The issue appears to affect all major browsers, though results vary between browsers and operating systems. The remediation for this issue would be to completely disable Javascript in the browser. The Raff demo is notable in that it can work against Firefox, even with the popular Noscript add-on installed. We do suggest readers familiarize themselves with this issue.
http://krebsonsecurity.com/2010/05/devious-new-phishing-tactic-targets-tabs/
http://avivraff.com/research/phish/article.php?406707075

Wardriving and Open Wireless Networks
Stories about the number of unprotected wireless networks used to be common place but it has been some years now since WPA and then WPA2 have become prevalent. WPA2 is relatively easy to setup and provides a good level of encryption and authentication. So, we were somewhat surprised to read the results of a wardriving exercise conducted by the state police in various regional centers across Queensland, Australia. The results have led to the police estimating that some fifty percent of the wireless internet connections in Queensland of having no or minimal security settings enabled, no password, or still have the default password on their wireless device. Perhaps more disturbing is a comment from Detective Superintendent Brian Hay of the Queensland state police, “We know that the crooks are out there, scanning the environment and identifying these vulnerable networks, plotting them and then selling the information.”

Open wireless systems present many dangers and while we consider the results of the wardriving exercise would reflect largely on domestic wireless systems, these same systems may well be used by corporate employees when working from home. While we would expect most remote access systems to be encrypted or utilize a VPN for access, corporate resources or information might still be exposed. We suggest that at the business level, staff are made aware of the dangers of using open wireless systems and we urge all people who have wireless access points in their homes or businesses to verify that their systems are configured to operate in a secure manner.
http://www.couriermail.com.au/news/technology/half-of-wireless-networks-unsecured-in-queensland/story-e6frep1o-1225870268562

Browser vulnerabilities
A proof of concept exploit has been posted for a vulnerability in the iPhone browser. The exploit sends a malformed CSS style tag which causes a denial of service. It’s possible that a remote attacker could execute arbitrary code if the victim is tricked into visiting a malicious website. The same vulnerability is reported to also affect Apple’s Safari browser and Google’s Chrome browser.
http://www.packetstormsecurity.nl/1002-exploits/iphone_crash.py.txt
http://www.packetstormsecurity.nl/1002-exploits/safarichrome-dos.txt

Olympic themed SEO
Last week we highlighted the use of Search Engine Optimization (SEO) techniques where an attacker modifies the optimized search results of search engines to direct users to malicious sites. Currently, many search results for Olympic-themed queries lead to malicious sites. Upcoming events like the St. Patrick’s Day holiday and Spring Break in March may be the next campaigns that are abused. We encourage our customers to be cautious when clicking on links from search results and to visit official Web sites when possible.
http://www.avertlabs.com/research/blog/index.php/2010/02/23/on-olympics-st-patricks-day-screensavers-and-wallpaper/
http://twitter.com/mikkohypponen/status/9628022758

When asked why she had such a long password, she said she was told that it had to be at least 8 characters long and include at least one capital…

Pay attention to what you post and upload. Social networking is public.

• Consider images, videos, and information you publish
• You shouldn’t publish your address, date of birth, etc.
• Use a nick-name that only your friends know.

Choose your friends with care.

• Do not accept friend requests from people you do not know
• Verify all your contacts

Protect your work and environment and avoid reputation risk

• When joining a social networking site use your personal e-mail address
• Be careful how you portray your company online
• Do not mix your business contacts with your friend contacts

Protect your mobile phone and the information saved on it from any physical intrusion

• Do not let anyone see your profile or personal information without consent
• Do not leave your phone unattended
• Do not save your passwords on your mobile phone
• Use the security features available on your mobile phone

Turn off Location Aware Services

• Twitter, Google Buzz, Foursquare and new Smart-phones will publish your location when you post an announcement. Letting the entire world know you aren’t home. See the website http://pleaserobme.com/
• Instead of using a GPS to mark your home location, have your GPS set home to a familiar landmark near your home, such as a corner store. If a thief breaks into your car, not only do they know you aren’t home, but they will have access to your garage door opener and turn by turn directions to your front door.

When Planning Vacation

• Do not post dates and times you will be away, rather write posts as a journal of events that have happened so it’s a surprise that you were gone for a period of time.

Please see the following flowchart for procedures on anti-phishing for email.

A hacker found a personal email account. Similar to the Sarah Palin Yahoo! account hack, the hacker researched social networking sites to find the answers to the “secret question” required to reset the account’s password. In going through the emails in the account, the hacker apparently found the password used for Twitter which was linked to Google.

Therefore, when you are asked secret questions while setting up an account, do not use your mother’s maiden name when asked for your mother’s maiden name. Use nicknames for your mother’s maiden name or question if you really need to have that account created.

The safety of our information at work requires us all to have separate passwords from those in our personal lives. If you have separate passwords for your MySpace and your Online Banking, then great! If your logon to Yahoo! email and your work account are different, then congratulations! You are practicing safe computing!

Identity Theft – Protect Yourselves
Here is a list of ways you can stop identity theft from happening to you:

• Destroy private records and statements. Tear up — or, if you prefer, shred — credit card statements, solicitations and other documents that contain private financial information.
• Secure your mail. Empty your mailbox quickly, lock it or get a P.O. box so criminals do not have a chance to snatch credit card pitches. Never mail outgoing bill payments and checks from home. They can be stolen from your mailbox and the payee’s name erased with solvents. Mail them from the post office or another secure location.
• Safeguard your social security number. Never carry your card with you, or any other card that may have your number, like a health insurance card. And do not put your number on your checks. It’s the primary target for identity thieves because it gives them access to your credit report and bank accounts.
• Don’t leave a paper trail. Never leave ATM, credit card or gas station receipts behind.
• Never let your credit card out of your sight. Worried about credit card skimming? Always keep an eye on your card or, when that’s not possible, pay with cash.
• Know who you’re dealing with. Whenever anyone contacts you asking for private identity or financial information, make no response other than to find out who they are, what company they represent and the reason for the call. If you think the request is legitimate, contact the company yourself and confirm what you were told before revealing any of your personal data.
• Take your name off the marketers’ hit lists. In addition to the national Do-Not-Call registry (1-888-382-1222), you can also cut down on junk mail and opt out of credit card solicitations.
• Be more defensive with personal information. Ask salespeople and others if information such as a Social Security or driver license number is absolutely necessary. Ask anyone who does require your Social Security number — for instance, your insurance company — what their privacy policy is and whether you can arrange for the organization not to share your information with anyone else.
• Monitor your credit report. Obtain and thoroughly review your credit report, now available for free at Annualcreditreport.com or by calling (877) 322-8228, at least once a year to look for suspicious activity. If you spot something, alert your card company or the creditor immediately. You may also want to subscribe to a credit protection service, like Experian’s CreditCheck, which alerts you any time a change takes place with your credit report.
• Review your credit card statements carefully. Make sure you recognize the merchants, locations and purchases listed before paying the bill. If you don’t need or use department-store or bank-issued credit cards, consider closing the accounts.

The open source library YaSSL was found to have a security vulnerability related to the negotiation of SSL certificates. The possibility of a buffer overflow exists under these conditions. There has been a patch released to address this vulnerability.
http://secunia.com/advisories/38344/
http://osvdb.org/show/osvdb/61956
http://yassl.com/news.html#yassl199

A overflow vulnerability was found in the 1.3.xx Apache open source web server. This issue leaves the server open to remote unauthenticated access and denial of service attacks. Upgrading to version 1.3.42 resolves this issue.
http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0589.html
http://secunia.com/advisories/38319/2/