An internet security paradox

Posted by Erica George Mon, 31 Mar 2008 17:22:47 GMT

This morning, StopBadware released the results of a recent poll we commissioned through Zogby on internet users’ attitudes about their safety online.

From our release:

... 88 percent of Internet users feel safe when using personal computers to access the Internet. Furthermore, 84 percent agree that they have the information and tools needed to make good decisions to protect their privacy and security online.

This confidence in online safety is unfortunately not borne out by other research, such as a recent study by McAfee and the National Cyber Security Alliance that found that just 24 percent of Americans are adequately protected by firewalls and updated anti-virus and anti-spyware software.

StopBadware manager Maxim Weinstein calls the results an “internet security paradox.” Weinstein will be testifying about this and related issues tomorrow, at a Federal Trade Commission hearing on consumer education about internet threats.


Dark World of Badware attacks Creator of Dark Worlds of Gaming

Posted by Jason Callina Fri, 28 Mar 2008 20:19:04 GMT

American McGee, noted video gaming renaissance man, recently had a run-in with badware. (details here)

Like many people who are flagged by Google about badware, McGee blogged, “My initial (useless) response to this knowledge was indignation. ‘How could my site be infected?’” StopBadware.org sympathizes completely. Badware on your website is often a little like getting mugged: you really didn’t deserve it, and you really didn’t do anything to cause it. Unfortunately, it is there and you need to deal with it, which is exactly what American did. “Next I requested ‘review’ from StopBadWare – and received a note informing me of certain evil residing on ‘/page/2’ of my blog.” Evil was found in the form of some iframes that could have automatically infected visitors with badware without their knowledge.

McGee removed the pox from his website and soon the Google flag disappeared and his site was removed from our clearinghouse. Case solved, good triumphs over evil and the internet is a better place for it.

I wish American the best and look forward to his excellent blogging and more of his beautifully dark vision of the world.


Mac hacked via web

Posted by Maxim Weinstein Fri, 28 Mar 2008 14:14:46 GMT

According to the Mac Observer, a MacBook Air was compromised via what sounds like a drive-by download style attack in a hacking competition:

On the first day of the event, contestants unsuccessfully attempted to remotely hack into the Mac, a Windows PC, and a Linux PC. On the second day, however, Mr. Miller was able to gain control over the MacBook Air in only two minutes by directing a contest organizer to visit a specially crafted Web site with the laptop.

Although the exploit code is not “in the wild” as the security industry likes to say, this still sends the message that the Mac is not immune to such attacks, even if Windows is the more commonly-exploited platform.


What is a "targeted attack?"

Posted by Maxim Weinstein Thu, 27 Mar 2008 20:29:40 GMT

Craig Schmugar over at McAfee has an interesting blog post today discussing what constitutes a “targeted attack” in the realm of cybersecurity.

So what does the word targeted in targeted attack really mean? One could argue that anyone hit with an attack that was sent to him or her specifically (as in: the email message containing the virus was sent to your address) was a victim of a targeted attack, but that definition is way too broad, as the vast majority of all attacks would then be considered targeted. I pondered the definition of targeted attacks for a bit, trying to think of a simple yet concrete definition. I landed on the work [sic] discrimination. For me the key aspect of any targeted attack is that it must discriminate, otherwise the attack is either random, or one of opportunity.

I agree, and it’s an important distinction. With plenty of money to be made and mischief to be caused without specific targeting, the effort of a targeted attack may indicate another agenda for the attacker. Schmugar lists a few:

  • To keep a low profile for the malicious code (an effort to evade/delay malcode detection by flying under the radar)
  • To keep a low profile for the entity behind the attack (an effort to evade prosecution)
  • To minimize “casualties of war” (most attackers don’t really care if innocent bystanders get infected, but some small segment likely does).

Here are a few more that he didn’t mention:

  • To capture specific data or to disrupt the work or life of a specific person or process
  • To cause fear or provoke a reaction from a specific individual or group
  • To make a political statement

Last week, I mentioned attacks that appear to be targeted (by Schmugar’s definition) at supporters of Tibet. That might be just a crime of opportunity (i.e., “If I send infected documents about Tibet to pro-Tibet activists, they’re likely to open them”), but it’s also possible that these attacks are politically motivated to disrupt the work of these groups.


Alert: XP Antivirus 2008

Posted by Maxim Weinstein Thu, 27 Mar 2008 15:21:48 GMT

Today we are releasing a badware alert about XP Antivirus 2008. Here’s the summary from the alert:

We find that XP Antivirus 2008 (Unregistered Version) is badware because it makes deceptive claims of system vulnerabilities in order to induce users to purchase the full version of the software, because it interferes with normal computer use by automatically running a background process which repeatedly prompts the user to take a previously declined action, and because the software cannot be uninstalled using the Windows Add/Remove Programs tool, or without downloading an additional uninstaller.

In trying to contact the producer, Innovagest 2000, we noted that the support address for XP Antivirus 2008, support@xpantivirus.com, bounced as “user unknown.” (We did find another address for the company, support@innovagest2000.com, that worked, but we did not receive a response.)
