Online transactions with credit cards or debit cards are increasingly verified using the 3D Secure system, which is branded as “Verified by VISA” and “MasterCard SecureCode”. This is now the most widely-used single sign-on scheme ever, with over 200 million cardholders registered. It’s getting hard to shop online without being forced to use it. From the engineering point of view, it does just about everything wrong, and it’s becoming a fat target for phishing. So why did it succeed in the marketplace? Quite simply, it has strong incentives for adoption. Merchants who use it push liability for fraud back to banks, who in turn push it on to cardholders.

Microsoft has issued Security Advisory (980088) to address a publicly disclosed vulnerability in Internet Explorer that may allow information disclosure for Windows XP users or for users who have disabled Internet Explorer Protected Mode. The advisory explains that content can be forced to render incorrectly from local files in such a way that information can be exposed to malicious websites Users running a version of Internet Explorer that does not have Protected Mode, or users who have decided to disable Protected Mode, are exposed to an attacker who can access files with an already known filename and location. Versions affected include Internet Explorer 5.01 and IE6 SP1 on Windows 2000 SP4, as well as IE6, IE7, and IE8 on supported editions of Windows XP and Windows Server 2003. Microsoft made sure to note that Protected Mode prevents exploitation of this vulnerability and is running by default for IE7 and IE8 on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

Microsoft outlined three workarounds in the security advisory.
The first is to modify Internet Explorer’s settings: set the Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones. The second suggests configuring Internet Explorer to prompt before running Active Scripting or disabling Active Scripting completely in the Internet and local intranet security zone.
The third one is to enable Internet Explorer Network Protocol Lockdown for Windows XP. It requires editing the Windows registry, but thankfully Microsoft has created a “Fix it for me” for this workaround, available at KB 980088. Just click the “Fix this problem” link and you’re good to go. The Fix It automates Network Protocol Lockdown and can be run on individual systems and deployed by enterprises through their automated systems.

Apple has just patched 5 vulnerabilities related to the iphone password
http://www.infoworld.com/d/mac/apple-patches-critical-flaws-in-iphone-ipod-touch-800

Well-funded U.S. lobbyists or a foreign intelligence agency may have been behind the theft of climate e-mails from the University of East Anglia last year, the former chief scientific adviser to the British government said Monday. David King was quoted in The Independent newspaper as saying the theft of more than 1,000 e-mails and other documents from a server at the university’s climate research center last year seemed too professional to be the result of a lone hacker.

“I know there’s a possibility they had a good hacker working for these people, but it was an extraordinarily sophisticated operation,” King told the paper. “There are several bodies of people who could do this sort of work. There are national intelligence agencies and it seems to me that it was such a group of people.”

Twitter passwords were reset after the discovery that phishers sold fake BitTorrent sites with backdoor access. Since many users employ the same logins for multiple web sites, patient phishers harvested usernames and passwords that could work on Twitter. All the fake sites may not be found, but Twitter advised users to change passwords. Twitter foiled the plan as part of its ongoing monitoring for odd activity. Twitter noticed a sudden surge in followers for a couple of accounts in the last five days. When Twitter technicians started digging, they discovered a plot that compelled immediate action. This patient cybercriminal pushed out the torrents, waited for the forums and sites to get popular, and then used those exploits to get access to the username, e-mail address, and password of every person who signed up.

The problem is that too many people use the same password for multiple web sites,” Cluley said. “You should not only choose non-dictionary, hard-to-crack, passwords to secure your web accounts, but you should also choose different passwords for different sites.”

Hackers can crack nearly any dictionary-based password. If you want a secure password to ensure your data security, try dreaming up a long sentence and using the first letters of each word. Studies show that dictionary words or letter combinations are susceptible to “brute-force” hacking attacks, where patient hackers try out password after password