Round here, we're more than a little concerned about fake/rogue antivirus (and other fake security software). It's an ugly form of ransomware that hurts its victims in many ways. It scares them by threatening dire consequences and damage from malware that doesn't exist (except in the sense that the fake AV is itself malware), in

There's a news item out at the moment about how a French man has been arrested for a host of Twitter account attacks including the accounts of US President Obama and Britney Spears. It seems the hacks were carried out in April last year and the arrest came about after collaboration between the US FBI

Inevitably, CanSecWest  2010 kicked off with the promised and eagerly-awaited Pwn2Own hacking contest, in which a number of effective protection strategies (DEP, code signing, ASLR [1]) failed to prevent determined vulnerability researchers making loadsamoney by circumventing them with attacks on Firefox and IE8 on Windows 7, Safari, and the iPhone. For details and extensive comment see: http://macviruscom.wordpress.com/2010/03/25/and-the-firewalls-came-tumbling-down/ http://kevtownsend.wordpress.com/2010/03/25/sacred-cows-fall-at-pwn2own/

A flurry of long-overdue government initiatives designed to address cybercrime has begun to actually develop some momentum. When I consider that it took a year to just get a cybersecurity bill through committee, I think of Nero fiddling while Rome burns, especially when everyone on the committee appears to believe it’s critical legislation. The CyberSecurity

Two weeks ago I acted as a panelist in a panel discussion at an IT Security conference in Kuala Lumpur. I was asked a question about global cybercrime laws. And I've just read Randy Abrams' blog that he posted here today about the proposed new US legislation that is ultimately aimed at driving other nations

Engineers are really smart people who often know how to make something with no real world effectiveness work really well without effect. In a glaring example of marketing hype, very limited effectiveness, and a lesson in teaching users to fall for phishing attacks, Pavni Diwanji, Engineering Director at Google published a blog post http://googleonlinesecurity.blogspot.com/2010/03/detecting-suspicious-account-activity.html The

Carrots, Sticks and Cyber-spies The US legislature is proposing international cybercrime laws according to an article on Dark Reading . The idea is to provide incentives to cooperate on fighting cybercrime, as well as penalties for countries that do not cooperate. Part of the plan calls for a “Cyber-Security Ambassador” . There is an interesting

Unfortunately, I'm not able to attend the CanSecWest 2010 conference in Vancouver this week, though I think Pierre-Marc will be there. I would have been more than a little interested in Charlie Miller's presentation on fuzzing Mac applications: that is, “…a method for discovering faults in software by providing unexpected input and monitoring for exceptions.” 

I've been having a few conversations lately with friend and colleague Aryeh Goretsky, who's been in this industry "before it was an industry" about auld lang syne. (More about that further down the line.) So it was kind of amusing to find a news article on the BBC web site about wildlife found in the

Back on the 22nd of February, I wrote an entry on this blog called "Does Anybody Know WHOIS Out There?". This entry was about the very slack or even non-existent verification of identification information (sheesh, try saying THAT with a few beers under your belt!) provided by individuals and organizations registering domain names on the