A new federal report found that a whopping 74 percent of Internal Revenue Service (IRS) employees abuse the agency's email systems. The report released by the Treasury Inspector General for Tax Administration found that these employees had email in their inboxes that violated the IRS personal use policy.
Additionally, inspectors found more than 700 vulnerabilities on the agency servers, most a result of poor patch management. These factors, combined with the fact that inspectors found thousands of IP-addressable devices serving as unofficial mail servers on IRS, led inspectors to warn IRS officials that the agency is ripe for attacks.
A year after launching its sometimes controversial Zero Day Initiative (ZDI), TippingPoint tweaked the program to responsibly disclose which vendors are sitting on unresolved vulnerabilities.
The new unresolved vulnerability pipeline will list vendor name, the date ZDI disclosed the vulnerability to the vendor, and the severity. The announcement about the pipeline fingered 29 different unresolved flaws from vendors such as Microsoft, Novell, Apple and Symantec.
The practice of phishing bled over to cell phones with a new type of attack that McAfee's Avert Labs dubbed "SMiShing."
The new method targets users with short message service (SMS) text messages alerting them of impending fee charges for a dating service. They are prompted to go to a URL that secretly loads a trojan that turns the PC into a zombie.
IBM announced its $1.3 billion acquisition of network intrusion and managed services provider Internet Security Systems (ISS). Big Blue execs said that they intend to strengthen the company's Global Services' Security organization.
Paul Stamp, a Forrester researcher, said the acquisition is less about a bolstered managed security services division and more about providing the opportunity for IBM to "plug gaps in their security portfolio."
AOL's CTO Maureen Govern left her post after the company posted the search queries of some 650,000 subscribers on a research website.
Though the internet giant did not post user screen names and quickly removed the offending data from the original website, the information was just as quickly mirrored on dozens of sites. Public furor mounted swiftly as reporters and amateur internet detectives alike were able to easily identify many of the searches — branded with supposedly anonymous user numbers — through the often personally identifiable data entered into search fields.
Errata: In September (after page 18), we should have said: Paul Zazzera is SVP/CIO with Time, Inc., and Dan Caprio is former CPO, U.S. Department of Commerce.