Botnets and Blippy and iPhones. Oh my!

Wow, busy week for feds and hackers alike!

Mariposa Botnet netted and doused in formaldehyde

UPDATE: New details have emerged about the size and complexity of the Mariposa botnet. Apparently Mariposa dwarfed the attacks from Estonia and Georgia, and contained details on over 800,000 people.

Investigators in Spain shut down the Mariposa botnet, finding out the perps weren’t the sophisticated geniuses they expected.

“They’re not like these people from the Russian mafia or Eastern European mafia who like to have sports cars and good watches and good suits — the most frightening thing is they are normal people who are earning a lot of money with cybercrime,” said Cesar Lorenza, a captain with Spain’s Guardia Civil.

Blippy = TMI

For the life of me, I cannot figure out why anyone would use this service. Blippy lets you publicly post, in real time, the purchases you make with credit cards, ecommerce sites, etc., and lets your friends like or comment on them. Seriously. Dancho Danchev’s post, Does Blippy really pose a security risk? is a must-read wake-up call for anyone using or planning to use this service. Hint: Don’t. Even Web Celebs like Leo Laporte post rather sizable purchases on Blippy, making me question whether or not he realizes what a target he is making himself into.

Botnets are ruining your inbox

Good lord. As if Mariposa wasn’t causing enough mischief, two other botnets, Grum and Rustock, are accounting for nearly half of all spam, most of it Canadian pharma scams.

iPhone users targeted for scams

This scam is pretty ingenious in an evil way. According to the MarkMonitor blog,

“This recent attack also stands out because it utilizes some advanced technologies and suggests possible directions of future cybercriminal activity. First, the attack uses server-side logic that hides the phishing site unless it is accessed through the browser produced by the smartphone company. Second, the attack uses additional protective technology in the form of a fast-flux network, which hides the phishing site behind a dynamic network of ever-changing proxies. These two smart technologies demonstrate how cybercriminals continue to focus their efforts on making their attacks targeted, stealthy, and resilient.”
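A defender can spot the fast-flux half of that description in resolver or passive-DNS logs: the same name keeps resolving to many addresses on unrelated networks with short TTLs. The sketch below is an added example, not code from MarkMonitor or this blog; the sample records, the thresholds and the use of a /16 prefix as a stand-in for "different network" are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network
from statistics import median

# Constructed passive-DNS answers: (domain, A record, TTL in seconds).
# .example domains and 10.0.0.0/8 addresses are stand-ins, not real indicators.
OBSERVATIONS = [
    ("secure-login.example", "10.12.4.9", 180),
    ("secure-login.example", "10.77.201.3", 180),
    ("secure-login.example", "10.140.8.66", 120),
    ("secure-login.example", "10.12.90.14", 180),
    ("secure-login.example", "10.203.17.5", 60),
    ("secure-login.example", "10.55.3.21", 180),
    ("shop.example", "10.30.1.10", 3600),
    ("shop.example", "10.30.1.11", 3600),
    ("cdn.example", "10.30.2.1", 60),
    ("cdn.example", "10.30.2.2", 60),
    ("cdn.example", "10.30.2.3", 60),
]

# Illustrative thresholds (assumptions); tune against your own resolver logs.
MIN_IPS, MIN_NETS, MAX_TTL = 5, 3, 300


def flux_profile(observations):
    """Summarise per-domain IP churn, network spread and TTL."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for domain, ip, ttl in observations:
        ips[domain].add(ip)
        ttls[domain].append(ttl)
    profile = {}
    for domain, addrs in ips.items():
        # A /16 prefix is a rough proxy for "different network"; ASN data is better.
        nets = {ip_network(f"{a}/16", strict=False) for a in addrs}
        profile[domain] = {
            "ips": len(addrs),
            "nets": len(nets),
            "median_ttl": median(ttls[domain]),
        }
    return profile


def suspected_fast_flux(observations):
    """Domains with many IPs, spread over many networks, served with short TTLs."""
    return sorted(
        d for d, p in flux_profile(observations).items()
        if p["ips"] >= MIN_IPS and p["nets"] >= MIN_NETS and p["median_ttl"] <= MAX_TTL
    )
```

Note that cdn.example also uses a 60-second TTL but stays on one network, so a short TTL alone does not trigger the flag.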

Choosy hackers choose PDF

According to a recent report of more than a trillion Web requests, PDFs were responsible for a staggering 80% of all exploits targeted at Adobe Reader vulnerabilities. The report (ironically itself a PDF) mentions that Flash-based attacks actually dipped from 40% to 18% in Q4 2009 while malicious PDFs rose from 56% to 80%.

More stories tomorrow. Lots going on! What do you think of Blippy? Too much info? Let us know!

Trust in a bad neighborhood

Something Dave and I have been talking about a lot is trust.  This is an old topic that is coming into sharper focus as the years go on.  In simple terms, a trusted environment is one in which other members can be assumed to be who and what they appear to be:  that email from your Mom’s Facebook account is legit, right?  The problem is that the Internet is not a trusted environment and requires validation.  How far we validate and require people to authenticate depends on the amount of risk we want to accept.  Reading a text-based email from a long-lost friend is probably ok, but opening an attachment … probably not.

I’ve been reading some great work by Daniel Solove about the history of some of the issues we’re experiencing on the Internet.  (Props to David Mortman for making me aware of this guy)  Solove talks at length about how some social dynamics are distorted on the Internet in ways they aren’t in the physical world.  An ill-advised comment on Twitter could haunt you forEVER!

When we started using the Internet it was an insulated place and, although true authentication was difficult, there were so few people using it that a phishing email would have seemed absurd.  Many people who are using the Web today see it in terms of social media:  the friendly screens of Facebook or Twitter.  This is a confusing mix of real world friends and family and typical Internet ‘friends’.  Yet even our relationships with some of these remote acquaintances are those of close friends.  Seen through the lens of Davezilla:

Part of the problem is that we’ve lost the healthy fear we once had of the Internet.  One of the results is that bad things are becoming more frequent.  Symantec’s Threat Report tells part of the story:  Between 2002 and 2008, the amount of new malware reported each year exploded.

To be clear:  I think the benefits of all of the technology far outweigh the problems.  We just need to make sure we’re following some basic rules for this bad neighborhood.  We’ll never be able to eliminate all of the risks of using the Internet.  But you can reduce them to a manageable level, making it much less likely that you’ll have problems.

Commonsense Media has some great resources for Internet safety.

What are your thoughts about how we should be approaching this issue?

Free McAfee Software

If you mark yourself as a fan of McAfee on Facebook, you can have a free six-month trial of McAfee Security Software for your PC. This is possible because of an agreement between McAfee and Facebook. According to McAfee:

“Research has shown that up to 78 percent of consumers do not have updated anti-virus, an enabled firewall and anti-spyware, and 48 percent of them have expired anti-virus, the most fundamental protection. So many people without even the most basic protection for their computers are an obvious risk to themselves, but also to people with whom they interact online. The agreement between McAfee and Facebook is designed to address this problem.”

To take advantage of this offer, head over to the Facebook Security page and click the tab titled, “Protect Your PC.”

Policy of Truth

I read a news story last night about high school privacy invasions that irritated me to no end. Apparently, Harriton High School in the Philadelphia area supplied its students with laptops with built-in webcams (Macbooks), and then allegedly turned them on randomly to spy on kids in their own bedrooms! According to the report from Philly.com:

In a lawsuit filed Tuesday in federal court, the family said the school’s assistant principal had confronted their son, told him he had “engaged in improper behavior in [his] home, and cited as evidence a photograph from the webcam embedded in [his] personal laptop issued by the school district.”

This is way too much like Big Brother for my taste. I understand (and approve of) schools knowing what is on their laptops, but to turn on cameras remotely and spy on kids off school property? No way.

“My first thought was that my daughter has her computer open almost around the clock in her bedroom. Has she been spied on?” —Parent, Candace Chacona

According to Philly.com, Lillie Coney (Associate Director of the Electronic Privacy Information Center) had not heard of any other case in which school officials were accused of spying on students at home through a webcam. If the allegations are true, she said, “this is an outrageous invasion of individual privacy.”

We all know that Generation Y shares too much. They post all kinds of photos to social sites that are better left unseen by parents and potential bosses. Their optimistic, yet naïve view of the world seems to have no shame in showing everyone their sexuality, their partying, their embarrassing moments. At the same time, these posted photos are their choice, and no one has the right to invade their personal space.

What are your thoughts?

Let’s Talk About Passwords

Here’s another good take on the Twitter “Is this you lol” Phishing scam. I really like that the author, Graham Cluley, reminds readers to use better passwords. People. This is basic and yet 33% of you use the same password everywhere. This is ludicrous.

Would you pin your child’s social security number to their jacket and send them to school? Of course not! But you’ll use the same password because you can’t be bothered to spend 30 seconds to think of a new one. I mean, that’s 30 seconds less you would get to play Farmville, god forbid.

But I digress… Let’s be constructive here. Passwords. There is nothing more critical to the security of your basic identity than having a set of good passwords to use. I know what’s running through your head right now. “I know, I know I should do that, but I just can’t remember more than one and I know enough not to tape it under my keyboard.” Congratulations. You’re halfway to recovery. Now you just need some tools.

Unless you have a truly random brain, you need to use a password generator. There are several free ones. Go use these ones now.

  1. Strong Password Generator is one of my favorites. You can choose the number of password characters (please don’t choose fewer than 12), whether or not to include symbols (yes, please!) and it even gives mnemonic hints to help you recall the password, despite it being quite random.
  2. From Bytes Interactive come two password generators. One creates passwords similar to Strong Password Generator with several options; the other creates 1337 passwords (LEET), which are based on a phrase you can recall. They also have a secure server.
  3. RandPass has been online forever and generates very good passwords. What I like about them is the ability to generate large batches of passwords at once.
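What those generators do can be done locally as well. The sketch below is an added example, not code from any of the tools listed; it follows the advice above (at least 12 characters, symbols included, a batch of distinct passwords so nothing is reused) and draws from the operating system's cryptographic random source through Python's secrets module. The symbol set and function names are assumptions.

```python
import math
import secrets
import string

MIN_LENGTH = 12  # the floor the post asks for
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"  # constructed symbol set; adjust to site rules
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS]
ALPHABET = "".join(CLASSES)


def generate_password(length=16):
    """Return a random password containing every character class."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        # secrets uses the OS CSPRNG; the random module is predictable
        # and should not be used for passwords.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Redraw the whole password instead of patching characters in,
        # so every accepted password remains equally likely.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length):
    """Upper bound on entropy for a uniformly random password of this length."""
    return length * math.log2(len(ALPHABET))


def generate_batch(count, length=16):
    """Generate several distinct passwords at once, one per account."""
    batch = set()
    while len(batch) < count:
        batch.add(generate_password(length))
    return sorted(batch)
```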

You also need some place to store passwords, but no, written down on paper is for chumps who deserve to be robbed blind. Do it right. Use a password database. Here are some of my favorites:

  1. 1Password. This costs $40, but isn’t your identity worth it? 1Password can also generate them for you and has a 100% moneyback guarantee. It also comes as an iPhone app. Mac only.
  2. OnePassword is free. It integrates into Internet Explorer as a toolbar and has many of the features of 1Password.
  3. How about your blog? A great plugin by Marcel Bokhorst exists for WordPress, called One-Time Password. As the name implies, it generates password logins for WordPress that can only be used one time, preventing password theft. Outstanding plugin.

Hope these tips help! Do you know of any good password generators or password databases I didn’t mention? Let us know in the comments.
