SEP 7, 2010 4:26pm ET

Security Watch

Caught in the Web

Microsoft Corp. is under pressure from an employee of Google Inc. to fix a bug in its Web browser that could let hackers steal financial data or send unauthorized e-mails and tweets.

The bug may have existed in Microsoft's software since 2002; it received fresh attention when a Google security engineer, Chris Evans, mentioned it in a December 2009 blog post on which Computerworld reported Tuesday. The bug, which affects Internet Explorer 8, existed in other browsers, including Google's Chrome and Mozilla Foundation's Firefox, but has since been patched in those browsers. Internet Explorer 9, which is to be introduced in beta form this month, does not have this vulnerability.

The bug is called "CSS cross-origin theft," the article said. Evans said in a blog post last month that a hacker using that bug could take over a target's e-mail account by tricking the target into clicking a link. "It's a nasty attack," he wrote.

Microsoft said Friday that, though it is looking into the bug, it has not seen any instances of hackers using it. Though Microsoft said it prefers that researchers work quietly with it to identify security vulnerabilities that need patches, Evans said he was applying public pressure because he felt Microsoft was not moving ahead with a fix, the article said.

Computerworld noted that this is not the first time a Google employee has pressed Microsoft on a security flaw. Another Google researcher, Tavis Ormandy, publicly exposed a flaw in the Windows operating system this year. The flaw has since been fixed.

'Chat' Service Risks

As retailers increasingly embrace online chat for customer service, they open themselves up to security concerns about what is discussed in the chat sessions.

This is of particular concern when transcripts of chat sessions are sent to customers for their records, according to an article published Sept. 2 at the retail news website StorefrontBacktalk. Even if retailers comply with data protection rules, the transcripts could be intercepted.

The article focused on pharmacies; both Rite-Aid Corp. and Walgreen Co. announced pharmacist-chat services last month, the article said. Rite-Aid restricts what information pharmacists may have during chat sessions, but Walgreen gives them the same level of access they would have for face-to-face interactions.

Because Rite-Aid limits pharmacists' access to patient information during online chats, it requires customers to bring up any sensitive information they wish discussed. The article said that this could still present a security hole if the chat transcript is not given the same level of protection as other data.

"All of the security in the world will be made meaningless by the weakest link," the article said, comparing the issue to call centers that read payment card information aloud to verify it — making it possible for malicious insiders to record information to which they would not normally have access.

Old-Fashioned Fraud

Though many identity thieves steal data by exploiting weaknesses in computer systems, a woman in Raleigh is accused of exploiting weaknesses in home security.

Heather Lynn Holley faces charges of breaking into three homes to steal personal checks, passports, tax forms and other sensitive information that was then used for fraud and identity theft, The News & Observer reported Monday. In one case, she is accused of stealing the identity of a 2-year-old girl to get health insurance benefits. She faces 29 felony and misdemeanor charges.

Unlocked Door
