Technology in your hands.

Apple Inc. yesterday patched 40 security vulnerabilities in more than 25 different components and applications bundled with Mac OS X, including Flash Player, iCal and Apache.

The year’s third update fixed fewer than half as many flaws as the previous collection, which Apple issued two months ago to plug nearly 90 holes.

Apple tagged 16 of the 40 patches in Wednesday’s update with its “arbitrary code execution” phrasing, putting them into the category most other vendors would label “critical.”

According to the Security Update 2008-003 advisory, the most-patched components by vulnerability count were Apple’s version of the Apache open-source Web server (eight bugs fixed) and the version of Adobe’s Flash Player that Apple tucks into Mac OS X (seven flaws patched)…

Read Full Article

Adware pushers have found a new way to trick you into downloading their annoying products: fake MP3 files.

On Tuesday, security vendor McAfee reported that it’s seen a huge spike in fake MP3 files spreading on peer-to-peer networks. Although the files have names that make them look like audio recordings, they’re really Trojan horse programs that try to install a shoddy media player and adware on your computer, said Craig Schmugar, a researcher with McAfee.

“Once you run it, there is no content. You’re taken to this site to install this player which you don’t really need,” he said…

Read Full Article

Huge spikes in automated password guessing attacks against Australian computer servers show geographical isolation offers no protection against internet-borne threats.

Data compiled for Next by security vendor Arbor Networks also shows the US remains the largest single source of malicious internet background noise targeting Australian computers.

China ranks as the second-largest source of the noise, generated by virus-infected PCs pseudo-randomly scanning for other systems to attack.

“Some countries have better infrastructure than others or are better able to patch their systems,” says Robert Malan, the founder and chief technology officer of Arbor Networks.

Often networks of thousands of compromised computers are controlled centrally by virus writers. These so-called “bot networks” can send spam, infect other systems and launch denial-of-service attacks against legitimate and grey-market businesses such as online casinos.

Read Full Article

Hackers are paying top dollar on international blackmarkets for computers from Australia that have been unknowingly hijacked and infected with spyware.

A Russian malware distribution site offers $US100 for a haul of 1000 spyware-infected Australian machines, double the price offered for US machines and 30 times more than those from Asia.

Philip Routley, product marketing manager at internet security firm MessageLabs, said he believed the high price tag on Australian machines was due to the fact that Australians were more ignorant about computer security threats than people from other parts of the world…

Read Full Article

Social network Facebook will roll out more extensive privacy controls Tuesday night or Wednesday morning, as well as an instant-messaging service soon after, representatives from the company announced during a press briefing at the company’s headquarters in Palo Alto, Calif.

Most notable about the new privacy controls is the fact that Facebook members will now be able to choose how much of their profiles are visible to those on their friends list.

Naomi Gleit, Facebook’s product manager for privacy and internationalization, previewed the updated options, which include a new “Friend of Friends” option based on social proximity–not unlike LinkedIn profiles, in which profile information is visible to second- and third-degree contacts rather than the site’s members as a whole. Facebook members will also be able to include or exclude certain friends from having access to information…

Read Full Article

Security vendor Trend Micro has fallen victim to a widespread Web attack that splashed malicious software onto hundreds of legitimate Web sites in recent days.

A Trend Micro spokesman confirmed that the company’s site had been hacked Thursday, saying that the attack took place earlier in the week. “A portion of our site– some pages were attacked,” said Mike Sweeny, a Trend Micro spokesman. “We took the pages down overnight Tuesday night– and took corrective action.”

On Thursday security vendor McAfee reported that more than 20,000 Web pages have been affected by the attack. The pages are infected with malicious code that tries to install password-stealing software on the PCs of people who visit the sites.

Read Full Article

Spammers have cracked the captcha mechanism Gmail uses to make sure you are a human before you can open an e-mail account, leading to a huge increase in the amount of spam sent from Gmail last month, security firm MessageLabs says.

We’ve all been subjected to captcha programs when signing up for Web services. They typically consist of a box with some characters, either distorted or displayed against some noisy background, and you have to type the letters and numerals in exactly as you see them before the system will accept your sign-in.

They are designed to catch, or stop, automated programs called bots that are written to create new accounts for spammers to use. Annoying as the captcha systems are, they have been successful in keeping bots out, until recently.

Yahoo Mail and Hotmail captcha mechanisms were broken in July 2007, according to MessageLabs. And now, Gmail has succumbed…

Read Full Article

A security consultant based in New Zealand has released a tool that can unlock Windows computers in seconds without the need for a password.

Adam Boileau first demonstrated the hack, which affects Windows XP computers but has not yet been tested with Windows Vista, at a security conference in Sydney in 2006, but Microsoft has yet to develop a fix.

Interviewed in ITRadio’s Risky Business podcast, Boileau said the tool, released to the public today, could “unlock locked Windows machines or login without a password … merely by plugging in your Firewire cable and running a command”.

Boileau, a consultant with Immunity Inc., said he did not release the tool publicly in 2006 because “Microsoft was a little cagey about exactly whether Firewire memory access was a real security issue or not and we didn’t want to cause any real trouble”.

But now that a couple of years have passed and the issue has not resolved, Boileau decided to release the tool on his website…

Read Full Article

At 4 in the morning of May 1, 2005, deputies from the El Paso County Sheriff’s Office converged on the suburban Colorado Springs home of Richard Gasper, a TSA screener at the local Colorado Springs Municipal Airport. They were expecting to find a desperate, suicidal gunman holding Gasper and his daughter hostage.

“I will shoot,” the gravely voice had warned, in a phone call to police minutes earlier. “I’m not afraid. I will shoot, and then I will kill myself, because I don’t care.”

“I will shoot.” Listen to the Colorado Springs hostage hoax.

But instead of a gunman, it was Gasper himself who stepped into the glare of police floodlights. Deputies ordered Gasper’s hands up and held him for 90 minutes while searching the house. They found no armed intruder, no hostages bound in duct tape. Just Gasper’s 18-year-old daughter and his baffled parents.

A federal Joint Terrorism Task Force would later conclude that Gasper had been the victim of a new type of nasty hoax, called “swatting,” that was spreading across the United States. Pranksters were phoning police with fake murders and hostage crises, spoofing their caller IDs so the calls appear to be coming from inside the target’s home. The result: police SWAT teams rolling to the scene, sometimes bursting into homes, guns drawn.

Now the FBI thinks it has identified the culprit in the Colorado swatting as a 17-year-old East Boston phone phreak known as “Li’l Hacker.” Because he’s underage, Wired.com is not reporting Li’l Hacker’s last name. His first name is Matthew, and he poses a unique challenge to the federal justice system, because he is blind from birth…

Read Full Story

Malware writers are increasingly tailoring attacks to specific regions, languages and applications..

Security firm McAfee warned that locally targeted malware comprises up to half of all attacks in some areas.

Dave Marcus, security research and communications manager at McAfee Avert Labs, said: “You have the guys that are local for their region, and then you’ve got the bigger organisations.

“The situation is still developing, but we could not have had this conversation two years ago.”

An example of localised malware can be found in Japan. Financially motivated malware throughout the rest of the world is overshadowed in Japan by malware which focuses on destruction and data theft via peer-to-peer applications.

Read Full Article here