According to Adobe officials, the vulnerability is within the Adobe Reader control. If an XML script is embedded in JavaScript, it is possible to discover the existence of local files, according to a security advisory from the company. An attacker could then maliciously use the gathered information. But the statement pointed out that the local files can be found only if the attacker knows the complete file names and paths in advance of such an attack.

Get your update from:
http://www.adobe.com/support/downloads

The data security breach, possibly the largest to date, happened because intruders were able to exploit software security vulnerabilities to install a rogue program on the network of CardSystems Solutions, MasterCard International spokeswoman Jessica Antle said. The program captured credit card data, she said.

“install rogue program” is code-word for “some dumb*ss let a trojan horse get installed”.

The probe also found that the Atlanta-based payment processor did not meet MasterCard’s security regulations. CardSystems held onto records that it should have discarded, and it stored transaction data in unencrypted form, Antle said.

Now, whose fault is it that CardSystems continued (and continues) to operate? I caught a GMSV article quoting CEO John Perry that they retained all those excess records for “research” purposes? Research on what? To sell to whom? WTF!

MasterCard declined to disclose more information on the breach, citing an ongoing investigation by the FBI.

Oh, that’s nice. How convenient.

The data processor’s Web site runs on Microsoft’s Windows 2000 operating system and IIS Server 5.0, which has fueled speculation that its other set-ups may also be Microsoft-based.

So, what, did they forget to install a service pack or “security” update?

Now comes the really scary part:

MBNA, one of the largest U.S. credit card issuers, said it has received information from CardSystems about exposed customer accounts. The company won’t contact the individuals affected but is keeping a close eye on the compromised accounts, said Jim Donahue, an MBNA spokesman.

Well, isn’t that special? They won’t even tell their customers that their cards have been stolen. Is that to protect the innocent, help the FBI, or just not have to deal with freaking out their customers because they’ve contracted with a loser organization?

Lest we think that CardSystems is the only loser in the group let me remind you:

Two weeks ago, CitiFinancial said tapes containing unencrypted information on 3.9 million customers were lost by the United Parcel Service while in transit to a credit bureau. …data leaks have been reported by Bank of America and Wachovia, data brokers ChoicePoint and LexisNexis, and the University of California at Berkeley and Stanford University.

Clearly, a new way of doing this has to be done. We simply can’t trust that those that hold the data can responsibly treat it.

Call your bank.

This one poses as a system administrator warning you that your account will be cancelled. As with any other emails with attachments and directions to open the attachment, DON’T DO IT.

And of course, NEVER, EVER open ANY attachments (even if they are from your mother who just called you saying she’s sending you an attachment) if they end in .bat, .cmd, .exe, .pif or .scr. This little bugger might also come as a .zip file too which is normally OK but in this case it’s not.

Make sure your anti-virus definitions are up to date and be careful.

Checkout the video for a step-by-step demonstration!

Somebody asked me:

“I recently received an email notifying me that my account with Ebay had been suspended and I had to fill out a form to re-activate it. They asked for all kinds of personal information. Is this legit?”

I’m sorry to say that you’ve been the victim of what’s known as “Phishing” which is a new, dangerous breed of spam. This spam doesn’t ask you to buy anything, but rather warns you about having your account canceled unless you fill out a form. The official-looking form asks you the deepest, most personal information such as mother’s maiden name, social security number, bank account number numbers, bank card PIN access codes, and the like.

Of course what really happens is that this information goes to a thief who proceeds to take all the money out of your bank account and uses your credit cards to go on a shopping spree. Disclosing this kind of personal information gives someone else everything they need to completely steal your identity and perhaps cause a lot more damage than “just” stealing your money; for example, a criminal that gets arrested can use give out your identity instead. Suddenly, you have a criminal record!

How can you avoid becoming a victim of a Phish? Here’s a super-easy way: If you get an email that warns you of an account being canceled, don’t click on any of the links in the email under any circumstances, no matter how legitimate they may seem. Instead open up a new browser window and go ahead and log into your account using your known user name and password. If your account is truly in danger of getting canceled, the Web site will repeat the warning and tell you how you can recover from it.

Today’s Internet-connected world brings fantastic productivity but you must always be vigilant about scams like Phishes. It’s sad to say but you just can’t trust email these days, especially emails that “smell like a Phish”. But the good news is if you just don’t click on that link, and instead open a new browser window, you can easily avoid becoming another victim of identity theft.

Subscribe to the Podcast and automatically download new video and audio tips as they come!

Make sure your anti-virus software is fully up to date. This one is picking up steam pretty quickly.

What it does is send you email messages with an attached ZIP file. The message contents say something to the effect of:

Account and Password Information are attached!

Visit: http://www.cheqnet.net

or

This is an automatically generated E-Mail Delivery Status Notification.

Mail-Header, Mail-Body and Error Description are attached

What’s especially tricky is that it signs the email with what looks like your own anti-virus software stamp of approval:

*** Attachment-Scanner: Status OK
*** “yourcomputerminute” Anti-Virus
*** http://www.yourcomputerminute.com

My advice:

1. don’t open any Zip files that you may have received since Sunday of this week.
2. Make sure your antivirus is up to date and verify this with your IT folks before you open any other zip files