ReadWriteWeb

Security

Malware Exploit Found for iOS Devices by German Researchers

By Dan Rowinski / July 6, 2011 07:21 AM / Comments

Germany's Federal Office for Information Security issued a warning today that iPhones, iPads and the iPod Touch have "critical weaknesses," the Associated Press reports. The malware is delivered by an infected PDF that can affect the user's device without them knowing. The same result would occur when a user visits a website with an infected PDF.

This is one of the first malware weaknesses discovered for iOS. Android has an increasing problem with malware and rootkits, but so far there has not been a significant weakness exploited on iOS (not counting the 120,000 iPads that were hacked last year, which was really more the fault of AT&T than iOS). Is this just the first drip of a coming wave of mobile malware?

Search Engine Poisoning #1 Vector for Malware

By Dan Rowinski / July 6, 2011 12:31 AM / Comments

Search engine poisoning is the most prevalent form of malware delivery on the Web, according to the security researchers at Blue Coat. In its 2011 Mid-Year Security Report, Blue Coat outlined the biggest threats to Web security and the attack vectors that malware providers are using to infiltrate users' computers.

Search engine poisoning (SEP) makes up 40% of malware delivery vectors on the Web. In this practice, malware and spam attackers inundate search results with links to bait pages that take users to malicious websites, which then download malware to the computer. Spammers reach higher in search rankings by creating link farms that drive their poisoned pages further up search results. People want to be able to trust that what they search for in Google, Bing or Yahoo is safe to click on. Users are not conditioned to think that search results could be harmful to the health of their computers. The other leading attack vectors on the Web all pale in comparison to SEP, with malvertising, email, porn and social networking all 10% of malware delivery.

What Can Companies Do to Stop a DDoS Attack?

By Dan Rowinski / July 4, 2011 12:01 AM / Comments

The most well-known trick criminal hackers have in their bag is the distributed denial of service (DDoS) attack. To create a DDoS attack, hackers use a botnet to send mass amounts of traffic at a website server, bringing the site down. Recent attacks targeted the CIA's public website, WordPress and credit card companies. The "hacks" make big news and it seems like almost every other day another large commercial website is taken down.

The most important thing to know about a DDoS attack is that it is really not a hack at all. The purpose of a DDoS attack is not to steal information but rather to prove a point. "We control massive botnets and can make life very difficult for you" is the message that hackers are sending. A DDoS is what many would call a "dumb" attack because it is sheer force, a giant hammer aimed at a Web server. Yet, large-scale dumb attacks are often the most difficult to stop. What can companies do to protect themselves against a DDoS attack on their doorstep?

Social Network Spam Surges, Security Company Reports

By Dan Rowinski / July 1, 2011 03:45 AM / Comments

In case you hadn't noticed, spam and phishing attacks through the social networks have been on the rise. Security company Symantec released a report yesterday detailing socially-engineered attacks to determine where they are coming from and what techniques malware criminals are using to lure victims into their traps.

One of the most interesting trends that Symantec has noticed is that social spam and phishing have been cyclical, moving from network to network (see above graph). For instance, attacks will focus on Facebook for a period of time before falling off, then focus on Twitter or YouTube before coming back to Facebook. In the cat-and-mouse game that is malware versus security, these trends make sense as exploits are closed on one network and found on another.

One Botnet to Rule Them All: Kaspersky Labs Finds "Indestructible" Network

By Dan Rowinski / June 30, 2011 02:16 AM / Comments

Every time a botnet is taken down, another is waiting in the wings to take its place. Each successive iteration of malware-infected networked computers is more sophisticated than the last. Security research company Kaspersky believes it has found one that is almost indestructible.

The TDL-4 botnet is 4.5 million PCs strong. It has some unique features that make it difficult to remove, such as powerful rootkit exploitation and the ability to disable other malware that is installed on a computer. Those features make it difficult to detect and remove the malware, but that is not what makes the botnet indestructible. The way TDL-4 communicates with its command-and-control center and other infected computers is what makes it unique.

Spam Hits Lowest Levels Since 2008 (Did You Notice?)

By Dan Rowinski / June 28, 2011 05:01 AM / Comments

A new report from security company Symantec says that global spam is at its lowest levels since 2008. The geographic center of spammed accounts has also shifted from Russia to Saudi Arabia. Worldwide spam is now down to one in every 1.37 emails. In the United States, spam accounts for 73.7% of all emails.

Spam levels are now the lowest they have been since McColo, a California-based ISP spam control center, was taken down in 2008. That is, in part, due to the shutdown of the spam-sending botnet Rustock in March 2011. Spam, phishing, viruses and other types of malware are all still major problems in the Internet ecosystem but it looks like progress is being made against the botnets and those that control them.

Employees, Not Hackers, Are The Biggest Threat to Security

By Dan Rowinski / June 27, 2011 01:46 AM / Comments

The Department of Homeland Security will release a new guidance document today intended to make the software that runs the Web less susceptible to malicious hacks.

DHS has teamed with security and technology experts at the SANS Institute and Mitre to create a list of the top 25 programming errors that lead to the most serious hacks, according to The New York Times. The idea is to educate companies and organizations about the channels that criminal hackers use to gain access to confidential information and servers. These are often common software errors that can lead to "zero day" exploits.

Mac Malware: OS X 10.6.8 Has A Plethora of Critical Security Updates

By Dan Rowinski / June 24, 2011 06:56 AM / Comments

Apple released Mac OS X 10.6.8 yesterday in preparation for its Lion release. There are several things to like about the new update, including changes to Final Cut Pro X as well as enhancements to the Mac App Store ahead of the release of Lion.

Overlooked in the update is the fact that Apple has included a fair number of security updates in the software. When it comes to Apple, people always want to talk about what is cool and sleek and fun to use. Yet, as the fake anti-virus malware Mac Defender has shown us, Apple is becoming more of a target for malicious hacks. Apple releases security updates with each version of Mac OS X. Let's take a look at what is significant in version 10.6.8.

Today In the Lulz: Cleary Charged, Brazilian Government Site Taken Down

By Dan Rowinski / June 22, 2011 05:45 AM / Comments

The Lulz keep on coming.

Ryan Cleary, the 19-year-old alleged criminal hacker arrested in Britain yesterday, has formally been charged with offenses under the United Kingdom's Criminal Law Act and Computer Misuse Act. The accusations are for a purported Distributed Denial of Service attack against the Serious Organised Crime Agency (SOCA) along with several industry groups. In other News Of The Lulz, the group apparently now has a Brazilian arm that has taken down two government websites, according to PCMag.

Black Hat Hacker Arrested in Britain, LulzSec Denies He Is One of Theirs

By Dan Rowinski / June 21, 2011 01:30 AM / Comments

New Scotland Yard has caught a black hat hacker believed to be of the Lulz Security hacker group, or so it thought. The British law enforcement agency is reporting that a 19-year-old male has been arrested in Essex, England by the "e-Crime" unit following an investigation into network intrusions and distributed denial of service attacks.

LulzSec is not claiming the suspect as one of its own. In a tweet, LulzSec wrote, "Seems the glorious leader of LulzSec got arrested, it's all over now... wait... we're all still here! Which poor bastard did they take down?"
