Patch/Configuration Management, Vulnerability Management

News briefs

*The personal information of nearly 200,000 current and former employees of Hewlett-Packard (HP) was compromised after a laptop computer in the possession of a Fidelity Investments employee was stolen.

Fidelity is administering a retirement program for HP employees. It sent a letter of notification to all individuals affected by the breach.

Fidelity did not reveal where in the U.S. the incident took place because an investigation into the matter is being conducted by local authorities.

*Microsoft struggled with whether or not to release an early patch for a flaw in Internet Explorer that exposed PC users to the possibility of malicious code taking control of their computers.

Determina and eEye Digital Security both released third-party patches for the flaw in late March, while Microsoft officials confirmed they had the fix scheduled for its April Patch Tuesday release.

The flaw left websites exposed to malicious sites exploiting the flaw, executing code and taking over the PC as a bot for a distributed denial of service attack.

*Popular social website was the target of a hybrid phishing attack where fraudsters tried to steal the personal information from financial websites.

Scammers were posting malicious links on the network that would send users to similar websites. The MySpace member was then prompted to re-enter login account information, which was captured by the fraudsters.

The malware authors would combine some other malware, such as a trojan or keylogger, to determine where else on the internet the user might enlist that same login information.

*Microsoft announced that its next generation Windows Vista platform, which company Chairman Bill Gates had announced would feature numerous security enhancements, would be delayed until 2007.

The company said that it is still on target to offer business versions of Vista through volume licensing this November. However, smaller businesses will have to wait with customers until Vista hits retail and OEM channels in January of next year.

Microsoft said that the delay came as a result of the company's need for more time to improve quality assurance.

*A new version of the infamous Bagle worm was discovered by Helsinki-based F-Secure.

The company warned PC users that this version of the worm is unique because the malicious website promoted by the virus changed every four minutes.

The firm called the worm W32/Bagle.GI, adding that the virus's contents, which encourage PC users to visit the malicious website, keep changing.


What is it?

RFID stands for Radio Frequency Identification, a technology increasingly used for tracking retail goods, passports and even pets. A tiny chip and radio transmitter is embedded into an item, and when activated remotely by an RFID reader, transmits a stored code back to the reader over radio waves.

Recently, researchers have demonstrated how a virus might be implanted into an RFID tag which could spread to the RFID reader and even back to other RFID tags.

How does it work?

Each RFID tag contains a tiny amount of memory used to store a unique code to be transmitted back to the reader. The premise of a recent research paper on the topic is that a system that utilizes the tag memory to store variables describing the tagged item might be compromised if those variables were changed to include hostile code.

Should I be worried?

Generally, RFID tags only store a number used as an index into a database. A properly designed system would hold descriptive variables and extra data in the server side database, and not in the RFID tag itself.

How can I prevent it?

As with all client/server applications, input from the client (the RFID tag) should never be implicitly trusted, and proper sanity checks should be done with all user-supplied data.

Joe Stewart, Senior Security Researcher, LURHQ

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.