In-Depth

In Brief

Microsoft ISA vulnerability may lead to phishing attacks, a new version of MyDoom targets the IFRAME vulnerability in IE, and survey finds bank clients willing to defect over banks’ lack of ID theft protections

• By Mathew Schwartz
• 11/17/2004

Microsoft Vulnerability May Lead to Phishing Attacks

This month’s Microsoft security bulletin details an “important” vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2000 and Proxy Server 2.0. According to Microsoft, “this vulnerability could enable an attacker to spoof trusted Internet content.” Note that ISA Server 2004 is not affected.

Microsoft released a patch.

Symantec, which rates the threat as “moderate,” notes “in order for an attack to occur, the attacker must entice a vulnerable user to visit a malicious Web site instead of the site they are attempting to access.” Once there, however, the attacker could mimic the look of the site to trick a user into divulging sensitive information.

Sound familiar? “With the increasing prevalence of phishing attacks, this vulnerability may provide yet another platform for the gathering of identity information,” notes Oliver Friedrichs, a senior manager for Symantec Security Response.

Attackers would be unable to spoof Web sites that use SSL certificates.

For security managers unable to patch immediately, Microsoft offers a workaround: set the DNS cache size to zero, which “effectively disables DNS caching on the affected system.” “This would prevent the affected software from using potentially spoofed data from the cache.” As this might impact device performance, it’s recommended as a short-term solution only.

Symantec suggests another temporary workaround for users: “not to click on links to unknown Web sites.”

- - -

New MyDoom Targets IFRAME vulnerability

Symantec says a new worm, W32.Mydoom.AH, targets the IFRAME buffer overflow vulnerability in Microsoft Internet Explorer.

Since no patch is available, Symantec offers some workarounds. For starters, it recommends deactivating ActiveX on all systems running Internet Explorer, then blocking outbound access to TCP ports 1639 through 1649, since the worm prefers using these, post-compromise, to download malicious code. Symantec also recommends filtering inbound traffic from those ports—to counter systems trying to spread the worm—and blocking outbound access to TCP port 6667, used by the worm to connect to IRC servers.

Related Article:

Internet Explorer Security Flaw—Time for a New Browser?
http://www.esj.com/security/article.aspx?EditorialsID=1035

- - -

Unisys Mystery Shopper: ID Theft May Topple Banks

Banks face mass client defection unless they tackle ID theft.

“Banks put themselves at a competitive disadvantage if they don’t offer and aggressively market their ID theft protection services,” says Gary Cawthorne, vice president and managing partner of global banking at Unisys.

According to International Communications Research (ICR), which conducted a survey for Unisys of over 1,000 adults, and visited 300 bank branches of the top-100 national banks in a “mystery shopper” capacity, half of U.S. consumers want better theft detection and alert services from their bank, and are willing to switch to get it.

Identity theft is rampant; one out of five consumers surveyed has been affected by it. Assigning blame was easy: two-thirds of those surveyed thought banks could prevent such fraud before it happened, and almost 80 percent thought doing so was their bank’s responsibility. Only 27 percent of customers, however, were willing to pay more for additional account safeguards.

Despite the perception that financial institutions are leading-edge when it comes to information security, ICR’s mystery shopping research suggests many banks have overlooked the non-technological aspects of the equation. Even if the bank offers ID theft protection, most front-line employees don’t know about it.

For example, ICR says 15 percent of banks’ customer service representatives “say that their bank does not do anything special to prevent ID theft,” and only 14 percent report a dedicated department for preventing ID theft. In addition, only 2 percent reported their bank conducted anti-ID theft training for employees. The lack of training shows, with over 90 percent of customer service representatives claiming “their institutions have never experienced phishing attacks.” Likewise only 3 percent recommended customers should contact a credit-reporting agency in instances of ID theft.

The bottom line: shape up or lose customers. “We’ve found an interesting disconnect between consumers’ apparent trust in their banks and their banks’ ability to communicate their fraud protection policies,” says Cawthorne.

For banks, having information security isn’t enough; the customer-facing parts of the organization need to understand and communicate how it works. “Unless banks better train their front line on identity theft, they risk substantial damage to their reputation,” and a resulting loss of customers, he says.

Related Articles:

Banks Unwittingly Aid ID Thieves
http://esj.com/Security/article.aspx?EditorialsID=1137

Wild Kingdom: Life and Quick Death of a Phishing Site
http://esj.com/enterprise/article.aspx?EditorialsID=1095

Web Caller-ID Arrests Spoof Sites
http://www.esj.com/security/article.aspx?EditorialsID=1087