
IT@Diocesan House #19 - DioBeth newSpin

INTERESTING WEBSITES: For those of you interested in web marketing or search engine optimization, there are several sites you need to check out:
Google Analytics
Biznology
Church Marketing Sucks
All of the above are good tools for web-based optimization. You might also want to check out Mike Moran's book, Do It Wrong Quickly, which is on web marketing and search engine optimization.

FREE Apple Training:
Lehigh Valley Mall Apple Store: http://www.apple.com/retail/lehighvalley/month/200803.html

Bethlehem:
Thursday, Mar 6, 2008: 06:30 PM-07:30 PM, at Double Click
Intro to iPhoto: See how to edit/manage your photo library and share your pictures with family and friends.

Thursday, Mar 13, 2008: 06:30 PM-07:30 PM, at Double Click
Intro to Leopard: Introduction to Mac OS X 10.5.

Thursday, Mar 20, 2008: 06:30 PM-07:30 PM, at Double Click
Microsoft Office on the Mac: Intro to MS Office '08 for the Mac.

Philadelphia:
Tuesday, Apr 8, 2008: 07:00 PM-09:00 PM, at Sam Ash Philadelphia
Live on Stage with Logic Studio: Logic Studio - from Garage to Studio to the Stage.


From CNN.com:

Consumers confused -- and often wrong -- about digital TV transition
Much of what consumers are learning about the looming shift to digital broadcasting is just plain wrong and could end up costing them money, according to a survey. FULL STORY

Amazon.com adds web services to its offerings
Critics thought it was over the top when Amazon.com Inc. expanded from books into music in 1998. When the Web retailer let competitors start selling things alongside its own inventory in 2000, they said Amazon had gone nuts. FULL STORY

FBI wants palm prints, eye scans, tattoo mapping
The FBI is gearing up to create a massive computer database of people's physical characteristics, all part of an effort the bureau says will better identify criminals and terrorists. FULL STORY / WATCH VIDEO

Free Web site maps crime reports, calls
The inspiration for CrimeReports.com came a decade ago when Greg Whisenant made the mistake of letting a stranger, who turned out to be a burglar, into his apartment building in Arlington, Virginia. FULL STORY

Communing without nature
As people spend more time communing with their televisions and computers, the impact is not just on their health, researchers say. Less time spent outdoors means less contact with nature and, eventually, less interest in conservation and parks. FULL STORY

Microsoft tinkers with scary-smart ads
Microsoft Corp.'s online advertising researchers will spend this year teaching computers to be smart about sticking ads into video clips, and to be even smarter about targeting ads to specific Web surfers. FULL STORY

Facebook fraudster 'stole prince's ID'
Moroccan authorities arrested a state-employed engineer on Wednesday for allegedly stealing the identity of King Mohammed VI's younger brother on the Internet site Facebook, the official news agency said. FULL STORY

China cuts online video a little slack
China's government has eased new Internet controls that had limited video-sharing to state companies, saying private competitors already operating in the fast-growing arena may continue. FULL STORY

Reusable camera pill would be about $300
Technology that doctors expect will help detect precancerous cells faster and less painfully also could someday take cameras to parts of the body where no camera has gone before. FULL STORY

Yahoo to reject Microsoft bid - source
Yahoo plans to reject Microsoft's $44.6 billion takeover bid, the Wall Street Journal reported Saturday, citing a person familiar with the situation. FULL STORY

EBay's PayPal funds freeze plan draws fire
In the uproar that erupted over the planned fee hikes and other policy changes eBay announced last week, one drew particular ire and incredulity: eBay's plan to hold payments sent through its PayPal payment service for up to 21 days in certain circumstances. FULL STORY

From the Christian Science Monitor:

Facebook used to target Colombia's FARC with global rally
Internet site to spawn protests in 185 cities Monday against rebel group's methods.
http://www.elabs5.com/ct.html?rtr=on&s=o1l,j69,er,be98,ajy8,2n9,aafe

Building at World Trade Center is a showcase of terrorproof technologies
Architects around the world are erecting skyscrapers that use a hollow concrete core surrounded by bomb-resistant glass and other security innovations.
http://www.elabs5.com/ct.html?rtr=on&s=o1l,j69,er,1lbg,dzr7,2n9,aafe

Resume advice for the over-50 crowd
Those with lengthy work histories must keep resumes brief and adjust to today's digital times, career specialists say.
http://www.elabs5.com/ct.html?rtr=on&s=o1l,j69,er,bosi,1cne,2n9,aafe

Essay: Need a new password? Here's literary help.
Be inventive when changing those computer passwords every few months.
http://www.elabs5.com/ct.html?rtr=on&s=o1l,j69,er,l8r6,jpj8,2n9,aafe

Colombians tell FARC: 'Enough's enough'
In a march organized on Facebook, hundreds of thousands protested against the leftist rebel group Monday.
http://www.elabs5.com/ct.html?rtr=on&s=o1l,jin,er,ez5o,1j12,2n9,aafe

We're on information overload
Kids can't focus these days, and neither can I.
http://www.elabs5.com/ct.html?rtr=on&s=o1l,jin,er,iam2,jzgu,2n9,aafe


Godtube.com puts Christian worship online
Entrepreneur Chris Wyatt draws millions to GodTube.com, a website with Christian content that features prayer walls, video clips, and social networking.
NEW YORK - Chris Wyatt bears many marks of the Internet Generation. His thumbs beat out text messages on his BlackBerry, while his 60-gig iPod croons a soundtrack for his life. He also sprinkles his conversation with words like "dude" and "man."
Click here to continue reading...
http://www.elabs5.com/ct.html?rtr=on&s=o1l,jlw,er,lh8b,855r,2n9,aafe

In China, texting home for the New Year
Modern technologies update Chinese traditions as billions of text messages zing phone to phone.
http://www.elabs5.com/ct.html?rtr=on&s=o1l,jmv,er,gpty,79m3,2n9,aafe

What's in a (domain) name? Some serious cash.
At least 100 domain names sold for more than $100,000 last year.
http://www.elabs5.com/ct.html?rtr=on&s=o1l,jx7,er,cps4,16n8,2n9,aafe

Humor: A dog becomes a victim of identity theft
The ID tag of Sir Barks-a-lot, a black Lab, is stolen by a German shepherd owner, who pins a crime on the unsuspecting hound.
http://www.elabs5.com/ct.html?rtr=on&s=o1l,jxv,er,egih,j2i3,2n9,aafe

Burma's censors monitor Internet, newspapers - and poets
The regime has watched the media more closely since last September's uprising by monks.
http://www.elabs5.com/ct.html?rtr=on&s=o1l,kgk,er,kq89,32li,2n9,aafe


Homeless: Can you build a life from $25?
In a test of the American Dream, Adam Shepard started life from scratch with the clothes on his back and twenty-five dollars. Ten months later, he had an apartment, a car, and a small savings.
http://www.elabs5.com/ct.html?rtr=on&s=o1l,kgv,er,l43l,e8cy,2n9,aafe

In opening Iran's first major space center and unveiling the country's first domestically built satellite Monday, President Mahmoud Ahmadinejad said Iran needs to have "an active and influential presence in space." According to state-run television, Iran launched a research rocket that was its first into space, reaching more than 60 miles above the earth.

The amount of water that flows in the Mississippi River has increased 9 percent since 1950 and carbon levels have risen 40 percent, according to a research article in the journal Nature. The authors cite farming practices, including irrigation and soil treatments, and new crop types, as the probable reasons why a greater percentage of rainfall makes it into the river instead of evaporating into the atmosphere.

Dozens of families separated for decades by the border dividing North and South Korea exchanged video messages with their kin Tuesday under a new program. The two Koreas plan to continue the exchange every three months.

Enhanced security technology is now in use at three airports, with Boston the latest to introduce equipment for digitally scanning each finger of foreign travelers, not just their index fingers, as has been done since 2004. More complete fingerprinting, previously introduced in Washington and Atlanta, is slated to be used at all the nation's international airports, seaports, and border crossings by the end of the year.

From Macworld.com:

Review: MacBook Air
The decision about whether the MacBook Air is a product worth having can be answered by one question: How much are you willing to compromise? In his extensive review of the latest Apple laptop, Jason Snell looks at what trade-offs you'll have to make and whether the MacBook Air is the right machine for your needs. Read the story

Copy files from 10.5 Preview's sidebar
http://www.macworld.com/article/131793/2008/01/dicttricks.html?lsrc=mwhints

From PCWorld.com:

PBS Adds iTunes U Content
Apple's iTunes U offerings have expanded this week with new content from the PBS network. Read the story

More Options With Tomorrow's Cell Phones
Install the software and services you want--plus, enjoy cameras, portable game consoles, and more with access to wireless networks. Read the story

Cut Cables Force Worldwide 'Net Traffic Rerouting
A preliminary investigation links the cuts to a ship's anchor that dragged and ripped into the two fiber optic undersea cables. Read the story

Hackers Can Expose Masked Surfers, Study Says
A researcher says the techniques to stay anonymous online can be thwarted through flaws in the systems. Read the story

25 Moments From Our First 25 Years
We at PC World have seen technology history--lots and lots of it. And maybe even made a little of it ourselves. Read the story

Rock On! iPods Won't Hurt Your Heart
Magnetic fields produced by Apple iPods and other such portable music devices don't interfere with cardiac pacemakers, an FDA study says. Read the story

Three Plead Guilty in Nigerian Spam Scheme
E-mail sob stories that turn out to be scams could bring jail terms for the trio who coaxed $1.2 million from victims. Read the story

Facebook, MySpace Hit by Zero-Day Flaw
Exploit code affecting an unpatched flaw in an image uploader used by both Facebook and MySpace is circulating publicly. Read the story

Portable Hard Drive Requires Password
The new USB-based SATA EZSecu disk drive comes with a keypad to enter a PIN for access. Read the story

New Mac Gaming Site Serves Disabled Users
AssistiveGaming.com launches to make computer games more accessible to fans with physical disabilities. Read the story

Users' Bad Habits Invite Malware, Forum Says
A spyware forum panel suggests users' sloppy security practices are a major contributor to problems. Read the story

25 Products We Can't Live Without
Here's the stuff you'd have to pry from the hands of the PC World staff. View the slideshow

Hackers Rig Google to Deliver Malware
The latest malware trend should prompt you to think twice about the links you click next time you search. Read the story

5 Cool Cell Phone Accessories
Having a flashy phone just isn't enough anymore. These add-ons will help you chat and listen to your tunes in style. Read the review

25 Answers To Common Tech Questions
How can you make Vista less annoying? Or back up your data easily? Or preserve your pricey new HDTV's picture? We've got solutions for these and 22 other common tech conundrums. Read the article

Use Google Apps to Build Your Business
AdWords, AdSense, and Google Analytics can help you grow the reach of your Web site and help you make money. Read the article

Open Your Business to Open-Source Apps
These nine free alternatives to commercial software applications can improve your productivity--and save you money. Read the article

How the Presidential Candidates Stand on Technology
From broadband speeds to patent reform, lots of important technology issues face the United States. Here's your guide to how the presidential candidates view the major questions. Read the story

Apple Is Third Largest Smart Phone Company
With the iPhone in only four countries, Apple has become the world's third largest smart phone supplier. Read the story

Security Pros: Kill ActiveX
A wave of bugs in the plug-in technology used by Microsoft's browser has some security experts recommending that users disable all ActiveX controls. Read the story

Microsoft Offers Small Business Software Subscriptions
The new Open Value Subscription program gives additional software license options to small businesses. Read the story

Mac Hack Contest May Include Linux and Vista
The CanSecWest security research conference promoters are thinking about giving hackers another shot at hacking a Mac, as well as Linux- and Windows-based PCs. Read the story

Why Users Hate Vista
Hands-on users of the new OS are proving to be the most resistant. Read the story

Four Services Inspired by Firefox and How They Were Built
The four applications serve different purposes: A Web browser, a music player and organizer, another that does the same for video, and a word processor for screenwriters. Read the story
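The "Kill ActiveX" item above only reports the advice. As an added example, not code from PC World or from this newsletter, the PowerShell below shows what that advice looks like when applied to Internet Explorer's per-zone registry settings for the current user: it reads the current state of the three ActiveX-related settings and then sets the Internet and Restricted Sites zones to Disable. The zone numbers, value names and data codes are the ones Microsoft documents for IE security zones (Zones\3 = Internet, Zones\4 = Restricted Sites; 1200 = Run ActiveX controls and plug-ins, 1201 = Initialize and script ActiveX controls not marked as safe, 1004 = Download unsigned ActiveX controls; 0 = Enable, 1 = Prompt, 3 = Disable) and are assumed to apply to the IE version in use.

```powershell
# Added example: read and harden Internet Explorer's ActiveX settings per security zone.
# Not from the newsletter or PC World. Assumes Microsoft's documented IE zone registry layout:
#   Zones\3 = Internet, Zones\4 = Restricted Sites
#   1200 = Run ActiveX controls and plug-ins
#   1201 = Initialize and script ActiveX controls not marked as safe for scripting
#   1004 = Download unsigned ActiveX controls
#   data: 0 = Enable, 1 = Prompt, 3 = Disable
# HKCU affects only the current user; a fleet-wide setting belongs in Group Policy (or HKLM).
$ZoneBase = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActiveXSettings = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1004' = 'Download unsigned ActiveX controls'
}
$StateName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXPolicy {
    # Report the effective registry value for each ActiveX setting in the given zones.
    param([int[]]$Zones = @(3, 4))
    foreach ($z in $Zones) {
        $key = Join-Path $ZoneBase "$z"
        foreach ($name in $ActiveXSettings.Keys) {
            $raw = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                Zone    = $z
                Value   = $name
                Setting = $ActiveXSettings[$name]
                State   = if ($null -eq $raw) { 'not set (zone default applies)' }
                          elseif ($StateName.ContainsKey([int]$raw)) { $StateName[[int]$raw] }
                          else { "unknown ($raw)" }
            }
        }
    }
}

function Disable-ActiveX {
    # The weak setting the advice targets is 0 (Enable); the corrected setting is 3 (Disable).
    # Use 1 (Prompt) instead of 3 only where a line-of-business site still needs a control.
    param([int[]]$Zones = @(3, 4), [int]$Data = 3)
    foreach ($z in $Zones) {
        $key = Join-Path $ZoneBase "$z"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $ActiveXSettings.Keys) {
            Set-ItemProperty -Path $key -Name $name -Type DWord -Value $Data
        }
    }
}

Write-Host 'Before:'
Get-ActiveXPolicy | Format-Table -AutoSize
Disable-ActiveX
Write-Host 'After:'
Get-ActiveXPolicy | Format-Table -AutoSize
```

Run it in a normal (non-elevated) PowerShell session to change only your own profile; open a new IE window afterwards, since the zone settings are read when the browser starts. On a managed network the same three settings are exposed under the Internet Control Panel / Security Page administrative templates, which is where they belong rather than in per-user scripts.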

Time Warner to Split AOL Internet Business
Time Warner will run the Internet access and audience businesses of its AOL segment independently, the company said today. Read the story

Technology Gets Chic
A fashion show at the Boston Museum of Science blended high tech with high fashion. Read the story

ZebraHosts Announces Mac Hosting
New ZebraHosts service lets data center admins deploy Apple machines in dedicated rack space. Read the story

Last Call: Analog Cell Phone Service Disappearing
Most phones now use digital service, but home and business owners with alarm systems may miss the analog signal. Read the story

Yahoo Cancels Limits on Small Biz Hosted Storage
The new monthly Web hosting service for small and medium sized businesses provides unlimited hosted storage capacity and bandwidth. Read the story

Yahoo Said to Beef Up Talks With Google
Yahoo looks for alternatives to Microsoft's unsolicited $44.6 billion takeover bid, according to a report in the Los Angeles Times. Read the story

Study: iPhone Dominant as Motorola Falls
New research claims consumers are searching out more advanced phones -- with Apple's iPhone and RIM's Blackberry leading the trend. Read the story

New Apple Patents Show Range of Technologies
Forty-seven Apple patents have been published by the U.S. Patent and Trademark Office showing off upcoming product changes. Read the story

Keep Windows XP Until 2009, Analysts Tell Microsoft
Microsoft may have pushed a too-aggressive XP transition schedule because of how long it took to release Vista, an analyst suggests. Read the story

Hacked Antivirus Site Delivers a Virus
The Web site of AvSoft Technologies attempts to install a virus on visiting PCs, security firm warns. Read the story

Encryption Brings New Risks, Experts Say
Security workers warn that encrypting stored data doesn't truly protect it, and you're fooling yourself if you think so. Read the story

From ITBusiness Edge/Daily Edge:

Phishers Go Whaling
The names given to various Internet scams are amusing. They also are important. Common sense says that the more precisely a threat is defined, the more effective technical countermeasures will emerge. Simply put, the better folks understand the issues, the better the odds are of staying safe — and it all starts with evocative names. But the names proliferate: phishing, spear phishing, pharming and drive-by-phishing. In a relatively recent innovation, there now is whaling. All of these terms refer to efforts to get folks to surrender valuable information or to click on links that do bad things to their systems, such as plant key loggers and spyware. Read Full Article

Open Source Implications of Microsoft-Yahoo
Microsoft's $44.6 billion bid for Yahoo is all over the news, of course, and pundits are analyzing the possibility from all angles. Will a Microsoft/Yahoo combo give Google a run for its money? Will the government gear up for yet another antitrust investigation? Does it automatically take the sting out of (and the suspicion away from) the Google-DoubleClick deal? News.com blogger Matt Asay raises another relevant question: If the deal goes through, what implications will a Microsoft-Yahoo combination have for open source? In his view, it puts Microsoft squarely in the open source game — like it or not. Read Full Article

Barracuda: We Will Defend Open Source Against Patent Threat
When I see the words "open source" and "patent threat," I automatically think "Microsoft and Linux." So when news of Barracuda Networks' fight with Trend Micro over ClamAV began to surface, it took me awhile to wrap my head around the situation. Here are the basics, from Barracuda's point of view: Trend Micro wrote a letter informing the open source security appliance provider that some of its products violated a Trend Micro patent. Upon discovering that the patent covered technology used in the ClamAV open source project, the company filed a lawsuit seeking a declaratory judgment that the patent is invalid and not infringed. Now the case is being investigated by the International Trade Commission, and Barracuda is asking the open source community for help researching prior art. Read Full Article

Users Cutting Corners, Not Crooks, Are Main Inside Threat
Human nature dictates that malicious inside threats get more attention than folks who cut security corners out of ignorance or because they want to do their jobs more efficiently. But these non-malicious threats actually are far greater, says Matt Flynn, the strategist for NetVision. Luckily, many tools will do as good a job catching well-meaning employees bypassing security as a malcontent trying to steal valuable data. It is important, however, that security staffs put measures in place to closely track both groups. Read Full Article

Noted Intranets Make Liberal Use of Web 2.0
Many companies are still struggling to determine when and where it makes sense to employ Web 2.0 technologies at work. Yet at least one application — the company intranet — appears to be a fairly obvious candidate to me. So it's not surprising that the winners of Nielsen Norman Group's (NNG's) annual Ten Best Designed Intranets competition make liberal use of such Web 2.0 features as advanced personalization. Read Full Article

Get the Full Network Security Picture
Network security analysts have so much data coming at them from so many different devices that it's hard to get a handle on what's really going on sometimes, says Packet Analytics' Andy Alsop. The company's new tool gives them what they need to get a "full context" picture. Read Full Article

U.S. Tops in Tech Use :: Reuters
Web Site Takes Recruiting up a Notch :: Inc.com
Cut Cables Cause Internet Outages in India :: USA Today
Late or Not, Dell Enters VoIP Market :: GigaOM
Blogger Calls Cloud Computing Just Plain Goofy :: ZDNet
Vista May Be Linux's Best Friend :: The Chief Officers' Network
Open Solutions Alliance to Open European Chapter :: LinuxWorld
Insight on HP's Open Source Initiative :: News.com
Trolltech: Another Open Source Company Gobbled Up :: News.com
French Police Dump Windows for Ubuntu :: The Register
Government Using Wiki to Swap Info :: The Washington Post
Gphone Speculation Mounts Again :: MarketingWeek
Gartner Predicts More Macs and More :: InformationWeek
Microsoft Makes $44.6 billion Bid for Yahoo :: TechCrunch
Broad Encryption Deployment Key to Data Security :: News.com
Web Apps, Phishing Responsible for Security Vulnerabilities :: InformationWeek
Phishers Sharpening Their Harpoons :: Dark Reading
Cisco Pushes High-Performance Firewall :: internetnews.com
Storm Botnet Not Going Anywhere :: Computerworld

From IEEE Spectrum:

Detroit Auto Show: Diesels Turn Green and Ecofriendly
Hybrid cars took a backseat to diesels, and GM went on an eco-offensive, but pickup trucks were still the big deal at the Detroit auto show.

Dean Kamen's "Luke Arm" Prosthesis Readies for Clinical Trials
DARPA may decide the fate of Dean Kamen's next-generation prosthetic arm.

Gadgets Gab at 60 GHz
Cheap silicon transceivers broadcasting in this still-unlicensed band may usher in the hi-def wireless home.

Across the Outback on Photons Alone
With Australia's desert as its raceway, the World Solar Challenge illuminates some of the best electric-vehicle technology.

The Erasable Holographic Display
New three-dimensional holographic material can be written and rewritten indefinitely, paving the way toward 3-D movies.

From Techtarget.com:

INFORMATION SECURITY REQUIRES ORGANIZED TEAMS
Joel Dubin, CISSP, Contributor
http://go.techtarget.com/r/2995785/5300425

ENTERPRISE SECURITY IN 2008: ASSESSING ACCESS MANAGEMENT
Joel Dubin, Contributor
Let's start with a key piece of the remote access and endpoint security puzzle: network authentication for mobile devices like laptops, BlackBerrys, PDAs and other wireless equipment. For road warriors armed with laptops, the old standby VPNs -- both IPsec and SSL -- will continue to grow and dominate because of their successful track record, ease of deployment and reasonable cost, though SSL will still outpace IPsec.
http://go.techtarget.com/r/3004673/5300425

WHITE PAPERS:

The Four Essentials of WAN Optimization from Packeteer

TITLE: "Physical Security in Mission Critical Facilities"
URL: http://go.techtarget.com/r/2989583/3976660/2
PUBLISHER: APC
TYPE: White Paper

10 Steps to Security and Compliance
http://go.techtarget.com/r/3013383/5300425

Outbound Email and Content Security in Today's Enterprise
http://go.techtarget.com/r/3013384/5300425

Understanding VPN Technology Choices: Comparing MPLS, IPSec and SSL
http://go.techtarget.com/r/3022991/5300425

The Age of Wireless LANs
http://go.techtarget.com/r/3022993/5300425

SECURITY News:

From SANS:

--Severed Cables Disrupt Service in Mediterranean and Asia
(January 31, 2008)
Two undersea communications cables in the Mediterranean - one near Marseilles, France and the other near Alexandria, Egypt - were accidentally cut on Tuesday, January 29. Different groups operated the two cables, but the damage to both occurred within a matter of hours. Undersea cables can be damaged by movement along fault lines or by ships' anchors. Internet access was disrupted in most of Egypt and in India, and some Verizon customers experienced slow service. Most communications were rerouted through other cables.
http://www.nytimes.com/2008/01/31/business/worldbusiness/31cable.html?ei=5088&en=95a9e51bf6c
http://news.bbc.co.uk/2/hi/technology/7218008.stm
http://news.smh.com.au/damaged-cables-cut-internet-in-mideast/20080131-1p5a.html
[Editor's Note (Schultz): Although it appears that this incident was completely accidental, it is hugely significant in that it provides a glimpse of what might happen when a massive denial of service attack designed to bring the entire Internet down occurs, something that I have predicted will happen this year.
(Honan): If your company outsources services to countries overseas, have you reviewed your business continuity plans lately to determine how an outage like this would impact on your business and what to do in the event that it does?]

--FTC Asks Court to Hold Alleged MySpace Hijackers in Contempt
(January 31, 2008)
The Federal Trade Commission (FTC) has asked a US district court to hold alleged MySpace hijackers in contempt for violating an earlier FTC order that bars them from unfair and deceptive practices. Walter Rines, Sanford Wallace and Rines's company Online Turbo Merchant allegedly used a variety of techniques to redirect MySpace users to other websites where they were inundated with ads, earning the accused commissions. Rines, who previously ran a company called Odysseus Marketing, was accused in October 2005 of offering users free software that came bundled with spyware that bombarded users with pop-ups, replaced legitimate search results with results that benefited the company, and stole information from users. In October 2006, the FTC obtained a permanent injunction that barred the defendants from redirecting users' computers, changing their browser default home pages and from altering functions of other applications.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9060482&source=rss_topic17
http://www.ftc.gov/opa/2008/01/contempt.shtm

--Employee Literally Pulls Plug on Attempted Cyber Theft
(January 31, 2008)
A scheme to steal money from a bank using remote access equipment was foiled when an attentive bank employee realized something was amiss with his computer and unplugged it. The thieves were attempting to transfer a large sum of money from the bank into an account that they would later presumably empty. Swedish police arrested seven people earlier this week in connection with the incident, which occurred last August.
http://www.theregister.co.uk/2008/01/31/remote_access_bank_robbery_unplugged/print.html
http://news.smh.com.au/swedish-bank-stops-digital-theft/20080131-1p53.html
http://www.citynews.ca/news/news_19122.aspx
[Editor's Note (Ullrich): It's nice to see someone paying attention! However, before you start unplugging your systems, consider removing the network cable instead. In some cases, memory forensics can be important. I know some malware researchers who snapped off the little tab on their network cable to make them easier to pull, after accidentally setting off malware (not that I recommend doing so on production systems).
(Ullrich): Kudos to the employee for spotting this attack and reacting to it. Two takeaways from this story: does your security awareness program educate users on what they should do if they see suspicious activity on their system? How stringent are your background checks on the employees, contractors, cleaners and other people who have physical access to sensitive systems?]

--Stolen Laptop Holds Info on 300,000 NJ HMO Members
(January 30 & 31, 2008)
A stolen laptop computer contains personally identifiable information of approximately 300,000 members of New Jersey-based Horizon Blue Cross/Blue Shield health insurance. The compromised data include names and Social Security numbers (SSNs), but not medical information. The laptop was not encrypted, but a security feature on the computer was programmed to delete the data on January 23. The computer was stolen from an employee on January 5. That employee was authorized to have the data on the computer, but taking it off premises without taking proper security precautions was a violation of company policy.
http://www.njherald.com/345987573807788.php
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9060299&source=rss_topic17
http://www.nj.com/news/ledger/jersey/index.ssf?/base/news-9/1201671434279680.xml&coll=1

--Identity Thief Exploits Hotel Business Center and Internet Lounge Computers
Simbaqueba Bonilla, a Colombian national, pleaded guilty January 9, 2008 to an indictment involving an identity theft scheme in which he installed keylogging software on hotel business center computers and Internet lounges in order to steal passwords, account data, and other personal information. The computer fraud scheme had more than 600 victims worldwide, including U.S. Department of Defense employees. Simbaqueba used money obtained in the scheme to buy expensive electronic devices, including a home theater system, and to fund luxury travel to Hong Kong, France, Jamaica, the U.S., and other locations.
More information:
http://www.infoworld.com/article/08/01/10/Colombian-man-pleads-guilty-to-computer-fraud_1.html
[Editor's Note (Reichert): How many of you have sent sensitive personal information (bank accounts, user IDs and passwords, etc.) over a public-use computer or an open wireless connection offered at internet cafes, coffee shops, or hotels? Those of you that raised your hand should rethink how important your personal information is to you.
Editor's Note (Rietveld): Maybe the Department of Defense should mandate that all of its employees subscribe to OUCH! if they still think hotel business center computers and Internet lounges are safe ways to send personal information.]

Security Screw-Up of the Month
Data Lost on 650,000 Credit Card Holders. Personal information on about 650,000 customers of J.C. Penney and up to 100 or more other retailers could be compromised after a computer tape went missing. GE Money, which handles credit card operations for J.C. Penney and many other retailers, said that the missing information includes Social Security numbers for about 150,000 people. The information was on a backup computer tape that was discovered missing last October. It was being stored at a warehouse run by Iron Mountain Inc., a data storage company, and was never checked out, but can't be found either, said Richard C. Jones, a spokesman for GE Money, part of General Electric Capital Corp. Jones said there was "no indication of theft or anything of that sort," and no evidence of fraudulent activity on the accounts involved.
More information:
http://ap.google.com/article/ALeqM5iZchJDcVnuQDNPJsok2PSPr5vwRQD8U808VO0
http://www.news.com/Credit-issuer-says-data-lost-for-650%2C000-customers/2100-1029_3-6226913.html?tag=cd.top

--Higher Education Funding Bill Tied to Anti-Piracy Efforts
(February 7, 2008)
A provision of the College Opportunity and Affordability Act, which was approved this week by the US House of Representatives, requires colleges and universities that participate in federal financial aid programs to develop and implement plans to enforce antipiracy rules, either through subscription services or "technology-based deterrents to prevent" piracy.  The bill will have to be reconciled with a different Senate higher education funding bill before a final version is drafted for the president's signature.
http://www.news.com/8301-10784_3-9867146-7.html?part=rss&subj=news&tag=2547-1_3-0-20
http://thomas.loc.gov/cgi-bin/bdquery/z?d110:h.r.04137:
[Editor's Note (Schultz): To have college funding tied to anti-piracy enforcement is an intriguing approach. Many other anti-piracy approaches in colleges and universities that have been tried have failed. I suspect, however, that this particular approach has a high chance of succeeding given the great need for funding in higher education.]
[Editor's Note (Ullrich): It's not clear why universities are singled out like this. Universities are already exposed to a huge workload in responding to copyright requests and should be allowed to decide if the problem is large enough to require a technical solution.]

--Lawsuit Will Seek Clarification on Electronic Device Searches
(February 7, 2008)
The Electronic Frontier Foundation (EFF) and the Asia Law Caucus plan to file a lawsuit this week that would force the US government to reveal its border search policies, including policy regarding copying electronic content from devices and seizing such devices.  The lawsuit was prompted by a number of cases in which travelers' laptop computers, cell phones, MP3 players and other electronic devices were searched. The searches carried out on the devices go beyond looking at items being transported; according to an Asian Law Caucus attorney, "the government is going well beyond its traditional role of looking for contraband and really is looking into the content of people's thoughts and ideas and their lawful political activities."  If the searches were conducted within the country, they would require warrants and probable cause. Some companies have changed their policies to require travelers not to have company information on laptop computers.  Instead, these people must access company data over the Internet.
http://www.washingtonpost.com/wp-dyn/content/article/2008/02/06/AR2008020604763_pf.html
[Editor's Note (Ullrich): Various countries have laws that prohibit certain data or software from being imported and exported. I kind of like the note at the end that some companies no longer allow travelers to carry any company data in and out of the country. This policy will protect users from lost laptops as well as from searches by non-US customs services. However, it does require a safe way to access the data remotely.]

--Spammer Fined US $2.5 Million
(February 4 & 6, 2008)
The Federal Trade Commission (FTC) has announced that a US judge has ordered Sili Neutraceuticals and its owner Brian McDaid to pay more than US $2.5 million for violations of the FTC Act and the CAN-SPAM Act.  The company and McDaid were ordered to cease sending spam, and to cease misrepresenting the products advertised in the email.  The company sent unsolicited email messages advertising weight loss and age reversing products with unsubstantiated claims and misleading subject fields, no opt-out mechanism, and no physical postal address.
http://www.techworld.com/security/news/index.cfm?RSS&NewsID=11323
http://www.scmagazine.com/uk/news/article/782050/judge-orders-weight-loss-spammer-pay-25-million/
http://www.ftc.gov/opa/2008/02/sili.shtm

DNI CYBER THREAT SUMMARY
DNI has just released a new unclassified threat assessment.  Below is a summary of the assessment; the whole document can be found at:
http://www.dni.gov/testimonies/20080205_testimony.pdf

FROM SNOPES.COM:
New Articles

Did Senator John McCain once say that 'the Democratic Party is a fine party, and I have no problems with it'?

Is the Make-A-Wish Foundation being driven into bankruptcy by a child who wished for unlimited wishes?

Of Pell Grants and more: E-mail claims non-citizens don't pay taxes but are eligible for federal educational assistance programs not available to U.S. citizens.

Photograph purportedly shows Brutus, a canine Medal of Honor recipient who tore the throats out of the insurgent guards holding his handlers before turning his boys loose.


Has the result of this Sunday's Super Bowl already been foretold by a popular film that hit the theaters in December 2007?

"I Have a Deram" — er, what? News report shows Martin Luther King Day celebrants holding misspelled signs.

Was a group of Muslim women clutching briefcases and text messaging during films spotted making a terrorist attack "dry run" in a theater?

Web site offers to sell third-world orphans for adoption as organ donors.

Does a U.S. penny cost more than one cent to manufacture?

E-mail posits a "Bill and Hillary Clinton" presidency. Is it possible?

The malicious 'Storm Worm' is still stealthily infecting computers, this time with a lure tied to Valentine's Day- themed messages.

Was Patriots quarterback Tom Brady once a cast member of The Brady Bunch television series?

Worth a Second Look

Does the winner of the Super Bowl predict stock market trends for the year?

Did actress Catherine Bell correctly predict the results of Super Bowl XXXVI?

Of avocados and toilet flushes: a round-up of miscellaneous Super Bowl legends.

Guitar Man: Musician finally masters extraordinarily difficult guitar part he heard on a record, only to learn the recording had been made using two guitars.

Still Haunting the Inbox

There was no letter to Starbucks from coffee-seeking GI's serving in Iraq, so no response from the coffee retailer saying it didn't support the war and anyone in it.

Many rumors are swirling about Illinois senator Barack Obama.

A 15-year-old boy named Evan Trembley from Wichita Falls, Texas, isn't missing — it's a hoax.

The entreaty to aid 7-year-old Amy Bruce who is dying of lung cancer and a brain tumor by forwarding an email and a sappy poem titled "Slow Dance" is a hoax.

No, the new U.S. dollar coin doesn't omit "In God We Trust" — that phrase has been stamped into its edge.

While it is true that in 2004 a man in India was electrocuted when trying to use his cell phone as it recharged, it is safe to use your cell phone while it is charging.

No, commentator Andy Rooney did not write the "I like big cars, big boats ..." polemic.

Dialing #77 or *677 is not a surefire way of reaching the local highway patrol — the service is in place in some regions, but not in others. If in need of assistance, dial 911 instead for the sure thing.

The missing child alert about 13-year-old Ashley Flores of Philadelphia is a hoax.

809 area code scam: Unsuspecting phone customers have been gulled by con artists into placing calls to area codes in the Caribbean that result in hefty charges.

No, reversing your PIN at the ATM won't summon the police to your aid if you're being robbed.

Hillary Clinton is the subject of many e-mailed items, and our "Clintons" section contains write-ups about a number of them.

No, Bill Gates is not sharing his fortune with everyone who forwards a specific e-mail on his behalf. This tired leg-pull continues to romp through everyone's inbox, the most widespread incarnation swearing "This took two pages of the Tuesday USA Today!"

Virus announcement and virus hoax e-mails are afoot! We try to keep current on them and do our best to point readers to authoritative links confirming or debunking them.

Political rumors continue to swell around the two leading Democratic presidential contenders, Barack Obama and Hillary Clinton.

Appeals to find missing children: Ashley Flores, Reachelle Marie Smith, and Evan Trembley.

E-mail claims cell phone numbers are about to be given to telemarketers.

Computer virus warnings: Life Is Beautiful, Invitation (or Olympic Torch), and Postcard (or Greeting Card).

E-mail claims Starbucks refused to send free coffee to G.I.s serving in Iraq.

E-mail claims Bill Gates, Microsoft and AOL are giving away cash and merchandise to those who forward an e-mail message.

E-mail claims that entering one's PIN in reverse at any ATM will summon the police.

E-mail describes woman who evades a rapist posing as a policeman by calling #77 (or *677) on her cell phone.

Various rumors about the U.S. Social Security system.

Image shows artist's conception of the USS New York, an under-construction warship built using steel from the World Trade Center.

Warnings about scammers' running up long-distance charges by asking victims to press #-9-0 on their telephones or luring phone users into returning calls to numbers within the 809 area code.

"Slow Dance," a poem supposedly written by a terminally ill young girl named Amy Bruce.

E-mail claims the design of new U.S. dollar coins omits the motto "In God We Trust."

E-mail warns that auto thieves are stealing cars by using VINs to obtain duplicate keys.

Transcripts of remarks attributed to television personalities Andy Rooney and Jay Leno.

FDA health advisory regarding drugs containing PPA (phenylpropanolamine).

Web site allocates money to autism research and other charities for every video viewed.

Photograph shows a kayaker being trailed by a Great White shark.

Fraud Afoot

Seems like everyone has become the recipient of mysterious e-mails promising untold wealth if only one helps a wealthy foreigner quietly move millions of dollars out of his country. The venerable Nigerian Scam has discovered the goldmine that is the Internet. Beware — there's still no such thing as "something for nothing," and the contents of your bank account will end up with these wily foreigners if you fall in with this.

Likewise, look out for mailings announcing you've won a foreign lottery you don't recall entering.

Or that because you share the surname of a wealthy person who died without leaving a will you're in line for a windfall inheritance.

And be especially wary if, while trying to sell or rent anything online (car, boat, horse, motorcycle, painting, apartment, you name it) you're approached by a prospective buyer/renter who wants to pay with a cashier check made out for an amount in excess of the agreed-upon price and who asks the balance be sent to a third party.

Aspiring work-at-homers promised big bucks for acting as intermediaries for international transactions wherein they cash checks for other parties or reship goods to them have been defrauded by con artists. Don't you be next.

If someone calls to announce you've failed to appear for jury duty and will be arrested, do not give the caller your personal and financial information in an effort to prove he's sending the gendarmes after the wrong guy. You're being tricked into giving up this information to an identity thief.

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

From SANS:

--ActiveX Control Flaws Affect MySpace and Facebook Users
(January 31, 2008)
Vulnerabilities in two ActiveX controls that Facebook and MySpace members use to upload images to their pages could be exploited to crash Internet Explorer (IE) and possibly allow remote code execution, which could in turn allow attackers to take control of the machine on which IE runs or steal data.  The ActiveX controls in question are based on a commercial control known as Image Uploader.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9060483&source=rss_topic17

-- WORM_SILLYFDC.CY. A worm that disables Windows Automatic Updating and the Task Manager (a part of Windows that provides information about your computer's performance, services and running applications).  The worm is dropped by other malware on infected websites and spreads via removable devices such as USB sticks and portable drives.  Affected computers are unable to get Windows updates automatically. Disabling the Task Manager makes it impossible to check the running processes in order to shut down the infection.
More information:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SILLYFDC.CY
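The write-up above names the two defenses this worm switches off but not how it switches them off. The script below is an added example, not code from this newsletter or from Trend Micro, for triaging a machine that shows those symptoms. Its assumptions are labelled in the comments: that Task Manager is blocked through the standard Windows policy value DisableTaskMgr, that Automatic Updates is stopped through the wuauserv service and/or the AUOptions setting, and that the removable-drive spread relies on an autorun.inf at the root of the drive. The function names are this example's own.

```powershell
# Added example (not from the newsletter or Trend Micro): triage and repair for a
# host showing the symptoms described for WORM_SILLYFDC.CY. Run from an elevated
# PowerShell. ASSUMPTIONS, since the page names symptoms rather than mechanisms:
#  - Task Manager is blocked through the policy value DisableTaskMgr,
#  - Automatic Updates is stopped via the wuauserv service and/or AUOptions,
#  - the USB spread uses an autorun.inf at the root of each removable drive.

$PolicyKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$AutoUpdateKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

function Get-SillyFdcIndicators {
    $findings = @()

    # 1. Task Manager disabled by policy?
    $tm = (Get-ItemProperty -Path $PolicyKey -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
    if ($tm -eq 1) { $findings += 'Task Manager disabled (DisableTaskMgr=1)' }

    # 2. Automatic Updates service stopped, set to Disabled, or turned off in settings?
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"
    if ($svc -eq $null) {
        $findings += 'Automatic Updates service (wuauserv) not present'
    } elseif ($svc.StartMode -eq 'Disabled' -or $svc.State -ne 'Running') {
        $findings += "Automatic Updates service is $($svc.StartMode)/$($svc.State)"
    }
    $au = (Get-ItemProperty -Path $AutoUpdateKey -Name AUOptions -ErrorAction SilentlyContinue).AUOptions
    if ($au -eq 1) { $findings += 'Automatic Updates turned off (AUOptions=1)' }

    # 3. Removable drives (DriveType 2) carrying an autorun.inf.
    foreach ($disk in Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2') {
        $inf = Join-Path $disk.DeviceID 'autorun.inf'
        if (Test-Path $inf) { $findings += "autorun.inf present on removable drive $($disk.DeviceID)" }
    }
    return ,$findings
}

function Get-ProcessSnapshot {
    # Task Manager substitute while it is blocked: every process with its image path.
    Get-Process | Sort-Object -Property Id | Select-Object Id, Name, Path
}

function Repair-SillyFdcDamage {
    # Task Manager: delete the policy value rather than set it to 0; on an
    # unmanaged workstation the value should not exist at all.
    if (Test-Path $PolicyKey) {
        Remove-ItemProperty -Path $PolicyKey -Name DisableTaskMgr -ErrorAction SilentlyContinue
    }
    # Automatic Updates: restore the service, then the setting.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"
    if ($svc -ne $null) {
        $svc.ChangeStartMode('Automatic') | Out-Null
        if ($svc.State -ne 'Running') { $svc.StartService() | Out-Null }
    }
    if (Test-Path $AutoUpdateKey) {
        # 4 = download and install automatically; adjust to the site's normal setting.
        Set-ItemProperty -Path $AutoUpdateKey -Name AUOptions -Value 4 -Type DWord
    }
}

$indicators = Get-SillyFdcIndicators
if ($indicators.Count -eq 0) {
    Write-Host 'No SILLYFDC indicators found.'
} else {
    $indicators | ForEach-Object { Write-Host "INDICATOR: $_" }
    Get-ProcessSnapshot | Format-Table -AutoSize
    Repair-SillyFdcDamage
    Write-Host 'Task Manager and Automatic Updates restored; the worm itself still needs an AV scan.'
}
```

This restores the two defenses and gives a process list while Task Manager is unavailable; it does not remove the worm, so run a full antivirus scan afterwards and treat any removable drive that carried an autorun.inf as infected until it has been scanned.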

-- Secret Crush. Adware* with over 50,000 daily users on Facebook that invites people to find out who amongst their friends has a secret crush on them. Users tempted to discover more have to invite at least five other Facebook users to install the application before their mystery admirer is revealed. However, no secret crush is ever revealed. Instead users are directed to an external website that invites Facebook users to download potentially unwanted applications that will display pop-up advertising.
More information:
http://www.sophos.com/pressoffice/news/articles/2008/01/facebook-adware.html
*Adware: A form of spyware, installed and activated on your computer without your consent, that collects information about your browsing patterns and uses it to display targeted advertisements as pop-ups in your web browser.

-- Storm Worm encore. A Trojan repackaged yet again.  This incarnation of the "Dorf" Trojan sends out emails posing as messages of love in an attempt to lure unsuspecting users to dangerous websites. The emails sport subject lines such as "Falling In Love with You," "Special Romance," and "You're In My Thoughts."  The body of the email contains a link to a website that is actually one of the many compromised computers in the worldwide Storm botnet. The website displays a large red heart, while installing malware onto the visitor's computer.
More information:
http://www.sophos.com/pressoffice/news/articles/2008/01/love-storm.html

-- Win32/Agent. A Trojan-like malware that found its way onto a popular brand of digital photo frames sold by Best Buy, both online and in-store. The affected frames are limited to the 10.4-inch version (model# NS-DPF10A) of Best Buy's own Insignia brand photo frames, although there are reports of the same malware found on similar devices bought from Sam's Club.  Best Buy spokesperson Nissa French said the virus was apparently introduced at some point in the manufacturing process.
More information:
http://www.theregister.co.uk/2008/01/25/best_buy_digital_frames_virus/
http://isc.incidents.org/diary.html?storyid=3892

--Drive-by Download* Menace Spreading Fast
Booby-trapped web pages are growing at an alarming rate with unsuspecting firms acting as nurseries for botnet farmers, according to a new study. Security watchers at Sophos** are discovering 6,000 new infected webpages every day, the equivalent of one every 14 seconds. Four out of five of these webpages actually belong to innocent companies and individuals, unaware that their sites have been hacked. Websites of all types, from those of antique dealers to ice cream manufacturers and wedding photographers, have hosted malware on behalf of virus writers.
More information:
http://www.theregister.co.uk/2008/01/23/booby_trapped_web_botnet_menace/
* http://en.wikipedia.org/wiki/Drive-by_download
** http://www.sophos.com/

--Pharming*: Home Router Attack Serves Up Counterfeit Webpages
A security researcher says he has observed criminals using a new form of attack that causes victims to visit spoofed banking pages by secretly making changes to their high-speed home routers. According to Symantec researcher Zulfikar Ramzan, the attack changes a router's settings which can then send a user to a rogue web site instead of the one they requested.  Malicious code embedded in an email message he uncovered caused the URL for a popular Mexico-based bank to map to a fraudulent website controlled by the attackers.
More information:
http://www.symantec.com/enterprise/security_response/weblog/2008/01/driveby_pharming_in_the_wild.html
http://www.theregister.co.uk/2008/01/23/pharming_attack_in_the_wild/
* http://en.wikipedia.org/wiki/Pharming

--Mozilla Releases Firefox Update
(February 7, 2008)
Mozilla has released Firefox 2.0.0.12, an update for the open source browser that addresses a number of flaws, three rated critical, one rated high, and three rated moderate.  The flaws addressed could be exploited to conduct cross-site scripting attacks, execute code, and steal information that could be used to commit identity fraud.  The update fixes a disclosed directory traversal vulnerability that affected the browser if it had add-ons with flat packaging.
http://www.eweek.com/index2.php?option=content&task=view&id=46262&pop=1&hide_ads=1&page=0&hide_js=1
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.12


--Lack of Documentation Accompanying Adobe Reader Update Raises Questions
(February 6, 2008)
Adobe has issued an update for Adobe Reader 8 (specifically 8.1.2), but there was no accompanying public documentation on the severity of the flaws addressed.  The summary in Adobe's security advisory says "the update includes several important security fixes, among them a few of critical severity that could be remotely exploitable."  An Adobe spokesperson said the company "plan[s] to share further information on the topic within a few days ..., at which point the company has completed the process of responsible disclosure with third-party stakeholders."  The statement suggests that at least one of the vulnerabilities involves third-party software licensed by Adobe.
Internet Storm Center:
http://isc.sans.org/diary.html?storyid=3955
http://www.eweek.com/c/a/Security/Adobe-Ships-Silent-Fix-for-Critical-PDF-Reader-Flaw/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9061299&source=rss_topic17
http://www.adobe.com/support/security/advisories/apsa08-01.html
[Guest Editor's Note (Raul Siles, Internet Storm Center): It is a serious flaw that may cause remote code execution, and proof-of-concept (PoC) code is already available from a commercial pen-testing tool vendor.]

--ActiveX Flaws in Yahoo! Jukebox Are Being Actively Exploited
(February 4, 5 & 6, 2008)
Attackers have begun exploiting recently disclosed ActiveX flaws in Yahoo! Music Jukebox.  Two ActiveX controls in the media player are vulnerable to buffer overflow attacks.  The malware places backdoors on vulnerable machines; there is no fix available at this time. ActiveX vulnerabilities in other products have also been disclosed recently. Yahoo! has announced that it plans to switch its customers over to RealNetworks' Rhapsody service.
http://www.theregister.co.uk/2008/02/05/yahoo_jukebox_vuln/print.html
http://www.heise-online.co.uk/security/Holes-in-numerous-ActiveX-controls--/news/103006
http://www.scmagazineus.com/ActiveX-control-flaws-found-in-Yahoo-Music-Jukebox-FrSIRT/article/104937/
http://www.scmagazine.com/uk/news/article/782053/yahoo-switches-jukebox-users-rhapsody-exploit-activex-control-flaw-appears-wild/

--US-CERT Recommends Disabling All ActiveX Controls
(February 5, 2008)
The recent spate of ActiveX vulnerabilities has led the US Computer Emergency Readiness Team (US-CERT) to recommend that users disable all ActiveX controls.  Vulnerabilities have been disclosed in ActiveX controls in the Facebook and MySpace social network sites and Yahoo! Messenger, Instant Messenger and Music Jukebox media player.  Internet Explorer users can disable ActiveX controls by setting the browser's security level to "high."
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9061101&source=NLT_PM&nlid=8
http://www.zdnetasia.com/news/security/0,39044215,62037417,00.htm
http://www.zdnetasia.com/news/security/0,39044215,62037415,00.htm
[Editor's Note (Ullrich): Internet Storm Center handler Tom Liston wrote a little GUI tool which will allow you to disable these ActiveX controls. See http://isc.sans.org/diary.html?storyid=3931]

HIGH: Multiple Yahoo! Jukebox ActiveX Controls Multiple Vulnerabilities
Affected:
Yahoo! Jukebox mediagrid.dll ActiveX Control
Yahoo! Jukebox datagrid.dll ActiveX Control
Description: Yahoo! Jukebox is Yahoo's popular music management service. Part of its functionality is provided by two ActiveX controls, "mediagrid.dll" and "datagrid.dll". These controls contain multiple buffer overflow vulnerabilities in their handling of a variety of parameters. A malicious web page that instantiated one of these controls could trigger one of these vulnerabilities, allowing an attacker to execute arbitrary code with the privileges of the current user. Multiple proofs-of-concept and technical details are publicly available for these vulnerabilities.
Status: Yahoo! has not confirmed, no updates available. Users can mitigate the impact of these vulnerabilities by disabling the affected controls via Microsoft's "kill bit" mechanism for CLSIDs "22FD7C0A-850C-4A53-9821-0B0915C96139" and "5F810AFC-BB5F-4416-BE63-E01DD117BD6C". Note that this may affect normal application functionality.
References:
Proofs-of-Concept
http://milw0rm.com/exploits/5052
http://milw0rm.com/exploits/5051
http://milw0rm.com/exploits/5048
http://milw0rm.com/exploits/5046
http://milw0rm.com/exploits/5043
Microsoft Knowledge Base Article (details the "kill bit" mechanism)
http://support.microsoft.com/kb/240797
Yahoo! Jukebox Home Page
http://music.yahoo.com/jukebox/
SecurityFocus BIDs
http://www.securityfocus.com/bid/27578
http://www.securityfocus.com/bid/27579


HIGH: Multiple Uploader ActiveX Controls Buffer Overflows
Affected:
MySpace Uploader ActiveX Control
Facebook Photo Uploader 4 ActiveX Control
Aurigma ImageUploader ActiveX Control
Description: Multiple image uploading ActiveX controls contain buffer overflows in their handling of control properties. These controls are used by several web sites to facilitate image uploading. Most importantly, these controls are used by two extremely popular social networking sites, MySpace and Facebook. A specially crafted web page that instantiates one of these controls could exploit this buffer overflow to execute arbitrary code with the privileges of the current user. A proof-of-concept and full technical details are publicly available for this vulnerability.
Status: MySpace has not confirmed, no updates available. Users can mitigate the impact of this vulnerability by disabling the affected controls via Microsoft's "kill bit" mechanism using CLSIDs "48DD0448-9209-4F81-9F6D-D83562940134" and "6E5E167B-1566-4316-B27F-0DDAB3484CF7". Note that this may affect normal application functionality.
References:
Proof-of-Concept
http://milw0rm.com/exploits/5025
Microsoft Knowledge Base Article (details the "kill bit" mechanism)
http://support.microsoft.com/kb/240797
SecurityFocus BIDs
http://www.securityfocus.com/bid/27533
http://www.securityfocus.com/bid/27534
http://www.securityfocus.com/bid/27539
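Both advisories above, the Yahoo! Jukebox one and the image uploader one, give the same mitigation: set the Internet Explorer "kill bit" on the listed CLSIDs. The script below is an added example, not code from this newsletter, from SANS, or from Microsoft, that sets and then verifies the kill bit using the registry mechanism KB 240797 documents (a DWORD "Compatibility Flags" with bit 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}). The CLSIDs are the ones quoted in the two advisories; the function names are this example's own, and writing the bit to the Wow6432Node hive as well (where 32-bit IE on 64-bit Windows looks) is an assumption about the host that the advisories do not discuss.

```powershell
# Added example (not from the newsletter, SANS, or Microsoft): set and verify the
# IE "kill bit" for the ActiveX controls named in the two advisories above.
# Mechanism per Microsoft KB 240797: a DWORD "Compatibility Flags" with 0x400 set
# under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# stops IE from ever instantiating that CLSID. Run from an elevated PowerShell.

$KillBit = 0x400

# CLSIDs exactly as quoted in the advisories above.
$Targets = @{
    '{22FD7C0A-850C-4A53-9821-0B0915C96139}' = 'Yahoo! Jukebox control'
    '{5F810AFC-BB5F-4416-BE63-E01DD117BD6C}' = 'Yahoo! Jukebox control'
    '{48DD0448-9209-4F81-9F6D-D83562940134}' = 'MySpace/Facebook/Aurigma image uploader control'
    '{6E5E167B-1566-4316-B27F-0DDAB3484CF7}' = 'MySpace/Facebook/Aurigma image uploader control'
}

# ASSUMPTION about the host (not from the advisories): on 64-bit Windows the
# 32-bit IE reads the Wow6432Node hive, so the bit is written to both when present.
$BaseKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-ApplicableBaseKeys {
    # Skip the Wow6432Node path on a 32-bit OS, where its parent key does not exist.
    $BaseKeys | Where-Object { Test-Path (Split-Path -Path $_ -Parent) }
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory=$true)][string]$Clsid)
    foreach ($base in Get-ApplicableBaseKeys) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the kill bit into whatever flags are already there instead of overwriting them.
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $flags = ([int]$current) -bor $KillBit
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory=$true)][string]$Clsid)
    # True only if every applicable hive has the key with the bit set.
    $hives = @(Get-ApplicableBaseKeys)
    if ($hives.Count -eq 0) { return $false }
    foreach ($base in $hives) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { return $false }
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ((([int]$current) -band $KillBit) -eq 0) { return $false }
    }
    return $true
}

foreach ($clsid in $Targets.Keys) {
    Set-ActiveXKillBit -Clsid $clsid
    $state = if (Test-ActiveXKillBit -Clsid $clsid) { 'kill bit set' } else { 'kill bit NOT set' }
    Write-Host ('{0}  {1}  ({2})' -f $clsid, $state, $Targets[$clsid])
}
```

Close and reopen Internet Explorer after running it; the bit is read when a control is instantiated. As both advisories warn, the affected sites' upload features and the Jukebox's browser integration will stop working until the vendors ship fixed controls, at which point the bit can be cleared by deleting the CLSID key. Tom Liston's GUI tool mentioned in the US-CERT item above performs the same registry change.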

Kat Lehman
Information Technology Coordinator
Diocese of Bethlehem
610-691-5655
[email protected]