McAfee's recent report on malware has staggering numbers that are simply hard to believe, yet because I've been battling daily the very bots, Trojans, and scareware they researchers are talking about, I can't help but agree.

I believe that anyone who uses the Internet on a regular basis has to know that most e-mail messages are spam, and possibly part of a fraud scheme. I also realize that some people are more aware than others, and that some criminals are clever. But the current spread of an email message that claims to be from the IRS accusing a person of fraud demonstrates that naivete that runs deep on the Internet.

Netherlands ISPs last month launched a joint effort to fight malware-infected computers and botnets -- fondly described by locals as a "treaty."

The upcoming stable release of Metasploit Framework version 3.3 is brimming with awesome new features that will make a lot of penetration testers happy. New features include the ability to take screenshots of exploited systems, while others add raw power, like being able to exploit the unpatched SMBv2 vulnerability in Windows Vista and Server 2008.

As I'm finishing another successful Web application penetration test, I'm kicking myself for not noticing a new release of one of my all-time favorite Web hacking tools, the Browser Exploitation Framework (BeEF). BeEFis a fantastic tool for getting across to developers and Web admins the seriousness of vulnerabilities like cross-site scripting (XSS).

I stopped using my debit card altogether a couple of years ago out of an intense fear that I would never recoup the losses if my card were skimmed in the grocery-store line or compromised at TJ Maxx. Now I casually slide my checkbook onto the card reader stand and perform that rare act of putting pen to paper while trying to avoid the annoyed stares of shoppers behind me in line who may lose a few seconds off of their shopping time because I didn't use plastic.

Defense in depth is not a new idea in security, but the importance of taking a layered approach is more important than ever. The current rise in infections by bots and scareware, along with recent reports on anti-malware endpoint protection, demonstrate how we need to be doing more at every layer.

The recent New York Times malvertisement attack helped bring mainstream media attention to the problem of popular, legitimate Websites being compromised and used as the source of Web-based malware attacks. What would probably shock those same people is how often Websites are attacked.

There's a little trick -- or basic security measure -- you can use to help protect your WordPress blog and other Web applications against the never-ending bombardment of new vulnerabilities and exploits.

A new report from the SANS Institute sheds light on some important attack trends that security professionals need to take action on immediately.

The New York Times Website became the victim of a malicious Internet-based advertisement over the weekend. Users of certain sections of NYTimes.com encountered notifications that they were infected with malware and needed to install the antivirus software linked from the notification. And if you've dealt with a user, friend, or family member who's fallen for this sort of ruse, then you know the AV software is really just malware posing as AV.

Scareware attacks, in which hackers try to frighten innocent users into believing that their computers areinfected with viruses, are on the rise, and the cybercriminals behind them are exploiting hot news stories like never before.

A client recently asked us to gain access to its facility and attend a meeting of the board and executive management. Here at Secure Network we've been asked to gain access to numerous networks via social engineering techniques, but this job seemed rather unachievable at first. Turns out it was easier than we expected.

I've always had a predilection toward incident response and forensics. For some reason, I just like digging through a compromised system, network flow data, and unknown binaries to figure out what happened -- it gives me a rush.

A majority of systems around the world use Internet blacklists as lists of IP addresses that are most likely compromised -- by bots -- and used by these systems to block or otherwise filter email. However, these lists can sometimes be used beyond the blacklist's design intent for increased security, but only after careful consideration.

Many security professionals who think they know anything about penetration testing also think they know enough to perform social engineering. After all, they are successful time and time again, so they think they know what they are doing. However, what follows is a textbook example of how a little knowledge in the wrong hands can be very dangerous.

I think most people would agree that Windows Millennium Edition (ME) was the bastard child Microsoft wanted to turn its back on. After yesterday's Patch Tuesday, I'm starting to think Windows XP and Windows 2000 have joined the ME ranks.

I have met many people online during the past two decades, and I have many stories to tell. The latest is about a girl who decided I was her future husband.

It's not easy being Kevin Mitnick: The reformed black hat hacker may sue AT&T after it kicked him off its wireless network, and his Web hosting provider dropped him after his Website suffered a nasty hack last month. Seems he has become too big a target for some network and hosting providers.

If you upgraded your Mac to run Snow Leopard, then you would be wise to double-check that it's still protected against security vulnerabilities.

I was talking with someone about incident handling, and one of the points that came up was whether some standard sort of incident response questionnaire existed.

Vulnerability assessment is a relatively older technology in the information security professional's arsenal -- so does it still make sense to use it as you plan your security strategy for the coming year?

Imagine a world in which you can do all manner of smooth, rich, user-friendly online commerce with mighty security. You can have complete faith in the validity of customers' login credentials and payment data (thereby reducing fraud costs, for starters). You can protect users' privacy...and never need to worry about securely storing -- or even seeing -- customers' credit card data or other legally protected personally identifiable information. Wait 12 to 18 months, and you might just have that.