Update for August 25, 2006 to August 31, 2006

Welcome to Tech Talk! First phishing, then vishing, and now SMiShing? One hundred and forty-two new vulnerabilities announced by US-CERT, along with a warning about an increase in phishing sites. Sun admits there is a major flaw in the method that Java updates are installed, and a serious security hole is found in Cisco firewalls. Ten open source companies and products to watch, and a new study shows attacks that use stolen login credentials are much more damaging than other types of attacks. These stories and more in this week's Tech Talk.

-- Jeff Patterson, BOL GURU

US-CERT Lists 142 New Vulnerabilities
The US-CERT Vulnerability Summary for the Week of August 21, 2006 announced eighty-five High severity vulnerabilities this week in products ranging from Microsoft's Internet Explorer and Mozilla's Firefox to Sun Solaris, FreeBSD, IBM AIX, the Linux Kernel and AOL's AOL Security Edition. An additional sixteen Medium severity and forty-two Low severity vulnerabilities were included in this report.

Storm Warnings
US-CERT is advising Internet users that there is a marked increase in phishing sites during hurricane season. These sites often appear as legitimate charitable organizations seeking donations. They ask the user to provide personal information which may then be used to steal the user's identity. Advise your customers about this trend and what they can do to protect themselves.

Information Systems Security Policy
The Information Systems Security Policy template in the BOL Banker Store has been completely revised and greatly expanded. You'll find uniformity with the flow of the new FFIEC guidance. The template also includes guidance from the FFIEC’s IT Audit Examination Handbook.

For a complete list of policy templates available, see the BOL Banker Store.

What Are They Waiting For?
TippingPoint has published its most recent Zero Day Initiative list of discovered vulnerabilities that have yet to be patched. The list contains vulnerabilities reported as many as 309 days ago. While details of the exploits are not publicly available, what one person can find, others can find too.

RSA Consumer Solutions
RSA Consumer Solutions provides online security and anti-fraud solutions for financial institutions. Its portfolio includes risk-based and segment-based authentication, anti-phishing/pharming services and transaction monitoring. For more information, visit www.rsasecurity.com/consumer.

An Open-Source Watch List
Network World has published an article on ten start-up companies that use and market open-source software and that every IT professional should watch. The ten solutions range from open-source backup to network management to VoIP.

Tell Us They're Kidding, Cisco!
A serious flaw exists in Cisco Firewall products that could allow passwords to be changed without any user interaction, reports eWeek. The exploit may cause the EXEC and locally defined user passwords to be changed without any user intervention. This effectively prevents administrators from logging in. Additional flaws were found in several Cisco concentrators that could allow unauthenticated attackers to delete files on the concentrator. Read the article to determine if any of your systems are affected.

Protect Those IDs and Passwords
A new study shows that attacks which use stolen user IDs and passwords cause far more damage than other types of attacks. Businesses hit by attacks in which the login credentials of a privileged account were stolen and used suffered damage of up to $1.5 million, while virus attacks cost an average of only $2,400. Read the entire story on TechWeb.

Java Patch Troubles
Sun has acknowledged that there is a security hole in its patch process for the Java Runtime Environment. The patch process does not remove older versions of Java, and a malicious web site can specify that one of those older, unpatched versions be used when a user visits it. The Washington Post has complete details of the vulnerability.
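Because the patch leaves older runtimes in place, the practical check for an administrator is an inventory audit: which workstations still have JRE versions older than the approved baseline? The script below is an added example, not code from Sun, the Washington Post article or this newsletter. It assumes the installed version strings have already been collected per host by whatever means you use (login script, desktop management tool) in the usual Sun format such as 1.5.0_08; the host names and versions in SAMPLE_INVENTORY are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inventory: hypothetical host names and version strings,
# not data taken from the page. In practice this comes from your own collection.
SAMPLE_INVENTORY: Dict[str, List[str]] = {
    "teller-ws-01": ["1.5.0_08", "1.5.0_06", "1.4.2_12"],
    "teller-ws-02": ["1.5.0_08"],
    "loan-ws-07": ["1.4.2_12", "1.5.0_07"],
}

# Sun-style JRE version: major.minor.patch with an optional _update suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_jre_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a version string such as '1.5.0_06' into a comparable tuple.

    Plain string comparison is wrong here ('1.5.0_10' < '1.5.0_9' as text),
    so each component is converted to an integer. A missing update number
    counts as 0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised JRE version string: {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def stale_versions(installed: List[str], baseline: str) -> List[str]:
    """Return every installed version older than the approved baseline,
    oldest first. A host with only the baseline or newer yields []."""
    floor = parse_jre_version(baseline)
    old = [v for v in installed if parse_jre_version(v) < floor]
    return sorted(old, key=parse_jre_version)


def audit_inventory(inventory: Dict[str, List[str]], baseline: str) -> Dict[str, List[str]]:
    """Map each host to the stale runtimes still present on it.
    Hosts with nothing to remove are left out of the result."""
    findings: Dict[str, List[str]] = {}
    for host, versions in inventory.items():
        old = stale_versions(versions, baseline)
        if old:
            findings[host] = old
    return findings


if __name__ == "__main__":
    # Baseline is whatever release your patch cycle has approved; hypothetical here.
    for host, old in audit_inventory(SAMPLE_INVENTORY, "1.5.0_08").items():
        print(f"{host}: remove {', '.join(old)}")
```

The output lists only the hosts that still carry an older runtime, which is exactly the set a malicious site could fall back to; removing those entries (rather than just installing the newest one) is what closes the gap the article describes.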

Phishing, Vishing, SMiShing. What's Next?
First there was phishing, embedding links to fraudulent web sites in emails trying to get the recipient to give up personal information. Then came vishing, using an email or phone call to get the recipient to call a VoIP phone number and give up their personal information. Now there is SMiShing, where attackers send out SMS alerts to users' mobile phones with a web site link that may contain malware or attempt to get the user to divulge their personal information. Read more about this new form of attack on CSOOnline.

Bank Buys List, Pays Twice
Fidelity Federal Bank & Trust has been ordered to pay a $50 million settlement for buying more than 650,000 names and addresses from the Florida Department of Highway Safety and Motor Vehicles. The purchase was for use in direct marketing but violated the Drivers Privacy Protection Act. Additional information is available on TechWeb.

Get Up To Speed on Multi-Factor Authentication
Join Jeff Patterson and Mary Beth Guard for a BOL Learning Connect Webinar on September 20, 2006: Last Minute Guide to Multi-Factor Authentication. They'll help you prepare for the end-of-year deadline by which you must have your risk assessment completed and a multi-factor authentication solution implemented, if your risk assessment indicates it's necessary. You'll hear about available options and vendors, how to do the risk assessment and more. Register now!


Archived Technology and eBanking
You have access to the previous Tech Talk pages and the Tech Alerts on BankersOnline's Technology & eBanking page.