Oliver guest blogs at SecurityFocus
| Fri, 14 Nov 2008 12:01:00 -0500

StopBadware.org staff security researcher Oliver Day has a guest blog post at SecurityFocus that explores the relationship between Microsoft’s anti-piracy measures and the number of vulnerable Windows machines around the world. His conclusion:

The simple answer is that the current WGA policies from Microsoft significantly extend the lifetimes of vulnerabilities, sometimes indefinitely.

Follow the link above to read his full, thoughtful post.


Apparent spam host taken offline
| Thu, 13 Nov 2008 09:53:00 -0500

McColo, a web hosting company, was taken offline by its network peer, Hosting Electric, after reports by Jart Armin of HostExploit and Brian Krebs of the Washington Post implicated McColo as a major host of spam.

As you can see, there has been a significant drop in spam reported to SpamCop since McColo was taken down. While likely temporary, it does indicate that the reports were accurate in their assessment.

Even as I applaud the efforts of journalists and security researchers to cut off spammers and malware purveyors at the source, I wonder about who else is negatively affected by these takedowns. Surely McColo and previously-taken-down Intercage had legitimate customers, owners of websites and/or domain names that they used for their personal blogs, their small businesses, their family photo albums, and so on. What happened to those users when their providers and their sites suddenly became unavailable? This doesn’t necessarily make it wrong to shut down the providers, as the disease (spam, malware, etc., affecting potentially millions of people) is almost certainly worse than the cure. But it does raise the question of whether we can find ways to hit the bad guys where it hurts, without also hurting innocent bystanders.

If you have thoughts on this, please let us know in the comments.



EstDomains no more
| Thu, 30 Oct 2008 10:28:00 -0400

Domain registrar EstDomains, which has been targeted by security researchers as being complicit in various malware, phishing, and illegal pharmaceutical schemes, has been deaccredited by ICANN, the organization that oversees Internet domain names.

According to a letter sent by ICANN to EstDomains President Vladimir Tsastsin, "this termination is based on your status as President of EstDomains and your credit card fraud, money laundering and document forgery conviction." The letter goes on to quote a section of ICANN’s Registrar Accreditation Agreement, which allows ICANN to deaccredit a registrar that retains as a corporate officer any individual convicted of fraud or other financial-related crimes.

This comes after reports released—and pressure applied to ICANN by—Jart Armin and KnujOn, among others.


Microsoft to release emergency Windows patch
| Thu, 23 Oct 2008 15:56:00 -0400

Microsoft will release an emergency security patch for Windows tonight. This is unusual, as Microsoft typically releases security patches only once per month on what has become known as "Patch Tuesday." The rushed release may indicate that the security hole puts users at greater than usual risk.

A little more information can be found here and here. If you are a Windows user and you do not use Automatic Updates (which you probably should), or if you are a Windows sysadmin, you may want to go out of your way tomorrow morning to download and install the new patch. Home and small office users can do so via Windows Update, which can be found in the Start menu and/or in the Tools menu of Internet Explorer.


October infected network stats
| Wed, 15 Oct 2008 16:51:00 -0400

In June we released a report (http://www.stopbadware.org/home/badwebs) with numbers from late May, showing the network blocks containing the largest numbers of badware sites reported by Google. We released updates in July (http://blogs.stopbadware.org/articles/2008/07/30/updated-infection-stats) and August (http://blog.stopbadware.org/2008/08/25/top-infected-network-blocks-for-mid-august). Here is another update from early October:

# of badware sites  AS block name
35147               CHINANET-BACKBONE No.31,Jin-rong Street
9504                CHINA169-BACKBONE CNCGROUP China169 Backbone
6222                CHINANET-SH-AP China Telecom (Group)
4671                BIZLAND-SD – Endurance International Group, Inc.
4654                CNCNET-CN China Netcom Corp.
3302                THEPLANET-AS – ThePlanet.com Internet Services, Inc.
2460                CRNET_BJ_IDC-CNNIC-AP China Tietong Telecommunication Corporation
1632                SOFTLAYER – SoftLayer Technologies Inc.
1597                PAH-INC – GoDaddy.com, Inc.

Note: A network block owner is not always the owner or operator of the infected servers on that block, and our publication of these data is intended to inform and educate, not to assign blame.

Compared to August, we see that Bizland/Endurance has dropped its number of infected sites by nearly 50%, though it still has several thousand, and Google and NetDirect are no longer on the list. GoDaddy is a newcomer to the list. I just got off the phone with the chief information security officer at GoDaddy, who let me know that they are using the list of infected URLs we provided them to notify customers, offer support in cleaning up the sites, identify the root cause of the infections, and develop proactive strategies for preventing and monitoring site compromises in the future.


FTC warns about bank merger phishing attacks
| Fri, 10 Oct 2008 08:32:00 -0400

The U.S. Federal Trade Commission (FTC) issued an alert this week about an uptick in phishing attacks preying on people whose banks have recently failed or been purchased:

Phishers (pronounced “fishers”) may send attention-getting emails that look like they’re coming from the financial institution that recently acquired your bank, savings and loan, or mortgage. Their intent is to collect or capture your personal information, like your credit card numbers, bank account information, Social Security number, passwords, or other sensitive information. Their messages may ask you to “update,” “validate,” or “confirm” your account information.

The alert contains a bit more information, along with a number of tips to help users avoid these attacks.


Asus bundles virus with new desktop PC
| Thu, 09 Oct 2008 11:06:00 -0400

Dancho Danchev at the Zero Day ZDNet blog reports that Asus has accidentally shipped new desktop PCs with malware on the hard drives:

Asus has confirmed and apologized to customers (press release in Japanese; translated version) for shipping malware on the recently introduced Eee Box desktop computer.

As Dancho notes, this is not the first time that a mass-market hardware product has been sold with malware pre-installed:

In addition to last month’s Asus fiasco when they accidentally shipped cracking tools and confidential documents on recovery DVDs, the company is among the increasing number of companies that have shipped malware on their products during the last couple of years – Apple (2006), TomTom (2007), Seagate (2007), and HP (2008).

Fortunately, these are still relatively small-volume, isolated incidents, not a mass threat. Web and e-mail are still much easier and more widespread attack vectors for malware distributors.


Top 8 Cyber Security Practices
| Mon, 06 Oct 2008 16:03:00 -0400

The National Cyber Security Alliance, which is coordinating the effort designating October as National Cyber Security Awareness Month, has a list of the "Top 8 Cyber Security Practices." This list, although not new to many in the StopBadware community, is a great resource for educating users about the key concepts for staying safe online.

Here’s the list:

  1. Protect your personal information. It’s valuable.
  2. Know who you’re dealing with online.
  3. Use anti-virus software, a firewall, and anti-spyware software to help keep your computer safe and secure.
  4. Be sure to set up your operating system and web browser software properly, and update them regularly.
  5. Use strong passwords or strong authentication technology to help protect your personal information.
  6. Back up important files.
  7. Learn what to do if something goes wrong.
  8. Protect your children online.



Upcoming StopBadware webinar for nonprofits
| Fri, 03 Oct 2008 13:40:00 -0400

Later this month, StopBadware will be giving a webinar on website & computer security for nonprofits, hosted by NTEN – the Nonprofit Technology Education Network. If you’re involved in technology for a nonprofit, and want to learn more about security, find out more about the webinar and register here.


Second call: Draft guidelines for public comment
| Wed, 01 Oct 2008 14:23:00 -0400

Periodically, we update our Badware Guidelines to reflect what we have learned from the community and from our work. We have recently put together a draft of our new guidelines for software, and we’d like your feedback. Please let us know what you think in the comments.

In addition to any observations, corrections, or suggestions you have, we’re interested in a couple specific questions:

  1. Do we adequately cover the issue of behavior that is/isn’t appropriate with automatic update features?
  2. Is the “deceptive behavior” section overly broad, or does it accurately capture an element of badware that we were missing?

Thanks for your input!