BANKERSONLINE.COM
April 18, 2008
Update covering April 11 - April 17, 2008


Welcome to Tech Talk! In this edition, BOL Gurus John Burnett and Andy Zavoina write about "whaling" attacks, a big update, Vista and more.


You'll read about:
  • phony subpoena emails to execs
  • major updates from Oracle
  • cybercrime as big business
  • acceptance of online banking
  • getting results from security training
  • a tool used in a huge hack
  • getting control of flash drives
  • updates to Firefox and Safari
  • an argument for Vista
  • struggling with Vista's SP1 upgrade
  • payback for keylogging
  • assessing the IT security skill set
  • US-CERT's latest vulnerabilities list
Get the details below.







Fake Subpoena Emails Speared Execs
Spearphishing -- sending personalized phishing emails to smaller, selected lists of targets -- can dupe even successful business professionals. About 2,000 "C-level" executives have fallen for a recent spearphishing attack involving phony federal court subpoenas. The emails included specific information about the recipients -- company names and telephone numbers, for example -- that camouflaged their purpose. The messages directed the executives to download court documents from a phony website, where they were informed they needed a browser plug-in to view the documents. The "plug-in," of course, was malware designed to provide remote access to the executive's computer. According to the Security Fix article, about half the targets in the scam were executives in major financial institutions.

In her CNet News NewsBlog, Elinor Mills refers to these emails as "whaling" attacks; they're aimed at the "big fish" at companies.

Oracle Critical Patch: 41 Vulnerabilities
In its quarterly Critical Patch Update, Oracle addressed 41 vulnerabilities across several of its products. Several of those security gaps could be exploited without user authentication. Oracle Database and Oracle E-Business Suite have the most fixes in the update list. For more information, see the NetworkWorld article and Oracle's April 2008 Update Advisory.

Cybercrime Rivals Drug Trafficking
Cybercrime is estimated to be a $200 billion a year business, on par with drug trafficking and money laundering. What is the most commonly advertised item for sale on underground servers? Bank account information, of course. Almost 60 percent of Americans fear their online banking passwords will be stolen. For more on how the growing fear of data theft is affecting consumer confidence in e-commerce, read this USA Today article.

Higher Satisfaction with Online Banking
A recent ForeSee Results survey found that the customer satisfaction index for online banking is rising. In fact, online banking rated an 82 out of 100 while banks overall scored only a 78. Is online banking preferred over the brick-and-mortar branch? For more on the survey results, read this Associated Press story.

Customizing Security Training for Results
You need to make data security training relevant to employees' job responsibilities to make it effective. References to "critical data security" don't mean as much to an HR employee as "confidential personnel information." That can mean that you need to know more about who in your organization handles which types of data -- and where -- before you can impress the importance of data security on them. InfoWorld has more.

How Hackers Hit 20,000 Websites in Four Months
Security experts at the SANS Institute have uncovered a nasty software tool that leverages the Google search engine to identify websites running vulnerable applications. SANS reports that the tool has been used since January to insert a script into 20,000 vulnerable web pages. That script uses JavaScript to attack visitors to the polluted pages, and downloads malware to their computers. PCWorld has more information.

Flash Stats
Flash drives can cause security headaches and IT managers seem to underestimate the magnitude of the problem. A recent survey revealed that while corporate IT managers estimate that only 35 percent of workers use personal flash drives, 77 percent of the work force admitted to it. Commonly stored information includes customer records, financial data, business plans, employee records, marketing plans and more. For more on the data and ways to monitor and control devices connected to your PCs, read the PCWBusiness Center article.

Browser Updates
Mozilla updated its Firefox web browser to version 2.0.0.14 this week. The change, which addressed a JavaScript weakness, is discussed in a Computerworld article. Safari's handling of JavaScript commands was also patched. The Safari weakness was the key to a $10,000 prize paid for a hack of a MacBook Air computer a few weeks ago. A CIO article has details on Apple's Safari update.

Are You Tempted to Skip Vista?
Forrester Research is recommending that you reconsider if you are thinking about skipping over Vista to wait for Microsoft's release of Windows 7. Forrester's report includes five reasons you should go ahead and upgrade to Vista, in most cases. To find out more about this controversial suggestion, read the NetworkWorld article.

Installing Vista SP1 Takes Patience
If you already have Vista installed, have you upgraded to SP1? Washingtonpost.com's Security Fix blog is a "must read" if you haven't undertaken that daunting task yet. Great care and a large dose of patience are required to install the service pack correctly, and you'll find plenty of help in Brian Krebs' blog entry.

Keylogging Gets Him Nine Years
Mario Simbaqueba Bonilla was sentenced to nine years in prison and was ordered to repay $347,000. Between 2004 and 2007 he and a co-conspirator planted keyloggers in hotel business-center computers and in internet lounges. They stole passwords and other data so they could access accounts. PCWBusiness Center has more details on this case.

Some Say Security Skill Set Short
Data breach and security procedures need to be in place and updated on a continual basis. A special skill set is required to manage the process, but a recent Computing Technology Industry Association survey of more than 3,500 IT managers indicates that many believe the skill set has not risen to the task. Read Industry Week for more.

67 Make Latest US-CERT List
The US-CERT Vulnerability Summary for the Week of April 7, 2008, lists 37 High and 30 Medium weaknesses. High severity security faults were listed for Lotus Notes, and multiple Adobe, Symantec (Norton) and Microsoft products, among others.

