SC Magazine
The IT Security Blog Roundup

On the menu: spam and more spam

Posted April 30, 2007 * Comments(0)

In case you didn’t already hate spam, here are two more reasons.

McAfee Avert Labs has spotted “how to become a money launderer spam,” which are literally job ads recruiting people who have some extra time on their hands and would like to earn some money, albeit illegally.

At Sunbelt Software, the researchers have the skinny on oxymoronic image spam, or “imageless image spam.” This new find arrives in email boxes as a short message promising to detail the latest news from Wall Street. The link, however, leads to a photo detailing the latest stock scam.


Filed under: Email Security, Phishing, Spam

The good word from Redmond

Posted April 27, 2007 * Comments(0)

It seems like every week there’s a new IT security blog. We at SC Magazine know all about this, since last week it was us.

But Microsoft’s new Security Development Lifecycle team blog is especially noteworthy. Michael Howard, senior security program manager in the Security Engineering Group, kicked off this week by explaining what the company has learned from the ANI cursor vulnerability.

Howard, who’s been penning his own blog for a few years now, gives a better explanation of the situation in Redmond than I can, so please check it out for yourself.

It’s no secret that Microsoft is everyone’s favorite punching bag, whether the software empire deserves it or not. But give them credit for adding another layer of disclosure with this blog.


Filed under: Browser flaws, Email Security, Industry Reports, Microsoft, Non-Microsoft Patches, Patch Management, Patch Tuesday, Vulnerabilities

Following, and verifying, the QuickTime flaw news

Posted April 26, 2007 * Comments(0)

It’s not unusual for an IT security story to have twists and turns. With the ever-changing technology on both sides of the good guy/bad guy divide, that’s inevitable.

The story of the CanSecWest “hack-a-Mac” contest is a good example. It started as two researchers exploiting a MacBook Pro vulnerability to win a contest at a Vancouver conference.

It became an assumed flaw in Apple’s Safari web browser.

After some information from TippingPoint, which sponsored the contests, it was clarified to be a flaw in QuickTime that affects all Java-based browsers, which evolved later in the week into a flaw affecting Internet Explorer on Windows operating systems, including Vista.

But today’s big question was, “Did the exploit become public through the wireless network at CanSecWest?” The answer now looks like, “probably not.”

Thomas Ptacek at Matasano Security’s blog followed the reports, closing with an ominous hunch that the vulnerability could turn into something big and a conclusion that blogs may not be the best place for exploit disclosure.


Filed under: Apple, Browser flaws, Microsoft, Mobile and Endpoint Security, Non-Microsoft Patches, Patch Management, Patch Tuesday, Phishing, Vulnerabilities

Vulnerability ethics

Posted April 25, 2007 * Comments(0)

The Roundup came across a thoughtful take on the QuickTime flaw revealed at CanSecWest last week, now found to affect numerous web browsers.

Information Security Sell Out brought up a lightning rod topic this week: vulnerability management ethics.

The Sell Out questions whether a firm, in this case TippingPoint, is engaging in bad business by allegedly using the discovery of a flaw as a marketing opportunity. Did TippingPoint put Mac users at risk by offering $10,000 for discovery of a Mac flaw, thus practically ensuring one would be disclosed? And what if TippingPoint mishandles the newly purchased vulnerability?

Scroll down to the discussion section; a back-and-forth ensues.


Filed under: Apple, Browser flaws, Groundbreakers and newsmakers, Microsoft, Non-Microsoft Patches, Patch Management, Patch Tuesday

The story behind the MacBook hack story

Posted April 24, 2007 * Comments(0)

Vancouver, British Columbia is a bit off the beaten path for many IT security vendors, but for Mac aficionados, it might’ve been worth the trip to CanSecWest.

To make a long story short, the show offered two MacBook Pros to researchers who could use a fresh zero-day flaw to hack into the Apple laptop.

Researcher Shane Macaulay did, with a little legal help from Dino Dai Zovi, and the team took home both a $10,000 prize provided by TippingPoint and a MacBook.

But what appeared to be the winning vulnerability in Safari is actually much more. The QuickTime flaw actually exists in any Java-enabled browser, meaning Firefox users on Macs are vulnerable, and Firefox users on Windows are most likely vulnerable, as long as QuickTime is installed.

The Matasano Chargen blog has an interesting take on the developing story, if for no other reason because Dai Zovi, like Mozilla security bigwig Window Snyder, is a Matasano emeritus.


Filed under: Apple, Browser flaws, Microsoft, Non-Microsoft Patches

The Alec Baldwin data breach

Posted April 23, 2007 * Comments(1)

Opinions on Alec Baldwin aren’t hard to come by. Especially not now, after humiliating voicemail messages he left for his daughter were leaked to entertainment gossip website TMZ.com.

Mine are pretty simple: Glengarry Glen Ross – good; The Hunt for Red October – very good, a much better Jack Ryan than Ben Affleck, not as good as Firewall star Harrison Ford; parenting skills – the jury’s still out, to be kind.

But one Baldwin role that doesn’t immediately come to mind is data breach.

Kenneth F. Belva at bloginfosec.com pointed out today that while voicemails are not generally considered information security “data,” the leak has quantitative and non-quantitative financial consequences, including potential loss in job opportunities, as well as considerable reputational damage.


Filed under: Breaches, Groundbreakers and newsmakers, The Insider Threat

A fitting description for Virginia Tech scammers

Posted April 23, 2007 * Comments(0)

It’s tough to believe that it’s been a week since the tragic deaths of 32 students and professors at Virginia Tech.

In that time, we’ve followed the story’s numerous information security angles, and we’ve found a lot of what we expected to find: Scammers and spammers will use just about any tragic story that’s received mainstream media coverage as a lure for malware or malicious websites.

So why bring it up again? Handler Tom Liston of the SANS Internet Storm Center posted today that spammers are sending messages across Europe claiming an “Asian national” has gone on a copycat shooting spree, and, of course, urging the reader to click on a malicious link for more information.

Liston sums up his (and most individuals’) feelings on the issue, complete with a fitting description of such scam artists.


Filed under: Education, Email Security, Lawbreakers, Phishing, Spam

Weekend edition: Members of the military targeted, ID theft scare at Los Alamos and Oracle turns on the flashlight

Posted April 20, 2007 * Comments(0)

Technology news is sort of like food; if you leave it out too long, it’s only a matter of time until it goes bad.

If breaking news isn’t covered within a few days, it’s going to be passed over for the next juicy steak of a story to come along. And with ever-changing technology, and bad guys who never seem to sleep, nowhere in the media is this as clear as with tech news.

So with that in mind, here are a few blog items to munch on over the weekend.

As if they don’t have enough to worry about…
When doing business overseas, a road warrior is likely to check his or her bank account information via the web instead of running up an expensive phone bill or strolling the streets of Tokyo or London looking for a Chase Bank ATM.

So imagine being stationed in a foreign country for months on end, with few urban centers nearby to check account balances.

That’s the rationale behind a new man-in-the-middle phishing scheme that traps members of the U.S. Armed Forces into visiting a website that logs their keystrokes. F-Secure’s research team has a good description on its blog.

Warning: The scam websites, which pretend to be official Bank of America pages and require check card numbers, expiration dates and PIN numbers, look quite real.

Keep it classified
Here’s another scary item.
Privacy blog PogoWasRight.org, named after a cartoon character famous for saying, “We have met the enemy and he is us,” (must’ve been before my time) has picked up an Associated Press story on Los Alamos workers being warned about identity theft.

Moving towards disclosure
Finally, patch distribution is a tricky business. Most months, Microsoft can’t seem to make anyone happy, no matter what it fixes or how many patches it releases.

With Oracle’s latest patch release just in the rearview mirror, Eric Maurice, the company’s manager for security in the Business Technology Unit, blogged about the latest distribution.

It’s worth reading because public disclosure about patch distributions is an even trickier business than releasing the fixes. It’s a tightrope walk above malicious users and IT pros, and both groups want as much information as possible.

It’s also worth noting that Oracle has made strides in recent months to release patches on a more selective basis and rank vulnerabilities on a clearer scale.


Filed under: Breaches, Browser flaws, Email Security, Finance, Government, Lawbreakers, Microsoft, Non-Microsoft Patches, Patch Management, Patch Tuesday, Phishing, Privacy, Spam, Vulnerabilities

First image spam, now cartoon spam

Posted April 19, 2007 * Comments(0)

It’s the one word that proves that Bill Gates, for all his admirable charitable work and innovative intellect, does not know everything.

Spam.

In early 2004, Gates famously predicted that spam would be a thing of the past by 2006, reduced to the dustbin of messaging history alongside carrier pigeons and smoke signals.

But four months into 2007, most of our email boxes are still peppered with foreign-language messages or unwanted medical offers (that’s the PG-rated description).

And the spammers seem to get more clever every day.

We’ve kept readers up to date on image spam. And the researchers at Sunbelt Software have the latest variation: multi-colored memo images and a cartoon of an average-looking boardroom dweller with a chart with positive results.


Filed under: Email Security, Phishing, Spam

Where to begin?

Posted April 17, 2007 * Comments(0)

Whenever I sit down for an in-depth interview, I always resist asking the subject how he or she got involved in information security. Working in information security isn’t something that most professionals have in their genes after all.

With some, the answer is expected: “I like to hack into things. I’m good at it. Why not make a living doing it?” And on the business end, executives often trace their security roots back to the late 1990s, when the world was learning to love the internet – and some opportunistic (I mean this as a compliment) individuals were seeing the web as one-stop shopping, with that stop being the bedroom, back porch or however far a customer can stretch a laptop.

Detailed biographies, however, are few and far between; that’s why I’m pointing this one out.

Ironically, Jeremiah Grossman’s interest in computers began the same place mine did – in front of a Commodore 64. But it looks like he had a deeper interest in the technology than just using it to play Spy Hunter.


Filed under: Groundbreakers and newsmakers, Personnel Moves
