Tech Talk from BankersOnline.com

May 2, 2008
Update covering April 25 - May 1, 2008

Welcome to Tech Talk! In this edition, BOL Gurus John Burnett and Andy Zavoina write about timed attacks, monitoring users, Lending Tree and more.

Andy

John

You'll read about:

hacks timed for increased vulnerability
what motivates your security vendors
lenders sued for a data breach
the easiest targets for data theft
risks of remote laptop use
the importance of surfing vigilance
another wrinkle on XP's future
a delay in the release of XP SP3
a dangerous QuickTime bug
vulnerable ISP error pages
jail time for copyright violations
browser popularity at a cost
malware "copyright" enforcement
US-CERT's latest vulnerabilities list

Get the details below.

ID Theft Red Flags and IT -- Getting with the Program

WEDNESDAY
MAY 7

Are you ready for your key role in implementing your bank's ID Theft Prevention Program? Time is getting short: examiners will be looking for progress before the November 1, 2008, compliance deadline. Get a good look at the rule from an IT perspective. Join Susan Orr for this important 2-hour webinar.

Change Your Game with AT&T
Change critical apps at the office to power tools at your fingertips. Change your game. With mobility solutions from AT&T.

For more information please visit att.com/business.

Hackers Know Your Hours
We have long known that many website and phishing attacks happen on weekends, when a bank's response to mitigate the problem might be delayed. The Bank of Israel took down its website after it was hacked in an attack timed to coincide with Passover. Bankers should ensure their response plans include weekends, holidays and times when executives may be away. NDTV.com has this story.

Do Vendors Protect You, or Sell to You?
Speaking at Interop in Las Vegas, Joshua Corman, the principal security strategist for IBM Internet Security Systems, said that IT security vendors are there to sell. Yes, they want you to be protected, but are you getting the full picture, or what they want you to hear? What are the tricks of the trade? "Unsafe at any speed: Seven dirty secrets of the security industry" was the title of his presentation. You can read more at SC Magazine.

Lenders Sued Over Breach
We reported in Tech Talk previously that Lending Tree suffered a data breach facilitated primarily by former executives who allegedly divulged restricted logon information. Lending Tree is now suing the five home loan lenders who accessed confidential data as well as the two executives. The washingtonpost.com has the story.

Are you meeting application service levels?
Register now for Managing Application Service Levels in Retail Banking, a free Webinar with DataSynapse and international banking expert John Hasson. John will provide an overview of DASM and show you how it will help retail banking IT teams deliver application service level commitments. Register here.

Mom-and-Pops Are Data Breach Targets
Trustwave, a Chicago-based Payment Card Industry Data Security Standard assessor, reviewed 350 data breaches in which payment card information was compromised during 2006 and 2007. The study reveals that 70 percent of breaches happen in brick-and-mortar stores, more than 50 percent involve the food industry and 92 percent are lower volume merchants. So online merchants are not a higher risk. For more stats and common mistakes, read the article at SearchSecurity.com.

When Laptops Leave the Corporate Nest
Do you really know how your company's laptops are used outside your walls? ScanSafe has found that employees who leave their offices and surf on a company machine are more likely to fileshare, visit pornographic sites and view extremely graphic content. Why should you be concerned? For starters, illegal music files or unsavory images on your machines could create liability for your company and malware picked up outside your firewalls can spread when those laptops are reconnected. How much more likely is it that roaming workers will visit risky sites? Read the story at ConnectIT.

Where Do Your Employees Surf?
Attempting to download child pornography is a federal offense punishable by up to ten years in prison. Well before defendants see a courtroom, however, their systems can be confiscated and reviewed by computer forensics specialists. Consider how loss of your company's systems would affect you if members of your staff were targeted by such an investigation. That makes internet use agreements that much more important, and you should demonstrate that employee web use will be monitored. But there is more to worry about: Simply attempting to pre-cache web pages that are linked on a viewed page may be enough to bring the FBI to your door. PCWorld has this story.

Editor's Note: BOL offers free tools addressing internet use and risk management issues on the BOL Banker Tools page.

Jargon Watch: Pre-caching
Pre-caching is a technique available in some web-browser add-ons that downloads the contents of links on a page currently being viewed, to make web-surfing more time-efficient. Because pre-caching occurs in the background, the user is not aware of the content that is being accessed.

XP - On Again, Off Again, On Again
We've covered the Windows XP news several times in Tech Talk. It is supposed to no longer be available by the end of June, 2008, with minor exceptions for machines like low-powered laptops on which Vista won't operate. But Dell plans to utilize its full contractual rights and invoke a "downgrade" clause so that XP may still be installed on machines they sell after June. Read the story at PCW Business Center.

XP SP3 Postponed
If you were expecting to see Windows XP SP3 Wednesday morning, you were disappointed. At the last minute, Microsoft announced it was postponing its release of SP3 to Microsoft Update and the MS Download Center to add a filter. Get the details in Brian Krebs' Security Fix.

GNUs: QuickTime Bug
GNUCitizen's blog is reporting an Apple QuickTime bug that allows PC operating systems such as Vista SP1 and XP SP2 to be completely compromised if a malicious file is played. The blog entry is actually a video clip demonstration (not in QuickTime) by Petko D. Petkrov, who brings the bug to light. While there aren't currently known exploits, that could change now that the problem is being discussed openly. Networkworld has the details.

ISP Error Pages Can Be Hazardous
Some ISPs, including major providers, redirect users who have entered invalid URLs to a page filled with advertisements and potential security flaws. Brian Krebs is expanding on this continuing story with new information about ISPs that use this risky technique. Read the story in the Security Fix.

"Warez" Operator Gets 30 Months
David Fish of Woodbury CT operated a "warez" site that illegally made available thousands of copyright-protected movies, music and software titles. Fish was sentenced to 30 months in prison, three years of probation and forfeiture of computer and other equipment used in the copyright offenses. You can read more at PCW Business Center.

Jargon Watch: Warez
(Pronounced "wares") Slang term derived from "software" used to describe pirated software distributed over the internet. Warez sites often provide tips and tools for breaking into networks and systems, or to cheat at online games.

Risk Rises with Popularity
Firefox and Safari are gaining web-browser market share. While they were still bit players, these browsers were safer, but that was because they weren't focused on by hackers. As their popularity increases, they are becoming bigger targets for hackers and malware. In his current "Bugs and Fixes" column, Stuart J. Johnston reveals the new holes in Firefox, Safari and Office. PCWorld has the story.

Pay Me or Else
Is there truly "no honor among thieves"? Perhaps that's the case. Professional virus writers are creating their own "copyright" rules to protect their malicious software from being resold or shared without compensation to the authors. Read about their novel plan for enforcing these agreements -- and their apparent lack of success -- at MSNBC.

51 Make Latest US-CERT List
The US-CERT Vulnerability Summary for the Week of April 21, 2008, lists 24 High and 26 Medium weaknesses, and one Low security gap. High severity security faults were listed for Adobe Photoshop, Borland Interbase, ICQ and Joomla, among others.

Subscribe to Tech Talk and BOL Tech Advisories

In the Banker Store

CD ROM Training
Implementing the Red Flag Guidelines

FACTA: Responding to Identity Theft (Video)

Video Training
FACTA: Responding to Identity Theft

CD ROM Training
e-Disclosures, ESIGN, UETA and Regulatory Changes

Archived Articles on Technology and eBanking

You have access to archived Tech Talk pages and Tech Alerts on BankersOnline's Technology & eBanking Archive page.
Plus, you'll find the latest technology and eBanking articles and guru Q&As there, too. You'll find many more related articles in our InfoVault.