The F1 key vulnerability exists because of an un-patched vulnerability in Internet Explorer that would allow hackers to hijack the source PC.

Microsoft is investigating new public reports of a vulnerability in VBScript that is exposed on supported versions of Microsoft Windows 2000, Windows XP, and Windows Server 2003 through the use of Internet Explorer. Our investigation has shown that the vulnerability cannot be exploited on Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008. The main impact of the vulnerability is remote code execution. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.

Microsoft may supply a security patch for this vulnerability in an upcoming patch release. No date or confirmation of this patch is available.

Via network world

• Eric Geier writes for InformIT some “Tips to Secure your Home Wi-Fi Network“
• Bruce Schneier also has a new article out about securing your data while traveling that’s worth some consideration: “Protect Your Laptop Data From Everyone, Even Yourself“.
• Another thoughtful article on SafeKids.com by Larry Magid: “How to stop cyberbullying.“
• Forbes.com’s Amanda Berlin puts together an article on “How to Protect Your Online Reputation.“
• NetworkWorld continues their IT Best Practices series with this article by Linda Musthaler and Brian Musthaler: “The notification chain when a breach is suspected“

If you find any articles you think would interest the readers here, let me know!

Image: Clipart

The SIR indicates that malicious software infected different versions of Windows at different rates. Vista was less infected than other service packs, all versions of Windows XP having higher infection rates. The data, which is based on millions of Windows users, indicates that total vulnerability disclosures was on the decline while the number of high severity disclosures was increasing each quarter. More than 90% of vulnerabilities disclosed affected applications or browsers (vs the Operating System).

In the second half of 2008, there was a rise in rogue security software, which is software that poses as being anti-malware or anti-spyware, when indeed may do nothing or be malware itself. Be sure to download your software just from trusted sources!

The report looks at data breach incidents from the OSF Data Loss database, indicating that the second half of 2008 could blame 33.5% of all data loss incidents on equipment theft, including that of laptops. Adding in equipment loss, and that total goes up to 50%. Be sure to secure your laptops and be able to see if computers have the latest software updates with our Computrace laptop security solution.

SIR Volume 6, which tracks data between July and December 2008, can be downloaded here.

Via technet

Laptop Security Is a Three-Legged Stool – Intel

This list fits in snugly with our own motto of “mutli-layered laptop security” at Absolute, which we talk about here. For now, check out the “3 legs” of laptop security:

1. Physical Security
2. Data Protection
3. Protection Solution

9 Dirty Tricks: Social Engineers’ Favorite Pick-Up Lines – CSO Online

These are tactics employed by criminals (cyber and otherwise) to scam you out of personal information or money or to gain access. The list had 8 tricks, not 9, but who’s counting? ;)

1. “I’m traveling in London and I’ve lost my wallet. Can you wire some money?”
2. “Someone has a secret crush on you! Download this application to find who it is!”
3. “Did you see this video of you? Check out this link!”
4. “This is Chris from tech services. I’ve been notified of an infection on your computer.”
5. “Hi, I’m from the rep from Cisco and I’m here to see Nancy.”
6. “Can you hold the door for me? I don’t have my key/access card on me.”
7. “You have not paid for the item you recently won on eBay. Please click here to pay.”
8. “You’ve been let go. Click here to register for severance pay. “

5 Tips for Managing Security in a Recession – CSO Online

Another great look at how to prioritize your security spending and planning this year.

1. Prioritize based on risk/reward
2. Have the right mix of people on your team
3. Build repeatable processes
4. Create an optimal shared cost strategy
5. Automate and outsource wisely

Top 5 Security Resolutions for New PCs – InformIT

If you’ve just bought a new computer, take some quick security steps before you start using it! Here are 5 resolutions to take:

1. I Will Patch My Systems
2. I Will Use Common Security Tools
3. I Will Back Up My Data
4. I Will Secure My Wireless Router
5. I Won’t Write Down My Passwords

And to end off the great tips offered in these articles, walk the lighter side with this ID-theft-themed Dilbert comic.

The group has jointly released a consensus list of the 25 most dangerous programming errors – and how to fix them. These programming errors lead to security bugs and can enable cyber espionage and cyber crime – most errors are not well understood, nor is their avoidance taught by computer science programs. The press release also indicates that these errors are not frequently tested by organizations developing software for sale. This list is, therefore, a big step forward in making software more secure.

“There appears to be broad agreement on the programming errors. Now it is time to fix them. First we need to make sure every programmer knows how to write code that is free of the Top 25 errors, and then we need to make sure every programming team has processes in place to find, fix, or avoid these problems and has the tools needed to verify their code is as free of these errors as automated tools can verify.” – SANS Director, Mason Brown

According to the release, just 2 out of these 25 programming errors led to more than 1.5 million website security breaches in 2008. The 25 errors represent the worst things that can happen when software is being written – and will give a minimum set of coding errors that should be eradicated before software gets to the consumer.

The programming errors include sending sensitive information in clear text and hard-coding security passwords into programs. The errors fall into three categories: insecure interaction between components, risky resource management and porous defenses. You can read more here or here.

Via PC World ; Clipart via Microsoft / Presentation Pro

The Center for Strategic & International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency has released its final report, “Securing Cyberspace for the 44th Presidency.” The report indicates the importance of Cybersecurity as a national security issue, that privacy and civil liberties should be reflected in cubersecurity issues, and that a national security strategy is necessary.

Control Risks has released its annual RiskMap report for 2009. The RiskMap provides an assessment of global and regional political and security risks that businesses are likely to face in the upcoming year. Read more about that here and here.

Roger Grimes at InfoWorld sets out the two primary things you need to know in order to secure your home computer (or home business computer). Although he talks about anti-virus programs, his two main pieces of advice involve being smart (don’t download it if you don’t trust it) and to patch your system regularly – he does recommend the commercial version of Secunia’s Software Inspector for this. Keep reading here.

There’s an interesting article by Tom Olzak at Tech Republic asking if state and federal breach notification mandates are unreasonable. I’ve always been a huge proponent of national legislation as key; I believe consumers need to be informed of breaches in order to mitigate their risk and choose which companies they choose to trust. Tom agrees with this, and argues against statements to the contrary made by Chris Wolf, an attorney and head of the Proskauer Rose (Washington, D.C.) law firm’s privacy and security group. You can read the article here.

Also an interesting read from informIT, an article entitled “Software [In]security: Software Security Top 10 Surprises“.

Have you found any security reports or news to be an interesting read of late? If so, do share the link in the comments!

Image anitapatterson @morguefile