Updates

A compilation of the latest information about viruses and worms, security issues and patches to rectify the same

High Data breach reported in 2007

Thanks to legislation requiring the disclosure of breaches, companies and government agencies accepted this year that information from a record number of accounts was lost.

There is no exact number of the records lost in 2007, but two agencies have tracked the size of breaches reported in the media. According to Attrition.org, in excess of 163 million records were reported lost or stolen by third parties in 2007 in the US. The Identity Theft Resource Center put the size of reported privacy losses at more than 127 million records for the year. Credit-card information, usernames and passwords, e-mail addresses, and full identity information, such as social-security number, name, address, and date of birth were part of the data loss specifications.

Despite efforts by governmental agencies, consumer advocates and law enforcement agencies, identity theft continues to increase. Identity thieves keep finding ways to steal who are becoming more sophisticated and skilled at their craft.

Among the major reported losses, retail giant TJX Companies, announced in January that online thieves had stolen in a compromise of its systems that lasted nearly 18 months.

The size of the breach reached according Visa and Mastercard executive’s testimony. In another major loss, the UK’s tax agency, HM Revenue & Customs, lost sensitive identity information of more than 25 million children and their families in November when two disks containing the data were lost in the mail.

Large breaches that garnered nationwide media attention in US, made up a large share of the data reported lost in 2007. On the other hand, the average number of records lost per breach topped 600,000 and the typical breach calculated as the median of the data involved about 6,000 records. In 2006, nearly 50 million records were reported lost or stolen. In many cases, breaches reported in 2007 involved losses or theft from previous years.

Fake codec attack continues

Trojan horse programs, which look like video decoders, or codecs, have become a rather popular way to attempt to infect the computers of innocent Web surfers.

Research by antispyware firm Sunbelt Software found that a number of sites hosted by blog service provider Blogger, a subsidiary of Google, contained fake video files that, if clicked on by a visitor, would prompt the victim to download and install a video helper application. In reality, the application is a Trojan horse program designed to infect the victim’s PC.

This is not in the league of the massive Google poisoning that had taken place recently. That was an epic attack, using exploits and all kinds of nasty tricks. This is something to be aware of, and hopefully Google will take the concerned blogs down quickly.

Some basic searches uncovered more than 30 blogs that hosted these files. These days, video players have become a major means for attacks against computer users. In October, the first significant Trojan horse aimed at users of the Mac OS X operating system masqueraded as a plug-in for playing video files. Security researchers have worried about the rise in the use of video files as a means of attack for over a year now.

Recently, Sunbelt Software found that fraudsters had attempted to poison Google’s search rankings and put a large number of sites hosting fake codecs high up in searches for common words. Google regularly combs its search results for malicious sites.

Microsoft offers peek into “juicy” flaw details

Recently, Microsoft launched a blog, which promises to keep its customers abreast of the spicy spill-over technical stuff found by the company’s vulnerability researchers.

The blog, titled “Security Vulnerability Research and Defense,” at blogs.technet.com/swi/default.aspx will host a variety of technical elements such as complicated workarounds, debugging techniques and information on vulnerability triage that do not regularly make it into Microsoft’s security bulletins. The software giant posted two analyses of vulnerabilities patched last month.

The blog says that it will include interesting facts about vulnerabilities that Microsoft is fixing that will help customers learn more about Windows, the security infrastructure, or the way Microsoft conduct security investigations. Further, they are going to share as much of that information as possible there because that will help customers understand vulnerabilities, workarounds, and mitigations will help you more effectively secure an organization.

The blog is the latest change in the way that Microsoft informs its users about security flaws and patches. In May, the company modified the layout of its bulletins and started giving more information about upcoming advisories through its Advanced Notification Service. Microsoft has found that the number of high severity vulnerabilities slightly decreased in the first six months of 2007.

Earlier this month, Microsoft published its final regularly scheduled patches for the year, bringing the total number of bulletins published by the company to 69 in 2007.