Internet / Network Security

Tony's Network Security Blog

By Tony Bradley, CISSP-ISSAP, About.com Guide to Network Security since 2003

Apple Recommends Mac Users Install Antimalware

Tuesday December 2, 2008
Remember how the Mac OS is a fortress of security and impervious to all potential malware attacks? Well, not so much any more. Apple now officially recommends that Mac users protect their systems with antimalware protection of some sort. As noted in this CNet article though, it is not so much a matter of the operating system itself being vulnerable as it is a recognition of the reality that malware threats are trending toward being web-based and operating system agnostic.

I realize there will probably be a flurry of comments from Mac zealots letting me know that their operating system is still impervious, or at least that it is infinitely superior to the security offered by the Microsoft Windows operating system. Let me state preemptively- "don't shoot the messenger". It is the tribal elders from Cupertino who have issued the declaration. I am just relaying the news to increase awareness. If you wish to heed Apple's advice, check out the Mac Antivirus Software Reviews from About.com's Antivirus Software Guide, Mary Landesman.

High School Musical Attacks

Sunday November 30, 2008
I haven't verified this, but based on the media hype, the marketing, and the general buzz everywhere, I may be the last person on Earth who has not seen any of the High School Musical movies. Actually- I can vouch for my wife and kids as well. They have also managed to escape being assimilated into the HSM 'Borg' machinery.

For those less fortunate though...those of you who have seen all three movies (multiple times). Those of you who have the soundtracks, the Wii video game, the HSM dollhouse, and the HSM messenger bag- you may fall victim to a recent computer security threat.

According to a recent press release from Panda Security, their "malware analysis and detection laboratory, has reported that numerous downloadable songs and videos related to the hit movie “High School Musical” are being used by cyber-crooks to disguise malware (viruses, worms, Trojans, etc.). The infected files are distributed through popular peer-to-peer (P2P) file sharing networks such as eMule, eDonkey, etc. and when users search for files related to “High School Musical” using these programs, some of the results include files infected with malware."

To protect your computer system and your data, use caution when downloading files (especially files of questionable ethical or legal standards) from anywhere. Pay particular attention to being safe while using peer-to-peer (P2P) networking sites, and make sure you are using an updated antimalware program, such as Norton Internet Security 2009, to identify and block malware threats.

Holiday Shopping Computer Security

Sunday November 30, 2008
This past Friday was Black Friday- the biggest shopping day of the year and the official launch of the holiday shopping season. That means that tomorrow is Cyber Monday. The reason there is no Cyber Friday or Cyber Saturday is that people wait to do their 'cyber' shopping until they return to work on Monday. Expect productivity to be down and network bandwidth to be up as employees return to work and surf the web in search of tremendous holiday deals.

Assuming that online shopping is approved, or condoned, or at least accepted, the loss of some productivity may be OK. But, there are still potential security implications of online shopping. The following suggestions from security vendor GFI can help administrators to secure their networks during the holiday shopping season. Many of the tips can also be applied for home networks as well.

  • Educate users. Users need to know exactly what kinds of threats are out there. Uneducated computer users are often those who fall victim to viruses, spyware, and phishing attacks, all of which are designed to corrupt systems or leak personal information to a third party without the user's consent.
  • Monitor users’ activity 24 x 7. Utilize web monitoring tools to control employees' web browsing activities and to ensure that any files downloaded are free of viruses and other malware.
  • Implement security policies. Implement a clearly defined, and not complicated, security policy. Back it up with clear communication. Security policies also need to be updated regularly to take into account new threats, developments within the organization and changes in processes.
  • Limit access. In SMEs, it is not uncommon that there is a high level of trust between management and employees. Access to the Internet should be given only to those who need it, even if that person happens to be your cousin or the boss’s son.
  • Invest in technology. Security should not be considered an expense but a cost of doing business in an online age. Vulnerability management, event logging and proper archiving software are essential tools to combat security vulnerabilities and help administrators secure their network.
  • Update virus detection software. What is the use of having virus and spyware scanners if they're not updated? Up-to-date scanners ensure that the latest malicious software is detected immediately. Security holes exist in your operating system and no software is perfect. Once a vulnerability is found, it's usually exploited within a very short period of time.

Product Review: Norton Internet Security 2009

Thursday November 20, 2008
Symantec has long held a position as one of the major players in antivirus and PC security products. One complaint users have about computer security software, but particularly with Symantec, has been the size of the install and the way it bogs the system down. Often the trade-off of performance is not considered worth it to protect the computer and users simply disable or remove the protection.

Symantec has taken those issues to heart in creating Norton Internet Security 2009- it is smaller, and faster, and yet still offers all of the protection of its predecessors and then some. NIS 2009 includes a comprehensive suite of protection against a wide variety of computer threats, but is it worth the investment? Take a look at my review of Norton Internet Security 2009 to learn more about the product and my opinion of it.

Microsoft Ending Windows Live OneCare in Favor of Free AV

Thursday November 20, 2008
It wasn't all that long ago that Microsoft ventured into the world of PC security suites. When Windows Live OneCare was introduced, it changed the game and raised the bar for PC protection by taking a more holistic approach. OneCare didn't just provide security features like antivirus and personal firewall capabilities, it also included tools to optimize performance and back up data. In addition, the OneCare license included protection for up to three PCs, enabling most home users to protect all of the computers in their network with a single purchase. Software vendors like Symantec and McAfee who had long led the field for home PC security were forced to play catch up and work similar holistic capabilities into their PC protection suites.

Microsoft is set to shake up the consumer PC security market once again with the announcement that they intend to stop selling Windows Live OneCare, but instead begin offering a leaner, faster antimalware protection application without the bells and whistles of current security suites. Many users have long felt that it is Microsoft's obligation to provide free security since the majority of security issues are a function of flaws in their operating systems and applications. Essentially, charging for security is like Toyota manufacturing cars with flawed braking systems and forcing car owners to pay extra for seatbelts and airbags. The new Microsoft product, currently codenamed 'Morro', is set to be available for free download in the second half of 2009.

Critical Security Flaws in Firefox and Safari

Monday November 17, 2008
You read that right- it's not Internet Explorer (this time). Both Firefox and Safari have released Critical updates that fix a variety of security issues in the two browsers. The Firefox patch addresses nine security flaws in the popular open source browser. According to this Washington Post article, the Safari update addresses "several Safari plug-ins, including "Concierge" bookmarks manager, "PithHelmet" ad-blocking software, and "AcidSearch" search enhancement software" as well as security issues with Safari's new anti-phishing protection.

You can get the update for the Safari web browser here, or visit the Firefox site to get the latest update for your version. You can also get more details about the Firefox update from the About.com Guide for Web Browsers, Scott Orgera.

Online Shopping Potential Network Threat

Sunday November 16, 2008
Break out the mistletoe and the Bing Crosby / David Bowie duets- it's time for the holidays! What's that you say? Your house is still awash in orange and black, you haven't come down from your Halloween sugar-high, and you still have to throw out the rotting pumpkin on your front porch?

Well, you may have noticed that part of the annual holiday ritual over the past few years has been to start the season progressively earlier. So, Walmart and Best Buy already had Black Friday caliber deals last weekend with laptops for $300, Bacardi is already running their holiday ads of "drink lots of our rum...but enjoy the holidays responsibly" on TV, and some radio stations (like WNIC in Detroit) are already running a 24/7 Christmas music format through the end of the year. With the economy in a collapse and a government that can't make up their minds how best to utilize the $700 Billion blank check they were given to fix it, vendors and retailers are starting even earlier to try and grab their share of the limited holiday shopping pie.

Well, a survey of 3,100 IT professionals conducted by ISACA (Information Systems Auditing and Control Association) shows that a majority of users intend to do holiday shopping from work. 63% plan to shop from company computers on work time, and 40% of those say they will probably spend up to 5 hours doing so. That is a double financial hit to employers- they lose the productivity of the workers while they surf and shop, as well as the investment in hardware, software, and network resources being abused for purposes other than conducting company business. Of course, most companies have some sort of AUP (acceptable use policy) that defines how employees can use company resources, and many of those actually allow or condone some amount of personal activity. So, that part is not necessarily the end of the world.

The bigger threat to the employer comes from unsuspecting employees visiting unscrupulous sites and possibly exposing the network to malware, bots, or other threats. Many employees also use their company email accounts which could result in an increase in spam flooding the company email server, or even expose sensitive information. An article about this study from Dark Reading ends with this: "In a parallel survey of IT professionals, ISACA found that nearly half (46 percent) believe that their companies will lose an average of $3,000 or more in productivity per employee from online holiday shopping at work. More than half (55 percent) also reported that their company permits workers to shop online, but has no strategy for educating them about the risks."

Security Bulletins from Microsoft

Wednesday November 12, 2008
The holidays must be approaching, because I swear time is accelerating. Here we are and Patch Tuesday already arrived...again. Only one more Patch Tuesday and 2008 will be over (don't blink).

Only two patches from Microsoft for November. Well, sort of two and a half if you count MS08-067 which was released out of cycle. For November though, Microsoft has one Important Security Bulletin related to a vulnerability with the SMB protocol. SMB is a commonly used protocol for file and printer sharing on a network.

The other vulnerability this month is rated as Critical. This one addresses various flaws in the core functionality of XML in Windows. Experts say that some of the flaws addressed have been present for years. Left unpatched, an attacker could compromise a vulnerable system and execute malicious code remotely. Take a look at the summary of November 2008 Microsoft Security Bulletins and make sure you apply the appropriate patches to protect your PC and your network.

Put UAC to Sleep

Tuesday November 11, 2008
The User Account Control (UAC) feature of Windows Vista has been one of the least understood and most maligned components of the operating system since it was released. It is there to protect the operating system and to enforce the concept of least privileged access. Users should not run as Administrator unless they truly need to, and software should not rely on administrative privileges when they aren't really necessary to execute the given application. UAC helps to enforce that concept, and to let users know when they are crossing the line and might be doing things which could damage or compromise the operating system.

That said, many users are annoyed by the UAC pop-up windows, or even prefer convenience to tighter security. It is possible to turn off UAC, but highly discouraged. There is also a setting which basically leaves UAC on, but automatically elevates privileges without the consent prompts. A vendor has developed an application though which may help straddle the line for some users. UAC Snooze temporarily switches the state of UAC to automatically elevating privileges and allows the user to control or 'snooze' UAC at will by clicking on an icon in the System Tray. It is not free, but there is a 30-day free trial version, and the $5 price tag is pretty close to free for those who want more control over UAC.

Spike in Bank Phishing Due to Economic Crisis

Tuesday November 11, 2008
Remember when you got the phishing scam email claiming that your Wells Fargo account data needed to be updated, but you just deleted it because you don't even have an account with Wells Fargo? Or, how about when Bank of America contacted you to let you know that your account may have been compromised in a recent security breach, but you were too smart for that one as well because you don't do business with Bank of America? Well, the water is a little muddier now and the phishing attacks are seeking to exploit that.

You may not have heard, but recently there was somewhat of a financial catastrophe that struck the United States. Then Bank of America bought Merrill Lynch. Washington Mutual was snatched up by J.P. Morgan - Chase. Wells Fargo is taking over Wachovia. Banks are collapsing. Investment firms are folding. All of this can be confusing and difficult to keep track of, and offers attackers an opportunity to exploit that confusion. Now, when you get an email from Wells Fargo you have to stop and think "Did they buy the bank I use? Maybe I *am* a Wells Fargo customer now?"

For more about the threat, take a look at this Microsoft MSDN blog post. In addition, check out my article on protecting yourself from phishing scams.

©2008 About.com, a part of The New York Times Company.

All rights reserved.