Security:
Your personal data just got permanently cached at the US border

Nasty JavaScript code can zap new iPhone, iPod Touch

Hacked embassy websites found pushing malware

Earlier this week, the website of the Netherlands Embassy in Russia was caught serving a script that tried to dupe visitors into installing software that made their machines part of a botnet, according to Ofer Elzam, director of product management for eSafe, a business unit of Aladdin that blocks malicious web content on its customers' networks. In November the website of the Ministry of Foreign Affairs of Georgia and that of the Ukrainian Embassy in Lithuania were found launching similar attacks, he says.

Macrovision update plugs zero-day DRM exploit
The Macrovision update comes 20 days after the security vulnerability was discussed in non-specific terms on Symantec's Security Response Weblog. The flaw, though Symantec wasn't specific on this, is a privilege-escalation bug in Macrovision's secdrv.sys driver, which ships with Windows XP and Windows Server 2003 (though not Windows Vista).

NJ hospital suspends 27 over Clooney record snoop

Online casinos hit by bot armies

Botnets are fulfilling law enforcement fears that online casinos could prove fertile ground for money laundering, according to a recent, little-noticed report by risk compliance firm Fortent. Some are engaging in variations of an old casino scam, in which bots programmed to lose transfer dirty money - obtained through stolen credit cards, illicit drug sales or whatnot - to a chosen winner. Others flood a room and conspire to defraud a legitimate player by exploiting the mathematical advantage of knowing more of the cards. Another scam involves spamming a known player in the hope of stealing password and account information, then bleeding the account dry through the fraudulent games described above. Fulltiltpoker.com was apparently hit by a botnet attack recently and refunded money to the defrauded customers. A USA Today tally last month estimated that $2.5m to $3.5m per year is laundered this way. "We are definitely seeing activity by bot-herders in online casino games, which is something we hadn't seen before," Symantec security analyst Zulfikar Ramzan noted. We've generally been skeptical of allegations that the online casino industry would make a good platform for widespread money laundering, primarily because of the ready-made audit trail the transactions leave. The use of botnets is more problematic, however: until recently botmasters had not been targeted by the FBI, and the computers involved belong to innocent third parties.
Money laundering can in theory be accomplished through many types of transaction - for example, by selling phony merchandise on eBay and transferring the money without delivering anything at all. It's therefore questionable just how much more susceptible cybercasinos are to money laundering than other online businesses. Risk compliance companies like Fortent or Accuity Solutions have products to push, after all. However, the fact that US authorities have driven much of the online gambling and payment processing activity underground raises serious concerns about just how secure some of these sites are. Not that gamblers are a risk-averse group, of course. ®

Burke Hansen, attorney at large, heads a San Francisco law office

F1 secrets left on the web

Highly sensitive documents disclosing secret information about the technical strategies adopted by rival Formula One (F1) teams were exposed for all to see on the internet.

Facebook to show profiles to search engines

World of Warcraft exploit PKs servers

Players of World of Warcraft discovered an exploit that crashes the game's servers late on Sunday, causing massive outages throughout the night. The bug reportedly crashes the game's main world as well as all instances associated with the server, including its dungeons and battlegrounds. Officially, Blizzard - the company behind WoW - has kept fairly quiet about the exploit. From the WoW forum: "We're aware of stability issues affecting select realms and are investigating. We'll provide an update to the situation as soon as additional information becomes available." Blizzard spokesman Shon Damron gave us a little more detail: "Last night several realms did experience technical issues in regard to an exploit. This exploit was hot fixed within a couple of hours after it was discovered and the problem no longer exists."
Damron wouldn't specify what caused the bug, but we have since heard it may involve a problem with the user logging mechanism in the game's arena mode. We won't go into more detail because the internet already suffers enough entropy, thank you very much. It's unknown whether Blizzard can track down those who took advantage of the exploit, but Damron suggested the company will investigate and might hand out punishments including suspensions and permanent bans if necessary. While gamers have certainly attempted to exploit the massively popular game before, this appears to be the first time users could maliciously shut down the servers using an exploit. Such flaws carry a serious risk of frustrating users to the point of leaving the protection of their houses and burning their skin in the harmful rays of the sun. ®

'I Go Chop Your Dollar' star arrested

Yahoo! fixes bug that gave free rein to user accounts

Gozi hybrid Trojan menaces the net

VXers have developed a strain of malware capable of logging keystrokes as well as snooping on data sent over SSL-encrypted connections from compromised PCs. The hybrid variant of the Gozi Trojan was discovered by Don Jackson, a researcher at SecureWorks who found the original Gozi malware earlier this year. In its original form, Gozi spread using Internet Explorer exploits and used advanced Winsock2 functionality to snoop on traffic.

Malware targets OpenOffice users
The OpenOffice/StarBasic macro worm, dubbed BadBunny, is a proof-of-concept worm that has not been seen outside the lab. Most anti-virus firms describe it as a low-risk threat.

MySpace stands firm on paedophile data pressure

MySpace has refused to act on demands from eight US states that it hand over user data which they say will help catch predatory paedophiles. Citing federal privacy laws, MySpace said the attorneys general who made the demand had not followed proper legal process. Security chief Hemanshu Nigam told AP: "We're truly disheartened that the attorneys general chose to send out a letter...when there was an existing legal process that could have been followed." In the letter on Monday, North Carolina, Connecticut, Georgia, Idaho, Mississippi, New Hampshire, Ohio, and Pennsylvania asked MySpace to provide information about registered sex offenders who use the site. MySpace's legal department said a letter won't cut it: under the Electronic Communications Privacy Act the attorneys general need to produce subpoenas, court orders, or search warrants if they want the data. Nigam said a recent trawl meant MySpace had "removed every registered sex offender that we identified out of our more than 175 million profiles". In December, it hired Sentinel Tech Holding to track its sex offender users, after a run of bad press over incidents involving the site. "Everybody needs to get together and delete online predators," Nigam said. "The attorneys general's concerns and our concerns are exactly the same." ®

TSA: We're not saying our hard drive is gone but...

The universe has an odd tendency to absorb certain objects into the oblivion of non-existence. Television remotes, single socks, car keys, lighters, external hard drives containing 100,000 employee records, pen caps; they all come and go like tiny dimensional travellers.
MS quietly releases Win 2003 SP2

Microsoft has released a major update to Windows Server 2003 to make the enterprise software package more stable and easier to manage. The low-key debut of Win 2003 SP2 on Monday, which took some sysadmins by surprise, contrasts with the high-profile launch of Win XP SP2 in August 2004. So stealthy was the release that it has yet to be noted on Microsoft's product update blog.

Apple megapatch fixes multiple flaws

AXA grabs ink with business crime league table

Insurance company Axa yesterday released an intriguing survey of business claims by region, which has been widely reported. According to the survey, the UK's arson capital is Glasgow, accounting for nearly 11 per cent of all small and medium enterprise (SME) arson claims, while Edinburgh reportedly leads the nation in malicious damage.

EU data retention laws 'too costly' for telcos

EU laws that will require service providers to retain communications data for possible criminal investigations will place a huge burden on carriers, market watchers warn.

Cisco aims to plug channel knowledge gap on VoIP

Cisco says it has doubled its European channel partners in the last year to more than 2,300. It announced plans to improve the training it offers resellers, adding that many lack VoIP expertise.

The box that broke Enigma code is rebuilt

Enthusiasts have succeeded in rebuilding a wartime code-cracking device, the culmination of a 10-year project. The replica Turing Bombe, a recreation of the electromechanical machine used by British codebreakers to help decipher German Enigma traffic during World War Two, was unveiled on Wednesday at Bletchley Park, the centre of British code-breaking efforts during the war. Bombes automated the process of finding the Enigma settings in use. An Enigma machine carried three rotors, each with 26 possible positions, giving 17,576 possible rotor starting positions for a message.
The Bombe tried every possible rotor position and applied a logical test to weed out all but a much smaller number of candidate settings, which were then checked by hand. The whole process relied on a short section of ciphertext for which cryptographers had guessed the corresponding plaintext (a "crib"), from which the settings used to produce a much longer message could be inferred. The Bombe was the brainchild of mathematicians Alan Turing and Gordon Welchman, combined with the engineering efforts of the British Tabulating Machine Company in Hertfordshire. Its design was based in part on earlier Polish code-breaking devices. The machines enabled Bletchley Park's cryptographers to decode over 3,000 enemy messages a day, giving the Allies a vital edge in military intelligence that helped turn the course of World War Two. Without this information the Battle of Britain and the Battle of the North Atlantic could have been lost. Turing's work helped pave the way for the later development of mainstream computer technology. It was only in the 1970s that the veil of secrecy surrounding the devices was lifted. The Bombes used 108 electromechanical spinning drums to test combinations of letters and reveal the likely settings of the Enigma machine used for a particular message. By the end of the war, boffins at Bletchley had built 200 Bombes. Churchill ordered the devices to be taken apart after the war. Simply acquiring blueprints for the devices took two years, according to retired computer engineer John Harper, 69, the leader of the restoration project. "We were fortunate in having copies of most of the blueprints of the individual parts returned to Bletchley Park by the GCHQ [Britain's signals intelligence agency]," Harper told Reuters. "But there were no assembly drawings...and the blueprints covered more than one model, so it was a bit of a paperchase to work out which drawings applied to which model."
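The crib-driven search described above, reduced to code, as an added example that is not part of the original story and not the Bletchley team's or the restoration project's work. It models a toy rotor machine with the same shape as Enigma (three rotors over a 26-letter alphabet, a reflector, odometer stepping) and then does what a Bombe did: try all 17,576 rotor start positions against a guessed crib and keep the few that are consistent. The rotor wirings, the reflector pairing, the simplified stepping rule, the key and the test message are all constructed for this example; only the 26^3 search space and the no-letter-encrypts-to-itself property carry over from the real machine.

```python
"""Crib-based key search against a toy rotor machine, in the spirit of the
Bombe's exhaustive test of rotor positions. Wirings are constructed, not
the historical Enigma rotors."""
import itertools
import random
import string

ALPHA = string.ascii_uppercase
N = len(ALPHA)
INDEX = {ch: i for i, ch in enumerate(ALPHA)}


def _build_machine(seed=2006):
    """Three random rotor permutations and a reflector that pairs the alphabet
    into 13 swaps (so it has no fixed points). Constructed for this example."""
    rng = random.Random(seed)
    rotors = []
    for _ in range(3):
        perm = list(range(N))
        rng.shuffle(perm)
        rotors.append(perm)
    letters = list(range(N))
    rng.shuffle(letters)
    reflector = [0] * N
    for a, b in zip(letters[0::2], letters[1::2]):
        reflector[a], reflector[b] = b, a
    return rotors, reflector


ROTORS, REFLECTOR = _build_machine()
INVERSES = [[perm.index(i) for i in range(N)] for perm in ROTORS]


def _pass(perm, c, offset):
    """Send contact c through a rotor that has been turned `offset` steps."""
    return (perm[(c + offset) % N] - offset) % N


def encrypt(text, start):
    """Encrypt (or decrypt: the reflector makes the machine self-inverse) with
    rotor start positions (left, middle, right), each 0..25.

    Stepping is a plain odometer: the right rotor advances before every letter,
    the middle when the right wraps, the left when the middle wraps. Real
    Enigma notch positions and double-stepping are deliberately ignored."""
    left, mid, right = start
    out = []
    for ch in text.upper():
        right = (right + 1) % N
        if right == 0:
            mid = (mid + 1) % N
            if mid == 0:
                left = (left + 1) % N
        c = INDEX[ch]
        c = _pass(ROTORS[2], c, right)      # signal enters at the right rotor
        c = _pass(ROTORS[1], c, mid)
        c = _pass(ROTORS[0], c, left)
        c = REFLECTOR[c]                    # bounce back through the stack
        c = _pass(INVERSES[0], c, left)
        c = _pass(INVERSES[1], c, mid)
        c = _pass(INVERSES[2], c, right)
        out.append(ALPHA[c])
    return "".join(out)


def crib_offsets(ciphertext, crib):
    """Offsets at which the crib could sit. Because the signal returns through
    the reflector, no letter ever encrypts to itself, so any alignment where a
    crib letter sits under the same ciphertext letter is impossible. Bletchley
    used exactly this to place cribs before running the Bombe."""
    return [i for i in range(len(ciphertext) - len(crib) + 1)
            if all(p != c for p, c in zip(crib, ciphertext[i:i + len(crib)]))]


def crib_search(ciphertext, crib, offset=0):
    """Try all 26**3 == 17,576 start positions and keep those that turn the
    ciphertext under the crib back into the crib. The survivors are the
    'stops' an operator would then check by hand (here: full decryption)."""
    window = ciphertext[:offset + len(crib)]
    return [start for start in itertools.product(range(N), repeat=3)
            if encrypt(window, start)[offset:] == crib]


# Constructed test message and key. WETTERVORHERSAGE ("weather forecast")
# was a genuine crib used at Bletchley Park.
KEY = (3, 17, 22)
PLAINTEXT = "WETTERVORHERSAGEFUERDIENORDSEE"
CRIB = "WETTERVORHERSAGE"
CIPHERTEXT = encrypt(PLAINTEXT, KEY)


def recover_key():
    """Run the attack end to end: search on the crib, decrypt each stop."""
    stops = crib_search(CIPHERTEXT, CRIB, offset=0)
    return [(s, encrypt(CIPHERTEXT, s)) for s in stops]


if __name__ == "__main__":
    print("ciphertext:", CIPHERTEXT)
    print("possible crib offsets:", crib_offsets(CIPHERTEXT, CRIB))
    for start, plain in recover_key():
        print(start, plain)
```

With a 16-letter crib the exhaustive pass over 17,576 positions takes about a second in Python and normally leaves a single stop, the true key; a real Bombe ran the same elimination in minutes against rotor choice and plugboard as well, which this toy leaves out.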
More than 60 volunteers worked on the restoration project, which was backed by the British Computer Society. Wednesday's media event marked the first time in 60 years that it has been possible to re-create, on functioning World War Two-style equipment, how the supposedly unbreakable Enigma code was cracked. The commissioning phase of the recreated Bombe will be opened to the public on the weekend of 23 and 24 September 2006, an event that will also mark the reunion of Bletchley Park's World War Two veterans. Special demonstrations by re-enactors in period dress will also take place. ®

Schools can fingerprint children without parental consent

Parents cannot prevent schools from taking their children's fingerprints, according to the Department for Education and Skills and the Information Commissioner.

Red alert over London on credit card fraud map

London is the UK capital of credit card fraud, according to a study by online fraud prevention firm Early Warning. Early Warning's latest figures for Cardholder Not Present (CNP) fraud show that Greater London clocked up the largest number of fraudulent transactions in the past year, followed by Manchester and Kilmarnock. Early Warning has produced a map (PDF) identifying the postcode areas from which the fraudsters operate, put together by tracking the delivery addresses for fraudulently obtained goods - typically accommodation addresses and "dead letter boxes". It reckons the technique is the only reliable method of mapping credit card fraud. The areas with the biggest fraud problems are the Central London postcodes, together with Romford and Ilford in Essex, and Twickenham in Middlesex. Outside the capital, cities and towns where CNP fraud is on the increase include Bournemouth, Northampton, Portsmouth, and Stockport. Nationwide, CNP fraud cost £183.2m last year, according to figures from banking organisation APACS. Early Warning's statistics say CNP fraud has risen by 38 per cent in the past 12 months.
Using Early Warning's CardAware fraud detection system, retailers and other online traders can check card orders against a database of known frauds. The firm has added a postcode-based risk assessment tool. It reports that the geographical spread of CNP fraud changes rapidly. "Some postcode areas both inside and outside the Capital that last year recorded only negligible numbers of frauds are now reporting 'low' or 'medium' numbers," said Andrew Goodwill, managing director of Early Warning. "No single area of the UK is untouched by this problem." The introduction of Chip and PIN on UK credit and debit cards, replacing signatures as the means of validating purchases, has pushed fraud onto the internet, Goodwill added. ®

Zombies crawl over wiki exploits

Hackers are exploiting vulnerabilities in wiki software packages to build networks of compromised computers. Bugs in the PmWiki and TikiWiki applications are being actively used to create botnets, the SANS Institute's Internet Storm Center reports. It reckons the exploits for TikiWiki 1.9 (and below) and PmWiki 2.1.19 (and below) are the work of the same virus writer. Both TikiWiki and PmWiki are packages for creating wikis - web applications that let visitors easily add, remove, or edit the content of collaborative websites. The PmWiki flaw can only be exploited where PHP's register_globals setting is enabled; the TikiWiki flaw can be exploited regardless of that setting. As well as installing an IRC bot that connects to channels on Undernet IRC servers, attackers are loading a variety of other exploits and attack tools onto the compromised machines. Alongside Perl flood scripts, useful for launching denial of service attacks, exploits for both 2.4 and 2.6 Linux kernels are being loaded onto vulnerable machines. PmWiki users are advised to upgrade to guard against attack.
TikiWiki has published an advisory describing a workaround to guard against attack, pending the availability of software patches. ®

Pump-and-dump spammers shift tactics

Pump-and-dump spammers are refining their tactics and marketing techniques in an attempt to drum up new business. Junk mail scumbags are now targeting companies with offers to boost their stock prices in return for payment. Pump-and-dump scams are email campaigns that seek to encourage armchair investors to sink their cash into particular firms' stock. The goal is to inflate interest quickly in a low-value stock with bogus insider information in order to ramp up the share price and sell at a profit before the inevitable crash. Those duped are left holding possibly worthless shares. Most of these scams are thought to take place without the knowledge of the firms that are their subject. However, in a new twist seen in a junk mail campaign discovered by net security firm Sophos, scammers are telling companies that they can boost their own stock prices by up to 250 per cent within two to three weeks using junk mail. The bogus offers even promise a one-day free trial. Spam emails sent out as part of the campaign claim that the scammers will offer advice on future share price movements to investors, in return for a 30 per cent slice of supposed profits. Sophos reports that pump-and-dump stock campaigns currently account for approximately 15 per cent of all spam, up from 0.8 per cent in January 2005. In related news, security experts have identified a pump-and-dump stock spam campaign that uses an animated graphic to display a "subliminal" message to potential investors. Spam messages seeking to pump up interest in a firm called Trimax flash the word "Buy" every 15 seconds. By using images instead of text, junk mail messages may evade anti-spam filters that rely solely on the analysis of textual content.
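The evasion described in the pump-and-dump story above has a structural counter: a filter that looks at the shape of the message rather than its words. The following is an added example, not code from Sophos or from the original story, and the two sample messages, the keyword list and the 80-character threshold are constructed for illustration. It shows a naive keyword filter that catches the old text-based pitch and misses the image-only one, next to a check on the text-to-image balance of the MIME parts that catches the image-only pitch.

```python
"""Structural check for image-only spam, which text-only filters miss.
Sample messages, vocabulary and thresholds are constructed for this example."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Vocabulary a naive text filter might key on (constructed, not a real list).
PUMP_WORDS = re.compile(r"\b(buy|stocks?|shares?|symbol|ticker|explode)\b", re.I)


def parse(raw_bytes):
    """Parse a raw message as it would arrive from the MTA."""
    return BytesParser(policy=policy.default).parsebytes(raw_bytes)


def keyword_filter(msg):
    """Text-only filter: flags mail whose visible body contains at least two
    pump-and-dump words. An image-only pitch sails straight past it."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return len(PUMP_WORDS.findall(text)) >= 2


def image_features(msg):
    """Return (visible text characters, inline image parts, image bytes)."""
    text_chars, image_parts, image_bytes = 0, 0, 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            image_parts += 1
            image_bytes += len(part.get_payload(decode=True) or b"")
        elif ctype in ("text/plain", "text/html"):
            body = part.get_content()
            if ctype == "text/html":
                body = re.sub(r"<[^>]+>", " ", body)   # strip tags, keep words
            text_chars += len(re.sub(r"\s+", "", body))
    return text_chars, image_parts, image_bytes


def structural_filter(msg, max_text=80):
    """Flag mail that carries an image but almost no text: the shape of an
    image-only stock pitch. The threshold is an example value, not tuned."""
    text_chars, image_parts, image_bytes = image_features(msg)
    return image_parts >= 1 and image_bytes > 0 and text_chars <= max_text


def build_text_spam():
    """Constructed sample: old-style pitch with the message in plain text."""
    msg = EmailMessage()
    msg["Subject"] = "This stock is about to explode"
    msg["From"] = "promo@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg.set_content("Buy TRMX now! Shares will explode next week. Symbol: TRMX.")
    return msg


def build_image_spam():
    """Constructed sample: the pitch lives in an inline GIF, the text says nothing."""
    msg = EmailMessage()
    msg["Subject"] = "hi"
    msg["From"] = "promo@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg.set_content("see attached")
    # Stand-in for the animated GIF: a GIF89a header followed by dummy bytes.
    fake_gif = b"GIF89a" + bytes(200)
    msg.add_related(fake_gif, maintype="image", subtype="gif", cid="<pitch>")
    return msg


if __name__ == "__main__":
    for name, builder in (("text", build_text_spam), ("image", build_image_spam)):
        msg = parse(builder().as_bytes())
        print(name, "keyword:", keyword_filter(msg), "structural:", structural_filter(msg))
```

The structural check is deliberately crude: on its own it would also flag a legitimate one-line mail with an inline logo, so in practice it is a feature fed into a scoring engine alongside sender reputation and text analysis, not a verdict by itself.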
The percentage of spam containing embedded images has risen sharply from 18.2 per cent in January to over 35 per cent last month, according to Sophos. ®

Phishing attack targets Spanish mobiles

A mass-mailing worm that attempts to trick users into downloading malware in response to bogus text messages is spreading in Spain. Anti-virus firm McAfee said the Eliles-A worm is among the first malware samples to automate a so-called phishing-via-SMS (SMiShing) attack. Eliles-A initially spreads as a conventional mass-mailing worm whose infectious payload is contained in an attachment to email messages posing as a CV from a supposed job applicant. Compromised PCs are used to send SMS messages free of charge via email through the SMS gateways of two Spanish operators. The worm has two routines that generate random phone numbers to target. Targeted users receive an SMS claiming to be from the mobile operator and advising them to download "free antivirus software" for their phone. Users who downloaded and installed the software from the link would have found themselves infected with malware. The link is now inactive but pointed to a Symbian SIS file, indicating that the malware targets Symbian phones. It's unclear what malware payload the attackers intended to deposit on the shiny Nokia Series 60 phones of their intended marks. McAfee said evidence within the code of the Eliles-A worm suggests it was cobbled together from a variety of disparate sources by script kiddies. Most of the code is in Spanish, with some German comments. ®

Yahoo!, MSN chat interop steps out

Yahoo! and Microsoft introduced new versions of their IM chat clients last month which, while flaky, show the first results of last October's interoperability agreement. Yahoo! chat users can now send messages to MSN chat users and vice versa. Or at least, it works if you're using Yahoo!'s Mac beta software and Microsoft's Windows Live Messenger.
The interoperability agreement pits AOL, with its AIM and ICQ services, squarely against the Yahoo! and Microsoft alliance. But even this limited level of interoperability is somewhat grudging, and doesn't provide the full set of features IM users expect. File sharing, let alone voice or video chat, is unlikely ever to be supported across the two networks by either Microsoft or Yahoo!. Microsoft told IDG: "We need to assure that the costs of interoperation are in line with the business benefits." Which translates as: "You must be joking." Not much incentive for users on Windows and the Mac to give up Trillian or Adium, then. ®

OpenOffice update fixes security bug trio

OpenOffice.org has released a security update to its open source office productivity suite following the discovery of three potentially serious security vulnerabilities during an internal audit. Both the 1.1.x and the newer 2.0.x releases of the software are affected. Users are advised to update to version 2.0.3 or to wait for an upcoming patch for version 1.1.5. The first of the three flaws allows Java applets to break out of the secure sandbox in which they are designed to execute. Next there is a security bug in the processing of macros which means macros might be invoked even when the user has disabled them. Finally, flaws in the parsing of XML file formats mean that maliciously constructed files could trigger a buffer overflow, potentially allowing an attacker to run hostile code on vulnerable systems. Users can disable Java applets as a workaround for the first flaw, but the other two bugs require patching. A security bulletin from OpenOffice.org can be found here. StarOffice, the commercial office productivity software based on the same code as OpenOffice, is affected by the equivalent three bugs. Patches for StarOffice/StarSuite 8.x and 7.x (and StarOffice 6.x) are available to address the problem.
A notice from security notification firm Secunia provides a summary of the issue along with links to the relevant advisories. ®

'Pentagon hacker' prepares for verdict

Infosec Gary McKinnon, the British hacker who is due to hear on 10 May whether he will be extradited to the US, rates his chances of avoiding trial in the States as only "50/50".

Early days of dial-up hacking recalled

Infosec blog The last day of Infosec brought nostalgia for the old days of hacking. Robert Schifreen, the ex-hacker and author famous for breaking into Prince Philip's Prestel account some 20 years ago, recalled a more innocent age during his stint chairing a hackers' panel.