This will be the last post for the Security Fix blog. Dec. 31 marks my final day at The Washington Post Company. Over the last 15 years, I've reported hundreds of stories for washingtonpost.com and the paper edition. I have authored more than 1,300 blog posts since we launched Security Fix back in March 2005. Dozens of investigative reports that first appeared online later were "reverse published" in the newspaper, including eight front-page stories and a Post Magazine cover. Through it all, you - the reader - have been my most valuable source, most reliable critic, and most persistent muse. Loyal readers are the reason Security Fix has consistently been among the most-visited blogs on washingtonpost.com. Thank you. I will continue to remain engaged in this increasingly vital news beat. Please stay in touch for updates in the New Year. I can be reached directly at this e-mail address.

Hackers broke into an online comic strip syndication service Thursday, embedding malicious code that sought to exploit a newly discovered security flaw in Adobe Reader and Acrobat, Security Fix has learned. On Monday, Adobe Systems Inc. said it was investigating reports that criminals were attacking Internet users via a previously unknown security flaw in its Adobe Reader and Acrobat software. Experts warned that the flaw could be used to foist software on unsuspecting users who visit a hacked or booby-trapped Web site. Albany, N.Y.-based Hearst publication Timesunion.com now reports that on Thursday readers of its comics section began complaining of being prompted to download malicious software. In an update posted to its site, Timesunion.com said the attack took advantage of the recently disclosed Adobe flaw. The news outlet said it had traced the attack back to a problem at King Features, which serves comics on its Web site, and that

Hackers hijacked the Web site of micro-blogging community Twitter.com early Friday, briefly redirecting users to a Web page for a group calling itself the "Iranian Cyber Army." The attackers apparently were able to redirect Twitter users by stealing the credentials needed to administer the domain name system (DNS) records for Twitter.com. DNS servers act as a kind of phone book for Internet traffic, translating human-friendly Web site names like "Twitter.com" into numeric Internet addresses that are easier for computers to handle. "Twitter's DNS records were temporarily compromised but have now been fixed," the company said in a brief statement on its Web site. "We are looking into the underlying cause and will update with more information soon." Twitter's DNS service is provided by Manchester, N.H. based Dyn Inc. Tom Daly, chief technology officer at Dyn, said the incident was not the result of a security failure on its services. Daly

Internet service providers in Russia and Ukraine are home to some of the highest concentrations of customers whose machines are infected with the Conficker worm, new data suggests. The report comes from the Shadowserver Foundation, a nonprofit that tracks global botnet infections. Shadowserver tracks networks and nations most impacted by Conficker, a computer worm that has infected more than 7 million Microsoft Windows PCs since it first surfaced last November. "Conficker has managed to infect, and maintain infections on more systems than any other malicious vector that has been seen before now," Shadowserver stated on its Web site. Shadowserver's numbers indicate that the largest numbers of Conficker-infested PCs are in the East, more specifically China, India and Vietnam. For example, Chinanet, among the nation's largest ISPs, has about 92 million routable Internet addresses, and roughly 950,000 -- or about 1 percent of those addresses -- appear to be sickened with

Adobe Systems Inc. said Monday it is investigating reports that attackers are exploiting a previously unidentified security hole in its Acrobat and PDF Reader software to break into vulnerable computers. The acknowledgment coincided with an alert published by the Shadowserver Foundation, a nonprofit group that tracks the spread of malicious programs that criminals use to control infected systems remotely. Shadowserver member Steven Adair said the flaw is present in the most recent versions of Adobe Acrobat and Reader. Adair warned that security experts have observed cyber crooks using the vulnerability in targeted attacks since at least Dec. 11, but that more widespread attacks are likely to emerge over the next few weeks. In addition, few anti-virus vendors currently detect malicious PDF files harboring this exploit. At the moment, there is no patch available for this flaw, and Adobe's brief advisory offers little in the way of mitigation advice. However, Internet

If you use Facebook and care about your privacy, take a moment to read this blog entry. Facebook has made some major changes that may allow a great deal more people to see your personal photos and videos, date of birth, family relationships, and other sensitive information. While logged in to Facebook, click the "Settings" link and you should see a box that looks like the one pictured below. You may see that Facebook has reset your privacy settings, so that the everyone can now see the information on your "About Me" page, as well as your "Family and Relationships" data; "Work and Education"; and most importantly "Posts I Create," which includes status updates, links, photos, videos and notes. Below is a screen shot of what my privacy settings looked like when I recently logged in. The new privacy settings instituted across the Facebook network may also expose your birthday,

More than one quarter of data breaches so far this year involved consumer records that were jeopardized when organizations lost control over sensitive paper documents. Experts say those incidents came to light in large part due to a proliferation of state data breach notification laws, yet current federal proposals to preempt those state measures would allow paper-based breaches to go unreported. According to the Identity Theft Resource Center, a San Diego based nonprofit, at least 27 percent of the data breaches disclosed publicly in 2009 stemmed from collections of sensitive consumer information printed on paper that were lost, stolen, inadvertently distributed or improperly disposed of. Some 45 states and the District of Columbia have enacted laws requiring companies that lose control over sensitive consumer data such as Social Security or bank account numbers to alert affected consumers, and in some cases state authorities. Concerned about the mounting costs of complying

Microsoft released six software updates on Tuesday to fix at least a dozen security vulnerabilities in Windows, Internet Explorer, Windows Server and Microsoft Office. More than half of the flaws earned a "critical" rating, meaning criminals could exploit them to break into vulnerable systems without any help from users. Separately, Adobe Systems Inc. issued critical security updates to its Flash Player and AIR Web-browser plugins. The updates are available from the Windows Update Web site, or via the Automatic Update feature in Windows. Probably the most important update for most users is the one for Internet Explorer, which corrects five critical flaws in IE 6, 7 and 8. These are vulnerabilities that attackers could exploit to quietly install malicious software on your machine if you browse with IE to a hacked or booby-trapped site. A description of the rest of the vulnerabilities patched in this month's release from Microsoft is

Networking equipment maker Cisco Systems Inc this week bestowed a generous honor on the Security Fix author. In its 2009 annual security report released Tuesday, Cisco names Yours Truly as a "cybercrime hero," citing an ongoing investigative series detailing the plight of small businesses that have lost hundreds of thousands of dollars at the hands of malicious software. The mention comes in a section announcing Cisco's first-ever "Cybercrime Showcase," which the company said aims to "shine a spotlight on individuals and entities who have made significant positive contributions during the past year toward helping make the Internet a safer place for all users." Clearly, I am long overdue to design a decent superhero costume. In all seriousness, I am grateful for the mention, and for the recognition of my work. Interestingly, the two families of malicious software also mentioned as "winners" of Cisco's 2009 "Cybercrime Showcase" are malware families whose

An electronics testing firm in Louisiana is suing its bank, Capital One, alleging that the financial institution was negligent when it failed to stop hackers from transferring nearly $100,000 out of its account earlier this year. In August, Security Fix wrote about the plight of Baton Rouge-based JM Test Systems, an electronics testing firm that in February lost more than $97,000 from two separate unauthorized bank transfers a week apart. According to JM Test, Capital One has denied any responsibility for the losses. On Friday, JM Test filed suit in a Louisiana district court, alleging breach of contract and negligence by the bank. The firm says it is still out a total of $89,000, and that it has spent roughly $70,000 investigating and responding to the breaches. "Capital One was not willing to make good on our losses or attempt any type of settlement," said Happy McKnight, JM Test's controller.

Scam e-mail artists have launched a massive campaign to trick webmasters into giving up the credentials needed to administer their Web sites, targeting site owners at more than 90 online hosting providers. Experts say the attackers are attempting to build a distributed network of hacked sites through which to distribute their malicious software. The spam e-mails arrive addressed to users of some of the top Web hosting firms, from hostgator.com to yahoo.com and 50webs.com, and bear the same basic message: "Due to the system maintenance, we kindly ask you to take a few minutes to confirm your FTP details." Recipients who click the included link are brought to a Web site made to look like a cPanel page (cPanel is a widely used Web site administration software package). People who fall for the scam and provide their credentials are then forwarded on to the actual site of the Web hosting

Apple this week pushed an update for Leopard and Snow Leopard systems that plugs a large number of security holes in Apple's version of Java, a package installed by default on those Mac OS X systems that enables a number of multimedia Web applications. The new Java version fixes at least 14 vulnerabilities in the version designed for OS X 10.6 systems; the package put together for 10.5 Macs corrects more than two dozen security flaws. Mac users can grab the patches via Software Update or from Apple Downloads. The patch fun continues into Tuesday of next week, when both Microsoft and Adobe are scheduled to issue updates to plug security vulnerabilities of their own. Microsoft said Thursday that it plans to issue at least six security patches (each patch fixes at least one -- but often multiple -- security flaws). Half of those updates will carry a "critical" rating,

---

Scammers and spammers soon will have a tougher time masking links to their malicious Web sites using bit.ly, one of the more popular link-shortening services out there: The company said this week it is teaming with three security firms to warn users when a shortened link looks like it leads to badness. Criminals increasingly are abusing URL-shortening services to disguise the true destination of both phishing Web sites and those that host malicious software. Some of the most prolific and automated of these attacks take place on social media sites like Facebook and Twitter, networks that are far less useful and fun if users can't feel relatively comfortable clicking links. In response, bit.ly will by the end of the year be working with Sophos, Verisign and Websense to scrub some 40 million shortened links each day for those linking to malware, spam and phishing Web sites, the company said this

Pay-per-click revenue in the online advertising business may be diminishing for traditional media publishers, but thieves increasingly are earning five- to seven-digit returns when victims click on a booby-trapped link or attachment sent via e-mail. The latest victim to learn this was Nigel Parkinson, president of D.C.-based Parkinson Construction, a firm with an estimated $20 million in annual revenue that has worked on some of Washington's top gathering places, including the new D.C. Convention Center and the Nationals baseball stadium. Parkinson said he had an expensive crash course in computer security, when on Nov. 24, he clicked a link in an e-mail purporting to be from the Social Security Administration warning him about potential errors on his Social Security statement. Parkinson fell for the ruse and ended up downloading a copy of the Zeus Trojan, a prolific family of malicious software that criminal gangs have used to great effect to

E-mail scam artists are impersonating the Centers for Disease Control with a bogus e-mail that claims to offer information about a state-run vaccination program for the H1N1 "Swine Flu" contagion. This highly topical and plausible e-mail message directs recipients to a fake CDC Web site that tries to foist malicious software. Recipients who fall for the ruse and click the link are brought to a counterfeit CDC site that showcases a "Personal H1N1 Vaccination Profile" as an electronic document that supposedly contains the reader's name, contact details and medical data. Visitors are instructed to download their profile, which according to multiple sources is a malicious program (almost certainly a password stealer) that is hard to detect by the vast majority of anti-virus products on the market today.

A recent spam run that tries to distribute malicious software disguised as a DHL package tracking number contains a poorly hidden message that insults the Security Fix author by name. According to an analysis by security firm Sophos, the messages arrive as a "Dear Customer" notification stating that the courier company was unable to deliver a parcel to the recipient's address. The message urges recipients to click the attached "shipping label" for more information, and of course the attachment is a malicious program designed to steal the curious victim's passwords. Sophos said the tracking number cited in the messages appears to be a jumbled mush of letters, but closer inspection reveals an insult aimed at this author. (Suffice it to say, it is off-color enough that it cannot be repeated here.) Sophos's Graham Cluely writes: "I find it hard to believe that the hackers' choice of tracking reference number

It has been a while since I've written about online banking fraud against small to mid-sized businesses, but I assure you the criminals perpetrating these attacks have been busier than ever. In fact, from more than a dozen incidents I've been investigating lately, the attackers for whatever reason now appear to be focusing heavily on property management and real estate firms, and title companies. On Nov. 12, I was contacted by a woman in Washington, D.C. who runs a large property management firm. The woman said her company had just been the victim of online banking fraud, but that her board of directors would not let her discuss the incident on the record. Per her request, I am omitting her name and the name of her firm. The woman said hackers had tried to transfer more than $1.3 million out of her firm's account, but that all three transactions had

Shopping online is a great way to save time and money, but those efficiencies quickly vanish for people who lack basic online shopping smarts. Take a few minutes to review these safe shopping tips: They may just save you a world of headache and financial pain. 1. Shop with a credit card, not a debit card. The banks are pushing more consumers toward debit cards with a bevy of awards programs because they can charge merchants higher fees than on credit card-based transactions, said Avivah Litan, a fraud analyst with Gartner Inc. But if your debit card number gets stolen, it might be somewhat more complicated to sort things out, especially if fraud causes overdrafts and bounced checks. 2. Keep track of your receipts. Some experts advise online shoppers to print out all receipts. That's fine, but a simpler and more "green" alternative to this important tip is to simply

These past few days have seen some notable cyber justice cases: Late Monday, Alan M. Ralsky -- a man dubbed the "Godfather of Spam" -- was sentenced to 51 months in prison. And on Friday, a California man pleaded guilty in a case involving the sale of counterfeit high-tech computer parts to the U.S. military. Ralsky, 64, of West Bloomfield, Mich., joined two co-conspirators in earning stiff prison sentences for long careers of blasting junk e-mail. Following more than four years in prison, Ralsky will be subject to five years of supervised release and will forfeit $250,000 the government seized from him in December 2007, the Justice Department said. According to the government, Ralsky was a top promoter of so-called pump-and-dump scams, schemes in which fraudsters buy up a bunch of low-priced microcap stock, blast out millions of spam e-mails touting it as a hot buy and then dump their