Security hole found in AOL instant messenger
A group of security researchers led by a Utah State University student announced Wednesday that America Online's instant messenger software has a flaw that could allow malicious hackers to take control of a user's computer. AOL spokesman Andrew Weinstein told the San Jose Mercury-News that the company was unaware of anyone who had been affected by the security hole. The discoverers of the flaw, an ad-hoc group that calls itself w00w00 (with zeroes instead of O's), said the bug is triggered when the program is asked to store more data than it can handle, also known as a buffer overrun. Matt Conover, the 19-year-old Utah State computer science student who founded w00w00, said the group contacted AOL about the flaw about a week ago, but received no response. The next step was to post the information on its Web site, www.w00w00.org. "I don't think that waiting any longer would have done any good," Conover told the Mercury-News. Weinstein said AOL would have preferred that w00w00 sent the information to the company privately. Microsoft's Windows XP and Oracle's 9i application server software each faced similar problems and have been patched, reports said.
'Zacker' attacks anti-virus software
Anti-virus companies have issued moderate alerts for a new virus called "Zacker," also known as W32.Maldal.D@mm, which arrives via e-mail and tries to destroy anti-virus programs once activated. Like many other such rogue programs, Zacker uses Microsoft Outlook to spread itself from infected computers. It goes after anti-virus software by Symantec, McAfee and Zone Labs, as well as others, and it also can attack photographs, Word documents, music files and software applications. Michael Murphy, Symantec's Canadian general manager, told the National Post, "It is the first virus of the year, and damage can be high." An infected e-mail arrives with the subject "ZaCker" and an attachment called zacker.exe.
Online customer service gets mediocre marks
Internet research firm Jupiter Media Metrix is expected Thursday to release the results of a survey that measured customer service response times at 250 online retailers, and the results won't be surprising to anyone left hanging by a company's Web site. Jupiter found that only 30 percent of retailers responded to online customer service requests within 6 hours, and 18 percent took six to 24 hours. From there, the numbers go downhill: Another 18 percent took one to three days, and the remaining one-third of retailers took longer than three days or didn't respond. David Daniels, a Jupiter senior analyst, told The New York Times: "What is surprising is the number of businesses that continue to take three days or longer or simply don't respond to the e-mail, that it's still so high. The implications of a dissatisfying online experience can be really harsh --- the rippling effect it has across channels."
Cyber-crime insurance in state of flux
Insurance companies are rethinking how they write policies for cyber-crime, according to InformationWeek.com. Some insurers include cyber-crime in standard commercial insurance policies, but in 2002, companies are expected to shift that coverage to more expensive supplemental policies solely for information technology. Robert Hartwig, chief economist at the New York-based Insurance Information Institute, told InformationWeek.com: "I used to think cyber-crime would become a standard feature of commercial property policies. Instead, the opposite has happened." Most current policies protect info-tech gear from physical damage -- a fire in the computer room, for instance -- but companies have been filing claims on those policies as a result of hacker damage and intellectual property problems, InformationWeek.com said. Now the insurers want to separate the two situations. "They want to make it clear that losses stemming from (denial-of-service attacks), viruses, and intellectual property violations are not covered by standard policies," Hartwig said.
New York state takes sensitive info offline
New York state is the latest governmental entity to take important infrastructure information offline, as part of an effort to deter terrorism. The Albany Times-Union said the directive was mailed out Oct. 30 to the 70 largest state agencies, and so far 10 of them have removed information. There were no specifics about what was taken offline, but the state's Office for Technology had noted earlier that information such as locations of wastewater treatment plants, floor maps of buildings and addresses for nuclear power plants were accessible by the public somewhere online. Some observers say that removing government information from the Web is no way to operate in a Democratic society. "If a terrorist is that committed to know where power plants are, I'm not sure going to a library instead would deter him or her," Kim Fortun, an associate professor at Rensselaer Polytechnic Institute in Troy, N.Y., told the Times-Union.
Tech companies could face penny-stock blues
Bad news for struggling tech companies: The Nasdaq stock market on Wednesday said that it would reinstate a requirement for stocks to be worth more than $1 in order to be traded on the exchange. The requirement had been suspended after the Sept. 11 terrorist attacks. As of October, the Nasdaq said it had delisted 349 firms in 2001, compared with 240 a year earlier. Some analysts said the shakeup could be good for companies that would fare better on Nasdaq's Small Cap exchange, which has less stringent requirements for the stocks traded on it.
(Compiled by Joe Warminsky in Washington.)