BANKERSONLINE.COM MAIN PAGE             Print Friendly Version!    Email This Article!    Discuss NOW!
March 28, 2008
Update covering March 21 - 27, 2008

Welcome to Tech Talk! In this edition, BOL Gurus John Burnett and Andy Zavoina write about a crooked programmer, hacks from China, monitoring and more.


You'll read about:
  • a jail sentence for data theft
  • hacker attacks on backup software
  • weaknesses found in brand new servers
  • another warning on malicious attachments
  • five questions to ask yourself
  • the limits of anti-virus software
  • Firefox's latest security update
  • Cisco's security alerts
  • a reminder about Excel patches
  • complaints about Apple's Safari maneuver
  • the road to Windows XP SP3
  • TJX's FTC settlement
  • terror sites on U.S. ISPs
  • monitoring employee web use
  • US-CERT's latest vulnerabilities list
Get the details below.
Order your 2008 ID Checking Guide NOW
Do the Crime, Do the Time
A Compass Bank (Birmingham, AL) programmer stole a hard drive with a million customer records. Some of the data was used to create debit cards and make fraudulent transfers from about 250 customer accounts. The programmer and his accomplice were caught. James Real, the programmer, was sentenced to jail and restitution. For the details, read InfoWorld.

Backup Software Attacked
If your shop uses CA's BrightStor ARCServe Backup, you'll want to read an article in Computerworld that discusses an attack focusing on that software from a .cn (China) domain website. Symantec has provided a workaround, but it requires editing a bit of Windows Registry code -- something that most end-users aren't equipped to handle safely.

Sun Ships Wrecked Servers
Sun Microsystems shipped servers that, as configured, were exposed to attack. The settings would allow a hacker to execute commands remotely with root user level authority. The vulnerable servers were shipped before mid-February. For more details, including the model numbers, read Computerworld.

Dust Off that Attachments Staff Alert
The warning is the same, the reason is new. Microsoft is warning Office users not to open email attachments from untrusted sources or attachments they didn't expect, especially Word files. There have been targeted attacks taking advantage of a bug in Microsoft's Jet Database Engine. If you want to know what versions of Word are vulnerable and what operating systems are not, read the story in Network World.

Five IT Security Questions
Here are five security questions to help develop your corporate mindset and affirm or redirect your security mission statement. These simple questions focus on philosophy, business, and political savvy. The five questions, with explanations on your responses, are at Network World. This short Q&A article links to a master article on "How to fashion a 'security first' enterprise."

AV Software Isn't a Cure-All
As an IT administrator or experienced internet user, you already know this. But here is an article worth passing along to other computer users, especially those who believe IT security is IT's job. In the Security Fix blog, Brian Krebs reminds us of some basic tenets of computer use, such as "Anti-virus software is no substitute for common sense." Read more at the Washington Post.

Firefox Updated
Mozilla released version 2.0.0.13 of its Firefox web browser this week. According to a Computerworld article, ten vulnerabilties are targeted by the update, and at least half of them are viewed by Mozilla as "critical." Firefox users should have automatically received a download of the latest version, unless they have unchecked the auto-update option (Tools/ Options/ Advanced/ Update). A related story in PC World reports that Mozilla plans to release Firefox 3.0 in June, with a release of the final beta version due in the next few days.

Cisco Vulnerability Alerts
Cisco has released five security advisories this week in the first of its regularly scheduled biennial security update bundles. Learn more about the most recent advisories, all of which involve Cisco IOS, on the Cisco Security Advisories page.

Are Your Excel Patches Current?
Security researchers at Symantec have identified a malicious website that is attempting to exploit unpatched security gaps in Microsoft Excel. The Excel weaknesses were addressed in Microsoft's March 2008 Patch Tuesday collection. If you haven't already applied those patches, you should put them on your high-level To-Do list. You can read more in InfoWorld's article.

A Rotten Apple?
Do you have QuickTime on any of your computers? Do you want to use the Apple Safari browser? The last QuickTime update defaulted to allow a Safari install and that included a 50MB download. It can easily expand to chew up almost 65MB of your hard drive real estate. Neil McAllister writes about the browser wars heating up and Apple's arm-twisting in this PCW Business Center article.

Another Step Toward XP SP3
A "refresh" version of the Release Candidate for Windows XP SP3 is now available. According to a Network World article, Microsoft released the incremental tweak so it could check out improvements to Windows Update's ability to deliver the final SP3 product. Users who want to obtain the updated release candidate will need to do some front-end work, starting by uninstalling any earlier release candidates for SP3.

TJX Avoids Fed Fines
It has been more than a year since we first heard of the data breach at TJX Companies. To avoid federal fines they have settled with the FTC, as have data broker Reed Elsevier PLC and its Seisint subsidiary. They are all agreeing to many years of data security audits, but first there will be a 30-day comment period. Details are on boston.com.

U.S. ISPs Host Terror Sites
Should U.S.-based ISPs be held to the same standards as banks when it comes to doing business with known terrorist groups? Network Solutions just announced it had suspended Hizbollah.org, an official website of Hezbollah. Brian Krebs, in his Security Fix blog, also lists three sites controlled by Hamas that are hosted by the Herndon, Virginia-based ISP. Network Solutions isn't alone. Read Krebs' Washington Post blog to get details.

Internet: More Use Means More Monitoring
For many years employers have monitored where their employees surfed on the web. But monitoring is reaching a new level. Managers are watching not only where employees surf, but also how long employees linger at a site and what was done while they were there. Employees are using bandwidth on social networking sites, March Madness and YouTube, and can expose their employers to liability. It's estimated that 45 percent of companies now monitor usage. For details on what is being watched and why, read this MSNBC article.

125 Make Latest US-CERT List
The US-CERT Vulnerability Summary for the Week of March 17, 2008, lists 43 High and 71 Medium weaknesses, and 11 Low-severity flaws. High severity security faults were listed for Apple OS X and OS X Server, IBM Informix, and VMWare, among others.


Subscribe to Tech Talk and BOL Tech Advisories

In the Banker Store
ORDER TODAY
CD ROM Training
Implementing the Red Flag Guidelines
FACTA: Responding to Identity Theft (Video)
Video Training
FACTA: Responding to Identity Theft
ORDER TODAY
CD ROM Training
Patch & Vulnerability Management
Archived Articles on Technology and eBanking
You have access to archived Tech Talk pages and Tech Alerts on BankersOnline's Technology & eBanking Archive page.
Plus, you'll find the latest technology and eBanking articles and guru Q&As there, too. You'll find many more related articles in our InfoVault.