Tuesday, September 7, 2010

Archive for December, 2009


Thursday, December 31st, 2009
PC World’s “Top 10 Security Nightmares of the Decade”
Short post today, since New Year’s is upon us. PC World magazine has the best “end of the decade” list out that I’ve seen yet, which lists their “top 10 security nightmares,” and is well worth reading for those who want a look back. Remember, 10 years ago at this time, when we were all biting our knuckles over the whole Y2K bug scare? How times have changed! The full article is much too long to post here, and too long to even really do justice in excerpts, so I’ll just briefly list the headers they have for their top 10, and then wish everyone a happy new year!
1. Cyberwar
2. Malware Makes Strange Bedfellows
3. MySpace, Facebook, and Twitter Attacks
4. Organized Viruses and Organized Crime
5. Botnets
6. Albert Gonzales
7. Gone Phishing
8. Old Protocol, New Problem
9. Microsoft Patch Tuesdays
10. Paid Vulnerability Disclosure
Wednesday, December 30th, 2009
This Just In: Spam Actually Works
A shocking — shocking! — story is making the rounds of the media currently, to the tune of: “spam actually works.” What a surprise! The notion that email scammers are actually making money at what they do, instead of clogging the pipeline of the world’s email just for fun (or for nefarious purposes, in the same way James Bond villains will occasionally hold the world hostage), is an absolute revelation in some circles, it appears. For anyone who has been living under a rock for the past… oh, two or three decades… here’s a newsflash: the spam fight ... more
Tuesday, December 29th, 2009
The Story Behind The Mega-D Takedown
The Mega-D botnet, at one point, was responsible for almost 12% of all spam, and infected over 250,000 computers worldwide. When it was taken down at the beginning of last month, MessageLabs reported it had shrunk to “less than 0.1 percent” of spam. This amazing feat was pulled off in the space of a few days, by a man who had prepared this botnet takedown for two years. PCWorld has the full story of Atif Mushtaq, and his valiant and successful fight to kill off one of the top 10 botnets in the world. It’s a fascinating ... more
Thursday, December 24th, 2009
Was Citigroup Hacked Or Not?
The Wall Street Journal is reporting that Citigroup was the victim of a botnet attack this year which resulted in the theft of “tens of millions of dollars,” but SCMagazine is already refuting this with a vigorous denial by the bank. Of course, banks rarely wish to draw attention to such security breaches, since what all financial institutions fear is a withdrawal frenzy by their depositors. So one wonders whether the bank doth protest too much, in this case. Complicating the situation, the article ominously points out that the FBI has not officially commented on the subject, which might ... more
Tuesday, December 22nd, 2009
New Cyber-Czar Announced
The Obama Administration has just announced the appointment of a “cyber-czar” to oversee federal cybersecurity across the entire national government, and his name is Howard A. Schmidt — who previously worked for the Bush Administration in a similar capacity. This is not entirely surprising, since combatting cyber-criminals is not exactly what you would call a “partisan” goal. No matter what party you hew towards, I think we can all agree that the protection of the American parts of the internet is a paramount federal concern — it’s just not a right/left sticking point, nor should it be. And ... more
Monday, December 21st, 2009
Upcoming Botnet Trends
As 2009 draws to a close, network security specialists are taking a look at what can be expected in the never-ending battle against botnets. On the rise next year, PC World predicts, will be attacks on file-sharing networks and partner programs. That last one is insidious, because the scam artists are finding new ways to almost legitimize the profits they are making online, by entering into some very grey areas which may not actually run afoul of the law. Of course, all good IT girls and boys should have already asked Santa to leave some robust bot detection ... more
Thursday, December 17th, 2009
Botnets Growing Almost 400% Per Year
Project Honey Pot has put out a new report to mark capturing their one billionth spam message. The project is a grassroots effort to track spam and malware on the net, and the report has some stark numbers to show the increase in growth rates of infected computers hijacked by botnets. They are reporting an astounding average of 378% growth annually in the number of botnet-infected computers. This is a strong argument for security professionals everywhere to beef up their bot detection software, because the avalanche of botnets is only going to get worse over time. Infosecurity has ... more
Tuesday, December 15th, 2009
Automated Gumblar Botnet Returns
The sophisticated Gumblar botnet is spreading again, amongst PHP-based websites such as blogs. The botnet has successfully attacked sites running on Joomla, Drupal, and WordPress, popular blogging software. The insidious part of the attack is that Gumblar seems to be completely automated, which puts it a step above the normal botnet tactics. Spam Fighter has the story, although it is a little light on details of the attacks themselves, and on what can be done to prevent them: According to the Internet security company Kaspersky Labs, Gumblar, a gigantic botnet, is steadily resurging again and has collapsed ... more
Friday, December 11th, 2009
Botnet Found In Amazon Cloud
Amazon’s EC2 cloud computing infrastructure has been infiltrated by the Zeus botnet, which installed a command and control center within the cloud. It gained access through an unnamed website which was hosted on the Amazon servers. While the botnet has been caught and neutralized (I wonder what bot detection software caught it…), this points out vulnerabilities within the cloud computing framework which should be a cause for concern in the network security business. PC World has the story: Security researchers have spotted the Zeus botnet running an unauthorized command and control center on Amazon’s EC2 cloud computing infrastructure. This ... more
Thursday, December 10th, 2009
Ohio Unemployed Targeted By Text-Message Scammer
In a rather terse warning, today Ohio cell phone users were told to ignore text messages which purport to be from the state’s unemployment agency. The scam apparently targeted people who are on unemployment, with a message telling them that their benefits had been suspended — and that they (naturally) had to make a call to verify all their personal data, in order to reactivate their benefits. Of course, the state agency had nothing to do with the messages, or the answering service, which would take the personal data provided, and then go on to steal money from ... more
