Personal info about 310,000 at risk
LexisNexis cites database breach
By Jon Swartz, USA TODAY
In one of the biggest computer-security breaches ever, personal data on 310,000 people may have been stolen from data broker LexisNexis — nearly 10 times the number first disclosed, the company said Tuesday.
The disclosure of the latest electronic break-in underscores the vulnerability of computerized personal data records. In incidents reported publicly since February, the rough tally is now approaching 1 million records potentially compromised at data broker ChoicePoint, San Jose Medical Group, Boston College and elsewhere.
A probe by LexisNexis' London-based publishing parent, Reed Elsevier Group, determined that databases containing Social Security numbers and addresses had been fraudulently breached 59 times using stolen passwords.
LexisNexis initially said last month that 32,000 individuals potentially had been affected. It says it has found no cases of identity theft, such as using a stolen Social Security number to apply for a credit card.
Still, the episodes have heightened concerns about identity theft, which costs U.S. consumers and businesses $50 billion annually, according to government estimates.
Fears of identity theft are running high among consumers; 59% say they are very concerned, according to a USA TODAY/CNN/Gallup Poll, taken in late February after ChoicePoint disclosed that thieves had gained access to some 145,000 consumer profiles. ChoicePoint, like others, was forced to make the disclosure under a California law.
Separately that month, Bank of America admitted it lost data tapes containing sensitive details of 1.2 million U.S. government employees. It said there was no evidence that the lost information ended up in the hands of thieves.
Those two lapses set off a flurry of activity on Capitol Hill, including hearings on identity theft and several bills to punish offenders.
The breach at LexisNexis was uncovered after a billing complaint by a customer of the company's Seisint unit led to the discovery that personal information might have been misappropriated. Law enforcement authorities are assisting the company's investigation.
Wednesday, April 13, 2005
Tuesday, April 12, 2005
Microsoft Patch Day Brings Urgent Updates
Written by: Ryan Naraine - eWEEK
The Microsoft security train made its scheduled monthly stop on Tuesday, dropping off eight updates to cover 18 vulnerabilities in a range of widely deployed products.
Five of the eight advisories are rated "critical" and Redmond officials are urging customers to apply at least three immediately as high-priority updates.
The top three include fixes for high-risk flaws in Microsoft Corp.'s implementation of the TCP/IP stack; a cumulative patch for the Internet Explorer browser; and a patch for a remote code-execution hole in the enterprise-focused Microsoft Exchange Server.
According to Stephen Toulouse, program manager at the Microsoft Security Response Center, the vulnerabilities discussed in the MS05-019 bulletin present the biggest threat to Microsoft Windows users because a successful exploit could allow a malicious hacker to take complete control of an affected system.
In all, Microsoft is patching five vulnerabilities in the TCP/IP stack, the most serious of which could let an attacker install programs; view, change or delete data; or create new accounts with full user rights.
Successful exploits could also cause denial-of-service conditions, Toulouse said in an interview with eWEEK.com.
Software affected by the TCP/IP vulnerabilities includes Windows 2000 Service Packs 3 and 4, Windows XP SP1 and SP2, Windows XP 64-Bit Edition, and Windows Server 2003. Patches were also shipped for the Windows 98 and Windows ME operating systems.
For the second time this year, a cumulative update with a "critical" rating was released for the dominant Internet Explorer browser. The IE patch, covered in MS05-020, affects all operating systems up to and including Windows XP SP2. It addresses three separate code-execution vulnerabilities in IE that could lead to remote system takeover.
According to Microsoft's advisory, one vulnerability is caused by the way IE handles certain DHTML (Dynamic HTML) objects. "An attacker could exploit the vulnerability by constructing a malicious Web page. This malicious Web page could allow remote code execution if a user visited a malicious Web site. An attacker who successfully exploited this vulnerability could take complete control of an affected system," the company warned.
Code-execution holes have also been plugged in the way the browser handles Content Advisor files and certain URLs.
Microsoft Exchange Server, which is widely employed in large corporations using Microsoft infrastructure solutions, is also vulnerable to a critical code-execution vulnerability. The MS05-021 update provides a fix for the issue, which can allow an attacker to connect to the SMTP port on an Exchange server and issue a specially crafted command. A successful attack could result in a denial of service or allow attackers to run malicious programs of their choice in the security context of the SMTP service.
Customers running Microsoft Exchange 2000 Server SP3, Exchange Server 2003 and Exchange Server 2003 SP1 are affected.
The April advisories also include fixes for a pair of buffer-overflow flaws in Microsoft Word, the popular word processor that ships as part of the Office suite.
The MS05-023 update provides patches for the remote code-execution Word vulnerabilities.
Both flaws could allow a malicious hacker to take complete control of a user's PC by creating a document that contains malicious code and persuading the target to open the document.
Customers affected include users of Microsoft Word 2000 and 2002, Microsoft Office Word 2003, and Microsoft Works Suite 2001, 2002, 2003 and 2004.
For the second time this year, the MSN Messenger application has gotten a security makeover to correct a critical remote code-execution vulnerability. Patches have been included in the MS05-022 advisory, which applies to MSN Messenger Version 6.2. Users of the newest MSN Messenger 7.0 are not affected.
The last three advisories (MS05-016, MS05-017 and MS05-018) are rated "important" and address flaws in Windows Shell, Message Queuing and the Windows Kernel.
The software giant also released two non-security-related updates marked "high priority" through Windows Update to help provide all of the updates requiring a reboot in a single release cycle. These updates relate to the Microsoft Windows Installer and the Background Intelligent Transfer Service.
The Redmond, Wash.-based company's worm-removal tool also got the scheduled monthly update to add detection for new viruses and threats.
Microsoft plugs critical holes in Windows
Microsoft on Tuesday released a slew of security patches, five of them critical, as part of its monthly update.
The updates include "critical" fixes to Windows' TCP/IP networking, Internet Explorer, MSN Messenger, Office and Exchange Server. "Critical" is the company's highest severity rating. Three other Windows security holes are rated as "important," the next highest rating.
In each case, Microsoft said the flaws, if exploited, could enable an attacker to take remote control of a vulnerable machine.
In general, Microsoft said it is making progress on security issues. Stephen Toulouse, security program manager with the Microsoft Security Response Center, noted that many of the flaws that were rated critical had lower ratings for those running the latest versions of Microsoft's software.
With the vulnerability in the Exchange Server software for managing e-mail, contact lists and calendars, for example, Toulouse said that it is rated only "moderate" for those running Exchange Server 2003. Similarly, no immediate attention was needed on the Windows flaws for those running the just-released Windows Server 2003 Service Pack 1.
Worming into Exchange?
Atlanta-based Internet Security Systems, which was credited for discovering the Exchange vulnerability last year, said it is concerned that now that the details of the Exchange fix are out there, a worm could be created that exploits the flaw, and such a bug could quickly do damage.
"There is no user interaction required to exploit the vulnerability," said Neel Mehta, team leader of advanced research for ISS' X-Force unit.
Toulouse said it is difficult to say whether the Exchange vulnerability could lead to a new worm.
"It's really hard to speculate on what an attacker might do," he said. He noted that he has not seen any discussion of such a bug, nor has there been any so-called "proof of concept" code that is often a precursor to an actual worm. "What we are doing right now, and what we do after every release, is to watch."
ISS also found the flaw in TCP/IP networking, the standard behind the Internet and other networks. Mehta said it appeared to be more difficult to exploit, but the danger is greater if it were since it is so widely used.
"Every networked Windows computer is using this," Mehta said. "It's not something you can disable. It's not something you can turn off."
With the Internet Explorer bug, Toulouse said that someone who visits a specially configured Web site could then have malicious code executed on their machine. As for the Office vulnerability, Toulouse said that any attack would have to involve someone receiving and opening a maliciously constructed Word file.
Higher risk
In response to the new flaw disclosures, Symantec raised its overall "ThreatCon" security level for the computer industry.
"It is important that both home users and enterprises take proactive steps to deploy these patches," Oliver Friedrichs, senior manager at Symantec Security Response, said in a statement. "The vulnerabilities announced by Microsoft today can result in broad exposure to blended threats and worms, as well as denial-of-service attacks."
In addition to those patches, Microsoft is releasing two high-priority upgrades unrelated to security. One is for the Windows Installer and the other is for the Background Intelligent Transfer Service, which Microsoft uses to allow piecemeal downloading of software updates.
The software maker said last week to expect the eight security patches, as well as the other updates, but did not offer details.
In March, the company took a break from its monthly routine of security releases and did not issue any patches. The prior month, Microsoft had a dozen fixes in its regularly scheduled release and later plugged a hole in the digital-rights technology within Windows Media Player.
Microsoft also revamped its technology for removing malicious code, a sort of basic antivirus tool for cleaning up infections. The software now removes Hacker Defender, Mimail and Rbot, as well as new variants of the Berbew, Bropia, Gaobot, MyDoom and Sober worms, the company said.
People can get the patches at Microsoft's Web site or set their systems to automatically update.

