According to this report from HP, more than half of the Web apps they tested contained SQL Injection and Cross-Site Scripting flaws. Now, neither of these exploits is new. What is news is how both of these chestnuts still keep hackers plenty busy.
US Senate lawmakers will introduce a bill next Thursday that would fine big companies that lose consumer data in a security breach due to poor security measures.
The Personal Data Protection and Breach Accountability Act, sponsored by Democrat Richard Blumenthal of Connecticut, would enable the Justice Department to fine businesses with more than 10,000 customers $5,000 per violation per day, with a maximum of $20 million per violation, according to The Hill.
Jason Lackey runs the @CiscoSecurity Twitter feed and managed to get an interview with @SparkyBlaze, or else someone who has access to his/her Twitter account, for his latest blog post here. Sparky used to be a member of the hacking group Anonymous, which has been responsible for break-ins at a variety of sites, most recently ones run by the Syrian government and the BART transit agency.

In 2009, security company Symantec noticed a particularly complex malware code infecting users' computers. At first the company did not think much of it outside of the fact that it was unusually complicated. The company wrote detection and repair codes for it. Once detected, malware usually shrivels and dies. Yet, the malicious code, known as W32.Xpaj.B, did not go away. It morphed and evolved, allowing one group of cyber criminals to use it for years to perpetrate a search engine click-fraud scheme that netted the hackers an easy $62,000 from unwitting advertisers.
Symantec was able to track down the command and control servers that were running W32.Xpaj.B and did a full breakdown on how the scam worked. The results were surprising - a complex code working on top of a simple infrastructure - and showed how easy it is for criminals to set up malware workshops and watch the money roll in.
Hackers are turning on each other in droves. One in four hackers will snitch on their hacker buddies when pressured by the United States Secret Service or Federal Bureau of Investigation, according to an investigation done by The Guardian.
Apparently there is no omerta between hackers. The Guardian says that the FBI has so thoroughly infiltrated the hacker community "that it is now riddled with paranoia and mistrust." Arrested hackers often turn into moles for the FBI, acting on behalf of the agency as informants in underground chat rooms and forums to sniff out other hackers susceptible to arrest. Hackers of the world: how likely are you to become a snitch for the U.S. government if you are arrested?

By Tomer Bitton, security researcher, Imperva
PDFs are a widely used business file format, which makes them a common target for malware attacks. Because PDFs have so many "features," hackers have learned how to hide attacks deep under the surface. By using a number of utilities, we are able to reverse engineer the techniques in malicious PDFs, providing insight that we can ultimately use to better protect our systems. We'll take you through the process that a hacker uses to insert a piece of malware into a sample PDF.
A delightful book that should be on your summer reading list, or a potential gift for your favorite geek, is a new offering from MIT Press called Nightwork: A History of Hacks and Pranks at MIT. For those of us that went to lesser engineering schools (or perhaps greater, depending on our metrics), it is a joyful experience. The author, school historian TF Peterson, has copiously illustrated some of the more fantastic and amusing things that students have cooked up over the years, including nailing someone's dorm furniture to the underside of the Media Lab archway, putting various objects on top of the two domes at the school, playing Al Gore buzzword bingo at commencement, and more.
Facebook is launching a new security measure that is clearly a response to the recent threats caused by numerous rogue applications that have spread virally across the social network. According to news from the Facebook Developers blog, all application developers must now verify their Facebook account by either confirming a mobile phone number or adding a credit card to their account.
The new procedure aims to cut down on the number of rogue applications created by hackers and spammers by forcing developers to share personally identifiable information. Unfortunately, say multiple security researchers, verification alone is not enough to stop these malicious apps.
We've all heard security nerds complain about the vulnerabilities of cloud computing; here's the news they've been waiting for.
Black-hat hackers got into an unnamed website hosted on Amazon's servers then proceeded to install an illegal command and control infrastructure. Named America's number one most wanted botnet, Zeus was discovered on Amazon's Elastic Compute Cloud (EC2) by security researchers yesterday.
Earlier this week, the news of the first iPhone worm made its way around the net. Since the worm only targeted jailbroken devices and then only those which had the SSH program installed, there wasn't a need for concern on the part of most iPhone users. However, a second hacker tool which uses the same security hole as the so-called iKee worm has reared its head and this one is far more dangerous. According to security firm Intego, the new hacker tool goes after personal data stored on the device including email, contacts, SMS messages, calendars, photos, music files, videos and any other data recorded by any iPhone app.
In other words, if you're the owner of a jailbroken phone, you should now be concerned.