April 4, 2008
Update covering March 28 - April 3, 2008


Welcome to Tech Talk! In this edition, BOL Gurus John Burnett and Andy Zavoina write about Botnet theft, data breaches, updates and more.


You'll read about:
  • an 18-year-old bank account thief
  • how Hannaford happened
  • paying for the Hannaford breach
  • TJX's latest settlement
  • the 2008 exposed-record count -- so far
  • going green with e-statements
  • more problems with Safari
  • patches to QuickTime
  • a heads up for Patch Tuesday
  • April Fools' spam
  • a look back at CAN SPAM
  • the WIPO cure for cybersquatters
  • loose HTML code that leaves site open to malware
  • the threat from buggy Flash sites
  • Firefox's newest beta release
  • US-CERT's latest vulnerabilities list
Get the details below.




Are you ready for your key role in implementing your bank's ID Theft Prevention Program? Time is getting short: examiners will be looking for progress before the November 1, 2008, compliance deadline. Get a good look at the rule from an IT perspective. Join Susan Orr for her important 2-hour webinar.

Kiwi Teen Admits Bank Account Thefts
Who are the individuals behind botnet scams? An article at vnunet.com reports on 18-year-old New Zealander Owen Thor Walker, who has admitted to running a 1.3 million PC botnet from his home. Walker was caught in November in the FBI's Operation Botroast II. His online gang is alleged to have stolen as much as £10 million ($19.8 million) from PC users' bank accounts. Read more about how he pulled off this scam and why Walker could avoid jail time for his misdeeds.

Details Released on Hannaford Breach
We first brought you the Hannaford story two weeks ago in Tech Talk (see "Supermarket Data Breach"). The details are now beginning to come out. Malware-infected servers in up to 300 stores exposed the magnetic strip card data to attackers. Hannaford sent a letter to Massachusetts Attorney General Martha Coakley and Governor Deval Patrick's Office of Consumer Affairs. Because Hannaford's systems had passed a recent PCI certification, the matter of who will be responsible for losses in this case may be very much in question. Read Networkworld for the details.

Who Will Pay for Hannaford?
The Hannaford breach will be touching many financial institutions, and costing them dearly for reissuing credit and debit cards, with uncertain chances for recovery. One estimate is that it costs $10 to $12 per card. So what is the final cost? We don't know yet but one institution expects to foot a $140,000 bill right away. The Insurance Journal has more.

TJX: Keeping Its Checkbook Open
TJX may not be done paying for its data breach yet. You read in last week's Tech Talk that TJX had a settlement pending with the FTC. As TJX tries to move on, it now has a $24 million settlement in the works with MasterCard. Issuers of 90 percent of the compromised MasterCard accounts must agree to the settlement before it can become effective. The Associated Press has more information on this story.

8.3 Million Records Leaked -- So Far
San Diego-based Identity Theft Resource Center estimates that at least 8.3 million consumer personal and financial records were exposed or otherwise "potentially compromised" in 167 data breaches that the Center has tracked so far in 2008. Compare that with 448 breaches tracked in all of 2007. About half of those records were involved in the Hannaford breach disclosed last month. Brian Krebs' Washington Post Security Fix blog has more information, including where the leaks are occurring and links to the Center's detailed reports.

Okemo Mountain Resort, a ski area in Ludlow, VT, reported this week on a Hannaford-like attack on its systems, affecting about 46,000 card numbers. According to a Computerworld article, law enforcement may be investigating a significant number of similar incidents in the Northeast.

Go Green with eStatements
The average household receives approximately 19 paper bills and statements in a month. It may not seem that one person can make a significant difference in saving the environment, but every contribution helps. For each family that switches to electronic statements in lieu of paper, 24 square feet of forest could be saved annually. Read more on Reuters about how promoting eStatements can make a difference. [We think it's a great idea, too. Check out Andy's recent webinar on e-Disclosures, ESIGN, UETA and Regulatory Changes in the Banker Store.]

Safari - A Hunt for Problems
In last week's Tech Talk we told you how some users objected to Apple's tactics to get Safari installed (see "A Rotten Apple"). This week we tell you that if you downloaded and used it, even just to play with it, you could have opened yourself to attack. Secunia, a software security firm, is warning of two vulnerabilities that could expose a user's machine to remotely executed commands and fraudulent web content. Read about it in InformationWeek.

QuickTime Gets 11 Fixes
Apple released 11 bug fixes for QuickTime in a 66MB download. As reported above and last week, these updates still install the Safari browser by default. If you don't want that software, you have to deselect Safari. Bugs fixed include a buffer overflow that an attacker could use to run other code. InfoWorld has more.

Patch Tuesday - Something for Everybody
Every month, like clockwork, Microsoft posts a "heads up" notice of its plans for the month's Security Bulletin release. The Advance Notification for next week's Patch Tuesday security bulletins alerts us to expect eight Security Bulletins, five of which will carry Microsoft's "critical" stamp. According to a Computerworld story, one of the critical bulletins will affect all of Microsoft's currently-supported operating systems, including Vista SP1 and brand-new Server 2008. There's a critical update for Internet Explorer, and changes for MS Office applications, too.

April Fools' Day Attack
If you haven't already been sucked in by the latest incarnation of the Storm attack, it's a great time to remember not to click on links in emails you weren't expecting. They may very well be part of the latest Storm-generated spam attack. With an April Fools' theme, these messages include just a link -- a link to a malicious website that tries to convince visitors to download -- you guessed it -- the Storm Trojan. For more cautionary information, read the Computerworld article.

CAN SPAM - Is it Meaty Enough?
CAN SPAM is four years old. When enacted, many predicted it would have little effect. Were they right? The FTC just entered into a large settlement with ValueClick, and spam king Robert Soloway is facing 26 years in prison. But has your spam slowed? Read the PCWorld article for more.

Heard of WIPO?
WIPO, the World Intellectual Property Organization, helps go after website cybersquatters. In 2007 they eliminated a record number of domain names that crossed the line and were too similar to trademarked names. Banks were among those complaining about the squatters. MSNBC has more.

Web Program Errors Exploited
Major websites such as Walmart.com, Target.com and USAToday.com have been victimized, along with a million other pages. It isn't a server vulnerability, but a flaw in the HTML code that is exploited. The victim can end up with malicious "antispyware" or a Trojan. How are these attacks mounted? Read more inside PCWorld.

Flash Flaw Fix Not Final
There are buggy Shockwave Flash files available that expose web surfers. Attackers could create a fake site and use this weakness for several exploits, including gaining access to an online banking session. What is the vulnerability? How and when is it expected to be fixed? PCWorld answers these questions.

750 Changes in Latest Firefox Beta Release
Mozilla released the fifth beta of its Firefox 3 browser on Wednesday. Firefox 3 Beta 5 includes 750 changes from the Beta 4 release, with emphasis on stability, website compatibility and interface improvements. Versions for Windows, Linux and Mac servers are available. You'll find more information on the CNet News.com NewsBlog.

107 Make Latest US-CERT List
The US-CERT Vulnerability Summary for the Week of March 24, 2008, lists 40 High and 65 Medium weaknesses, and 2 Low-severity flaws. High severity security faults were listed for Cisco, Computer Associates, Microsoft and Mozilla, among others.

