INTERESTING SECURITY RELATED TOPICS
FROM SANS Newsbite
--Microsoft Releases Update for SP2 Firewall Flaw
(17/16 December 2004)
Microsoft has released a Windows XP SP2 update that fixes a firewall
configuration flaw. Users with file and printer sharing turned on could be
sharing their files and printers with the entire Internet instead of just the
local network because of a problem with how broadly local network was defined.
The update narrows the definition. Even so, users are being advised to place an
additional firewall in front of the network.
http://www.computerworld.com/printthis/2004/0,4814,98347,00.html
http://www.eweek.com/print_article2/0,2533,a=141102,00.asp
http://www.theregister.co.uk/2004/12/17/windows_bug_roundup/print.html
[Editor's Note (Paller): This vulnerability and patch was a stealth announcement
from Microsoft. It was not included with the monthly patch announcement (even
though it was ready the day before that announcement); it was not posted at the
standard location. And on top of that, it is one of the worst vulnerabilities
we've seen because it made dial-up users' files available for reading by huge
numbers of people. No hacking necessary - any curious person could read your
files.
It's equivalent to the Post Office putting your private mail in the public
library and pointing people to it if they are curious.]
--Judge Awards Iowa ISP Damages in Spam Cases (20 December 2004)
A judge in Iowa has awarded a small ISP more than US$1 billion in damages in a default
judgment against three alleged spammers. The enormous sum was determined under
an Iowa law that levies a $10 fine for each spam email sent. It is unlikely the
plaintiff will recover any of the awarded damages.
http://www.theregister.co.uk/2004/12/20/isp_wins_1bn_damages_from_spammers/print.html
--Phishing Attacks Increase in November (16 December 2004)
A newly released report from the Anti-Phishing Working Group says that phishing
attacks were up 29% in November, nearly a third higher than the figure for
October. EarthLink and MSN were both highly targeted in November. The US
accounted for 27% of phishing sites; China accounted for 21%.
http://asia.cnet.com/news/security/printfriendly.htm?AT=39209629-39037064t-39000005c
--FDIC Report Offers Suggestions for Protecting Customers from Identity Theft
(14 December 2004)
The Federal Deposit Insurance Corporation is accepting comments on its recently
published report "Putting an End to Account-Hijacking Identity Theft." To help
combat the growing incidence of identity theft through phishing and other cyber
crimes, the FDIC recommends that financial institutions upgrade from password
authentication to two-factor authentication, use scanning software to detect and
guard against phishing attacks, strengthen education for their customers to help
them be savvy consumers, and share information with other financial
institutions, the government and technology providers.
Comments on the report will be accepted through February 11, 2005.
http://www.fdic.gov/consumers/consumer/idtheftstudy/index.html
http://www.fdic.gov/consumers/consumer/idtheftstudy/identity_theft.pdf
--Google Fixes Desktop Search Utility Vulnerability (20/15 December 2004)
Google has fixed a recently discovered vulnerability in its desktop search
utility. Attackers could embed a Java applet on a web page that would trick
users' computers into revealing their desktop searches to the attacker. Some in
the security field are concerned that the emergence of desktop search tools
could be exploited by cyber criminals to steal email addresses and other
personal data.
http://www.eweek.com/print_article2/0,2533,a=141305,00.asp
http://www.internetnews.com/security/print.php/3450251
http://news.com.com/2102-1002_3-5497885.html?tag=st.util.print
http://asia.cnet.com/news/security/printfriendly.htm?AT=39209364-39037064t-39000005c
--Zafi.D Worm Spreading (17 December 2004)
The Zafi.D worm spreads in the guise of a Christmas greeting and sends itself
out to email addresses found on infected machines. Zafi is capable of
terminating applications with the words "firewall" or "virus"
in them and reportedly disables certain Windows tools.
http://www.pcadvisor.co.uk/index.cfm?go=news.view&news=4397
http://www.datafuse.net/page.php?news=398
http://www.contractoruk.com/news/001871.html
http://www.eweek.com/print_article2/0,2533,a=141027,00.asp
--Diebold Will Pay US$2.6 Million to California for Fraudulent Security
Claims (17 December 2004)
Diebold has reached a settlement with the State of California and Alameda
County, both of which had sued the voting machine manufacturer for fraudulent
claims about the security of its products. The State of California will receive
US$2.6 million and the county US$100,000; the court that approved the settlement
has ordered that US$500,000 of the money be spent on a voter education and poll
worker training program.
http://www.internetnews.com/bus-news/print.php/3449691
[Editor's Note (Schultz): It's good to see this controversial voting machine
manufacturer taken to task. It is very possible that this settlement will pave
the way for legal actions against Diebold by others, something that may in the
long run be beneficial to the integrity of electronic voting.]
--Healthcare Security Workgroup to Release HIPAA Compliance Guidelines
(13 December 2004)
The Healthcare Security Workgroup says it will release guidelines to help health
care organizations comply with the data security requirements established by the
Health Insurance Portability and Accountability Act (HIPAA). The security
provisions of the Act take effect in April 2005.
http://www.computerworld.com/printthis/2004/0,4814,98232,00.html
http://www.urac.org/committees_sworkgroup.asp