SANS is reporting that some of the leaked copies of IE7 beta 1 floating around may be bugged with spyware. Now, seriously, is anyone surprised by this? That’s always a risk with warez. I’m reluctant to grab any program, even one that allows free redistribution like Firefox, via P2P, unless there’s a way to verify it. (BitTorrent handles this internally—assuming you trust the torrent site.)

If you’re not getting a program directly from the supplier or a distributor that you trust, you should always check it before installing. Even if you are getting it from a trusted source, it’s worth checking, since servers do occasionally get hacked. Most open-source programs distribute either a PGP/GPG signature or a checksum using an MD5 or SHA1 hash along with their downloads. Assuming you get the checksum from a trusted source, you can verify that the package hasn’t been altered.

For IE7, if you have to try out beta 1, go through proper channels (MSDN or the beta program) or get it from someone you trust…who went through channels. Otherwise, you’re better off waiting for beta 2.

Talk about convoluted. Someone has developed a Java applet that will use one browser to install spyware on another. The applet runs in any browser using the Sun Java Runtime Environment—Firefox, Opera, Mozilla, etc.—and if it can convince you to run the installer, it will install spyware on Internet Explorer. And since you can’t remove Internet Explorer from Windows (you can hide it, but it’s always there…waiting), just using an alternative browser isn’t enough to protect you.

Of course, the obvious solution here is don’t let it install anything. That’s what the Java sandbox is for, after all: applets run in their own little world and can’t touch the rest of your system unless you let them (or they find a hole in the sandbox, which is why you need to keep Java up to date—just like everything else).

Time to emphasize the fact that while Firefox is still safer than IE, it’s not a magic bullet. There is no magic bullet. You can minimize risk, but never eliminate it.

(via SANS Internet Storm Center)

CAN-SPAM one year later: more spam than ever. Spam has more than doubled from 15 billion messages in 2003 to an estimated 35 billion in 2004. Is anyone really surprised? From the article: “The FTC says the goal of the act was never to cut down on spam but to give recipients control via the opt-out component.” Hmm, that might be part of why groups like Spamhaus were calling it the “You Can Spam” act. (via The War on Spam)

Webroot identifies the Top 10 “Most Unwanted” Spyware programs, using the “P-I Index…. P is for prevalence, I is for insidiousness.” The “winners” include pop-up generators, keystroke loggers, autodialers and the like. (via Aunty Spam’s Net Patrol)

Finally, there are several fixes and work-arounds for the pop-up window spoofing vulnerability I wrote about last week. There’s the all-inclusive method: close all other browser windows. Netcraft reports that Opera has issued a fix (7.54u1) and Safari is safe if pop-up blocking is enabled. I just got an email indicating that KDE has released a fix for Konqueror (expect that to start hitting distributions this week). No word yet on Firefox or IE, and while Microsoft has its monthly patch day tomorrow, I wouldn’t expect this to show up quite that soon.

This has got to be a typo:

About 91 percent of PCs today are infected with spyware programs that send information from your PC to an unauthorized third party.

NCSA (National Cyber Security Alliance, not the National Center for Supercomputing Applications of Mosaic fame) Chairman Ken Watson quoted by CNET in Study: Consumers take cyberattacks lightly.

That’s a staggering number, and I hope it’s supposed to be 19. Even so, considering how many computers there are in the world, it’s still a staggering number.

Spyware, viruses and worse are out there, and they’re all over both business and home computers. It’s worth checking out the NCSA’s website,, as well as others like CERT‘s page on Home Network Security, the US-CERT website, or the FTC‘s guide to Consumer Information Security (though I can’t quite get past the turtle logo on that one).