You may have heard that researcher Charlie Miller has released details about a vulnerability that allows an attacker to take over an iPhone remotely with an SMS message. Now everyone is rushing to offer homegrown advice on how to fix the problem. But I'm going to offer a different point of view.
Continue reading "New iPhone SMS Threat No Reason To Panic"
Self-confessed hacker Gary McKinnon has lost a judicial review in London that he hoped would have led to a British investigation into his case, rather than extradition to the United States.
Continue reading "71% Say Extradition Of UFO Hacker Gary McKinnon Is Wrong"
The third annual Pwnie Awards at Black Hat in Las Vegas, hosted by Alex Sotirov, Dino Dai Zovi, HD Moore, Halvar Flake, and Rich, celebrated the highs and lows in the security industry. As Dino said, "First we reward for great work, then we shame."
Continue reading "Pwnie Awards Bring Fame And Shame"
When I arrived in Las Vegas, I already smoldered and grumbled about the fact that online trust mechanisms are untrustworthy, and that browsers' fundamental weaknesses persist despite the fact that better browsers would make an incalculable impact on overall Web security. Yesterday's sessions simply added more kindling to the fire.
Continue reading "Black Hat, Day One: Rationalizing And Reinforcing My Pessimistic World View"
Meterpreter is by far one of the most powerful and most advanced payloads included in the Metasploit Framework. It's been the joy of penetration testers and the bane of incident responders, and until now it's only been a payload targeted at Windows systems, while Mac users have dodged a bullet. But that won't be the case for much longer, as demonstrated by Dino Dai Zovi in a 20-minute breakout session at Black Hat today titled "Macsploitation with Meterpreter."
Continue reading "Metasploit Meterpreter For Mac Coming Soon"
The rumor here is that the attacks did indeed happen, but the significance is actually quite small -- not worth paying attention to, since attention is clearly what the attackers are seeking. More info to come...

BlackHat, Kinda: Yesterday a hacking group released details (http://r00tsecurity.org/files/zf05.txt) of a number of successful attacks they conducted, apparently with the principal purpose of embarrassing some of the security industry's most well-known experts. The group claims that they collected about 75,000 passwords, including those of a few security experts speaking at the BlackHat Briefings today and tomorrow. "Welcome one and all to the real Black Hat Briefings," reads the site. "Live from the underground, coming right at you free of charge."
Continue reading "UPDATE: BlackHat, Kinda: 'Real' Black Hats Hack Security Experts"
The Dilbert comic strip is loved around the world for its satirical look at life in the corporate office. But now identity thieves and scammers are exploiting the popular Dilbert.com Website in their hunt for potential victims.
Continue reading "West African 419 Scammers Exploit Dilbert"
Viruses, botnets with international botmasters, denial-of-service attacks on government properties, cyberbullying, and the increasing threat of identity theft plague every resident, from child to adult, regardless of whether they are actually ever online -- U.S. cybersecurity has been little more than a bad joke.
Continue reading "Obama Administration Going Soft On Cybersecurity"
Research In Motion's announcement that users in the United Arab Emirates (UAE) who installed an update on their BlackBerrys ended up with a surveillance application raises some key questions.
Continue reading "The BlackBerry 'Trojan Horse'"
Things that make us say "hmmm" include these stats: The percentage of respondents to our 2009 Strategic Security Survey who rated encryption as effective in reducing risk dropped from 57% in 2008 to 48% in 2009. Use of disk, file, and backup media encryption ALL fell year over year by at least five percentage points. Backup encryption usage is down 10 points.
Continue reading "The Encryption Gap"
Huh? That's the exact reaction I had when I first read the title for the blog entry "Pentest Evolution: Malware Under Control."
Continue reading "Using Malware In Penetration Testing"
It was early Sunday morning British time when I first heard the name "Erin Andrews." I didn't have a clue who she was -- I don't follow the American sports scene -- but one thing was certain: She was creating an enormous buzz on the Internet.
Continue reading "Erin Andrews Video: Get A Life Or Get A Virus"
Fellow Dark Reading blogger Gadi Evron had an interesting take on the relationship between incident response and forensics in his post "Incident Response Is Not Forensics." I agree with him for the most part, but I don't think forensics is always the most common course of action; it depends on who is responding to the incident.
Continue reading "Data Breach Laws Drive IR, Preparation Is Key"
In my last blog post, I talked about how incident response is more than just preparing your first responders by training them and providing them with the tools. Your network and systems need to be set up in preparation, too, so that you have the information you need when handling an incident. It wasn't until yesterday that I remembered what I think is one of the best models of network design that fits the mold of what I mean by having your environment ready for an incident.
Continue reading "Defensible Network Architecture Ideal For Incident Response"
Professionals who handle computer security incident response traditionally have also been charged with forensics. They find the evidence of wrongdoing, and preserve it in a court-approved fashion. This best practice is a good one, even when saving data for law enforcement is not a necessity or a priority.
Continue reading "Incident Response Is Not Forensics"
Hell hath no fury like an IT support administrator scorned. At least that's the message being heard loud and clear by firms that are finding their networks at risk of attack from former employees.
Continue reading "IT Admin Gets Jail Time For Sabotaging Ex-Employer's Network"
Whenever you read information on how to perform forensics and incident response, there is a preparation phase that comes before anything else. Preparation steps cover how to prepare for dealing with an incident in your environment -- but what about making sure your environment is ready for an incident?
Continue reading "Incident Response Prep Extends Beyond Tools, Training"
Most of the security action happening later this month will be in Vegas' Caesars Palace and the Riviera Hotel, where Black Hat USA and Defcon will convene. But at a rented house at a thus-far undisclosed location a few miles off of the Las Vegas Strip, a handful of hackers will host SecurityBSides, a homegrown "unconference" alternative to the more structured format of Black Hat.
Continue reading "The Security 'Unconference' In Vegas"
It's Monday: Do you know what Web browser your users are running? If it's Internet Explorer, don't look now, but for two weeks in a row, IE has taken two jabs straight to the face with ActiveX zero-day exploits that let attackers stomp all over users who are tricked into clicking on a malicious link or get redirected from a compromised site. Browser alternatives starting to look a little more enticing?
Continue reading "Internet Explorer Hit With 1-2 Punch Of Zero-Day Attacks"
A distributed denial of service (DDoS) attack has been in the news in recent days due to attacks against the U.S. government -- with fingers pointed at North Korea. But people forget a few basic truths when it comes to information warfare (or cyberwarfare) and DDoS attacks.
Continue reading "DDoS Cyberwarfare Hurts Us All"
Milw0rm is by far one of the best-known public sites to get the latest proof-of-concept exploit code. Or at least it was until it closed its doors today. The closing comes as a shock to the security community given that milw0rm had become a valuable resource for proof-of-concept and weaponized exploit code, demonstration videos, and papers on all areas of information security.
Continue reading "Hacking And Exploit Site Milw0rm Closes Its Doors"
We've been saying for a while now that better identity management -- more so than secure Web app coding or even more secure browsers -- could fuel a quantum leap in Web security. The "Identity 2.0" community can be credited with wonderful research and truly significant advancements in identity management technology. In many ways, we're poised for an identity revolution. However, the efforts have been hampered by a lack of public awareness, a lack of interoperable standards, usability concerns, and a fundamental chicken/egg problem.
Continue reading "Kantara Initiative: Another Effort To Get Identity 2.0 Out Of The Gate"
Military leaders would never send their troops into war without preparing them for the threats they'd be facing on the battleground. Likewise, you shouldn't let your users go about their daily activities without educating them about the dangers they face when opening an e-mail or clicking on a link returned from a seemingly innocuous Google query.
Continue reading "Would Your Users Take The Bait?"
Hackers are taking advantage of American Independence Day celebrations by spamming out what pretends to be a link to a Fourth of July fireworks show, but is really an attempt to infect computers.
Continue reading "Independence Day Fireworks Video Carries Malware Payload"
It seems that we in the information technology profession are just as fickle as the fashionistas strutting around Milan or New York. While we aren't quite as locked to a seasonal schedule, we do have a tendency to fawn over the latest technology advances as if they were changing colors or hem lengths. Some are new, some are old, some are incredibly useful, and others are completely frivolous, but we can't deny their ability to enter and steer our collective consciousness -- at least until the next spring. Take cloud computing.
Continue reading "The Only Two Reliable Cloud Security Controls"
When professionals without security awareness plan a project, security is often left out. The result costs money in the long run. What can we do to make it better?
Continue reading "Security Design Goes With Secure Coding"
The soapbox is a place I hate to be, but sometimes a topic just rubs me raw enough that I climb up to try to get my point across. The topic of bots, botnets, and their impact on corporate data is one of those issues.
Continue reading "It's Time To Take Bot Infections Seriously"