
Tech Alert Briefing for 12/7/2007

December 7, 2007
Update covering November 30 - December 6, 2007

Welcome to Tech Talk! In this edition, BOL Gurus John Burnett and Andy Zavoina write about IT pros who ignore security policies, and more.


Andy


John


You'll read about:

  • ignored security policies
  • a heads up on Patch Tuesday
  • the TJX settlement
  • two Firefox updates in a week
  • McAfee's international cybercrime report
  • techniques to block client-side attacks
  • malware and virus protection test failures
  • a big fine for a spam scam
  • last week's bogus battery scare
  • Google's "Help Wanted" sign
  • plans for better protection tests
  • a tool for finding lost portable devices
  • promises of a different spam defense
  • US-CERT's latest vulnerabilities lists

Get the details below.

Are Your IT Pros Ignoring Policies?
Ponemon Institute LLC, an independent research firm focused on data security, recently surveyed 890 IT professionals. The results strongly suggest that IT personnel are not reading their organizations' information security policies, don't understand them, or are simply ignoring them. Forty-six percent of respondents said they routinely share passwords with coworkers, and more than half have copied confidential information to USB memory sticks despite policy prohibitions. Both practices undercut the controls a bank relies on: a shared password destroys individual accountability in access logs, and data on an unencrypted USB stick is outside every network-level safeguard. Read the rest of the Computerworld article for the other discouraging findings, then consider how things are going in your own shop.

Yes, It's Time for Patch Tuesday Again
Microsoft has sent out its Security Bulletin Advance Notification for December 2007, announcing that it intends to release seven security bulletins in next week's monthly "Patch Tuesday" update. Three of the bulletins are rated "Critical" and the remaining four "Important." The patches affect several Microsoft operating systems from Windows 2000 through Vista, along with multiple operating system components. Review the Advance Notification for details, test the updates against your critical applications, and be ready to install any needed patches promptly.

TJX $40.9M Settlement Pending
TJX Companies Inc said it would pay up to $40.9 million to affected Visa card issuers who suffered losses inthe highly publicized information breach case currently pending in the U.S. District Court in Boston. ComputerWorld has more on this story, including how the proposed settlement could cause Visa to rescind a part of the fine they imposed on TJX's acquiring bank (the bank that processed card transactions for them), and how class action status was denied to banks. This offer could save TJX tens of millions of dollars.

Firefox Updated -- Again
Mozilla has released Firefox 2.0.0.11 to fix a regression introduced in version 2.0.0.10, which shipped only days earlier. The problem involves "canvas elements," which let web site designers dynamically render bitmap images within HTML. That makes two updates to the popular web browser in one week. Users should update to version 2.0.0.11. Read the Computerworld article for details.

Cybercrime Report
McAfee has produced its third annual cybercrime report. The report isn't based solely on McAfee's own experience; it draws on input from computer security experts at NATO, the FBI, the U.K.'s Serious Organised Crime Agency (SOCA), the London School of Economics, and the International Institute for Counter-Terrorism. CNet's Robert Vamosi spoke with Dave Marcus, security research and communications manager for McAfee Avert Labs, about the report. The CNet article is here, and the McAfee report is linked here.

Preventing Client-Side VoIP Attacks
One of the 18 critical vulnerability areas listed in the recent SANS Institute report (see last week's Tech Talk) is client-side attacks, including attacks launched from compromised VoIP devices. Computerworld has just published an article suggesting techniques for reducing the risk of client-side attacks originating from phones, printers, robotics and other networked devices that are often overlooked when patching and network segmentation are planned.

Big Boys Bomb Test
Virus Bulletin, a leading specialist publication in the field of viruses and related malware, put some of the big names in anti-virus protection through real-world tests against commonly circulating malware. The results were alarming: 17 of the 32 products tested failed. PCWorld has the story.

$pammer Pay$
One online advertiser, Adteractive Inc., used a process known as "promotion-based lead generation," in which users were told they would receive cash or gifts for testing products. In this case, PlayStations, laptops and cash were offered to "secret shoppers." In fact, the user had to navigate several screens and many offers, then subscribe to a one-year satellite TV deal or sign up for CD/DVD deliveries, before any reward was possible. PCWorld has more on this story and the resulting fine.

Holiday Scams?
Phony coupons? Malicious eCards? Counterfeit Amex gift checks? Vote on the BOL home page to help us compile a list of the scams our readers see. Thanks for participating!

Culprit Was Coworker, Not Battery
In last week's Tech Talk we referred to an article on exploding cell phones and mentioned a possible death in Korea from a cell phone in a shirt pocket. The Associated Press has learned that a coworker confessed to accidentally hitting the victim with a drilling vehicle and fabricating the cell phone story as a cover.

Identifying the Bad Sites: Help Wanted
Google has identified hundreds of thousands of malicious web sites. When a user selects one of these flagged sites from search results, Google displays a warning that the site may cause harm. Google knows there are many more bad sites than it has flagged so far and is asking users to report additional malicious sites. Keeping the list current reduces Google's reputational risk by not sending its users to sites that do harm. CNet has more on this story.

Comparing Apples to Apples to Better Find Worms
Have you heard of the Anti-Malware Testing Working Group? It was recently formed and promises to standardize the tests and ratings applied to anti-virus software. Behavioral tests, which are more time-consuming and expensive than signature-based tests, will be used, giving results that better reflect real-world conditions. The result should be better-informed choices when you select protection software. Read more at NetworkWorld.

Finding that Lost Phone Remotely
Hewlett-Packard is introducing its Enterprise Mobility Suite. The product will assist businesses with mobile phone setup, configuration, diagnostics and security management. Lost laptops, cell phones, PDAs and other devices can be tracked and disabled remotely. That could be a significant security step when corporate secrets are at risk on a device that has left the building. The PC World Business Center has more on this.

Better Spam Filtering Promised
Steven T. Kirsch invented the optical mouse and founded the Infoseek search engine. Now his new company, Abaca, claims it can remove 99 percent of the spam you receive, and it backs that up with a guarantee. Abaca attributes its success rate to a new approach: rather than focusing on the sender of a message, it looks at you, the recipient. You can read more on this product in the New York Times.

78 Make Latest US-CERT Lists
The US-CERT Vulnerability Summary for the Week of November 26, 2007, lists 38 High, 37 Medium and 3 Low severity vulnerabilities. High severity weaknesses were reported in QuickTime, BitDefender Online Anti-Virus Scanner, Mozilla Firefox, and more.


First published on 12/06/2007
