ETD: 797 Embedding Their Hopes in RFID; Emerging Trends
Marketers Target The Mommy Track; Major Security Flaws; US-CERT:
Beware of IE; Pop-up program reads keystrokes, steals passwords
E-Tailer's Digest
etd_post at gapent.com
Thu Jul 1 11:38:59 GMT 2004
E-Tailer's Digest --- Everything for the Retailer
Issue #0797 July 1, 2004
George Matyjewicz, Moderator mailto:georgem at gapent.com
Published by: GAP Enterprises, Ltd. http://www.etailersdigest.com
==================================================================
CONTENTS
[1] Greetings
[2] Embedding Their Hopes in RFID
[3] Emerging Trends Marketers Target The Mommy Track
[4] Major Security Flaws
-- US-CERT: Beware of IE
-- Pop-up program reads keystrokes, steals passwords
==================================================================
[1] Greetings.
==================================================================
Hi All:
I had to do an analysis yesterday, and was surprised to see that of the
Business Week 50 Top Performers in Europe, we have nine of them as
clients. In the U.S., it's six of the top 50. Not bad eh?
Beware of some major security flaws with Microsoft I.E. The US-CERT went
so far as to say to stop using I.E. And those pesky pop-ups are stealing
your passwords. I was recently introduced to a dandy utility called Ace
Utilities (http://www.acelogix.com/) which cleans junk files and the
registry. It's shocking how much junk accumulates on your computer. I
combine that with Ad Aware from Lavasoft which:
"Ad-aware is THE award winning, multi-trackware detection and removal
utility (designed for Windows 98 / 98SE / ME / NT40 / 2000 / XP Home / XP
Pro) that will comprehensively scan your memory, registry, hard, removable
and optical drives for known Datamining, aggressive advertising, Parasites,
Scumware, Keyloggers, selected traditional Trojans, Dialers, Malware,
Browser hijackers, and tracking components."
List member Larry Verkeyn shares his experiences with "The Mommy
Track." Are we going back to the 1950s? What do you think?
RFID is coming to many different places. Imagine seeing it at the casino
where they can learn how you bet? Or how about in a soap dispenser to tell
the restaurant manager whether the employee washed his hands after using
the toilet? I think this will revolutionize retailing and our lives in
general. What do you think?
I hope our Canadian members enjoy Canada Day today. And our U.S. members,
enjoy Independence Day on Monday.
Tell us about your business which will remain for posterity at our
"Members: Who Are You?" site: http://etailersdigest.com/resources/members/index.htm And we have a
form there for you to tell us about you. As I said when I first proposed
this idea, we have "known" each other for a long time, yet we often don't
know anything about each other. So, tell us who you are and what you do.
Now, let's get to everything for the retailer.
Sincerely
George Matyjewicz, PhD
Chief Global Strategist, GAP Enterprises, Ltd.
mailto:georgem at gapent.com
http://www.etailersdigest.com
==================================================================
[2] Embedding Their Hopes in RFID
==================================================================
The technology has been around for a decade -- including use in the E-ZPass
system that helps speed drivers through toll booths on many East Coast
highways -- but RFID is now robust enough, and getting cheap enough, that
it is beginning to transform numerous sectors of the economy by allowing
unparalleled tracking of products and people.
To John Kendall, casino gambling will soon look like this:
A player sits down at a blackjack table and bets a stack of chips, which
Kendall hopes are manufactured by his company, Chipco International of
Raymond, Maine. Sensors trained on the betting area of the table scan tiny
computer tags embedded in the chips, and electronically report the amount
of the bet to a security control room.
"If at table 17, player 4 has been betting $5, and all of a sudden he bets
$500, they want to be notified," said Kendall, whose firm is investing
heavily in technology known as RFID -- radio frequency identification -- to
make the tags work. "Our reporting will tell the casino manager that this
person has just changed his betting habits," perhaps because he is cheating.
Chipco, which hopes to introduce its new chips late this year, is one of
many companies placing bets on RFID these days.
Early this month, Reston-based Accenture LLP won a contract worth as much
as $10 billion from the Department of Homeland Security that will include
using RFID at U.S. border checkpoints.
Delta Air Lines Inc. is testing RFID baggage tags on its service between
Jacksonville, Fla., and Atlanta, to help with security and lost luggage. In
Great Britain, officials are weighing proposals to embed tags in vehicle
license plates. International Business Machines Corp. is seeking to
convince banks that their best customers could be issued cards with the
tags, allowing them to be immediately recognized when they enter the bank
and given red-carpet treatment.
RFID Tags Read Remotely
Unlike bar codes, which must be passed in front of a scanner, RFID tags can
be read remotely by a device in the vicinity, sharply reducing time and
labor needed to take inventory and letting stores more quickly recognize
when stocks are low. By some estimates, retailers lose 4 percent in sales
because they are out of what consumers are looking for.
But RFID initiatives alarm privacy advocates, as well as some federal
government officials and state legislators, who understand the benefits but
worry about the possibility of abuse in the tracking of goods and people.
For example, an RFID tag on a medication bottle might one day be used to
alert a relative at another location that an elderly father forgot to take
his pills. But electronic readers in office buildings might detect the
types of medicines being carried around by employees, which many would
regard as an invasion of privacy.
The Food and Drug Administration is in fact encouraging adoption of RFID in
the pharmaceutical industry to attack counterfeit drugs, pushing for
widespread tagging of medicines by 2007.
Tremendous Potential
Other uses are proliferating as well. One California company has developed
a soap dispenser capable of reading employee tags to let restaurant
managers know whether their workers washed their hands while in the
bathroom. A charter school in Buffalo uses tags on its students as a way of
taking attendance in the mornings.
Details at...
http://www.ecommercetimes.com/story/34773.html
==================================================================
[3] Emerging Trends Marketers Target The Mommy Track
==================================================================
ETD snip: "The younger generation of mothers, many of them the latchkey
offspring of over-committed super-moms, are returning to more traditional
family modes."
We have seen this trend in our store (children's clothing/children's hair
salon). Four years ago, when we first started, we needed to have evening
hours for hair appointments, even in the summer months, because both parents
worked. Many of the daytime appointments we took back then had either a
grandparent or a babysitter with the child.
Now, daytime appointments are in demand, and it is not just Moms, but Dads
who show up with the kids. More than a few of our customers now have stay-at-home
fathers. Does that still make mom an "over-committed super-mom"?
Larry Verkeyn
==================================================================
[4] Major Security Flaws
==================================================================
US-CERT: Beware of IE
The U.S. government's Computer Emergency Readiness Team (US-CERT) is
warning Web surfers to stop using Microsoft's Internet Explorer (IE) browser.
On the heels of last week's sophisticated malware attack that targeted a
known IE flaw, US-CERT updated an earlier advisory to recommend the use of
alternative browsers because of "significant vulnerabilities" in
technologies embedded in IE.
"There are a number of significant vulnerabilities in technologies relating
to the IE domain/zone security model, the DHTML object model, MIME-type
determination, and ActiveX. It is possible to reduce exposure to these
vulnerabilities by using a different Web browser, especially when browsing
untrusted sites," US-CERT noted in a vulnerability note.
The latest US-CERT position comes at a crucial time for Microsoft, which
has invested heavily to add secure browsing technologies in the coming
Windows XP Service Pack 2. The software giant has spent the last few months
talking up the coming IE security improvements, but its slow response to
patching well-known -- and sometimes "critical" -- browser holes isn't
sitting well with security experts.
On discussion lists and message boards, security researchers have spent a
lot of time beating the "Dump IE" drum, and the US-CERT notice is sure to
lend credibility to the movement away from the world's most popular browser.
US-CERT is a non-profit partnership between the Department of Homeland
Security (DHS) and the public and private sectors. It was established in
September 2003 to improve computer security preparedness and response to
cyber attacks in the United States.
It has been more than two weeks since Microsoft confirmed the existence of
an "extremely critical" IE bug, which was being used to load adware/spyware
and malware on PCs without user intervention. Even though the company
hinted it would go outside its monthly security update cycle to issue a
fix, the flaw remains unpatched.
US-CERT researchers say the IE browser does not adequately validate the
security context of a frame that has been redirected by a Web server. It
opens the door for an attacker to exploit the flaw by executing script in
different security domains.
"By causing script to be evaluated in the Local Machine Zone, the attacker
could execute arbitrary code with the privileges of the user running IE,"
according to the advisory.
"Functional exploit code is publicly available, and there are reports of
incidents involving this vulnerability."
To protect against the flaw, IE users are urged to disable Active scripting
and ActiveX controls in the Internet Zone (or any zone used by an
attacker). Other temporary workarounds include the application of the
Outlook e-mail security update; the use of plain-text e-mails and the use
of anti-virus software.
Surfers must also get into the habit of not clicking on unsolicited URLs
from e-mail, instant messages, Web forums or internet relay chat (IRC)
sessions.
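The Internet Zone settings named in the workaround above live in the registry, so they can be audited rather than clicked through. The following PowerShell script is an added example, not from the newsletter or US-CERT; it assumes a Windows host where the standard IE zone-setting value identifiers apply (zone 3 = Internet, value 1200 = Run ActiveX controls and plug-ins, value 1400 = Active scripting; data 0 = Enable, 1 = Prompt, 3 = Disable).

```powershell
# Added example (not from the newsletter or US-CERT): report whether Active
# scripting and ActiveX are disabled in the IE Internet Zone for the current
# user, and with -Harden set both to Disable (3) as the advisory recommends.
param([switch]$Harden)

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Settings = @{ 1200 = 'Run ActiveX controls and plug-ins'; 1400 = 'Active scripting' }
$Labels   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

if (-not (Test-Path $ZonePath)) {
    Write-Warning "Internet Zone key not found: $ZonePath"
    return
}

$zone = Get-ItemProperty -Path $ZonePath
foreach ($id in $Settings.Keys) {
    $name    = [string]$id          # registry value names are the numeric ids
    $current = $zone.$name
    if ($null -eq $current) {
        $label = 'not set (browser default applies)'
    } elseif ($Labels.ContainsKey([int]$current)) {
        $label = $Labels[[int]$current]
    } else {
        $label = "raw value $current"
    }
    $state = if ($current -eq 3) { 'OK      ' } else { 'EXPOSED ' }
    '{0}{1,-36} {2}' -f $state, $Settings[$id], $label
    if ($Harden -and $current -ne 3) {
        # Per-user setting; a machine-wide policy under HKLM would take precedence.
        Set-ItemProperty -Path $ZonePath -Name $name -Value 3 -Type DWord
        "         -> $name set to 3 (Disable)"
    }
}
```

Run without arguments to audit; rerun with `-Harden` to apply the Disable setting to any value reported as EXPOSED.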
Details at...
www.internetnews.com/security/article.php/3374931
--- <Next Security Issue> ---
Pop-up program reads keystrokes, steals passwords
A malicious program that installs itself through a pop-up can read
keystrokes and steal passwords when victims visit any of nearly 50 targeted
banking sites, security researchers warned on Tuesday.
Bottom line: The program is part of a larger trend, as malicious hackers
increasingly focus not on random acts of destruction but on stealing money.
The targeted sites include major financial institutions, such as Citibank,
Barclays Bank and Deutsche Bank, researcher Marcus Sachs said Tuesday.
"If (the program) recognizes that you are on one of those sites, it does
keystroke logging," said Sachs, director of the Internet Storm Center, a
site that monitors network threats. Even though all financial sites use
encryption built into the browser to protect log-in data, the Trojan horse
program can capture the information before it gets encrypted by the browser
software. "The browser does not encrypt data between your keyboard and
computer. It's encrypting it (when it goes) out onto the Web."
Sachs said the Trojan horse was first discovered on the computer of "an
employee at a major dot-com." The victim apparently picked up the program
from a malicious pop-up ad that used a flaw in Internet Explorer's helper
server to install itself on the user's PC. In this case, because of the
computer's security settings, the installation failed. Microsoft said IE
users should raise the security settings to high until the company issues a
patch.
Two other IE flaws, which Microsoft has yet to fix, were used recently in
two other hacking schemes, one last week that turned some Web sites into
points of digital infection, and another, earlier in the month, that
installed a toolbar on victims' computers that triggered pop-ups. This most
recent Trojan horse differs from the attack software used in last week's
Web site compromises but could be paired with that technique to spread
spyware.
Researchers at the Internet Storm Center studied the Trojan horse file,
called "img1big.gif," which was provided by the dot-com. Working through
the weekend, the security experts reverse-engineered the program and
discovered that it targeted a long list of banks and attempted to steal the
account information of those institutions' customers.
The program points to a recent trend in computer viruses and remote-access
Trojan horse, or RAT, programs: Attackers are increasingly after money. In
April, security experts warned that 'bot networks'--large networks of
zombified home PCs--are a greater threat than high-profile worms such as
Sasser and MSBlast, because they could be used to steal financial
information or to send untraceable spam.
"In the past, the most common way to collect financial information was
through fraud like the Nigerian e-mail scam," said Oliver Friedrichs,
senior manager in antivirus company Symantec's security response center.
Friedrichs said that in the past few months, Symantec analysts have studied
threats similar to the current Trojan horse.
Because it carries a .gif file extension, the Trojan horse appears to be
a graphic in a compressed format commonly found on the Internet. In
reality, it's two programs: a browser helper file that surreptitiously
captures usernames and passwords; and a "file dropper" that installs the
keyword logger on the victim's computer.
The first file attempts to run itself by using an old Internet Explorer
flaw, and the second file uses a feature of most major browsers, known as
helper files, to intercept data, Sachs said.
"Before data goes through your browser, it can be processed by a helper
file," he said. "What makes this one really clever is that (it takes)
advantage of the ability in all browsers to use helper files and defeat the
encryption."
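Because a browser "helper file" of the kind Sachs describes is registered with the browser rather than hidden in it, a defender can inventory what is registered. The following PowerShell script is an added example, not from the newsletter or the Internet Storm Center; it assumes a Windows host and uses the standard Browser Helper Objects registration keys and CLSID InProcServer32 entries to list each helper's DLL, its Authenticode status, and whether it loads from outside Program Files or System32.

```powershell
# Added example: list Browser Helper Objects registered for Internet Explorer
# and where each one's DLL loads from, so an unexpected helper stands out.
$BhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$ClsidRoots  = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID',
                 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID')
# A DLL loaded from anywhere else is worth a closer look (a heuristic, not proof).
$TrustedDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemRoot\System32") |
               Where-Object { $_ }

function Get-BhoInventory {
    foreach ($root in $BhoRoots | Where-Object { Test-Path $_ }) {
        foreach ($key in Get-ChildItem -Path $root) {
            $clsid = $key.PSChildName
            $dll   = $null
            foreach ($croot in $ClsidRoots) {
                $srv = Join-Path $croot "$clsid\InProcServer32"
                if (Test-Path $srv) {
                    # The default value of InProcServer32 is the DLL IE will load.
                    $raw = (Get-ItemProperty -Path $srv).'(default)'
                    if ($raw) { $dll = ([string]$raw).Trim('"') }
                    break
                }
            }
            $sig = 'no DLL path'
            if ($dll -and (Test-Path $dll)) {
                $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
            } elseif ($dll) {
                $sig = 'DLL missing'
            }
            $inTrusted = $false
            foreach ($dir in $TrustedDirs) {
                if ($dll -and $dll.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
            }
            [pscustomobject]@{
                Hive       = $root.Split(':')[0]
                CLSID      = $clsid
                DLL        = $dll
                Signature  = $sig
                Suspicious = -not $inTrusted
            }
        }
    }
}

Get-BhoInventory | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run from an elevated prompt so both hives are readable; entries flagged Suspicious or with a Signature other than Valid are the ones to examine first.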
Once the Trojan horse captures financial information, it encrypts the data
by using a program hosted on an Internet server and sends the data back to
the attackers, who appear to be in South America, Sachs said.
Security experts have stressed the vulnerability of Microsoft's Internet
Explorer recently, following public warnings of vulnerabilities in the
browser that could enable attackers to install malicious programs. Those
flaws have not yet been fixed by Microsoft.
An attack that had used a vulnerability to turn some Web sites into points
of digital infection was nipped in the bud Friday, when Internet engineers
managed to shut down a Russian server that had been the source of malicious
code. Compromised Web sites are still attempting to infect Web surfers' PCs
by referring them to the server in Russia, but that computer can no longer
be reached.
While the latest program is installed on Windows computers using a known
vulnerability, the helper file hack exploits a feature, not a flaw, and
could work with most major browsers, Sachs said.
"Sometimes, there's not much difference between a feature and a flaw," he said.
Details...
http://zdnet.com.com/2100-1105-5251981.html
==================================================================
Links to follow
==================================================================
GAP Enterprises, Ltd. http://www.gapent.com/
Sarbanes-Oxley 2002 http://www.sarbanes-oxley2002.com
E-Tailer's Digest http://www.etailersdigest.com
ETD Archives: http://topica.com/lists/etailer/read
Prior to 29 Dec 1999 http://etailersdigest.com/archives/index.htm
Marketing Your Web http://www.gapent.com/myweb/
Automated Press Releases http://www.automatedpr.com