By Mike Wehner

Your webcam can be a powerful tool for communicating with loved ones or even having a conversation with a world-famous luminary. But when that power is put into someone else's hands, it can have dire consequences. A new exploit of Adobe's Flash media application could potentially allow websites to access your webcam without your permission, opening the door for any number of unseemly people to peer into your world.

The exploit — which only affects Macs thus far — can be performed on web surfers using Safari and Firefox web browsers. The gaping hole in Adobe's security features was discovered by a Stanford computer science major named Feross Aboukhadijeh, who brought it to the attention of Adobe. After weeks without a response, Aboukhadijeh decided to make the glitch publicly known, in an attempt to force Adobe's hand. His plan worked, and Adobe released a statement saying they were working on the problem, and the fix wouldn't require a Flash update.

»news.yahoo.com/blogs/technology-···84.html

»www.youtube.com/watch?v=-LbvglVj···embedded

By Mike Williams

Security firm BitDefender's report for Q1-2011 highlighted autorun-based exploits as one of the most exploited PC security vulnerabilities. But there's no need to panic, just yet.

by Fraser Howard

As we all know, compromised sites play an important role in web distributed malware, acting as the conduit, guiding user traffic to further malicious content. Sometimes, the attackers get lucky, and succeed in compromising a high profile, popular site. Another way to increase the number of users exposed to the attack is to compromise advertising content, thereby exposing all users of any 3rd party sites that happen to load the ads.

Late yesterday evening, we started to see evidence of such an attack - Sophos products were blocking certain ad content as Mal/Iframe-U.

Spotted here

By: Fahmida Y. Rashid

Millions of unique URLs have been infected with a rampant SQL injection attack Websense has dubbed “LizaMoon.” The SQL injection attack redirects users to a fake AV site.

Computerworld - By Gregg Keizer

October 26, 2010 07:29 PM ET

Security experts today suggested ways Firefox users can protect themselves against Firesheep, the new browser add-on that lets amateurs hijack users' access to Facebook, Twitter and other popular services.

How to protect yourself against Firesheep attacks

John E Dunn, techworld.com

Fake antivirus programs appear to be adopting some of the money-raising tactics of more threatening ransom malware, security company Fortinet's latest threat report has found.

The most prevalent malware variant during August was TotalSecurity W32/FakeAlert.LU!tr, a malicious program that masquerades as antivirus software in order to sell worthless licenses for non-existent malware.

By John Leyden

Russian police have arrested 10 suspected members of a ransomware gang who allegedly made millions via a locked computer malware scam.

PCs infected by the WinLock Trojan at the centre of the scam were rendered unusable because the malware disabled key Windows components. More embarrassingly pornographic images were displayed on compromised machines, IDG adds.

Spotted here

Earlier this week, security firm Panda Labs reported that it had discovered that 25 percent of newly created worms have been specifically designed to spread through USB storage devices. Nowadays, this means not just USB flash drives, but any device that can be attached to a computer and used as external storage, including digital cameras, external hard drives, media players, and smartphones.

by Seth Rosenblatt

Freeware antivirus Avast 5 debuts today with several new features, but longtime fans are most likely to notice that the old interface has gone to wherever interfaces go when they die. Along with the new interface, Avast Free, Avast Professional, and the new Avast Internet Security introduce an overhauled feature set that keep the suite highly competitive. Arguably, the free version provides the most complete free antivirus on the market.

»download.cnet.com/8301-2007_4-10···1_3-0-20

Health officials are warning the public about fake e-mails inviting people to sign up for swine flu vaccine registrations.
U.S.

AV-Comparatives' November 2009 report has been released and there are eight winners. The other eight products didn't do so well.

Breakthrough paper shows hackers could evade anti-virus protection by hiding malicious code in sentences that read like English language spam

Written by Robert Blincoe

A team of US security researchers has engineered a way of hiding malware in sentences that read like English language spam.

The work is a breakthrough because current network security techniques work on the assumption that the code used in code-injection attacks, where it is delivered and run on victims’ computers, has a different structure to non-executable plain data, such as English prose.

Oliver Garnham, PC Advisor

PC Tools' Malware Research Center is warning web users of another online scam that hopes to piggyback on hype surrounding the new Twilight New Moon film.

The security software developer says the latest trick tempts movie fans by promising them they can watch the film for free, before installing malware on their computer.

PC Tools said fans are baited with the text websites, chat rooms and blogs that read: "Watch New Moon Full Movie."

»www.pcworld.com/article/183296/n···ns.html

By Dan Raywood

The car accident involving golfer Tiger Woods has led to Google trends being dominated by the event.

Hon Lau, senior security response manager at Symantec, claimed that from an IT security point of view, this is just another fruit ripe for the picking as far as malware writers are concerned.

Like some other recent malware, this attack uses Google Reader to host the malware. The user sees a phony YouTube video.

by Ryan Naraine

GENEVA — In a sign that cyber-criminals are investing more time and resources into attacks against Apple’s Mac users, a new malware affiliate program has been discovered offering 43c for every infected Mac machine.

During an eye-opening presentation at the VB Conference 2009 conference here, Sophos Labs researcher Dmitry Samosseikko provided a glimpse into the “Partnerka,” a Russian network of spam and malware affiliates that have turned their attention to the Mac platform — using social engineering tricks to load fake codecs and scareware programs.

Samosseiko discussed the “codec-partnerka,” which is dedicated solely to the sale and promotion of fake Mac software.

He pointed to a site called Mac-codec.com (now offline) which was offering $0.43 for each malicious install, a price tag that suggests the Mac platform is becoming more and more lucrative to online crime gangs.

Spotted here

Chuck Miller September 30, 2009

An industry built on serving adware has become a full-fledged malware distribution channel, with a thriving underground economy, according to researchers at SecureWorks.

The business model is known as pay-per-install (PPI), and profits by recruiting “affiliates” willing to facilitate malware installation on victims' computers.

According to a new report from the SecureWorks Counter Threat Unit titled "The Underground Economy of the Pay-Per-Install Business," the method begins when an affiliate interested in building a network of infected computers signs up to a PPI site and receives files from the PPI provider.

In the past, such sites typically served as the breeding ground for adware distribution, but now criminals are recruiting opportunists so they can receive more-pernicious malicious code.

Spotted here

By Kim Zetter September 30, 2009 | 12:01 am | Categories: Cybersecurity, Hacks and Cracks

New malware being used by cybercrooks does more than let hackers loot a bank account; it hides evidence of a victim’s dwindling balance by rewriting online bank statements on the fly, according to a new report.

The sophisticated hack uses a Trojan horse program installed on the victim’s machine that alters html coding before it’s displayed in the user’s browser, to either erase evidence of a money transfer transaction entirely from a bank statement, or alter the amount of money transfers and balances.

The ruse buys the crooks time before a victim discovers the fraud, though won’t work if a victim uses an uninfected machine to check his or her bank balance.

The novel technique was employed in August by a gang who targeted customers of leading German banks and stole Euro 300,000 in three weeks, according to Yuval Ben-Itzhak, chief technology officer of computer security firm Finjan.

Spotted here

Andrew LaVallee

Looking for a Google Wave invitation? Be careful what you search for.

Google has sent some 100,000 preview invites to the new messaging and collaboration tool, and the tech-savvy or merely curious are angling for one of their own.

Friday, August 28, 2009

As many as 70,000 websites have been compromised by hackers in the last week with a malicious iframe that can redirect site visitors to other sites containing Trojan malware.

Security researchers at ScanSafe said the affected websites are mostly based in China, Canada, the UK and India. Some of the compromised sites include feedzilla.com, latindiscover.com and a number of charitable and nursing facilities, including howellcarecenter.com, sweetgrassvillagealf.com, foodsresourcebank.org and morningsideassistedliving.com.

Mass compromises of legitimate websites through an attack known as SQL injection have spiked upward as of April, according to security researchers at Google.

Spotted here