IBM Internet Security Systems' X-Force has released its annual report outlining the malicious software threat and trending landscape. In a nutshell, things are getting more complicated (landscape-wise) and the impact is becoming more technically complex. Read the report and you can directly glean as well as infer certain facts.

As malware becomes harder and harder to catch in real-time using currently-available technology (a trend that has become quite clear over the past year or more) and as the intent of the malicious software becomes more and more geared toward complete remote system control and access, the potential situation looks - I'll just say it - pretty darned bleak.

It's important to stay up-to-date if you're an IT or Security professional (or hard-core geek). Here are your links:

• The ars technica article: Annual IBM security report paints worrisome picture for 2008 (includes some good side-bar thoughts)
• The full IBM report download (PDF, about 3MB): IBM Internet Security Systems X-Force 2007 Trends Statistics

Quiz in the morning. :)

I have a set of Kenmore HE3 appliances for washing clothing, the matching washer and the dryer of course. I like them a lot and have had them for five years. They've served me well. However, ever since installing a drawer pedestal under both, the washer had taken to frequently hopping and jumping around on the floor while in the spin cycle. It's not a good thing, and I needed a fix.

Luckily after some creative Google work I found this web site: Fixitnow.com, Samurai Appliance Repair Man. It's a blog with lots and lots of entries describing how to resolve common issues with various appliances, including mine. It gave me the information I needed to fix the problem. So I'm bookmarking it here on my blog for the benefit of others and - undoubtedly - for my own future reference.

Thanks, Samurai Repair Guy!

It's not like we didn't already know the malware (short for "malicious software") infection rate is increasing, but Google's security folks posted a technical paper and blog entry on Monday that illustrates the prevalence of "drive-by" malware distribution and just how big the problem has become.

Excerpt:

“During that time we have investigated billions of URLs and found more than three million unique URLs on over 180,000 web sites automatically installing malware” … “In the past few months, more than 1% of all search results contained at least one result that we believe to point to malicious content and the trend seems to be increasing.”

Add to that the fact that a significant and growing amount of newer malware recompiles itself into new forms each time it redistributes, making it virtually undetectable by current means, and the situation potentially becomes even scarier.

The technical paper is a very interesting read and explains some of the distribution techniques and designs. It also points out one piece of browser technology that has resurfaced to plague the security world many, many times: the iFrame.

The problem is most deeply rooted in China, where 67% of all malware distribution servers are located, and 64.4% of all landing sites (sites that point to a distribution site) are located. The next closest offending country is the United States, which accounts for about 15% of the distribution and landing sites. So, one can easily see where a significant portion of the problem lies. With the increases in business and trade taking place in China now, one has to worry about the future if computer systems are in such bad shape. Clearly, something needs to change.

If you're a security person, an IT server admin, work with web applications, develop web apps, or are for any reason interested in scary figures (such as the fact that "38.1% of the Apache servers and 39.9% of servers with PHP scripting support reported a version with security vulnerabilities."), read the report. It's worth the time you'll spend.

It looks like the Live Search team has announced they've released their MSN Bot v1.1 (and changed the user agent string to "msnbot/1.1"). They've noted two significant (and welcome) features.

• HTTP compression
• Conditional GETs

What does this mean for server owners and operators? Just a more-efficient way of crawling your sites for indexing, assuming your servers support the features. Most servers support HTTP compression, and links to instructions for configuring it are provided in the Live Search team's blog entry.

If you're interested in knowing whether your site/server supports these two features, the Live Search team has also put up a page where you can run a quick test.

Of course, depending on how they detect search indexing bots, some apps may need to add the new user agent string to their configurations.

Firefox, that other awesome web browser, is now available in a v3 B3 release for those who are willing and wanting to test the latest and greatest before it's all fully baked.

Here is the link to get to the download page and other pertinent information. Expect performance improvements, security improvements, usability enhancement and more. But, keep in mind it's a Beta release, which means it will likely be flaky and do things you might not like. In the words of the Firefox team:

Please note: We do not recommend that anyone other than developers and testers download the Firefox 3 Beta 3 milestone release. It is intended for testing purposes only.

Firefox 3 Beta 3 is now available for download. This is the eleventh developer milestone focused on testing the core functionality provided by many new features and changes to the platform scheduled for Firefox 3. Ongoing planning for Firefox 3 can be followed at the Firefox 3 Planning Center, as well as in mozilla.dev.planning and on irc.mozilla.org in #granparadiso.

Richard and I had a good conversation with Scott Kveton, OpenID personality extraordinaire, on the RunAs Radio podcast this week. Scott is chairman of the OpenID Foundation.

OpenID is a cool and upcoming technology and has seen significant attention in the past few weeks especially as Yahoo! became an OpenID provider, immediately followed by an announcement that Microsoft, Google, Yahoo!, IBM and Verisign had joined the board of the OpenID Foundation.

It's time to get on-board and know what OpenID is, how it might play with other technologies in the identity and access management space, and how you can learn more. That's what this show is all about.

Scott Kveton Shares His OpenID (MP3 link)
from the RunAs Radio podcast

Richard and Greg talk to Scott Kveton about OpenID. OpenID is a single sign-on solution that could very well make the classic username and password obsolete. This is a fast half hour - you'll find yourself wanting to listen again!