17 March

Buying and selling stock online is big business. It also carries its own risks. And we don’t mean the risk of making bad investments; we mean losing access to your trading account because your computer got infected by a keylogger.

Read more:
Online stock trading is risky

Category : F-Secure | Blog
19 February

This relates to my last post where Boaz Gelbord (Security Scoreboard) cited something very interesting about the Massachusetts data security regulation going into effect March 1. Their listed “Computer System Security Requirements” of their “risk-based approach” is pasted below. While I can’t say any one of these security controls is a bad idea, can someone please tell me how any of this stuff is going to thwart Web-based attacks!?

Read more:
Hey Massachusetts, where is your application security requirement?

Category : Web App Sec | Blog
8 February

We saw a pretty PDF file today (md5: 116d92f036f68d325068f3c7bbf1d535). It looks like this: Nice flowers. Unfortunately, when viewing the file, it uses an exploit against Adobe Reader and drops and runs a file called 1.exe.

More:
Watch out for flower-show.org

Category : F-Secure | Blog
4 February

A new spam campaign gives the phrase “too good to be true” a whole new spin: spammed messages purporting to come from Google in response to job applications. While most spammed messages take advantage of a specific special occasion, holiday, or even a currently newsworthy item, spammers have hit a new low with their latest scheme.

See original here:
Spammers Fake Responses from Google Job Applications

Category : infySEC | Blog
12 January

Every year the Web security community produces dozens of new hacking techniques documented in white papers, blog posts, magazine articles, mailing list emails, etc. Not to be confused with individual vulnerability instances brandishing CVE numbers, nor intrusions / incidents, but actual new methods of Web attack. Some techniques target websites, others Web browsers, and the rest somewhere in between.

More:
Top Ten Web Hacking Techniques of 2009 (Official)

Category : Web App Sec | Blog
6 November

Ten of Application Security industry’s coolest, most interesting, important, and entertaining links from the past week — in no particular order. Regularly released until year end. Then the Best of Application Security 2009 will be selected!

Another fine method to exploit SQL Injection and bypass WAF
Security and Facebook Platform
When Is More Important Than Where in Web Application Security
Apple - XSS Attack
Cross-subdomain Cookie Attacks
PILOT: Production in lieu of testing (AgoraCart FAIL)
Facebook and MySpace security: backdoor wide open, millions of accounts exploitable
SSL and TLS Authentication Gap vulnerability discovered
Using Blended Browser Threats involving Chrome to steal files on your computer
LinkedIN With ‘Bill Gates’

View post:
Best of Application Security (Friday, Nov. 6)

Category : Web App Sec | Blog
5 November

Our blog has been nominated in the 2009 ComputerWeekly.com IT blog awards. We’re in the IT Security category. If you like us, you can vote at ComputerWeekly.com.

Visit link:
Vote 4 Us

Category : F-Secure | Blog
14 October

Over the past few days a sustained email spam campaign has been running to distribute new Zeusbot variants.

Continued here:
Personalized Patch/Update Spam Delivering Malware

Category : Symantec | Blog
2 October

It seems SEO poisoning is the current “trend” for directing users to rogue antivirus software. These SEO poisoning attacks usually exploit major news topics, the latest of which is the September 29th earthquake off Samoa, which triggered a tsunami warning for numerous South Pacific islands, as well as Hawaii

Go here to see the original:
Samoa Earthquake News Leads To Rogue AV

Category : F-Secure | Blog