
Tech Alert Briefing for 1/11/2008

January 11, 2008
Update covering January 4 - 10, 2008

Welcome to Tech Talk! In this edition, BOL Gurus John Burnett and Andy Zavoina write about hidden malware, Nugache, phishing and more.




You'll read about:

  • a new stealth rootkit
  • Oracle patches due on Tuesday
  • another worm threat from Russia
  • expected post-holiday attacks
  • a Vista gadget fix
  • a texting traffic jam
  • indicted spammers
  • afterlife for cell phones
  • vengeance that reaped justice
  • hacked iPhones
  • a look back at Patch Tuesday
  • the potential for printer spam
  • a new financial info aggregator
  • Citibank's ATM limit misadventure
  • security woes at the IRS
  • US-CERT's latest vulnerabilities list

Get the details below.


Conducting the Required Identity Theft Risk Assessment
Tuesday, January 22, 2008


Your bank has to have a board-approved Identity Theft Prevention Program in place no later than November 1, 2008. Getting it implemented sooner just makes good business sense. The cornerstone of your bank's Program is a risk assessment to determine which accounts are at risk, and which "red flags" of ID theft are relevant to your institution.

Join BOL Gurus Mary Beth Guard and Jack Holzknecht as they share a blueprint for your bank's risk assessment in this important webinar.

Hi-Tech Hide and Seek
A new rootkit has been found that hides in a hard drive's boot sector. This makes it undetectable by most current antivirus programs. It can overwrite the hard drive's master boot record and later steal online banking information. It can even reinstall itself if it is detected. It has reportedly infected several thousand computers since mid-December. Read this Computerworld article for more information.

Expect Oracle Patches Tuesday
Oracle has announced plans to include 27 patches in its Critical Patch Update (CPU) on Tuesday. Oracle's last quarterly CPU included 51 bug fixes. Eight of this quarter's patches affect the Oracle Database product. Get details in this InfoWorld article.

Nugache Looms as Major Worm Threat
While the Storm botnet is still considered one of the worst and most dangerous, there is a new threat on the horizon that could pack just as big a punch: Nugache. While this worm is about two years old, the Russian Business Network recently modified it to add many of the attributes of Storm. Nugache allows a compromised machine to send unauthorized spam. It can also encrypt itself, and new versions are being created rapidly, which makes it hard to detect. Like the Storm worm, Nugache has been morphed to create peer-to-peer controls, which decentralize its management and make it difficult to isolate and destroy the botnet. PCWorld has more on this story.

Post-Holiday Phishing Trips
Phishing scammers aren't known for skipping opportunities to trick computer users into revealing logon and other confidential information. January and February are prime phishing months, as scam emails attack consumers who are receiving credit card bills reflecting the usual heavy holiday purchase activity. Bogus credit card company websites will be set up for transaction disputes and inquiries, ready to collect account number and logon details from unwary end users. Scammers have fresh sets of email addresses to target, following heavy directory harvest attacks in the last two months of 2007. SC Magazine has more details.

Jargon Watch: Directory Harvest Attacks
Directory harvest attacks are waves of spam messages sent to random email addresses. Messages sent to non-existent addresses often bounce back and are then removed from the original list. The addresses that remain are then used more efficiently in phishing attacks.

Taking Aim at Malicious Vista Gadgets
Microsoft is encouraging owners of PCs with the Vista operating system to download and install a new security tool that cripples suspicious or malicious "gadgets." These small applets are held in the Vista Windows Sidebar, and typically are single-purpose tools such as those that display the time or date or RSS feeds. They are written in HTML and script code, and can be malicious. Microsoft's new "Windows Sidebar Protection" is designed to prevent malicious gadgets from being installed, and to block those that are installed from running. Details are available in an InfoWorld article.

TXT Message Emergency
For disaster recovery, redundancy is a way of life. If your communications plan includes cell phones and text messaging, you may want to read on. On New Year's Eve, there were so many text messages sent as 2007 became 2008 that networks couldn't handle the volume. Many messages were delivered late, or not at all. Cellular carriers say they are expanding capacity, but is there enough for your needs now? Read the Associated Press story.

No More Spam I Am
You may not know the name Alan Ralsky or the names of the other ten defendants indicted with him, but there is a strong chance they know you ... or at least your email address. Ralsky and ten others have been indicted in what is possibly the largest criminal spam and electronic fraud case in history. They allegedly sent millions of spam messages every day, including many of those infamous pump-and-dump messages. You can read more on this CAN-SPAM enforcement effort and the 41-count indictment at the Detroit News, detnews.com.

Recycling is Good
Bankers carry cell phones, often the property of their banks. The Environmental Protection Agency wants to encourage a second life for those phones when they're replaced. The EPA is ready to launch a $175,000 campaign with retailers emphasizing the benefits of recycling these chunks of glass, metals and chemicals. The New York Times has this story, including the retailers now scheduled to participate.

Disgruntled SysAdmin Gets 30 Months
Yung-Hsun Lin of Montville, NJ was a systems administrator for Medco Health Solutions, Inc. He pleaded guilty to planting a logic bomb on Medco's computer system that could have taken down the medical records of many patients, along with the company's systems. The U.S. Attorney's office said they believe his sentence is the longest imposed for this type of crime. In addition to 30 months in a federal prison, he will have to make restitution and remain under supervised release. Computerworld has those details and more on the case.

The iPhone Has Come of Age! -- It's Been Hacked
The iPhone has enough market share to attract hackers, so it's not surprising to hear that an iPhone Trojan has been reported. It doesn't appear to be a huge risk yet because the Trojan targets modified iPhones that allow third-party software installations. Read more on PCWorld.

MS Patches
We reminded you last week about this week's Patch Tuesday. It was Microsoft's first systems update for 2008. One patch fixes a critical flaw that allowed criminals to create a self-copying worm. Another helps secure passwords and prevents Windows from being operated with greater than allowed privileges. PCWorld has more.

Coming to a Printer Near You: Spam
Apparently, not even your network printer is safe from a spam attack! A Computerworld article reports on a discovery that network printers can be spammed from the Web. The risk is potentially much more serious than just finding annoying ads in the printer tray, à la junk faxes. A printer could be ordered to format its on-board hard drive or to send print-job information out over the internet.

Here is My Internet Banking Password
Do you provide your customers with email alerts on account activity or just daily balance information? If you don't send alerts, there are services that will do it for customers who want the information. Mint.com is one such service that would like to bring back the concept of account aggregation that enjoyed a short run of popularity a few years ago. If your customers use such a service, they have to share their confidential passwords. Is it all that bad? Decide for yourself as you read, in this PCWorld article, who else has access to your customers' account data and sends it to them.

When banks were testing the waters by offering account aggregation services themselves several years ago, the practice was often called "screen scraping." The OCC issued a 2001 guidance document on Bank-Provided Aggregation Services (MS Word document) that identified many of the risks involved in the service. Those concerns apply to aggregation services offered by third parties, as well.

Lower ATM Limits -- Who Would Care?
So you think lowering the cash withdrawal limits at some ATMs or for some customers is no big deal? What if you make such a change, and it is heard about on blogs, then the New York Daily News, and other places? Citibank lowered limits at some ATMs to combat fraud, and conspiracy theorists came out of the woodwork, speculating that the decision somehow related to Citibank's cash reserve position. Is there a plan in place to handle repercussions and truly explain why the changes were made? File this Computerworld story under lessons learned.

GAO Report Rips IRS
The Government Accountability Office has released a scathing report on IRS data security weaknesses. The report says that the IRS has made only limited progress in addressing dozens of problems identified in March 2007. Problems ranged from excessive staff access to system commands, to unencrypted user logon information, to lax physical security. How long do you think your bank's IT management would last if these problems were found in your bank? InfoWorld has the alarming details.

67 Make Latest US-CERT List
The US-CERT Vulnerability Summary for the Week of December 31, 2007, lists 25 High and 42 Medium severity weaknesses. High severity security faults were reported in Joomla, Macrovision and WebPortal products, and others.



First published on 01/10/2008
