Security

Flash-based clipboard hijack exploit

Here's a post on Flash banner ads that hijack your clipboard, and won't let go until you've restarted your browser (or your OS, depending on who's talking...): http://blogs.zdnet.com/security/?p=1733

And here's the thread on Apple's support boards - seems the first user to publicize this was on a Mac:
http://discussions.apple.com/thread.jspa?messageID=7768848


Novel image-based CAPTCHA

Penn State researchers have announced an upgraded CAPTCHA approach, based on images.
First, you have to figure out where the overlapping images' borders are, so you can find the center of one of them and click near it. The images have been distorted and pixelated somewhat.
The fact that this is difficult speaks to how hard it is to track photo usage in layered composite images, which we see a lot of every day.

Having done that, you now must associate another image with a term that would logically apply to it. The example shown is a garlic bulb, in case you can't tell - so the term from the list that's most applicable is "vegetable".
Now, this bears a striking resemblance to keywording, which is a workflow challenge for all of us in the graphics industry. So if anyone cracks this (and frankly I hope they can't because I need a working CAPTCHA more than I need automated keywording) I have work for them...

Link

via Slashdot Post

Background on the project and team here

Don't Use iDisk via .MAC on a shared machine.

As computing becomes more cloud-like, so security becomes more difficult...


Here's a great bit from thebadapples.info:


Apparently if you use a browser to access your iDisk, there's no way to log out. That means the next user on that system can just go to your browser's History section and get right into your account. (Personally I just mount the iDisk on the local desktop, then dismount it when I'm done, but I wonder if there's an issue with that as well...)


So this is just a friendly reminder to anyone with a .mac account to be careful when checking your account on someone else's computer, especially a public one! If you do check it on someone's non-Mac, then make sure you have the ability to successfully clear the browser's history and cache. And go to apple.com/feedback and tell them that a company advertising above-average security should have simple security devices like "log out" in place!

Most disturbingly, Apple seem to have deleted discussion of this from their forums: according to this Slashdot post,

[P]odcaster Klaatu (of thebadapples.info) posted this on the discussion.apple.com site, only to have his post removed by Apple.


thebadapples.info
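The "log out" the post above asks for is, on the server side, two things: a session that is invalidated the moment the user asks for it, and cache headers that stop the browser from replaying the page out of its History or cache for the next person at the keyboard. The Python below is an added illustration written for this page, not Apple's code or anything from thebadapples.info; the in-memory session store, the handler names, the TTL and the cookie name `sid` are all hypothetical.

```python
"""A minimal server-side session with a real logout (hypothetical example).

Demonstrates why "no log out" is a problem on a shared machine: as long as the
server still honours the session token, anyone who reopens the URL from the
browser's History gets straight in. Invalidating the token on logout, expiring
idle sessions, and sending no-store cache headers closes that gap.
"""
import secrets
import time


class SessionStore:
    """In-memory token -> (username, expires_at) map; hypothetical, not a real API."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._sessions = {}

    def login(self, username):
        # Random, unguessable token; the browser only ever sees this value.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, time.time() + self.ttl)
        return token

    def user_for(self, token, now=None):
        """Return the username for a live token, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if now >= expires_at:
            # Idle timeout: a forgotten session on a public machine dies by itself.
            del self._sessions[token]
            return None
        return username

    def logout(self, token):
        """Forget the token server-side; returns True if it was live."""
        return self._sessions.pop(token, None) is not None


# Headers that stop the browser caching an authenticated page, so Back or a
# History entry cannot show stale private content after logout.
NO_STORE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, private",
    "Pragma": "no-cache",
    "Expires": "0",
}


def session_cookie(token):
    return f"sid={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def clear_session_cookie():
    # Max-Age=0 tells the browser to drop the cookie immediately.
    return "sid=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Lax"


def handle_idisk_request(store, cookie_token):
    """Hypothetical handler for the file listing: (status, headers, body)."""
    user = store.user_for(cookie_token)
    if user is None:
        return 302, {"Location": "/login", **NO_STORE_HEADERS}, ""
    return 200, dict(NO_STORE_HEADERS), f"iDisk contents for {user}"


def handle_logout(store, cookie_token):
    """Hypothetical logout handler: invalidate server-side and clear the cookie."""
    store.logout(cookie_token)
    headers = {"Set-Cookie": clear_session_cookie(), "Location": "/login", **NO_STORE_HEADERS}
    return 302, headers, ""


def demo():
    """Replay from History before and after logout; returns the two status codes."""
    store = SessionStore(ttl_seconds=60)
    token = store.login("alice")            # constructed sample user
    before = handle_idisk_request(store, token)[0]   # 200: session is live
    handle_logout(store, token)
    after = handle_idisk_request(store, token)[0]    # 302: same token now rejected
    return before, after


if __name__ == "__main__":
    print(demo())
```

The point of the example is the second request in `demo()`: the token is exactly what a History entry or cached cookie would resend, and it is the server forgetting it, not the browser, that makes the "log out" real. Clearing history and cache on the shared machine, as the post recommends, only helps when the server has also stopped honouring the session.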

Tiger Team - IT Security as "Reality" TV


Court TV is touting a new series, apparently following a group of penetration testers around as they try to test organizations' security using social engineering, wired/wireless penetration testing, and physically defeating security mechanisms (lock picking, dumpster diving, going through air vents/windows).
(via Slashdot)

Quote:

This vérité action series follows Tiger Team – a group of elite professionals hired to infiltrate major business and corporate interests with the objective of exposing weaknesses in the world’s most sophisticated security systems, defeating criminals at their own game.


Slashdot post

Court TV site

FBI on Botnets

Quote:

More than 1 million computers were infected with botnets when the FBI announced Bot Roast in June, and roughly 1.5 million more have been identified since then, the FBI said. Industry numbers suggest there are as many as 5 million infected computers.

On the one hand I'm glad the FBI is taking this to heart. Certainly people need to go to jail for this sort of thing.

But I'm abashed by statements like this:

Protecting your computer is as easy as "putting locks on your doors and windows," according to an FBI news release. Make sure your anti-virus software is up to date, install a firewall, use complicated passwords and be careful opening e-mail attachments and advertisers' links on Web sites, the bureau advised.

I've had servers rootkitted, a style of attack that's becoming increasingly sophisticated and hard to detect; and now the botnets are attacking the machines of security researchers who try to find out more about them.

Is this really what the FBI considers "simple"?
I have a creepy feeling the Feebs are asking for trouble with this sort of talk...


CNN Piece


Customers lose faith in phished brands


Attention Marketers: Consumer trust is highly vulnerable to erosion

Ars Technica has this report on a survey by YouGov that shows the damage that can be done to a brand's reputation by phishing attacks.

Even though some users seem to recognize their responsibility to secure their accounts, consumer confidence, carefully fostered, can still be lost all too easily by this sort of thing.

Quote:

42 percent of adults in the UK feel that their trust in a brand would be greatly reduced by receiving a phishing e-mail claiming to be from that brand, according to an online survey conducted by research firm YouGov.

Link

Another article covering this same material is here.
Cloudmark's press release here. This is the closest thing to the actual survey data that I can find. Cloudmark are the sponsors.

UK Revenue & Customs (HMRC) chairman resigns over data loss


The apparently notorious UK tax people have now gone and lost 25 MILLION (yes, that's MILLION) records. Apparently everyone in the UK who claims their kids on their taxes could be affected.

Seems some dolt burned the records on a couple of CDs... and when those went missing in the post, burned them to two MORE CDs - which did get there. Nice example of learning from your mistakes, that. Details.

From the BBC piece:


“Two password protected discs containing a full copy of HMRC’s entire data in relation to the payment of child benefit was sent to the NAO, by HMRC’s internal post system operated by the courier TNT.

The package was not recorded or registered. It appears the data has failed to reach the addressee in the NAO.”


According to ZDNet, this sort of thing has happened in that department before, though never on this scale. ZDNet Link

BBC Article

School puts a chip on pupils


Marketers beware - RFID can provoke powerful emotions.


Some bright bulb at this UK school (the Dickensian-sounding "Hungerhill" - you can't make this stuff up) has decided that tracking pupils like household pets is a good idea:

Under the Radio Frequency Identification (RFID) surveillance system the Hungerhill pupils have a memory microchip discreetly embedded onto their school badge which produces a radio signal. It means the pupils can be identified the moment that they step into a classroom. Its inventor, Trevor Darnborough, says the technology has many advantages including; offering accurate and speedy registration of pupils, ensuring child security, providing visual confirmation of attendance to help cover teachers and easy data input for the school's behavioural and reporting system.


Link
This opposition group, while mostly focused on fingerprinting, has plenty to say about the tagging exercise as well.

But the system, which is believed to be the first of its kind in the country, has been slammed by civil liberty campaigners who believe radio surveillance should only be used on criminals and not on schoolchildren.
David Clouter, a parent who founded the "Leave them kids alone" organisation to oppose the fingerprinting of children in school, said: "To put this in a school badge is complete and utter surveillance of the children. Tagging is what we do to criminals we let out of prison early. With pupils being fingerprinted and now this it seems we are treating children in a way that we have traditionally treated criminals. It's the first time I've ever heard of this happening and I think it's appalling. I'm not sure how it will support personalised learning to track a pupil. You need to know the pupils individually and develop a relationship with them to find out what their needs really are rather than simply chipping them."


I dunno - when I was in school, this would have been a great way to cut class: just stash your chipped blazer in your locker, and it looks like you've been in the building all day.

Botnet operator (AKA "security consultant") arrested, charged in LA

This guy looks like he had a couple hundred thousand machines in his net - if the story's at all accurate.


Link

Dark Reading

And on a scarier note... bigger botnets than we heretofore imagined.
Seriously, kiddies, this is some scary stuff. One of these is estimated at over 200,000 zombie machines, and they say bigger and scarier ones are on the way.

From the article:

Botnets are no longer just annoying, spam-pumping factories -- they're big business for criminals. This shift has even awakened enterprises, which historically have either looked the other way or been in denial about bots infiltrating their organizations. (See Bots Rise in the Enterprise.)

"A year ago, the traditional method for bot infections was through malware. But now you're getting compromised servers, with drive-by downloads so prevalent that people are getting infected without realizing it," says Paul Ferguson, network architect for Trend Micro. "No one is immune."

If you don't know what a botnet is, go here.


Link
