Security Bytes: Data on 3.9 million Citigroup customers missing

Elsewhere, an old flaw is reintroduced to Firefox; a security hole plagues Kaspersky Anti-Virus; and Cisco beefs up defenses against DDoS attacks.

Citigroup: UPS lost data on 3.9 million customers
The world's largest bank says the United Parcel Service [UPS] lost information on 3.9 million of its customers. Citigroup Inc. said Monday that UPS lost the account and payment history data -- including Social Security numbers -- in transit. According to Reuters, the New York-based bank said the data was stored on computer tapes and lost while UPS, the world's biggest package carrier, was shipping them to an Experian credit bureau in Texas.

The tapes covered CitiFinancial Branch Network customers and about 50,000 customers with closed accounts from CitiFinancial Retail Services. Customers of CitiFinancial Auto and CitiFinancial Mortgage are unaffected, Reuters reported. Citigroup customers were informed of the security breach by mail over the weekend. The bank said it has received no reports of unauthorized activity, and said there is "little risk" of the accounts being compromised. Various news reports do not mention if the files were encrypted, but company officials hinted they were. "We were moving this using an enhanced security procedure we specified and developed with (UPS)," Kevin Kessinger, president of Citigroup's North America consumer finance unit, told Reuters. "You can imagine how frustrated and disappointed we are that this occurred."

Old flaw reintroduced to Mozilla, Firefox
Attackers could spoof the content of Web sites by exploiting an old vulnerability that has been reintroduced to Mozilla and Firefox, Danish security firm Secunia said in an advisory.

"The problem is that the browser [doesn't] check if a target frame belongs to a Web site containing a malicious link, which therefore doesn't prevent one browser window from loading content in a named frame in another window," Secunia said. "Successful exploitation allows a malicious Web site to load arbitrary content in an arbitrary frame in another browser window owned by a trusted site."

Secunia has constructed a test users can run to see if their browser is affected. The firm confirmed the security hole in Firefox 1.0.4 and Mozilla 1.7.8. It recommends users avoid untrusted Web sites.

Flaw affects Kaspersky Anti-Virus
Attackers could gain elevated user privileges by exploiting a security hole in Kaspersky Anti-Virus, the French Security Incident Response Team [FrSIRT] said in an advisory.

"This flaw is due to an error in the 'klif.sys' driver where functions are called insecurely from the user level, which may be exploited by local users to execute arbitrary commands with kernel privileges," FrSIRT said. "This issue occurs on systems running Windows 2000 [and affects] Kaspersky Anti-Virus version 5.0.325 and prior."

FrSIRT said it is not aware of any officially supplied patch for this issue.

The advisory comes as the Russian antivirus firm announces the release of Maintenance Pack 3 for Kaspersky Anti-Virus Personal 5.0. At the time of writing it was unclear if the maintenance pack addressed the flaw FrSIRT warned of. But in a statement the firm said, "The pack introduces a number of new features and product improvements."

Cisco offers new DDoS protection
Cisco Systems has stepped up efforts to thwart distributed denial-of-service attacks. The San Jose, Calif.-based networking giant announced new protection Monday at the Supercomm confab in Chicago, labeling it the Cisco Distributed Denial of Service [DDoS] Protection solution.

"Security features are an integral part of Cisco IP NGN architecture," Cisco said in a statement. "At the Service Layer, the DDoS Protection solution enables service providers to deploy network-based security services for added revenue and fulfill the market demands for security with simplicity. At the Operational Layer, this solution also enables service providers to deploy hardening and protection measures to shield their own network infrastructure from DDoS attacks. This permits providers to deliver highly secure, resilient IP services, including VPN, IP voice communications, video and on-line gaming, to their customers without disruption."

More information is available on Cisco's Web site.
