-Cybercriminals

• Hack into corporate computers and steal

• Engage in all forms of computer fraud

• Chargebacks are disputed transactions

• Loss of customer trust has more impact than fraud

• To reduce the potential for online credit card fraud sites:

- Use encryption technology
- Verify the address submitted online against the issuing
bank
- Request a card verification value
- Use transaction-risk scoring software

• Smart Cards

- Contain a memory chip
- Are updated with encrypted data every time the card
is used
- Used widely in Europe
- Not widely used in the U.S.

ZERO-DAY ATTACK

• A zero-day attack is a virus or other exploit that is used to take advantage of a vulnerability in a computer application before a fix for the vulnerability has been released, or even before the vulnerability has been announced. Generally, when software is released for use, it is fully functional, but some backdoor vulnerabilities may be undiscovered. When computer security researchers discover such bugs, they tend to announce them so that the company can start creating a patch. Within the relatively short period between announcement and patch, however, attackers may be able to exploit the vulnerability. Such attacks are few in number but increasing.

Some examples of zero-day attacks:

1. On November 09, 2006, there was a zero-day attack on a part of Windows called the XMLHTTP 4.0 ActiveX Control. When a web browser opened an infected web page in Internet Explorer (IE), it called the ActiveX control, which then helped the attacker to cause a buffer overflow. Attackers were then able to download spyware and steal data.

2. An attack took place against Microsoft Word around May 2006. In this case, the exploit was in the form of a Word document attachment to an email. When a user opened a Word document attached in an email, the vulnerability created a backdoor able to mask itself from anti-virus scanners. The Symantec DeepSight Threat Analyst Team confirmed this vulnerability.

-http://www.mysecurecyberspace.com/encyclopedia/index/zero-day-attack.html

SITUATION 1:

I was hired as an IT Security Consultant of a manufacturing company, this company was been hacked mercilessly and I was the one to fix the problem. The Company gave me 90 days and a budget of 1 million dollars to fix the problem.

The procedures I'll do in order for me to solve/fix the problem are the following:

1. Investigate regarding the incident.
2. Identify those persons that have the motives of doing the crime.
3. Identify what kind of system used by the one who committed the
crime to enter/invade the security system of the company.
4. Study the system used.
5. Make a security system that is stronger than the company's old security system.
6. Make the hacker pay for the crime he made.

SITUATION 2:

Even though the "worm" is harmless otherwise it can cause disturbance, still it is illegal because you are not licensed to make such things like that.
You are entering a private system,...and it is impossible that you cannot be traced because your professors are better than you. So I say NO.