Tips for Tech

Tech Alert Briefing for 11/30/2007

November 30, 2007
Update covering November 16 - November 29, 2007

Welcome to Tech Talk! In this two-week edition, BOL Gurus John Burnett and Andy Zavoina write about cracked Windows, a huge botnet, anti-virus flaws and more.



You'll read about:

  • cracked Windows encryption
  • malware targeting online bank customers
  • penny debits in card scams
  • retailers with weak data security
  • a million infected botnet machines
  • BSA and software licenses
  • the year's "Top 20" web security threats
  • a flaw in Lotus Notes
  • threats in anti-virus programs
  • bad search engine results
  • keeping customers scam-savvy
  • forecasts of Vista weaknesses
  • Mozilla's Firefox update
  • exploits of a QuickTime flaw
  • dealing with increasing complexity
  • higher IT hiring costs
  • running out of room on the internet
  • expected improvements from XP SP3
  • increasing costs of data breaches
  • more reports of exploding cell phones
  • US-CERT's latest vulnerabilities lists

Get the details below.

Beware of Phishing and Pharming
According to the Anti-Phishing Working Group, phishing attacks reached an all-time high last year. Designed specifically to educate and assist financial institutions, Harland Financial Solutions' Phishing Response Kit provides a detailed checklist and directives to help institutions respond in the event of a phishing scam. Download the complete kit here.

Internet Gambling:
The Proposed Regulations

December 6, 2007
You'll want to attend this special one-hour webinar discussing the proposed regs for the Prohibition on Funding of Unlawful Internet Gambling if your bank --

  • receives ACH credits
  • originates ACH debits
  • sends or receives wire transfers
  • issues credit or debit cards
  • acquires card transactions from merchant customers
  • deals in cross-border transactions
  • has customers that offer internet gambling

    Join BOL Guru John Burnett to get a "heads up" on what Treasury and the Fed have proposed to implement this controversial 2006 law.
    More information.

    Windows Encryption Cracked
    Using reverse engineering, Microsoft's Windows encryption is said to have been cracked. According to a paper published by Israeli researchers, cracking this code would also open the Secure Socket Layer encryption technology. Microsoft doesn't see it as having an impact yet. The hacker would need access to the targeted PC to see the pseudo-random number generator's current state. You can read more on this threat at ComputerWorld.

    Malware Targets Online Bank Users
    An article in Computerworld (UK) covers a report from security software supplier F-Secure warning about "man in the browser" attacks. According to the F-Secure alert, malware is targeted at users of specific bank online services, and is activated only when visiting those sites. That makes detection difficult, and allows the capture and compromise of online logon and password keystrokes.

    Are You Scanning for 1¢ Debits?
    The Wikimedia Foundation is reporting a recent spate of one-cent credit and debit card contributions that suggests card thieves may be testing stolen cards for validity. Scanning card transactions for patterns of such extremely low-value charges could help detect stolen or lost cards before your customers are aware of the problem. Get more information in this Security Fix article.

    Retailers May be the Weakest Link
    3,000 retailers in the U.S. and Europe with wireless connectivity were tested for security. Half of them have vulnerable systems that could expose customers' credit card numbers, Social Security numbers and other confidential data to hackers. While 25 percent had outdated encryption, another 25 percent had none at all. Read more in the AP article.

    Bot Roast II Uncovers a Million Infected Machines
    The FBI announced this week that the second phase of its Operation Bot Roast had resulted in multiple arrests of so-called "bot herders," domestic and overseas search warrants, and an estimate that identified botnets had caused $20 million in losses and infected more than a million machines. According to the US-CERT release, the FBI is "working with industry partners to notify the infected victims." Be careful, though! US-CERT advises caution if you get a notice that your machine is part of the botnet. Get details in the US-CERT release.

    The Other BSA
    "BSA" doesn't always conjure up visions of money laundering. The other BSA that should concern IT professionals, the Business Software Alliance, is still looking for those using software without a license. MyWay has an AP story about a small company that did a poor job of enforcing its own computer policies and documenting that it purchased software used on its computers. This company's annual profit was about $67,000 and the BSA wanted all of it as compensation for the use of unlicensed software. That was the lower "settle now" cost, not the "we'll see you in court" cost. Banks have heard from the BSA too. Read the article and ask yourself how well you are managing the software on your computers.

    Top 20 Internet Threats
    SANS has released a report on the "Top 20 Internet Security Risks of 2007." According to a summary in CNet News, "spear" phishing and custom-built malware applications are on the increase and were added to the annual SANS report this year. Chinese attacks on military and civilian government organizations and military contractors, along with corporate executives, account for the lion's share of these targeted attacks, according to the SANS report. By the way, we counted. There are only 18 threats listed in the report.

    Take Notes on This Weakness
    If your shop uses IBM's Lotus Notes, you'll want to read a Computerworld article describing a "file parsing bug" in the method used by Notes to process Lotus 1-2-3 file email attachments. IBM has posted a software patch for Notes 7 users, and suggested workarounds for users of earlier releases.

    Seen our Scams Index Lately?
    Watch our BOL Scams Index this week. We update the list each week with new choices. Vote on the BOL home page to help us compile a list of the scams our readers see. Thanks for participating!

    If One Antivirus Program is Good, Two Must be Better (Not!)
    And speaking of file parsing bugs, read what Thierry Zoller says about using more than one antivirus program. Adding layers of protection could bring unintended results. Zoller, a security engineer, believes after a two-year study that every major AV program has parser bugs. They've found 80, and many have not been patched. These bugs can lead to a serious breach, especially when multiple programs are used. PCWorld has the story.

    Search Engines Subverted in Malware Attack
    Users who use popular search engines like Google and Microsoft Live Search are being duped into accessing malicious web pages loaded with malware, according to a recent Computerworld article. Cyberscammers are using sophisticated techniques to manipulate the search engines' site ranking algorithms and move their malware pages to the top of search results pages. Keeping current with security patches is the most effective way to prevent pollution from the infected sites. Note: Later reports indicate that Google quickly removed the malicious sites from its search results.

    E-Notices to Customers May Save You $$
    E-Notices providing "electronic" or "early" warnings to your customers of new scams with different faces may save your bank money in losses and help you in good will. With the holiday shopping season upon us, more people will let their mice do the shopping this year and that means there will be more susceptible internet shoppers to take the bait of scammers. has an article on this seasonal threat. Banks would be wise to take a proactive response, telling customers early about scams they're seeing. An ounce of prevention can bring a pound of profit to your bottom line.

    In a related story,, Ch. 8, has a story on "telespoofing," which allows a scammer to call your customer and force caller ID to show your bank as the caller.

    Time to Watch for Vista Weaknesses
    McAfee is warning that weaknesses in Microsoft's Vista operating system will begin to be uncovered, now that Vista is within sight of attaining a 10 percent market share. The analyst's forecast suggests that market share improvement in 2008 will put Vista on the radar screen of hackers and purveyors of malware. The McAfee predictions are reported in InfoWorld.

    Firefox Updates to Burn Bugs
    Mozilla released version of its widely-installed Firefox web browser to address a number of weaknesses, including a well-publicized flaw in the way the browser was handling Java Archive (.jar) file formats. Get more details in the InfoWorld:Security article.

    Exploits of QuickTime Weakness Available
    An unpatched Apple QuickTime flaw has left the door open to available exploits, says a Washington Post Security Fix article. Fortunately, there are some relatively simple changes that users can make to lower their exposure to the released malware.

    Four Ways to Deal with IT Complexity
    Moore's Law describes the advancing speed of technology. Moore's Flaw suggests that keeping up with these advances in technology can be too difficult and costly to manage. CIO has four principles that may help you manage the complexity of technology in today's and tomorrow's hi-tech environments.

    Important Number: 5.3 Percent
    Demand is growing for IT professionals. Average starting salaries may increase 5.3 percent in 2008, according to an annual salary survey. Some of the more demanding positions may even see 7.6 percent increases over 2007. In addition to increases in base pay, additional perks such as signing bonuses and equity incentives are being offered. PCWorld has more on this.

    Can We Run Out of Internet?
    Nemertes Research Group is an independent analysis firm which released a study on internet capacity. They say that it is possible, within two years, that the internet will reach its maximum capacity. They estimate that internet users will create 161 exabytes (that's about 185,620,000,000,000,000,000 bytes) of new data this year. Higher quality video is one of the big sources. The study indicates that backbone providers need to invest $137 billion in new capacity. Read more on this at PCWorld.

    XP-SP3 Provides a Speed Boost
    Service Pack 3 for Windows XP is due out in 2008. A beta has already been released and early tests show it can speed up Microsoft Office Suite by a significant ten percent. Windows Vista is due to receive SP1, but that doesn't show any improvement in speed at all. You can read more on this at PCWorld.

    Assigning a Cost to a Data Breach
    The cost per record to recover from data breach incidents and to try to retain customers is rising. Ponemon Institute has done a study for each of the last three years, and reports a 54 percent increase over two years. The study also found the average total cost of a breach in 2007 was $6.3 million. The PCWorld BusinessCenter has more on this story.

    Exploding Cell Phone Batteries - a Real Threat?
    In one week there were two reports of exploding cell phone batteries. In South Korea a worker may have died after his cell phone battery exploded while it was in his shirt pocket. And in New Zealand a man awoke in the middle of the night after hearing a loud bang. He had his cell phone charging while he was asleep, but found it in flames on his carpet. You can find more on this and the battery type in the PCWorld article.

    180 Make Latest US-CERT Lists
    The US-CERT Vulnerability Summary for the Week of November 12, 2007, lists 46 High, 62 Medium and 4 Low severity vulnerabilities. High severity weaknesses were reported in Apple's Mac OS X, QuickTime and Safari (Apple released a large security update on November 15), Microsoft's Windows 2000 Server SP4, and more.

    The Vulnerability Summary for the Week of November 19, 2007, lists 43 High and 24 Medium severity vulnerabilities and one Low severity weakness. High severity vulnerabilities were reported in IBM Director, Ingate products, and more.

    P.S. from the BOL Team: Don't wait until that panicked moment that occurs when you learn your institution's name is being used as the hook in a phishing scam. Be prepared. Download the free financial institution phishing attack response kit from Harland Financial Solutions.

  • First published on 11/29/2007
