Coming from a modest background, the boy wanted to live lavishly with a fine haircut and brand-name clothes, and he found he could achieve that by committing fraud from names and credit card information purchased on international hacking forums.

“His knowledge of the codes and payment gateways is as good as that of a professional hacker,” said a senior crime branch official who has been interrogating this teenager picked up from Mulund in Mumbai, involved in an online payment scam on eBay. Three other persons who were arrested in Ahmedabad for their involvement in the scam are in police custody.

Now, when I was a kid, I learned that education was the road to making money. If I was a good student and got through college, I could get a good job, live comfortably, maybe achieve something good for the world. There’s a problem when college is seen as a “useless” alternative for this. Don’t get me wrong, I think it’s great if students take the initiative and learn how to teach themselves new skills — but not when it comes to using their knowledge for fraud and theft.

The center will have the capacity to handle 10,000 computers a year, and the machines that are salvageable will be resold for the local equivalent of $175, about a third of the cost of new computers there. When a computer is deemed past the point of rescue, the centers are capable of recycling the components. RAM chips will be reused, metal and other valuable components recycled, and toxic substances handled safely.

Neat, this sounds like a good alternative and supplement to programs like the OLPC. There is a lot of toxic waste out there, but a lot of computers that we get rid of because they’re no longer good enough for our datacenters can still be useful to others, especially in the third world.

• Application/Service layer -39%
• OS/Platform layer - 23%
• Exploit known vulnerability -18%
• Exploit unknown vulnerability - 5%
• Use of back door -15%

That is over half - 62% of hacks — targeting the OS and App layers. Breaches have been moving up the OSI stack in recent years.

Here are some details about what’s collected and the implications:

Each site has come up with its own policies on the data that developers are allowed to see. MySpace, the largest social network, with 110 million members, said developers can see users’ public details — name, profile picture and friend lists — when they download a program. When a user installs one on Facebook, which has 70 million members, the developer can see everything in a profile except contact information, as well as friends’ profiles. Members can limit what is seen by changing privacy controls, and both companies say developers are allowed to keep those data for only 24 hours.

Developers can collect other data from members once they’ve download the applications.

Ben Ling, director of Facebook’s platform, said that developers are not allowed to share data with advertisers but that they can use it to tailor features to users. Facebook now removes applications that abuse user data by, for example, forcing members to invite all of their friends before they can use it.

Read the entire article at Washington Post.

Tests by heise Security show that four of the six services tested were vulnerable to attack.

While all of the tested systems encrypt communication with the backup server using SSL, external attackers can sniff the access code as plain text by acting as a man-in-the-middle (MITM) if the locally installed backup software does not perform sufficiently rigorous checks on the authenticity of the server’s certificates. In the vulnerable systems, we were able to hijack the connection from the client software to the backup servers.

Four of six may not be a large test sample, but it does raise concerns about trust between customers and their service providers. If you’re providing or purchasing this kind of service, you might want to look into it closely to make sure your data is secure.

The Safari bug, originally disclosed on May 15 by security researcher Nitesh Dhanjani, allows attackers to litter a victim’s desktop with executable files, an attack known as “carpet bombing.”

Two weeks later, security researcher Aviv Raff said that if this flaw is exploited in combination with bugs in Windows and Internet Explorer, attackers can run unauthorized software on a victim’s computer.

Windows XP and Vista users might want to rely on Firefox for a while, and read here for the full advisory.

Nearly 40% of U.S. information technology workers would accept a reduced salary to have the ability to telecommute, a Dice Holding survey revealed Tuesday.

In a poll of more than 1,500 IT workers, 37% of respondents said they would be willing to take “slightly less” pay to telecommute full time. The survey defined “slightly less” as up to a 10% reduction in salary.

The article does mention that workers can save some costs at the gas pump — but there are a lot more savings from telecommuting too. Workers who commute have to pay not just for gas or bus fees, but also for parking, the cost of lunch from eating out often, and the time they spend in the commute. In the end, the amount that workers might save by telecommuting might make up for the potential pay cut.

Of course, there are other costs to working remotely — getting a good business phone line and Internet connection, setting up a home office that you can stand to sit in all day and the costs of coffee for renting a table at your local coffee shop. But those are certainly worthwhile for the convenience and flexibility of working remotely.

• An increase in the number of NDR (Non Delivery Report) bounce messages sent in response to spam with forged headers.
• Google AdWords phishing samples emerged
• Spear phishing attack stating it’s from the US District Court, installs a keylogger
• A scam email supposedly from the IRS sends users to a vampire game
• Spammers are offering a supposed chance to become a movie extra, and collecting mailing addresses
• New forms of Instant Message scams

Also, spam is broken down by category with the following percentages:

• Products 23%
• Financial 17%
• Internet 16%
• Scams 12%
• Leisure 10%
• Health 9%
• Fraud 7%
• Adult 6%

That’s interesting, I would have expected a different breakdown.

The update patches eight vulnerabilities in the open-source Apache Web server and seven vulnerabilities in Adobe’s Flash Player plug-in. While the Apache flaws amount to, at most, cross-site scripting attacks, the Flash Player flaws could allow a malicious Flash file (SWF) to execute on the victim’s system, Apple stated in its security advisory.

The company also fixed five vulnerabilities in its ImageIO component that could allow denial-of-service attacks, information leakage, and in one case, possible code execution. The update also patches two flaws in the kernel that allow both local and remote users the ability to shutdown the system. A flaw in the way that the Mac’s Mail program handles the Internet’s next-generation addressing scheme, IP version 6, could allow remote code execution, Apple stated.

Attackers insert SCRIPT and IFRAME tags into the content of trusted, legitimate web sites via a known SQL injection attack. Those tags redirect the user to the attacker’s server which hosts the Flash exploit. Tens of thousands of web sites are vulnerable to the SQL injection attack, meaning the distribution potential is high.

The vulnerability is not “zero-day”; however, these are the first known public exploits targeting it. The SecureWorks Counter Threat Unit (CTU) has analyzed 18 variants of the exploit, and all attempt to leverage the integer overflow vulnerability originally discovered by Mark Dowd (CVE-2007-0071), which was patched by Adobe with release of version 9.0.124.0 of the Flash Player. While some have reported that the latest version is vulnerable, the CTU was unable to duplicate these results with samples taken from known exploit sites. The only confirmed vulnerable version is (pre-patch) 9.0.115.0.