Tech Alert Briefing for 7/13/2007

July 13, 2007
Update covering July 6 - July 12, 2007

Welcome to Friday the 13th's Tech Talk! A power failure affected Tech Talk author Jeff Patterson today, so John Burnett and Andy Zavoina are filling in.In today's edition, they tell you about:

• new code that instantly sets up a phishing site
• an auction site where hackers can purchase software vulnerability information
• finger-pointing by Microsoft and Mozilla
• a warning about internet calendars
• how a spam filter resulted in a missed hearing and bad consequences
• a handy security self-assessment tool
• US-CERT's most recent list of security vulnerabilities
• a QuickTime update from Apple

Get the details below.

Beware of Phishing and Pharming
According to the Anti-Phishing Working Group, phishing attacks reached an all-time high last year. Designed specifically to educate and assist financial institutions, Harland Financial Solutions? Phishing Response Kit provides a detailed checklist and directives to help institutions respond in the event of a phishing scam. Download the complete kit here.


Phishing Made Easy
RSA Security analysts uncovered a single piece of PHP code that can install a phishing site on a compromised server in about two seconds. The code included all the HTML and graphics required to set up a spoofed financial institution site, making the creation of new phishing sites incredibly efficient. Get the details in CSOOnline.

Software Weaknesses Offered for Sale
The Washington Post describes a new Swiss internet start-up with plans to auction software weaknesses to the highest bidder. The operators of WabiSabiLabi.com claim that their motives are pure - to present a "legitimate alternative for security researchers who might otherwise be tempted to sell their discoveries to criminals." Security professionals are concerned that criminals may become WabiSabiLabi.com's best customers.

The Blame Game
PC World reveals a bizarre finger-pointing exercise between Microsoft and Mozilla over which company is to blame for a bug that allows users with both IE and Mozilla's Firefox installed to be attacked. As the two vendors continued exchanging barbs over the issue of blame, Mozilla promised a fix for Firefox to "prevent IE from sending Firefox malicious data."

Do You Know What's in Your Google Calendar?
SecurityFix warns users of Google's beta calendar service about unwittingly posting personal and confidential information for all to read. Syncing a personal calendar with the Google Calendar can put sensitive records under public scrutiny. Would you want the world to know you're away on vacation or on jury duty?

No More Spam, But in Trouble I am
A law firm, Franklin D. Azar & Associates PC, increased the sensitivity of its spam filters to help thwart ever-increasing unwanted email and the new techniques spammers are using to get their "messages" through. But this stopped some valid messages, like a U.S. District Court notice advising Azar of a hearing in a civil lawsuit. Azar missed the court date. The judge not only said Azar has to pay the attorney fees and expenses for the lawyers who did show up for the other side, but he criticized the firm for not white-listing email from the court so it would get through. Perhaps it's time to see what your spam filters are blocking. Read the story at PCWorld.

Security Self-Assessment Tool
CSOOnline offers a revealing Security Vulnerability Self-Assessment tool developed by the leader of the Vulnerability Assessment Team at Los Alamos National Laboratory. This online quiz identifies 28 common attributes of a flawed security system. Careful, you'll see the results at the end of the quiz. So, how do you rate?

93 Vulnerabilities Listed
The US-CERT Vulnerability Summary for the Week of July 2, 2007,lists 46 High, 43 Medium and 2 Low severity vulnerabilities. Weaknesses were announced in the AMX NetLinx VNC ActiveX Control, Apple's Safari, IBM OS-400, Microsoft IE 6.0 and 7.0, Arcade Builder, HP Instant Support, and three Intel Core 2 processors.

Apple Mends QuickTime Flaws
The latest version of Apple's QuickTime player for Mac OS X and MS Windows computers plugs at least eight security gaps in earlier versions. Given the widespread installation of QuickTime (it's nearly always installed with iTunes on PCs, and is a default installation on all Apple machines), a lot of users should be downloading the new version to avoid having their systems attacked. Read more in SecurityFix.

A Genuine iPhone Giveaway
Get details of BOL Learning Connect's iPhone Giveaway. This is the iReal deal, not one of the exploits reported in last week's Tech Talk.




P.S. from the BOL Team:Have you downloaded the free financial institution phishing attack response kit from Harland Financial Solutions yet?It's excellent!See the link above.


Subscribe to Tech Talk and BOL Tech Advisories.
CD ROM Training & Information Security Supplies
CD ROM Training
CD ROM Training
CD ROM TrainingPolicies/Job Descriptions & Video Training
Video Training:
Safeguarding Customer Information
Policy:
Information Systems Security
Policy:
Electronic Mail (Email)Archived Articles on Technology and eBankingYou have access to archived Tech Talk pages and Tech Alerts on BankersOnline's Technology & eBanking page.
Plus, you'll find the latest technology and eBanking articles and guru Q&As there, too.You'll find many more related articles in our InfoVault.