Microsoft has tried to combat the problem by building a variety of safeguards into its operating systems and its Internet Explorer browser, with mixed success. The User Account Control feature of Windows Vista, which popped up an endless stream of warnings that irritated users, proved to be one of the key factors in the poor reception for Vista. Last week in Los Angeles, the company said it had entirely reworked the user interface of its new Windows 7 operating system to minimize user frustration.

A zero-day patch is a security alert that's been issued for some major, Internet-threatening bug, one that's so serious that they give people zero days of warning. It means the bad guys know about it. It's so bad that it needs to be fixed right away, I get that. But do you think IT departments are staffed for one zero-day patch over another?

Of course not. Your infrastructure doesn't scale, but who cares? And why pay for all that automation? We have people here. Or in Bangalore, or somewhere. But when an operation takes 10 minutes per machine, multiplied by hundreds of servers and thousands of workstations for millions of customers ... well, I'll get complaints about the overtime charges, but my managers already told me they didn't want to pay to configure the automated solution. See? I can't win, even if Arista replaces every Cisco box on the network.

The bright side: This morning, I worried I'd be out of a job by noon. Thanks to Microsoft, I now have another life-or-death upgrade to install. I'll do it this weekend. I may not have a family life, but I have a job.

Sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July.

In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month.

So why did the HP execs and investigators get off scot-free (or with a 96-hours-of-community-service slap-on-the-wrist), while Kernell is having FBI agents raid his apartment? Ahhh, yes, money walks. Kernell may not.

(Photo by AP)

I happened to be in Tel Aviv when Tenenbaum turned himself in to Israeli authorities on the day he was set to report for compulsory military service — he was treated as something of a national hero, a symbol of Israel's technology prowess, with even then Prime Minister Bibi Netanyahu praising him as "damn good." Tenenbaum ended up with probation and community service instead of jail time. So it wasn't with much surprise when I read Tenenbaum's mother calling the arrest a frame-up by the FBI.

The truth? The prepaid credit card scam described is a classic modus operandi in Canadian tweaker circles, at least as described in Zero Day Threat. And Tenenbaum certainly had to chops to pull it off, with the cast of fellow suspects who've been released probably participating as mules to make transactions. So once again, I'm betting Canadian dollars to donuts from Tim Horton's on meth.

The authorities won't say, but consensus has it the Tennessee college student under investigation is one David Kernell, a 20-year-old whose father, Mike Kernell, is a Democrat in the Tennessee state legislature. His email address is rubicon10@yahoo.com, which matches the name of a 4chan user — Rubico — who posted a detailed confession of the hack on the site last week. Also, whoever broke into Palin's account first changed the password to "popcorn," which could be a pun on Kernell's last name.

Sarah Palin never thought of herself as an investigator. Yet there she was, hacking uncomfortably into Randy Ruedrich's computer, looking for evidence that the state Republican Party boss had broken the state ethics law while a member of the Alaska Oil & Gas Conservation Commission.

The next week, when Palin went back to work at the AOGCC, she noticed that Ruedrich had removed his pictures from the walls and the personal effects from his desk. But as she and an AOGCC technician worked their way around his computer password at the behest of an assistant attorney general in Fairbanks, they found his cleanup had not extended to his electronic files.

The technician "said it looked like he tried to delete this, but she knew a way to go around and get some of the deleted stuff," Palin said in an interview. "I didn't know what I was looking for, but I was there."

Palin found dozens of e-mail messages and documents stacked up in trash folders, many showing work Ruedrich had been doing for the Republican Party and others showing how closely he worked with at least one company he was supposed to be regulating.

According to a fresh eWeek report:

By rejecting the appeal, the human rights court paved the way for McKinnon to come to the United States, where he faces up to 70 years if convicted. He is accused of hacking his way into computers at the Pentagon, NASA and the U.S. Army and Navy in 2001 and 2002, causing a reported $700,000 worth of damage.

Attorney Karen Todner, who is representing McKinnon, said her client would now appeal to Home Secretary Jacqui Smith to try to persuade her to reconsider an earlier decision and prosecute her client in the United Kingdom.

"Failing that he will be extradited...probably within the next three weeks," Todner added.

She said her client had recently been diagnosed with Asperger's Syndrome and hoped Smith would take this information into account. McKinnon told Reuters in 2006 he was just a computer nerd who wanted to find out whether aliens really existed and became obsessed with trawling large military networks for proof.

His lawyers have argued that sending him to the United States would breach his human rights because he could be prosecuted on account of his nationality or political opinions.

Not surprisingly, McKinnon has a lot of support among technical people:

Graham Cluley, senior technology consultant with Sophos, said a poll of IT professionals conducted in 2006 found that more than half were against extraditing him, mostly because they did not feel he had malicious intent.

“There is a feeling in much of the IT community that McKinnon is being treated as a scapegoat by the U.S. authorities, that because he was arrested shortly after 9/11 that the U.S. agencies felt that they had to send out a strong message that hacking was not going to be tolerated."

(Photo by AP/Lefteris Pitarakis)

The solution to the problem is the same one you would use for your grandma who refuses to get off of her 56K connection. Pack a free version of AVG and their update files onto a flash drive and talk them through the installation and cleaning process. Don't forget the part where they owe you a beer or dinner for helping them out. You have plenty of time to plan — the next supply run is due to leave on or about November 10 from Launch Pad 39A at Kennedy Space Center.

(Virus-protein image by Allen Portner and Gopal Murti)

If you need the joke explained, Moskovitz is making fun of a common tactic used by hackers: Sending fake messages which appear to come from an authority, in an effort to get people to give up their passwords. But he's got a backhanded point. If Facebook insists on using its own software to make major announcements, a fake Mark Zuckerberg has a decent chance of fooling a lot of the people, a lot of the time.

2.0.2 gives almost full access to the iPhone even while under password protection...

Steps to Reproduce

Set iPhone to use passcode lock, have contacts marked as Favorites with links, phone numbers, addresses, etc in address book entry.

Tap "Emergency Call" keypad from passcode entry screen.

Double-tap home button.

Tap blue arrow next to contact's name. You now have full access to applications such as Safari, complete Contacts list, SMS, Maps, "full" Phone access, and Mail by accessing various entries on the Favorite's page, i.e. tapping their home page brings up a full, unrestricted Safari.

(Photo by Getty Images/Sean Gallup)

You get a Facebook message from a friend, urging you to check out this video. You go there, and it's a YouTube phishing site (with your friend's facebook profile picture and name on it), which then urges you to update your Flash player. Don't do it — it fucks up your computer and then spams all your Facebook contacts (not sure exactly how it does that). But it's interesting that hackers are now using a supposedly "trusted" messaging platform such as Facebook to launch attacks

If the hackers' method sounds familiar — a third party attempts to get a user to click based on what looks to be the endorsement of a friend — that's because Facebook tried the same idea with Beacon last year. And it's trying it again with Engagement Ads, a new format coming this fall.

Most security scare stories are about potential problems. This was a real, successful break-in at the open source movement's most high-profile brand. So here's the big question: Why did it take Red Hat a week to acknowledge the problem? Because I can imagine the reaction if Microsoft did that.

(Photo by Eric Skiff)

To combat this problem, Google released a new feature for Gmail that lets users login and use Secure Sockets Layer (SSL), but it's not automatic. Here's how to set it up:

1. Log in to Gmail and click "Settings."
   
2. In the General tab scroll down to "Browser connection."
   
3. Make sure "Always use https" is selected and save changes.

Seems kind of odd that Google wouldn't set this up automatically but, hey, at least you can access your email — unlike those Apple dorks, right?

First, a company wall would remind employees daily that their private details are available to anyone on the network who's installed Kismet and Wireshark. It's not the whiz kids from Black Hat you should worry about. It's the coworker looking to sell a list of sales leads to pay off a gambling debt.

A company Wall of Sheep would be run by one or two in-house sysadmins. They would use network-snooping tools to check for unprotected data on the network. They'd publish carefully redacted versions of anything they caught onto an in-house webpage. If you neglect to set the SSL options on your mail client, just the fact that you've sent 37 emails to Carolyne at the front desk will be the day's watercooler talk. What could be more motivational?

Second, a Wall of Sheep forgives no one. Not the CEO, not the star salesman, not the hotshot in Professional Services. Showing up on the wall because you didn't follow company security rules is like showing up late for work: Everyone sees it, even if they don't dare call you on it. When it comes to changing human behavior, embarrassment is far more effective than an error message. (Photo by RobotSkirts)

That's an understatement. The Russian Business Network is infamous for operating botnets, distributing malware, and stealing private information. But its usual targets are businesses, not nation-states. A year ago, Brian Krebs wrote in the Washington Post about RBN's exploits, which included an attack on the Bank of India. The Estonian government blamed the RBN for three days of attacks on its Web sites in April.

Armin, the security researcher says Georgia's hacked sites are now routed them through servers in Russia and Turkey that are "well known to be under the control of Russian Business Network and influenced by the Russian Government." The Ministry of Foreign Affairs of Georgia has moved its website to Google's Blogger — itself a notorious hotbed of spam, but at least one that's hosted on a theoretically more secure network.

Hackers write software that automatically designs “phishing” websites — those sites that look like a bank’s site but are really controlled by a hacker. Rather than operate the sites themselves, they sell the software to a newbie, who runs the scam. But the software is programmed to send a copy of whatever information it collects back to the author.

John Heasman, vice president of research at Next Generation Security Software, claims to have made "Java applets that for all intents and purposes is an image," and calls them GIFAR files, a combination of GIF, an image format, and JAR, an archive of Java code. Heasman says users would have be logged into the website in order for the malicious code to work and that "the attack is going to work best wherever you leave yourself logged in for long periods of time" — just about any social network, in other words.

To defend against attacks, researchers notes that websites could implement filtering tools to sniff out suspicious files. Sun Microsystems, makers of Java, could also update the Java runtime environment to prevent attacks. Researchers are expecting Sun to release a fix soon after the Black Hat conference.

Using his own computer at home in London, McKinnon hacked into 97 computers belonging to and used by the U.S. government between February 2001 and March 2002.

McKinnon is accused of causing the entire U.S. Army's Military District of Washington network of more than 2,000 computers to be shut down for 24 hours.

Using a limited 56-kbps dialup modem and the hacking name "Solo" he found many U.S. security systems used an insecure Microsoft Windows program with no password protection.

He then bought off-the-shelf software and scanned military networks, saying he found expert testimonies from senior figures reporting that technology obtained from extra-terrestrials did exist.

At the time of his indictment, Paul McNulty, U.S. Attorney for the Eastern District of Virginia, said: "Mr. McKinnon is charged with the biggest military computer hack of all time."

If found guilty, McKinnon could be jailed for 70 years and fined as much as $1.75 million.