Dennis Fisher

About

Dennis Fisher is a journalist with more than 13 years of experience covering information security.

Sensitive DHS platform hacked

From Federal Computer Week (Ben Bain)
Attackers have penetrated a network that the Department of Homeland Security uses to share sensitive information with state and local authorities, gaining access to important, but unclassified, data. The attack began in March and occurred again a few weeks later, according to a report in Federal Computer Week.

How the Debian OpenSSL bug almost spawned a disaster

When news broke last year about the serious flaw in the Debian OpenSSL pseudorandom number generator, security experts knew it was a serious problem and warned users to regenerate any keys that had been created using the vulnerable versions of the OpenSSL package. It was a big problem, but it turns out that it could have been far worse.

Serious new flaw found in IIS 6.0

A new remotely exploitable vulnerability has been found in the Microsoft IIS 6.0 Web server. The flaw is quite similar to one that was discovered eight years ago in earlier versions of IIS, and exploitation of the weakness could enable an attacker to upload content to the vulnerable server.


From CSO (Robert McMillan)
In the face of increased attacks by its citizens against Chinese networks, China is stepping up the severity and enforcement of its computer crime laws. China often is cited as one of the major havens for hackers and malware authors, but as this IDG News Service report shows, the country is beginning to crack down on its own citizens for computer crimes in an effort to change that image.

Botnets have become one of the more insidious threats on the Internet in the last few years. Large-scale botnets such as the Storm, Asprox and Nugache networks have caused tremendous problems by serving as platforms for spamming operations, DDoS attacks and other mischief. In this podcast from SearchSecurity.com, Rob Westervelt talks with Brian Rexroad of AT&T Labs about the company’s botnet research program.

Little, if anything, gets Mac users more exercised than a mention of their favorite machine’s security problems. Despite the fact that security experts believe Macs to be much easier to exploit than Windows machines, Mac users simply trot out the old saw about there not being any virus attacks on Macs. Not only is that assertion demonstrably false, but it misses the point entirely: Virus attacks are not an indicator of the security of an operating system.

From SC Magazine (Chuck Miller)
Attackers have discovered that spreading their malware is a much easier task on social networking sites than it is on the rest of the Web. The success rate for malware on social networking sites such as Twitter and Facebook is 10 percent, compared with less than one-tenth of that on normal sites and through email.

The back-and-forth in Washington over who should run the cybersecurity program for the federal government has reached a fever pitch, as lawmakers, federal agencies and other interested parties jockey for position and budget dollars in the run-up to the release of the results of the Obama administration’s review of cybersecurity operations in the federal government. But perhaps the question isn’t which agency or office should have ultimate authority over cybersecurity, but whether any of them should.

From The New York Times (John Markoff)

The small cadre of experts who spend their time doing the meticulous, painstaking work of tracing cyber attacks is increasingly relying on a combination of advanced technical tools and old-fashioned intelligence-gathering techniques to track down the people and organizations responsible for the attacks. These investigators for years have been relying almost exclusively on custom software programs to do their work, but the changing nature and increased sophistication of the attacks has forced a change in these tactics.