Trojan disguised as Lycos' antispam screensaver
A new Trojan horse is passing itself off as Lycos' "Make Love Not Spam" screensaver. In a bizarre twist in the screensaver saga, Finnish security firm F-Secure said an e-mail attachment promising to be the screensaver is really a keylogger Trojan. The malicious program came on the scene Monday as Lycos was announcing plans to remove the screensaver from circulation. "With this campaign we intended to raise a new impulse in the antispam discussion and therefore create awareness for the big economical and societal problems caused by spam. The campaign has reached its goal and thus will be stopped," Lycos said in a statement.
Lycos also indicated a study by Netcraft had wrongly claimed the screensaver had shut down two spamming Web sites. Netcraft has now said the problem was a misunderstanding created by a list of Web sites Lycos claimed it was attacking, SC magazine reported. Because there were no dates, Netcraft studied spamming sites on days they were not actually being attacked by Lycos screensavers. So when Netcraft said the sites were down, it was probably not due to Lycos' screensaver. "We were monitoring the sites on different days to which they were attacking them," Paul Mutton, Internet services developer at Netcraft, told SC magazine. He suggested it was inevitable the site shut-down. "A lot of people think fighting fire with fire is not a good idea. With ISPs black-holing the Web site, believing it to be in breach of Internet protocol, it had to be shut-down," Mutton said.
Gartner: Security measures not enough for online customers
A new Gartner survey shows online consumers are unhappy with what they see as insufficient security provided by banks and online retailers. They feel passwords are no longer enough to secure their online transactions, the IDG News Service reported. A survey of 5,000 Internet users showed online shoppers want retailers to offer more than just passwords to protect their accounts. Respondents also expressed concerns that a lack of security may be hampering the growth of online commerce. Almost 60% of the respondents said they're concerned or very concerned about online security.
Even more important for online retailers: Over 80% of those surveyed said they would buy more from an online vendor who offered them more than just a username and password to protect their accounts, Gartner analyst Avivah Litan told the IDG News Service. But there are limits to how much they'll take in the name of security, she said. When asked to choose among technologies to supplement password protections, respondents gave high ratings to low-tech options such as challenge and response features, which ask shoppers to provide responses to tailored questions, or shared secret technology that displays shopper-selected images on Web pages to prove the authenticity of e-commerce Web sites. More complicated solutions like security software downloads or so-called multifactor authentication that couple smart cards or USB tokens with usernames and passwords were less popular, Litan said.
The most popular choice for fixing the security of online shopping and banking sites is for providers to be made legally responsible for strict security measures, she said. Also, those surveyed indicated they want the choice of using stronger authentication but do not want to be forced to use it. Gartner predicts that by the end of 2007, more than 60% of banks in the U.S., but fewer than 20% of banks worldwide, will rely on simple passwords to authenticate retail customers. That may change, especially as retailers and banks contend with a wave of phishing, Litan said.
SP2 security features won't be backported to Windows 2000
Microsoft's decision to scrap plans for Windows 2000 Service Pack 5 has effectively killed all hopes that security enhancements built into Windows XP SP2 will be backported to Windows 2000, eWeek.com reported. Following a spate of recent analyst reports warning of long-term security problems with the platform, some enterprise customers anticipated Microsoft would reconsider the Service Pack 5 issue. This hope has endured despite Microsoft's rejection of XP SP2 fixes for Windows 2000 as well as IE-specific SP2 fixes for orphan versions of Windows. Instead of Windows 2000 SP5, eWeek.com said the software giant will release an "Update Rollup" next year as the final security patch for the operating system. A spokeswoman said there is no chance that some of the XP SP2 security goodies will be added to the Update Rollup. "The enhancements introduced in Windows XP SP2 will not be back-ported to Windows 2000, as this would require a significant rearchitecting to a large portion of the Windows 2000 code base," the spokeswoman told eWeek.com. She said the decision was based on feedback from Windows 2000 customers who said they prefer stability to new additions.