Updated every Tuesday evening, circa 11 p.m. ET. Links may require registration/subscription.

 

Tech Trends

The "Conficker" program, a bug that has infected millions of computers worldwide, refuses to die.

Security experts developed tools that should wipe out Conficker from any infected computer, but the bug has persisted, The New York Times reported Aug. 27.

Conficker has been a suspected data thief, able to steal banking passwords and other sensitive information, though it could also use hijacked computers for other malicious purposes, such as sending out spam or selling fake antivirus software, the article said. As yet, it has mostly laid low, despite its alarming rate of infection.

Even the Conficker Working Group, the industry alliance devoted to the bug's eradication, has not been able to stop it. "We have not found the trick to take control back from the malware in any way," Rodney Joffe, the group's director, told the Times.

 


 

Certain types of Wi-Fi network are less secure than ever, now that research has shown how some can be cracked in just one minute.

The attacks target Wi-Fi Protected Access, or WPA, networks using the Temporal Key Integrity Protocol, an encryption algorithm that has been described as an interim measure while the industry works to develop stronger security, according to an article Computerworld published Aug. 27.

The new attack method was disclosed in August by computer scientists at Japan's Hiroshima University and Kobe University. It builds on earlier research on a method that could take up to 15 minutes to perform and worked on fewer devices.

The WPA devices are considered more secure than earlier versions that used the Wired Equivalent Privacy system, which has been considered "completely insecure" for years, the article said.

 


 

Still shredding your documents to avoid identity theft? It may not do much good.

Security expert Bruce Schneier said in an Aug. 27 post to his "Schneier on Security" blog that shredding sensitive papers is essentially "obsolete" as a security measure.

Schneier wrote that criminals often view sifting through trash cans in the hope of finding the odd unshredded bill as a waste of time when such details "can be stolen by the millions from merchant databases." His post came in response to the indictment of Albert Gonzalez for his alleged involvement in the Heartland Payment Systems Inc. breach.

By targeting such databases, even small-time crooks get away with big hauls. "Even if you only want 10, you have to steal millions," he wrote.

However, James Van Dyke, the principal and founder of Javelin Strategy and Research in Pleasanton, Calif., said in a post to his own blog that consumers should not be quick to let their guard down.

"Individuals are getting a rash of confusing and often unhelpful security advice for their financial services records," he wrote.

He agreed that shredding is no longer as important as it once was but said that people should still be careful with their sensitive documents, including paper bills. "If shredding is worth an ounce of fraud prevention, turning the paper off [by asking not to get bills in the mail] is worth at least a pound," he wrote.

Scamming.Gov

Government agencies in four states have received laptop computers that they did not order, and are wondering whether the machines are part of a scam.

One possibility is credit card fraud. Two of the four states, Washington and Wyoming, said their computers were bought from Hewlett-Packard Co. with credit cards that do not belong to either state, the Associated Press reported Friday.

HP has classified the recent orders as fraudulent, though it does have contracts with the four states (the others are West Virginia and Vermont).

But the issue could go deeper than simple credit card fraud, the article said. Fearing some sort of malicious program, none of the states that got the unexpected computers dared to switch them on.

"I don't know what's on them, but I'm assuming we didn't receive these as a gesture of goodwill," Kyle Schafer, West Virginia's chief technology officer, told the AP.

Personal Attack

Some malicious programs hold personal grudges.

The Washington Post's Brian Krebs has discovered that the latest version of the Koobface worm, notable for spreading through social networking Web sites, included an unflattering message about him.

The latest version includes a reference to the domain name (expletive)briankrebs.com, Krebs wrote in the Monday edition of his "Security Fix" column. He warned people not to guess the expletive because the Web site was still active and would infect visitors.

FireEye Inc. in Milpitas, Calif., which has published research on malicious software, was similarly insulted by Koobface.

"It's a personal feather in the cap, knowing that on some level we made cyber crime more difficult," Alex Lanstein, FireEye's senior security researcher, told Krebs.

Visitors to one of these colorfully named Web sites see a spoofed Facebook page. Clicking a video on the page can install a "scareware" program that infects a computer system and asks the victim to use a credit card to buy bogus antivirus software.

Update

Terry Childs, the man accused last year of holding San Francisco's municipal computer network hostage, is still in jail though several charges against him were thrown out in August.

He is still charged with one count of disrupting computer services, which carries a potential five-year prison sentence, according to an article Computerworld ran Monday. He is being held on $5 million bail, an amount the article described as unusually high. The recommended bail amount for crimes such as sexual assault of a child, aggravated arson or kidnapping for ransom is just $1 million, it said.

Childs' request to have his bail reduced was denied Monday.

Prosecutors have said Childs is a flight risk and may still be able to damage the city's computer network if released. His trial is set for Oct. 9.

Childs, a former city network administrator, was arrested last year after a workplace dispute in which he was accused of withholding administrative passwords and configuring the network to block other users from gaining access to it. Roughly a week after his arrest, Childs gave the passwords to the city's mayor, Gavin Newsom.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.