The notification will include links for self-help or “professional assistance” which will cost you.

Stop – Think – Connect is a website put together by a coalition led by the Anti-phishing Work Group and National Cyber Security Alliance. The website offers tips and advice related to online security.

Macworld provides a quick article on how to encrypt a folder on OS X, no additional software needed.

Ars Technica reports that advertisers have announced a program to allow users to opt-out of behavioral advertising tracking. The program is voluntary on the part of advertisers.

Hotmail has enhanced their security, making it harder to hijack your account.

This doesn’t have to be viewed as an evil attempt to expand power. It’s realistic to view this as a way to keep the same abilities as they have with the old technology. Just like businesses that see their market fad away as technology advances, legislate rather than compete.

Let’s assume there’s zero abuse and it’s used as described, after getting a legally obtained warrant for legitimate criminal investigations. How long before those backdoors make it out into the world? It can only be a matter of time.

From the article, an event in Greece was mentioned:

In 2005, it was discovered that hackers had taken advantage of a legally mandated wiretap function to spy on top officials’ phones, including the prime minister’s.

Unfortunately, unlike telephones, modern communication travels the internet, out there for anyone to pull in the bits.

Let’s face it, the bad guys will still have their own backdoor-free encryption but gain access to the legal stuff. That is, those who were already smart enough to use strong encryption today. It’s not like the U.S. has the market on programmers cornered. There’s also those who say the new law wouldn’t force open source development to include the backdoors.

Others have pointed out there’s other ways to get the information, such as sneaking in a key logger. Granted, probably not a effective as having a ready-made door, but a lot fewer problems. With the backdoor they’ll still only catch the stupid criminals, and the smart criminals will have another way to rip off the honest folks.

The world moves forward, legislation is not going to stop it.

Microsoft will be releasing a security patch to address a vulnerability in ASP.NET documented in security advisory 2416728, “Vulnerability in ASP.NET Could Allow Information Disclosure.” The bulletin lists just about every still supported desktop and server OS along with what appears to be every still supported .NET version.

Initially the patch will only be available for manual download on Tuesday and will then make it to Windows Update in the next few days.

So head on over to The OS Quest for future updates. This week we have:

Security Quest 1a: Recent Security News and Getting Caught Up

Security Quest 1b: Microsoft Patch Tuesday info

Rather than repeating all the patches I’ll direct you to news.com which has a good summary of the patches along with links to the individual bulletins. The patches are available through automatic updates or individual downloads.

Happy patching and good luck.

Google Mistakes Own Blog For Spam, Deletes It (via Yahoo News) – Google thought one of its own blogs was a spam blog so turned it over to someone else. Oops. Google does usually send a notification but they say the bloggers “overlooked” it.

The Storm Worm has been spreading to alarming levels according to several articles around the net. The jist of the article that the botnet (Storm installs bots on it’s targets) has grown so big there’s probably plans to change it from use as a spam sender (which is a common use). Some speculate it may be rented out to launch denial of service (Dos) attacks. The story made it to the Slashdot from page.

Slashdot also has a posting about a popup that can’t be stopped. It circumvents popup blockers, they can be sized to fill the entire screen, and cannot be closed by the user. Oh joy.

Techdirt has the story of a guy who sued a spammer being told to pay the legal fees of the company he sued. The CAN-SPAM act limited who could sue spammers to ISPs. So some people found a loophole (they thought) to become ISPs and they sued. The judge ruled the business was set up for the sole purpose of suing. Part of me is happy he has to pay because he did manipulate things to sue. On the other hand he probably *should* be able to sue but that’s the fault of our Congress which defined legal spam in the CAN SPAM law and gave spammers legal cover.

Security Fix is reporting about scam tax rebate sites. They’re popping up even though it’s not April 15th. October 15th is the deadline for people who filed for an extension. If you get an unsolicited email saying you’re due a refund but need to supply a credit card number to get it your probably (is there any doubt?) getting scammed. Another scam promotes the site as part of the IRS e-File program. Sometimes they submit the return but the refund goes to them.

Thirteen components are updated. Click the thumbnail to see the component list or visit the Apple Support Page for the complete details. Of special note is the Samba vulnerability that Apple has finally patched. Samba is an open source windows file sharing application that is bundled with OS X. A critical vulnerability was found in late may and almost immediately patched by the Samba team. Apple has released several security updates since then but none have included the Samba patch, until now. Samba is off by default but is enabled when turning on Windows sharing in System Preference -> Sharing.

The update is for both Intel and PPC based Macs running OS X 10.3.9 or OS X 10.4.10 including the standard OS and the Server OS. It’s available through Apple’s built-in software update service or as a standalone download. A computer restart is needed after applying the patch.

Apple also released Airport Extreme Update 2007-004. Details are lacking and Apple’s only comment is:

This update is recommended for all Intel-based MacBook, MacBook Pro, and Mac mini computers and improves the reliability of AirPort connections.

The WordPress Stats plugin by Automattic (Andy Skelton ) had a critical SQL injection vulnerability that could allow admin credentials to be stolen. The vulnerability was patched in version 1.1.1 and was released July 27th.

I typically turn off (deactivate) plugins before updating them and in this case I had to re-enter the API key when activating the updated plugin.

One “critical” and one “moderate” vulnerabilities are patched in this update. The critical update is “Unescaped URIs passed to external programs” which is similar to the vulnerability that was found when IE 7 passed a malformed URI to Firefox.

The moderate vulnerability is “Privilege escalation through chrome-loaded about:blank windows”. This was dependant on add-ons creating about:blank windows.

Two other vulnerabilities were rated as “critical” by the Firefox team. A critical rating means:

Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.

Two vulnerabilities were rated as “high” which means:

Vulnerability can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.

The remaining three vulnerabilities where rated as moderate (1) or low(2).

The update will be installed through Firefox’s auto-update feature. You can force an update check by going to the Help on the menu and selecting “Check for Updates…”. You can also download the full version from the website and run the installation over your current installation. The update is for all languages on all operating systems.