Security Bytes: VA slapped over credit monitoring

By SearchSecurity.com Staff 27 Jun 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

VA slapped over credit monitoring
The U.S. Department of Veteran's Affairs (VA) has been offering and publicizing free credit monitoring services in response to the data breach affecting 26.5 million veterans and about 2.2 million active duty personnel. But a federal judge has ordered them to stop publicizing it.

The VA has said it will offer a year of free credit counseling to veterans who are now at heightened risk for identity fraud due to the breach, in which computer hardware containing the personal data was stolen from the home of a VA employee during a burglary. According to published reports, lawyers for the veterans claim the VA proposal is "misleading and incomplete" because it doesn't adequately inform those who accept the offer whether they are giving up the right to seek other remedies.

The matter will be discussed at a hearing Friday before Judge William Bertelsman of the U.S. District Court for the Eastern District of Kentucky.

Symantec readies anti-data fraud tool
Cupertino, Calif.-based antivirus giant Symantec Corp. has announced that in September it will release a beta version of a security software product that bolsters a computer's defenses against thieves who target ecommerce and banking sites.

Norton Confidential is designed to detect when a Web site or malicious program is trying to steal a username or password using phishing techniques, Symantec said. The Anti-Phishing Working Group, a consortium of companies and researchers, recorded a record 20,109 unique phishing attacks last month.

The product rollout comes as a growing number of organizations are suffering data breaches that put millions of people at risk for identity fraud.

Norton Confidential will scan Web sites visited by a client machine for fraudulent or suspicious activity. The software will compare a Web site against lists of fraudulent ones. The product will also generate warnings for pages that function like known fraudulent sites.

Security hole surfaces in Trend Micro Control Manager
Attackers could launch malicious code using a flaw in Trend Micro Control Manager, the French Security Incident Response Team (FrSIRT) warned in an advisory Tuesday.

The flaw is due to an input validation error in the logging feature that does not validate user-supplied parameters like usernames before being stored in the log file and displayed via the administrative interface, FrSIRT said. This could be exploited by attackers to cause arbitrary scripting code to be executed by the administrator's browser in the security context of an affected Web site. Trend Micro Control Manager version 3.5 and prior are affected. FrSIRT said vulnerability researcher Darren Bounds discovered the flaw, and Trend Micro has not yet patched the issue.

Tags: Identity Theft and Data Security Breaches,  Web Services Security and SOA Security,  Application Attacks (Buffer Overflows, Cross-Site Scripting),  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Identity Theft and Data Security Breaches Chip and PIN adoption serves lesson for U.S. payment industry Group to shed light on secure identity management threats Heartland CIO is critical of First Data's credit card tokenization plan Heartland CIO on end-to-end encryption, credit card tokenization Heartland CIO on PCI, E3 project Visa probes tokens, encryption for PCI card data protection University data breach exposes 163,000 women to identity theft TJX thrives following breach, bucks sour economy Security expert's PCI analysis misguided, says PCI Council GM External attacks start with unintentional mistakes, survey finds Web Services Security and SOA Security Security testing firm uncovers XML vulnerabilities Cryptographers say cloud computing can be secured Information security book excerpts and reviews Will cloud computing and virtualization save the day? MySpace, Facebook ignoring basic principles of security Kaminsky: DNS flaw capable of attacks on many fronts Kaminsky on DNS rebinding attacks, hacking techniques Which operating system can best secure an FTP site? IBM's Watchfire halts network research, focuses on Web apps How does identity propagation work? Application Attacks (Buffer Overflows, Cross-Site Scripting) Adobe warns of critical update for Reader, Acrobat 9.1.3 9 Ways to Improve Application Security After an Incident Developers Need Help with Security Errors Buffer overflow tutorial: How to find vulnerabilities, prevent attacks SQL injection protection: A guide on how to prevent and stop attacks Experts rebuke programmers who use SQL injection as feature SANS: Application threats, website flaws pose biggest security threats Mozilla helps Adobe push out faster patches SSH key compromise shuts down Apache website IBM finds sharp spike in malicious content on trusted sites Application Attacks (Buffer Overflows, Cross-Site Scripting) Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) CISP-PCI  (SearchFinancialSecurity.com) cookie poisoning  (SearchSecurity.com) drive-by pharming  (SearchSecurity.com) extrusion prevention  (SearchSecurity.com) identity theft  (SearchSecurity.com) parameter tampering  (SearchSecurity.com) pretexting  (SearchCIO.com) Rock Phish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary