
Tech Alert Briefing for 3/14/2008

March 14, 2008
Update covering March 7 - 13, 2008

Welcome to Tech Talk! In this edition, BOL Gurus John Burnett and Andy Zavoina write about security site woes, mobile spam, browser betas and more.


Andy


John


You'll read about:

  • a Chinese hack using Trend Micro's site
  • weak wireless network settings
  • BlackBerry tests that expose systems
  • a cellphone spam alert
  • Cisco's new update schedule
  • critical MS Office patches
  • risky reliance on spreadsheets
  • hacking by Firewire
  • problems with the IE8 beta
  • an upgrade to the Firefox 3 beta
  • a pricey penalty for piracy
  • problems with CAPTCHA security
  • hacked access cards
  • exposed FTP sessions
  • US-CERT's latest vulnerabilities list

Get the details below.
Trend Micro's Site Polluted Users
Officials at security vendor Trend Micro took down much of its website Tuesday night after they discovered malicious code hacked into its pages that redirects users' browsers to an invisible attack hosted on servers in China. Researchers at McAfee estimated that as many as 20,000 pages on the Trend Micro site had been compromised. Affected users' systems were infected with password-stealing malware. According to the CIO article, Trend Micro's site has been cleaned up and restored.

Wireless LANs Cracked by New Tool
FreeRADIUS-WIPE is a tool hackers use to exploit the inherent weaknesses in many wireless Local Area Networks. The problem is poor wireless client design. Windows XP SP2 and Vista allow you to set the proper controls to avoid this vulnerability. For the details on the security gaps, how to mitigate them and screen shots of the correct settings, read ZDNet.

BlackBerry Server Weaknesses
NTA Monitor has found, when conducting penetration testing, that many customers run BlackBerry servers with Microsoft Exchange and open unencrypted ports. This can bypass some firewall protections and open systems to attack. For more on this story and how to mitigate the risk, read PCWorld.

Mobile Spam's Costly Threat
Old timers like Andy and John remember when fax machines used expensive thermal paper and junk faxes were not only an annoyance, but also really costly. Spam in our email is an annoyance but can often be filtered out or easily trashed. The biggest cost is time. However, as spammers start using text messaging, we are talking real money again. If you pay for text messaging, the costs of spam can climb rapidly. Did you know that every day in the U.S. more than 1 billion text messages are sent? Read the washingtonpost.com for more on the topic, including some ways your cell address is obtained, and where to report this illegal activity.

Scheduled Fixes from Cisco
Microsoft sends patches on the second Tuesday of each month. Oracle sends quarterly updates. Cisco has announced that it will send security patches in March and September. For more on this schedule, and which product lines will vary from the plan, read PCWBusiness Center.

Critical Office Updates Available
Patch Tuesday yielded critical bug fixes for Microsoft Office. One fix was for a recently exploited Excel problem. In all, Excel, Outlook, Office 2000, and Office's Web components were affected. Read the patch details on PCWorld.

Malicious Excel documents have been making the rounds and exploiting a vulnerability in Excel 2003 Service Pack 2, Excel Viewer 2003, Excel 2002, Excel 2000, and Excel 2004 for Mac. The Trojan and the problem are detailed in this PCWorld article.

Overuse of Excel?
Another article warns that Excel is being stretched for use in ways for which it was not intended. Are you misusing Excel in similar ways and potentially exposing your systems? Read the PCW Business Center article to know for sure.

Firewire as a Hacking Tool
In 2006, researcher Adam Boileau demonstrated a tool that could use a Linux system physically connected via a Firewire port to hack into a Windows system. Boileau didn't reveal much on the specifics, but after two years the threat is still real and is considered a feature, not a bug. Access can be gained in seconds. Boileau believes users need to know about this weakness, but most don't. The published tool is called Winlockpwn and you can read more about it at Networkworld.

Windows Update Excludes IE8
If you happen to be testing Microsoft's Internet Explorer 8 Beta web browser to access Windows Update you may get an error message telling you that you need IE5 or later. Windows Update doesn't support IE8 yet. If you want the workaround or more on this story, read PCWorld.

Firefox Beta Gets Major Upgrade
Mozilla released the 4th beta version of its Firefox 3 browser, saying that the newest release includes 900 bug fixes and tweaks. The newest update includes enhanced malware protection, and integration with Windows Vista's parental controls. If you're interested in testing the Firefox beta, check out the Networkworld article.

Software Pirates Pay Price
Two brothers were pirating software and selling it online. They were arrested and pleaded guilty to copyright infringement. Now, one has to make restitution of nearly $856,000 with 36 months in jail and the other has a $151,000 fine and 30 months to serve. Read the InfoWorld story for more on the crime, the punishment and the other perpetrators.

CAPTCHA Gotcha
Google's Gmail had a pretty good system to weed out spammers who would abuse the popular email site. It used CAPTCHA to thwart automated sign-ups for free accounts. But in February, spamming from Gmail addresses doubled to 2.6 percent of total spam volume. Some predict that CAPTCHA is losing its effectiveness. Spammers are creating software to solve the codes and even employ people to crack this security feature. Google's security appeared to be successful 80 percent of the time. But now with thousands of attempts, the 20 percent that are breaking through are becoming significant. Yahoo's systems also have problems. Read more at Computerworld.

Jargon Watch -- CAPTCHA -- Completely Automated Public Turing Test to Tell Computers and Humans Apart -- This term was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas Hopper and John Langford of Carnegie Mellon University. A user signing up for some type of service over the web would see a graphic of distorted text and have to type that text into a box to be approved. A human could read the distorted text, a computer could not. "Turing," by the way, is a reference to Alan Mathison Turing, an English mathematician (1912 - 1954) involved in the breaking of Germany's Enigma codes during World War II. For more, see the CAPTCHA site.

One Billion Access Cards at Risk
There are approximately one billion Mifare Classic RFID chips in access cards used around the world. German researchers Karsten Nohl and Henryk Plötz first hacked this card technology last December. They promise a demonstration by June, but want discussions first, so that users have a chance to improve access security. For the details on this vulnerability read PCWorld.

In a more detailed story, additional credit is given to a third person -- "Starbug" -- and the comments indicate the encryption can be broken in minutes. Networkworld has more.

IE FTP Bug
Microsoft's Internet Explorer 6 and 5 have an FTP flaw that allows an attacker to hijack a user's FTP session. Fortunately, circumstances have to be exactly right for an attack to succeed. Get the details in this Networkworld article.

87 Make Latest US-CERT List
The US-CERT Vulnerability Summary for the Week of March 3, 2008, lists 25 High and 57 Medium weaknesses, and 5 Low-severity flaws. High severity security faults were listed for Vocera wireless handsets, Google Android SDK, MS Access, MS Jet, Red Hat Enterprise Linux and various versions of Sun's Java Runtime Environment, among others.



First published on 03/13/2008
