Corporate Servers Spreading IE Virus [Updated]
uncadonna writes "ZDNet is reporting that corporate web servers are infecting visitors' PCs. The combination of two unpatched IE security holes and hacked corporate websites is apparently distributing malware via several high-credibility sites. ZDNet says users have 'few options' other than alternative browsers or platforms."
Update: 06/25 14:50 GMT by J: A reader points out Microsoft's What You Should Know page. Here's the short version for avoiding this Critical severity attack: you must install add-on software, and change multiple settings in multiple programs, thus causing "some Web sites to work improperly." By changing more settings, you can regain functionality for a particular site if "you trust that it is safe to use," which you have no way of knowing. Or try Firefox.
Update: 06/25 19:30 GMT by J: Reuters reports the attack installs a keysniffer which can steal credit card numbers, passwords, and so on. The story offers safety tips, but fails to mention that, after patching the hole, many users will be infected without their knowledge. Shouldn't the "fix" include ceasing to type anything important into your computer until you purchase software which can detect and remove the Trojan? And will you be downloading that software with Mastercard or Visa?
The MSN search engine is infected.
You can download the trojan from here:
http://search.msn.com/msits.exe
I think I'll just have to be content that great browsers like Firefox are available for me to use, because obviously the masses are never going to be interested.
With these unpatched IE flaws in the wild, IE users don't even have to do something silly to get infected. But I suppose you could argue they are already doing something silly!
Homme petit d'homme petit, s'attend, n'avale
I know it's not fashionable around these parts, being closed source, but Opera (www.opera.com) really is the bee's knees. On my machine it renders faster, everything is snappier than mozilla/firefox and has more features than you can shake Darl McBride at. It's not free, true, but costs about the same as a pop-up blocker for Internal Exploder. Plus, Opera's built-in mail client is wonderful. Not that I'm badmouthing firefox, I have that too, I just like Opera even better.
I've always wondered how my coworkers who "only" go to major sites like Yahoo and Ebay, pick up all sorts of spyware and adware.
I was wondering where I got this from. I spent 4 hours removing Malware from my computer the other day. Since I don't tend to visit pr0n sites at work, I had no idea how I was so badly infected until now... Ad-aware, spybot, and Nortons did not find the evil software. My process list was filled with MANY unkillable processes with random names. Every time I killed one, it would start again with a new name. I found the executables on my drive and deleted them, they would RE-CREATE themselves!! Also, it looked like one of the installed viruses(?) would download new Malware! I was wondering, is this a virus? Is it spyware? It was hard to classify as far as I could tell and it SUCKED.
Word to me.
WTF is that? So it can infect the rest of the world?
This reeks of criminal negligence IMHO, they know of a crime, and they won't tell how or who will do it to you..
"/Dread"
This "virus" is not detected by antivirus software, according to the article. Does anyone know why? I run eTrust on my IIS boxen. (yes, I have a few, no I didn't put them there, no, they shouldn't be there, but our dev team wants ASP) Etrust is a fine product, but supposedly this offending code isn't detected. That bothers me a little, but this leads to another question.
Why isn't spyware classified as viral code? I realize it doesn't spread in the same manner as a virus, but it a) installs itself uninvited b) causes the PC and its software to behave erratically and c) makes my job needlessly more difficult. It bothers me that virus scanners aren't picking up spyware.
Anyway, to bring this back on topic, this situation requires a server side fix. I'm sorry, I can't tell every customer to switch browsers. I can't even get my internal users to switch. Most can't, because of some oddly coded piece of software that only runs in IE. My point is, my boxen might be infected right now. Not caught by AV software, how am I supposed to determine whether this thing lives on my server?
There is no reasonable defense against an idiot with an agenda
:wq
So many places say "this site best when viewed with IE." IANAL, but it seems irresponsible for a site to recommend IE, especially if site handles sensitive materials such as financial services or downloadable software. If IE includes known vulnerabilities, can sites be held liable for making that recommendation?
Any thoughts from the more legally minded amongst us?
Two wrongs don't make a right, but three lefts do.
ZDNet:
"Meanwhile, the average Internet surfer is left with few options. Windows users could download an alternate browser, such as Mozilla or Opera, and Mac users are not in danger."
The original post mentions a "combination of two unpatched IE security holes", but both the US-CERT and Internet Storm Center only mention javascript and not a specific browser as being able to be compromised by the infected IIS servers.
My question is, how do we know this is an IE-only problem? I ask this because I have several friends whom I'm trying to convince to try an alternative browser for security reasons but I don't want to be that guy we all know who goes off about "IE exploits" that turn out to be nothing of the sort.
You mean like CNN?
A quick scan of that article and I couldn't see any mention of using an alternative browser, just the usual "update virus checker, etc"
We need these sites to push the idea of Mozilla to the masses
It won't be long before Javascript is considered a complete security risk and it's the web developers who are going to suffer. Despite the rantings of sysadmins who don't touch web development it is actually a very useful language to supplement HTML.
Javascript menus and first pass form validation, anyone?
And I also wonder how many people will actually heed the call and switch their browser.
Not many. They will rather believe it is a kind of valuable new feature, and they will perceive the inability of being infected as another flaw in mozilla. You probably think I'm joking, but, sadly, I'm not. I was recently forced to work with two windows-minded webmasters and this is exactly the way their brains work. MSIE cannot by definition have any flaws. If MSIE is not standards-compliant, well, too bad for the standards. I'm not even sure such folks can comprehend the concept of technical standards. And they won't listen to an opinion coming from someone who uses linux and doesn't approve piracy. You don't steal software => you are irrational, perhaps insane => you can't be trusted. And the <input type crash> bug was not a bug, it was Microsoft's joke. And GIMP is simply unusable.
So, I say, those windows users who are not totally fucked up have already switched to mozilla. Others will never switch.
Help more people switch to mozilla/firefox. Mozilla hacker Blake Ross has started a weekly brainstorming effort for firefox marketing ideas on his weblog. Go thither and chime in. I just did.
Despite them getting infected with adware and spyware through IE, none of them want to use firefox. I've asked them many times, and even gone to the point of deleting IE, but their resilience to use anything else forced me to put it back on (amongst other reasons).
If you would be so kind, I am really curious what the reasons were.
What I have always done is download Firefox, change the icon to the blue E, and rename the shortcut "Internet Explorer". I then tell them, "It's the new version of Internet Explorer, called Mozilla."
I have had no people complain or ask to have the "old" version back. In fact, the only thing I have heard is praise ("It's so fast", "I don't get pop-ups anymore", etc).
I've done this for about 60 users (45 computers), so far.
- Tony
I know people are skeptical about a mass swap, but actually I think this is just the kind of issue that could cause small/medium-sized businesses (say 100-200 users) to actually switch the default browser on their machines.
If the scenario is as reported, and IE is currently unpatchable, then the conversation is likely to go like this:
IT Manager: A problem has been identified in IE, it leaves the organization open to virus infection, we need to change the browser we use to something else.
CEO: Haven't you got more important things to do, where's my mail merge. I'm not having you spending a week changing every machine.
IT Manager: OK, the deal is, here is a threat that can't currently be solved, it presents the possibility that many of our machines could slow down, crash or be otherwise infected. To be honest, the details aren't clear, but it appears to be very easy for the infection to spread.
Are you formally telling me that you don't want me to take any action, and that you are happy with the situation?
CEO: How much does a new browser cost?
IT Manager: It's free.
CEO: Quit hanging about in my office and get those new browsers installed.
Actually it implies that you need Windows XP SP2 _RC2_ (i.e. not actually released yet) to be safe - that's not really something that MS should expect people to install on production boxes.
...the uneducated user. Let's face it: the internet has been sold as this great tool and all you need to get on it is a PC and a phone line, cable, or whatever. If you preach the need for basic education, you are some kind of geek (how often have you heard, "I don't want to know all that, I just want to get online!") and if you make even the slightest suggestion that some people just don't belong online due to their own lack of common sense, you are some kind of elitist (try telling people to use the BCC option of their e-mail client instead of CC'ing everyone in their address book and see what kind of reaction you get). As a previous poster said, it is, once again, unpatched systems that are causing the problem. And here's the chorus now, "I didn't know! No one told me! It's not my fault!" And we, of course, will pick up the pieces.
Don't be a looter...and yes, I know that it's spelled with an "A" instead of an "E".
Huh?
Every Mom and Pop I've given Mozilla or FireFox to has been ecstatic, right from the start. Nobody actually LIKES Internet Explorer. They either:
1) don't care
2) prefer Mozilla, or
3) are forced to use IE in a corporate environment.
Why does your family resist?
Another thought - if any bank or institution that you use is running IIS, write them and ask them to certify that they are not infected. Let them know that if they do not guarantee that their servers are not compromised by this exploit, you will be transferring your account to an institution which uses servers that don't have such an abysmal security record.
This isn't a new technique, I remember the web development agency I worked for a few years back being caught out by a similar effect. A co-worker took some work home with him, and his (unpatched, unfirewalled, broadband-connected) IIS installation was infected. When he synced up with us the next morning, he infected about two hundred websites, some of them were very high profile. Hundreds of thousands of users were exposed.
It was a stupid company, and I was always trying to get them to change policies that let things like this happen. When we started getting phonecalls from clients about this, the owner blamed stupid kids with too much time on their hands, and said we had absolutely nothing to do with it, couldn't be blamed, etc. All our clients fell for it, hook line and sinker. I think the owner had himself convinced by the end of the day (he was the type that refused to accept he was capable of screwing up).
It's a sad state of the industry that we were responsible for infecting thousands of people and we got away with it scot-free.
I can't operate without the google toolbar, which has no complete mozilla equivalent. There are many sites which people can't do without which use Internet Explorer. Many tools that work only with the browser. Apart from that, Firefox is the ideal browser at the moment.
___
internet, productivity blog
I wonder if they would agree to do the same with those infected servers, spreading IE virus.
Not to mention that most of those servers shall be Windows NT and 2000
Shame they didn't include links to Mozilla, FireFox, Opera, et al. in the story
http://blog.nexusuk.org
I'm a long time IE (then myIE2) user and have just moved to Firefox. Some of the things as a long term IE user I don't like are:
- The default theme is horrible. After some digging I found Qute which is far nicer and apparently used to be default. Why they changed it is silly.
- The installer has a checkbox for recommended plugins, but it isn't active. Probably due to it being less than version 1.0. I think that when it does become active it should be on by default. It is worth noting that although geeks love plugins, the normal user is somewhat slightly less amenable to the idea (especially when the plugin is considered "essential").
- The settings aren't very newbie friendly. I found I had to take a lot of time setting it up. There are settings hidden away that I have to use "about:config". I should never have to do that - especially not for the ones which aren't completely obscure. It kind of reminds me of Linux (firefox) vs Windows (ie). One is more powerful and customisable, but you have to work a lot at it to get it the way you like. The other isn't, but comes with basic settings that 80% of users are happy with.
- Error messages in browser are not on by default. Why not? Why is the setting hidden away? 1995 is not calling. Let's move on.
- The button bar has about 4 buttons. I don't think it's too much to have, by default, new tab, back, forward, stop, reload, home, bookmarks, history, print and downloads. Power users can remove them, beginners will be fine.
- Google search by default takes you to the "I feel lucky" page. What was wrong with the normal search?
- No good support for IE favourites. No wizard for importing, no ability to automatically detect them (I had to export them from IE and import), no ability to use the IE method of storing bookmarks and retain compatibility with other parts of the OS that show my bookmarks. Hell, if you want people to migrate, make it easy for their bookmarks!
- Still can't work out how to make shift-click open into a new tab. One extension will allow this - but it doesn't work with the (practically essential) tabbrowser extensions.
- Loading times are slow. A splash screen that indicates it's loading would be nicer than sitting looking at my desktop wondering if I really did click the icon. Or faster loading times. But there is no option in the config for that. Looks like I'll have to dig again.
Having said all that though:
- There is some neat functionality both with and without all the plugins. Although having said that I have no idea what the neat plugins are. It's often a case of pick what looks good and go for it.
- The adblock extension is very good.
- I like the way I can put folders into the links bar and they drop down with my websites. Especially the open all in tabs.
Now I'm sure I'll get 50+ posts of people telling me that I'm dumb, if I do x, y and z then I can get this, I just need to edit a file, I need to install this plugin, etc. etc. but the point is that I shouldn't need to post complaints to slashdot to get the answers, nor should I need to surf the web, use google or anything else. Nothing I've asked for is particularly difficult, it just makes migrating less painful.
But yes, Firefox is very good. Got a few rough edges in the usability department, but very good.
Avantslash - View Slashdot cleanly on your mobile phone.
The javascript file looks like this:
var cm_HOST="test";
var cmD=document;
function cmSetProduction(){cm_HOST="data";}
function getDefPgID(t) {
    if (!t){t ="";}
    var cmT = cmD.title;
    if (cmT.indexOf("Bank of America |") == 0) {cmT = cmT.substr(17);}
    cmT = cmT + " (" + t + ")";
    return(cmT);}
function cmAdStr(){
    var linkCt = cmD.links.length;
    var lurl,i,ndx,ad;
    var adSt = "";
    for (i = 0; i < linkCt; i++) {
        lurl = cmD.links[i].href;
        ndx = lurl.lastIndexOf("adlink=");
        ndx2 = lurl.lastIndexOf("/adtrack/");
And on and on for three pages.
So if every major website already puts javascript at the bottom of every page, how is my mom supposed to read the code and see whether it's real javascript from my bank or from a hacker?
yahoo news had this article from zdnet.
In this article, it says (towards the bottom)
"Meanwhile, the average Internet surfer is left with few options. Windows users could download an alternate browser, such as Mozilla or Opera, and Mac users are not in danger."
What I found somewhat funny was this quote (from NetSec's chief technology officer)
"I told my wife, unless it is absolutely necessary and unless you are going to a site like our banking site, stay off the Internet right now"
Does that mean he foresees a time in the near future when this kind of problem will go away? I don't.
My family resists because "my clients don't use Mozilla" or "Mozilla isn't the standard."
Seems odd, doesn't it? Mozilla is one of the only standards-compliant browsers around.
1. His wife might not understand computers, so he has to explain it simply.
2. His wife might use IE, and since HE'S AT WORK, he can't go home to switch it for her.
3. He probably doesn't have time to walk her through it, because she's clueless.
4. He probably knows his bank is running on Apache and is therefore immune to this attack.
Looking at the stats on my web site, which receives over 1000 unique visitors/day on average (and almost all of them are Windows users because I distribute Windows software)... here are this year's proportions:
Jan: IE 73%, Mozilla 12%
Feb: IE 76%, Mozilla 15%
Mar: IE 75%, Mozilla 16%
Apr: IE 75%, Mozilla 16%
May: IE 71%, Mozilla 19%
Jun: IE 71%, Mozilla 20%
And for some historical reference, in July of 2003 I saw: IE 78%, Mozilla 11%.
> And just WHY should CNN, or any other news service, "push" one
> product over another? What possible interest could they have?
Rhetorical questions, both. Historically, the media frequently takes positions on all sorts of things. Your questions imply that they don't.
While I share your enthusiasm for a grassroots process of replacing bad software with good software, historically, the evidence that suggests that this might actually happen is pretty poor.
Almost every non-technical person that I've met doesn't care about any of this stuff. In fact, if they did not suffer from viruses and pop-ups and spam and trojans, they would worry that something is actually wrong with their computer.
--Richard
Thanks for the link, I've been meaning to switch from IE for a while now. Firefox looks neat, it's small and imported the bookmarks and history from IE. Easy. It also imported the saved passwords on my computer (I rarely use this option but still). Leading to a slightly offtopic and pretty stupid question: If Firefox can easily import my passwords, can't every adware and such also "import" them and send them anywhere?
Unlike Mozilla, by default, you have to type google in a silly little search box instead of the address box. Which is silly, since google is all about finding what you want and the address box is all about going places.
I use google like an abused personal assistant: "Jenkins! get me foobar corp! If foobar.com doesn't exist then just get me the google search results on foobar, whatever, I don't have time to think about how to get it, just get it!"
The address bar is about going places and integrating it with search is such a stunningly obvious thing to do that I find it amazing that Foxfire has a different default behavior. The fact that I can't just go to options->Addressbarsearch> and change this nonsense is evidence some user testing would have been in order.
Instead, in typical "menus are for cretins, the 31337, use configs and command lines", I have to hunt down the instructions for changing this behavior, then edit the user.js file on every machine I use.
None of which is to say it is a bad browser, it just has a number of annoyances.
Quoting the Parent:
no ability to use the IE method of storing bookmarks and retain compatibility with other parts of the OS that show my bookmarks. Hell, if you want people to migrate, make it easy for their bookmarks!
--
I think this is the big issue here, IE is tied to the OS in many ways and bookmarks are one of them. It's not as easy as simply importing. The replacement browser should provide the necessary hooks so that the OS can get at the bookmark list and use it as necessary.
"Don't mess with him, he taunts the happy fun ball."
True this particular exploit didn't affect Mozilla/Firefox, but it is certainly possible that something similar might in the future.
So, with that in mind, what new security features would help make Mozilla/Firefox even safer and better?
These come to my mind:
- A trusted site list to which I can easily add the current site, and indicate whether it can load images, run scripts and/or download applets.
- An option that will pop up a dialog asking for permission if an untrusted site tries to do any of the above.
- Some type of "zone" concept similar to IEs so that internal (company) sites can have more privileges than external sites.
- Capability of central administration and control (in a business setting) so that users can easily be protected from themselves in a business or large network environment.
Thoughts? Can some or all of this be easily implemented as Firefox extensions? If Mozilla/Firefox is clearly a better, more secure solution, it will gain marketshare rapidly.
Galileo: "The Earth revolves around the Sun!"
Score: -1 100% Flamebait
Simple. Because if people are infected and unable to get to your website because their computer is screwed, then you don't have them as a customer at the moment.
Also realize that it is possible that someone that hated CNN could easily create one of these viruses to redirect cnn.com to a competitor or to the localhost.
Urging customers to use products that keep them a customer is good business. Much like bars generally won't serve someone that is so drunk they can't stand up and sometimes (I have seen it) call a cab for someone they knew couldn't drive.
See also XHTML Ruby support
Actually, yes. I want them to become targets. As a result of this, Mozilla/Firefox's quality will increase rapidly, and patches will be available within hours, going by usual standards.
Don't know about Opera, but they seem to care more than MS does about fixing things.
"You would have been much better off implementing that stuff in a browser agnostic, standards compliant way, using Java for any heavy lifting required."
This is a good strategy, and one that I insist we use here at work, but the push-back from *everybody* is unbelievable.
* The MS Weenies insist on doing everything as Webforms (with some pretty strong IE dependencies) because it's easy
* The open source guys insist that every web page should be done in PHP (which I prohibit)
* Everybody (except the Java guys) is upset that I insist that we use best practices like written requirements, use cases, and other software tools to ensure we have a verifiable, understandable set of applications.
It's like a jungle. Strangely enough, those "heavyweight, bloated Java servlets" seem to run without problems. It's those easy Webforms and .ASP's that seem to crash like a drunk at mardi gras.
I've come to the conclusion that *nobody gives a shit any more*. If it crashes, if somebody's credit card is stolen, if info is lost, people shrug and give an "oh well!".
It's really depressing.
I've had problems with some hotfixes wanting to be applied over-and-over again; don't remember if 833732 was one of them.
In any event, the problem often resulted from a customization I had made to Windows. In particular, if I had moved some system files to a new location (e.g. dllcache). Normally, this isn't a problem -- you just make some registry changes to point to the new location, copy the files, etc. But I've come to find that some hotfixes (which, as Microsoft states, often have not been through a full regression test) are hard-coded to things like the C: drive. So, they blindly look in C:\Windows\System32 for the updates files, don't find them, and indicate an update is required.
Now, more oddly still, often the patch updates in the correct location -- i.e. where the registry says the files should be.
So, you return to Windows Updates, and the C:\Windows\System32 files are still out-of-date (because the update was applied to the correct files), and you are told you need to apply the patch.
Rinse. Repeat.
Now, if this is your problem, there is a good chance that you are patched. But, who knows? It sure doesn't give you a warm fuzzy feeling to be told to apply the patch over-and-over again.
Whenever Windows Update applies a patch, it does generate a log file. You can try to scan the log file to see what it's doing and look for errors. That's how I determined the cause of my problem. My solution was to copy the patched files into the hard-coded directory, even though I never run those copies. A symlink would probably be a better choice...
(If you've never edited your registry to move files, maybe you've used something like TweakUI? Can cause the same problem, for the same reasons.)
Yes, it's true. This man has no dick.
And just WHY should CNN, or any other news service, "push" one product over another? What possible interest could they have?
1. News media frequently do things "for the public good"-- insofar as switching browsers is the best protection, they might recommend doing so just to be helpful. 2. The media are already, even in the CNN article, pushing one product over another-- they suggest updating virus definitions and stuff, which sounds a lot like a product endorsement for virus protection software to me. 3. Their own company might benefit from a more insightful analysis of the issue, considering that CNN has a web server and is probably staffed by lots of web surfers. If they recommend updating virus definitions, yet their server manages to infect me, because I followed their advice and it was insufficient, can I hold them liable? Also, if their employees are affected because they followed an insufficient plan, could it hurt their bottom line?
By the way, my job is not supplying applications support to Microsoft's customers-- no matter how much I care about those customers personally.
I do not have a signature
Better and more widespread use of https, and have a way so that pages must be validated quickly and automatically, perhaps even with a md5 checksum type arrangement as a backup, before they can be downloaded and displayed.
That and just a complete rethink of OS and browsers and "the internet". For another example for another problem, I'd like to see a totally non-commercial email system, no commercial email used in it whatsoever, and your email addy was treated as importantly as your physical address at your home, or like your telco number. You'd have an option, email like it is now, or be inside a commercial free and registered email system that cost folding money per year per email addy and refused any email into it from outside, or any email to leave the system. A large but closed system where every email addy was tied to a real human being with a real name with a real IP for verification. You could still try to use the wild wild west anarchy chaos email system we have now, but also opt in to the closed, verified and much more secure and hassle free email system.
Same thing with the net, anarchy and chaos with hacks, attacks and bogusness, or only visit sites that are verified and secure and conformed to some decent standards that have those issues as of paramount importance, as opposed to blinkenlights eye candy insecure.
I tell you, I just detest that I even have to run javascript to view some pages, I usually skip them. I'm not running an active x machine, but I feel the same way about that too, it's useful, but so easily used for bogusness that it's rapidly lost any universal advantage, IMO.
As to moz and firefox, I don't know on firefox but I don't see a way to disallow small invisible webbugs on moz. That would help. Maybe it's there and I just don't see it though, could just be me I admit, all I see is deny by domain. I want deny for a variety of reasons, size and visibility being a big one. Or conversely, just the ability to choose a single image to view, select it, the page doesn't jump away to refresh the whole deal just that particular image loads. And no downloading images in general but failing to display, I mean it can see an object and only allow it to be downloaded on a case by case basis if you choose that option. Nowadays when you click on an URL you have no idea what you will be downloading unless you view source in advance, which is nuts.
Etiquette is etiquette. He kills his mother but he can't wear grey trousers.
For internal apps, this model makes a lot of sense. The organization has control of the computers and can ensure consistent configuration, training, and security. The users can be monitored and likewise the users can trust the content. Therefore there is no issue with the server taking control of the client machine.
The problem is that web designers tend to assume that everyone on the internet should trust them, and everyone who uses IE tends to believe they can trust all web designers. Generic web pages are designed using features, and often frivolous features at that, that require the server to control the host computer in scary ways.
I think MS realizes the problem and used security zones to try to provide a method by which IE can switch between a web browser and application front end. The problem is that like many failed security measures, it became too inconvenient. Almost all internet sites should be marked as untrusted and placed in the lowest zone, but because so many sites are written badly, users tend to be forced to trust them or not get anything done.
A good example of this is the local school district, which standardized on IE and uses IE features extensively. Within the schools there are few problems. The district does a good job at protecting and training internal users. The problem is that the internet pages, including the home page, only work well on IE. In this way the district is forcing students and parents to use a browser that is verifiably unsafe. Internally they have a need to use IE. Externally, there is little reason for them to ignore standard best practice.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
This news has now made front page at news.bbc.co.uk under the heading "People urged to avoid Internet Explorer until Microsoft fixes a serious security hole."
LISTEN UP Mozilla/Firefox/Opera people. Get your marketing divisions off their asses. You will most likely NEVER EVER get another chance like this. If you don't do something now, before MS responds, you deserve to stay marginalised to the end of time.
/. Where the truth
Considering that SANS says that they have reports from admins who have been attacked that the systems are fully patched, would make me think that this advice is a bit unfounded in this situation.
Maybe it should be Microsoft please write patches for known exploits in less than two months. Since these IE exploits have been out since April and the IIS problem is now a known unknown exploit.
I was thinking of the immortal words of Socrates, who said: "I drank what?" - Chris Knight (Val Kilmer)- Real Genius
The InfoWorld article has a more candid take: they don't want to be sued by the compromised major site owners. Even if the lawsuits do not succeed, the cost of defending against them is potentially ruinous for anyone not a Fortune 500.
Unlike companies, private individuals have better protection in the many states that have anti-SLAPP laws. These laws allow a judge to summarily dismiss SLAPPs (strategic lawsuits against public participation, i.e. intimidation by litigation) and award legal costs to the defendant.
Apparently the high ranking at NetSec techie doesn't know it. From http://zdnet.com.com/2100-1105_2-5247187.html?tag=zdfd.newsfeed
NetSec's Houlahan advocated drastic action. "I told my wife, unless it is absolutely necessary and unless you are going to a site like our banking site, stay off the Internet right now," he said.
Idiot. NetSec credibility is now equal to zero. Of all the people who should have removed all shortcuts to IE, it's a techie. And what's to stop your bank from running the unpatched IIS 5? What about your homepage? IIS 5? Could be. Alt-browser time.
SAILING MISHAP
When you call BofA, you get "hours" of prerecorded/touch tone crap. I have just about given up on BofA.
I gave up on B of A when they decided to become Bank of India but forgot to change their name. My local community bank has great customer service and gives back to the community by employing residents. That's where my business and money goes now.