Microsoft Releases Free Security Software

Let's face it, we all lurveeeee FREE stuffs. So, good news for you people out there!

Microsoft has released its free security suite for consumers today, dubbed Microsoft Security Essentials.

The anti-malware services helps to protect users against viruses, spyware and other malicious software. It requires no registration, trials or renewals and is available for download directly from Microsoft.

Microsoft Security Essentials is designed to run quietly in the background alerting users only when there is an action for them to take. It limits CPU and memory usage and has less impact on tasks users perform such as opening documents or browser windows or loading search results, even on older less powerful PCs.

Microsoft Security Essentials is available for Windows XP SP2 or SP3, Windows Vista and Windows 7 including Windows XP mode on both x32 and x64 PCs.

Microsoft Security Essentials is available in eight languages and 19 countries including Australia, Austria, Belgium, Brazil, Canada, France, Germany, Ireland, Israel, Italy, Japan, Mexico, the Netherlands, New Zealand, Singapore, Spain, Switzerland, the United Kingdom and the United States.

Source

Twitter warns of direct-messaging worm

Social-networking service Twitter warned users on Wednesday that a link sent by direct message redirects users to a malicious site that attempts to steal their account credentials.

It's unclear how many users of the microblogging service had fallen prey to the phishing scheme, which sends victims to a replica of the Twitter logon page. Accounts compromised by the attack will send out messages, which resembles "rofl this you on here? http:// videos.twitter.*****-logins01.com," to their followers, according to reports.

"A bit o'phishing going on -- if you get a weird direct message, don't click on it and certainly don't give your login creds!" Twitter warned users through its spam channel.

Source

Serious security bug found in Windows Vista

An independent security consultant publicized this week the details to a critical flaw in the server message block version 2 (SMB2) component of Microsoft's Windows Vista, Windows Server 2008, and the release candidate for Windows 7.

The researcher, Laurent Gaffié, claimed in his advisory that the vulnerability causes a Blue Screen of Death, a pernicious crash on Windows system, but other researchers have subsequently concluded that the flaw is actually remotely exploitable, a more serious issue.

Microsoft acknowledged the flaw on Tuesday in an advisory. The flaw does not affect the latest version of Windows 7, Windows Server 2008 R2, nor Windows XP, the company stated. Microsoft took the researcher to task for disclosing the information before it fixed the security issue.

While Microsoft has not released a fix for the issue, the software giant recommended that administrators disable SMB version 2 or block the specific TCP ports (139 and 445) used by the file-sharing feature.

Detailed report here.

Twitter spam protection tips

With the popularity of social networking platforms such as Twitter on the rise, cyber criminals have found an easy target among unsuspecting users.

One of the biggest security problems facing Twitter as it relates to the spread of spam and malware are the many link-shortening services utilized for hyperlink posting. Users are limited to 140 characters per tweet so these URL-shortening services allow tweeters to post a longer link under such tight character limitations. Attackers use link-shortening services to disguise malicious links. Some infections could be easily prevented by allowing users to see the real URL before clicking on it.

Some of the common types of Twitter spam include:

* Tweet spam: Tweet spam comes from someone a user is currently following and everyone following that user will see the tweet

* Direct message: A direct message comes from someone a user is currently following and only the user will see the message

* ReTweet spam: ReTweet spam searches for legitimate tweets and reposts them in the system but with a different, malicious URL

* Trending subjects spam: Trending subjects spam searches for hot topics on twitter (like Michael Jackson's death) and posts similar tweets with different, malicious URLs

* Following spam: Following spam happens when a user's profile receives a lot of followers he/she doesn't know. If the user does not start following them back within a week, they stop following the user. Statistics show that one in two users will follow back. Usually these profiles are bots which are programmed to acquire as many followers as possible before they can start broadcasting spam.

Twitter users can protect themselves from falling into spam traps by following five tips, courtesy of BitDefender:

* Install a comprehensive security solution on your computer - preferably a suite containing antivirus, firewall and a phishing filter

* Follow the spam profile on Twitter: http://twitter.com/spam. Users can find good advice here. For example, a recent post states: "If you gave your login and password info to TwitViewer, we strongly suggest you change your password now. Thanks!"

* Don't click on all the links you receive

* Disable the "auto followback" option. This will allow you to pick and chose who you want to follow

* Make sure you know who you are following.

Researcher Launches Facebook Bug Project For September

First Twitter and now Facebook: A researcher today began a round of daily disclosures of serious vulnerabilities in popular Facebook applications.

The researcher, who goes by "theharmonyguy," plans to disclose multiple cross-site scripting (XSS) flaws he discovered in various third-party Facebook applications this month, though he may not do so every day. He says he found major security holes in several of Facebook's top 10 most popular applications.

Today's bugs include XSSes in FunSpace, which has more than 8 million users; SuperPoke, which has 2 million users; SocialToo, which has nearly 2,000 users; and YellowPages.ca, which has nearly 1,200 users. FunSpace, SuperPoke, and SocialToo have been patched, but YellowPages.ca has not.

The problem, he says, lays in Facebook's API -- problem that has been well-documented by other researchers, as well. The API gives the application developer full access to a Facebook member's profile when a user runs that application.

Full report here.