Lately, it seems everything’s (and everyone’s) been going rogue.

You might be most familiar with claims by an aide of Sen. John McCain that GOP vice presidential candidate Sarah Palin is going rogue and instead concentrating on her own run for the president in 2012.

But, when faithful readers of SC Magazine hear the word “rogue” - especially of late - they likely immediately think of rogue anti-virus software, the au courant way to steal money off unsuspecting victims.

It seems many of the recent malicious payloads are fake pop-up warnings alerting users their computer is infected with viruses. To fix the “problem,” they must pay - usually $40 or so - to purchase the attacker’s rogue AV solution.

Except it fixes nothing.

Cybercrooks appear to be dropping traditional keylogging and phishing attacks in favor of preying on the fear factor. After all, fear is in the air.

The way they figure, why not have the victim send money directly to them instead of going through the often challenging process of stealing it from them.

Makes sense to me. So until users catch on to this growing trend, the criminals are going to keep doing it.

Protect yourself by protecting yourself. If you know you’ve got the latest real anti-virus product running, then you can safely ignore any pop-ups telling you otherwise.

(BTW, we’re going to host a podcast Monday with researcher Joe Stewart of SecureWorks on this very topic, so please be sure to listen starting next week).

WIth that said, it’s getting near 5 p.m. EST on Friday. Almost time for me to go Rogue.

Actually, that’s go to Rogue - this publishing company’s favorite watering hole on 6th Avenue between 25 and 26th streets in New York.

Talk to you next week. And remember to vote!

It wasn’t too long ago that Microsoft bore constant criticism for its lack of transparency regarding security vulnerabilities and subsequent fixes.

One cannot objectively still accuse the software giant of similar evasiveness.

Nowhere has this change in approach been more evident than Thursday’s unexpected out-of-cycle patch for a Windows Server service vulnerability. Immediately following the issuance of the fix, Microsoft staff wrote posts on not one, not two, not three, but four different Microsoft blogs. You can find them here.

That’s not to mention the webcasts — Microsoft added two on Friday because of popular demand – where end-users could hear specifics about the major flaw.

Certainly this was an urgent matter that companies across the globe needed to be aware of and act on quickly to prevent the possibility of a major internet worm a la Nimda, Code Red and Blaster.

And Microsoft realized that corporations would have a lot of questions - why did Microsoft rush this fix? How did this one get past the secure code team? Which Windows versions are most affected? What do the active attacks look like - and the software giant did its best to provide answers.

They should be commended, especially on the heels of the first-ever round of Patch Tuesday bulletins that included an Exploitability Index, by which users can measure the likelihood of the vulnerability in question being exploited.

Needless to say, Thursday’s out-of-cycle fix aimed to correct a gaping hole that could have been consistently exploited.

And thanks to Microsoft’s candor, not only are businesses patching before anything got out of hand but they are patching with an understanding of what and why they’re patching.

And information is power, after all.

H4ck3rs Are People Too is a recently released documentary that gives an enlightening and comical glimpse into the hacker community. Not just the cybercriminal launching attacks from the dark shadows of their basement, the film proves that hackers are fun, passionate, beer-drinking, normal people. 

The film dispels the notion that all hackers are out to steal your credit card info and replaces it with the reality that many hackers are IT security professionals, computer analysts and researchers. The message that comes through, for me, is that a lot of hackers are just normal people trying to break things to make them better.

The film was edited and directed by Ashley Schwartau, a 23 year-old University of Central Florida digital media student.  Daughter of Winn Schwartau, CEO of The Security Awareness Company, Schwartau has been going to hacker conventions since the age of 16. The documentary was shot at a recent Defcon conference where Schwartau interviewed some prominent names in the IT security community.

In a few hours at a press conference in California, Apple is expected to announce two new MacBook laptops priced at around $1,200 and $1,500. Considering the downturn, let’s call it, in the economy, their strategy of offering more affordable laptops seems to be particularly well-timed.

Rumor sites are touting pumped up functionality – faster processing speed, faster wireless connectivity, better screen resolution, longer battery life – all the improvements one would expect with a new product line.

Our concern, however, is the security angle. As the price point of laptops continue to lower and they become more easily procurable to larger segments of the marketplace, their function broadens as well. No longer are they simply a hard drive on which road warriors can keep their accounts up to date. Laptops are quickly evolving into mobile devices. Anyone with one of these tools can flip it open and easily connect to a wireless network to send email or check their stocks or Facebook page. Witness the scene at any Starbucks or park.

In the old days, a year or so ago, laptops were generally checked out of the office, presumably with some security oversight. Nowadays, as they become more of a consumer buy, laptops are functioning in much the same manner as a smart phone or PDA. They’re not quite down to the size of a Dick Tracy wrist phone, but are certainly more ubiquitous.

Apple is not immune to vulnerabilities. In fact, just last week, in its latest software update, Apple fixed a security vulnerability which could have led to cross site request forgery. Sophos recently released a whitepaper offering 10 steps to better protect Macs from data theft.

But, while the Apple OS has been less of a target for malware writers than Microsoft’s Windows and Vista, that luxury may be waning. The popularity of the iPhone, and now the introduction of near-$1,000 laptops, while benefitting Apple shareholders by increasing the Cupertino, Calif-based company’s slice of the computer pie, is certain to invite assaults by virus writers, spear phishers, trojan spreaders and all the other n’er-do-wells who feed off the success of others.

Fox News, in an exclusive, says yes.

Citing some unnamed sources, Fox reported Friday that the World Bank, which provides financial assistance to developing countries, has had some 40 servers compromised and an unknown amount of personal data stolen.

The bank, however, denies this, saying no sensitive information has been hijacked and that most businesses suffer attempted hacks, so this is nothing out of the ordinary.

I think the truth lies somewhere in the middle. Sounds as if attackers may have been targeting the venerable organization in much more sustained ways that your average business might see. But it also is likely that no major breach has occurred.

We’ll have to see what comes of this.

But a general takeaway: Monitor your network for suspicious activity. Whenever we hear about a mega breach, the attackers, it seems, were able to go about their business without disturbing a soul.

When I wrote this week about the breach at the University of Indianapolis, in which the personal data of some 11,000 students, faculty and staff was potentially compromised by hackers, I couldn’t help but think about that SNL Weekend Update skit called “Really?!“ 

It’s a hilarious segment where Amy Poehler and Seth Meyers make fun of famous people for lacking common sense.

Well in the case of this breach, I was just shaking my head when I read a quote from University President Beverley Pitts:

Our investigation leaves no doubt that this was a professional job from outside, and it was well beyond our control.

Really, Beverley!?! Beyond your control.

OK, first of all, the University of Indianapolis should be lauded for no longer using Social Security numbers as identifiers, something the federal government is currently evaluating itself. (It appears, in this case, the hackers lifted old credentials that were still floating around in some database).

And yes, colleges face bigger IT security challenges than a lot of verticals, due to their open environments, limited budgets and sometimes inexperienced staff.

But - to say it was beyond your control, in 2008, considering all the awareness and all the headlines and all the security solutions, is just plain senseless.

Maybe it was a poor choice of words, Beverley. But if you get breached, admit that there was a shortfall somewhere in your baseline and then immediately work on rectifying it so that it never happens again.

Don’t proclaim helplessness.

Really!?!