I sat down to write an article on Virtual Machine security / insecurity (coming soon), but there was just too much interesting news to pass up.
Charlie Miller – hacking genius, good guy, or bad guy? Charlie Miller, perhaps the best-known white-hat hacker, took the $10,000 prize for the fastest compromise of OS X 10.6 for the third year in a row. Charlie says he is fed up with the poor security practices from Apple, Microsoft , and Adobe. He is declining to reveal the flaws he has uncovered, but will tell the vendors how to find the vulnerabilities. He thinks they will benefit more from this than they would if he simply told them what the flaws are.
Charlie found most of these flaws by using a “dumb fuzzer” that he wrote. Vendors use fuzzers as well, but apparently Charlie’s is better.
We are always telling clients to update their applications, as well as their operating systems. The bad news is that there is now malware that overwrites software updaters. This is doubly bad news – people will be infected by doing the “right thing” and updating. Worse, they will be afraid to update in the future because of the experience. Let’s hope that software vendors find a way to solve this problem quickly.
Mozilla Plugin Check is a place where you can go to check Firefox for the latest versions of plugins. Mozilla is going to take this service one step further and check other browsers as well.
Spam pays. Why? Because even savvy users can’t resist the temptation to CLICK THOSE LINKS, OPEN THOSE ATTACHMENTS, AND FORWARD THAT MESSAGE ON TO INFECT OTHERS! People just won’t learn.
Another threat warn clients about: Rogue toolbars. Sheesh!
What are the biggest scams on the internet? Fake anti-virus popups are one of them, but I was shocked to see that “hitman” “pay me or I will kill you” scams are also on the list. Double sheesh!
If you want to read the sick stats on SPAM, here is an article for you. What is the probability that a .rar email attachment is infected with malware? Almost 97%. Go figure. It not one of the most common malware-laced attachments, though. Those would be .xls, .doc, .zip, .pdf, .exe, .jpg, and .ppt.
I am looking for GOOD NEWS in the security world to match the title of the post, but not seeing much. I guess the Good News is that YOU are there to HELP your clients be the ones who STAY SAFE. Come to think of it, that really is Good News.
Dennis H in West Virginia, US
March 29, 2010