<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
    <channel>
        <title>security_watchdog</title>
        <link>http://www.security-watchdog.co.uk/</link>
        <description>All the IT security issues that affect you and your business. Direct reports from all the security conferences throughout the year, including RSA conference and Infosec.</description>
        <language>en</language>
        <copyright>Copyright 2010</copyright>
        <lastBuildDate>Wed, 10 Mar 2010 12:08:15 +0000</lastBuildDate>
        <generator>http://www.sixapart.com/movabletype/</generator>
        <docs>http://www.rssboard.org/rss-specification</docs>
        
        <item>
            <title>Adobe Reader now targeted more than Microsoft </title>
            <description><![CDATA[<p>The percentage of targeted attacks exploiting vulnerabilities in Adobe Reader is growing at a significant rate, outstripping Microsoft Word, Excel and PowerPoint, according to the latest figures from security firm F-Secure.</p>

<p>In a new <a href="http://www.f-secure.com/weblog/archives/00001903.html">blog posting</a>, the firm urged users to patch a critical vulnerability in the popular software which was <a href="http://www.adobe.com/support/security/bulletins/apsb10-07.html">discovered</a> last month and is being actively exploited in the wild.</p>

<p>"Our sample was submitted by a European financial organisation and the file name includes a reference to the G20," the blog posting explained.</p>

<p>"The exploit drops a downloader and attempts to make a connection to tiantian.ninth.biz. We detect this attack as Exploit:W32/PDFExploit.G. It doesn't surprise us to see this Adobe Reader vulnerability utilised so quickly."</p>

<p>According to F-Secure's research, targeted attacks exploiting Adobe Reader grew from around 49 per cent last year to over 60 per cent in the first two months of this year.</p>

<p>By comparison, Microsoft Word accounted for around 39 per cent of targeted attacks so far this year, slightly up from 34 per cent in 2009. Excel and PowerPoint attacks stood at around seven per cent.</p>]]></description>
            <link>http://www.security-watchdog.co.uk/2010/03/adobe-reader-no.html</link>
            <guid>http://www.security-watchdog.co.uk/2010/03/adobe-reader-no.html</guid>
            
            
            <pubDate>Wed, 10 Mar 2010 12:08:15 +0000</pubDate>
        </item>
        
        <item>
            <title>Financial services firms found wanting on security</title>
            <description><![CDATA[<p>Negligent insiders and outsourcing data to third parties are the major causes of data breaches in the financial services sector, according to a new report from IT management software firm Compuware.</p>

<p>The study, entitled, <a href="http://offers.compuware.com/register?cid=70170000000J6xI"><em>Privacy &amp; Data Protection Practices: a Benchmark Study of the Financial Services Industry</em></a>, was conducted by the Ponemon Institute and included interviews with chief information security officers, chief privacy officers and others with equivalent responsibilities from 80 multinational financial services organisations.</p>

<p>Three quarters rated negligent insiders as the top reason for a breach, while 42 per cent said outsourcing and a quarter laid the blame on malicious insiders.</p>

<p>While these headline stats may not come as a surprise to most working in the information security industry, what is more worrying is the wide open areas of vulnerability that the report highlights.</p>

<p>Just 56 per cent said they implemented some form of identity compliance procedures, 47 per cent said they used intrusion detection systems, and data loss prevention technology was used by just 41 per cent, according to the report.</p>

<p>"One of the most important things a company can do to assure their future success is to plug the holes in their security policies that were demonstrated in this study," said Larry Ponemon. "While there is a great deal of progress being made, there is still a long way to go."</p>

<p>Very true Larry, very true.</p>

]]></description>
            <link>http://www.security-watchdog.co.uk/2010/03/financial-servi.html</link>
            <guid>http://www.security-watchdog.co.uk/2010/03/financial-servi.html</guid>
            
            
                <category domain="http://www.sixapart.com/ns/types#tag">Compuware</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">Financial services</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">Information security</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">Intrusion detection system</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">Ponemon Institute</category>
            
                <category domain="http://www.sixapart.com/ns/types#tag">Security</category>
            
            <pubDate>Thu, 04 Mar 2010 12:45:18 +0000</pubDate>
        </item>
        
        <item>
            <title>Twitter attacks snare senior politicians</title>
            <description><![CDATA[<p>The Secretary for Energy and Climate Change, Ed Miliband, and Dunfermline and West Fife MP Willie Rennie are among the large number of Twitter users that have been snared by the latest Twitter phishing attack.</p>

<p>The two politicians sent their followers corrupt links, along with a message that reads:</p>

<p>"Hhey, i've been having better sex and longer with this here." </p>

<p>Miliband was quick to respond to the scam earlier today. "Oh dear it seems like I've fallen victim to twitter's latest 'phishing' scam," he tweeted. </p>

<p>He then used the publicity to his advantage. "Now I've got your attention - I want your ideas for the manifesto," he wrote. </p>

<p>According to STV News, Rennie's Twitter account was linked to all his social networking accounts and so the message was sent to thousands of his followers. </p>

<p>Rennie told the broadcaster that he assumed most of his followers would know the link is a scam and not a genuine tweet. Unlike Miliband, he has chosen not to post any Tweets about the scam in his feed. </p>

<p>Graham Cluley from security firm Sophos <a href="http://www.sophos.com/blogs/gc/">warned</a> that unless Miliband has "a strong and different password for every web site" he uses, he may have allowed hackers to access other more sensitive accounts. "Basically, his entire online life could be handed over to hackers," he wrote.</p>

<p>The news of the phishing scam comes as the Lord Chancellor is reportedly investigating fake Twitter accounts that have been set up for all of the Merseyside and NorthWest MPs.</p>]]></description>
            <link>http://www.security-watchdog.co.uk/2010/02/twitter-attacks.html</link>
            <guid>http://www.security-watchdog.co.uk/2010/02/twitter-attacks.html</guid>
            
            
            <pubDate>Fri, 26 Feb 2010 15:15:03 +0000</pubDate>
        </item>
        
        <item>
            <title>What to do when your social networking account gets hacked</title>
            <description><![CDATA[<p>Security-as-a-service firm ScanSafe, now part of the Cisco fold, has decided to share some advice on what users should do if they fall victim to a phishing scam pushed out via social networking sites.</p>

<p>Phishing scams are becoming <a href="http://www.v3.co.uk/v3/news/2258215/twitter-users-under-attack">increasingly popular</a> via social networking sites, as they try to tap the implicit trust users have in their friends' or followers' messages. </p>

<p>By hacking users' accounts, sending out messages to their friends and using social engineering techniques to get them to click on malicious links in these messages, cyber criminals have been able to harvest a rich bounty of user credentials - many of which can then be exploited on other sites such as online banking.</p>

<p>According to ScanSafe senior security researcher Mary Landesman, there should be an ABC of proper etiquette after suffering one of these scams: acknowledge the attack to anyone affected; be detailed in telling them what might have happened as a result; use the attack as an opportunity to caution friends/followers in case it happens again.</p>

<p>If sending out an apology to their followers after their account has been hacked and malicious messages sent out, users should never stick another link in the message, she advised. </p>

<p>"Using as few words as possible, try to include enough details about the message sent so folks can identify it, ended with a brief 'I'm sorry'," said Landesman.</p>

<p>Another best practice tip Landesman gave was that when sending legitimate links, users steer clear of generic messages, which are usually used by cyber criminals.</p>

<p>"Get in the habit of including some identifying info so that the recipient can tell that the human you really did intend to send it," she said. "For example, instead of sending 'check out this funny video', always include more specifics like, 'funny video - reminds me of that crazy guy we saw on the beach in the Bahamas.' </p>

<p>"If enough folks adopted this habit, it would become much easier to distinguish the really generic messages as being likely phishing/malware attacks."</p>

<p>All good advice, although some stronger content filtering technology from the likes of Twitter would also help matters no doubt.</p>]]></description>
            <link>http://www.security-watchdog.co.uk/2010/02/what-to-do-when.html</link>
            <guid>http://www.security-watchdog.co.uk/2010/02/what-to-do-when.html</guid>
            
            
            <pubDate>Tue, 23 Feb 2010 11:47:32 +0000</pubDate>
        </item>
        
        <item>
            <title>Webroot says that Web 2.0 terrifies businesses</title>
            <description><![CDATA[<p>New research from Webroot tells us that enterprises are deeply concerned about the impact that social networking has on their security.</p>

<p>In a new <a href="http://blog.webroot.com/2010/02/17/it-pros-sound-off-on-2010-security-concerns/">blog posting</a> the security firm released the results of research conducted with 800 IT professionals in the UK, UK and Australia, in which it found that over three quarters of them think that Web 2.0 malware will be the biggest issue they face this year. </p>

<p>"Eighty per cent of those who responded anticipate Web 2.0-based malware threats will be among their biggest challenges, and 73 per cent said these types of malware are much harder to manage than email-based threats", wrote the firm. </p>

<p>Those firms that are confident they are sufficiently protected seem to be living under an illusion, according to the survey. These firms also admitted to a number of security problems, including attacks from viruses (60 per cent), spyware (57 per cent), phishing attacks (47 per cent), hacking attacks (35 per cent), and SQL injections of their Web sites (32 per cent).</p>

<p>None of which really tally with any "sufficiently protected" claims, although it is kind of in Webroot's interests to paint this rather depressing picture, given that such a strategy is likely to shift a few more units.</p>]]></description>
            <link>http://www.security-watchdog.co.uk/2010/02/webroot-says-th.html</link>
            <guid>http://www.security-watchdog.co.uk/2010/02/webroot-says-th.html</guid>
            
            
            <pubDate>Thu, 18 Feb 2010 17:41:40 +0000</pubDate>
        </item>
        
        <item>
            <title>Iceman hacker gets 13 years</title>
            <description><![CDATA[<p>A notorious hacker has been sentenced to 13 years in jail on charges of wire tapping and identity theft. </p>

<p>A court in Pittsburgh said that Max Ray Vision - nee Butler - pleaded guilty to the charges last year and has now been sentenced to the jail time, fined almost £20m in repayments to his victims, and will face an extra five years of supervised release.</p>

<p>When Vision, who went by the pseudonym Iceman, was arrested he had the details of almost two million card holders on his home computer; card details which he was using on his trading site cardmarket.com. </p>

<p>We do not know how much money he made through the site, but the size of the fine suggests that it was a significant amount. Court reports say that the fine was based on the $25 cost that card companies face in replacing a lost or stolen number, adding that it was estimated that Iceman had personally stolen some 1.1m IDs. </p>

<p>This is not the first time Vision has been arrested. Having started his career in crime early by writing a backdoor program that could be used to access federal machines, he was sent to jail for 18 months. And this after doing volunteer work at the FBI. </p>

<p>Having served this time he was unable to find any other work and was, he said in a memo to the court, unable to pursue any other career than that of a life of crime. His punishment will be a lesson to some, although the rewards that Iceman clearly enjoyed before his arrest will be enough to persuade the rest that cyber crime is worth the risk.</p>]]></description>
            <link>http://www.security-watchdog.co.uk/2010/02/iceman-hacker-g.html</link>
            <guid>http://www.security-watchdog.co.uk/2010/02/iceman-hacker-g.html</guid>
            
            
            <pubDate>Mon, 15 Feb 2010 13:27:48 +0000</pubDate>
        </item>
        
        <item>
            <title>Fake Firefox site pushing out adware</title>
            <description><![CDATA[<p>Security experts are warning that adware and spyware pushers are trying to bundle their wares into the latest version of Firefox in order to trick users into downloading the software.</p>

<p>A new <a href="http://threatcenter.blogspot.com/2010/02/fake-firefox-update-pages-push-adware.html">blog posting</a> from network security firm eSoft explains that adware pushers are trying to capitalise on the success of Firefox 3.6 in order to extend their reach. </p>

<p>The fake Firefox download site uncovered by the firm has been designed to fool users hoping to upgrade, but contains the spelling errors which are often a tell-tale sign of a scam site, said the blog posting.</p>

<p>"Victims of this scam install the 'Hotbar' toolbar by Pinball Corp, formerly Zango," the post noted.</p>

<p>"Not only are users subject to the annoying toolbar, they're also barraged with pop-up ads and host to a new Hotbar weather application running in the system tray."</p>

<p>ESoft warned users only to download software directly from the publisher, where possible.</p>]]></description>
            <link>http://www.security-watchdog.co.uk/2010/02/fake-firefox-si.html</link>
            <guid>http://www.security-watchdog.co.uk/2010/02/fake-firefox-si.html</guid>
            
            
            <pubDate>Wed, 03 Feb 2010 11:26:16 +0000</pubDate>
        </item>
        
        <item>
            <title>Microsoft plays down IE flaw risk</title>
            <description><![CDATA[<p>Microsoft has been doing some desperate fire fighting since a flaw in its Internet Explorer browser was <a href="http://www.v3.co.uk/v3/news/2256228/microsoft-admits-ie-flaw-blame">found to have been the vector</a> by which Chinese hackers attempted to infiltrate Google's systems.</p>

<p>Since then, both the French and German authorities have <a href="http://www.v3.co.uk/v3/news/2256302/pressure-microsoft-increases">urged their citizens</a> to use another browser until the flaw is patched.</p>

<p>But Microsoft UK's chief security officer Cliff Evans was keen to stress to <em>V3.co.uk</em> yesterday that although the vulnerability technically affects IE6, IE7 and IE8, "the exploits we're seeing out there at the moment only affect IE6", which is the smallest group of IE users in the UK.</p>

<p>The message was loud and clear - upgrade to IE8, whose advanced security features, which include the SmartScreen filter and Data Execution Protection, will make it extremely difficult for hackers to implement the exploit code effectively on this browser.</p>

<p>As to whether Redmond will implement a security fix as part of the next scheduled patch Tuesday or an out-of-band release, Evans argued the team will need to take a considered view.</p>

<p>"The actual risk is minimal - you'd need to be using IE6 on XP and to visit these [malicious] sites," he added. "We'll have to balance the perceived risk with getting people to roll out yet another update."</p>]]></description>
            <link>http://www.security-watchdog.co.uk/2010/01/microsoft-plays.html</link>
            <guid>http://www.security-watchdog.co.uk/2010/01/microsoft-plays.html</guid>
            
            
            <pubDate>Tue, 19 Jan 2010 14:21:33 +0000</pubDate>
        </item>
        
        <item>
            <title>Haiti earthquake disaster exploited by cyber criminals</title>
            <description><![CDATA[<p>It didn't take long. As with all global and media-saturated events these days, the tragedy in Haiti has been exploited by cyber criminals for all it's worth.</p>

<p>First the 419 scammers. According to a new <a href="http://www.symantec.com/connect/blogs/419-style-scammers-seeking-exploit-appeal-donations-support-victims-haitian-earthquake">blog posting</a> by Symantec Hosted Service, aka MessageLabs, the classic advance fee fraud scammers are exploiting the news to part well-meaners from their cash, sending emails purporting to be from charities such as the British Red Cross, requesting donations.</p>

<p>"Exploiting tragic world events for personal gain unfortunately seems perfectly acceptable for some cyber criminals, and the Haiti Earthquake 419 advance fee fraud example highlights that there are no boundaries on what they'll attempt to profit from," wrote malware data analyst, Matt Nisbet.</p>

<p>"The public needs to be aware of such scams so that they can be more vigilant when visiting donation websites, ensuring vital donations arrive at the intended locations, rather than lining the scammers' pockets."</p>

<p>The other main strategy taken by the cyber-criminals has been blackhat SEO-ing, or SEO poisoning. This is when the crims piggy-back upon a news story of widespread interest to promote their own malicious sites into the top of the search rankings, by cramming the sites full of keywords. <a href="http://www.f-secure.com/weblog/archives/00001855.html">F-Secure</a> and Websense both warned users to ensure their AV tools are kept up-to-date and they have real-time content scanning capabilities.</p>

<p>"Websense Security Labs ThreatSeeker Network has discovered that searches on terms related to the recent earthquake in Haiti return results leading to a rogue antivirus program," read a posting on the Websense Security Labs <a href="http://securitylabs.websense.com/content/Alerts/3524.aspx?cmpid=slalert">blog</a>.</p>

<p>"Unfortunately, the bad guys use major crises and events like this to spread their malicious code."<br />
</p>]]></description>
            <link>http://www.security-watchdog.co.uk/2010/01/haiti-earthquak.html</link>
            <guid>http://www.security-watchdog.co.uk/2010/01/haiti-earthquak.html</guid>
            
            
            <pubDate>Thu, 14 Jan 2010 16:14:37 +0000</pubDate>
        </item>
        
        <item>
            <title>How to spot malware the old-fashioned way</title>
            <description><![CDATA[<p>Security experts reminded users today that sometimes the best form of defence against malware attacks is common sense. </p>

<p>In a <a href="http://www.sophos.com/blogs/gc/g/2010/01/04/adobe-malware-attack-sloppiness-puts-spaniard-works/?utm_source=twitterfeed&utm_medium=twitter">blog posting</a>, Sophos senior security consultant Graham Cluley highlighted a recent Spanish-language spam email he noticed, which claims to point to an update for the Adobe Flash Player.</p>

<p>Clicking on the link in the email would take a user to a page requesting they download an "update" to Adobe Flash, which is actually malware. However, as Cluley points out, the email is littered with spelling mistakes, such as "Adoble" instead of "Adobe".</p>

<p>"So how do these tiny clues and mistakes manage to sprinkle themselves into a hacker's attack? Is there some divine intervention that is ensuring that so many cyber criminals keep making daft errors, putting a spanner in the works, and helping to tip off potential victims? Whatever the reason, I hope it continues for as long as there's a malware problem," wrote Cluley.</p>

<p>Apart from regarding any unsolicited emails with suspicion, users should always visit the vendor's own site for any updates, he advised.</p>

<p>But while some cyber criminals are continuing to leave obvious errors in their emails or malicious sites, which should tip off wary users, the general trend appears to be towards greater professionalism in the cyber criminal world. If there's one thing criminals do well, it's that they learn quickly and stay agile. </p>

<p>So while it's obviously important to keep an eye out for any grammatical or other errors that could set alarm bells ringing, users can no longer be guaranteed that e-mail and web threats will be as easy to spot in future. Comprehensive real-time content scanning tools are an essential addition for any computer user today.</p>]]></description>
            <link>http://www.security-watchdog.co.uk/2010/01/how-to-spot-mal.html</link>
            <guid>http://www.security-watchdog.co.uk/2010/01/how-to-spot-mal.html</guid>
            
            
            <pubDate>Mon, 04 Jan 2010 13:16:35 +0000</pubDate>
        </item>
        
        <item>
            <title>Mozilla fixes critical Firefox flaws</title>
            <description><![CDATA[<p>Mozilla has updated its flagship Firefox web browser to patch three critical vulnerabilities.</p>

<p>Firefox 3.5.6 and 3.0.16 suffered from crashes due to memory corruption, according to the Mozilla <a href="http://www.mozilla.org/security/announce/2009/mfsa2009-65.html">security advisory</a>.</p>

<p>"Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products," the advisory noted.</p>

<p>"Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code."</p>

<p>There are a total of 62 fixes for bugs in the new version of Firefox.</p>

<p>"We strongly recommend that all Firefox users upgrade to this latest release," noted a posting on the <a href="https://developer.mozilla.org/devnews/index.php/2009/12/15/firefox-3-5-6-and-3-0-16-security-updates-now-available-for-download/">Mozilla Developer Center blog</a>.</p>

<p>"If you already have Firefox 3.5 or Firefox 3, you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting 'Check for Updates...' from the Help menu."<br />
</p>]]></description>
            <link>http://www.security-watchdog.co.uk/2009/12/mozilla-fixes-c.html</link>
            <guid>http://www.security-watchdog.co.uk/2009/12/mozilla-fixes-c.html</guid>
            
            
            <pubDate>Thu, 17 Dec 2009 12:14:08 +0000</pubDate>
        </item>
        
        <item>
            <title>Verizon Business launches data breach report</title>
            <description><![CDATA[<p>Global communications giant Verizon Business launched its supplemental <em>Data Breach Investigations Report</em> today, offering customers some useful case studies and other information which could help them avoid a data breach.</p>

<p>The report found that the largest share (19 per cent) of breaches are caused by keyloggers and spyware, closely followed by backdoor/command and control and SQL injection attacks.</p>

<p>Abuse of systems access comes swiftly behind and unauthorised access via default credentials is in fifth place. </p>

<p>So having detailed what are the most common threats to guard against, Verizon helpfully then lists each in detail, including how to spot an attack, how to mitigate one, and a useful case study to provide more background info.</p>

<p>The information may seem like basic stuff to many CISOs, but is likely to go down well among those organisations at the smaller end of SME which are struggling to keep their heads above water with limited IT, and even more limited information security, resources at their disposal.</p>]]></description>
            <link>http://www.security-watchdog.co.uk/2009/12/verizon-busines-1.html</link>
            <guid>http://www.security-watchdog.co.uk/2009/12/verizon-busines-1.html</guid>
            
            
            <pubDate>Wed, 09 Dec 2009 15:13:04 +0000</pubDate>
        </item>
        
        <item>
            <title>Do firms delay upgrading because of security fears?</title>
            <description><![CDATA[<p>The furore surrounding Microsoft's <a href="http://www.v3.co.uk/v3/news/2254291/microsoft-shoots-black-screen">Black Screen of Death </a>may finally be dying down, but it has raised more serious concerns about the integrity of new operating systems and whether firms are deliberately delaying upgrades to avoid becoming a bigger target for hackers.</p>

<p>That is, at least, according to security giant Symantec, which has commissioned a new survey into the upgrade habits of enterprise customers, either with alarming speed or uncanny foresight.</p>

<p>The vendor interviewed nearly 1,500 IT managers in the UK, France, Germany and Italy and found that just over a third had major concerns over hackers targeting newer desktop software to find vulnerabilities.</p>

<p>A quarter said they would hold off on upgrading for at least another 12 months, while two-thirds said negative press coverage played a role in influencing their decisions to upgrade.</p>

<p>Which is all very well, but are IT decision makers really that easily swayed by so-called 'negative press coverage'? The letters and comments we get here at V3 would seem to suggest not.</p>

<p>Surely the level-headed IT manager would be wise enough to realise that any new operating system or desktop software is likely to receive an unduly large amount of media scrutiny, including how safe or otherwise it is. </p>

<p>We all know that bigger security risks lie with systems remaining unpatched against known flaws, whether those systems are fresh from the factory or not.</p>]]></description>
            <link>http://www.security-watchdog.co.uk/2009/12/do-firms-delay.html</link>
            <guid>http://www.security-watchdog.co.uk/2009/12/do-firms-delay.html</guid>
            
            
            <pubDate>Wed, 02 Dec 2009 16:38:11 +0000</pubDate>
        </item>
        
        <item>
            <title>VeriSign secures Azure</title>
            <description><![CDATA[<p>VeriSign is to provide security and authentication for the cloud-based Windows Azure platform.</p>

<p>The security giant said that Microsoft would be using its Secure Sockets Layer (SSL) certificates, and Code Signing Certificates, to create a layer of security for its Azure platform of cloud based services and applications.</p>

<p>Doug Hauger, general manager of Windows Azure at Microsoft, said: "With VeriSign SSL and Code Signing Certificates, VeriSign is providing proven safeguards that help ensure a trusted experience on the Windows Azure platform."</p>

<p>VeriSign's security tools will be used to protect services and applications delivered over the cloud. Currently Azure comprises a mixture of services including an operating system and developer and deployment tools. Microsoft said that by adopting it firms could reduce their costs and system complexity.</p>]]></description>
            <link>http://www.security-watchdog.co.uk/2009/11/verisign-secure.html</link>
            <guid>http://www.security-watchdog.co.uk/2009/11/verisign-secure.html</guid>
            
            
            <pubDate>Wed, 18 Nov 2009 12:24:30 +0000</pubDate>
        </item>
        
        <item>
            <title>Researchers take down spam botnet</title>
            <description><![CDATA[<p>Researchers from security firm FireEye have been able to effectively take down the prolific Mega-D spamming botnet, causing inboxes everywhere to release a thankful sigh of relief.</p>

<p>The researchers apparently did what they do best, and studied Mega-D and its behaviour. By doing this they were able to identify its control structure and other features, and hit the bot herders back where it hurts. Late last week they brushed some dirt off their white coats and started ringing around ISPs, disabling control servers, de-registering any of the bots' used domains, and registering any unused fallback ones. In short they threw a whopping great spanner directly into Mega-D's works.</p>

<p>According to <a href="http://www.m86security.com/trace/traceitem.asp?article=1161">M86 Security labs</a>, Mega-D was responsible for almost a third of all spam last year, while over the weekend it slowed to just a trickle, and yesterday had stopped altogether. Current suggestions are that before it was taken down, Mega-D was pumping out some 15,000 messages per hour, which is a lot of junk emails.</p>

<p>The actions also let them get a better understanding of the bots, such as the fact that they used hard-coded DNS servers, domain generation algorithms and fallover domains. Regardless of this, anyone with an inbox should be glad that it is over, at least for now.</p>]]></description>
            <link>http://www.security-watchdog.co.uk/2009/11/researchers-tak.html</link>
            <guid>http://www.security-watchdog.co.uk/2009/11/researchers-tak.html</guid>
            
            
            <pubDate>Tue, 10 Nov 2009 16:54:00 +0000</pubDate>
        </item>
        
    </channel>
</rss>
