Security Watch

Europe May Require Data Breach Notification

Also: ATMs working like greased slot machines; QuickTime, Flash Player invite hackers to your machine.

The European Commission has put forward a proposed change to existing laws governing providers of electronic communication networks or services which would make it mandatory for them to advise customers of security breaches, in addition to the existing requirement that they advise customers of security risks. (For the EU's working document, click here.)

The difference could lead to a spate of media stories about lost European laptops and the like. One has to wonder if these aren't being proposed because there's been such a lack of interesting computer security stories.

ATMs Give Up Cash as Easily as Slot Machines
A man allegedly walked up to an ATM located at a gas station, keyed in "something" and got the ATM to issue $20 bills while counting them as $5 bills. The story reports that the man "reprogrammed" the ATM. However, how this was accomplished, or even whether it was, is unconfirmed.

The machine was a Tranax Mini-Bank 1500 Series, easily reprogrammed by obtaining the codes right off of Google. Imagine if you could walk up to a slot machine, press a few buttons and have it issue a jackpot. So be careful how much trust you put in "secure" technology.

QuickTime Shows More Than Video
Six separate vulnerabilities were discovered in Apple QuickTime, all of which could allow code of the criminal's choice to execute on a victim system in the security context of the victim user. All appear to be buffer overflows of one type or another, involving various QuickTime formats, such as FLC or FlashPix.

All six are credited to McAfee AVERT labs, making one wonder if some form of malware has been seen. However, Apple makes no mention and, so far, neither has McAfee. Two of the vulnerabilities were also discovered by others, and they have released detailed information regarding their discoveries.

This column was originally published in our weekly Security Watch newsletter.

Drive-By Hacking, Thanks to Adobe Flash Player
According to Adobe, "multiple input validation errors" have been patched in Flash Player versions 7 and 8. These issues were corrected in Flash Player version 9, but not disclosed until now. One of them permitted criminals to bypass the "allowScriptAccess" option, which regulates whether a control can be scripted. Adobe also indicates that the way Microsoft Office products invoke the ActiveX control has been modified.

Well, bad month for Adobe. Flash Player was shipped with Windows XP and is likely installed on most home user systems, if not most corporate systems also. This is likely to make it an attractive target for criminal sites looking to do drive-by downloads. Computer Terrorism, the group that Adobe credited with reporting these Flash Player vulnerabilities, states that it has seen "undisclosed" proof-of-concept code which works across multiple operating systems and multiple browser types. Such a beast is certainly not something we want to see in the wild.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
