Kama Sutra worm set to strike Windows machines on Feb 3rd

Windows users are being urged to make sure their systems are clean from an email worm that promises recipients images of the Kama Sutra. It is in fact designed to hide on user systems and programmed to overwrite user files (DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP files) on February 3rd. Blackworm (also called Nyxem, MyWife or Tearec) has infected more than 300,000 systems worldwide. Here are its propagation statistics.

According to the Register, if activated, Blackworm tries to disable security software. It also tries to harvest email addresses from infected PCs in a routine designed to draw up a hit list of targets for infection. Blackworm is programmed to download updates of its code onto infected PCs. Whether it will have any success is another matter, as most anti-virus vendors have already included its unique signature in their detection engines.

ChoicePoint Fined $15 Million for Losing Private Data of 163,000 Individuals

Data broker ChoicePoint was fined $15m last week over a data security breach that led to at least 800 cases of identity theft out of the entire set of 163,000 that they managed to lose to hackers in one of 2005's most spectacular cybertheft cases. ChoicePoint agreed to pay $10m in civil penalties (a record fine) and $5m to compensate consumers as part of a settlement with US consumer watchdog the Federal Trade Commission (FTC). It also agreed to maintain a revamped security program, featuring regular third-party security audits until 2026, and promised to ensure it provides consumer reports only to legitimate businesses for lawful purposes. ChoicePoint competitor Equifax has twice been similarly breached in the past couple of years, but has to date managed to escape serious repercussions.

Zero-day Exploit Embarrasses Microsoft

For four days in January, network administrators and security-savvy home users had a choice: download and install an unofficial open-source fix for the critical flaw in the Windows Meta File (WMF) format, or wait an estimated week for an official patch from Microsoft.

Microsoft was under such pressure to test and release the patch on January 10th that a work-in-progress version of the fix was accidentally leaked to security sites. The issue was so serious that Microsoft ended up publishing the code before its notoriously rigid release date, even after stating that they would make no exceptions to their patch schedule.

To be fair, with each patch cycle, the company must test its patches to work on multiple Windows OSes and in 23 languages. "The expedited track to investigate the vulnerability and develop the security update includes redirecting resources from other security development and testing efforts to primarily focus around the clock on producing and releasing the security update," wrote a representative.  

ID Theft Leads FTC List of Consumer Complaints

As it turns out, consumers don't enjoy being duped. Last week the Federal Trade Commission released its annual report detailing consumer complaints about fraud and identity theft in 2005. Complaints about identity theft topped the list, accounting for 255,000 (37%) of more than 686,000 total complaints filed with the agency in 2005.

Findings from the report include:

• Internet-related complaints accounted for 46 percent of all fraud complaints.
• The percent of Internet-related fraud complaints with ?wire transfer? as the reported payment method more than tripled between 2003 and 2005.
• The major metropolitan areas with the highest per capita rates of consumer fraud reported were Washington, DC; Tampa/St. Petersburg/Clearwater, FL; and Seattle, WA.
• Credit card fraud was the most common form of reported identity theft, followed by phone or utilities fraud, bank fraud, and employment fraud.
• The most frequently reported type of identity theft bank fraud was electronic funds transfers.
• The major metropolitan areas with the highest per capita rates of reported identity theft were Phoenix/Mesa/Scottsdale, AZ; Las Vegas/Paradise, NV; and Riverside/San Bernardino/Ontario, CA.

More Americans anticipate falling victim to a cyber attack rather than a physical crime, reports a recent IBM survey of U.S. adults. And, despite the convenience and flexibility that online transactions offer, 37 percent of Americans will not provide credit card information online.

Surveying almost 700 participants that have Internet access at work or home, IBM reveals that, in the next twelve months, more than three times the number of respondents think it is more likely they will be the victim of a cybercrime (ie, attacked through networked devices such as computers, ATMs, obile phones, PDAs, etc.) than a physical crime. Consumers are reportedly changing their own behavior to protect themselves against cyber attack:

• 85 percent destroy all documents that have personal information or they attempt to securely store the information
• 70 percent only use Internet shopping sites that display a security protection seal
• 64 percent don't conduct online transactions on a shared computer
• 50 percent don't use shared wireless networks such as in a coffee shop or airport
• 38 percent don't bank online
• 37 percent don't use credit card information online

In the last 12 months, survey respondents have taken certain actions to protect themselves against the growing cybercrime threat:

• 29% have stopped reading credit or debit card information over the phone
• 27% have stopped buying from unfamiliar retailers
• 18% have stopped paying bills online
• 16% have stopped playing online games

According to ITBusiness.ca, a Superior Court judge has dismissed a lawsuit after the plaintiff hacked into the defendant?s computer server while legal proceedings were taking place.
 
The plaintiff secretly accessed and downloaded the entire contents of the defendant?s server, including privileged communications between the defendant and his solicitors, as well as data unrelated to the lawsuit. click here to read the whole article

Australian Police Apologise For Sending Child Porn To Schools

I know, it's unfair to drag the past out into the light, but from the Bonehead archives comes this story, dating back to November 2004. Australian police apologized profusely after inadvertently sending Internet images of child pornography to 1,800 schools ... while trying to warn principals about children at risk of abuse.

The mistake came during a massive, 400-raid police crackdown on child pornography that had resulted in more than 200 arrests, including police, teachers, clergy and the owner of a child-care centre.

Two New Types of Security Audit Address Website, Small Business Threats

Small and Mid-size enterprises (SME) account for over 75% of companies and just as high a percentage of security breaches, yet the attention is always on the big names. Unfortunately many of these smaller firms suffer in silence, sometimes reporting breaches, sometimes covering them up.

As a result of very specific client requests, Informatica (yes, this company) has introduced two new securiy assessments designed to detect and address SME security vulnerabilities, preferably before they cause public embarrassment, costly lawsuits or loss of business.

• The first is FlexSecure WebVerify, delivering a complete analysis and report of the security posture of Web sites or online applications. This is a high growth areas as more than 100 new Web-related vulnerabilities are introduced each month.
  
• The second is FlexSecure SnapShot, a terrific expert review of business processes and operations that produces a comprehensive view of a company's security readiness, from the way it manages site visitors, to its employee policy enforcement. Click the above links for more information, and let your business contacts know about them (or join our Partner Program to do some good).

New Internet Explorer 7 Offers New Security and Privacy Features

Microsoft has recently made available their new Internet Explorer 7 browser for free download to users of Windows XP. It is not the final, fully tested product, but a beta release that is mostly stable and introduces a whole new set of security and privacy features. Among them, a variety of basic safeguards against phishing, information theft and spyware, including better protection settings enabled by default. For a full description of security features, click here.

Main Site | White Papers | Free Software | News & Articles | Forward to a Friend

About your humble scribe: Claudiu Popa is a certified security professional (CISSP, PMP, CISA) and president of Informatica Corporation, a Toronto-based consulting company with a strong focus on education. Over the past decade, Claudiu has focused on helping companies improve their information security. Today, he brings effective security to corporate boardrooms, helping organizations manage security, awareness and compliance programs. Claudiu can be contacted by simply replying to this message (and he promises not to respond in the third person).  He welcomes your suggestions and comments regarding this publication.

use this link to subscribe.