to better passwords:
The Password Meter
I tested my current set of passwords and was surprised to learn that they were far from good enough for today's security environment. Minimum security standards are changing fast. The passwords I used to use, only a couple of years ago, are now judged by "The Password Meter" to be completely worthless against a determined attacker.
Let's be honest, passwords are annoying. These days, we need a password or PIN everywhere. We have so many that we can't keep track of them all. We forget to update them; and when we do, it's difficult to come up with effective ones that we can still remember, so we procrastinate changing them for months, even years. We all know this is bad, but the alternative - the painful, irritating password creation and memorization process - is sometimes more than we can tolerate. There is hope! Passwords don't have to be complex cryptograms. A few simple methods can help make living with passwords a little easier.
Read the rest of this article at SecurityFocus.com


This is comforting, now we learn that the "Downadup" worm is a beautiful piece of craftsmanship. The people who created this disaster-waiting-to-happen are expert programmers with a great deal of experience writing malware. We can see the detail of their skill in the code they have turned loose on the web, but we still don't know what this thing is supposed to do. And apparently these criminals are looking over their shoulders for other bad guys who would like to steal their wonderful new botnet.
The worm that has infected millions of Windows PCs is a "very well-engineered" piece of malware, according to one security expert. But researchers still have no clear idea what the hackers plan to do with the collection of computers they've compromised with "Downadup."
"This is a very well-engineered piece of software," said Alfred Huger, vice president of development at Symantec Corp.'s security response group. "It's very well thought out. Whoever wrote it, it's not their first time writing malware. It looks as if the author has had a great deal of experience writing software, and is fully versed in writing network-level code."
Read more at Computerworld


Showing their intense awareness of the need to control and leverage the internet presence of the President and the White House, the Obama team took control of Whitehouse.gov within seconds of the swearing in ceremony. Whitehouse.gov will provide information for Americans who are hungry for information about the new administration's plans. And as we might expect, the White House site is already the theme of a multitude of malicious pretender web sites that will take visitors to virtual replicas of the official site where they will be quickly infected with malware.
Obama Quickly Takes Over White House Site
President Barack Obama's transition team wasted little time taking over the White House Web site, switching over from former President Bush's site within seconds of Obama's swearing in. The first post to the site was from Macon Phillips, the director of New Media for the White House, who wrote, "Change has come to WhiteHouse.gov."
Read the whole article at Eweek.com
Visit the official White House web site
Malicious Sites with Fake Obama News Infect Users with Malware
Spammers are luring victims to a malicious site with false reports by President-elect Barack Obama. The spam is being sent out by the Waledac botnet, which security researchers say is a reincarnation of the infamous Storm botnet.
It should come as little surprise that spammers are taking advantage of interest in Barack Obama, who is slated to be officially sworn in as the United States' 44th president today.
In the past few days, security vendors have reported spam with links to malicious Web sites. Clicking on the link will take users to a virtual replica of Obama's official site, except this one tries to infect visitors with variants of the Waledac Trojan.
Read the whole article at Eweek


It's been nearly two months since the Downadup worm hit the streets and the number of infected computers is growing rapidly. While there is no way of knowing for sure, some members of the security community are claiming that 9 million computers have been compromised. This is definitely a botnet ploy but no one seems to know what the botnet is for. Once again, this threat only applies to Windows computers, but it infects virtually ALL Windows computers, and it does so by spreading via a wide variety of mechanisms. This is a very nasty threat that should be a concern to all Windows users and to all system administrators.
Downadup is downright nasty. And that's even before it does much more than just spread.
But as analysts argue about how the compromised computers will be used -- to build a massive, new botnet, perhaps -- or how much information hackers will steal from infected machines, users like you have a more immediate concern: "How do I keep my PC from joining the ranks of the hacked?"
That's a simple question. Unfortunately, because of this worm's flexibility, the answers aren't.
What's the worm again? Thanks to the lack of an industry-wide labeling system, the worm goes by more than one name. Some companies dub it "Downadup," others call it "Conficker."
No matter the name, it's the same threat.
Read the whole story at ComputerWorld


While the relief may only be temporary, this incident nicely illustrates the nature of the criminal spam business. It only takes a few of these bot hosting networks to generate significant fractions of the total spam volume on the net.
Spam plummets after Calif. hosting service shuttered.
Despite 41% drop, respite likely just temporary.
Spam volumes plunged by more than 40% after a major bot hosting network was shut down, researchers at IronPort Systems Inc. said today. On Tuesday, McColo Corp. was kicked offline when its primary Internet providers severed its connection to the Web, reported The Washington Post, which led an investigation of the San Jose-based hosting service. According to the newspaper, McColo's clients included cybercriminal groups that ran some of the biggest spam-spewing and malware-spreading botnets.
Read the whole story


With no end to the overall Botnet threat in sight, industry and government agents say that they are making some progress in identifying and prosecuting criminal Botnet Herders. Microsoft says they are tracking 1000 botnets at any given time, each of which can have literally tens of thousands of compromised computers in its nefarious control. It takes about 30 seconds for a brand new 'unprotected' Windows computer to become compromised after it is attached to the internet for the first time.
Botnet attacks now come with their own antivirus software, permitting the programs to take over a computer and then effectively remove other malware competitors. Mr. Campana said the Microsoft investigators were amazed recently to find a botnet that turned on the Microsoft Windows Update feature after taking over a computer, to defend its host from an invasion of competing infections.
Botnets have evolved quickly to make detection more difficult. During the last year botnets began using a technique called fast-flux, which involved generating a rapidly changing set of Internet addresses to make the botnet more difficult to locate and disrupt.
Read the whole article


Observing the CAN SPAM law and getting "delivered" are not the same thing. This article in Direct Magazine highlights some of the enormous difficulties that honest list mailers are having sending list mail to legitimate opt-in mailing lists. High performance senders need to do a lot more today to get their messages delivered, opened, read, and hopefully acted on.
A recent court ruling in Illinois has vast implications for direct marketers. And if there's one lesson DMers must take from the decision it's this: Rightly or wrongly, simply complying with Can Spam is not enough to get e-mail delivered. It doesn't matter if the sender's list is triple-verified-we-even-called-just-to-make-sure opt-in, if an Internet service provider decides a mailer's e-mail is spam and blocks it, the ISP has every legal right to do so.
Read the whole article in Direct Magazine


The security landscape is becoming more dangerous by the minute. Readers of this blog have seen multiple articles here about the growing security threat that we all face (see: security archives). I think that most of you have taken the warnings to heart and checked that your web browsers, and your mail clients, are up to date, and properly patched against the latest threats. However, the study referenced below suggests that over 40% of the machines on the web are not properly patched and thus represent a serious problem for their owners and ultimately for all of us on the web. If your computer is not patched and fully up to date, then you need to do something about this today. Check your browser status
Study: Unpatched Web Browsers Prevalent on the Internet
Only 59.1 percent of people use up-to-date, fully patched Web browsers, putting the remainder at risk from growing threats from diligent hackers, according to a new study published by researchers in Switzerland.
The study, published Tuesday, is one of the most comprehensive analyses of what versions of Web browsers people are using on the Internet. The study was conducted by researchers at The Swiss Federal Institute of Technology, Google and IBM Internet Security Services.
Read the rest of the story in PC World


Here's an excellent tutorial from our friends at EBay that could save you a whole lot of time, money and grief. Make no mistake, the spoofers are getting trickier than you can imagine, and they are more persistent than ever. This is serious stuff... pay attention.
Spoof emails can be a major problem for unsuspecting Internet users. Claiming to be sent by well-known companies, these emails ask consumers to reply with personal information, such as their credit card number, social security number or account password.
These deceptive emails are called "Spoof Emails" because they fake the appearance of a popular Web site or company in an attempt to commit identity theft. Also known as "hoax" or "phishing" emails, this practice is occurring more and more frequently throughout the online world.
Read the whole tutorial


Are you seeing a lot of messages in your inbox that are titled "Undelivered Mail Returned to Sender"?
You're not alone. The global mail system is awash with these messages. But what you probably find most alarming about this situation is the fact that all of these "bounce" messages that keep coming to your mailbox say that they were originally 'sent' by YOU! And you know this is impossible.
These "bounce" messages are an artifact of a massive on-going spam attack that involves literally millions of people all over the internet. The Signal mail system is sending this mail "back" to you because it thinks you sent it, and it has no way of knowing that you did not.
Read the whole release


This is the reason you are seeing such an increase in the amount of spam you are receiving. The botnets are getting bigger and more effective with each passing month.
The prodigious Srizbi botnet has continued to grow and now accounts for up to 50% of the spam being filtered by one security company... Srizbi is now the biggest single menace on the Internet, dwarfing even the feared and mysterious Storm... Having compromised 300,000 PCs around the world, it was now sending out an estimated 60 billion spam e-mails per day on "watches, pens, male enlargement pills"... Srizbi is the single greatest spam threat we have ever seen. At its peak, the highly publicized Storm botnet only accounted for 20% of spam. Srizbi now produces more spam than all the other botnets combined.
Read the whole article
Are you infected with Srizbi?


Identity theft is a hot topic these days. If we are to believe the special reports on the evening news, Identity theft is reaching epidemic proportions. So companies that offer "Credit Monitoring Services" have become all the rage. After watching too many of their TV commercials, I tried going to the FreeCreditReport.com site, only to find that they only provide a free credit report if you sign up for Experian's (not free) monitoring service. The FTC is currently investigating this company's practices, and the fact that their well promoted site is uncomfortably close to AnnualCreditReport.com, which actually does provide free credit reports. It never fails, there's always a scammer trying to "help" us in our hour of need.
All of which begs the question: Are these services worth the cost, and more to the point, do they actually protect you from identity theft? "Our position is that for most consumers -- and by most, we mean well over 99.9% of the people in the country -- they are not," says PRC's Stephens. "If you're talking about spending upwards of $100 per year, we don't think that the typical benefit a consumer is going to derive is worth the cost."
Read the whole article


This report explores the ethical dilemma encountered by researchers who successfully cracked one of the largest and most prolific robot spam networks on the internet. What do you do when you successfully manage to take over an evil spam empire; do you just turn it off? What do you become liable for if your "good deeds" have unintended consequences?
Researchers seize control of one of the world's largest spam-spewing botnets, but there is disagreement about what should happen next. Researchers at TippingPoint Technologies' Digital Vaccine Laboratories have found a way to infiltrate and seize control of one of the world's largest spam-spewing botnets, a breakthrough that has ignited an intense debate over the ethics of "cleaning" infected computers.
Read the whole article


In a sure sign that they have achieved success in the marketplace, Firefox and Safari have finally become the target of focused hacker exploits. After years of flying under the radar, this is a new and unwelcome note of celebrity for browsers that were previously touted as safe alternatives to MS Explorer.
Many people are switching from Internet Explorer to alternative browsers such as Firefox and Safari. Though that might make them feel more secure, the shift has also opened new doors for bad guys.
Case in point: We have no IE bugs to report this month, but both Firefox and Safari have been hit hard.
So forget the idea that just because you've switched to a new browser, you're magically safer. You may be for a time, but to stay safe with any software, you need to keep current with fixes.
Read the article in InfoWorld


The massive attacks against hundreds of thousands of Web pages that started earlier this month has spread to some of the Internet's most prominent sites, including those for USA Today, ABC News, Target and Wal-Mart, researchers said today.
Dancho Danchev, the Bulgarian security researcher who first reported the attacks two weeks ago, said that the attacks had spread to a long list of high-profile sites, which have had their search results poisoned with malicious IFrame code. "The attack's been ongoing for almost a month now," Danchev said in an e-mail.


There is a misperception among much of the security community that Mac users don't care about security. Since joining TidBITS I've learned that Mac users are just as concerned about their security as their Windows brethren, but they aren't really sure what they need to know. Even the most naive Windows user understands that their system is under a constant barrage of attacks, but the Mac user rarely encounters much beyond the occasional pop-under browser ad and, of course, their fair share of spam.
Rich Mogull on Macintosh security


Google: Spam, Virus Attacks to Get More Clever - Google's Postini team recommends enterprises guard against socially generated spam and virus attacks in 2008. Spam and virus threats to enterprise messaging security and compliance may level off this year compared to 2007, but social engineering techniques are evolving to challenge businesses and security software providers, according to a new report released by Google's Postini team. The report, released March 6 after Google's Postini team commissioned the study to survey 575 IT professionals, found that Postini data centers recorded 57 percent more spam and virus attacks in 2007 compared to 2006.
Clint Boulton on Socially Generated Spam