Not surprisingly, malware authors have jumped on the Barack Obama presidential election win to spread their evil code. Sophos says Obama-related malware is accounting for 60% of the traffic they're seeing at various sensor stations throughout the Internet. Most of the messages are trying to direct users to a doctored election results page that when visited prompts the user to install a fake Adobe Flash plug-in to view Obama's acceptance speech. The application is really a new Trojan dubbed Mal/Behav-027.
Whoops, a dentist office down the street from my house seems to have lost the personal data of 60 or so patients. Faulty data security? Open wireless access point exploited? Nope, something a little more simple: A failure to shred paper records.
Not surprisingly, scammers and spammers (or are they one and the same?) are jumping on the bleak economic news as a means of delivering their wares.
ScanSafe is reporting a number of hackers using the Bank of America brand in a phishing attack that uses the bad economy as a lure. The messages contain a link for more information, but it really downloads malicious code to the targeted user's machine. Always be wary of e-mail from a bank. Best to go to the bank's main URL and access your account data from there.
Barracuda Networks saw a big uptick in pump-and-dump stock spam messages that claim entertainment companies are benefiting from the falling economy. The messages claim the companies being touted are "recession proof." Obviously, if you're getting stock tips from unsolicited e-mails, you've got issues. On the bright side, there doesn't seem to be any malware associated with the Spam.
Hopefully, we'll soon have news of spammers using the booming economy as a lure. That would be a nice change of pace.
According to a CA advisory, "CA Service Desk contains multiple vulnerabilities that can allow a remote attacker to conduct cross-site scripting attacks. The vulnerabilities are due to insecure handling of passed variables in multiple web forms. An attacker, who can convince a user to click on a specially crafted link, can potentially conduct cross-site scripting attacks." Updates are available.
Tom Rusin, President of Affinion Security Center, has me scared that hackers are trading my personal and credit card information all over the Web. His company uses monitoring of underground chat rooms and other sources to help keep customers' credit safe and he recently gave me a live look at the hacker underground in action:
Last week's DEMOFall soiree in San Diego was touted by conference host Chris Shipley as all about the "distributed Web." And while a number of demonstrators fell into this category, there were also a few security demonstrators with some cool technology to show off.
Like the dread of getting a ding in that new car, Google experienced its first ding with its much hyped Chrome browser. While the new Internet surfing tool does a good job of sandboxing applications running in tabs and tries to keep a lid on memory use, researchers have found a flaw in the WebKit engine Chrome uses. The WebKit is vulnerable to a carpet bombing attack that could land a malicious Java JAR file on a victim's machine in two seemingly harmless clicks.
Microsoft is re-issuing one of its advisories from this week's Patch Tuesday after some ZoneAlarm users complained they had dead Internet connections after installing the fix. Tuesday's MS08-37 update, which fixed a major DNS bug, now has an updated FAQ section that points ZoneAlarm and CheckPoint Endpoint Security customers to their respective Web sites for updates on how to fix the lost Internet connection. Microsoft itself is not updating the actual patch.
Symantec circulated a message to the press that it stopped some 3.5 million spams over the 4th of July weekend that were using the holiday as a lure. 3.5 million seemed like quite a bit, so I inquired: Is this the largest Spam haul they've had for a holiday?
According to their spokesperson, they don't officially track by holiday, but that 3.5 million is actually lower than some previous holiday-related Spam loads. Christmas, the granddaddy of commercial holidays, generates the most Spam.
Why go after the 4th of July though at all? I would think most people are offline and not looking at e-mail, making the spam attack much less effective. Will be interesting to see what Labor Day brings, but no need to rush the summer.
Microsoft Patch Tuesday is upon us with four "important" fixes for SQL, Windows Explorer, DNS and Outlook Web Access for Exchange Server. But there's no fix for a critical bug in Access that is currently being exploited by hackers.
Microsoft isn't saying much about the specific flaw, only that it affects "all supported versions of Microsoft Office Access except Microsoft Access 2007" and lies in the Snapshot Viewer ActiveX control. Attackers are exploiting the vulnerability by luring targets to a malicious Web site, where visitors using Internet Explorer will pick up malicious code that exploits the flaw.
My local paper's Web site was hit by the Mal/Badsrc-C virus yesterday, which had some visitors' anti-virus software flashing a warning when they visited the site.
In a post to the Bugtraq mailing list, Craig Wright says he's hacked his Jura F90 Coffee maker with the Jura Internet Connection Kit. Not sure if this hack has been fully verified by a third party, but someone definitely has a lot of time on their hands.
Turns out, the machine's operating system contains a few vulnerabilities that don't appear to be patchable, according to Wright's post. So what can you do with a hacked machine?
Yesterday, a number of US-based ISPs thought they were under a distributed denial-of-service (DDoS) attack between noon and 1:30p EST as 'net traffic spiked 15% to 25% during that period. Another China-based attack?
Nope, it was Tiger Woods and his march toward a 14th major championship at the U.S. Open at Torrey Pines in California. An 18-hole playoff scheduled for Monday left many golf fans scrambling to watch while at work - either through Web site scoreboard updates, streaming media or other means (say, Slingbox). According to Arbor Networks Security to the Core blog, the interest in Tiger's quest created "one of the larger Internet-wide flash crowds in recent months."
It's been nearly a week since Microsoft's June Patch Tuesday security updates were released, but some corporate users are still waiting for updates because of a bug in Microsoft's patch distribution tools for enterprises. A fix is in the works and Microsoft is offering a workaround for those that want to push patches out ASAP. While workarounds are not always the preferred method, it's a good idea to investigate this one as hackers are on the lookout for unpatched Microsoft systems.
If you haven't guessed already, it's a scam. 419 Scammers have turned to text messaging as their next fraud-inducing medium.
F-Secure is reporting that a number of people have gotten SMS messages claiming the recipient has won 170,000 Euros and that they just need to reply to find out how to collect. Those that have responded get an official looking e-mail claiming that all they need to do to collect is pay for some rather pricey shipping charges for receiving the check. What, no direct deposit? What about the photo opp with the big fake check?
It looks like the scam is mainly targeting those in Europe at the moment, but is sure to come stateside anytime.
A flaw in many implementations of SNMPv3 could be exploited to bypass the authentication mechanism of affected systems. Simply put, attackers could read SNMP packets to find system credentials, then use forged packets to gain access to the system. US-CERT is urging users to check with their vendors for an update.
Cisco has released an update that is available here.
A new study by Verizon Communications shows that of 500 data breaches since 2004, 87% of them could have been prevented through simple security practices. The study, which looked at cases that resulted in some 230 million records being compromised, shows that hackers maybe aren't as crafty as first thought when infiltrating corporate data systems. Rather, they're just scanning systems for known vulnerabilities and hoping for a hit.
Reminds me of "War Games" when Matthew Broderick's character was war dialing looking for modems that would pick up. Hackers are essentially doing the same thing, probing for soft spots in a data network, such as an unpatched system.
A high risk flaw in CA's Secure Content Manager's HTTP Gateway could be exploited by attackers in a denial-of-service attack or to run malicious code on a non-patched system. CA rates the flaw high and is urging users to download the available patch.
Corporate IT folks already nervous about Smartphone security may have more to worry about than executives failing to use passwords. Jailbreak applications - tools for unlocking phones so any application can be installed - are becoming more popular and easy to use.
Lottery scammers are going the old-fashioned route with a new "Skype World Wide Lottery 2008" ploy: They're mailing letters to would-be targets. Actual mail, not e-mail.
First reported in the Skype forums and followed up on the FaceTime Security Labs blog, the mailed letter claims the recipient won 1.7 million Euros in a lottery sponsored by Skype, Adidas, MasterCard, McDonald's, Coca-Cola and British Telecom. Of course, to claim the prize one must fill out a dubious form and e-mail it to the lottery manager. Once verified, the winner will be directed to a bank where the money is deposited.
SecurityBlog is written by Network World Multimedia Editor Jason Meserve