Blizzard’s Two-Factor Authentication

July 1, 2008 – 8:49 AM

Blizzard’s announcement of two-factor authentication for World of Warcraft is more significant than people realize.

Passwords are obsolete. They are broken. We all recognize this, yet we aren’t quite ready to give up on passwords because we haven’t an easy alternative.

World of Warcraft (WoW) is a good test case. It is the biggest online game and has the largest “black market” where people buy in-game money (“gold”) for real-world dollars. User accounts, protected only by passwords, have real-world value. Hackers first strip the accounts for gold, then use the accounts as mules to sell gold and spam others with messages advertising their gold. Blizzard eventually bans the account, by which point the hackers have moved on to the next hacked account.

This is a huge cost. It costs Blizzard a lot of money (I would guess in the range of $100) to help a user recover from a hacked account. That assumes the user still wants to play and doesn’t cancel their $15-a-month subscription, which costs Blizzard even more money.

Today’s “viruses” usually contain keyloggers that specifically look for people logging into games like WoW. Phishing attacks likewise target gamers. However, there is an even easier way to get people’s account names. People choose the same username/password for multiple sites. Therefore, if you want to steal somebody’s account, you simply set up a site that requires a username/password and encourage players to log in. You then test all the accounts on your own site in order to see if they are also legitimate WoW accounts. Likewise, when hackers break into online sites, they can crack the password file and test how many are legitimate WoW accounts.

Source:
http://erratasec.blogspot.com/2008/06/blizzards-two-factor-authentication.html

How to stop data leakage inside your organization

July 1, 2008 – 8:41 AM

Sophos announced today that it has published a new white paper describing how businesses can tackle the growing challenge of data leaking by enforcing an acceptable use policy, by applying appropriate controls already available in existing security solutions.

The white paper, entitled “Stopping data leakage: Exploiting your existing security investment”, examines recent high-profile data leaks and the roadblocks that many data leakage prevention (DLP) solutions run up against at the point of implementation.

The paper argues that, with the exception of the largest enterprises with the most stringent security requirements, most organizations simply do not have the funds, staff resources, and need to implement large-scale DLP efforts.

Source:
http://www.sophos.com/pressoffice/news/articles/2008/07/data-leakage-paper.html?_log_from=rss

Windows SteadyState Bulletproofs Your System

July 1, 2008 – 8:37 AM

So you’re thinking, “Hey, I want to be totally irresponsible with my computer and load it up with crapware!” Really, isn’t everyone getting tired of having to be so stinking responsible on the Internet all the time? We certainly are. We’re ready for system protection that isn’t afraid of our reckless browsing, indiscriminate downloading, and general apathy towards good computer usage habits.

…Which is why we love Windows SteadyState. It creates a cache file in which your operating system operates, meaning any harmful changes can be undone by simply emptying the cache. After downloading, it’s a snap to install – just a few obligatory clicks and the usual EULA mumbo-jumbo and you’re set.

Our first test was a pretty low-intensity workout. We surfed, bookmarked, set up a POP account and downloaded a few messages, and cluttered up the desktop with a dozen or so hilariously named folders. After issuing the old Windows – U – R we waited anxiously for the system to reboot.

There it was, just as it had been before – no trace of any of our activity. The desktop was still tidy, no favorites or emails were anywhere to be seen. So far so good, but let’s try some real abuse! Do your worst! Fire up Internet Explorer and go on a malicious web-surfing bender. Download rogue applications! Install 16 browser toolbars! Download obviously fake songs with Limewire! When you’re spent, reboot and check the results. To the dismay of Trojans everywhere, not a shred of your misdeeds will remain.

Source:
http://www.downloadsquad.com/2008/06/30/windows-steady-state-bulletproofs-your-system/

Cross Environment Hopping

July 1, 2008 – 8:03 AM

Our research team has identified a web-based attack technique that exploits the growing number of applications that require a web server to run on the local machine. Cross-Environment Hopping (CEH) is a result of this trend combined with the current limitations in browsers’ same-origin policy access restrictions.

The CEH technique enables an attacker to exploit a local XSS vulnerability in order to “hop” to a different environment, such as another locally installed server. Under certain circumstances it may even be possible for an attacker to access remote network services such as network share drives, remote procedure calls, intranet mail, SQL servers, and so on.

This write-up will prove that the current implementation of the same-origin policy on localhost in up-to-date Web browsers, combined with the presence of an XSS vulnerability, creates a special set of circumstances that enable environment hopping, and that the resulting malicious activity can be performed on any server running on a designated port.

We would like to credit Rob Carter for his great work in describing the problematic nature of exploiting XSS vulnerabilities in local web servers by taking advantage of the promiscuous security behavior of Internet Explorer 6.

Source:
http://blog.watchfire.com/wfblog/2008/06/cross-environ-1.html

Teenager confesses to being Nugache botnet mastermind

July 1, 2008 – 7:58 AM

Experts at SophosLabs™, Sophos’s global network of virus, spyware and spam analysis centers, have welcomed news that a teenager has confessed to controlling thousands of computers in an illegal botnet.

19-year-old Jason Michael Milmont, of Cheyenne, Wyoming, has admitted to being the programmer of the Nugache malware which infected Windows computers, turning them into a sophisticated botnet for illegal purposes such as identity theft.

Milmont operated the botnet between March and September 2007, having set up a bogus website which claimed to offer a free installation of the peer-to-peer filesharing program Limewire. However, the program was secretly infected by Milmont with the Nugache malware. He also took over infected computers to send AOL instant messages to victims’ “buddies”, directing them to websites hosting malware.

Milmont used stolen bank information to take over victims’ accounts, and order goods to be sent to vacant addresses in the Cheyenne, Wyoming area.

Nugache was one of the first botnets to be controlled via P2P technology, making it harder to identify and shut down the network’s controller. On average, Milmont controlled between 5,000 and 15,000 compromised PCs at any one time.

Source:
http://www.sophos.com/pressoffice/news/articles/2008/06/milmont.html?_log_from=rss