Internet Security News
Apple Hires Kaspersky Labs To Test Mac Security
The Flashback malware threat that recently plagued Mac computers opened a lot of eyes to the fact that Apple's computers may not be as secure as their users have always believed. The Flashback malware attacked users' Macs by means of a flaw in Java that allowed it to install on users' computers without their knowledge. Apple ultimately dealt with the problem by releasing a tool that would remove it from infected computers, but not before the malware netted its creators as much as $10,000 per day in stolen ad revenue.

The result of the Flashback threat has been to draw increased attention to the security situation of Mac computers. One recent study found that as many as 20% of Macs are carriers for Windows-targeted malware, while security firm Kaspersky Labs recently claimed that Apple was a decade behind Microsoft in terms of security.

The situation apparently got Apple's attention as well. According to Computing, Apple has asked Kaspersky to analyze the security of OS X and make recommendations to improve it. Nikolai Grebennikov, Kaspersky's CTO, said that OS X is "really vulnerable" and that Apple "doesn't pay enough attention to security," noting that the Java vulnerability that allowed Flashback to infect Macs had been patched by Oracle months before the outbreak, and Apple hadn't bothered to release an update for OS X. For the moment, Kaspersky will only be working on OS X, though Grebennikov foresees similar security issues with iOS in the next year or so unless Apple takes further steps to secure the platform.
55,000 Twitter Accounts Hacked, Passwords Exposed
Hackers appear to have successfully exposed the passwords of as many as 55,000 Twitter accounts yesterday, prompting the website to investigate just how the security breach occurred.

The hack was first reported on the blog Airdemon.net, where it was said that "anonymous hackers" - note that it's not the proper Anonymous, as in the hacktivist collective, but it's not clear whether that punctuation difference was intentional or not - gained access to the accounts, some of which are said to belong to celebrities. The list of account information was so large that it took five pages on Pastebin to share all of it.

According to CNET, Twitter is looking into the breach and has notified the affected accounts with notices to reset their passwords. Yesterday evening, Twitter, via the @twittercomms account, said that many of the accounts affected were duplicates or spam-ish:

@twittercomms (Twitter Comms): "The list of alleged accounts & passwords consists of more than 20,000 duplicates. Also suspended spam accounts & incorrect login credentials"

After crunching the numbers and identifying the duplicate accounts shared on Pastebin, Anders Nilsson at Säkerhetsbloggen determined that the total number of actual accounts is 34,062 and, of those, only 25,068 appear to be legit. He also postulates that a majority of the accounts appear to be associated with email accounts from Brazil, which would make sense since when I looked at the list of account info on Pastebin my browser offered to translate the webpage into Portuguese. More interesting, Nilsson also points out that the list of yesterday's hacked accounts appears to consist of accounts that were hacked last summer. So maybe Twitter's right to downplay this security breach, and it's not really as threatening or legitimate as it first appeared to be.

Do you think Twitter's responded appropriately, or should it be taking the matter a little more seriously? Think this situation is more hoax than actual hack?
Update: Even though the sentiment is pretty much summarized above, here is the official Twitter statement a spokesperson provided to WPN:

"We are currently looking into the situation. In the meantime, we have pushed out password resets to accounts that may have been affected. For those who are concerned that their account may have been compromised, we suggest resetting your passwords and more in our Help Center. It's worth noting that, so far, we've discovered that the list of alleged accounts and passwords found on Pastebin consists of more than 20,000 duplicates, many spam accounts that have already been suspended and many login credentials that do not appear to be linked (that is, the password and username are not actually associated with each other)."
Oracle Offers Workaround After Confusion Leads to Zero-Day Disclosure
Many software developers offer bounty programs for their products. The concept is that someone finds a vulnerability and notifies the developers of the software in exchange for a reward. The point is to dissuade hackers from using the vulnerabilities by offering them something "better"(?). Of course, one would think that, after the vulnerability is turned in and the reward given, the developer would scramble to correct the issue. Oracle seems to have a different process in place.

The vulnerability, rated a 7.5 on the CVSS scale (0-10, 10 being severe), was found by Joxean Koret four years ago. It allowed an attacker acting as a man-in-the-middle to gain remote access to Oracle's 10g and 11g database versions without authentication. Obviously a rather large issue. Oracle seemingly sat on this until its quarterly security update (2 weeks ago), where it seemingly fixed the bug, even crediting Koret in the "Security-in-Depth" program. Assuming the vulnerability had been corrected, Koret published a proof of concept detailing how the flaw is used. After a few follow-up emails, however, it turned out that Oracle's intention was to correct the flaw only in future versions of its software. The now published workaround can be found here.
Microsoft Warns of Conficker Worm Threat
The latest Microsoft Security Intelligence Report (SIR) has compiled new data taken from over 600 million systems worldwide, and has found that iterations of the Conficker worm have appeared on roughly 220 million computers over the past 2.5 years. This makes Conficker one of the most substantial ongoing, broad-based threats to enterprises.

According to Wikipedia, Conficker, also known as Downup, Downadup and Kido, is a computer worm that surfaced in October 2008 and targets the Microsoft Windows operating system. The worm exploits a previously patched vulnerability in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Windows 7 Beta, and Windows Server 2008 R2 Beta. The worm has been unusually difficult for network operators and law enforcement to counter because of its combined use of advanced malware techniques. Conficker was set to launch on April Fool's Day in 2009, but nothing really happened - though that's not to say the malicious code didn't get around; it still broadly exists.

Data from Microsoft's SIRv12 shows that detections of Conficker have gone up 225% since early 2009, and the worm was traced to 1.7 million systems in Q4 2011. Research also shows that 92% of Conficker infections are instances of compromised passwords, and the other 8% are due to systems lacking the latest security updates. Commenting on the lack of Windows security, Tim Rains, Director of Microsoft Trustworthy Computing, states, "Conficker is one of the biggest security problems we face, yet it is well within our power to defend against - It is critically important that organizations focus on the security fundamentals to help protect against the most common threats."

Microsoft recommends users take the following measures to promote better system security:
- Use strong passwords and educate employees on their importance
- Keep systems up to date by regularly applying available updates for all products
- Use antivirus software from a trusted source
- Invest in newer products with a higher quality of software protection
- Consider the cloud as a business resource

Again, the two primary measures to be taken are to use and protect solid passwords and to frequently access Windows Update. Also, Microsoft plans to launch an updated version of its SkyDrive cloud system in tandem with the introduction of Windows 8, which is rumored to be sometime in October. It's noted that the cloud can also improve security for businesses.
The State of IT Security [Infographic]
We all know about threats to the valuable data we store every day; we hear about them all the time. There's always some anonymous hacker shutting down a website or publishing someone's private data. It's just something that has become part of living in the age of information. After all, you can't have so much information so readily available and not have it fall into the wrong hands once in a while.

Unfortunately, there's a lot more to data breaches than just the hacks we hear about in the press. Verizon has taken a particular interest in tracking breaches of data and has been doing so since 2004. You might not be surprised to learn that last year, 2011, was the second highest year for breaches ever. The breaches occurred in all kinds of industries, including banking, healthcare, retail, information management, food service, and probably just about any field you can think of. They also happened all over the world.

So what can be done? This next infographic from Backgroundcheck.org gives us the lowdown on where these breaches are happening, what we can do to better protect ourselves, and what these breaches are costing us. Everybody should take a look at this one; it's packed with useful data management information. Check it out:
Internet Explorer 9.0.6 Now Available, Fixes Security Flaws
I remember just a few years ago when Internet Explorer was the laughing stock of the browser community. It lacked the functionality that other browsers had while lacking even basic security functions. It's what led to the impression that IE was a virus haven, but Microsoft has made great strides in making IE a more attractive and secure browser. The new update today only reaffirms that.

Microsoft today announced the release of Internet Explorer 9.0.6. It fixes "five privately reported vulnerabilities in Internet Explorer." The worst vulnerability would allow "remote code execution" if a user visited an infected Web site. This would allow somebody to gain control of the PC in question with the same user rights as the local user. These are the kind of vulnerabilities that can lead to the creation of a botnet: people visit a Web site and get their computer hijacked by a foreign party. Their computer then becomes part of the botnet collective, which usually goes unnoticed by the user if the creator of the botnet is good at their job.

Microsoft says that this update is rated critical for IE6, IE7, IE8 and IE9 on Windows clients. It's rated moderate for the same versions of IE on Windows servers. You can check out the full security bulletin for all the information, including which operating systems are affected. If you have automatic updating turned on, the update should have already been applied. If you're like me and have automatic updates turned off, you can apply it the usual way through Windows Update. While I don't use Internet Explorer and many Windows users reading this now probably don't either, it's still suggested that you install the update. There's always that small chance of a friend using your computer and browsing with Internet Explorer. It's better to be safe than sorry.
New Variant of Flashback Malware Exploits Unpatched Java Vulnerability in Macs
A new variant of the Flashback trojan has appeared, exploiting a Java vulnerability found in Macs. Cyber security firm F-Secure announced this discovery via its blog today.

Flashback is a trojan that was originally distributed in the guise of erotic images or politically offensive material. It was later updated to be distributed in a fake installer application for the Adobe Flash Player plug-in. The malware works by downloading its payload from remote sites and creating a backdoor in users' browsers through which the users' information is transmitted to remote servers. Previous versions of the malware targeted older Java vulnerabilities (CVE-2011-3544 and CVE-2008-5353, according to F-Secure) which were repaired in updated versions of Java. But the most recent variant of Flashback, called Flashback.K, exploits a newly discovered vulnerability (CVE-2012-0507) and is capable of "infecting systems without user interaction" [F-Secure]. Originally this variant of Flashback targeted both Mac and Windows systems, but a patch released by Oracle in February as part of a Windows Java update has rendered up-to-date Windows machines safe from the attack. Apple has yet to release the update for OS X. F-Secure also warns of yet another Java exploit that is currently on sale in the computer underworld.

At least until Apple releases a patch for the newly targeted vulnerability, F-Secure urges users to disable the Java client on their Macs. As a rule, the company recommends that users keep Java disabled in their browsers, enabling it only when necessary and with caution, and then disabling it again immediately when it is no longer needed. The company also provides instructions on detecting and removing Flashback from your Mac. [F-Secure, Photo Source: ThinkStock]
Microsoft: Internet Crimefighter and Bane Of Botnets
Microsoft's stepping up its effort against online crime lately by sending its own employees to accompany U.S. marshals in federal raids of facilities that are suspected of participating in one of the nastier methods of cybercrime: botnets.

A profile in the New York Times today on Richard Boscovich, Microsoft's senior lawyer in the company's digital crimes unit, offers a glimpse into the company's increased vigilance in policing the online world by taking the fight offline. Boscovich is credited with creating Microsoft's branch of law enforcement as an effort to watch over "fraud that could affect the company's products and reputation." In what sounds more like Law & Order: The Microsoft Unit than something you'd expect from the maker of Windows operating systems, the Times describes a recent government raid in Pennsylvania aimed at taking down botnets:

"With a warrant in hand from a federal judge authorizing the sweep, the Microsoft lawyers and technical personnel gathered evidence and deactivated Web servers ostensibly used by criminals in a scheme to infect computers and steal personal data. At the same time, Microsoft seized control of hundreds of Web addresses that it says were used as part of the same scheme."

Although companies like Google and Apple tend to dominate most tech headlines these days, Microsoft's Windows is still the most used operating system around the world among internet users, which has the unfortunate side effect of making it the most likely target for botnets. While Microsoft continues to offer up patches and security upgrades for its users, the company has also endorsed recent legislation like the Anti-Bot Code of Conduct for Internet Service Providers. Taking on cyber criminals in the physical world suggests Microsoft doesn't feel like waiting around for the law's delay to start hindering botnets and bot-herders (the criminals who operate botnets).
In what I imagine sounded like a Batman growl unintentionally slipping into a press interview with Bruce Wayne, Boscovich said that the purpose of the raids was to send a message to cyber criminals. "We're letting them know we're looking at them," said Mr. Boscovich.
Symantec Releases Latest in Annual Cost of Data Breach Studies
So you've been breached. You've shored up your system and are, once again, secure. But the damage has already been done. That damage, however, may not be as costly as it used to be. According to Symantec's 2011 Cost of Data Breach Study, the costs associated with a data breach have gone down in recent months.

According to the study, conducted by the Ponemon Institute, the cost associated with a breach, broken down to a per-record cost, was $194 in 2011. This is the lowest it has been since 2006. This equates to a drop from $7.2M organizational cost in 2010 to $5.5M in 2011.

So why have these costs gone down? We know the number of breaches hasn't declined. According to Ponemon analysts, businesses are more prepared. The average size of a data breach has decreased 16%. In addition, customers are more loyal. A large factor in figuring breach costs is the lost revenue from the loss of current customers and from new customers who are unwilling to take the risk. But, despite the breaches, abnormal turnover of customers following a breach dropped 17%.

The study also uncovered other factors that could help control costs. Centralizing the management of data protection is a big factor. Companies that appointed a C-level security professional had a per capita cost of $149, while those without paid $228. When appointing a data protection czar is not reasonable, don't be afraid of third-party support. Companies that contracted with third parties had per capita costs of $168, compared to $209 paid by those that did not.
FBI Tells Corporate Execs to Defend while DARPA Prepares to Attack
"J.P. Morgan reports that worldwide e-commerce sales are expected to increase from $573 Billion in 2010 to nearly $1 Trillion in 2013. Each year, cybercriminals and thieves steal terabytes of data, intellectual property worth billions, expose an average of 260,000 personal identities per data breach, and cost organizations approximately $7.2M per data breach event. Symantec reported that this past summer, 29 chemical companies, including multiple Fortune 100 companies, were subject to computer attacks that sought to extract data on formulas and manufacturing processes."

Dr. Regina E. Dugan brought these unfortunate statistics to the attention of the DARPA Cyber Colloquium in November of last year. At the same time, she reminded them of several attacks tracing back to government organizations in Russia and China. It would appear they listened. DARPA reported on Monday that it is increasing its cyber research budget by $88M in FY2012 and intends to increase the amount by another 4% of its top-line budget over the next 5 years.

While DARPA contends it is not abandoning the concept of defense, it admits it is "easier to play offense than defense in cyber." Its evidence is convincing as well, pointing out that security software can consist of nearly 10 million lines of code while the average malware contains 125 lines.

The FBI has its fingers on the security pulse as well, but rather than switching gears, it's chiding corporate leaders. A top cyber intrusion expert at the FBI, Shawn Henry, told Infosecurity that corporate leaders are not involved enough in their cyber risk management:

"We are knocking on the door of the organization, and we are telling them that they've been breached. In some cases, they have been breached for many months and in some instances years, and they didn't even know it. When we have to tell them they've been breached, that's bad."

While he stands firm on the FBI's role in the private sector of mitigating threats, raising awareness and sharing the intelligence they have, he also believes that the leaders of the companies need to take some of the responsibility:

"You own this, you are leader of the organization, you are in charge of the success or failure of the organization. You need to take a personal interest in it."