VA slapped over credit monitoring
The U.S. Department of Veterans Affairs (VA) has been offering and publicizing free credit monitoring services in response to the data breach affecting 26.5 million veterans and about 2.2 million active duty personnel. But a federal judge has ordered the agency to stop publicizing the offer.
The VA has said it will offer a year of free credit counseling to veterans who are now at heightened risk for identity fraud due to the breach, in which computer hardware containing the personal data was stolen from the home of a VA employee during a burglary. According to published reports, lawyers for the veterans claim the VA proposal is "misleading and incomplete" because it doesn't adequately inform those who accept the offer whether they are giving up the right to seek other remedies.
The matter will be discussed at a hearing Friday before Judge William Bertelsman of the U.S. District Court for the Eastern District of Kentucky.
Symantec readies anti-data fraud tool
Cupertino, Calif.-based antivirus giant Symantec Corp. has announced that in September it will release a beta version of a security software product that bolsters a computer's defenses against thieves who target ecommerce and banking sites.
Norton Confidential is designed to detect when a Web site or malicious program is trying to steal a username or password using phishing techniques, Symantec said. The Anti-Phishing Working Group, a consortium of companies and researchers, logged a record 20,109 unique phishing attacks last month.
The product rollout comes as a growing number of organizations are suffering data breaches that put millions of people at risk for identity fraud.
Norton Confidential will scan Web sites visited by a client machine for fraudulent or suspicious activity. The software will compare a Web site against lists of fraudulent ones. The product will also generate warnings for pages that function like known fraudulent sites.
Security hole surfaces in Trend Micro Control Manager
Attackers could launch malicious code using a flaw in Trend Micro Control Manager, the French Security Incident Response Team (FrSIRT) warned in an advisory Tuesday.
The flaw is due to an input validation error in the logging feature, which does not validate user-supplied parameters such as usernames before they are stored in the log file and displayed via the administrative interface, FrSIRT said. Attackers could exploit this to cause arbitrary scripting code to be executed by the administrator's browser in the security context of an affected Web site. Trend Micro Control Manager versions 3.5 and prior are affected. FrSIRT said vulnerability researcher Darren Bounds discovered the flaw, and Trend Micro has not yet patched the issue.
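
The class of flaw described here, shown from the defender's side as an added example (not Trend Micro's code and not taken from the FrSIRT advisory): a log viewer that pastes stored usernames into the admin page, next to one that cleans and HTML-encodes every field before output. The record layout, function names and sample entries are constructed for illustration.

```python
import html
import re

# Constructed sample log records (not from the advisory): the second username
# carries markup, as an unvalidated login field would allow; the third carries
# a line break.
SAMPLE_LOG = [
    {"time": "2006-06-20 10:01:07", "user": "jsmith", "event": "login failed"},
    {"time": "2006-06-20 10:01:09",
     "user": "<script>alert(1)</script>", "event": "login failed"},
    {"time": "2006-06-20 10:02:00", "user": "ops\r\nadmin", "event": "login ok"},
]

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def clean_for_log(value, max_len=64):
    """Input check: drop control characters and bound the field length."""
    return _CONTROL.sub("", value)[:max_len]


def render_row_unsafe(rec):
    """The flawed pattern: stored fields are pasted into the page verbatim."""
    return "<tr><td>{time}</td><td>{user}</td><td>{event}</td></tr>".format(**rec)


def render_row_safe(rec):
    """Display-time fix: clean, then HTML-encode every stored field."""
    cells = (html.escape(clean_for_log(rec[k]), quote=True)
             for k in ("time", "user", "event"))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def has_live_markup(row):
    """True if a rendered row contains any tag other than the table's tr/td."""
    return bool(re.search(r"<(?!/?t[rd]>)", row))


if __name__ == "__main__":
    for rec in SAMPLE_LOG:
        print(rec["user"].encode(),
              "unsafe:", has_live_markup(render_row_unsafe(rec)),
              "safe:", has_live_markup(render_row_safe(rec)))
```

Encoding at display time is the control that matters for the administrator's browser; the input check keeps control characters out of the stored log in the first place.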