We’re still waiting for those Microsoft security bulletins,
which Redmond has promised to release this week, and there’s still a nice lull
in new vulnerabilities and viruses. However, we can’t say the same for phishing
scams, which are still on the rise.

Details

Once again, Microsoft has pre-announced its monthly
security bulletin release. (The software giant pulled the release
for September at the last minute due to problems with the patch.)

However, even if Microsoft sticks to its schedule this time,
the official release date is October 11. So, look for the details about the
latest security bulletins in my next article; in the meantime, let’s concentrate
this week on phishing and other threats.

The “governator” goes phishing

While phishing may appear
to be a threat that primarily affects individual users, it also poses a major
problem for businesses, both directly and indirectly. The goal of most phishing
attacks is to obtain personal information from an individual.

However, some scams are beginning to target business credit
information—companies are often a better target because they have more money. Businesses
are accustomed to paying an invoice when they get it without doing much
research. In fact, this is an old scam: Just mail out a bunch of invoices using
a professional-sounding name, and many companies will just send a check. This means
that even seemingly harmless information about billing cycles and sample
invoices can pose a threat.

As phishing increases, consumers are becoming more leery about
giving out personal information online, which negatively affects confidence in
online buying—just as companies are turning to the Internet for an increasingly
significant proportion of their sales. This change in attitude is having a
measurable impact. According to Forrester Research, 600,000 online banking
users in the United Kingdom have turned
their backs on online banking due to the phishing threat.

And according to BBC, 90 percent of American PC users have changed their online
habits due to a fear of spyware. This includes changing browsers, dropping
file-sharing software, and even avoiding some Web sites.

Given that number, how can this fail to affect online sales?
Any way you look at it, this can’t be good news for companies.

In an effort to fight back, California recently became the
first state to actually make phishing a crime that you can sue over. On Sept.
30, 2005, Governor Arnold Schwarzenegger signed the
nation’s first anti-phishing bill. As hard as it may be to believe, until
the new law went into effect, there was little or nothing you could do about
phishing—even if you caught someone red-handed trying to steal your personal
information.

The California Anti-Phishing Act of 2005 finally made it a
civil offense to take any action to induce people to disclose personal data by
falsely representing themselves as doing so for a business. The law included
fines of $2,500 for each violation, and it lets victims sue for actual damage
or $500,000 per violation, whichever is greater.

But the new California law is too narrow in its definition
of phishing, and it doesn’t apply to malware-based phishing. In addition, it
poses little if any concern for any attacker not based in the state. However,
it may trigger action in other states as have other pioneering California
privacy laws.

U.S. Senator Patrick Leahy introduced a similar bill to
Congress in February 2005, but the proposal has received little attention.
Leahy’s proposed bill would make it a federal crime even to create a fake
business site that spoofs a legitimate business or to attempt to obtain
personal information via e-mail. The bill provides specific protection for
parody sites and includes other First Amendment protection.

And while the number of new security vulnerabilities and
serious virus threats has remained very low recently, two-thirds of companies
have suffered “significant” financial costs associated with IT
failures in the last year, according to Silicon.com. One-third suffered
damage due to direct phishing and hacking attacks.

Microsoft gets serious about security

For the past few years, the Redmond giant has been
concentrating on plugging security holes in its products. However, industry
insiders have been waiting for the company to enter the lucrative security
field ever since Microsoft
began acquiring security companies. Last week, Microsoft announced plans to
release its
business-oriented Client Protection software, which will put it into direct
competition with Symantec and other security specialists.

While few details are available, we do know that it will
integrate with Active Directory. Client Protection is the business equivalent
of Windows OneCare,
Microsoft’s subscription-based end-user repair software. The new Client
Protection software will ship in 2006, and testing will begin later this year. You
can also look for the full working version of Windows OneCare to arrive next
year, and it’s currently
in limited beta release.

Even if it isn’t perfect, security software provided by
Microsoft should help slow the spread of some viruses. That’s because far more
PCs will likely have the protection implemented than the excellent third-party antivirus
tools already available today.

Recent threats

  • A Wi-Fi
    vulnerability     has surfaced in fully patched Windows XP Service Pack 2
    systems. The hole in the Wireless Zero Configuration service is a local
    threat that can allow a user to gain higher privileges.
  • A highly
    critical vulnerability     has emerged in Kaspersky Anti-Virus programs.
    See the Secunia report
    for more details.
  • Red
    Hat has announced updates
    for Thunderbird     (Enterprise Linux AS4, ES4, and WS4) that fix remote
    spoofing and other vulnerabilities.

Final word

Reports about people changing their surfing habits should
concern any business that’s selling online. Phishing and spyware don’t just
affect unsophisticated individuals—they also have a financial impact on those
who want to do business with them.

With the holidays approaching, I guess I should note that
Electronic Arts has announced that Need for Speed
Most Wanted will be ready to ship
on November 22, the same day Microsoft plans to release the
initial Xbox 360 consoles. I find it interesting that while Nicholas
Negroponte, the cofounder of MIT’s Media Lab, is moving forward on the proposed
$100 notebooks for digitally deprived Third-World children in the One Laptop Per
Child program, the connected world is eyeing $300 and $400 game consoles—the expected pricing for the two flavors of Xbox 360.

Miss a column?

Check out the IT Locksmith Archive,
and catch up on the most recent editions of John McCormick’s column.

Want to stay on top of
the latest security updates? Automatically
sign up for our free IT Locksmith newsletter, delivered each Tuesday!

John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.