Ryan Naraine

Microsoft today released its April batch of security patches:  8 bulletins with patches for at least 20 documented holes in popular software products.  The most serious of the flaws could lead to remote code execution attacks that give a malicious hacker complete ownership of a vulnerable machine. 

From Orlando Sentinel (Richard Burnett)
With unemployment soaring, identity thieves are increasingly preying on unsuspecting job seekers by stealing personal information and trying to cash in on it.

The scams run the gamut from fake help-wanted ads and job-search services to bogus resume-posting Web sites, part of a new arsenal of weapons targeting millions of recently unemployed people.  Read the full story [sunsentinel.com]

By Roel Schouwenberg
Over the weekend, we’ve seen a number of Cross Site Scripting worms for Twitter.
 
Now, with all the recent security problems at Twitter,  these worms [networkworld.com] come as little surprise.  The most virulent worm is not particularly complex in the vulnerability it is exploiting. The original author? A bored 17-year-old who had nothing better to do over the Easter weekend.

From DarkReading (Kelly Jackson Higgins)
Internet Explorer 7 and 8’s default security settings can be unsafe for internal, intranet-based Web applications, according to newly published research.
Cesar Cerrudo, founder and CEO of Argennis, a security consulting firm in Argentina, has demonstrated that IE’s default features for intranet “zones” can be abused to wage attacks on internal Web applications both from the outside and from within the organization. Cerrudo has released his findings [argeniss.com, PDF], which show how default settings can be used both to detect and exploit vulnerabilities in intranet applications. Read the full story [darkreading.com]

From Computerworld (Gregg Keizer)
Although the media blitz about the Conficker worm prompted a significant number of enterprise users to finally fix a six-month-old Windows bug, about one in five business computers still lack the patch [computerworld.com], a security company said today.
Scans of more than 300,000 Windows PCs owned by customers of Qualys Inc. show that patching of the MS08-067 vulnerability — a bug that Microsoft fixed with an emergency update issued in October 2008 — picked up dramatically two weeks ago. Read the full story. Also see our previous coverage of the Conficker threat.

From the Industry Standard (Robert McMillan)
Flaws in popular Internet-based telephony systems could be exploited to create a network of hacked phone accounts, somewhat like the botnets that have been wreaking havoc with PCs for the past few years.
Researchers at Secure Science recently discovered ways to make unauthorized calls from both Skype [securescience.net] and the new Google Voice communications systems, according to Lance James, the company’s cofounder.  Read the full story [thestandard.com]  Here’s the paper [pdf] explaining the Google Voice attack.

From internetnews.com (Alex Goldman)
Valentine’s Day is a the season for social engineering, as many people hope for a note from a mysterious and fascinating someone and are therefore more willing to open suspicious messages and attachments than at any other time.
Unfortunately, it is now the season for data theft. It’s at tax time that the highest quantity of valuable data crosses the Internet and data thieves are surely hoping for a feast. Tax data is valuable not just because it contains financial information but also for the personal information it contains. Read the full story [internetnews.com]