From NetworkWorldFusion:
Sasser infections hit Amex, others
“American Express joined a number of U.S. universities in reporting infections from the Sasser worm on Monday and the SANS Institute’s Internet Storm Center (ISC) maintained a yellow warning Tuesday despite expectations earlier in the day that the Sasser outbreak would wind down Monday, according to interviews.”
But here’s the money quote:
“Sasser exploits a recently disclosed hole in a component of Microsoft’s Windows operating system called the Local Security Authority Subsystem Service, or LSASS. Microsoft released a software patch, MS04-011, on April 13.”
A few observations:
1. How much patience should we have with organizations that put the rest of Internet users at risk and inconvenience because of their inattention to widely publicized and preventable security and virus problems? And, although I hate to be a lawyer on this point, at what point does legal liability attach for inattention to these kinds of preventable risks?
2. Don’t the large organizations mentioned in these articles have someone designated to deal with Windows critical updates?
3. I received an e-mail from Amex this morning with an attractive new feature for my account with a hyperlink for me to click on. Would you be willing to click on that link? I wouldn’t because now I have no confidence that the e-mail came from Amex. In fact, I have serious doubts now about the safety of my personal information held by Amex. I found the time to install the Windows update and I am an IT department of one.
4. If you are working with anyone, including law firms, that continues to be ravaged by these types of preventable problems, don’t you think you need to start questioning why you continue to do so?
5. I now hope I don’t get bitten in the ass by Sasser as an ironic way to prove my point. 🙂