Blog: IT Security Alerts

Microsoft has just released a patch to correct a critical vulnerability in Windows systems. The vulnerability applies to current versions of Windows and the update should be applied as soon as possible. Of course, systems not protected by a corporate firewall and/or up-to-date antivirus software are at highest risk. Compromised websites can infect unpatched computers. At least one known worm has been detected which exploits this vulnerability.

This patch can be applied via normal Microsoft update procedures you may already have in place.

For manual application or more information, please visit:
http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx

This is one more example of why it is important to apply all critical updates to systems on a timely basis.

For help applying this critical security update to your Microsoft Windows based systems, please contact us.


 

New Daylight Savings Time dates effective for 2007:

  • Begin: 2:00 AM, March 11, 2007 (was April 1, 2007)
  • End: 2:00 AM, November 4, 2007 (was October 28, 2007)

Given the broad range of technology in use today and the integration of systems between customers, vendors, and partners, IT managers should determine what actions should be taken to mitigate the effects of DST 2007 on their organizations.

Microsoft is providing updates for supported systems and applications. If these updates are not applied:

  • Outlook calendar entries will be off by 1 hour for a 3-week period at the beginning of DST, and for one week at the end of DST.
  • Any process that relies on a calendar/time entry, such as backup jobs, will run one hour earlier than intended.

The following Microsoft products have an update available for Daylight Savings Time:

  • Windows XP SP2
  • Windows Server 2003
  • Windows Server 2003 SP1
  • Exchange Server 2003 SP1
  • Exchange Server 2003 SP2
  • Office Outlook 2007/2003/XP/2000

The following products are not supported, but can be updated manually:

  • Windows XP SP1
  • Windows 2000
  • Windows 95/98
  • Windows NT4

Please take the following steps to determine if your systems or applications are supported for the Microsoft updates:

  1. Determine the Operating System version and Service Pack level for all servers and client computers.
  2. Determine version and Service Pack level for Microsoft Outlook. Outlook is usually installed as a part of Microsoft Office.

For more detailed information, go to:
http://support.microsoft.com/gp/dst_topissues#a2

Once the updates are applied, please check Outlook calendar entries to be sure they are scheduled for the correct time. Microsoft has suggested that you enter the time in the subject of the appointment or meeting request so that none of the attendees are confused.
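To decide which calendar entries and scheduled jobs to re-check, the following added example (not part of the original post) computes the two windows in which the old and new DST rules disagree and flags entries that fall inside them. It generalizes the 2007 dates above to any year, assuming the new rule is the second Sunday in March to the first Sunday in November and the old rule is the first Sunday in April to the last Sunday in October; the function names and the sample schedule are constructed for illustration.

```powershell
# Added example, not from the original post. The general rules are assumptions:
#   new rule: second Sunday in March  -> first Sunday in November
#   old rule: first Sunday in April   -> last Sunday in October
function Get-SundayOnOrAfter {
    param([datetime]$Date)
    # DayOfWeek: Sunday = 0, so this is the number of days until the next Sunday
    $Date.AddDays((7 - [int]$Date.DayOfWeek) % 7)
}

function Get-DstMismatchWindow {
    param([int]$Year)
    $newBegin = (Get-SundayOnOrAfter (New-Object datetime $Year, 3, 1, 2, 0, 0)).AddDays(7)
    $oldBegin = Get-SundayOnOrAfter (New-Object datetime $Year, 4, 1, 2, 0, 0)
    $oct31    = New-Object datetime $Year, 10, 31, 2, 0, 0
    $oldEnd   = $oct31.AddDays(-[int]$oct31.DayOfWeek)    # last Sunday in October
    $newEnd   = Get-SundayOnOrAfter (New-Object datetime $Year, 11, 1, 2, 0, 0)
    # Unpatched systems are one hour off between From (inclusive) and To (exclusive)
    [pscustomobject]@{ Window = 'Start of DST'; From = $newBegin; To = $oldBegin }
    [pscustomobject]@{ Window = 'End of DST';   From = $oldEnd;   To = $newEnd }
}

# Constructed sample schedule (local times); replace with your own export.
$entries = @(
    [pscustomobject]@{ Name = 'Nightly backup';  When = [datetime]'2007-03-12 22:00' }
    [pscustomobject]@{ Name = 'Board meeting';   When = [datetime]'2007-04-02 09:00' }
    [pscustomobject]@{ Name = 'Month-end batch'; When = [datetime]'2007-10-31 23:30' }
)

$windows = Get-DstMismatchWindow -Year 2007
foreach ($entry in $entries) {
    $hit = $windows | Where-Object { $entry.When -ge $_.From -and $entry.When -lt $_.To }
    [pscustomobject]@{
        Name    = $entry.Name
        When    = $entry.When
        Recheck = [bool]$hit
        Window  = if ($hit) { $hit.Window } else { '' }
    }
}
```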


 

Microsoft plans to deliver their latest version of Internet Explorer (version 7) as a high-priority security update via Automatic Updates (AU) and the Windows Update and Microsoft Update sites. The IE update will be available shortly after its final version release (expected within the next few weeks).

Internet Explorer 7 Release Candidate 1 (RC1) is currently available from Microsoft's website (http://www.microsoft.com/windows/ie/downloads/default.mspx). IT Administrators should begin installing and testing this new version of IE for application compatibility.

Microsoft is providing a Blocker Toolkit for enterprise customers who want to block automatic delivery of IE7. The Blocker Toolkit can be downloaded from Microsoft's Download Center at:
http://go.microsoft.com/fwlink/?linkid=65788


 

Symantec has recently released information about a critical vulnerability found in their Client Security and AntiVirus Corporate Edition products that may allow local or remote attackers to crash a system or execute arbitrary code.

The following Symantec Client Security products are affected:

  • v3.1 (build 3.1.0.394)
  • v3.1 (build 3.1.0.400)
  • v3.0 (build 3.0.2.2000)
  • v3.0 (build 3.0.2.2001)
  • v3.0 (build 3.0.2.2010)
  • v3.0 (build 3.0.2.2020)

The following Symantec Antivirus Corporate Edition products are affected:

  • v10.1 (build 10.1.0.396)
  • v10.1 (build 10.1.0.400)
  • v10.0 (build 10.0.2.2000)
  • v10.0 (build 10.0.2.2001)
  • v10.0 (build 10.0.2.2010)
  • v10.0 (build 10.0.2.2020)

Security patches to address affected products, as well as more information about this vulnerability, can be obtained at:
http://www.symantec.com/avcenter/security/Content/2006.05.25.html


 

Microsoft has recently released information about a critical vulnerability found in their Exchange Server product. The vulnerability, if exploited, could allow a remote attacker to execute arbitrary code and gain complete control of the Exchange mail server.

The following Microsoft Exchange Server products are affected:

  • Microsoft Exchange Server 2000 with the Exchange 2000 Post-Service Pack 3 Update Rollup of August 2004
  • Microsoft Exchange Server 2003 Service Pack 1
  • Microsoft Exchange Server 2003 Service Pack 2

Security patches to address affected products can be obtained at:
http://www.microsoft.com/technet/security/bulletin/ms06-019.mspx


 

A vulnerability has been discovered in Microsoft's Picture and Fax Viewer that allows arbitrary code embedded in image files to be executed without user intervention. This vulnerability can be exploited by simply loading a picture from a malicious website or e-mail message. Microsoft is aware of the problem and is working on a fix. Until an update has been released, users are encouraged to exercise extreme caution when browsing the web or opening e-mails with embedded pictures. It is also important that Anti-virus and Anti-spyware applications be kept up-to-date.


 

Following the daylight savings time change, some backup applications will modify the scheduled backup job start time to preserve a 24-hour time gap between the current and previous day’s job. In particular, CoNetrix has determined Veritas’ Backup Exec version 9.x and greater will push the scheduled backup job back one hour from the original start time. For example, a backup job typically scheduled to start at 10:00pm on Monday will start at 11:00pm on Monday. This may cause conflicts with overlapping scheduled jobs. Veritas states that the problem should automatically correct itself following the first run after the time change. Users should check their scheduled backup jobs to ensure the start time for each job is correct.


 

APC's PowerChute Business Edition 6.x must be upgraded to 7.x. PowerChute software manages the UPS system (Uninterruptible Power Supply).

If you are still using any version of PowerChute Business Edition 6.x, you may experience various computer issues. The most common symptom is that servers are hanging or booting slowly. Other symptoms may be a delay while trying to access the Control Panel or an inability to stop the PBCE Services.

Due to expiration of the Sun Java Runtime Environment certificate, versions 6.x of PowerChute Business Edition will cease to operate normally as of July 27, 2005. Failure to upgrade will result in PowerChute Business Edition no longer providing monitoring and graceful shutdown of your system. In order for PowerChute Business Edition to remain functional, users must upgrade to any version of 7.x.

CoNetrix recommends customers take the following steps to ensure they are not affected by possible problems resulting from the expiration of the Sun Java Runtime Environment certificate:

  • Log on to your servers as an administrative user.
  • Go to: Start -> Settings -> Control Panel -> Administrative Tools -> Services
  • Check the list of services for APCPBEAgent and APCPBEServer

If the services exist:

  • Right-click on the service name and go to Properties
  • On the General tab, change Startup type to Disabled
  • Click OK and close the Services window
  • Upgrade to PowerChute Business Edition 7.x
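
The check-and-disable steps above can also be scripted. This is an added example, not part of the original post or of APC's instructions; the function name `Disable-PowerChute6Service` is hypothetical, and the service names are the two listed above. It does not perform the upgrade to 7.x.

```powershell
# Added example, not from the original post. Run in an elevated session.
function Disable-PowerChute6Service {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Service names taken from the steps above
        [string[]]$Name = @('APCPBEAgent', 'APCPBEServer')
    )
    foreach ($n in $Name) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if (-not $svc) {
            # Service is not installed on this server; nothing to disable
            [pscustomobject]@{ Service = $n; Present = $false; StartMode = $null }
            continue
        }
        if ($PSCmdlet.ShouldProcess($n, 'Set startup type to Disabled')) {
            Set-Service -Name $n -StartupType Disabled
        }
        # Read the start mode back so the result shows what is configured now
        $mode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$n'").StartMode
        [pscustomobject]@{ Service = $n; Present = $true; StartMode = $mode }
    }
}

Disable-PowerChute6Service -WhatIf   # dry run; remove -WhatIf to apply
```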

For more information regarding this vulnerability, please visit:
CRITICAL UPDATE REQUIRED PowerChute Business Edition - Customers Using 6.x Must Upgrade to 7.x due to Java Runtime Environment expiration


 

Personal or confidential information about an individual or organization can be collected and exposed without a person’s prior knowledge or informed consent. This information can be used to compromise a bank's systems or to conduct identity theft. Practices to prevent and detect spyware should be regularly reviewed to ensure that an institution is aware of all risks to its systems and to sensitive customer information.

Tips to Prevent Spyware
http://www.ftc.gov/bcp/conline/pubs/alerts/spywarealrt.htm

  • Update your operating system and Web browser software. Your operating system (like Windows or Linux) may offer free software "patches" to close holes in the system that spyware could exploit.
  • Download free software only from sites you know and trust. It can be appealing to download free software like games, peer-to-peer file-sharing programs, customized toolbars, or other programs that may change or customize the functioning of your computer. Be aware, however, that some of these free software applications bundle other software, including spyware.
  • Don't install any software without knowing exactly what it is. Take the time to read the end-user license agreement (EULA) before downloading any software. If the EULA is hard to find — or difficult to understand — think twice about installing the software.
  • Minimize "drive-by" downloads. Make sure your browser security setting is high enough to detect unauthorized downloads, for example, at least the "Medium" setting for Internet Explorer. Keep your browser updated.
  • Don't click on any links within pop-up windows. If you do, you may install spyware on your computer. Instead, close pop-up windows by clicking on the "X" icon in the title bar.
  • Don't click on links in spam that claim to offer anti-spyware software. Some software offered in spam actually installs spyware.

Install a personal firewall to stop uninvited users from accessing your computer. A firewall blocks unauthorized access to your computer and will alert you if spyware already on your computer is sending information out.

The best prevention is awareness training to help employees adopt the behavior needed to prevent spyware on bank computers and on personal computers that are used to connect to the bank's network. Internet banking customers would also benefit from training. Education should advise of the risks in using public computers, such as those in hotels, libraries, or Internet cafés, because it is uncertain what spyware may have been installed on the public equipment.

Detection includes installing client solutions to block spyware. This software should be run on a regular basis to combat spyware infections.

If you could benefit from spyware prevention or detection services or need assistance with technology support, please contact us.

For more information regarding this vulnerability, please visit:
http://www.fdic.gov/news/news/financial/2005/fil6605.html
http://www.cio-today.com/news/Internet-Users-Change-Habits-for-Spyware/story.xhtml?story_id=020000O5OSBS
http://japantoday.com/e/?content=news&cat=2&id=343907
http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1108774,00.html?track=NL-105&ad=523375
http://www.eweek.com/article2/0,1759,1839427,00.asp


 

The Department of the Treasury recently published Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.

You are probably familiar with the publication of this guidance as described by The Federal Reserve Board at www.federalreserve.gov/boarddocs/press/bcreg/2005/20050323/default.htm

The Text of Common Final Guidance contains Supplement A to Appendix B which is being incorporated into agency regulations. It would be wise for appropriate bank personnel to be familiar with this supplement’s text (found on page 32 of the attachment at www.federalreserve.gov/boarddocs/press/bcreg/2005/20050323/attachment.pdf). The entire document is useful in understanding the overall guidance and thought processes behind the rulings, but the actual guidance text begins on page 32.

The CoNetrix Security Group has reviewed the guidelines and has drafted recommended updates to Information Technology Security Policies. Within the next few weeks, we will contact the banks with which we have worked on such policies. If you have not worked with CoNetrix regarding preparation of security policies and are interested in doing so, please contact us.